3.2.4 User Accounts and Access Management Policy
- Purpose
This policy sets forth the way Piedmont University institutional accounts are set up and their access is managed, along with account password standards. This document provides a set of minimum security standards governing the use of passwords for Piedmont University information technology systems. It is intended to offer minimum standards for system and application administrators and developers. All parties are encouraged to apply more stringent controls than those outlined below in accordance with the security needs of the system and the information being stored or accessed. Regulatory, compliance or grant requirements supersede any standards defined below.
- Policy
- Definitions
- User Accounts and Access Management
- Standard Accounts
Standard accounts are accounts that provide minimal access to the applications that help users perform their daily tasks according to their role (e.g. email, student information systems, system database, etc.). These accounts do not have any administrative privileges. Roles of these accounts include but are not limited to:
- Contractors and Vendors Accounts
- Shall follow the standard account guidelines.
- Shall have signed a Business Associate Agreement before access is provided.
- Account Password Standards
- Scope and Intent
This section is intended to provide guidance for systems and applications that utilize a username and password for authentication and authorization. For many systems, these settings are customizable and must be configured before a system goes into production or stores institutional information. Systems that utilize a Piedmont University ID for authentication can assume these requirements are met as part of the service provided.
- Password requirements for standard accounts
- Passwords may never be stored in plain text. Passwords must be stored using industry-standard hashing and salting methodologies.
- Passwords must be encrypted and/or hashed while in transit to the authenticating system.
- Accounts must use Multi-Factor Authentication (MFA) where possible.
- Passwords must adhere to the following complexity rules:
- Must be at least 12 characters long.
- Must have at least one capital letter.
- Must have at least one lower case letter.
- Must have at least one number.
- Special characters are optional (for example: !, @, #, $, %, ^).
- Must have a minimum age of 1 day before it can be changed.
- Users cannot use the last 24 passwords they have used.
- Passwords are non-expiring.
- Password requirements for administrative accounts
In addition to the requirements for standard accounts:
- Passwords may not be re-used for a period of 12 months.
- Must be at least 20 characters long and follow the standard account complexity requirements.
- Accounts must use Multi-Factor Authentication (MFA) where possible.
- Password requirements for service accounts
- Service-based accounts are those used for automation, monitoring, and other non-interactive tasks not performed by an individual.
- In addition to the requirements for standard accounts:
- Passwords must be at least 25 characters.
- User IDs and passwords shall never be used through an interactive login mechanism except for testing/setup purposes.
- Service accounts must have a responsible point of contact or sponsor.
- Service accounts must be reviewed annually to ensure they are properly used, secured, and necessary.
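An added example, not code from the policy or from any Piedmont University system, showing how a system owner could enforce the three tiers of password rules above (length per account class, character classes, the 24-password history and the 1-day minimum age) with salted hashes so that no plain-text password is ever stored; the PBKDF2 algorithm, the account-class names and all function names are assumptions.

```python
import hashlib
import hmac
import os
import re

# Values taken from the policy text above.
MIN_LENGTH = {"standard": 12, "administrative": 20, "service": 25}
HISTORY_DEPTH = 24            # the last 24 passwords may not be reused
MIN_AGE_SECONDS = 24 * 3600   # a password must be at least 1 day old before it can be changed


def hash_password(password, salt=b""):
    """Salted hash of a password, returned as (salt, digest). PBKDF2-HMAC-SHA256 is an
    assumed choice; the policy only requires an industry-standard salted hash."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def complexity_errors(password, account_class):
    """Return the complexity rules the candidate violates (an empty list means it passes)."""
    errors = []
    if len(password) < MIN_LENGTH[account_class]:
        errors.append("must be at least %d characters long" % MIN_LENGTH[account_class])
    if not re.search(r"[A-Z]", password):
        errors.append("must have at least one capital letter")
    if not re.search(r"[a-z]", password):
        errors.append("must have at least one lower case letter")
    if not re.search(r"[0-9]", password):
        errors.append("must have at least one number")
    # Special characters are optional under this policy, so there is deliberately no check.
    return errors


def is_reused(password, history):
    """True if the candidate matches any stored (salt, digest) pair among the last 24 passwords.
    Each stored salt is reapplied so the comparison never needs the old plain-text password."""
    for salt, digest in history[-HISTORY_DEPTH:]:
        _, candidate = hash_password(password, salt)
        if hmac.compare_digest(candidate, digest):  # constant-time comparison
            return True
    return False


def validate_password_change(password, account_class, history, seconds_since_last_change=None):
    """Apply the complexity, history and minimum-age rules; returns the list of violations."""
    errors = complexity_errors(password, account_class)
    if is_reused(password, history):
        errors.append("matches one of the last %d passwords" % HISTORY_DEPTH)
    if seconds_since_last_change is not None and seconds_since_last_change < MIN_AGE_SECONDS:
        errors.append("current password is less than 1 day old")
    return errors
```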
- Initial Account Provisioning
Newly provisioned user accounts must have a secure password set by the account holder. This may be accomplished via an activation method that allows the account holder to set a password (before which the account is not usable), secure transmission of an initial password to the account holder, a short expiration window for an initial password, and/or manual intervention by support staff.
If an initial account password is set before account handoff to the account holder:
- Account holders must have the ability either to activate an account and set a password before use, or to be required to set a password during initial access to a system. Service accounts may be considered exempt from this requirement.
- All vendor-supplied passwords, including service accounts, must be changed as soon as possible after system/application deployment and before becoming operational.
- Password Protection
To ensure that the intended account holder is the authorized holder of a password or credential, distribution or reset should occur only after a reasonable effort has been made to verify the identity of the account holder.
- Faculty
- Staff
- Students
- Vendors
- Contractors
- Emeriti
- Guests
- Accounts Management
- User account requests must be formally documented and appropriately approved.
- All users must use a unique ID to access University systems and applications. Passwords shall be set following the password section of this policy.
- A user's identity must be verified before a password reset is executed.
- Accounts of individuals on extended leave (more than 12 weeks) shall be disabled. IT will receive formal notification, via a helpdesk request, from HR to disable the account while the employee is on leave.
- Users must complete required training within 30 days of account activation or matriculation. Newly hired faculty and staff receive information security awareness training from KnowBe4. Newly hired faculty and staff and newly matriculated students receive training on Title IX awareness topics from Vector Solutions. Failure to complete these requirements will result in the user account being locked and disabled.
- User accounts must follow the University’s documented account termination procedures as stated below.
- Executive Users
- Notification to be received from HR via helpdesk ticket on the termination date.
- At 5pm (unless notified to complete it sooner) on the termination day, the account will be disabled and the user's supervisor will be granted access to the executive's mailbox to ensure that incoming emails are responded to appropriately. The supervisor will oversee the mailbox for up to one year.
- If an account has a litigation hold on it, IT will place it in a specified OU in Active Directory and will remove all physical hard drives from any devices the user may have used during their period of employment.
- After the year has expired, the account will be moved to the archive folder for a period of 7 years, unless HR specifies that a longer retention period is required.
- Retention of accounts is based on the active HR policy.
- Faculty/Staff
- Notification to be received from HR via helpdesk ticket on the termination date.
- At 5pm (unless notified to complete it sooner) on the termination day, the account will be disabled and moved to the archive folder for a period of 7 years, unless HR specifies that a longer retention period is required.
- Retention of accounts is based on the active HR policy.
- Students
- In August of each year, a report is run to determine which students are not enrolled in the current term and previous term (if available).
- The report will be provided to the registrar’s office for review.
- Upon confirmation from the registrar, these accounts will be deleted.
- Other non-administrative or service accounts
- Will follow the guidelines as specified for Faculty/Staff above.
- User accounts must be monitored for inappropriate use and activity.
- Access Management
- The University will provide access privileges to the University’s technology (including networks, systems, applications, computers, and mobile devices) based on the following principles:
- Business needs – users or resources will be granted access to systems necessary to fulfill their roles and responsibilities.
- Least privilege – users or resources will be provided with the minimum privileges necessary to fulfill their roles and responsibilities.
- Access requests for all accounts and permissions, including privileged and limited user accounts, must be documented using the ticketing system.
- Alternative authentication mechanisms that do not rely on a unique ID and password must be formally approved.
- Access to the University systems and applications must use multifactor authentication (MFA) where technically feasible and practical.
- Remote access must be authorized. MFA is required for all remote access to university systems and services, and connections must be monitored and additional alerts enabled.
- System sessions must automatically lock after 10 minutes of inactivity where feasible and practical.
- University systems shall enforce a limit of 5 or fewer consecutive invalid login attempts by a user and lock the offending account for 15 minutes.
- Access rights shall be disabled or removed when the user is terminated or ceases to have a legitimate reason to access University systems.
- User account access must be reviewed annually to determine if access rights are still needed. Changes to account access rights must be approved and documented.
- University IT is responsible for managing access to applications and services. Exceptions must be documented, reviewed, and approved by the CIO or their designee.
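An added illustration, not code from the policy or from any University system, of the lockout rule above (5 or fewer consecutive invalid attempts, then a 15-minute lock) including the edge cases a practitioner must get right: a correct password is still rejected while the lock is active, a success resets the consecutive-failure count, and the count starts fresh once the lock expires. The class and method names are assumptions, and timestamps are plain epoch seconds.

```python
MAX_FAILED_ATTEMPTS = 5      # policy: limit of 5 consecutive invalid login attempts
LOCKOUT_SECONDS = 15 * 60    # policy: lock the offending account for 15 minutes


class LockoutTracker:
    """Tracks consecutive failed logins per account and enforces the 5-attempt / 15-minute rule."""

    def __init__(self):
        self.failures = {}       # account -> consecutive failure count
        self.locked_until = {}   # account -> epoch second at which the lock expires

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        if until is None:
            return False
        if now >= until:         # lock has expired: clear it and start a fresh count
            del self.locked_until[account]
            self.failures[account] = 0
            return False
        return True

    def record_attempt(self, account, success, now):
        """Record one login attempt and return 'locked', 'ok' or 'failed'."""
        if self.is_locked(account, now):
            return "locked"      # rejected without evaluating the credential while locked
        if success:
            self.failures[account] = 0
            return "ok"
        self.failures[account] = self.failures.get(account, 0) + 1
        if self.failures[account] >= MAX_FAILED_ATTEMPTS:
            self.locked_until[account] = now + LOCKOUT_SECONDS
            return "locked"
        return "failed"
```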
Individuals should be confirmed as the intended recipient by contact via an authorized work phone number, verification of personal data, photo ID, or similar means.
Where possible, passwords should be maintained by the individual through automated means that use either pre-existing answers to a set of questions or a secondary channel meant to confirm the person's identity, such as a one-time password sent to a registered device.
If an automated process is not available, initial or reset passwords may be communicated by calling the college's helpdesk at 706.894.4205, where the user will need to provide identifying information to verify their identity before the password is reset. However, users are encouraged to go to www.office.com or https://passwordreset.microsoftonline.com and select the reset password option.