Draft IT User Accounts Policy
Every user shall have one identity
The User ID that is given shall be consistent with all systems. There is no need to have multiple, different user IDs. The reason for this is to ensure that all IT User Accounts can be reconciled with an individual user and can be de-provisioned effectively when the user is no longer at The Polytechnic.
Every user account shall be used only by the person or persons it was issued to.
- It is vitally important that only the person, who should be using the IT User Account, actually is. If this is not strictly adhered to, the ability to audit individual actions is diminished.
- If an IT User Account is misused, the person to whom the account was issued must take sole responsibility for those actions, regardless of who was actually using the IT User Account at the time.
- The IT User Account is the only way to identify a person from an action and trust must be maintained that the relationship between the person and the account is unique.
There is no such a thing as generic password
No generic account or shared account will be permitted access to any systems or storage containing personal data or research data. Only accounts explicitly linked to defined individuals will be provided access to such data, and then under least privilege and need to know principles, or as otherwise defined in and governed by third party contracts or data sharing agreements.
User IDs or email addresses shall not be re-used for a minimum of 24 months.
- A system is in place to ensure that user IDs and email addresses shall not be re-issued within 24 months of the account’s disablement or deletion, in accordance with the user account lifecycle process. Nor shall they be assigned to “non-person” entities, such as departmental mailing lists.
- Experience has shown that re-using an account too quickly means that the new owner receives lots of newsletters and messages intended for the previous owner: a two-year window allows the senders to remove disabled mail accounts through their receipt of non-deliverable message reports.
- System owners of services that rely on Active Directory accounts but replicate user IDs locally for authorisation purposes must check for instances where user IDs are deleted or re-issued. It is their responsibility to remove expired accounts from their systems.
All accounts must adhere to the principle of least privilege
The level of access to resources granted to an IT User Account should be commensurate with the privileges required by the owner to do his or her job, and no more. This is so that accidental damage is limited, for example if a standard user is added to the local administrative group, a virus downloaded will spread with the same rights. In a database or application context, limiting access removes the temptation to access information that someone should not have access to.
Administrative IT User Accounts should not be used for day-to-day activities
Where users with privileged IT User Accounts (i.e. those with elevated access permissions) need to access the Internet or read e-mail, this should be done using an account without administrative privileges. The reason for this is that any malicious software inadvertently downloaded while using a privileged account will spread across the domain using the same privileges as the account used to download it. The assignment of accounts with Administrative privileges will be audited, and an appropriate account (with formal ‘admin_xxx where xxx is the standard username of the user requesting admin access) will be created.
Different types of accounts
Different types of user are entitled to different levels of access, depending on their relationship with The Malawi Polytechnic and their primary purpose for being at the institution.
This is a student registered to do an undergraduate degree course and registered through the Student Management Information system (SMIS). The account terminates when completed, suspended or withdrawn.
This is a student registered to do a postgraduate course and registered through the Student Management Information system (SMIS). The account terminates when completed, suspended or withdrawn.
Short course student
This is a student registered on a short course, registered and active within a short coursedatabase. The account terminates when completed, suspended or withdrawn. Account allocation and de-allocation dates registered in database – fed into account expiry settings.
Members of Polytechnic Students’ Union executive.
These are issued accounts that are treated as staff. User accounts are withdrawn at the termination of contract. Accounts are withdrawn or extended upon information from the Students’ Union executive.
Staff: salaried or hourly paid, and with a contract of employment
These are members of staff who are paid via Payroll and have a contract of employment with The Malawi Polytechnic. User accounts are withdrawn at the termination of contract.
Staff – contract or temporary
These are members of staff who are paid via a third party who invoices The Malawi Polytechnic, including contract staff and consultants. An account is provided on request from the department that would also request deletion when the contract ceases.
Former members of staff
These are former academic members and administrative members of the School, where the relevant Head of Service/Department has explicitly agreed to it.
All other staff
These are Members of staff of The Malawi Polytechnic who work full-time
TERMINATION OF USER ACCOUNTS
A simple determination of the number of days an IT User Account has been inactive is not a reliable metric to determine a user’s status within the campus.
An IT User Account should only exist for as long as strictly necessary to prevent its use by someone that The Malawi Polytechnic cannot sanction for misuse.
Student IT User Accounts will expire three months after the date of graduation. Until this time, they will still hold the status of student.
Where staff details exist in the HR system, their IT User Account(s) will renew automatically, as per above.
By default staff accounts will expire upon termination of contract, unless a request for an extension is received from the relevant Authorities.
Under certain circumstances (e.g. suspected misuse of the IT User Account, or if the user it was assigned to has left The Malawi Polytechnic) an IT User Account may be suspended.
Periodically, disabled and expired IT User Accounts will be deleted, along with their associated data. Once an IT User Account has been disabled through the normal process of expiry, there should be no expectation of retrieval of the associated data. Departments and Services should actively consider retaining data that may be of value before a person leaves.
All user ids shall take the form: initial + surname. However, if there are users with the same combination of the initial and surname, they will be asked to include another initial.