Non-person “service” Account Maintenance and Lifecycle

ISO Position Paper

Position Title: Non-person “service” account maintenance and lifecycle

Position Audience: Princeton IT Professionals

Contact: Information Security Office: InfoSec@princeton.edu

Position Release Date: March 20, 2018


Problem Statement

Account credentials continue to be considered the security perimeter of an organization. As
such, the lifecycle of those accounts needs to be managed closely in order to minimize the
information security risk posed to the University by the existence of these accounts. The
accounts of students, faculty, staff, and affiliates of the University (person accounts) are
managed closely through a well-defined process. Non-person / service accounts require the
same level of management.

ISO Position

Service account management should be done through a process that, at a minimum, supports the
following criteria:

  • Annual recertification of all service accounts by account owners, justifying the business need for the account
  • Monitoring of accounts with no authentication events for 1 year or more, with particular focus on whether these accounts should continue to exist
  • Accounts that have not been used or recertified for at least 1 year will be suspended for 60 days, after which the account will be deprovisioned

Additional Information

The OIT Person Office will create, implement, and manage the ongoing service account
management process.

Data classification: Public