Purpose
The purpose of this Account Management Information Technology Requirement (ITR) is to establish a standard for the administration of computing accounts that facilitate access or changes to Anne Arundel Community College institutional data. This ITR establishes standards for issuing accounts and managing accounts.

Scope
This ITR is applicable to those responsible for the creation, management and disposition of user accounts for access to college information. 

This ITR is applicable to any individual who is granted an account on a college system.

Definitions

1. Interactive login: A log on process whereby the user gains access to the network by entering a username and password in response to a dialog box.

Account Management Requirement

1. The owners of college data shall make decisions regarding access to their respective data. Account setup and modification shall require appropriate approval from the data owner.
2. All account passwords must adhere to requirements outlined in the AACC Password Standard.
3. Accounts shall not be granted any more privileges than those that are necessary for the functions the user will be performing. When establishing accounts, standard security principles of “least required access” to perform a function must always be used, where administratively feasible.
4. The identity of users must be authenticated before providing them with account and password details. If an automated process is used, then the account holder should be asked to provide multiple information items that in totality could only be known by the account holder. 
5. Accounts that are not used for interactive login or authentication must be “locked” or “disabled.”
6. All college employees must sign a confidentiality agreement prior to obtaining access to any college system.
7. IIT will provide oversight for the management of user accounts. Whenever possible, Active Directory/Azure Active Directory will be used for authentication. If the option is not available accounts shall use the college-issued username wherever possible.
8. Administrative (privileged) accounts can be created to permit elevated access rights for a specific system or application. Administrative accounts must only be provided to users that are required to perform system administrative tasks.
9. Accounts that are not used for interactive login or authentication must be locked or disabled.
10. User accounts will be disabled when they are no longer required according to college policies.
11. User accounts will be disabled if the individual cannot successfully complete required access control measures.
12. All accounts shall be reviewed at least annually by the data owner to ensure that access and account privileges are commensurate with job function, need-to-know and employment status. 
13. Users must attend all required application or data handling training courses prior to their account being activated.

Exemptions
Exceptions to this ITR should be submitted to the vice president for the Information and Instructional Technology Division, through the director of Information Security for review and approval. If an exception is granted a compensating security control or safeguard will be documented.

Contingencies
None

Review Process
Information Technology Requirements will be reviewed every 12 months or sooner, if required. Guidelines and Processes will be reviewed every 24 months or sooner, if required.

Guideline Title: Account Management Information Technology Requirement

Guideline Owner: Vice President for Information and Instructional Technology

Guideline Administrator: Director, Information Security

Contact Information: John Williams, jwwilliams6@aacc.edu

Approval Date: Jan. 8, 2024

Effective Date: Jan. 8, 2024

History: N/A

Applies to: Faculty, staff and students

Related Policies: N/A

Related Procedures: N/A

Related Guidelines: Identify and Access Management

Forms: N/A

Relevant Laws:

• Gramm Leach Bliley Act (GLBA)
• Family Educational Rights and Privacy Act (20 U.S.C. § 1232g; 34 CFR Part 99)