Account Management Configuration Requirements
1. Life-cycle management
1.1 Manage user accounts using a life-cycle approach. Such an approach includes establishing the approval, notification, monitoring, operational requirements and operational procedures related to the creation, activation, modification, periodic review, disabling and deletion of accounts.
2. Authentication hardening
2.1 Authenticate users before they are granted access to a system and its resources, leveraging approved GC authentication services, in accordance with the Directive on Identity Management and associated guidelines such as Guidance on Cloud Authentication for the Government of Canada. Exceptions are to be assessed through the GC Enterprise Architecture Review Board.
2.2 Implement strong authentication mechanisms such as multi-factor authentication (MFA) for all accounts that have privileged or enhanced access, in accordance with Canadian Centre for Cyber Security guidance in ITSP.30.031 v3, User Authentication Guidance for Information Technology Systems. Additional information regarding the GC enterprise approach with respect to MFA is provided in Multi-factor Authentication Considerations and Strategy for GC Enterprise IT Services. At a minimum, MFA is used to authenticate:
- 2.2.1 All users accessing information systems with an Assurance Level Requirement of 3 or higher;
- 2.2.2 All privileged users performing privileged actions; and
- 2.2.3 All users of remote access solutions.
2.3 Where passwords are used, implement a password policy in accordance with the GC Password Guidance.
2.4 Systems are configured with a session or screen lock.
2.5 Systems have an approved log-on banner that requires users to acknowledge and accept their security responsibilities before access is granted.
3. Account management
3.1 Establish criteria to grant access to information systems based on:
- 3.1.1 A valid access authorization;
- 3.1.2 Intended system usage;
- 3.1.3 Other attributes as required by the department; and
- 3.1.4 Program and service requirements.
3.2 Identify account types (for example, privileged, individual, group, system, application, guest/anonymous and temporary).
3.3 Associate each account with a single (digital) identity (person or non-person).
3.4 Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.
3.5 Identify authorized users of information systems and specify their access privileges.
3.6 Ensure that access is revoked, or modified accordingly, when individuals no longer need access or should no longer have access.
3.7 Disable inactive accounts after 90 days for user accounts and after 30 days for temporary and emergency accounts.
3.8 Establish conditions for group membership.
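The following is an added example (not part of the requirements page or any GC tool) of how an account review could check two of the measurable rules above: the MFA minimums in 2.2 and the inactivity thresholds in 3.7. The Account fields, the account-type labels and the sample directory export are constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

# Requirement 3.7: 90 days for user accounts, 30 days for temporary and
# emergency accounts. Other account types from 3.2 are not covered by 3.7.
INACTIVITY_DAYS = {"user": 90, "temporary": 30, "emergency": 30}


@dataclass
class Account:
    name: str
    kind: str                 # account type label (constructed, see 3.2)
    last_activity: date       # last successful authentication
    privileged: bool = False
    remote_access: bool = False
    assurance_level: int = 1  # Assurance Level Requirement of the systems used
    mfa_enforced: bool = False


def mfa_required(acct: Account) -> bool:
    """Requirement 2.2 minimums: AL3 or higher, privileged users, remote access."""
    return acct.assurance_level >= 3 or acct.privileged or acct.remote_access


def should_disable(acct: Account, today: date) -> bool:
    """Requirement 3.7: inactive for the threshold (or longer) for the type."""
    limit = INACTIVITY_DAYS.get(acct.kind)
    if limit is None:
        return False
    return (today - acct.last_activity).days >= limit


def review(accounts, today: date):
    """Return (account name, finding) pairs suitable for an audit record (5.1)."""
    findings = []
    for a in accounts:
        if should_disable(a, today):
            findings.append((a.name, "inactive: disable (3.7)"))
        if mfa_required(a) and not a.mfa_enforced:
            findings.append((a.name, "MFA required but not enforced (2.2)"))
    return findings


# Constructed sample directory export; not real accounts.
SAMPLE = [
    Account("alice", "user", date(2024, 3, 1), assurance_level=2),
    Account("bob", "temporary", date(2024, 5, 20)),
    Account("carol", "user", date(2024, 6, 1), privileged=True),
    Account("dave", "user", date(2024, 6, 25), remote_access=True, mfa_enforced=True),
    Account("svc-backup", "system", date(2023, 1, 1)),
]

if __name__ == "__main__":
    for name, issue in review(SAMPLE, date(2024, 6, 30)):
        print(f"{name}: {issue}")
```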
4. Privileged account management
4.1 Establish and administer privileged user accounts, in accordance with subsection B.2.3.2 of the Directive on Security Management, Appendix B: Mandatory Procedures on IT Security Controls, using a role-based access scheme that organizes allowed information system access and privileges into roles; monitor privileged role assignments and remove them when no longer required. Privileged accounts are considered to be those that have one or more of the following abilities or accesses:
- 4.1.1 The ability to change key system configuration settings;
- 4.1.2 The ability to change or circumvent security controls;
- 4.1.3 Access to audit and security monitoring information;
- 4.1.4 Access to data, files and accounts used by other users, including backups and media; and
- 4.1.5 Access to troubleshoot a system.
5. Systems monitoring
5.1 Create audit records for actions against accounts, groups and allocation of privileges.
5.2 Perform audits for compliance with account management requirements at least monthly.