9-4 Information Technology Professionals Policy - Section XIV: User Access Management Policy

Information Systems Department


XIV. User Access Management Policy

This Policy establishes how User access privilege to Local Agency IT resources and data must be assigned and managed.

  1. User Registration
    Local Information Service Providers must establish and document User registration and de-registration procedures for granting and revoking access to Local Agency IT resources and data.
  2. User Access Authorization
    User access to Local Agency IT resources or data must only be authorized by a Data Owner, Data Steward or designee.
  3. Minimum Necessary Access
    1. Access to and use of Local Agency IT resources and data must adhere to the Principle of Least Privilege, which requires that each User be given no more privilege than necessary to perform their work assignment.
    2. Access to Confidential data is limited to those permitted under law, regulation, and with a need to know, as identified by the Data Owner.
  4. Privileged Accounts Management
    The issuance and use of privileged accounts must be restricted and controlled. Processes must be developed to ensure that uses of privileged accounts are monitored, and any suspected misuse of these accounts is promptly investigated.
  5. User Identification (ID) and Authentication
    1. All Users must be assigned a unique User ID to establish accountability.
    2. All User IDs must have a password that adheres to Local Information Service Provider standards.
    3. All User IDs must have an authentication technique (e.g., knowledge, token and/or biometric-based).
    4. Individuals whose work assignment requires elevated privileges must be issued an additional unique ID. Regular User activities (e.g., e-mail or word processing) must not be performed from privileged accounts.
    5. Individual User IDs must not give any indication of the User’s work assignment or privilege level (e.g., Admin, SuperUser, or Manager).
    6. Shared User IDs may only be created and assigned to support the functionality of a process, system, device or application. To establish accountability, each shared User ID must have a designated owner.
    7. Guest User IDs are not allowed except where explicitly needed to satisfy a valid business requirement (e.g., a public kiosk or public web site).
  6. Suspension of Access
    User IDs must be disabled according to Local Information Service Provider standards.
  7. Access Modification
    If a User’s work assignment changes within a Local Agency, access must be reviewed and modified commensurate with the User’s new work assignment.
  8. Termination of Access
    1. Access to Local Agency IT resources and data must be terminated when the User ceases to be a member of the County workforce.
    2. Data Owners/Data Stewards/Designees must terminate a User’s access to Local Agency IT Resources and Data when the work assignment no longer requires access.
  9. Access Review
    User access privileges must be periodically reviewed by the Data Owner/Data Steward or designee to ensure access is commensurate with the work assignment. Local Information Service Providers must provide reports of User access privilege to Local Agencies.