SEC-S005 Special Named Accounts Standard

  1. OBJECTIVE: 
    1. Austin Peay State University (APSU) is responsible for ensuring the confidentiality, integrity, and availability of data stored on its systems.  This standard, operating under University Policy 4:042 Information Security and Data Classification, defines and establishes governance for the creation and maintenance of special named accounts for student workers, graduate assistants, contractors, and other named account users requiring Enterprise User access to APSU employee email and systems that fall outside of the automated provisioning and deprovisioning process.  Proper management of accounts that are manually created will ensure secure access to and protection of university data assets.
  2. RESPONSIBILITY: 
    1. Director, Information Technology Security
  3. APPROVAL AUTHORITY:
    1. Chief Information Officer
  4. SCOPE:
    1. This standard applies to the provisioning, use, and de-provisioning of named employee accounts managed externally to the automated process in place for regular employee accounts.   Such accounts include student employee accounts, vendor accounts, contractor accounts and external auditor accounts when these users need access to university email and/or systems while working as an agent for the university.
  5. DEFINITIONS:
    1. Student Employee Account – an account created for a student employee that resides in the employee email tenant.  This account allows a student employee to access email and systems required to perform their job responsibilities.
    2. Auditor or Vendor Account – a university employee account created for outside agents of the university who require access to university email and systems for the benefit of the university.
  6. REQUIREMENTS:
    1. Student Employee Accounts
      1. Student employee accounts are not automatically created for all student employees.  If the student employee needs an employee account for email and/or access to university systems to fulfill their job responsibilities, the sponsoring department must request a student employee account with the Special Named Account Request.
      2. Student employee accounts are created with a preset expiration date of the last day of the semester in which the request is made.
      3. Student employee accounts are created by adding a ‘1’ to the beginning of the student’s regular email account.  Student employee accounts reside in the @apsu.edu email tenant.
      4. The sponsoring department may request re-activation of the student employee account on a semester-by-semester basis with the Special Named Account Request within each semester the student is being employed.
      5. Student employee accounts will be restricted as much as possible and will be assigned the least privileges required to be able to fulfill their job responsibilities.  
      6. Student employee accounts must be protected by multi-factor authentication and will follow the normal user password account change policy.  Exceptions to this requirement must be approved by the IT Security director or CIO.
      7. It is the responsibility of the sponsoring department and the sponsoring employee within the department that requested the student employee account to ensure proper use of the account.  Responsibility also falls on the student employee who has access to this account.  The student employee must adhere to the Acceptable Use of Information Technology Resources Policy.
      8. Student employee accounts will be audited annually by the Information Technology Security department for appropriateness of access and proper expiration.
    2. Employee Accounts created for Outside Agents working for the University
      1. Accounts for vendors, contractors, external auditors, or any other persons working as an agent for the university that require access to university email and/or systems must be requested with the Special Named Account Request.  Select “Auditor or Contractor Account” in the request form.
      2. These accounts are created with a preset expiration date of 90 days from when the request is made.
      3. These accounts are created in the form of firstname_lastname and reside in the @apsu.edu email tenant.
      4. If this account needs to be extended after the 90-day period, a request is made with the Special Named Account Request, selecting Reactivate Existing Account.  An additional 90 days may be requested.
      5. These accounts will be restricted as much as possible and will be assigned the least privileges required to be able to fulfill their job responsibilities.
      6. It is the responsibility of the sponsoring department and the sponsoring employee within the department that requested the account to ensure proper use of the account.  Responsibility also falls on the outside agent who has access to this account.  The outside agent must adhere to the Acceptable Use of Information Technology Resources Policy.
  7. ASSOCIATED DOCUMENTS:
    1. 4:042 Information Security and Data Classification Policy
    2. 4:029 Acceptable Use of Information Technology Resources

  8. RECORD RETENTION TABLE:

| Identification | Storage | Retention | Disposition | Protection |
| --- | --- | --- | --- | --- |
| OITManagers Network Share | Electronic | Perpetual | Delete | Electronic Back-up |

  9. REVISION HISTORY:

| Date: | Rev. | Description of Revision: |
| --- | --- | --- |
| 6/28/2021 | | Initial Release |