The purpose of this policy is to establish a standard for the administration of computing accounts that facilitate access or changes to Amrita University institutional data. An account, at minimum, consists of a user ID and a password; supplying account information will usually grant access to some set of services and resources. This policy establishes standards for issuing accounts, creating password values, and managing accounts.
This policy is applicable to those responsible for the management of user accounts or access to shared information or network devices. Such information will be within a database, application or shared file space. This policy covers departmental accounts as well as those managed centrally.
The following security precautions should be part of account management:
ICTS shall issue a unique account to each individual authorized to access the network and the computing and information resources. The naming convention ICTS follows when issuing a new user account should be “firstname” + “lastname”, e.g. NavneetPal.
Where two users have similar names, an initial should be inserted between the “firstname” and “lastname”, e.g. NavneetKPal. For long names, “firstname” + the initial of “lastname” should be used, e.g. KarthikeyanSathyanarayanan becomes “KarthikeyanS”. Email addresses should be set up as “firstname” + “.” + “lastname” @ am.amrita.edu. For similar names the address should be “firstname” + “.” + initial + “lastname” @ am.amrita.edu. For long names the address should be “firstname” + initial of “lastname” @ am.amrita.edu.
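The username and email rules above, worked through as an added illustration (this is not ICTS code or part of the policy). The policy does not define what counts as a "long name", so the length threshold below is an assumption, as is the use of a caller-supplied initial and a set of already-issued usernames for the "similar names" check.

```python
from __future__ import annotations
from dataclasses import dataclass
from typing import Optional, Set

DOMAIN = "am.amrita.edu"
# Assumption: the policy does not define "long name"; treat a combined
# firstname+lastname longer than this many letters as long.
LONG_NAME_THRESHOLD = 16


@dataclass(frozen=True)
class Identity:
    username: str
    email: str


def _clean(part: str) -> str:
    # Keep letters only so each of firstname/lastname is a single token.
    s = "".join(ch for ch in part if ch.isalpha())
    return s[:1].upper() + s[1:]


def derive_identity(first: str, last: str, initial: Optional[str],
                    taken: Set[str]) -> Identity:
    """Apply the ICTS naming convention as stated in the policy.

    1. long name -> firstname + initial of lastname  (KarthikeyanS)
    2. default   -> firstname + lastname             (NavneetPal)
    3. collision -> firstname + initial + lastname   (NavneetKPal)
    `taken` is the set of usernames already issued (compared case-insensitively).
    """
    first, last = _clean(first), _clean(last)
    lowered = {t.lower() for t in taken}
    if len(first + last) > LONG_NAME_THRESHOLD:
        username = first + last[0]
        email = f"{first}{last[0]}@{DOMAIN}"
    else:
        username = first + last
        email = f"{first}.{last}@{DOMAIN}"
        if username.lower() in lowered:
            if not initial:
                raise ValueError(f"{username} is taken and no initial was given")
            ini = initial[0].upper()
            username = f"{first}{ini}{last}"
            email = f"{first}.{ini}{last}@{DOMAIN}"
    if username.lower() in lowered:
        # The policy gives no further rule; a human must resolve this one.
        raise ValueError(f"username {username} still collides; escalate to ICTS")
    return Identity(username, email)
```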
ICTS is also responsible for the prompt deactivation of accounts when necessary, i.e., accounts of terminated individuals shall be removed, disabled or revoked from any computing system at the end of the individual's employment or when continued access is no longer required, and the accounts of transferred individuals may require removal or disabling to ensure that access privileges match the change in job function or location. For students, all data related to a disabled account should be cleared after 1 month. For staff, all data related to a disabled account should be cleared after 3 months.
When establishing accounts, standard security principles of “least required access” to perform a function must always be used, where feasible. For example, a root or administrative privileged account must not be used when a non-privileged account will do.
The identity of users must be authenticated before providing them with account and password details. In addition, it is highly recommended that stricter levels of authentication be used for those accounts with privileged access (e.g., user accounts used for email do not require an identity validation process as thorough as for those user accounts that can be used to modify department budgets etc.).
Passwords for new accounts should NOT be emailed to remote users unless the email is encrypted.
The date when the account was issued should be recorded in an audit log.
All managers of accounts with privileged access should be recorded under the care of a Human Resources representative or liaison.
All guest accounts (for those who are not official members of the Amrita University community) with access to Amrita University computing resources shall contain an expiration date of one year or the work completion date, whichever occurs first. All guest accounts must be sponsored by the appropriate authorized member of the administrative entity managing the resource.
For access to sensitive information managed by a department, account management should comply with the standards outlined above. In addition, naming conventions must not cause contention with centrally managed email addresses or usernames.
Use of shared accounts is not allowed. However, in some situations, a provision to support the functionality of a process, system, device (such as servers, switches or routers) or application may be made (e.g., management of file shares). Such exceptions will require documentation which justifies the need for a shared account; a copy of the documentation should be shared with ICTS.
Each shared account must have a designated owner who is responsible for the management of access to that account. The owner is also responsible for the above mentioned documentation, which should include a list of individuals who have access to the shared account. The documentation must be available upon request for an audit or a security assessment.
Those responsible for access to systems, applications, servers, etc. protected by high-level super-passwords must have proper auditable procedures in place to maintain custody of those "shared secrets" in the event of an emergency or should the password holder become unavailable. These documented procedures should define how these passwords are logically or physically accessed, as well as who becomes responsible for access to and/or reset of the password.
Applications developed at Amrita University or purchased from a vendor should contain the following security precautions: