Policy Number: 12-003

Account Management Policy

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


  1. Purpose

To provide a comprehensive account management process that allows only authorized individuals access to University Data and Information Systems.

  2. Applicability

This policy applies to all Information Systems and University Data, and to the identities and accounts used to access them.

  3. Definitions:

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and associated PC or the set of desktop computers used to perform general duties in a department.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

4. Policy Statement

  1. All persons and processes granted access to an information system, beyond that explicitly intended for unauthenticated public access, must be uniquely and individually identified and authenticated.
  2. All university managed or contracted services must accept Gatorlink credentials, unless the primary user base includes those not eligible to obtain Gatorlink accounts.
  3. All persons and processes that have been granted access to an information system must have an approved and documented level and scope of access.
  4. Access to University Data and Information Systems is to be promptly modified upon changes in university affiliation, position, or responsibilities.

ACCOUNT MANAGEMENT STANDARD

Purpose

To establish requirements for account and access management, including creation, approval, authorization and termination.

Standard:

  1. Each user of an Information System will be issued a unique account and identifier (username) for that Information System. Information Systems must use Gatorlink accounts; otherwise, unique identifiers should match those of the enterprise-issued account assigned to the user. Unique identifiers will not be reissued to anyone other than the original user. Systems in which it is not possible to assign unique identifiers to each user must implement compensating controls to limit access and provide accountability.
  2. Shibboleth SSO is the preferred method for authenticating user access.
    1. Web applications, cloud services, and any other system capable of Shibboleth must do so.
    2. Authentication via PC-based client software, in which the computer accepting the credentials is managed by UF, may use UFAD if Shibboleth is not supported.
  3. Units must document approval to issue each account, the type of account (individual, group, system, guest/anonymous and temporary) and the scope and level of access assigned to that account.
  4. Authorizations must only grant the minimum level of access to University Data and Information Systems needed to perform the intended function.
  5. Every account on an Information System must be reviewed prior to being placed into use and annually thereafter. The approval and authorizations for each account must be verified.
  6. Accounts not used within 180 days are to be disabled, and must be explicitly re-enabled prior to further use. Temporary accounts should be issued with a pre-set expiration date.
  7. Accounts and authorizations must be promptly modified when the assigned user's job duties or assignment change, or upon termination of employment or appointment. Managers should coordinate with appropriate staff to ensure immediate suspension of accounts assigned to employees who are involuntarily terminated. Other personnel actions may also warrant immediate suspension of accounts. Access methods (such as passwords) for any shared accounts must be changed upon termination of an employee who had use of the shared account. Temporary and Guest access must be monitored and promptly suspended or removed once approval expires.

Effective Date:

January 20, 2016

History

Revision Date       Description
January 20, 2016    Policy originally adopted
August 1, 2022      Policy updated