Acceptable Practices for Privileged Account Management

Revised: 9 Dec 2015 by ITSC

This document states how privileged accounts should be managed, controlled and tracked.

  • Privileged access is restricted to people who have a true need-to-know requirement for system access, control and modification.
  • Privileged access may only be used to perform assigned job duties. Minimize administrative privileges and only use privileged accounts when they are required. Whenever possible, gaining and using administrative privileges should be logged.
  • An ongoing inventory of all privileged accounts is necessary, together with regular validation that each person with administrative privileges is authorized.
  • Administrative passwords should be complex and meet the following Password Construction Guidelines:
    • Contain at least 14 alphanumeric characters.
    • Contain both upper and lower case letters.
    • Contain at least one number.
    • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/).
    • Should not be found in a dictionary.
    • Should not contain personal information such as phone numbers.
  • System administrators should comply with the following Password Protection Policy:
    • Password Creation
      • Users must use different passwords for University accounts than for other non-University access.
      • Where possible, users must use different passwords for various access needs.
    • Password Change
      • All privileged account passwords must be changed at least every 90 days.
      • Before deploying any new devices in a networked environment, change all default passwords.
    • Password Protection
      • Passwords must not be shared with anyone.
      • Passwords must not be inserted into email messages or other forms of electronic communication.
      • Do not write passwords down and store them anywhere in your office.
      • Passwords should be hashed or encrypted in storage.
      • Do not use the “Remember Password” feature of applications (for example, web browsers).
      • Enforce password history.
  • Configure systems to log unsuccessful login attempts to administrative accounts.
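The Password Construction Guidelines above, turned into a checker as an added example that is not part of the original policy. The special-character set is copied from the guideline; the "14 alphanumeric characters" rule is interpreted as a minimum total length of 14, and the dictionary word list and the personal-information matching rule are constructed assumptions.

```python
import re

# Special characters exactly as listed in the Password Construction Guidelines.
SPECIAL_CHARS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")

# Constructed stand-in for a dictionary word list (assumption); a real deployment
# would load a full word list instead.
DICTIONARY = {"password", "university", "welcome", "admin", "summer"}


def check_password(password, personal_info=(), dictionary=DICTIONARY):
    """Return the list of guideline rules the password fails (empty list = compliant)."""
    failures = []
    # Guideline: at least 14 characters (interpreted here as total length).
    if len(password) < 14:
        failures.append("length: at least 14 characters")
    if not any(c.islower() for c in password) or not any(c.isupper() for c in password):
        failures.append("case: both upper and lower case letters")
    if not any(c.isdigit() for c in password):
        failures.append("digit: at least one number")
    if not any(c in SPECIAL_CHARS for c in password):
        failures.append("special: at least one special character from the listed set")
    # Dictionary rule (assumed interpretation): strip digits and symbols, then reject a
    # password whose letters equal, or contain, a dictionary word of five or more letters.
    letters = re.sub(r"[^a-z]", "", password.lower())
    if letters in dictionary or any(w in letters for w in dictionary if len(w) >= 5):
        failures.append("dictionary: must not be built on a dictionary word")
    # Personal-information rule (assumed interpretation): a supplied item must not appear
    # case-insensitively, and a phone-number-like digit run must not appear even if the
    # separators were removed.
    digits_only = re.sub(r"\D", "", password)
    for item in personal_info:
        item_digits = re.sub(r"\D", "", item)
        if item.lower() in password.lower() or (
            len(item_digits) >= 4 and item_digits in digits_only
        ):
            failures.append(f"personal: contains personal information ({item})")
            break
    return failures
```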