Account Management (UMGC Workforce)

Purpose

The purpose of this Account Management (UMGC Workforce) Policy is to (a) establish standards for the creation, administration, and disabling of University of Maryland Global Campus ("UMGC" or "University") Accounts used by UMGC staff ("Staff"), faculty members, including adjunct, overseas and collegiate faculty ("Faculty"), or another person or company which provides materials or services to UMGC (a "Contractor"); and (b) establish Account management parameters to allow only Authorized Users to access University Information, Information Systems and Information Resources, and to restrict unauthorized individuals from access.

Scope

This Policy applies to all those responsible for the management and/or administration of Accounts created for the use of Staff, Faculty, and Contractors. A separate policy, UMGC Policy X.1-19A Account Management (UMGC Learner Community), applies to the creation and administration of Accounts for those individuals.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. The University shall designate Information System Stewards. The Information Governance Team, established by University Policy UMGC X-1.01 - Information Governance, shall maintain a record of designated Information System Stewards.
2. Each Information System Steward shall be responsible for ensuring that the identified Technical System Lead, Data Steward(s), Supervisor(s) (Immediate), Access Account Manager(s), and other key stakeholders as applicable, who carry out Account management activities for the Information Resource(s) overseen by that Information System Steward is recorded.
3. Each Information System Steward shall be responsible for ensuring that there is a designated Supervisor (CIS) for Contractors accessing the Information System Steward's respective Information Resource(s) and that such designations are appropriately recorded.
4. When an Information Resource is purchased, modified or developed, the Information System Steward shall ensure the applicable Data Steward(s) are notified in order for the Data Steward(s) to assign Data Classification(s) to the Data contained in the Information Resource.
5. Data Stewards shall work with Information System Stewards and Technical System Leads to appropriately ensure that the assigned roles, privileges, and safeguards within an Information Resource align with the Data Classification(s) assigned.

1. Employees, Contractors, and third parties acting on behalf of the University, shall acknowledge and sign the University's Confidentiality Statement and Acceptable Use Policy prior to Account provisioning for the User.
2. Supervisors (Immediate) shall ensure the following when requesting Account creation:
   1. That the identity of a User has been verified before the User is provided with log-in credentials.
   2. That Authorized User's access to Information Resources and the Information therein is granted in accordance with the concept of Least Privilege.
   3. That for Critical Information Systems, the Supervisor (Immediate) obtains approval from the Supervisor (CIS) prior to requesting the creation of a new Account.
   4. That all Account creation requests shall be documented and submitted to the Information Resource's Access Account Manager. The request shall include the Authorized User's Account privileges.
3. Access Account Managers shall ensure the following when creating Accounts:
   1. All Accounts are constructed in accordance with the minimum requirements of the most recent University System of Maryland IT Security Standards, where administratively and technologically feasible.
   2. Each Authorized User shall receive a unique username. To avoid Information System conflicts and ensure accountability, existing or disabled usernames shall not be reissued.
   3. In addition to the requirements above, Administrative Accounts shall be protected by Multi-Factor Authentication (MFA), and passwords shall have a minimum length of 12 characters, where administratively and technologically feasible.
4. Additional Criteria for Creating Specific Types of Accounts
   1. Emergency Accounts may be created on a temporary basis in order to remediate an immediate threat to the University.
      1. Within two (2) business days of the creation of the Emergency Account, the Emergency Account must either be approved by the Supervisor (Immediate) of the individual who creates the Account or disabled.
      2. Within five (5) business days of the creation of the Emergency Account, the Supervisor (Immediate) of the individual who creates the Emergency Account must report on the basis for the creation and the current status of the Emergency Account to the Information System Steward.
      3. A record of the creation of the Emergency Account, the basis for its creation, and its disposition shall be appropriately documented.
   2. Privileged Accounts that are not associated with a User, such as Service Accounts and Functional Accounts, may be created in order to ensure that an Information Resource operates effectively. Such Privileged Accounts shall be documented and approved, prior the creation of the Privileged Account, by the Supervisor (Immediate) of the individual who creates the Privileged Account and the Information System Steward.
   3. Guest Accounts shall only be created and assigned on a temporary basis. Such Guest Accounts shall be removed or disabled after a pre-defined period of time has elapsed.
      1. For Critical Information Systems, the manager of the Access Account Manager and applicable Information System Steward must approve the Guest Account, including the intended date of creation and the deadline by which the Account shall be disabled, prior to its creation. The details of the request shall be documented.
      2. For Non-Critical Information Systems, the manager of the Access Account Manager must approve the Guest Account, including the intended date of creation and the deadline by which the Account shall be disabled, prior to its creation. The details of the request shall be documented.
   4. Shared Accounts are prohibited unless approved by the Information System Steward as necessary for a documented legitimate business purpose prior to its creation.

1. Supervisors (Immediate) shall ensure that all Account changes for an Authorized User are documented and submitted to the applicable Access Account Manager(s). For Critical Information System(s), all Account changes shall be documented and approved by the Supervisor (CIS) prior to the submission of the requested change to the Access Account Manager.
2. The documentation shall include the Account privileges for that particular Authorized User.
3. Authorized Users shall not make changes to their own Account privileges. If Authorized Users believe they need changes to their Account privileges, they shall make the request to their Supervisor (Immediate).
4. If an Authorized User is determined to have an inappropriate level of access, the Supervisor (Immediate) shall work with the Access Account Manager to remediate the Account status in a timely manner. All changes must be documented.
5. If an Authorized User transfers to a new position at UMGC, the individual's previous and new Supervisor (Immediate) shall review and modify the individual's Account(s) in accordance with the concept of Least Privilege. All changes must be documented.

1. UMGC's Human Resources department shall establish and maintain internal administrative procedures for notification to the Access Account Manager responsible for deactivating access to Accounts when Staff or Faculty separate from UMGC.
2. The Access Account Manager shall terminate access as soon as administratively feasible after a User separates from UMGC, but in any event, within 24 hours of separation.
3. In the event that a Contractor's relationship with the University is terminated, the Information System Steward and the Technical System Lead are responsible for ensuring that the Access Account Manager(s) has been notified in writing immediately upon termination. Accounts associated with the Contractor shall be disabled in a timely manner, not to exceed 1 calendar day from the date the notification is sent.
4. Accounts that have been inactive for a minimum of ninety (90) days shall be reviewed and disabled, as appropriate.
5. Information System Stewards and Technical System Leads may disable, or instruct appropriate personnel to disable, an Account without warning if detected to have been accessed in violation of UMGC or USM policies, state or federal law, or if specific Account activity has the potential to introduce a risk to the Information Resource(s) as a whole. The Office of Human Resources shall be notified within twenty-four (24) hours of such action being taken on a Staff or Faculty Account.

1. Supervisors (Immediate) shall validate the Accounts for which they are responsible with all applicable Information System Stewards on a yearly basis. Information System Stewards shall assess and identify any necessary Account changes.
2. Information System Stewards shall report on compliance with this Policy on a yearly basis to the Information Governance Team.

1. Any Faculty, Staff, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Information System Stewards in consultation with the Office of Human Resources may instruct Access Account Managers, or other appropriate personnel to confiscate, temporarily suspend, or terminate Users' access to Information Resources while investigating an alleged violation of this Policy.
3. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations,” dated February 2020
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, December, 2021

Related Policies and Procedures

UMGC Policy X.1-19A - Account Management (UMGC Learner Community)