9-4 Information Technology Professionals Policy - Section XIV: User Access Management Policy
What’s on this Page
Section XIV: User Access Management Policy
Read next: Section XV: Compliance Policy
XIV. User Access Management Policy
This Policy establishes how User access privilege to Local Agency IT resources and data must be assigned and managed.
- User Registration
Local Information Service Providers must establish and document User registration and de-registration procedures for granting and revoking access to Local Agency IT resources and data.
- User Access Authorization
User access to Local Agency IT resources or data must only be authorized by a Data Owner, Data Steward or designee.
- Minimum Necessary Access
- Access to and use of Local Agency IT resources and data must adhere to the Principle of Least Privilege, which requires that each User be given no more privilege than necessary to perform their work assignment.
- Access to Confidential data is limited to those permitted under law, regulation, and with a need to know, as identified by the Data Owner.
- Privileged Accounts Management
The issuance and use of privileged accounts must be restricted and controlled. Processes must be developed to ensure that uses of privileged accounts are monitored, and any suspected misuse of these accounts is promptly investigated.
- User Identification (ID) and Authentication
- All Users must be assigned a unique User ID to establish accountability.
- All User IDs must have a password that adheres to Local Information Service Provider standards.
- All User IDs must have an authentication technique (e.g., knowledge, token and/or biometric-based).
- Individuals, whose work assignment requires elevated privileges, must be issued an additional unique ID. Regular User activities (e.g., e-mail or word processing) must not be performed from privileged accounts.
- Individual User IDs must not give any indication of the User’s work assignment or privilege level, (e.g., Admin, SuperUser, and Manager).
- Shared User IDs may only be created and assigned to support the functionality of a process, system, device or application. To establish accountability, each shared User ID must have a designated owner.
- Guest User IDs are not allowed except where explicitly needed to satisfy a valid business requirement (i.e., public kiosk, public web site, etc.).
- Suspension of Access
User IDs must be disabled according to Local Information Service Provider standards.
- Access Modification
If a User’s work assignment changes within a Local Agency, access must be reviewed and modified commensurate with the User’s new work assignment.
- Termination of Access
- Access to Local Agency IT resources and data must be terminated when the User ceases to be a member of the County workforce.
- Data Owners/Data Stewards/Designees must terminate a User’s access to Local Agency IT Resources and Data when the work assignment no longer requires access.
- Access Review
User access privileges must be periodically reviewed by the Data Owner/Data Steward or designee to ensure access is commensurate with the work assignment. Local Information Service Providers must provide reports of User access privilege to Local Agencies.