Account, Access, and Data Management policy

Duke University departmental policy template: Account, Access, and Data Management
University IT Security Office
Version 1.0
Authority:
Duke University Chief Information Officer
Duke University Chief Information Security Officer
1. Definitions
Departmental staff: Duke University staff who work for a specific department and who are involved in
installation or support of departmental servers. For the purpose of this document, all
contract and temporary employees are included.
End-User Account (or user account): Accounts used by the non-administrator community to access services
offered by the server. Note that this refers to an account on the server and does not necessarily refer to
institutional accounts such as the Duke NetID.
Service or System-Level Account: Accounts that have full system privileges and are an integral part of the
operating system, database, or application into which they are bundled. These accounts often
cannot be renamed because the named accounts are needed to perform certain functions
(e.g., root, Oracle).
2. Purpose
The purpose of this policy template is to assist Duke University organizations (departments, schools, institutes,
etc.) in creating an internal policy regarding account management, authorization and access rights, and the
management of data related to accounts. Filling in this template will enable departmental staff to accurately
document their policy and procedures governing account, access, and data management. Once completed,
departments will have a written policy and a document to record the location of their written procedures.
The departmental policy will assist Duke system administrators in establishing strict rules for managing Duke
account and access rights, and for managing data associated with accounts. Compliance with this policy does
not exempt a department from meeting University, federal, or state regulations or other required
standards.
Effective implementation of this policy should minimize the likelihood of unauthorized access to campus
computing resources and protected data. Regardless, all security events must be reported to security@duke.edu as
soon as they are discovered, in order to ensure compliance with legal obligations.
3. Scope
This policy applies to all accounts (as defined above) administered or serviced by university staff or by third
parties via contractual agreements with university departments or other organizational groups.
4. Departmental Policy
Account Authorization
4.1 Users request departmental accounts by:
User accounts are automatically created (see 4.4)
Emailing departmental IT staff
Emailing the Dean
Other:
4.2 To qualify for a departmental account, users must:
Have a Duke affiliation of faculty, student, staff, or affiliate
Agree to abide by the Duke Acceptable Use Policy and any departmental policies
Other:
4.3 Location of account authorization log: _______________________________
Example account authorization log:
Date | Name | Authorization | Account Name | Function (Create/Delete/Change) | Performed By
Account Creation
4.4 User accounts are created by:
Duke NetID creation
Departmental automated process
Details:
Departmental manual process
Details:
Other:
4.5 Shared departmental user accounts are permitted.
No
Yes (document the parameters and permissions of shared accounts below)
4.6 Guest accounts are permitted.
No
Yes (document the parameters and permissions of guest accounts below)
4.7 The creation of a departmental user account triggers the creation of other departmental resources for the user.
No, no other resources are provided.
No, other resources are provided through a manual process. (document below)
Yes
Departmental email account
Departmental file share
Other (describe):
4.8 Password requirements for departmental accounts are (check all that apply):
8 or more characters required
upper and lower case required
number required
special character required
passwords expire every 30 days
passwords expire every 60 days
passwords expire every 90 days
new passwords may not be variants of previous 5 passwords
multifactor authentication is implemented
other (describe):
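The options in 4.8 are parameters a department selects; the following is an added example (not part of the Duke template) of a checker that enforces one such selection: minimum length, character classes, a 90-day expiry, a history of the previous 5 passwords, and MFA enrolment. The POLICY dictionary, the function names, the stored-hash format and the sample passwords are this example's own assumptions. History is compared against salted PBKDF2 hashes so no plaintext history is kept; the "variants" wording in 4.8 is left to the department to define, so the check here is exact-match only.

```python
"""Added example: enforce a department's chosen 4.8 password parameters.
POLICY, the function names and the sample data are assumptions for this
example, not part of the Duke template."""
import hashlib
import os
import string
from datetime import date, timedelta

# Hypothetical selection of 4.8 options; a department fills in its own.
POLICY = {
    "min_length": 8,
    "upper_and_lower": True,
    "digit": True,
    "special": True,
    "expire_days": 90,   # None if the department does not expire passwords
    "history": 5,        # previous passwords that may not be reused
}

PBKDF2_ROUNDS = 100_000


def complexity_failures(password, policy=POLICY):
    """Return the 4.8 complexity rules the password fails (empty list = passes)."""
    failures = []
    if len(password) < policy["min_length"]:
        failures.append("length")
    if policy["upper_and_lower"] and not (
        any(c.isupper() for c in password) and any(c.islower() for c in password)
    ):
        failures.append("upper_and_lower")
    if policy["digit"] and not any(c.isdigit() for c in password):
        failures.append("digit")
    if policy["special"] and not any(c in string.punctuation for c in password):
        failures.append("special")
    return failures


def is_expired(last_changed_iso, today_iso, policy=POLICY):
    """True when the password is older than the selected expiry window (ISO dates)."""
    if policy["expire_days"] is None:
        return False
    age = date.fromisoformat(today_iso) - date.fromisoformat(last_changed_iso)
    return age > timedelta(days=policy["expire_days"])


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) pairs are stored for the history check."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def reuses_previous(password, history, policy=POLICY):
    """True if the password equals any of the last policy['history'] stored hashes.
    Exact match only; 'variants' in 4.8 is left for the department to define."""
    recent = history[-policy["history"]:]
    return any(
        hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS) == digest
        for salt, digest in recent
    )


def evaluate(password, last_changed_iso, today_iso, history, mfa_enrolled, policy=POLICY):
    """Combine every 4.8 condition into one report for an account."""
    report = {
        "complexity": complexity_failures(password, policy),
        "expired": is_expired(last_changed_iso, today_iso, policy),
        "reused": reuses_previous(password, history, policy),
        "mfa": mfa_enrolled,
    }
    report["compliant"] = (not report["complexity"] and not report["expired"]
                           and not report["reused"] and report["mfa"])
    return report


# Constructed sample history (oldest first): six prior passwords for one account,
# so the oldest one falls outside a history window of 5.
PREVIOUS = [hash_password(p) for p in [
    "Winter2019!", "Spring2020!", "Summer2020!", "Autumn2020!", "Winter2020!", "Spring2021!",
]]

if __name__ == "__main__":
    print(evaluate("Spring2021!", "2021-03-01", "2021-06-01", PREVIOUS, True))
    print(evaluate("Correct-Horse9", "2021-05-01", "2021-06-01", PREVIOUS, True))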
Access Rights Management
Access rights are managed to ensure that all members of the department have appropriate levels of access to all
forms of Sensitive or Restricted data. Access rights shall not exceed the minimum necessary for a workforce
member’s assigned duties. Security configurations shall be maintained on electronic resources to restrict access
to Sensitive or Restricted data to only those workforce members or software programs that have been granted
access.
4.9 Workforce clearance and authorization to access Sensitive or Restricted data shall be performed for all
workforce members prior to granting access requests to Sensitive Data. The departmental clearance and
authorization process documentation is located here: _____________________________________
4.10 Before providing access to Sensitive or Restricted data, an individual’s identity is verified by:
Dean
Departmental business manager
the individual’s manager
IT director
4.11 Individual and group access rights are assigned and documented by: _______________________________
4.12 Accounts and their associated access controls are reviewed by the departmental IT director or their
delegate:
once a month
once a quarter
once a year
other (describe):
4.13 User group membership and their associated access controls are reviewed by the departmental IT director
or their delegate:
once a month
once a quarter
once a year
other (describe):
Account Termination
4.14 When departmental accounts are terminated, account access is removed:
immediately
within 24 hours
within 1 week
within 30 days
other (describe):
4.15 When departmental accounts are terminated (unless an exception process has been triggered), all data
associated with the account is deleted:
within 30 days
within 60 days
within 90 days
within 180 days
other (describe):
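The windows selected in 4.14 and 4.15 are only useful if someone checks them. As an added example (not part of the Duke template), the following reconciles an HR termination list against what the department's own systems still show, flagging accounts still enabled past the 4.14 window and data still present past the 4.15 window, while setting aside accounts under a 4.18 legal hold so they are reported rather than silently skipped. The 24-hour and 30-day windows, the record layout and the sample rows are assumptions for this example.

```python
"""Added example: find terminated accounts that slipped past the 4.14 access
removal window or the 4.15 data deletion window, honouring 4.18 legal holds.
The windows, record layout and sample rows are assumptions, not Duke's data."""
from datetime import datetime, timedelta

# Hypothetical selections from 4.14 / 4.15 / 4.18.
ACCESS_REMOVAL = timedelta(hours=24)   # 4.14 "within 24 hours"
DATA_DELETION = timedelta(days=30)     # 4.15 "within 30 days"
LEGAL_HOLDS = {"jdoe"}                 # 4.18 exception: data must be preserved

# Constructed sample data: termination timestamps as HR recorded them ...
TERMINATIONS = {
    "asmith": datetime(2021, 2, 1, 9, 0),
    "jdoe":   datetime(2021, 1, 1, 9, 0),
    "mlee":   datetime(2021, 3, 10, 17, 0),
}
# ... and what the department's own systems still show.
ACCOUNTS = {  # account -> still enabled?
    "asmith": True,    # enabled weeks after termination: overdue
    "jdoe":   False,
    "mlee":   True,    # terminated last evening: may still be inside the window
    "rkim":   True,    # no termination record: not in scope
}
SHARES = {    # account -> data still present on the departmental share?
    "asmith": True,    # past 30 days: overdue
    "jdoe":   True,    # past 30 days but on legal hold: preserved, reported separately
    "mlee":   True,
}


def overdue_access(terminations, accounts, now, window=ACCESS_REMOVAL):
    """Accounts still enabled more than `window` after HR termination (4.14)."""
    return sorted(
        acct for acct, when in terminations.items()
        if accounts.get(acct) and now - when > window
    )


def overdue_data(terminations, shares, now, window=DATA_DELETION, holds=LEGAL_HOLDS):
    """Data still present more than `window` after termination (4.15),
    excluding accounts whose data is under a legal hold (4.18)."""
    return sorted(
        acct for acct, when in terminations.items()
        if shares.get(acct) and acct not in holds and now - when > window
    )


def preserved_by_hold(terminations, shares, holds=LEGAL_HOLDS):
    """Data kept only because of a hold, listed so the hold itself gets reviewed."""
    return sorted(acct for acct in terminations if shares.get(acct) and acct in holds)


def termination_report(now_iso, terminations=TERMINATIONS, accounts=ACCOUNTS, shares=SHARES):
    """Run all three checks as of an ISO-8601 timestamp and return the findings."""
    now = datetime.fromisoformat(now_iso)
    return {
        "access_overdue": overdue_access(terminations, accounts, now),
        "data_overdue": overdue_data(terminations, shares, now),
        "on_hold": preserved_by_hold(terminations, shares),
    }


if __name__ == "__main__":
    for key, value in termination_report("2021-03-11T08:00:00").items():
        print(f"{key}: {value}")
```

Run against a real roster, the same three lists are what an auditor under section 5 would ask for: who still has access past the window, whose data is past its deletion date, and which holds are keeping data that would otherwise be gone.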
4.16 User accounts are deleted by:
Duke NetID deletion
Departmental automated process
Details:
Departmental manual process
Details:
Other:
4.17 Exception processes for the procedures above are triggered by:
meeting with IT staff
email to IT staff
permission from IT Director
4.18 If an exception process has been triggered (for example, a legal hold on a user’s data by University
Counsel), the exception process for preserving the data is (describe in detail):
4.19 If anyone other than the account owner (the user) requests access to the account information or the account
owner’s data, our departmental policy for providing access is to refer to the university policy
(https://security.duke.edu/account-or-data-access-policy).
Yes
No – if not, provide your departmental policy and location of the documentation:
4.20 Departmental termination checklist documentation is located: _______________________________
Example termination checklist:
Termination Checklist

Responsibilities
Item | Responsible Party | Comments
User Account | |
Service 1 | |
Service 2 | |
Service 3 | |
Service 4 | |
Service 5 | |

Department Responsibilities
Item | Responsible Party | Comments
Identify & remove systems/applications with local access | Department | Need to include OS logins, root/admin logins and passwords, and application logins/passwords. Also check permissions on remote shares (e.g. NFS mounts)
Departmental Mail access | Department |
Departmental VPN access | Department |
Departmental Door access | Department | If separate from Blackboard, Lenel, or Optim
Retrieve Computer (Optional) | Department |
Data Deletion | Department | Delete user's local data per departmental policy, unless exception process has been triggered due to legal preservation requirements.
5. Enforcement
It is the responsibility of departmental IT staff to ensure that the controls described in this document are
implemented. IT administrators understand that the secure management of accounts, access rights, and data is a
critical part of Duke’s overall information security strategy.
Campus departments undergo periodic internal and external audits. These audits typically include an analysis of
the processes and controls used by departments to secure and manage servers. The Office of Internal Audits
carries out internal audits. The initiation of an internal audit is based on a risk analysis, also performed by the
Office of Internal Audits. A requirement for an external audit may be recommended as a result of the internal
audit, or be requested independently by a department's management. The department is responsible for
remediation of any findings of non-compliance with this standard within the time frame agreed to with the
auditors.
Review Frequency: Annually
Updated: 2/13
In Compliance with:
Duke University Data Classification Standard
Duke University Acceptable Use Policy
Duke University Log Standard
References:
University IT Security Office website: http://www.security.duke.edu