SEC-S002 Generic Account Standard

  1. OBJECTIVE: 
    1. Austin Peay State University (APSU) is responsible for ensuring the confidentiality, integrity, and availability of data stored on its systems.  This standard, operating under University Policy 4:042 Information Security and Data Classification, defines and establishes governance for the creation and maintenance of generic user accounts for network, system, application, and email access on all of APSU’s systems.
  2. RESPONSIBILITY: 
    1. Director, Information Technology Security
  3. APPROVAL AUTHORITY:
    1. Chief Information Officer
  4. SCOPE:
    1. This standard applies to the use of generic login and generic email accounts by the university.  Users are prohibited from accessing other users’ accounts by APSU Policy 4:029: Acceptable Use of Information Technology Resources.  However, in some situations and to support the functionality of a business process, system, device, or application, a shared account may be justified.  
  5. DEFINITIONS:
    1. Generic login account - any non-person account that may allow multiple users to use a single account to authenticate to the network, application, or other university technology resources.  These accounts will not have email access.
    2. Generic email account - any email account used by a department or unit that does not uniquely identify an individual person or people.
  6. REQUIREMENTS:
    1. Generic Login Accounts
      1. Generic login accounts will be restricted as much as possible and will be assigned the least privileges required to do the job they are intended for.  Because these accounts will not have email access, they will not be visible in the campus directory.
      2. Generic login accounts will not be approved for access to university financial or credit card information or to personnel records.
      3. The generic login will follow the normal user password account change policy.  Exceptions to this requirement must be approved by the IT Security director or CIO.
      4. The generic login account is owned by a department or unit and must have a designated owner from that department or unit who is responsible for the account.
      5. A request for a generic login account is made with the Generic Email Account Request and must include a short description of the business case requiring the creation of the account.  Requests for a generic login account will be approved or disapproved by the Information Technology Security Director.
      6. The password must be changed whenever the owner or any other user of the generic login account changes.
      7. The owner of the generic login account is responsible for periodically reviewing the generic login account for need and usage.  If the account is determined to not be needed, the owner of the generic login account must request to have the account disabled.
      8. Generic login accounts will be audited annually by the Information Technology Security department for appropriateness of access and ongoing need.
    2. Generic Email Accounts
      1. A generic email account must be configured so that it can only be used through delegate access.  A user must not be able to directly enter the username and password (interactive login) to gain access to the generic email account.  Exceptions must be approved by the IT Security Director or CIO and will follow the normal user password account change standard.
      2. Additional delegate access to the generic email account must be requested from the IT Help Desk (GovsTech) by the account owner.
      3. The generic email account is owned by a department or unit and must have a designated owner who is responsible for the account from that department or unit. 
      4. A request for a generic email account is made with the Generic Email Account Request and must include a short description of the business case requiring the creation of the account.  Requests for a generic email account will be approved or disapproved by the Information Technology Security Director.
      5. The owner of the generic email account is responsible for periodically reviewing the generic email account for need and usage.  If the account is determined to not be needed, the owner of the generic email account must request to have the account disabled.
      6. Generic email accounts will be audited annually by the Information Technology Security department for appropriateness of access and ongoing need.
  7. ASSOCIATED DOCUMENTS:
    1. 4:042 Information Security and Data Classification Policy
    2. 4:029 Acceptable Use of Information Technology Resources
  8. RECORD RETENTION TABLE:

    Identification               Storage      Retention   Disposition   Protection
    OITManagers Network Share    Electronic   Perpetual   Delete        Electronic Back-up

  9. REVISION HISTORY:

    Date:        Rev.   Description of Revision:
    6/28/2021           Initial Release