Sunday, July 8, 2007

Information Security Policy 101 – Account Management Policy

The Account Management Policy is next in our alphabetical list of information security policies that I will be covering as part of the Information Security Policy 101 series. Typically an Account Management Policy is most useful in organizations with a group of individuals who are authorized to create, monitor, control, and/or remove user accounts.

The business assessment process that we covered in “Information Security Policy 101 – Assess the Business” should give information security personnel the information needed to determine if an Account Management Policy will provide value to the organization.

General Policy Format
All information security policies should have the following sections at a minimum:

Purpose – This is the stated purpose of the policy and clearly communicates why it was written.

The purpose of the %Organization% Account Management Policy is to establish the rules for the creation, monitoring, control, and removal of user accounts.

Audience – This section of the policy states to whom the policy statements apply, or who is governed by them. Typically an Account Management Policy applies to persons authorized and responsible for account management.

The %Organization% Account Management Policy applies equally to all individuals whose authorized business duties include account management pertaining to any %Organization% Information Resource.

Policy – The section that contains the actual policy statements.

Other sections that may be added to security policies include definitions, scope, responsibilities, etc.

Account Management Policy
The Account Management Policy is written to communicate the general rules and guidance to those persons in an organization with account management responsibilities. As with all information security policies, the Account Management Policy should be general in nature and should not detail specific settings or technical requirements. The Account Management Policy should adequately address account creation, monitoring, control, expiration, disablement, and deletion.


  • All accounts created must have an associated and documented request and approval
  • All accounts must be uniquely identifiable using the user name assigned by MGI IT

In the companies that I have had the opportunity to assess, many did not include an Account Management Policy in their greater global information security policy, although most of these companies could benefit from having one. The Account Management Policy is a very simple policy to write due to its limited scope, and in most cases its creation, approval, and adoption are well worth the investment.


TIP: Be sure that each account in your organization corresponds to a single entity (person, service, application, etc.) whenever possible.

Next in the series: “Information Security Policy 101 – Administrator/Special Access Policy”
