Sample Account Management Policy Template
Contents
The purpose of this policy is to establish a standard for the creation, administration, use, and removal of accounts that facilitate access to information and technology resources.
Free Security Policy Templates
Get a step ahead of your cybersecurity goals with our comprehensive templates.
Definitions
- Account: Any combination of a User ID (sometime referred to as a username) and a password that grants an authorized user access to a computer, an application, the network, or any other information or technology resource.
- Security Administrator: The person charged with monitoring and implementing security controls and procedures for a system. Whereas {COMPANY-NAME} may have one Information Security Officer, technical management may designate a number of security administrators.
- System Administrator: The person responsible for the effective operation and maintenance of information systems, including implementation of standard procedures and controls to enforce an organization’s security policy.
Overview
Computer accounts are the means used to grant access to {COMPANY-NAME}’s information systems.
These accounts provide a means of providing accountability, a key to any computer security program, for {COMPANY-NAME} usage.
This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program.
Audience
This policy applies to the employees, Directors, volunteers, contractors, consultants, temporaries, and other workers at {COMPANY-NAME}, including all personnel affiliated with third parties with authorized access to any {COMPANY-NAME} information system.
Policy Detail
Accounts
- All accounts created must have an associated written request and signed management approval that is appropriate for the {COMPANY-NAME} system or service.
- All accounts must be uniquely identifiable using the assigned username.
- Shared accounts on {COMPANY-NAME} information systems are not permitted.
- Reference the Employee Access During Leave of Absence Policy for removing an employee’s access while on a leave of absence or vacation.
- All default passwords for accounts must be constructed in accordance with the {COMPANY-NAME} Password Policy.
- All accounts must have a password expiration that complies with the {COMPANY-NAME} Password Policy.
- Concurrent connections may be limited for technical or security reasons.
- All accounts must be disabled immediately upon notification of any employee’s termination.
Account Management
The following items apply to System Administrators or designated staff:
- Information system user accounts are to be constructed so that they enforce the most restrictive set of rights/privileges or accesses required for the performance of tasks associated with an individual’s account. Further, to eliminate conflicts of interest, accounts shall be created so that no one user can authorize, perform, review, and audit a single transaction.
- All information system accounts will be actively managed. Active management includes the acts of establishing, activating, modifying, disabling, and removing accounts from information systems.
- Access controls will be determined by following established procedures for new employees, employee changes, employee terminations, and leave of absence.
- All account modifications must have a documented process to modify a user account to accommodate situations such as name changes and permission changes.
- Information system accounts are to be reviewed monthly to identify inactive accounts. If an employee or third party account is found to be inactive for 30 days, the owners (of the account) and their manager will be notified of pending disablement. If the account continues to remain inactive for 15 days, it will be manually disabled.
- A list of accounts, for the systems they administer, must be provided when requested by authorized {COMPANY-NAME} management.
- An independent audit review may be performed to ensure the accounts are properly managed.
Article by
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Jason Firch, MBA
Jason is a proven marketing leader, veteran IT operations manager, and cybersecurity expert with over a decade of experience. He is the founder and CEO of PurpleSec.
Share This Page
Our Editorial Process
Our content goes through a rigorous approval process which is reviewed by cybersecurity experts – ensuring the quality and accuracy of information published.
Categories
The Breach Report
Our team of security researchers analyze recent cyber attacks, explain the impact, and provide actionable steps to keep you ahead of the trends.
Related Templates
An acceptable use policy outlines the use of computer equipment. Inappropriate use exposes the company to risks including virus attacks, compromise of network systems and services, and legal issues.
This policy defines the requirement for reporting and responding to incidents related to the company’s information systems and operations
A penetration testing policy provides guidance for managing a penetration testing program and performing penetration testing activities with the goal of improving defensive IT security
The purpose of an internet usage policy is to establish the rules for the use of company Internet for access to the Internet or the Intranet.
The company must prioritize its assets and protect the most critical ones first; however, it is important to ensure patching takes place on all machines.
