Information Security

User Account Management Standard

Last modified 4/14/2026

This standard has been superseded by the Account Management Standard.


Purpose

The purpose of this standard is to establish secure account management for managed University accounts. Phishing and account compromise are two of the most prevalent and highest-risk security threats to the University, with attackers attempting to gain network access and execute account compromise attacks on a daily basis. Compromised accounts can spread quickly across networks and cause severe damage.

By implementing this standard, the University seeks to formalize and document controls to address the threat of phishing and account compromise.

Scope

This standard applies to all University user accounts ("accounts").

Standard

  1. Accounts must be managed by the central account management system.
  2. Enabled accounts must be associated with at least one University affiliation.
  3. Non-student and non-employee primary user accounts must have an active account sponsor and be renewed annually.
  4. Secondary accounts must be associated with a primary University account.
  5. Account activation with x days?











Additional Information

The following items provide context for, or a better understanding of, this standard:

  • Non-User Accounts

There are non-user types of accounts that support the operations of University systems and services. The most common example of this is often referred to as a "service" account. These accounts are configured within the systems themselves and are not directly used by individuals. A separate standard is under development for such accounts.

  • Requesting an Exemption

In the event that this standard cannot be met, an exemption can be requested and will be evaluated on a case-by-case basis.

All exemptions will require documentation of the user account, how it is managed, what it has access to, and the reason the standard cannot be met, followed by executive approval determined by the requesting area and based on the documented risks.

  • System Defined

The current central account management system is Oracle Identity Manager (OIM). OIM provisions user accounts and more to the University directory systems, which are then used by other systems and services.

Feedback

To suggest an update to this article, ISU students, faculty, and staff should submit an Update Knowledge/Help Article request and all others should use the Get IT Help form.