Account Management Policy

Version: 1.00
Issue Date: 10/15/2014

1.0 Overview

In order to properly protect the organization and those who do business with the organization, all accounts must be properly managed to prevent unauthorized access or security holes.

2.0 Purpose

This Account Management Policy is designed to provide a secure environment by standardizing the methods used to create, modify, and remove accounts.

Procedures defining account creation, account removal, and account changes must be defined to support this Account Management Policy. Procedures will include roles, responsibilities, and processes for each role.

3.0 Scope

This Account Management Policy applies to all employees and personnel who hold any type of account in the organization or any account that allows access to organizational data. Personnel includes contractors, consultants, and temporary employees. This policy covers the management of accounts. Managing access and organizational property when an employee arrives or leaves is provided for in the employee access policy. This policy covers all account types, including administrative accounts and accounts used for network access, e-mail, help desk, employee self help, and any other applications required to perform job functions or to be an employee of the organization. This policy is effective as of the issue date and does not expire unless superseded by another policy.

4.0 Definitions

  • Account management - The process of managing accounts to perform basic functions in a secure way. Account management includes account creation, account modification, account removal, and the process of resetting passwords.
  • Resource Managers - Managers who are in charge of resources such as servers, web sites, or domains that control access to resources such as files, email, or applications. These managers typically manage administrators of systems or applications.
  • Personnel Managers - All managers who have positions directly below them and who write the position descriptions for those positions.

Account Types

Account Types include:

  • Administrative accounts - Used to administer servers
  • Network access - An example is a Windows domain account or Novell account for file access.
  • E-mail
  • Help desk
  • Internet access
  • Employee self help
  • Miscellaneous applications

5.0 Shared Information

To support this policy, information must be shared between the Human Resources department, the managers in charge of positions (Personnel Managers), and the managers in charge of the resources (Resource Managers) that employees require access to. This shared information allows the processes required for account management and employee management to work.

6.0 Human Resource Duties

The Human Resources department must provide contact information to all managers about who in Human Resources (by position title) should be contacted to provide updated position descriptions. All position descriptions should describe the access required for the type of position including all applications that the person filling the position will need to access with login capabilities. The type of access to the system such as read or write access should also be specified where applicable.

The Human Resources department must provide contact information to all managers who manage any systems requiring access. The contact information indicates who in Human Resources should be contacted to update the information about systems and their resources, and about who the managers and administrators of those systems are.

The Human Resources Department must keep and maintain employee and third party entry and exit procedures and keep all involved managers informed about changes to these procedures.

7.0 Resource Managers Duties

The Resource Managers must keep the Human Resources department updated with the following information:

  • Type of resource, such as email, file, or application, including the name of the application.
  • Whether the resource is an application or a server and names of the server(s) the resource is on.
  • The level of sensitivity of the data on the resource or managed by the resource.
  • The name, phone number, and email address of the manager in charge of the resource.
  • The names, phone numbers, and email addresses of all administrators of the system or resource.

8.0 Personnel Managers Duties

The Personnel Managers must keep the Human Resources department updated with the following information:

  • Title of positions and position descriptions of all positions directly under them.
  • Type of access required by the position such as email, network file access, and all applications that the person filling the position will need to access.
  • Any special physical access or key access required.
  • Any special equipment required such as cell phones, tools, or other special equipment required to perform the job.
  • The confidentiality access level for the position must be defined.
  • Screening required such as credit check, drug testing, criminal history check, or background history check to qualify the employee to be placed in or continue in the defined position.

9.0 Account Creation

Account creation may be required under one or more of the following circumstances:

  • A new employee is hired.
  • The position duties are modified to require additional access.
  • A new application is created with accounts not integrated with another system (position descriptions should be appended to reflect those positions that require access to the application).
  • An employee changes job roles in the organization. New accounts for applications or other functions may need to be created.

10.0 Account Modification

Account modification may be required under one or more of the following circumstances:

  • An employee changes their name.
  • The position duties are changed to require additional permissions or access such as group access.
  • An employee changes job roles in the organization.
  • Password reset is technically an account modification but it is addressed separately since it is a more serious security concern.

11.0 Account Removal

Account removal may be required under one or more of the following circumstances:

  • An employee leaves the organization either voluntarily or involuntarily.
  • An employee changes job roles in the organization.
  • The position description for the employee is changed to require less access.

Account removal activities must take place in a timely manner.

12.0 Forms and Lists

The forms and lists required to support the processes below are:

  • Account creation form.
  • Account removal form.
  • Account modification form.
  • Position description for all positions kept by the Human Resource Department and provided by Personnel Managers. The description lists resources and types of access required by the position.
  • Description of all resources with current contact information for managers and administrators of each resource. Kept by the Human Resource Department and provided by Resource Managers.

13.0 Processes

For each circumstance listed above, a process will exist. Brief examples are listed below:

New Hire Procedure

  • The hiring manager provides a position title and description to the Human Resources Department being sure all position requirements are current.
  • The Human Resources Department advertises the position.
  • The hiring manager(s) or committee interviews candidates coordinating with the Human Resources Department.
  • The hiring manager(s) or committee selects a candidate and informs the Human Resources Department.
  • Offer negotiation is conducted between the hiring manager, the Human Resources Department, and the candidate. A tentative start date for employment is set.
  • If an offer is accepted, the Human Resources Department arranges for pre-employment screening such as background checks or drug tests noting any special requirements of the position.
  • If the candidate passes pre-employment screening, the tentative start date for employment is finalized.
  • The Human Resources Department checks the position access requirements and prepares a list of all accounts required by the position.
  • For each account to be added, the account creation procedure is followed.
  • The Human Resources Department checks for any additional requirements such as keys, cell phones, or other special equipment required to perform the duties of the job. The Human Resources Department follows appropriate procedures for that equipment which will require equipment or keys to be checked out to the new employee. The Human Resources Department lists all user access and organizational equipment in the care of the employee. The employee signs for the equipment agreeing to take proper care of equipment and protect account access.
  • The employee is trained in the use of the accounts and resources they are using. Security awareness training is included in the training materials.
  • The hiring manager will inform the Human Resources Department if or when they put the employee in charge of any system or application as an administrator.

Third Party Access Procedure

  • The manager managing projects that the third party staff are working on will inform the Human Resources Department what third party is involved and what staff members are involved. The manager shall provide a copy of the contract to the Human Resources Department.
  • The Human Resources Department will be sure all third party staff members have signed a non-disclosure agreement and agree to abide by all organizational policies before any access is granted or equipment is provided by the organization.
  • The manager will inform the Human Resources Department what resource access is required for each third party staff member. The principle of least privilege which allows the job to be performed must be followed.
  • For each account to be added, the account creation procedure is followed.
  • If any additional access or requirements such as keys, cell phones, or other special equipment are required to perform the duties of the job the manager will inform the Human Resources Department. The Human Resources Department follows appropriate procedures for that equipment which will require equipment or keys to be checked out to the third party staff member. The Human Resources Department lists all user access and organizational equipment in the care of the third party staff member. The third party staff member signs for the equipment agreeing to take proper care of equipment and protect account access.
  • The third party staff member is trained in the use of the accounts and resources they are using. Security awareness training is included in the training materials.

Modification of Position Duties Procedure or Creation of New Position Procedure

  • The personnel manager modifies and provides a new position title and/or description to the Human Resources Department. If the position title is changed, the old position title must be listed. The principle of least privilege to resources which allows the job to be performed must be followed.
  • The Human Resources Department checks the position job requirements to determine whether any access or equipment requirements have changed.
  • If a change is required the Human Resources Department will determine where accounts should be removed, added, or changed.
  • For each account to be added, the account creation procedure is followed.
  • For each account to be removed, the account removal procedure is followed.
  • For each account to be modified such as permissions change, the account modification procedure is followed.

Creation of a New Application Procedure

This procedure should be called out in the System Development Life Cycle (SDLC) procedure.

  • The resource manager who manages the new application resource provides information to the Human Resources Department concerning the type of resource, the servers involved, and who the administrators are with contact information.
  • Personnel managers who require their staff to have access to the new resource modify the appropriate position description(s) to specify the required resource for the performance of duties and what permissions should be granted. The principle of least privilege which allows the job to be performed must be followed. This information is passed to the Human Resources Department.
  • For each account to be added, the account creation procedure is followed.
  • The employee is trained in the use of the new applications. Security awareness training is included in the training materials.

Employee Change of Job Roles Procedure

  • The personnel manager of the employee in the current job role notifies the Human Resources Department that the employee is changing jobs in the organization. The name of the manager in the new role is provided.
  • The personnel manager of the employee in the new job role contacts the Human Resources Department and informs them what position the employee is moving to.
  • The Human Resources Department compares the two job descriptions and determines changes to accounts, what accounts should be added, what accounts to be removed, and what equipment or keys should be turned in or provided.
  • For each account to be added, the account creation procedure is followed.
  • For each account to be removed, the account removal procedure is followed.
  • For each account to be modified, the account modification procedure is followed.
  • The employee is trained in the use of the accounts and resources they are given access to. Security awareness training is included in the training materials.

Employee Name Change Procedure

  • The employee contacts their manager informing them of the name change.
  • The personnel manager contacts the Human Resources Department informing them of the name change and any change to the login ID for accounts that is desired.
  • For each account the employee has access to, the account modification procedure is followed.

Employee Termination Procedure

The organization should have an employee termination policy that defines the employee termination process in more detail than this document since this document is about account management.

  • If the termination is voluntary:
    • The personnel manager contacts the Human Resources Department informing them of the termination and planned termination date. The personnel manager chooses whether to remove access to any accounts immediately and which accounts. The personnel manager also decides what equipment or keys should be immediately returned, collects the items from the employee, and informs the Human Resources Department.
    • The Human Resources Department checks the position description and active account creation forms to determine accounts the employee has access to.
    • On the termination date the Human Resources Department activates the account removal procedure for each account the employee still has access to. It uses the description of resources list to get contact information for managers and administrators for each resource involved.
  • If the termination is involuntary:
    • The Human Resources Department immediately activates the account removal procedure for each account the employee has access to. The account removal procedure should be complete for all involved accounts before the employee is informed of the involuntary termination. The personnel supervisor gets the list, or has a copy of the list, of items checked out by the employee from the Human Resources Department. The personnel supervisor requires the employee to return all keys and equipment, using the list of checked out items to be sure all equipment is returned.
  • The Human Resources Department will conduct an exit interview for all terminating staff members.

14.0 Account Creation Procedure

  • The Human Resources Department provides an account creation sheet for each required account listing the new employee name, office phone number, email address, name of department the employee is in, the name of the hiring manager, requested user ID, and permissions and access granted. The Human Resources Department checks for any additional requirements such as keys, cell phones, or other special equipment required to perform the duties of the job. The Human Resources Department follows appropriate procedures for that equipment which will require equipment or keys to be checked out to the new employee. The Human Resources Department lists all user access and organizational equipment in the care of the employee. The employee signs for the equipment agreeing to take proper care of equipment and protect account access.
  • The manager of each resource involved requests an administrator to create the account.
  • The account will be created with the minimum privileges (least privilege principle) required to perform the required function.
  • During account creation, the administrator creating the account will call the user and inform them of their user ID, temporary password, and any other required information to access the resources required. The administrator will instruct the user to change their password at the time of the first log on.
  • Once the account is created, the Human Resources department is informed and the user ID is specified. The account creation sheet is sent back to the Human Resources Department and kept as long as the account is active.
  • The Human Resources Department informs the hiring manager that the accounts are created.

15.0 Account Removal Procedure

  • The Human Resources Department sends an account removal form to the manager of the resource where the account must be removed.
  • The Resource Manager will pass the request to an appropriate member of the team to remove the account.
  • The account will be de-activated or removed according to the policy for the specific resource.
  • If files are used by the account or the account gives access to email or databases, the access privileges will be moved to another account before the account is removed or suspended. Some policies may specify a suspension of the account with a 30 day period until the account is deleted.
  • The Resource Manager is informed that the account has been suspended or removed.
  • The Resource Manager informs the Human Resources Department that the account is no longer active and sends the account removal sheet back to the Human Resources Department.
  • The Human Resources Department informs the personnel manager that the employee account has been de-activated.
  • The Human Resources Department files the original account creation sheet and the associated account removal sheet in an inactive account folder associated with the applicable employee.

16.0 Account Modification Procedure

  • The Human Resources Department sends an account modification form to the manager of the resource where the account must be modified.
  • The Resource Manager will pass the request to an appropriate member of the team to change the account.
  • The account will be modified according to the policy for the specific resource. This may allow additional access, less access, or no access change with a name change for the user.
  • The Resource Manager is informed that the account has been modified.
  • The Resource Manager informs the Human Resource Department that the account was modified.
  • The Human Resource Department informs the personnel manager that the employee account has been modified.

17.0 Password Reset Procedure

The password reset procedure should address issues of user identification to be sure the user asking for a password to be reset is really who they claim to be. Verified information should be more than the account ID and user name, especially if the account ID is related to the user name. Depending on the required security for the system, the information used to verify the user may be any combination of a minimum of three personal questions, part or all of an employee ID number, card identification such as a driver's license, voice print identification, or proof of possession of a secure ID token.

  • The user calls the help desk requesting a password reset.
  • The help desk verifies the identity of the user using the preset method.
  • The help desk contacts the administrator to determine if the account is locked out (account lockout may be required before a password reset request is honored).
  • If the account is locked out, the administrator configures the system to require the user to change their password the next time they log in and resets the password. A random password generation program should be used to choose the new user password.
  • The user is told the new password or the new password is sent to the user using some secure mechanism.

This procedure requires the help desk to have administrative contact information for all systems that users calling the help desk may have accounts on.
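The identity check and reset steps above, as an added example that is not part of the original policy document: security-question answers are stored salted and hashed, the caller must answer at least three questions correctly, and the temporary password comes from the CSPRNG with a forced change at the next log-on. The question names, account fields and sample answers are constructed for the example.

```python
import hashlib
import hmac
import secrets
import string

MIN_QUESTIONS = 3  # policy: a minimum of three personal questions
PBKDF2_ROUNDS = 100_000


def _hash_answer(answer: str, salt: bytes) -> bytes:
    # Answers are normalised (case and whitespace) so a caller who says
    # "fluffy" still matches "Fluffy", then salted and hashed; the help
    # desk never sees the stored answers in clear text.
    normalised = " ".join(answer.lower().split())
    return hashlib.pbkdf2_hmac("sha256", normalised.encode(), salt, PBKDF2_ROUNDS)


def enrol_answers(questions: dict) -> dict:
    """Store one salt and hash per security question at enrolment time."""
    stored = {}
    for question, answer in questions.items():
        salt = secrets.token_bytes(16)
        stored[question] = (salt, _hash_answer(answer, salt))
    return stored


def verify_identity(stored: dict, provided: dict, minimum: int = MIN_QUESTIONS) -> bool:
    """Help-desk identity check: at least `minimum` answers must be correct.
    Every provided answer is checked (no early exit) and compared in
    constant time, so the outcome does not leak which answer was wrong."""
    correct = 0
    for question, answer in provided.items():
        if question not in stored:
            continue
        salt, expected = stored[question]
        if hmac.compare_digest(_hash_answer(answer, salt), expected):
            correct += 1
    return correct >= minimum


def generate_temporary_password(length: int = 16) -> str:
    """Random temporary password from the CSPRNG, guaranteed to contain at
    least one lower-case, upper-case, digit and symbol character."""
    classes = [string.ascii_lowercase, string.ascii_uppercase,
               string.digits, "!@#$%^&*-_"]
    alphabet = "".join(classes)
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if all(any(c in cls for c in candidate) for cls in classes):
            return candidate


def reset_password(account: dict, stored_answers: dict, provided: dict) -> dict:
    """Section 17 flow: verify the caller, then set a random temporary
    password, clear any lockout and force a change at the next log-on.
    `account` is a constructed in-memory record standing in for the
    directory or application account store."""
    if not verify_identity(stored_answers, provided):
        return {"reset": False, "reason": "identity not verified"}
    temp = generate_temporary_password()
    salt = secrets.token_bytes(16)
    account["password"] = (salt, hashlib.pbkdf2_hmac("sha256", temp.encode(), salt, PBKDF2_ROUNDS))
    account["locked_out"] = False
    account["must_change_at_next_logon"] = True
    # The temporary password is returned only so it can be passed to the
    # user over the secure mechanism the policy requires; it is never logged.
    return {"reset": True, "temporary_password": temp}
```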

18.0 Centralized Access

Technologies shall be employed which shall provide for centralized access if reasonably possible. This will reduce the number of passwords the staff member must remember and reduce the chance of error or forcing the staff member to write down passwords which would be a violation of password policy. Users should be assigned accounts and access in a standard manner using a centralized system such as a Windows domain.

19.0 Periodic Access Review

Every year the Human Resources Department will ask the personnel managers to review all positions they manage to determine whether access requirements have changed and make appropriate changes.
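The comparison step of the Employee Change of Job Roles Procedure (section 13) and the yearly review above both reduce to the same check: compare the access an employee actually holds with what the position description says the position needs. The following is an added example, not part of the original policy: it derives one creation, modification or removal action per account from that comparison and, for the periodic review, also flags accounts with no active employee behind them. Position names, resource names and access levels are constructed sample data.

```python
from dataclasses import dataclass

# Access levels as the policy describes them ("read or write access"),
# ordered so a change can be reported as widening or narrowing access.
LEVELS = {"read": 1, "write": 2, "admin": 3}


@dataclass(frozen=True)
class Action:
    procedure: str   # "creation", "modification" or "removal" per sections 14-16
    resource: str
    detail: str


def plan_account_changes(current_accounts: dict, new_position: dict) -> list:
    """Compare the resources/access an employee holds (resource -> level)
    with what the new position description requires, and emit one action
    per account. Missing accounts are created, differing levels modified,
    and accounts the position no longer needs are removed (least privilege)."""
    actions = []
    for resource, required in sorted(new_position.items()):
        held = current_accounts.get(resource)
        if held is None:
            actions.append(Action("creation", resource, f"grant {required}"))
        elif LEVELS[held] != LEVELS[required]:
            direction = "raise" if LEVELS[required] > LEVELS[held] else "lower"
            actions.append(Action("modification", resource, f"{direction} {held} -> {required}"))
    for resource in sorted(set(current_accounts) - set(new_position)):
        actions.append(Action("removal", resource, "position no longer requires access"))
    return actions


def periodic_review(employees: dict, positions: dict, accounts: dict) -> dict:
    """Yearly review: every active account must belong to a current employee
    and be justified by that employee's position description. Returns the
    orphaned user IDs and a per-employee action plan for any drift found."""
    orphaned, plans = [], {}
    for user, held in accounts.items():
        position = employees.get(user)
        if position is None:
            orphaned.append(user)          # account outlived the employee
            continue
        plan = plan_account_changes(held, positions[position])
        if plan:
            plans[user] = plan
    return {"orphaned": orphaned, "plans": plans}


# Constructed sample data: position descriptions (section 8), the employee
# roster (section 6) and the accounts on file from active creation sheets.
POSITIONS = {
    "accounts-payable-clerk": {"email": "write", "finance-app": "write", "file-share": "read"},
    "helpdesk-analyst": {"email": "write", "helpdesk-app": "write", "domain-admin-console": "read"},
}
EMPLOYEES = {"jdoe": "accounts-payable-clerk", "asmith": "helpdesk-analyst"}
ACCOUNTS = {
    "jdoe": {"email": "write", "finance-app": "read"},
    "asmith": {"email": "write", "helpdesk-app": "write", "domain-admin-console": "read"},
    "ghost": {"file-share": "write"},   # no matching employee: left behind at termination
}

if __name__ == "__main__":
    review = periodic_review(EMPLOYEES, POSITIONS, ACCOUNTS)
    print("orphaned accounts:", review["orphaned"])
    for user, plan in review["plans"].items():
        for action in plan:
            print(f"{user}: {action.procedure} {action.resource} ({action.detail})")
    # asmith moves into the accounts-payable role: same comparison, new position
    for action in plan_account_changes(ACCOUNTS["asmith"], POSITIONS["accounts-payable-clerk"]):
        print(f"asmith role change: {action.procedure} {action.resource} ({action.detail})")
```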

20.0 Additional Access Control Policy

  • Business and end users are not allowed to have access to development or test systems unless a test system is needed for end user testing. The business user should perform testing on a Quality Assurance (QA) system, which is the last test environment before production.
  • If a system fails, users cannot get back onto the system until an administrator has checked it; they will then need to log on again.
  • All systems shall require a minimum of a user ID and password or some secure authenticator mechanism such as smart cards, biometrics or other authentication verification method before granting access.
  • Minimal information is provided back to the user in the event of a failed logon attempt. The user may be informed that the logon failed but not whether the ID or password were incorrect.
  • Users of systems should be able to view their last login times and should be able to review all login times to help determine whether their account may have been used by unauthorized individuals. Any suspicious activity must be promptly reported.
  • Where systems have diagnostic methods for providing access, they must be controlled by an appropriate security mechanism such as a key or combination which is relevant to the security needs of the data stored on the system.
  • Systems shall use strong authentication techniques and technologies where possible and practical or when security needs require it. These techniques include but are not limited to multifactor authentication, biometrics, dynamic passwords, pass phrases, challenge response, or asymmetric key cryptography with public and private keys.
  • The resource manager must define emergency situations for the systems managed and emergency rights. Emergency access rights must be defined in advance of emergencies and a known time of removing those rights is agreed upon in advance. Actions to be taken during an emergency are predefined.
  • The internal environment for access control technical and management methods shall be audited no less than every two years.

21.0 Enforcement

Since proper account management is very important to the security of the organization, all activity that does not comply with this Account Management Policy and other policies and procedures is investigated. Organizational members that do not adhere to this policy may be subject to disciplinary action up to and including denial of access, legal penalties, and/or dismissal. Any employee aware of any violation of this policy is required to report it to their supervisor or other authorized representative.

22.0 Additional Requirements

  • An organizational formal disciplinary process for staff who are found to have violated organizational security policies and procedures must be developed.
  • A detailed Account Creation Procedure must be developed.
  • A detailed Account Modification Procedure must be developed.
  • A detailed Account Removal Procedure must be developed.
  • A detailed Password Reset Procedure must be developed.

Approval

Approved by:__________________________ Signature:_____________________ Date:_______________