Overview and Purpose
Computer accounts are the means used to grant access to [variable: Covered Organization] Information Resources. These accounts provide accountability, a key to any computer security program, for Information Resources usage. This means that creating, controlling, and monitoring all computer accounts is extremely important to an overall security program.
The purpose of the [variable: Covered Organization] Account Management Security Policy is to establish the rules for the creation, monitoring, control and removal of user accounts.
Coverage
The [variable: Covered Organization] Account Management Security Policy applies equally to all individuals with authorized access to any [variable: Covered Organization] Information Resources.
Definitions
Roles and Functions:
Policy
- All accounts created must have an associated request and approval that is appropriate for the [variable:Covered Organization] system or service.
- All users must sign the [variable:Covered Organization] Information Resources Security Acknowledgement and Nondisclosure Agreement before access is given to an account.
- All accounts must be uniquely identifiable using the assigned user name.
- All default passwords for accounts must be constructed in accordance with the [variable:Covered Organization] Password Policy.
- All accounts must have a password expiration that complies with the [variable:Covered Organization] Password Policy.
- Accounts of individuals on extended leave (more than 30 days) will be disabled.
- All new user accounts that have not been accessed within 30 days of creation will be disabled.
- System Administrators or other designated staff:
  - Are responsible for removing the accounts of individuals that change roles within [variable:Covered Organization] or are separated from their relationship with [variable:Covered Organization]
  - Must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes
  - Must have a documented process for periodically reviewing existing accounts for validity
  - Are subject to independent audit review
  - Must provide a list of accounts for the systems they administer when requested by authorized [variable:Covered Organization] management
  - Must cooperate with authorized [variable:Covered Organization] management investigating security incidents
Enforcement
Violation of this policy may result in disciplinary action which may include termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; dismissal for interns and volunteers; or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of [variable:Covered Organization] Information Resources access privileges and to civil and criminal prosecution.
Supporting Documentation
This policy is supported by the following rules, standards, and procedures:
- [variable: internal documents (with links, if available)]
- [variable: external documents (with links, if available)]
References
- Copyright Act of 1976
- Foreign Corrupt Practices Act of 1977
- Computer Fraud and Abuse Act of 1986
- Computer Security Act of 1987
- The Health Insurance Portability and Accountability Act of 1996 (HIPAA)
- The State of Texas Information Act
- Texas Government Code, Section 441
- Texas Administrative Code, Chapter 202
- IRM Act, 2054.075(b)
- The State of Texas Penal Code, Chapters 33 and 33A
- DIR Practices for Protecting Information Resources Assets
- DIR Standards Review and Recommendations Publications
Policy Source Document(s)
State of Texas, Department of Information Resources