1.6 Account Standard
- 1.6.1. Identity
- a. Each user, group, role, service, or device must have a unique identifier.
- b. Accounts issued to individuals must not be shared with anyone other than the account holder.
- c. Identifiers must not be reassigned to a different user, group, role, service, or device for a minimum of two years, or longer where agency compliance requirements demand it. If a previously enrolled user, group, role, service, or device is later re-enrolled, the same identifier should be reused to maintain continuity and avoid duplication.
- 1.6.2. Account Creation and Termination
- a. Accounts must be created according to the applicable ITS process and/or procedure. Creation of accounts must be documented. Sufficient documentation would include the account identifier, the actions completed, and the name of the ITS member who carried out the actions.
- b. When no longer needed, accounts must be disabled, closed, archived, or otherwise terminated, and such actions must be documented. Sufficient documentation would include the account identifier, the actions completed, and the name of the ITS member who carried out the actions.
- 1.6.3. Use
- a. Accounts must only be used for purposes the account was created for.
- b. Use of Highline College’s Information Technology resources must comply with the Appropriate Use Policy.
- 1.6.4. Account States and Changes
- a. Upon worker termination, accounts should be disabled.
- b. Accounts should be temporarily disabled upon hiatus or sabbatical.
- c. When an individual’s formal or functional role changes, the account should be adjusted accordingly to meet, and not exceed, the established needs of the role and assigned work duties and according to ITS documented processes and procedures.
- d. When the purpose or needs change for an account that is not designated or issued to an individual, the account must be adjusted accordingly to meet, and not exceed, functional needs.
- 1.6.5. Communication and Notification
- a. It is the responsibility of supervisors to provide timely notification to Human Resources of any termination, hiatus, sabbatical, role change, or change in permission needs of workers they supervise.
- b. It is the responsibility of Human Resources to provide timely notification to ITS of any termination, hiatus, sabbatical, role change, or change in permission needs of workers.
- c. Upon receiving notice, ITS should promptly adjust the specified account(s) according to applicable processes and procedures.
- d. Approval is required for the creation, termination, and adjustment of user, group, role, service, or device identifiers. Approval must be obtained from the appropriate employees (e.g., the employee’s direct supervisor, data owners, and ITS staff) according to documented processes and procedures.
- 1.6.6. Simplified Protections
- a. To reduce complexity, Highline College and/or teams in ITS may implement a higher protection than required as a standard protection measure.
- 1.6.7. Identification
- a. Authentication, passwords, and other authentication factors must comply with the Authentication and Password Standard.
- 1.6.8. Credentials
- a. When providing initial access or information needed to gain or regain access, the information must only be communicated directly to the designated individual(s) the account was created for, according to established processes and procedures.
- 1.6.9. Privileges/Permissions
- a. Accounts shall have the minimum privileges/permissions necessary to meet the account purpose.
- b. Highline College shall implement separation of duties where feasible. Separation of duties includes dividing critical operational mission functions and system support functions among different individuals or roles, and having different individuals carry out different system support functions. For example, account access granted to security personnel administering access control functions must be limited to their assigned tasks.
- c. Highline shall define and maintain role-based access control. The access rights needed for each position in the organization to successfully carry out its assigned duties shall be identified and documented. Specific needs and measures for roles include, but are not limited to:
- i. Account status, descriptions, etc.
- ii. Authentication requirements.
- iii. Account security groups, permissions, and privileges.
- iv. Login access to specific devices, services, software, applications, apps, etc.
- v. Login access to/from specific locations, networks, or internet protocol (IP) addresses.
- d. Account access is subject to audit, review, follow-up, and may result in adjustment according to ITS processes and procedures.
- e. Physical access and physical security are provided and granted according to Public Safety’s policies, standards, processes, and procedures. Access to IT infrastructure areas is limited to specific staff and may have additional physical security mitigations.
- f. Time of day, day of week, and/or geographic location restrictions may be applied to accounts for IT security and risk management purposes according to ITS’ policies, standards, processes, and procedures. For example, accounts used by vendors for remote maintenance will be enabled only during the time needed and will only accept connections from within WA state or another specified location.
- 1.6.10. Account Management Capabilities
- a. Account management capabilities must be limited to ITS individuals in support roles and ITS system administrators. Account management capabilities include the addition, deletion, and modification of UserIDs, credentials, and other identifier objects.
- b. System administration privileges must be restricted to dedicated administrator accounts on enterprise assets where technically supported. General computing activities, such as internet browsing, email, and productivity suite use, shall be performed under the user’s standard account.
- 1.6.11. Additional Standards by Account Type
- a. Accounts for Guests, Training and Demonstrations
- i. Use
- 1. Not to be used for personal benefit
- ii. Accessibility
- 1. Accounts should only be usable while on campus within the appropriate networks.
- iii. Obtaining and Communicating Credentials
- 1. College employees who regularly support events or external visitors may be provided limited access to retrieve needed credentials from a secure retrieval portal.
- b. Student Accounts
- i. Use
- 1. Future students must be assigned an ID number in the admissions and enrollment systems to be eligible to create a student account.
- 2. Accounts may be made prior to an individual’s enrollment into classes for the purpose of providing access to Highline College systems as necessary for the purpose of orientation and other pre-enrollment processes.
- ii. Account Sharing
- 1. Each account is held and used by one person and must not be shared.
- 2. Sharing of authentication credentials, such as usernames, passwords, or any other form of identification, is strictly prohibited. Temporary passwords may be communicated to the student by support staff tasked with supporting employee accounts after the student’s identity has been verified.
- iii. Termination
- 1. When students have not been attending or enrolled at Highline College for more than four consecutive quarters (one year), full account access must be disabled, terminated, or otherwise prohibited.
- 2. Individual accounts of students will be archived or otherwise removed according to ITS processes and procedures after a span of five years with no current or future term activations.
- 3. At least once a day, individual accounts of students will be automatically updated based on current system data.
- iv. Privileges/Permissions
- 1. Accounts shall have the minimum privileges/permissions required to meet the needs of the student based on class needs.
- c. Standard Accounts for Employees
- i. Account Sharing
- 1. Each account is held and used by one person and must not be shared.
- ii. Creation
- 1. Accounts may be created prior to an individual’s start date in order to participate in orientation, onboarding, and course development activities.
- iii. Termination
- 1. When employees no longer work for Highline College, access must be disabled, terminated, or otherwise prohibited.
- 2. Accounts must be disabled in a timely and complete manner when an individual is no longer employed by or working for Highline College.
- 3. Access to accounts of former employees and contracted workers will be disabled or otherwise prevented within one business day of the last day worked or of notification by Human Resources, and terminated according to ITS procedures.
- 4. Ability to access an individual account related to a sudden or urgent separation will be terminated as soon as possible according to ITS process and procedures.
- iv. Privileges/Permissions
- 1. Where administrator privileges/permissions are required, an individual should be provided with their own administrator account separate from their regular, non-administrator account.
- 2. Accounts shall have the minimum privileges/permissions required to meet the needs of the respective position and job role.
- v. Obtaining and Communicating Credentials
- 1. The account holder may contact the ITS Help Desk to obtain the account’s temporary credentials on or after the specified start date.
- d. Specially Designated Lab Environments
- i. Use
- 1. These accounts are provided by Highline College and permitted by the ITS department for the purpose of creating and operating within specific dedicated lab environments when required by course curriculum.
- 2. These accounts are a privilege and must be used appropriately.
- 3. Existence, designation, and security mitigations must be formally approved by ITS prior to planning, testing, implementation, etc.
- ii. Account Sharing
- 1. Accounts, when created for individual use, must not be shared. Accounts must be unique to the account holder, may only be used by the respective account holder, and may not be shared. Group, shared, or generic UserIDs and passwords are prohibited.
- iii. Creation
- 1. Accounts may be created for learning purposes by ITS Staff, instructors, and students depending on ITS authorization.
- iv. Termination
- 1. At the end of a quarter, ITS staff may wipe the accounts and systems to prepare for the next quarter as appropriate for the specific lab environment and account purpose.
- v. Obtaining and Communicating Credentials
- 1. If created by an ITS staff member, the instructor may contact ITS for the initial account credentials.
- 2. If created by an employee, under approval of ITS, the account credentials may be securely shared with the student.
- e. Third-Party Maintenance Accounts
- i. Prerequisite
- 1. The third party must be contracted to provide support and/or maintenance.
- 2. A risk assessment must be completed when considering the creation of a third-party maintenance account. Considerations should identify security assurances and risks introduced should an account be compromised.
- 3. Access must not be provided if the risk is above Highline College’s documented risk tolerance threshold.
- 4. It must be determined ahead of time how frequently the account will be needed, for example whether date/time restrictions would be appropriate. The account should be set up to reflect those identified needs.
- 5. The necessary actions and/or mitigations based on the risk assessment must be established and implemented.
- ii. Use
- 1. These accounts are managed and provided by ITS to specific third parties contracted to provide support, maintenance, etc. Examples of a third party are manufacturers that manage or support our campus’ Operational Technology (OT) devices.
- 2. Accounts may only be used for purposes authorized by Highline College.
- 3. Accounts must not be shared beyond the defined individual, group, or organization.
- iii. Account Sharing
- 1. Each account is held and used by one person and must not be shared.
- 2. Sharing of authentication credentials, such as usernames, passwords, or any other form of identification, is strictly prohibited. Temporary passwords may be communicated to the student by employee account support staff.
- iv. Obtaining and Communicating Credentials
- 1. When providing initial access or information needed to regain access, information must only be communicated directly to the designated individual(s), representative or pre-established liaison.
- v. Privileges/Permissions
- 1. Account access will be limited, as much as possible, to only what is necessary. Limitations may include access only to specific networks, ports, devices, or applications, use of specific protocols only, access only at specific times, etc.
- 2. Accounts used by vendors for remote maintenance must be enabled and available only during the time needed.
- f. Third-Party Access Accounts
- i. Prerequisite
- 1. Before access to information or information system(s) is provided to a third party, Highline and the third party must have:
- a. a signed contract, memorandum of agreement, or other legally documented partnership; and
- b. a signed data security and assurance agreement
- 2. A risk assessment must be completed when considering the creation of a third-party access account. Considerations should identify security assurances and risks introduced should an account be compromised.
- 3. Access must not be provided if the risk is above Highline College’s documented risk tolerance threshold.
- 4. It must be determined ahead of time how frequently the account will be needed, for example whether date/time restrictions would be appropriate. The account should be set up to reflect those identified needs.
- 5. The necessary actions and/or mitigations based on the risk assessment must be established and implemented.
- ii. Use
- 1. These accounts are managed and provided by ITS to specific third parties contracted to provide support, maintenance, etc. Examples of a third party are manufacturers that manage or support our campus’ Operational Technology (OT) devices.
- 2. Accounts may only be used for purposes authorized by Highline College.
- 3. For individual use only.
- 4. Accounts must not be shared beyond the defined individual.
- iii. Account Sharing
- 1. Each account is held and used by one person and must not be shared.
- 2. Sharing of authentication credentials, such as usernames, passwords, or any other form of identification, is strictly prohibited. Temporary passwords may be communicated to the student by employee account support staff.
- iv. Privileges/Permissions
- 1. Account access will be limited, as much as possible, to only what is necessary. Limitations may include access only to specific devices or applications, use of specific protocols only, access only at specific times, etc.
- a. Accounts used by vendors for remote maintenance must be enabled and available only during the time needed.
- g. Service Accounts
- i. Use
- 1. Accounts must not be used for individual use or for purposes other than the account’s designated purpose, for example as part of an automated, scheduled task or job, or by ITS staff to troubleshoot or otherwise validate system or service functionality.
- 2. Accounts used for system service, daemon, or application execution (service accounts) require documentation in the agency security program and the following controls:
- a. A discrete account must be used only for the defined privileged functions and never by an individual.
- b. Password expiration requirements must be documented in the agency security program.
- c. The principle of least privilege must be employed when determining access requirements for the account.
- ii. Termination
- 1. When an account is no longer needed, the account should be disabled, inactivated, or otherwise terminated.
- iii. Location Requirement
- 1. Account access must be limited to local college networks or cloud environments.
- iv. Privileges/Permissions
- 1. Account permissions must be limited to local college networks or cloud environments.
- 2. Accounts shall have the minimum privileges/permissions required for the specific use case.
- v. Obtaining and Communicating Credentials
- 1. Passwords must be documented in a secure encrypted location according to established policies, standards, processes, or procedures.
- 2. Account credentials must be shared with as few people as feasible and must not be shared with employees who are not authorized to access or use them, as deemed by the Highline CISO.
- h. Elevated Privilege/Administrator Accounts
- i. Use
- 1. Used to keep user and administrative account usage separate.
- 2. Used for process escalation only when elevated privileges are needed.
- 3. An employee who has this type of account also has a standard account that they use to log in to computers. The separation of privileges helps to reduce the risk from a compromised standard individual account, since standard accounts do not have elevated or administrative rights.
- 4. Accounts shall have the minimum privileges/permissions required to meet the needs of the respective position and job role.
- ii. Account Sharing
- 1. Each account is held and used by one person and must not be shared.
- 2. Temporary passwords may be communicated to the student by employee account support staff.
- iii. Termination
- 1. When an audit has been completed, auditor and/or auditing accounts should be disabled, closed, or otherwise terminated.
- iv. Location Requirement
- 1. Account access must be limited to local college networks or cloud environments.
- v. Privileges/Permissions
- 1. Account permissions must be limited to local college networks or cloud environments.
- 2. Accounts shall have the minimum privileges/permissions required for the specific use case.
- i. Administrative, and Other Accounts
- i. Use
- 1. May only be used for:
- a. Initial server, service, or system setup, or performing an action that cannot be completed from an individual’s administrative/elevated account;
- b. Regaining access to the system, or to apply or restore administrative access/permissions to another account if needed due to permissive limitations;
- c. ITS staff to troubleshoot or otherwise validate system or service functionality.
- d. As part of IT Security Event Response efforts.
- ii. Account Sharing
- 1. Each account is held by Highline College’s ITS division and only shared with appropriate ITS staff.
- 2. Sharing of authentication credentials beyond the approved individuals or teams is strictly prohibited.
- iii. Location Requirement
- 1. Access to accounts of this type that exist on the local college networks and infrastructure must not be usable or accessible remotely without first connecting to the local infrastructure management network or cloud environment.
- iv. Storing, Accessing Credentials
- 1. Account credentials must be shared with as few people as feasible, as deemed necessary by the Highline CISO.
- 2. Account credentials must be documented in a secure encrypted location according to established policies, standards, processes, or procedures.
- 3. The secret text and/or Multi-Factor Authentication (MFA) QR code or seed can be printed off and stored in a safe that is located in a secured area.
- v. Multi-Factor Authentication (MFA)
- 1. Careful protection, management, and handling of administrator accounts is of utmost importance. If supported by the system, feasible, and approved by the CISO, additional authentication methods may be implemented such as types of One-Time Passwords (OTP).
- vi. Exceptions
- 1. Built-in system accounts that are considered part of an operating system’s core functionality may be exempt from some requirements. For example, it may not be technically possible or sensible for every account to use a password (e.g., .\NTAUTHORITY, .\IUSR).
- 1.6.12. Account Administration
- a. Documented processes and procedures for issuing, replacing, and revoking accounts and authentication factors for information technology assets and resources must be maintained and followed.
- b. ITS must have administrative rights to all accounts and access to all logs of devices, systems, services, and other information technology resources.
- 1.6.13. Retention, Records
- a. Account data must be retained in accordance with applicable laws, record retention schedules, auditing and applicable requirements. Account information and data will be retained according to applicable policies, processes, and procedures of the Highline College Public Records Office.
- 1.6.14. Auditing and Monitoring
- a. An inventory shall be kept of all of the following account types managed by Highline College:
- i. Accounts for guests, training and demonstrations
- ii. Student accounts
- iii. Standard accounts for employees
- iv. Elevated privilege/administrator accounts
- v. Third-party maintenance accounts
- vi. Third-party access accounts
- The inventory will include:
- i. The account username or login name. If the account has neither, a unique identifier specific to the account should be included.
- ii. The name of the individual assigned to or utilizing the account.
- iii. Current status
- iv. Most recent account active and inactive dates, such as the start/stop dates of employment or enrollment.
- v. If it’s not a student account, include the department and/or company name.
- vi. Date of last account review.
- vii. Account role, designation, groups, permissions, etc.
- b. An inventory shall be kept of all of the following account types managed by Highline College:
- i. Service accounts
- ii. Administrative
- iii. Other accounts
- The inventory will include:
- i. The account username or login name. If the account has neither, a unique identifier specific to the account should be included.
- ii. The system(s) the account(s) exist on.
- iii. Department owner (ex: Regroup is Public Safety; ITS is stewards and support)
- iv. Date of last account review
- v. Purpose
- vi. Account role, designation, groups, permissions, etc.
- c. The inventories should each be updated on a recurring schedule, at least weekly. Automation is encouraged for efficiency.
- d. An audit of all accounts should be done at least quarterly to validate that all active accounts are authorized. Automation is encouraged for efficiency.
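An added example, not part of the Account Standard or any Highline College tooling: a Python inventory record carrying the fields 1.6.14(a) lists, plus an audit that flags records violating the termination, review-cadence, and inventory-field requirements stated above. The field names, the 365-day approximation of "four consecutive quarters", the business-day rule (which ignores holidays), and the sample records are assumptions.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Inventory record with the fields of 1.6.14(a); names are assumptions.
@dataclass
class InventoryRecord:
    username: str                   # i.  login name or unique identifier
    assigned_to: str                # ii. individual using the account
    status: str                     # iii. "active" or "disabled"
    active_date: date               # iv. start of employment / enrollment
    inactive_date: Optional[date]   # iv. stop date, None while still current
    department: str                 # v.  department or company (not needed for students)
    last_review: date               # vi. date of last account review
    roles: str                      # vii. role, groups, permissions
    account_type: str               # student, employee, third-party-maintenance, ...

def business_days_after(d: date, n: int) -> date:
    """Advance d by n business days (Mon-Fri; holidays ignored, an assumption)."""
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d

def audit_record(rec: InventoryRecord, today: date) -> list:
    """Return the requirements this record violates; an empty list means clean."""
    findings = []
    if rec.account_type != "student" and not rec.department:
        findings.append("missing department/company name (1.6.14.a.v)")
    if today - rec.last_review > timedelta(days=90):      # quarterly audit, 1.6.14.d
        findings.append("last review older than one quarter (1.6.14.d)")
    if rec.status != "active" or rec.inactive_date is None:
        return findings
    # Employees: disabled within one business day of the last day worked (1.6.11.c.iii.3).
    if rec.account_type == "employee" and today > business_days_after(rec.inactive_date, 1):
        findings.append("former employee still active past one business day (1.6.11.c.iii.3)")
    # Students: full access disabled after more than four quarters, i.e. one year,
    # without enrollment (1.6.11.b.iii.1); one year taken as 365 days, an assumption.
    if rec.account_type == "student" and today - rec.inactive_date > timedelta(days=365):
        findings.append("student unenrolled for over one year still active (1.6.11.b.iii.1)")
    return findings

def audit_inventory(records, today: date) -> dict:
    """Map username -> findings for every record that has at least one finding."""
    return {r.username: f for r in records if (f := audit_record(r, today))}

# Constructed sample inventory; none of these are real accounts.
SAMPLE = [
    InventoryRecord("jdoe", "Jane Doe", "active", date(2021, 9, 1), None,
                    "ITS", date(2025, 6, 1), "staff", "employee"),
    InventoryRecord("rroe", "Rick Roe", "active", date(2019, 1, 7), date(2025, 7, 11),
                    "Library", date(2025, 7, 1), "staff", "employee"),
    InventoryRecord("s123", "Sam Stu", "active", date(2023, 9, 25), date(2024, 6, 14),
                    "", date(2025, 7, 1), "student", "student"),
    InventoryRecord("vend1", "Vendor Co.", "active", date(2025, 1, 1), None,
                    "", date(2025, 1, 1), "maint", "third-party-maintenance"),
]
AUDIT_DATE = date(2025, 7, 17)   # constructed audit date (a Thursday)

def audit_sample() -> dict:
    return audit_inventory(SAMPLE, AUDIT_DATE)

if __name__ == "__main__":
    for user, findings in audit_sample().items():
        print(user, "->", "; ".join(findings))
```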
Revision History

| Date | By | Summary |
|---|---|---|
| 07/17/2025 | TW | Update approved. |