
Account Management

About This Policy

1.0 Purpose

The purpose of this policy is to establish a standard for the administration of computing accounts that facilitate access or changes to the University's information resources. An account consists of at least a user ID and a password. Issuing account credentials typically grants access to a defined set of services and resources. This policy establishes the guidelines for issuing and managing accounts.

2.0 Scope

This policy is applicable to those responsible for the management of user accounts or access to shared information or network devices; the information may be held within a database, an application, or shared file space. This policy covers departmental accounts as well as those managed centrally by the Information Technology Division.

3.0 Policy

Server Owners and Application Administrators are responsible for ensuring that all accounts at the OS level or within a particular application are created according to the following procedures:

3.1 Account Issuance and Access Control Standards

Accounts that provide access to electronic computing and information resources require careful oversight. The following security precautions must be observed in account management:

  • All accounts must have a password that adheres to the practices outlined in the Password Management Policy document.
  • Any account that is not used for interactive login or authentication must be “locked” or “disabled” according to the definition of those terms for the particular OS in question.
  • Before a user account is created, that user's affiliation with the University must be verified by the sponsoring unit or division (e.g., Human Resources, the Registrar).
  • Users must attend all appropriate application or data handling training courses prior to their account being activated.
  • Accounts for individuals not affiliated with the University must be approved in advance by the IT Division.
  • An account may be associated with only one user. Users must not share an account.
  • Accounts should not be granted any more privileges than those necessary for the functions the user will be performing. When an account is created, the standard security principle of "least required access" to perform a function must always be applied, where administratively feasible. For example, a root or administrative privileged account must not be used when a non-privileged account will suffice.
  • Directory and file permissions should be set correctly to prevent users from listing directory contents or reading, modifying, or deleting files they are not authorized to access.
  • Account setup and modification require the signatures of the account requester, the requester's immediate supervisor, the data owner, and the Information Technology office.
  • The organization responsible for a resource shall issue a unique account to each individual authorized to access that networked computing and information resource. It is also responsible for deactivating accounts promptly when necessary, i.e., accounts for terminated individuals shall be removed, disabled, or revoked from any computing system at the end of the individual's employment or when continued access is no longer required; and the accounts of transferred individuals may require removal or disabling to ensure that changes in access privileges are appropriate to the change in job function or location.
  • The identity of users must be authenticated before providing them with account and password details. If an automated process is used, the account holder should be asked to provide several information items that, taken together, could only be known by the account holder. In addition, it is highly recommended that stricter levels of authentication (such as face-to-face) be used for accounts with privileged access (e.g., user accounts used for email do not require an identity validation process as thorough as that for user accounts that can post information to public web pages or modify department budgets).
  • Passwords for new accounts must not be sent to remote users by email unless the email is encrypted.
  • The date when the account was issued and its expected expiration date (if applicable) should be recorded in an audit log.
  • All managers of accounts with privileged access to 大学 data must sign a Confidentiality Agreement that is kept in the department file under the care of a Human Resources representative or liaison.
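The following script is an added example, not part of the policy, showing how several of the 3.1 standards can be checked mechanically against a set of account records: service accounts that are not used for interactive login must be locked or disabled, every account must have its issue date (and expiry, where one applies) recorded, expired accounts must not remain enabled, and no account other than root should be root-equivalent. The record layout, field names, and the sample accounts are constructed for this example; a real audit would read /etc/passwd and /etc/shadow or query a directory service.

```python
"""Account issuance audit (added example, not part of the policy).

Field names, the "locked" convention (shadow hash beginning with "!" or "*")
and the sample accounts below are assumptions made for this example.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

# Shells that refuse interactive login on common Linux/BSD systems.
NOLOGIN_SHELLS = {"/usr/sbin/nologin", "/sbin/nologin", "/bin/false"}


@dataclass
class Account:
    name: str
    uid: int
    shell: str
    password_hash: str          # shadow-style; "!" or "*" prefix means locked
    interactive: bool           # does the policy expect a human to log in?
    issued: Optional[date]      # date the account was issued (audit log item)
    expires: Optional[date]     # expected expiration, if applicable
    groups: set = field(default_factory=set)


def is_locked(acct: Account) -> bool:
    """Locked/disabled in the OS sense: unusable password or nologin shell."""
    return acct.password_hash.startswith(("!", "*")) or acct.shell in NOLOGIN_SHELLS


def audit(accounts: list, today: date) -> list:
    """Return (account name, finding code) pairs for each policy deviation."""
    findings = []
    for a in accounts:
        if not a.interactive:
            # 3.1: non-interactive accounts must be locked or disabled.
            if not a.password_hash.startswith(("!", "*")):
                findings.append((a.name, "service-account-password-usable"))
            if a.shell not in NOLOGIN_SHELLS:
                findings.append((a.name, "service-account-interactive-shell"))
        if a.issued is None:
            # 3.1: issue date should be recorded in the audit log.
            findings.append((a.name, "issue-date-not-recorded"))
        if a.expires is not None and a.expires < today and not is_locked(a):
            # 3.1: accounts must be deactivated promptly when no longer needed.
            findings.append((a.name, "expired-but-still-enabled"))
        if a.uid == 0 and a.name != "root":
            # 3.1: least privilege; extra UID-0 accounts are root-equivalent.
            findings.append((a.name, "uid0-not-root"))

    # 3.1: one account per user. Shared UIDs defeat accountability even when
    # the user names differ, so report every account in a UID collision.
    by_uid = {}
    for a in accounts:
        by_uid.setdefault(a.uid, []).append(a.name)
    for names in by_uid.values():
        if len(names) > 1:
            findings.extend((n, "shared-uid") for n in names)
    return findings


# Constructed sample records (not real accounts).
SAMPLE_ACCOUNTS = [
    Account("root", 0, "/bin/bash", "$6$r00t$hash", True, date(2020, 1, 15), None, {"wheel"}),
    Account("www-data", 33, "/usr/sbin/nologin", "*", False, date(2020, 1, 15), None),
    Account("backup-svc", 1001, "/bin/bash", "$6$bkp$hash", False, date(2022, 3, 1), None),
    Account("jdoe", 1002, "/bin/bash", "$6$jdoe$hash", True, date(2023, 9, 1), date(2024, 6, 30)),
    Account("guest-contractor", 1003, "/bin/bash", "$6$gst$hash", True, None, date(2025, 12, 31)),
    Account("ops-admin", 0, "/bin/bash", "$6$ops$hash", True, date(2021, 5, 5), None, {"wheel"}),
]

if __name__ == "__main__":
    for name, code in audit(SAMPLE_ACCOUNTS, date(2025, 1, 10)):
        print(f"{name:18} {code}")
```

Run against the sample set, the script flags backup-svc twice (usable password and interactive shell), jdoe as expired but still enabled, guest-contractor for the missing issue date, and ops-admin as a second UID-0 account; www-data, which is properly locked, produces no finding.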

3.2 Managing Accounts

  • All accounts shall be reviewed at least annually by the data owner to ensure that access and account privileges are commensurate with job function, need-to-know, and employment status. IT Security may also conduct periodic reviews of any system connected to the University network.
  • All guest accounts (for those who are not official members of the University community) with access to computing resources shall carry an expiration date of one year or the work completion date, whichever occurs first. All guest accounts must be sponsored by the appropriate authorized member of the administrative entity managing the resource.
  • For accounts used to access sensitive information managed by a department, account management shall conform to the standards above. In addition, naming conventions must not cause contention with centrally managed University NetIDs. Where the possibility of contention arises, the account will not be created until a mutually satisfactory arrangement is reached.
  • The identity of users must be authenticated before providing them with ID and password details. In addition, stricter levels of authentication (such as face-to-face) are required for accounts with privileged access.
  • Account management should allow for lockouts after a set number of failed attempts (ten is the recommended number). Access should then be locked for a minimum of one hour unless a local system administrator intercedes. Lockouts should be logged, provided the log entries do not contain password information.
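As an added example, not part of the policy, the following implements the lockout rule above: an account is locked after the tenth consecutive failed attempt, stays locked for at least one hour unless an administrator clears it, and every lockout is logged without the submitted password ever reaching the log. The clock is injected so the one-hour window can be exercised deterministically; the log format and the sample credential store are assumptions.

```python
"""Failed-login lockout (added example, not part of the policy).

Threshold, lock duration and log format follow section 3.2; the clock
abstraction and the constructed credential store are assumptions.
"""
from collections import defaultdict
from dataclasses import dataclass
import hmac
import time

LOCKOUT_THRESHOLD = 10      # recommended number of failed attempts
LOCKOUT_SECONDS = 3600      # minimum lock duration: one hour


@dataclass
class LockoutState:
    failures: int = 0
    locked_until: float = 0.0   # epoch seconds; 0.0 means not locked


class ManualClock:
    """Deterministic clock used for demonstration and testing."""
    def __init__(self, start: float = 1_000_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now

    def advance(self, seconds: float) -> None:
        self.now += seconds


class LockoutGuard:
    def __init__(self, threshold=LOCKOUT_THRESHOLD, lock_seconds=LOCKOUT_SECONDS, clock=time.time):
        self.threshold = threshold
        self.lock_seconds = lock_seconds
        self.clock = clock
        self.state = defaultdict(LockoutState)
        self.log = []           # lockout records; never contains a password

    def is_locked(self, user: str) -> bool:
        return self.state[user].locked_until > self.clock()

    def record_failure(self, user: str, source_ip: str) -> bool:
        """Count a failed attempt; return True if it triggered a lockout."""
        st = self.state[user]
        if st.locked_until and st.locked_until <= self.clock():
            st.failures = 0     # previous lock has expired; start a fresh count
        st.failures += 1
        if st.failures >= self.threshold:
            st.locked_until = self.clock() + self.lock_seconds
            self.log.append(f"LOCKOUT user={user} src={source_ip} "
                            f"failures={st.failures} until={int(st.locked_until)}")
            return True
        return False

    def record_success(self, user: str) -> None:
        self.state[user].failures = 0

    def admin_unlock(self, user: str, admin: str) -> None:
        """Local system administrator interceding before the hour is up."""
        self.state[user] = LockoutState()
        self.log.append(f"UNLOCK user={user} by={admin}")


def attempt_login(guard: LockoutGuard, user: str, password: str, verify, source_ip: str) -> str:
    """Return 'locked', 'ok' or 'fail'. The password goes only to verify()."""
    if guard.is_locked(user):
        return "locked"         # do not even evaluate the password while locked
    if verify(user, password):
        guard.record_success(user)
        return "ok"
    guard.record_failure(user, source_ip)
    return "fail"


# Constructed credential store for the demonstration (plaintext only because
# this example is about lockout, not password storage).
CONSTRUCTED_CREDENTIALS = {"jdoe": "correct horse battery staple"}


def constructed_verify(user: str, password: str) -> bool:
    expected = CONSTRUCTED_CREDENTIALS.get(user, "")
    return hmac.compare_digest(expected.encode(), password.encode()) and user in CONSTRUCTED_CREDENTIALS


if __name__ == "__main__":
    clock = ManualClock()
    guard = LockoutGuard(clock=clock)
    for _ in range(10):
        attempt_login(guard, "jdoe", "wrong-guess", constructed_verify, "10.0.0.5")
    print("locked:", guard.is_locked("jdoe"))
    clock.advance(3601)
    print("after an hour:", attempt_login(guard, "jdoe", CONSTRUCTED_CREDENTIALS["jdoe"], constructed_verify, "10.0.0.5"))
    print("\n".join(guard.log))
```

Two design points worth noting: the correct password is refused while the lock is in force, so an attacker who guesses right on the eleventh try learns nothing, and the log line carries the user, source address, failure count and unlock time but never the attempted password, which satisfies the logging caveat in the bullet above.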

4.0 Enforcement

Any member of our community found in violation of this policy is subject to disciplinary proceedings, including suspension of system privileges, expulsion from the University, termination of employment, and/or legal action as may be appropriate and in accordance with the administrative handbooks and codes of conduct applicable to the individual's role at the University.

5.0 Related Policies and Links
