Information Security
Account Management Standard
Last modified 4/14/2026
Purpose
The purpose of this standard is to establish secure account management for managed University accounts. Phishing and account compromise are among the most prevalent and highest-risk security threats to the University: attackers attempt to gain network access and compromise accounts on a daily basis, and a single compromised account can be used to move quickly across the network and cause severe damage.
By implementing this standard, the University seeks to formalize and document controls to address the threat of phishing, account compromise, and improper access.
Scope
This standard applies to all University accounts ("accounts")[1] registered in University directory services[4].
Scope Exemptions
This standard does not apply to disabled accounts solely used for non-user Exchange resources[7].
Standard
University teams and departments ("teams") creating or managing accounts within this standard's scope must meet the following criteria:
- Teams administering directory services must maintain an inventory of those directory services.
- All accounts, both user and service, must be managed by the central identity management system[2].
- Enabled user accounts must be associated with at least one University affiliation[3].
- Accounts must remain in an inactive state until account activation[5].
- Non-student and non-employee primary user accounts must have an active account sponsor and be renewed annually.
- Secondary user accounts must be associated with a primary University user account.
- Access granted to user accounts must use automatic group management[6] where the system supports it. All user access not configured through automatic group management must have a documented access review completed annually.
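The criteria above can be turned into a repeatable check over an account inventory export. The following is an added example, not code from the University standard or from its identity management tooling: it encodes each criterion (plus the 45-day dormancy threshold from CIS Control 5.3, quoted under Supporting References) as a check over a constructed directory export. The export field names (`managed_by`, `affiliations`, `sponsor_active`, `access`, and so on), the `central-idm` source label, and the sample accounts are all assumptions made for the example.

```python
"""Compliance checks over an exported account inventory.

Added example, not code from the University standard or its IAM tooling: it
encodes the Standard's account criteria (and the CIS 5.3 45-day dormancy
threshold cited under Supporting References) as checks over a constructed
directory export. The export field names below are assumptions.
"""
from datetime import date

SPONSOR_RENEWAL_DAYS = 365   # sponsored accounts are "renewed annually"
ACCESS_REVIEW_DAYS = 365     # manual access needs a "documented access review ... annually"
DORMANT_DAYS = 45            # CIS Control 5.3 threshold, where supported
CENTRAL_IDM = "central-idm"  # assumed source label for accounts managed by Midpoint/Grouper
TODAY = date(2026, 4, 14)    # fixed reference date so the sample is reproducible

# Constructed sample export; these are not real University accounts.
SAMPLE_ACCOUNTS = [
    {"username": "jdoe", "kind": "user", "primary": True, "primary_account": None,
     "enabled": True, "activated": True, "managed_by": CENTRAL_IDM,
     "affiliations": ["employee"], "sponsor": None, "sponsor_active": False,
     "renewed_on": None, "last_logon": date(2026, 4, 1), "exchange_resource": False,
     "access": [{"group": "all-employees", "automatic": True, "last_review": None}]},
    {"username": "svc-backup", "kind": "service", "primary": True, "primary_account": None,
     "enabled": True, "activated": True, "managed_by": "local-ad",
     "affiliations": [], "sponsor": None, "sponsor_active": False,
     "renewed_on": None, "last_logon": date(2026, 4, 13), "exchange_resource": False,
     "access": []},
    {"username": "vendor1", "kind": "user", "primary": True, "primary_account": None,
     "enabled": True, "activated": True, "managed_by": CENTRAL_IDM,
     "affiliations": ["affiliate"], "sponsor": "jdoe", "sponsor_active": True,
     "renewed_on": date(2025, 1, 10), "last_logon": date(2026, 4, 10), "exchange_resource": False,
     "access": [{"group": "vendor-portal", "automatic": False, "last_review": date(2026, 1, 5)}]},
    {"username": "jdoe-adm", "kind": "user", "primary": False, "primary_account": "jdoe",
     "enabled": True, "activated": True, "managed_by": CENTRAL_IDM,
     "affiliations": ["employee"], "sponsor": None, "sponsor_active": False,
     "renewed_on": None, "last_logon": date(2026, 2, 1), "exchange_resource": False,
     "access": [{"group": "domain-admins", "automatic": False, "last_review": None}]},
    {"username": "rm-conf101", "kind": "user", "primary": True, "primary_account": None,
     "enabled": False, "activated": False, "managed_by": "local-ad",
     "affiliations": [], "sponsor": None, "sponsor_active": False,
     "renewed_on": None, "last_logon": None, "exchange_resource": True,
     "access": []},
    {"username": "tempstaff", "kind": "user", "primary": True, "primary_account": None,
     "enabled": True, "activated": False, "managed_by": CENTRAL_IDM,
     "affiliations": ["employee"], "sponsor": None, "sponsor_active": False,
     "renewed_on": None, "last_logon": date(2026, 4, 13), "exchange_resource": False,
     "access": []},
]


def days_since(when, today):
    """Days elapsed since `when`; None (never) counts as infinitely old."""
    return float("inf") if when is None else (today - when).days


def check_account(acct, today=TODAY):
    """Return the list of Standard criteria an account fails (empty when compliant)."""
    findings = []
    # Scope exemption: perpetually disabled non-user Exchange resources (footnote 7).
    if acct["exchange_resource"] and not acct["enabled"]:
        return findings
    # Every account, user or service, must come from the central identity management system.
    if acct["managed_by"] != CENTRAL_IDM:
        findings.append("not managed by the central identity management system")
    if acct["kind"] != "user":
        return findings  # the remaining criteria are written for user accounts
    if acct["enabled"] and not acct["activated"]:
        findings.append("account enabled before account activation")
    if acct["enabled"] and not acct["affiliations"]:
        findings.append("enabled user account has no University affiliation")
    if acct["primary"]:
        # Sponsored accounts are those that are neither student nor employee.
        if not {"student", "employee"} & set(acct["affiliations"]):
            if not acct["sponsor"] or not acct["sponsor_active"]:
                findings.append("sponsored account lacks an active sponsor")
            if days_since(acct["renewed_on"], today) > SPONSOR_RENEWAL_DAYS:
                findings.append("sponsored account not renewed within the last year")
    elif not acct["primary_account"]:
        findings.append("secondary account not associated with a primary account")
    # Access outside automatic group management needs a documented annual review.
    for entry in acct["access"]:
        if not entry["automatic"] and days_since(entry["last_review"], today) > ACCESS_REVIEW_DAYS:
            findings.append(f"manual access to {entry['group']} lacks an annual review")
    # CIS 5.3: disable dormant accounts after 45 days of inactivity.
    if acct["enabled"] and days_since(acct["last_logon"], today) > DORMANT_DAYS:
        findings.append(f"enabled account inactive for more than {DORMANT_DAYS} days")
    return findings


def check_inventory(accounts, today=TODAY):
    """Map each non-compliant username to its findings."""
    report = {}
    for acct in accounts:
        findings = check_account(acct, today)
        if findings:
            report[acct["username"]] = findings
    return report


if __name__ == "__main__":
    for user, problems in check_inventory(SAMPLE_ACCOUNTS).items():
        print(user)
        for problem in problems:
            print("  -", problem)
```

On the sample data the compliant employee account and the disabled Exchange room resource produce no findings, while the locally managed service account, the unrenewed sponsored account, the unactivated account, and the secondary admin account (manual group membership without a review, and no logon in 72 days) each surface the specific criterion they miss. Accounts that cannot be brought into compliance are the ones that need an exception request under the Exceptions section.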
Exceptions
While this standard is intended to apply comprehensively, there may be instances where certain systems or accounts are unable to meet the full requirements. In such cases, exceptions must be formally requested and reviewed.
Requests for exceptions must be submitted to the Information Security Office (ISO) through the university’s ticketing system or by emailing informationsecurityoffice@ilstu.edu. Each request must include:
- User account names associated with the exception request
- A detailed use case explaining why the exception is necessary and what compensating security controls, if any, will be implemented
The ISO will review all exception requests in accordance with the Information Security Program's exception management process. Approval will be granted only when it is determined that operational needs outweigh the security risks, and where appropriate compensating controls are in place to mitigate those risks. All approved exceptions will be documented, periodically reviewed, and may be subject to additional security monitoring.
Additional Information
Footnotes
The following footnotes are referenced in the other sections of this document:
1. User Accounts for the purposes of this standard are defined as accounts used by individuals ("user accounts"), as opposed to accounts used exclusively and programmatically by services ("Service Accounts").
2. The Central Identity Management System is the primary and central identity service provided for University-wide use by the Office of Identity and Access Management, currently Midpoint/Grouper at the time of writing.
3. Affiliations represent the official relationship an individual, or a digital identity, has with the University.
4. Directory Services are database-type systems that provide inventory, security/authentication services, and/or lookup functionality for other information technology systems. Examples of directory services include Active Directory (AD), Microsoft Entra ID (formerly Azure AD), LDAP, and identity management systems.
5. Account Activation is a critical step in account onboarding and setup. Account activation completes account setup, including but not limited to acknowledging appropriate use policies and configuring account recovery options.
6. Automatic Group Management, for the purposes of this standard, is defined as 1) access being granted through a security group/list and 2) exclusively using automated means (queries, rules) to add members to and remove members from that security group. For example, a Grouper-managed security group for all employee accounts that is configured to automatically add employees and remove non-employees would be compliant with this standard item.
7. Non-User Exchange resources in Active Directory (AD) are used for shared mailboxes, aliases, rooms/locations, calendars, and similar functionality. These accounts are perpetually disabled in AD, are never directly logged into, and exist solely to create the Exchange resource.
Roles & Responsibilities
Role | Responsibilities
--- | ---
Chief Information Security Officer (CISO) | Oversees account management governance and compliance.
System/Application/Endpoint Administrators | Responsible and accountable for account management and user account reviews.
ISO Team | Monitors threat intelligence, reports on account management compliance, and assesses risks.
Compliance
The Information Security Office will report on account management compliance (for example, accounts not managed by the central identity management system and user access lacking a documented annual review) to ensure compliance with this standard and University policies. Systems out of compliance with this standard or the University Security Program policy will be escalated for remediation planning, and continued noncompliance may result in systems being segmented from the University network.
Supporting References
The following references informed the development of this standard:
2024 Data Breach Investigations Report | Verizon
CIS Critical Security Controls Version 8 (cisecurity.org)
CIS Community Defense Model 2.0 (cisecurity.org)
NIST SP 800-53 v5 Security and Privacy Controls for Information Systems and Organizations
CIS Control v8 Guidance
Illinois State University leverages the CIS Controls framework, validated through the CIS Community Defense Model, to ensure our cybersecurity measures effectively mitigate the most prevalent real-world threats, including those identified in the MITRE ATT&CK framework, thereby enhancing our defenses against known adversary behaviors.
5.1 Establish and Maintain an Inventory of Accounts: Establish and maintain an inventory of all accounts managed in the enterprise. The inventory must include both user and administrator accounts. The inventory, at a minimum, should contain the person’s name, username, start/stop dates, and department. Validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
5.3 Disable Dormant Accounts: Delete or disable any dormant accounts after a period of 45 days of inactivity, where supported.
5.5 Establish and Maintain an Inventory of Service Accounts: Establish and maintain an inventory of service accounts. The inventory, at a minimum, must contain department owner, review date, and purpose. Perform service account reviews to validate that all active accounts are authorized, on a recurring schedule at a minimum quarterly, or more frequently.
5.6 Centralize Account Management: Centralize account management through a directory or identity service.
6.1 Establish an Access Granting Process: Establish and follow a process, preferably automated, for granting access to enterprise assets upon new hire, rights grant, or role change of a user.
6.2 Establish an Access Revoking Process: Establish and follow a process, preferably automated, for revoking access to enterprise assets, through disabling accounts immediately upon termination, rights revocation, or role change of a user. Disabling accounts, instead of deleting accounts, may be necessary to preserve audit trails.
6.6 Establish and Maintain an Inventory of Authentication and Authorization Systems: Establish and maintain an inventory of the enterprise’s authentication and authorization systems, including those hosted on-site or at a remote service provider. Review and update the inventory, at a minimum, annually, or more frequently.
6.7 Centralize Access Control: Centralize access control for all enterprise assets through a directory service or SSO provider, where supported.
6.8 Define and Maintain Role-Based Access Control: Define and maintain role-based access control, through determining and documenting the access rights necessary for each role within the enterprise to successfully carry out its assigned duties. Perform access control reviews of enterprise assets to validate that all privileges are authorized, on a recurring schedule at a minimum annually, or more frequently.
Feedback
To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.