User Account Management Guidance for UCOP Departments

9/29/2010

The University of California Office of the President uses numerous computerized systems and associated information repositories to conduct business. Based on employment status, UC affiliation, and/or roles and responsibilities, individuals are granted authority to use these systems and to access information. Confidential information, as well as other University information assets, must be protected by means of user account management processes that include procedures for authorizing and revoking access.

Responsibility for User Account Management
Per policy,1 the Resource Proprietor (or “owner,” such as a UCOP department or unit) of each system is responsible for

  • classifying the data in the system,
  • identifying risks to the data and ensuring appropriate security controls are in place to reduce risks,
  • approving requests for access to and release and disclosure of information, and
  • revoking system access when appropriate.

Approval of Access. An approved access request typically leads to the creation of a user account for system access and/or establishment of specific access permissions. Depending on the system, the user account and permissions may be set up by the Resource Proprietor, IR&C, or a third party such as a vendor or another UC location.

Revocation of Access. When an individual no longer has the job responsibilities or University affiliation that justified authorization for access to the system, it is important to revoke access promptly. Revocation of access is especially important for systems that contain personally identifying information or Protected Health Information protected by law, and for which there may be notification requirements in the event of unauthorized access.

Guidelines for User Account Management
Resource Proprietors should implement procedures to manage user account access consistent with the following guidelines:

    1. Define and Communicate Authorization Criteria
        1. Establish and document clear criteria for approving and authorizing access to the system, including requirements for UC employment, UC affiliation status, and role and responsibilities.

        1. Communicate the access authorization criteria to those who request access to the system and clearly indicate that changes in status of employment, affiliation, or role/responsibilities which contravene previous approvals are cause for revocation of access.

      1. Communicate to users the need for immediate notification to the Resource Proprietor of changes in an individual’s employment status, UC affiliation, or job responsibilities.

  1. Implement Controls on Accounts
      1. Track information about the user account:

        Retain detailed information pertaining to the account: request for access, approvals, creation of account, lock out and unlock activity, revocation, and closure as well as timestamps (date and time) for each.

      2. Use account lock out and expiration mechanisms when setting up accounts for system access:
        • If possible, set up accounts to lock out the user (prevent login even when the correct password is supplied) after a specified period of time has elapsed in which no logins have occurred.
        • If possible, set up accounts either to lock out the user or to expire on a specified date such as the planned end of the individual’s need for the account or on a periodic basis (e.g., yearly or every 6 months) appropriate to the nature of the system/service to which the account provides access.

    1. Conduct a periodic authorization review:

      At least once a year, review the status of each individual for whom an account has been established to determine whether authorization for access is still valid. Lock out or remove the accounts of those individuals who no longer meet authorization criteria. Authorization review is a particularly important control for access by individuals who are not UCOP employees, such as contractors or campus staff, where notification about changes in status may be delayed.