Account Management Policy

Introduction

Authentication verifies a user’s identity; authorization then grants that verified identity access to the organization’s systems. Access control (also called permissions or privileges) defines and enforces the authorization policies.

One of a Network Administrator’s most important responsibilities is to create accounts for the organization and manage each user’s level of access by writing an account management policy. The policy should lay out the account naming convention, password composition and complexity, and the level of access for all organizational users. A definitive policy, per the Definitive Guide to Account Username Conventions (Moreland, 2013), is essential for usability, security, administration, and auditing.

Account Creation

Username Constraints

Default usernames will be built from the user’s lowercase first initial, last name, and the month and day (two digits each, as MMDD) of the first day of onboarding.

Examples:

EMPLOYEE NAME    ONBOARD DATE    USERNAME
Tara Mahto       06/17           tmahto0617
Isaac Acosta     3/30            iacosta0330
Henry Avila      11/14           havila1114

If the convention produces the same username for more than one employee, an additional lowercase letter is appended to the end of each of those usernames to distinguish them.

Examples:

EMPLOYEE NAME    ONBOARD DATE    USERNAME
Tara Mahto       06/17           tmahto0617a
Tara Mahto       06/17           tmahto0617b

Password Creation

For security purposes, there will be two types of passwords: user account passwords and privileged account passwords. All passwords must follow the guidelines for their specific type, be adequately complex, and cannot be NULL. All passwords must be changed every 90 days; users cannot change their password within 7 days of the previous change and cannot reuse old passwords. No two users may have the same password, and no user may have a password that was previously used by another user. All default passwords must be changed immediately to a username/password that meets the policy criteria. To enforce this policy, the company will maintain an encrypted log of previous user passwords.

User Accounts

All user account passwords must be:

  • At least 8 characters in length
  • Sufficiently complex
  • Contain at least one uppercase letter, one number and one symbol character
    • Only the following special characters are allowed: ! @ # $ % ^ & *

Good Password Examples:

  • e6@bJLDJ
  • 7k@ErBXU

Bad Password Examples:

  • 12345A
  • Letmein_

Privileged Accounts

These types of user accounts are for server administrative access. All privileged account passwords must be:

  • At least 10 characters in length
  • Sufficiently complex
  • Should not be memorized
  • Passphrases are forbidden
  • Contain at least one uppercase letter, one number and one symbol character
    • Only the following special characters are allowed: ! @ # $ % ^ & *
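As an added example (not part of the original policy), the username convention and the concrete password rules above expressed as a small Python script. The employee names and dates are the ones from the tables; the labels "user" and "privileged" are assumed names for the two account types.

```python
import string
from collections import Counter, defaultdict

ALLOWED_SYMBOLS = "!@#$%^&*"                 # the only special characters the policy permits
MIN_LENGTH = {"user": 8, "privileged": 10}   # "user"/"privileged" are assumed labels for the two types


def base_username(full_name: str, onboard_date: str) -> str:
    """Lowercase first initial + last name + MMDD of onboarding ('3/30' -> '0330')."""
    parts = full_name.split()
    month, day = (int(p) for p in onboard_date.split("/"))
    return f"{parts[0][0]}{parts[-1]}{month:02d}{day:02d}".lower()


def assign_usernames(employees):
    """Return [(name, onboard_date, username), ...]; a shared base name gets 'a', 'b', ... appended."""
    bases = [base_username(name, onboard) for name, onboard in employees]
    shared = Counter(bases)          # how many employees map to each base name
    next_suffix = defaultdict(int)   # next letter index to hand out per colliding base
    assigned = []
    for (name, onboard), base in zip(employees, bases):
        username = base
        if shared[base] > 1:         # collision: every member of the group is suffixed, in input order
            username += string.ascii_lowercase[next_suffix[base]]
            next_suffix[base] += 1
        assigned.append((name, onboard, username))
    return assigned


def check_password(password: str, account_type: str = "user") -> list:
    """Return the policy rules a password violates (empty list = passes).
    "Sufficiently complex" has no measurable definition in the policy, so only the concrete rules are checked."""
    problems = []
    if not password:
        problems.append("password is NULL")
    if len(password) < MIN_LENGTH[account_type]:
        problems.append(f"shorter than {MIN_LENGTH[account_type]} characters")
    if not any(c.isupper() for c in password):
        problems.append("no uppercase letter")
    if not any(c.isdigit() for c in password):
        problems.append("no number")
    if not any(c in ALLOWED_SYMBOLS for c in password):
        problems.append("no symbol from the allowed set")
    # Any non-alphanumeric character outside the allowed set is forbidden (this is why 'Letmein_' fails).
    disallowed = sorted({c for c in password if not c.isalnum() and c not in ALLOWED_SYMBOLS})
    if disallowed:
        problems.append("disallowed character(s): " + " ".join(disallowed))
    return problems
```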

Sources

Moreland, T. (2013). Definitive Guide to Account Username Conventions. https://info.identityautomation.com/hubfs/PDFs/Enterprise_Resources/Definitive-guide-to-username-conventions.pdf
