UM Account Security Standard

Issued Under Authority of: UM Information Security Policy
Responsible Office: UM Information Security Office
Category: Identity and User Security

IN PLAIN LANGUAGE

Your University account is the key to University systems and data, so protecting it is essential. This standard sets the rules for how accounts are created, maintained, and closed, and requires strong passphrases — at least 13 characters for regular accounts and 20 for administrative ones — along with multi-factor authentication (MFA) wherever possible. Accounts with elevated privileges must be used carefully and only for their intended purpose. If you think your account has been compromised, report it immediately. These requirements apply to everyone who accesses University systems, including students, staff, contractors, and third parties.


1. Purpose

The purpose of this Standard is to establish minimum requirements for securing user, service, and privileged accounts that provide access to University of Montana information systems and digital University Data. Strong account security reduces the risk of unauthorized access, data compromise, and misuse of University resources.

This Standard implements identity and access protection requirements established by the UM Information Security Policy and aligns with the National Institute of Standards and Technology (NIST) Digital Identity Guidelines.


2. Scope

This Standard applies to:

  • All accounts used to access University information systems or digital University Data
  • User, service, and privileged accounts
  • Accounts managed centrally or locally by UM IT, UM System IT, or Distributed IT
  • Accounts used by employees, students, affiliates, contractors, and third parties acting on behalf of the University

This Standard applies across all University of Montana System campuses and environments, including on-premises, cloud-hosted, and third-party systems.


3. Account Types

For purposes of this Standard:

Standard Account — An account used by an individual for routine access to systems and services.

Privileged Account — An account with elevated permissions used for administrative or management functions.

Service Account — An account used by applications or services to interact with systems or resources.

Account types must be clearly distinguished and managed according to risk.


4. Roles and Responsibilities

4.1 Chief Information Security Officer (CISO)

The CISO is responsible for:

  • Establishing and maintaining this Standard
  • Approving exceptions to account security requirements
  • Escalating material account-related risks to executive leadership

4.2 Information Technology Organizations

UM IT, UM System IT, and Distributed IT are responsible for:

  • Implementing and enforcing account security controls
  • Managing account provisioning, modification, and de-provisioning processes
  • Maintaining inventories of privileged and service accounts

4.3 System and Application Owners

System and Application Owners are responsible for:

  • Ensuring accounts associated with their systems comply with this Standard
  • Approving access and privilege levels based on business need

4.4 All Users

All users are responsible for:

  • Protecting their account credentials
  • Complying with passphrase and MFA requirements
  • Reporting suspected account compromise or misuse

5. Account Provisioning and Lifecycle

  • Accounts must be provisioned through approved processes
  • Accounts must be associated with a valid individual, role, or service
  • Access must be reviewed periodically and adjusted or removed when no longer required
  • Accounts must be de-provisioned promptly upon role change, separation, or expiration

6. Passphrase Requirements

6.1 General Principles

  • Passphrases must be unique and not reused across systems
  • Passphrases must not contain personally identifiable information or easily guessable terms
  • Passphrases must be changed when compromise is suspected or confirmed

6.2 Minimum Length

Standard Accounts — Minimum of 13 characters.

Privileged and Service Accounts — Minimum of 20 characters. Passphrases must be changed at least annually or more frequently based on risk.


7. Multi-Factor Authentication (MFA)

  • MFA is required for access to University systems where technically feasible
  • MFA is mandatory for administrative and privileged access
  • Less secure MFA methods (e.g., SMS) should not be used for privileged or service accounts

8. Privileged and Service Account Management

  • Privileged and service accounts must be used only for their intended purpose
  • Routine activities must not be performed using privileged accounts
  • Ownership and purpose of privileged and service accounts must be documented
  • Where available, approved Privileged Account Management (PAM) solutions must be used

9. Monitoring and Review

  • Account activity must be logged in accordance with the Audit Log Management Standard
  • Accounts must be reviewed periodically to ensure continued necessity and appropriate privilege
  • Weak or compromised credentials may be reset or disabled by the Information Security Office

10. Exceptions

Exceptions to this Standard must:

  • Be documented with risk justification
  • Identify compensating controls where applicable
  • Be approved by the CISO or designee
  • Be reviewed periodically

11. Enforcement

Failure to comply with this Standard may result in:

  • Account restriction or suspension
  • Corrective action consistent with University policy
  • Additional monitoring or security controls

12. Review and Maintenance

This Standard must be reviewed at least annually and updated as necessary to reflect changes in risk, technology, or regulatory requirements.


13. References

  • UM Information Security Policy
  • UM User Security Awareness & Responsibilities Standard
  • UM Identity Verification & Proofing Standard
  • UM Audit Log Management Standard
  • UM Incident Response Standard
  • NIST SP 800-63B, Digital Identity Guidelines