User Account Management

Introduction

User Accounts control access to UBC Electronic Information and Systems. This document defines standards that Information Stewards/Owners must comply with when managing these accounts throughout their lifecycle to ensure individual accountability exists and access is restricted on a 'need to know' basis. In addition to this standard, Privileged Accounts must also comply with the Privileged Account Management standard.
The Chief Information Officer has issued this standard under the authority of Policy SC14, Acceptable Use and Security of UBC Electronic Information and Systems. Questions about this standard may be referred to information.security@ubc.ca.

Applications for User Accounts must be reviewed and approved by Information Steward/Owners and a record must be kept of all Users being granted these accounts and who provided authorization. This record must be retained for at least one year.
Service Providers applying for User Accounts must comply with the Outsourcing and Service Provider Management standard.
All User Accounts must be uniquely identifiable to a specific User.
Users must be granted the minimum level of access for their defined job function (i.e. the Principle of Least Privilege).
User Accounts must not be shared. Accounts must be traceable back to the individuals using them. This requirement does not apply to test accounts, which may be shared during the pre-production phase.
Where possible, User Accounts should be linked to sources of record that can accurately capture User status (e.g. Workday, PersonHub, SIS or other ERPs).

When Users’ roles and responsibilities change, their access rights should be updated in a timely manner to ensure they remain aligned with the Principle of Least Privilege.
Changes to User Accounts should be documented, approved and retained by Information Stewards/Owners in the same manner as User Account requests.

All User Accounts must be disabled (i.e. access is revoked) in a timely manner, especially when the User has been terminated or the User has a Privileged Account. Accounts may be disabled by either closing the account to all Users or changing the password to restrict access by specific Users.
On Merchant Systems, User Accounts must be automatically disabled if not used for 90 days.
The information stored in disabled accounts, as well as the username, logs and other metadata for these accounts, must be retained for one year, except for the following accounts:

Account Retention

Student Email TBD, currently indefinite

Student Email Alias TBD, currently indefinite

Home Drive 90 days
In cases where accounts are migrated from one authentication system to another, the original account does not need to be retained, provided all of the information in the account has been migrated to the new system.
At any time before the expiration of the relevant retention period, the account can be reinstated to the account holder where appropriate.
After the expiration of the relevant retention period, the account and the information stored within it must be securely deleted.

Users’ access rights must be reviewed at regular intervals to ensure they remain aligned with current roles and responsibilities. The frequency of the review must be risk based (e.g. access rights to High or Very High Risk Information such as Personal Health Information should be reviewed more frequently than access rights to Medium Risk Information that may not do as much harm if exposed to unauthorized individuals).

University IT Support Staff must protect User Accounts in compliance with Securing User Accounts standard.