CSP - AHoU - IAM



2. Account & Permissions Management

Has management of user accounts and privileged accounts been clearly delegated to information stewards/owners for all systems under your control? At a minimum this responsibility includes:

     > Approval of new accounts
     > Periodic reviews of user accounts
     > Annual reviews of privileged accounts to validate that they remain restricted to authorized personnel


Control or Process Description

Every person in your unit is considered a User, and each User is the holder of an Account, which gives them access to UBC's network and systems. For example, to have a UBC email address or to access Workday, SharePoint, OneDrive, Microsoft Teams, etc., a person needs a UBC-provided account. Every time someone new gets an account, the hiring manager typically needs to decide which systems they need access to, ideally no more and no less than what they need to do their job. This is what we call "least privilege, need-to-know, job-function basis". When someone changes jobs or leaves UBC, their access needs to be reviewed to ensure that the least-privilege, need-to-know, job-function-basis principle is still being observed for the new job, or that access has been cut off, as the case may be.

In addition, UBC policy and standards require that one or more people within the Unit be appointed as information stewards, with powers delegated by the Administrative Head of Unit to manage and periodically review access to the Unit's various user accounts.

By answering yes to this question, you are stating that access to your Unit's various accounts (such as service accounts for running programs, system accounts for storing system files, administrator accounts for system administration, regular user accounts, etc.) is managed by the information owners/system owners for all the systems under your control.

In addition, you are stating that there is a process in place for the Information Owners/System Owners to ensure that all accounts with more privileges than ordinary users are reviewed at least annually. Examples of privileges these accounts might have are installing or removing software, upgrading the operating system, or modifying system or application configurations.


Why is this Essential?

User account onboarding and off-boarding processes, along with periodic review of all accounts, minimize the risk of system takeover and unauthorized access, and preserve the confidentiality, integrity and availability of data, systems and system settings. Furthermore, system compromise is very frequently associated with compromised accounts. Limiting account access according to the least-privilege principle minimizes both the number of accounts and the capabilities of those accounts, reducing the likelihood and impact of a breach.


Reference Links
Information Security Standards – M2 User Account Management
Data Governance at UBC
Information Security Standards – M3 Privileged Account Management

Instructions

N/A


What is Acceptable?

Each system has a designated person (or persons) and a process for account management. The process covers appropriate approval of new accounts, periodic review conducted at least annually, and deactivation of accounts that are no longer needed. Further, for all systems and applications, the results of the account review are documented and communicated.