Account Management Standard
Date of Current Revision or Creation: December 2023
The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, as well as applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.
Purpose
The purpose of this standard is to define the account management requirements used by Old Dominion University.
Definitions
Customer-facing Systems include hardware, software or other technology with user interfaces or applications that directly interact with customers.
Data Compliance Owners - University directors (typically at the level of Registrar, or Unit Director) who oversee data management functions related to the capture, maintenance, and dissemination of data for a particular operational area. They are responsible for decisions about the usage of University data under their purview.
Guest Accounts are those where the user self-asserts their identification and contact information for temporary or emergency access to University systems.
Affiliate Accounts are those where the user exists in University systems of record, but without active records in Student or Human Resource systems. Affiliate accounts must be assigned an affiliation.
Affiliations describe, at a basic level, a person's relationship with the University.
Information Security Officer (ISO) - The Old Dominion University employee, appointed by the President or designee, who is responsible for developing and managing Old Dominion University's information technology (IT) security program.
Internal-facing Systems include hardware, software or other technology used within the organization and are not exposed/available outside the organization.
MIDAS is an acronym for the Monarch Identification and Authorization System, a central identity and password manager.
Principle of "Least Privilege" is a security concept promoting minimal user profile privileges on computers, based on users' job functions.
Privileged Accounts are accounts that provide elevated or non-restrictive access to the underlying platform that non-privileged user accounts don't have access to.
Sensitive System - any IT system whose classification is confidential or higher according to ITS Standard 2.3.0 Data Administration and Classification.
Service Accounts - privileged accounts that may not correspond to an actual person and are often built-in accounts that services use to access resources to perform activities. However, some system services require actual user accounts to perform certain functions.
System Administrator - the analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Administrator.
System Compliance Owners - manager or departmental head responsible for secure and compliant operation and maintenance of a University IT system or overseeing hosted systems under their purview.
Standards Statement
Account management requirements identify those steps necessary to formalize the process of requesting, granting, administering, and terminating accounts. Where possible, the centrally managed MIDAS system is used to manage and control access to ODU hosted or contracted systems. However, this standard applies to all accounts on IT systems, including accounts used by vendors and third parties. Systems not using MIDAS are responsible for developing and documenting account management practices based on the University's IT Standards.
Issuing Accounts
When issuing accounts, the standard security principle of "least privilege" to perform a function must be used. Accounts should not be granted any more privileges than those that are necessary for the functions the user will be performing. Access levels are to be associated with group or role membership, where practical, and all such IT system user accounts must belong to at least one user group.
For internal-facing systems, employee position descriptions should accurately reflect assigned duties and responsibilities in order to define required IT system access.
A documented request from the user to establish or modify an account on any IT system is required. Proper authorization and approval by the IT system user's Budget Unit Director and the System Owner is required to establish accounts. The System Owner may delegate this authorization and approval task to the Data Owners or others if desired. A user account must only be used by the person to whom it is assigned.
Unless required by regulatory requirements, accounts remain valid for the duration the individual maintains the relevant status within the University or until the account is closed or suspended by the University. Users are responsible for the lawful and appropriate use of information technology resources as described in the Acceptable Use Standard.
The identity of users must be authenticated before providing them with account and password details. Authentication and authorization requirements are to be based on sensitivity and risk. The use of second-factor authentication, such as tokens and biometrics, for access to sensitive IT systems should be considered based upon risk.
No user is allowed to authorize their own access. Administrators who have access to add or elevate account privileges should have procedures in place for logging changes.
Passwords
Confirmation of the user's request for access credentials must be based on information already on file prior to delivery of the access credentials. Passwords for accounts must be delivered to users of all customer-facing IT systems securely. The use of non-shared, unique passwords on sensitive IT systems is required. Initial passwords must be changed upon first use unless the initial password was user selected using a secure method.
Automated password resets may be utilized, provided that a recognized and ISO approved method is used, such as multiple, random challenge and response questions. Password change events should be recorded in an audit log.
Managing Accounts
Processes to create, suspend, disable, and terminate user accounts should be documented and approved by the System Owner or designee of the system.
Supervisors should notify Human Resources and System Administrators in a timely manner about termination, transfer, or changes in access level requirements of IT system users.
Occasional reports from Human Resources and/or other sources may be used in periodic batch termination processes. These processes should be established with the respective business units as part of larger maintenance processes.
Unneeded accounts are to be disabled. Data in unneeded accounts in a disabled state is to be retained in accordance with ODU's records retention policy.
System Compliance Owners and the Data Compliance Owners are to investigate any unusual IT system access activities and approve changes to access level authorizations.
Urgent employee actions that involve urgent electronic access requests should be communicated to the ITS Security Office, which coordinates the various scenarios that may arise from the nature of the request, including ensuring appropriate awareness of, and coordination with, Human Resources.
An at least annual review of all user accounts on sensitive IT systems is required to assess the continued need for the accounts and their access levels; user accounts on other IT systems require periodic review.
Privileged Accounts
Privileged accounts have a level of access above that of a normal user. Privileged access is typically granted to system administrators and staff performing computing account administration, or other such employees whose job duties require special privileges over a computing system or network. Individuals with privileged access must comply with applicable policies and IT standards.
- Administrator Access
 Local administrator rights, or the equivalent on non-Microsoft Windows-based IT systems, should be granted only to authorized individuals.
- Service Accounts
 Service accounts are a type of account necessary for systems to operate or interoperate. The System Owner is responsible for designating and maintaining a list of individuals who have access to the account. The documentation should be available upon request for an audit or a security assessment.
- System Administrator Accounts
 System administrator accounts perform super-user functions such as performing installs, altering critical system configurations or data, granting permissions to other accounts, etc. System Administrators are required to have both an administrative account and at least one user account and are required to use their administrative accounts only when performing tasks that require administrative privileges. At least two individuals should have administrative accounts to each IT system, to provide continuity of operations.
Guest Accounts
A guest account establishes a user's identity and provides temporary or emergency access to specific technology resources. Guest accounts may be used on non-sensitive systems where the System Owner has determined their use to be safe and necessary.
Requests for vendor/emergency guest accounts to any sensitive system must be documented according to standard practice and maintained on file, must include the access attributes for the account, must be approved by the System Owner and communicated to the Information Security Officer, and must include an expiration so that the account expires after a predetermined period, based on sensitivity and risk.
Affiliate Accounts
Affiliate accounts are those where a University process has established the user's identity, but the user lacks active records in University business systems. Affiliate accounts may be used in non-sensitive or sensitive systems as determined by the System Owner and the account request.
Affiliate accounts must be given an affiliation and are only considered affiliate accounts while the affiliation is active and no other business association with the University exists.
Example: A Visiting Faculty member is an affiliate as long as they hold the Visiting Faculty Member affiliation. If the Visiting Faculty member becomes a University Faculty member, the University Faculty affiliation supersedes the Visiting Faculty affiliation and the account is no longer an affiliate account.
Shared Accounts
Microsoft Exchange mailbox accounts may be shared by multiple users as long as a single individual is designated as the owner.
Other shared accounts may be authorized by the System Owner to meet business needs and for the continuity of operations and must be coordinated with the IDM team for proper access controls and documentation.
Procedures, Guidelines & Other Related Information
- Federal and State Law
- University Policy 3501 - IT Access Control
- University Policy 3505 - Information Technology Security
- IT Standard 9.1.0 Acceptable Use
- IT Standard 2.11.0 Password Management
- Universal Account Request Form
History
| Date | Responsible Party | Action |
|---|---|---|
| October 2008 | ITAC/CIO | Reaffirmed |
| October 2010 | ITAC/CIO | Reaffirmed |
| October 2011 | ITAC/CIO | Reaffirmed |
| February 2014 | IT Policy Office | Minor rewording for clarity |
| July 2015 | IT Policy Office | Reorganized for clarity; added definitions, privileged accounts info |
| December 2018 | IT Policy Office | Definitions and links checked |
| December 2021 | IT Policy Office | Definitions and links checked; minor wording changes |
| December 2023 | IT Policy Office | Definitions and links checked; minor wording changes |
