• Print

3.8.2 Accountability Policy

Policy:
Individual accountability must be maintained on all University computing and communications systems.

A University Computer System is defined for the purposes of this and other Information Technology Policies as any University-provided computer, workstation or server – either stand alone or networked – that processes, stores, receives or transmits University information, or information entrusted to the University by a third party. In general, access to University Computer Systems and networks is provided through the use of individually assigned unique computer identifiers, known as UserIDs. Each individual is responsible and accountable for all activity performed under his/her UserID(s). The ISPC has the authority to grant exceptions and define the accountability mechanism for those computer systems whose access and use cannot reasonably be controlled through use of an individual UserID.

Access to protected resources is granted to UserIDs. This access is based on an individual UserID, or to a groupID containing individual UserIDs. Group-IDs are commonly used in role-based security models. It is, therefore, critically important that unique UserIDs be assigned to specific individuals, and that these UserIDs not be shared ensuring that the controls in place perform as they are intended. This will ensure the accountability of all individuals accessing the University’s protected resources.

UserID based accountability should be required for any network-based service, but may be impractical for non-networked, public access, or kiosk-type installations. In private areas (research laboratories, faculty offices, etc.), sign-on procedures to use non-networked services may interfere with normal operations. In non-networked situations such as these, regular audit of local information and/or appropriate physical access restrictions may be substituted for UserID access. It is highly recommended that the Information Security Analyst be consulted.

Issues Addressed

Accountability, is an element of security. By requiring each individual to sign on using a unique UserID, activity can be attributed to a particular individual. This auditability provides management with information regarding who performed what activity on what information resources. It can also be used to help resolve system or network problems by providing more complete usage information.