Body
This standard establishes the process for creating and maintaining “Generic/Shared Accounts” for network and system access. A Generic Account is an account that is not derived using the Faculty, Staff or Student naming convention. There is no corresponding real user associated with a generic account.
Adopted by the Information Security Committee - May 10, 2011
Users are prohibited from accessing other users' computer IDs or accounts, by the Responsible Use of Information Technology Facilities and Services Policy. However, in some situations to support the functionality of a business process, system, device, or application, a shared account may be justified.
Procedures
- Generic accounts will be used by TRU in cases where multiple users must access one workstation or application to perform assigned duties or temporary work.
- The ASAR process must be followed to request the creation of a generic account.
- Each generic account must have a designated owner who is responsible for the management of access to the account.
- Each generic account must have a short description of the business case requiring the creation of the account.
- Documentation must be maintained by the owner, which will include a list of individuals who have current access to the account.
- The account password must be changed promptly whenever individuals accessing the account are terminated for any reason, or are transferred to a role that does not require access.
- The documentation must be available upon request for an audit or a security assessment as often as quarterly or as defined by the Information Security Committee.
- Network generic account access to workstations will occur only in protected areas where public access is supervised and/or restricted and the account may not be used on workstations in any other area.
- Requests for all generic accounts will be reviewed and signed by the appropriate head of department, and recommendations for approval or disapproval as appropriate will be made by the Information Security Office to the Chief Information Officer.
- Generic accounts will be audited on a regular schedule for appropriateness of access and ongoing need.