Account Management Standard
Purpose
The Office of Information Technology (OIT) is responsible for issuing digital identities (University Accounts) to Users associated with Ohio University (OHIO Users). The purpose of this Standard is to outline the minimum requirements for identity and access management of University Accounts.
Access management refers to the creation of authorized access and prevention of unauthorized access to OHIO Systems or information, ensuring that access is limited to authorized users with a valid need to access specific resources. The revocation of access when OHIO Users leave the organization or change roles within the organization is part of the account management process as well.
Scope
This standard applies to University Accounts issued to OHIO Users for all University Systems. All accounts created for University purposes are within this scope. Some examples include, but are not limited to a department’s social media account, accounts for third-party services or applications, or local accounts to systems.
Standard
This standard exists to ensure that access to systems is appropriately requested, approved, granted, terminated, and reviewed on a regular basis. The management of user accounts is critical in protecting university data and minimizing risks to the institution.
OHIO Accounts
An OHIO account is the digital identity associated with an OHIO User and consists of three attributes: a unique ID number (PID), University Credentials, and an OHIO email address.
PID: The University’s primary identifier for all information systems and electronic communications is the PID.
- The PID must be a nine-digit number that is unique to a single person and must never be reused.
- If duplicate PID numbers are identified, all reasonable steps must be taken to eliminate them as soon as they are discovered.
University Credentials: The official OHIO email address used in conjunction with a password to access OHIO Systems.
- OHIO usernames must be unique to each individual and never reused.
The authoritative repository of OHIO Accounts will be maintained within the OIT Accounts and Passwords Service, which consists of multiple technical components that provide identity management, authorization, and authentication.
Those individuals with the role of Accounts and Passwords Service Administrators will be the only individuals permitted to add, modify, or delete University Accounts.
Accounts and Passwords Service Administrators will issue two types of University Accounts: Individual Accounts and Service Accounts.
Individual Accounts
Individual Accounts will automatically be issued to University students and employees based on information provided from Authoritative Sources.
Accounts for other Organizational Users, for example system vendors, consultants, or those receiving courtesy appointments, must be requested by an OHIO faculty or staff member.
All individuals must activate their Individual Account using the account claiming process at https://account.ohio.edu.
Once a University Account has been claimed, the individual must create a strong password and adhere to University Policy 91.004 University Credentials. The individual will then use the OHIO Login username and password (Credentials) to facilitate Authentication.
Start and end access dates for Individual Accounts will be based on the information entered in the authoritative repository as described above.
Service Accounts
Service Accounts will be created for those University Information Systems that need to Authenticate to perform a specific activity, such as sending email.
Service Accounts must only be created and used for a specific purpose.
Service Accounts must be requested by the Information System Owner or the unit’s leadership as applicable. A short description of the business case that necessitates the creation of the account is required to approve creation.
All Service Accounts must have a designated Service Account Owner (SAO) who is responsible for management of access to the account.
Authentication
When technically possible, the OIT Accounts and Passwords Service, whether used in part or in whole, must be used to authenticate individuals to University Systems or a federated system using their OHIO Username as noted in University Policy 91.004 University Credentials. When technically possible, all OHIO systems must authenticate via a Single Sign-On (SSO) offering in the Accounts and Passwords Service.
Account Management
OHIO Accounts must be appropriately managed as follows:
Provisioning Accounts
- The process to create and terminate user accounts must be approved and documented by unit leadership and/or an authorized owner of the system, application, or database. A list of unit leadership and authorized owners must be documented and maintained.
- Account setup and modification shall require the appropriate documented authorization.
- Account-related changes must be logged.
- All account creation shall follow the principle of least privilege, ensuring that provisioned access is the minimum necessary to perform the individual’s job functions.
Deprovisioning Accounts
- To effectively deprovision an account, all the roles associated with a given account must be removed immediately.
- OIT is responsible for removal of access to applications under OIT control.
- Each department is responsible for removal of access to applications specific to the department.
- Managers shall coordinate with appropriate staff to ensure the immediate suspension of accounts assigned to employees upon separation of employment or removal of roles in the event of a role change.
- Resources can be suspended at any time if requested by an appropriate representative in the respective operating units, Human Resources, the Information Security Office, or Student Affairs.
- Unless otherwise authorized, all accounts to which the user had access must be disabled or have their credentials changed upon the user’s termination of relationship with the university.
Managing Roles and Data Access for Accounts
- All managers shall review user accounts periodically to ensure that access and account privileges are applicable to job function, need-to-know, and employment status.
- A user requesting an account password change must provide proper authentication.
Definitions
Account: Provisioning, activation, management, and lifecycle deactivation of OHIO online credentials, including OHIO IDs/passwords and sponsored guest accounts. The different account types are outlined within the Accounts, IDs, and Passwords Service Level Agreement.
Authentication: Verifying the identity of a user, process, or device to allow access to an OHIO System.
Authorized Owner: The party with overall responsibility for system, application, or database access, including the processes and procedures for maintaining and reviewing computer accounts.
OHIO User(s): Faculty, staff, third-party agents of the university, and other authorized university affiliates accessing university data.
OHIO Systems: The set of components for collecting, creating, storing, processing, and distributing information, typically including hardware and software, system users, and the data itself.
Principle of Least Privilege: Allowing only authorized accesses for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with organizational missions and business functions.
Roles: A job function that identifies the tasks that a person can do and the resources to which the person has access.
References
- Policy 93.001 Data Classification
- Policy 91.005 Information Security
- Policy 91.006 Information Security Risk Management
- NIST 800 Series Publications
Exceptions
All exceptions to this standard must be formally documented with the Information Security Office (ISO) prior to approval by the Information Security Governance Committee (ISGC). Standard exceptions will be reviewed and renewed on a periodic basis by the ISO.
Request an exception
Complete the Exception Request form.
Governance
This standard will be reviewed and approved by the university Information Security Office as deemed appropriate based on changes in the technology landscape and/or changes to established regulatory requirements.
Reviewers
The reviewers of this standard are the members of the Information Security Governance Committee representing the following University stakeholder groups:
Information Technology: Ed Carter (Chair)
Human Resources: Michael Courtney
Faculty: Hans Kruse
Senior Associate Dean: Brian McCarthy
Finance and Administration: Julie Allison
Faculty: Shawn Ostermann
Regional Higher Education: Larry Tumblin
Research and Sponsored Programs: Susan Robb
Risk Management & Insurance: Larry Wines
History
Draft versions of this policy were circulated for review and approved on November 2, 2023.