Account Management | AC-2

Description

  • Each user of MCC-owned information resources must be assigned a uniquely identifiable account.
  • An approval process is required before granting access authorization for an information resource. The approval process must:
    • positively establish the identity of a user and determine the appropriate user role(s) before access is granted; and
    • document the account holder’s acknowledgement that they have read and agree to the Acceptable Use Policy (AUP) and to their responsibilities as a user of ISS information resources.
  • Before an account is enabled:
    • the account holder’s supervisor or sponsor must approve the account by signing the Request for System Access form; and
    • the new user must sign the Request for System Access and Acceptable Use
  • Accounts must be reviewed periodically. Accounts that have not been accessed within a reasonable period (as established by risk management decisions) from the date of creation will be disabled.

Types of Information System Accounts

Information system account types include: MCC employee Users, Sponsored Guest Users, Administrator Users (for Workstation/Server/Domain/Application), Local Administrators, and Service Accounts.

  • MCC Employee Users are budgeted, wage, graduate assistant, student worker, working retiree, retiree emeritus, and other employees.
    • These accounts are requested by Human Resources for a new employee upon hiring. Users must sign the AUP before receiving an account. By signing, the user acknowledges their understanding and agreement to follow all policies and procedures outlined in the AUP, as a user of MCC information resources.
    • These accounts are disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, the Chief Information Technology Officer (CITO), or their designee. See control PS-4.
    • These accounts are disabled after an appropriate duration of inactivity (typically 6 months).
  • Sponsored Guest Users are MCC affiliates, contractors, vendors, visiting scholars, and other users that require workstation access or access to specific information resources.
    • These accounts are requested by an MCC employee authorized to sponsor the user. Accounts are requested by completing the form for third parties.
    • These accounts are provisioned by the Infrastructure Team once the sponsor's program manager/department head has approved them and the form for third parties is signed.
    • These accounts are valid for the expected length of time until project completion and are automatically disabled on the scheduled expiration date. The account sponsor can renew the account by submitting an updated form for third parties.
    • These accounts are disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, the CITO or their designee. See control PS-4.
    • These accounts are disabled after an appropriate duration of inactivity (typically 6 months).
  • Administrator Users are Information Technology staff with a valid business need for privileged access to an information resource such as a workstation, server, or an enterprise application.
    • These accounts are requested by the user, their supervisor, department head, or higher authority.
    • These accounts are approved by the user's program manager/department head and the Chief Information & Technology Officer's designee for the information resource after review of the request's scope and justification.
  • Local Administrator Accounts are non-domain accounts with privileged access to an information resource such as an individual workstation, server, or enterprise application.
    • Local administrator accounts must be approved by the Information Resource Owner and the Chief Information & Technology Officer's designee for the information resource.
    • Local administrator accounts must be documented as a security control exception.
  • Service Accounts are managed domain accounts for the specific purpose of machine-to-machine automated interaction.
    • These accounts are requested by the owner/custodian for the information resource where the account will be implemented and approved by the Chief Information & Technology Officer's designee after review of the request's scope and justification.

Last updated: 5/13/2026
