Account Management Configuration Requirements

On this page


1. Life-cycle management

1.1 Manage user accounts using a life-cycle approach. Such an approach includes establishing the approval, notification, monitoring, operational requirements and operational procedures related to the creation, activation, modification, periodic review, disabling and deletion of accounts.

2. Authentication hardening

2.1 Authenticate users before they are granted access to a system and its resources, leveraging approved GC authentication services, in accordance with the Directive on Identity Management and associated guidelines such as Guidance on Cloud Authentication for the Government of Canada. Exceptions are to be assessed through the GC Enterprise Architecture Review Board.

2.2 Implement strong authentication mechanisms such as multi-factor authentication (MFA) for all accounts that have privileged or enhanced access, in accordance with Canadian Centre for Cybersecurity guidance in ITPS.30.031 v3, User Authentication Guidance for Information Technology Systems. Additional information regarding the GC enterprise approach with respect to MFA is provided in Multi-factor Authentication Considerations and Strategy for GC Enterprise IT Services. At a minimum, MFA is used to authenticate:

2.3 Where passwords are used, implement a password policy in accordance with the GC Password Guidance.

2.4 Systems are configured with a session or screen lock.

2.5 Systems have an approved log-on banner that requires users to acknowledge and accept their security responsibilities before access is granted.

3. Account management

3.1 Establish criteria to grant access to information systems based on:

3.2 Identify account types (for example, privileged, individual, group, system, application, guest/anonymous and temporary).

3.3 Associate each account with a single (digital) identity (person or non-person).

3.4 Carefully control and manage privileges assigned to users and administrators. Provide a reasonable (but minimal) level of system privileges and rights needed for their role.

3.5 Identify authorized users of information systems and specification of access privileges.

3.6 Ensure that access is revoked, or modified accordingly, when individuals no longer need access or should no longer have access.

3.7 Disable inactive accounts after 90 days for user accounts and after 30 days for temporary and emergency accounts.

3.8 Establish conditions for group membership.

4. Privileged account management

4.1 Establish and administer privileged user accounts, in accordance with subsection B.2.3.2 of the Directive on Security Management, Appendix B: Mandatory Procedures on IT Security Controls with a role-based access schemeFootnote 1 that organizes allowed information system access and privileges into roles, monitoring privileged role assignment, and removing privileged role assignments when no longer required. Privileged accounts are considered to be those that have one or more of the following abilities or accesses:

5. Systems monitoring

5.1 Create audit records for actions against accounts, groups and allocation of privileges.

5.2 Perform audits for compliance with account management requirements at a frequency no longer than monthly.

Page details

Date modified: