Policy Number: 12-003

Account Management

Category: Information Technology

Responsible Executive: Vice President and Chief Information Officer

Responsible Office: Vice President and Chief Information Officer


1. Purpose

To provide a comprehensive account management process that allows only authorized individuals access to University Data and Information Systems.

2. Applicability

This policy applies to all Information Systems and University Data, and to the identities and accounts used to access them.

3. Definitions

Information System: An individual or collection of computing and networking equipment and software used to perform a discrete business function. Examples include the eLearning System, ISIS, the EPIC electronic medical records system, a lab system and its associated PC, or the set of desktop computers used to perform general duties in a department.

University of Florida Data: Data in any format collected, developed, maintained or managed by or on behalf of the University, or within the scope of University activities. The terms ‘data’ and ‘information’ are used interchangeably in the context of the information security program.

4. Policy Statement

4.1. All persons and processes granted access to an information system, beyond that explicitly intended for unauthenticated public access, must be uniquely and individually identified and authenticated.

4.2. All university managed or contracted services must accept Gatorlink credentials, unless the primary user base includes those not eligible to obtain Gatorlink accounts.

4.3. All persons and processes that have been granted access to an information system must have an approved and documented level and scope of access.

4.4. Access to University Data and Information Systems is to be promptly modified upon changes in university affiliation, position, or responsibilities.

4.5. Responsibilities

4.5.1. All members of the University Constituency are responsible for all actions initiated from accounts issued to them.
4.5.2. Managers of university employees are responsible for promptly coordinating suspension of accounts for terminated employees.
4.5.3. Information Security Administrators (ISAs) are responsible for developing and implementing procedures to properly authorize, modify or terminate accounts and permissions.
4.5.4. Information Security Managers (ISMs) are responsible for implementing Information Systems such that account authorizations are promptly enforced.

5. References and Related Information

Authority:
UF Regulation 1.0102: Policies on Information Technology and Security
References:
NIST 800-53 revision 3: AC-2, IA-2, IA-4, IA-8, IA-3
HIPAA Security Rule 164.312(d)
SEC-AC-001.01 Account Management Standard

IT Policy SEC-AC-001
IT Policy Family: Information Security
IT Policy Category: Access Control
Effective Date: 1/20/2016


Additional Resources


ACCOUNT MANAGEMENT STANDARD

Purpose

To establish requirements for account and access management, including creation, approval, authorization and termination.

Standard:

  1. Each user of an Information System will be issued a unique account and identifier (username) for that system. Information Systems must use Gatorlink accounts; where that is not possible, unique identifiers should match those of the enterprise-issued account assigned to the user. Unique identifiers will not be reissued to anyone other than the original user. Systems in which it is not possible to assign unique identifiers to each user must implement compensating controls to limit access and provide accountability.
  2. Shibboleth SSO is the preferred method for authenticating user access.
    1. Web applications, cloud services, and any other system capable of Shibboleth must use it.
    2. Authentication via PC-based client software, in which the computer accepting the credentials is managed by UF, may use UFAD if Shibboleth is not supported.
  3. Units must document approval to issue each account, the type of account (individual, group, system, guest/anonymous and temporary) and the scope and level of access assigned to that account.
  4. Authorizations must only grant the minimum level of access to University Data and Information Systems needed to perform the intended function.
  5. Every account on an Information System must be reviewed prior to being placed into use and annually thereafter. The approval and authorizations for each account must be verified.
  6. Accounts not used within 180 days are to be disabled, and must be explicitly re-enabled prior to further use. Temporary accounts should be issued with a pre-set expiration date.
  7. Accounts and authorizations must be promptly modified when the assigned user’s job duties or assignment change, or upon termination of employment or appointment. Managers should coordinate with appropriate staff to ensure immediate suspension of accounts assigned to employees who are involuntarily terminated. Other personnel actions may also warrant immediate suspension of accounts. Access methods (such as passwords) for any shared accounts must be changed upon termination of an employee who had use of the shared account. Temporary and Guest access must be monitored and promptly suspended or removed once approval expires.
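The following is an added example, not part of the UF standard, showing one way to implement items 5 and 6 above (disable accounts unused for 180 days, and issue temporary accounts with a pre-set expiration) against Active Directory with the RSAT ActiveDirectory module. The OU path, the log text and the New-TemporaryAccount helper are assumptions for illustration; the script only reports unless -Enforce is given.

```powershell
# Added example (not UF's code): enforce the 180-day inactivity rule and
# pre-set expiration for temporary accounts. Assumes the ActiveDirectory
# module, rights to modify accounts in the target OU, and a hypothetical OU.
param(
    [string]$SearchBase = 'OU=Staff,DC=example,DC=edu',  # hypothetical OU, replace with your own
    [int]$InactiveDays  = 180,                            # threshold from standard item 6
    [switch]$Enforce                                      # report-only unless set
)
Import-Module ActiveDirectory

$cutoff = (Get-Date).AddDays(-$InactiveDays)

# LastLogonDate is computed from lastLogonTimestamp, which by default only
# replicates when the stored value is more than about 14 days old, so treat it
# as accurate to roughly two weeks. Accounts that have never logged on have no
# LastLogonDate at all; fall back to whenCreated so a never-used account older
# than the threshold is disabled too rather than silently skipped.
$stale = Get-ADUser -SearchBase $SearchBase -Filter 'Enabled -eq $true' `
            -Properties LastLogonDate, whenCreated, Description |
    Where-Object {
        $lastActivity = if ($_.LastLogonDate) { $_.LastLogonDate } else { $_.whenCreated }
        $lastActivity -lt $cutoff
    }

foreach ($u in $stale) {
    $last = if ($u.LastLogonDate) { $u.LastLogonDate } else { "never (created $($u.whenCreated))" }
    if ($Enforce) {
        # Record the reason on the object so the annual review (item 5) can see
        # why the account is disabled and who must explicitly re-enable it.
        Set-ADUser -Identity $u -Description "Disabled $(Get-Date -Format s): inactive > $InactiveDays days (last activity: $last)"
        Disable-ADAccount -Identity $u
        Write-Output "DISABLED      $($u.SamAccountName)  last activity: $last"
    } else {
        Write-Output "WOULD DISABLE $($u.SamAccountName)  last activity: $last"
    }
}

# Temporary accounts: set the expiration at creation time instead of relying
# on someone remembering to clean up. Hypothetical helper; $Days is the
# approved duration from the unit's documented approval (item 3).
function New-TemporaryAccount {
    param(
        [Parameter(Mandatory)][string]$SamAccountName,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][int]$Days,
        [string]$Path = $SearchBase
    )
    $expires = (Get-Date).AddDays($Days)
    # Created disabled: enable only once the approval record exists (item 5).
    New-ADUser -SamAccountName $SamAccountName -Name $Name -Path $Path `
        -AccountExpirationDate $expires -Enabled $false
    return $expires
}
```

Run it without -Enforce first and compare the report against the unit's approval records; the whenCreated fallback deliberately catches accounts that were provisioned but never used, which an inactivity query keyed only on last logon would miss.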

Standard History: New 1-20-2016, Amended 5-18-2022

_______________________________________________________________

Procedure: Account Management for Terminated and Transferred Employees

Purpose:

The UF Account Management Standard requires that accounts and authorizations be promptly modified when a user’s job duties or employment ends. Many users retain affiliations upon termination of employment that prevent their Gatorlink account from being disabled (e.g., alumni). Processes are in place to automatically remove assignable enterprise roles from the accounts of former employees.

These procedures address removal of unit assigned enterprise roles, and permissions and authorizations controlled by unit-level mechanisms.

Procedures:

Departmental Security Administrators (DSA):
A Security Role Verification Report is sent to the DSA of departments to which an employee transfers from within the university. The DSA is responsible for reviewing and updating enterprise security roles for transferred employees. Enterprise security roles that are no longer needed for the new position should be removed within three business days of the employee’s start date in the new department.

Unit IT:
Locally granted permissions and authorizations that are no longer necessary are expected to be removed within 24 hours of an employee’s employment end date. This includes permissions and group assignments within Active Directory, as well as any other systems or software controlled by the unit, including cloud services. Access to departmentally controlled resources must be terminated regardless of whether the access was granted to a Gatorlink or other account. If the terminated employee had access to accounts with shared passwords, the UF Account Management Standard requires that the password for those accounts be changed to prevent use by the terminated employee.
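As an added example of the Unit IT step above (not a UF procedure), the script below removes a terminated employee's unit-granted Active Directory group memberships and, for accounts the unit itself owns, disables the account, while writing a record of every change. It assumes the RSAT ActiveDirectory module, that the Gatorlink username is the AD SamAccountName, and a hypothetical log path; the Gatorlink account itself is left enabled because, as the Purpose notes, a remaining affiliation may require it.

```powershell
# Added example (not UF's code): remove unit-controlled AD access for a
# terminated employee within the 24-hour window and keep an audit record.
param(
    [Parameter(Mandatory)][string]$SamAccountName,  # Gatorlink username of the terminated employee
    [switch]$DisableAccount,                        # only for accounts the unit owns, never the Gatorlink account
    [string]$LogPath = "$env:TEMP\offboarding-$(Get-Date -Format yyyyMMdd).log",  # hypothetical path
    [switch]$Enforce                                # report-only unless set
)
Import-Module ActiveDirectory

$user  = Get-ADUser -Identity $SamAccountName -Properties MemberOf
$stamp = Get-Date -Format s
$log   = New-Object System.Collections.Generic.List[string]

# MemberOf lists the DN of every group except the primary group (normally
# Domain Users), so it is exactly the set of unit-granted group authorizations
# this procedure says must go. Cross-domain and nested memberships beyond the
# first level are not in MemberOf and would need a separate check.
foreach ($dn in $user.MemberOf) {
    $group = Get-ADGroup -Identity $dn
    if ($Enforce) {
        Remove-ADGroupMember -Identity $group -Members $user -Confirm:$false
        $log.Add("$stamp REMOVED      $SamAccountName from $($group.Name)")
    } else {
        $log.Add("$stamp WOULD REMOVE $SamAccountName from $($group.Name)")
    }
}

if ($DisableAccount) {
    if ($Enforce) {
        Disable-ADAccount -Identity $user
        $log.Add("$stamp DISABLED     $SamAccountName (unit-owned account)")
    } else {
        $log.Add("$stamp WOULD DISABLE $SamAccountName (unit-owned account)")
    }
}

# Shared accounts are not group memberships and cannot be found this way; the
# standard requires their passwords be changed separately, so flag the task.
$log.Add("$stamp REMINDER     rotate passwords of any shared accounts $SamAccountName could use")

# Append so one file covers the day's terminations; both the annual review and
# incident response need to show who lost which access and when.
Add-Content -Path $LogPath -Value $log
$log | Write-Output
```

Run it in report mode from the daily terminations report, review the list, then re-run with -Enforce; keep the log with the unit's access approval records so the annual verification can reconcile removals against the original authorizations.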

For timely notice of transferred and terminated employees, department IT staff can subscribe to receive an enterprise report for the specific Department IDs they are responsible for. Refer to the Running and Scheduling the Department Terminations and Transfers Report document for instructions on how to configure and schedule the report for automated delivery. This report should be set for daily delivery and will include all employees who terminated or transferred within the past 14 days for the selected Department IDs. Departments should assign staff to review this report daily and take appropriate action, and should provide coverage for when the person with primary responsibility is out of the office.

References:

UF Account Management Standard
UF Admin Memo: Timely Deactivation of Access Privileges
Instructions for Running and Scheduling the Department Terminations and Transfers Report

Procedure Number: SEC-AC-001.01a
IT Policy Family: Information Security
IT Category: Access Control
Effective Date: 6/22/2020


History

Policy History: New 1-20-2016, Amended 8-1-2022, Amended 2-18-2025 (administrative)