UMGC Policy X-1.19B

Account Management (UMGC Workforce)

Policy Category: X (Information Governance, Security & Technology)
Policy No. & Title: X-1.19B Account Management (UMGC Workforce)
Policy Owner: VP of Information Security
Effective Date: July 15, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Every 3 years

  1. Purpose

    The purpose of this Account Management (UMGC Workforce) Policy is to (a) establish standards for the creation, administration, and disabling of University of Maryland Global Campus ("UMGC" or "University") Accounts used by UMGC staff ("Staff"), faculty members, including adjunct, overseas and collegiate faculty ("Faculty"), or another person or company which provides materials or services to UMGC (a "Contractor"); and (b) establish Account management parameters to allow only Authorized Users to access University Information, Information Systems and Information Resources, and to restrict unauthorized individuals from access.

  2. Scope

    This Policy applies to all those responsible for the management and/or administration of User Accounts created for the use of Staff, Faculty, and Contractors. A separate policy, UMGC Policy X.1-19A Account Management (UMGC Learner Community), applies to the creation and administration of Accounts for members of the UMGC Learner Community.

  3. Definitions

    The capitalized terms found in the Policy shall have the meanings below:

    1. Account: An established relationship between a User and a computer, network, or Information System which is assigned a credential such as a username and password.

    2. Access Account Manager: The individual who is responsible for creating, monitoring, modifying, administering or terminating User Account privileges on any UMGC Information Systems or Information Resource.

    3. Administrative Account: An Account with elevated privileges intended to be used only when performing management tasks, such as installing updates and application software, managing user accounts, and modifying operating system and application settings.

    4. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.

    5. Critical Information Systems or CIS: Inter-related components of Information Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on University operations, assets, or individuals.

    6. Data: A subset of Information in an electronic format which allows it to be retrieved or transmitted.

    7. Data Classification: The assignment of a classification to Data or sets of Data based on the impact to the University if the Confidentiality, Integrity, or Availability of the Data is compromised.

    8. Data Steward: A UMGC staff member responsible for determining User access to Data and classifying the Data which originates from or resides in their respective business units.

    9. Emergency Account: A temporary Account created in response to a crisis situation and with the need for rapid Account activation.

    10. Functional Account: An Account used to perform automated account management functions, whether within an operating system or an application, on-premise, or in the cloud.

    11. Guest Account: A temporary Account with a limited set of privileges given to certain types of third-party Users.

    12. Information: Any communication or representation of knowledge such as facts, data, or opinions in any medium or form, including textual, numerical, graphic, cartographic, narrative, or audiovisual.

    13. Information Governance (IG) Team: A group of representatives from the various functional areas of the University and third party subject matter experts as appropriate who are responsible for (i) providing interdepartmental oversight and strategic management of the University's Information and Information Resources; (ii) facilitating the integration of Privacy by Design into University operations; and (iii) supporting the development and review of Information Governance related policies and procedures across the University.

    14. Information Resource: Anything that is intended to generate, store, or transmit Information.

    15. Information System: Inter-related components of Information Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    16. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

    17. Least Privilege: The security objective of granting an individual access to only such Information Resources and records, and the Information contained therein, as necessary to perform the individual's job.

    18. Non-Critical Information System: An electronic Information Resource that does not meet the definition of a Critical Information System.

    19. Privileged Account: An Account that is authorized to perform security-relevant functions that an ordinary Account is not authorized to perform.

    20. Record: A collection of Information, in any form, created, received and retained by the organization as evidence in the transaction of business to meet legal obligations or regulatory requirements. Also used to refer to units of related data fields (i.e., groups of data fields that can be accessed by a program and that contain the complete set of information on particular items).

    21. Service Account: An Account which is created explicitly to provide a security context for services running on the local operating system. The security context determines the service's ability to access local and network resources.

    22. Shared Account: An Account that allows multiple people to use the same username and password to access the Account.

    23. Supervisor (CIS): An individual who directly manages a Supervisor (Immediate). For Contractors, a UMGC staff member designated by the Information System Steward to approve Contractor access to the applicable Critical Information System.

    24. Supervisor (Immediate): An individual who directly manages an Employee or Contractor; may approve access to non-Critical Information Systems and may request access for Critical Information Systems.

    25. Technical System Lead: An Employee or individual providing services to the University who works to ensure that the Information System meets the business expectations around functionality and deliverables, as well as the integration, modification, security, operation and maintenance of an Information System.

    26. Two-Factor Authorization: A method of verifying a User's authorization to access an Information System that requires two independent authentication methods before the User is granted access to the Information System.

    27. User: A member of the UMGC community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of UMGC, including Contractors, volunteers and other individuals who may have a need to access, use or control UMGC Data.

  4. Management of Information Resources

    1. The University shall designate Information System Stewards. The Information Governance Team, established by University Policy UMGC X-1.01 - Information Governance, shall maintain a record of designated Information System Stewards.

    2. Each Information System Steward shall be responsible for ensuring that the identified Technical System Lead, Data Steward(s), Supervisor(s) (Immediate), Access Account Manager(s), and other key stakeholders as applicable, who carry out Account management activities for the Information Resource(s) overseen by that Information System Steward, are recorded.

    3. Each Information System Steward shall be responsible for ensuring that there is a designated Supervisor (CIS) for Contractors accessing the Information System Steward's respective Information Resource(s) and that such designations are appropriately recorded.

    4. When an Information Resource is purchased, modified or developed, the Information System Steward shall ensure the applicable Data Steward(s) are notified in order for the Data Steward(s) to assign Data Classification(s) to the Data contained in the Information Resource.

    5. Data Stewards shall work with Information System Stewards and Technical System Leads to appropriately ensure that the assigned roles, privileges, and safeguards within an Information Resource align with the Data Classification(s) assigned.

  5. Account Provisioning

    1. Employees, Contractors, and third parties acting on behalf of the University shall acknowledge and sign the University's Confidentiality Statement and Acceptable Use Policy prior to Account provisioning for the User.

    2. Supervisors (Immediate) shall ensure the following when requesting Account creation:

      1. That the identity of a User has been verified before the User is provided with log-in credentials.

      2. That an Authorized User's access to Information Resources and the Information therein is granted in accordance with the concept of Least Privilege.

      3. That for Critical Information Systems, the Supervisor (Immediate) obtains approval from the Supervisor (CIS) prior to requesting the creation of a new Account.

      4. That all Account creation requests are documented and submitted to the Information Resource's Access Account Manager. The request shall include the Authorized User's Account privileges.

    3. Access Account Managers shall ensure the following when creating Accounts:

      1. All Accounts are constructed in accordance with the minimum requirements of the most recent University System of Maryland IT Security Standards, where administratively and technologically feasible.

      2. Each Authorized User shall receive a unique username. To avoid Information System conflicts and ensure accountability, existing or disabled usernames shall not be reissued.

      3. In addition to the requirements above, Administrative Accounts shall be protected by Two-Factor Authentication, and passwords shall have a minimum length of 14 characters, where administratively and technologically feasible.

    4. Additional Criteria for Creating Specific Types of Accounts

      1. Emergency Accounts may be created on a temporary basis in order to remediate an immediate threat to the University.

        1. Within two (2) business days of the creation of the Emergency Account, the Emergency Account must either be approved by the Supervisor (Immediate) of the individual who creates the Account or disabled.

        2. Within five (5) business days of the creation of the Emergency Account, the Supervisor (Immediate) of the individual who creates the Emergency Account must report on the basis for the creation and the current status of the Emergency Account to the Information System Steward.

        3. A record of the creation of the Emergency Account, the basis for its creation, and its disposition shall be appropriately documented.

      2. Privileged Accounts that are not associated with a User, such as Service Accounts and Functional Accounts, may be created in order to ensure that an Information Resource operates effectively. Such Privileged Accounts shall be documented and approved, prior to the creation of the Privileged Account, by the Supervisor (Immediate) of the individual who creates the Privileged Account and the Information System Steward.

      3. Guest Accounts shall only be created and assigned on a temporary basis. Such Guest Accounts shall be removed or disabled after a pre-defined period of time has elapsed.

        1. For Non-Critical Information Systems, the manager of the Access Account Manager must approve the Guest Account, including the intended date of creation and the deadline by which the Account shall be disabled, prior to its creation. The details of the request shall be documented.

        2. For Critical Information Systems, the manager of the Access Account Manager and applicable Information System Steward must approve the Guest Account, including the intended date of creation and the deadline by which the Account shall be disabled, prior to its creation. The details of the request shall be documented.

      4. Shared Accounts are prohibited unless approved by the Information System Steward, prior to their creation, as necessary for a documented legitimate business purpose.

  6. Managing Accounts

    1. Supervisors (Immediate) shall ensure that all Account changes for an Authorized User are documented and submitted to the applicable Access Account Manager(s). For Critical Information System(s), all Account changes shall be documented and approved by the Supervisor (CIS) prior to the submission of the requested change to the Access Account Manager.

    2. The documentation shall include the Account privileges for that particular Authorized User.

    3. Authorized Users shall not make changes to their own Account privileges. If Authorized Users believe they need changes to their Account privileges, they shall make the request to their Supervisor (Immediate).

    4. If an Authorized User is determined to have an inappropriate level of access, the Supervisor (Immediate) shall work with the Access Account Manager to remediate the Account status in a timely manner. All changes must be documented.

    5. If an Authorized User transfers to a new position at UMGC, the individual's previous and new Supervisor (Immediate) shall review and modify the individual's Account(s) in accordance with the concept of Least Privilege. All changes must be documented.

  7. Deprovisioning Accounts

    1. UMGC's Human Resources department shall establish and maintain internal administrative procedures for notification to the Access Account Manager responsible for deactivating access to User Accounts when Staff or Faculty separate from UMGC.

    2. The Access Account Manager shall terminate access as soon as administratively feasible after a User separates from UMGC, but in any event, within 24 hours of separation.

    3. In the event that a Contractor's relationship with the University is terminated, the Information System Steward and the Technical System Lead are responsible for ensuring that the Access Account Manager(s) have been notified in writing immediately upon termination. Accounts associated with the Contractor shall be disabled in a timely manner, not to exceed 1 calendar day from the date the notification is sent.

    4. Accounts that have been inactive for a minimum of ninety (90) days shall be reviewed and disabled, as appropriate.

    5. Information System Stewards and Technical System Leads may disable, or instruct appropriate personnel to disable, an Account without warning if detected to have been accessed in violation of UMGC or USM policies, state or federal law, or if specific Account activity has the potential to introduce a risk to the Information Resource(s) as a whole. The Office of Human Resources shall be notified within twenty-four (24) hours of such action being taken on a Staff or Faculty Account.

  8. Yearly Review

    1. Supervisors (Immediate) shall validate the Accounts for which they are responsible with all applicable Information System Stewards on a yearly basis. Information System Stewards shall assess and identify any necessary Account changes.

    2. Information System Stewards shall report on compliance with this Policy on a yearly basis to the Information Governance Team.

  9. Enforcement

    1. Any Faculty, Staff, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the V.P., Information Security as soon as practicable.

    2. Information System Stewards, in consultation with the Office of Human Resources, may instruct Access Account Managers or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.

    3. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.

  10. Related Policies and Procedures

    1. UMGC Policy X.1-19A - Account Management (UMGC Learner Community)

    2. Internal Administrative Procedures – Decommissioning of Staff and Faculty Accounts.