3.1 Account Administration Standards
Accounts that access electronic computing and information resources require prudent oversight. The following security precautions should be part of account management:
3.1.1 Issuing Accounts
- The owners of Brown data shall make decisions regarding access to their respective data (e.g., the Registrar will determine who has access to registration data, and what kind of access each user has). Account setup and modification shall require the signature (paper or electronic) of the requestor's supervisor.
- The organization responsible for a resource shall issue a unique account to each individual authorized to access that networked computing and information resource. It is also responsible for the prompt deactivation of accounts when necessary, i.e., accounts for terminated individuals shall be removed/disabled/revoked from any computing system at the end of the individual's employment or when continued access is no longer required; and, the accounts of transferred individuals may require removal/disabling to ensure changes in access privileges are appropriate to the change in job function or location.
- When establishing accounts, standard security principles of “least required access” to perform a function must always be used, where administratively feasible. For example, a root or administrative privileged account must not be used when a non-privileged account will do.
- The identity of users must be authenticated before providing them with account and password details. If an automated process is used, then the account holder should be asked to provide several information items that in totality could only be known by the account holder. In addition, it is highly recommended that stricter levels of authentication (such as face-to-face) be used for those accounts with privileged access (e.g., user accounts used for email do not require an identity validation process as thorough as for those user accounts that can be used to modify department budgets).
- Passwords for new accounts should NOT be emailed to remote users UNLESS the email is encrypted.
- The date when the account was issued should be recorded in an audit log or captured electronically.
- All managers of accounts with privileged access to Brown data must sign a Confidentiality Agreement Form that is kept in the department file under the care of a Human Resources representative or liaison.
3.1.2 Managing Accounts
- All accounts shall be reviewed at least annually by the data owner to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. The Information Security Group (ISG) may also conduct periodic reviews for any system connected to the Brown network.
- All guest accounts (for those who are not official members of the Brown community) with access to Brown computing resources shall contain an expiration date of one year or the work completion date, whichever occurs first. All guest accounts must be sponsored by the appropriate authorized member of the administrative entity managing the resource.
3.1.3 Departmental Accounts
For access to sensitive information managed by a department, account management should comply with the standards outlined above. In addition, naming conventions must not cause contention with centrally managed email addresses or usernames. Should the potential for contention arise, the applicable system(s) shall not be connected to the campus network until a mutually satisfactory arrangement is reached.
3.2 Shared Accounts
Use of shared accounts is not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switchers or routers) or application may be made (e.g., management of file shares). Such exceptions will require documentation which justifies the need for a shared account; a copy of the documentation will be shared with ISG.
Each shared account must have a designated owner who is responsible for the management of access to that account. The owner is also responsible for the above mentioned documentation, which should include a list of individuals who have access to the shared account. The documentation must be available upon request for an audit or a security assessment.
3.3 Administration of Password Changes
3.3.1 Procedures for password resets
- The identity of users must be authenticated before providing them with ID and password details. In addition, it is required that stricter levels of authentication (such as face-to-face) be used for those accounts with privileged access.
- Whenever possible, passkeys should be used to authenticate a user when resetting a password or activating a guest account, and should comply with the above standards. Passkeys provide one-time access to a system or application and require the user to change to a password of their choice upon initial login. Where passkeys are not feasible, pre-expired passwords should be used.
- Automated password resets are available and may be utilized, provided that a recognized and approved method is used, such as multiple, random challenge and response questions.
- Passwords must be reset over an encrypted tunnel (SSL, ssh, or VPN, for example).
- Password change events should be recorded in an audit log.
3.3.2 Procedures for maintenance of "shared secrets"
Those responsible for access to systems/applications/servers, etc. protected by high-level super-passwords (or the equivalent) must have proper auditable procedures in place to maintain custody of those "shared secrets" in the event of an emergency and/or should the super-password holder becomes unavailable. These documented procedures, which must be appropriately secured, should delineate how these passwords are logically or physically accessed as well as who in the "chain of command" becomes responsible for access to and/or reset of the password.