
Sample Document

Account Management Policy (Version 1)


1. Overview
User/Network accounts control access to the company’s technology resources.
They are critical to any IT security program, and the proper creation, control, and
supervision of all User/Network accounts is vital.

2. Scope
This policy applies to all accounts (or any form of access that supports or
requires User/Network ID) on any system that resides at any company facility,
has access to the company network, or stores any non-public company
information.

3. Policy
3.1. General
The ___ is responsible for ensuring that this policy is adhered to.
All authorized users will be provided a unique User/Network account
for their sole use.
All accounts must be uniquely identifiable by an assigned user name.
All accounts must have a password that complies with the Password
Policy.
Accounts will be administered by a Designated Account Administrator
(DAA).
Five types of User/Network accounts are used by the company:

Individual Accounts
Individual accounts are the primary and preferred method of providing
access to the company’s IT resources.
Users are accountable for their actions and can be audited by the
systems to which they have access rights.
Individual users must adhere to the terms and conditions of use set
forth in the company’s policies relating to technology, e-mail, the
internet, and computers.
Sample policy from AAA Technical Writing: Account Management Policy (Version 1) Page 2 of 4

Administration (Privileged) Accounts
IT Administrative/Operational staff can be granted privileged accounts
that permit elevated access rights for specific system or application
support and maintenance.
Generic/built-in privileged accounts (e.g., the Windows domain and local
Administrator accounts) shall not be used for daily systems administration;
staff must use the individually assigned privileged account issued by the
company instead, so that privileged actions remain attributable to one person.

Application-Specific Accounts
An application-specific account controls access to individual
applications available on the network. Access rights and privileges are
programmed/configured within the application.
These accounts must never be used for individual access to the
network itself.

Guest Accounts
A guest account uses a generic ID rather than an individual
User/Network ID (e.g., when a vendor is given temporary access).
Such accounts are intended for temporary (5 day maximum) use by a
visitor who has been authorized by the designated account
administrator or assistant. Guest accounts must be kept to a minimum.
Their access is limited to a list of application programs, and they have,
at most, restricted network access.

Group Accounts
A group account identifies a functional group or organization. It
provides a group of users with a shared User/Network ID to access a
common application or system.
Group accounts are permitted only if:
• There is a demonstrable need to provide “group” access because
the overhead of individual accounts is not acceptable.
• The number of applications accessible is kept to a minimum.
Group accounts are provided with the minimum access privileges
required to meet business needs (e.g., read/write access is not given
when read-only access will suffice).
Group accounts will not be used to permit remote access.
Group account owners are responsible for their correct use at all times,
and must maintain a complete list of staff members that use the
account.

3.2. Account Creation
A user’s manager, or, in the case of a new employee, HR, must submit
a request for the creation of a new account to ___.
A new user is not permitted, under any circumstances, to inherit the
User/Network ID that was originally assigned to another user.
Before access is given to an account, all users should be provided with
the company’s policies concerning technology, e-mail, the Internet, and
computers.
All default passwords for accounts must be constructed in accordance
with the Password Policy.
The Designated Account Administrator or assistant shall:
• Create the user ID, the account, and a temporary password, and
• Retain an account’s associated request and approval
documentation.

3.3. Account Management
The _____ must disable all new accounts that have not been accessed
within 30 days of creation.
Accounts of individuals on extended leave (more than 30 days) should
be disabled. (Note: Exceptions can be made in cases where
uninterrupted access to IT resources is required. In those instances,
the manager of the individual going on extended leave must submit an
approved exception request to the designated account administrator or
assistant before the leave begins.)
If an individual is assigned to another office for an extended period
(more than 90 days), transfer the individual's account(s) to the new
office. (Note: To ensure minimum user disruption, transfer the user's
local/network resources in a timely manner, e.g., Exchange mailbox,
local archived files, etc.)
Primary responsibility for account management belongs to the
Designated Account Administrators. The DAA shall:
• Modify user accounts in response to events like name changes,
accounting changes, permission changes, or office transfers,
• Periodically review existing accounts for validity, and
• Cooperate fully with an authorized security team that is investigating
a security incident or performing an independent audit review.

3.4. Account Removal
A user’s manager must immediately notify __ or H.R. of changes in a
user’s employment status (departure, extended leave, or absence of a
contractor or consultant). The designated account administrator or
assistant will then disable or remove all associated User/Network
accounts.

The designated account administrator or assistant will:
• Ensure that disabled User/Network IDs are not re-issued to another
user.
• Leave the associated Network account disabled for 30 days so that an
automatic reply can indicate that the person has left the company.
(Remove the Network account after 30 days.)
• Remove, after consultation with a user’s manager, redundant
User/Network accounts that are no longer required.
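The lifecycle rules in 3.2, 3.3 and 3.4 (no re-issue of retired IDs, disable new accounts never accessed within 30 days, disable accounts of departed users and of users on extended leave without an approved exception, remove accounts 30 days after they were disabled) are the kind of checks a Designated Account Administrator would script against a directory export. The following audit is an added example and is not part of the original policy or any company tooling; the CSV column names, the sample rows, the register of retired IDs and the audit date are constructed for illustration.

```python
"""Audit a directory export against the policy's account-lifecycle rules.

Added example (not part of the original policy). It assumes a CSV export
with the columns shown in SAMPLE_EXPORT; the column names, the sample rows,
the retired-ID register and the audit date are constructed for illustration.
"""
import csv
import io
from datetime import date, datetime

NEW_ACCOUNT_GRACE_DAYS = 30   # 3.3: disable new accounts never accessed within 30 days
EXTENDED_LEAVE_DAYS = 30      # 3.3: disable accounts of users on leave longer than this
DISABLED_RETENTION_DAYS = 30  # 3.4: remove accounts 30 days after they were disabled

# Constructed sample export. Empty date fields mean "does not apply";
# leave_exception is "yes" only when a manager-approved exception is on file.
SAMPLE_EXPORT = """\
user_id,created,last_logon,status,disabled_on,employment,leave_start,leave_exception
jsmith,2009-01-05,2009-04-10,active,,employed,,
newhire1,2009-03-01,,active,,employed,,
newhire2,2009-04-01,,active,,employed,,
bjones,2008-06-12,2009-02-20,active,,departed,,
kwong,2008-09-01,2009-02-01,disabled,2009-03-01,departed,,
rpatel,2007-11-15,2009-04-14,active,,employed,2009-02-15,
mlee,2008-02-10,2009-04-12,active,,employed,2009-02-01,yes
"""

# Constructed register of User/Network IDs that were retired and must never
# be re-issued to another user (3.2 and 3.4).
RETIRED_IDS = {"tadams", "newhire2"}

# Constructed audit date so the example is reproducible offline.
AUDIT_DATE = date(2009, 4, 15)


def _parse(value):
    """Parse an ISO date from the export, or None when the field is empty."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def audit(export_text, retired_ids, today):
    """Return (user_id, action, reason) tuples, one per policy finding.

    Actions are 'disable', 'remove' or 'investigate'; the DAA decides and
    records the follow-up, the script only reports.
    """
    findings = []
    for row in csv.DictReader(io.StringIO(export_text)):
        uid = row["user_id"]
        created = _parse(row["created"])
        last_logon = _parse(row["last_logon"])
        disabled_on = _parse(row["disabled_on"])
        leave_start = _parse(row["leave_start"])
        active = row["status"] == "active"

        # 3.2 / 3.4: a retired ID must not reappear as a new account.
        if uid in retired_ids:
            findings.append((uid, "investigate", "user ID matches a retired ID"))

        # 3.3: new account that was never accessed within the grace period.
        if active and last_logon is None and (today - created).days >= NEW_ACCOUNT_GRACE_DAYS:
            findings.append((uid, "disable", "new account never accessed within 30 days"))

        # 3.4: the manager reported a departure but the account is still active.
        if active and row["employment"] == "departed":
            findings.append((uid, "disable", "user has left the company"))

        # 3.3: extended leave without a manager-approved exception on file.
        on_long_leave = leave_start is not None and (today - leave_start).days > EXTENDED_LEAVE_DAYS
        if active and on_long_leave and row["leave_exception"] != "yes":
            findings.append((uid, "disable", "extended leave without approved exception"))

        # 3.4: disabled accounts are kept 30 days (auto-reply), then removed.
        if not active and disabled_on and (today - disabled_on).days >= DISABLED_RETENTION_DAYS:
            findings.append((uid, "remove", "disabled for 30 days or more"))
    return findings


def run():
    """Run the audit over the constructed sample data."""
    return audit(SAMPLE_EXPORT, RETIRED_IDS, AUDIT_DATE)


if __name__ == "__main__":
    for uid, action, reason in run():
        print(f"{action:12s} {uid:10s} {reason}")
```

Each finding is reported rather than acted on, so the DAA can retain the request and approval documentation the policy requires for every change; in a real deployment the export would come from the directory (for example a scheduled AD or LDAP dump) and the retired-ID register from the account-removal records.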

4. Version History
Number Date Approved by
1 April 15, 2009 Blair Bolles
