( QUESTION NO 3 )

Account Management Policy for the Military College of Signals (MCS),

NUST. It includes detailed processes, examples, and additional sections to
provide a comprehensive framework
Introduction:
This policy establishes guidelines and procedures for creating,
managing, monitoring, and terminating user accounts within the Military
College of Signals' information systems. The goal is to ensure proper
authorization, accountability, and security for all account-related activities while
aligning with NIST SP 800-53 standards.
By enforcing strong account management practices, this policy seeks to:
i) Protect institutional data from unauthorized access or misuse.
ii) Enable operational efficiency by clearly defining roles and
responsibilities.
iii) Support compliance with national regulations and international
standards for cybersecurity.
2. Scope
This policy applies to:
1. All employees (faculty and staff), students, contractors, and external partners
who use MCS systems.
2. All accounts that provide access to MCS information resources, including:
- Email accounts.
- Administrative system accounts.
- Learning management system (LMS) accounts.
- Remote access or virtual private network (VPN) accounts.
- Specialized systems for research or classified information.

3. Policy Statements:

3.1. Account Types and Definitions

1. Privileged Accounts:*
- Examples: System administrators, database administrators, IT support.
 - Purpose: Manage and configure institutional systems and networks.
- Requirements: Must be assigned to personnel with advanced training and
authorization.

2. Standard User Accounts:

- Examples: Students, faculty, non-technical staff.
- Purpose: Access regular institutional resources, including email, LMS, and
library systems.
- Restrictions: No administrative privileges or direct system access.
3. Guest Accounts:
- Examples: Visiting lecturers, event participants, temporary staff.
- Purpose: Short-term access with limited permissions.
- Expiry: Automatically disabled after a pre-approved duration.

4. Service Accounts:
- Examples: Accounts for applications or scripts.
- Purpose: Facilitate automated tasks like database backups or application
integration.
- Restrictions: Non-interactive and monitored for anomalous behavior.

3.2. Account Creation and Approval Process:

1. Request Submission:
- Account requests must be submitted via the official IT support portal or
form.
- Requests must include the requester’s name, role, department, and
justification for access.
2. Verification:
- The IT department will verify the identity of the requester through
institutional records or direct communication.

3. Approval:
 - The department head must approve all account creation requests.
- Privileged account requests require approval from the Information Security
Officer (ISO).

4. Implementation:
Once approved, the IT team will create the account and assign access
permissions based on the requester’s role.
A unique user ID and temporary password will be issued, requiring the user to
reset the password upon first login.

3.3. Authentication Requirements

1. Multi-Factor Authentication (MFA):
- Required for all administrative and remote access accounts.
- Methods: Combination of passwords, biometrics (e.g., fingerprint), or time-
based one-time passwords (TOTP).
2. Password Policy:
- Minimum Length: 12 characters.
- Complexity: Include upper and lower-case letters, numbers, and symbols.
- Expiration: Changed every 90 days.
- Storage: Passwords must be encrypted using NIST-approved hashing
algorithms.
3. Account Lockout:
- Accounts will be locked after 5 failed login attempts and require
administrative intervention for reactivation.
3.4. Account Access and Permissions
1. Access Control:
- Permissions will follow the principles of least privilege and need-to-know to
minimize security risks.
- Example: A student should only access their own academic records, not
others’.
2. Periodic Reviews:
 - Supervisors and the IT department will review user access permissions every
6 months to ensure alignment with job responsibilities.
Inappropriate or unnecessary access will be revoked immediately.
3.5. Monitoring and Auditing:
1. Activity Logging:
- All login attempts, file accesses, and administrative actions must be logged.
- Logs will include details such as user ID, timestamp, IP address, and activity
performed.

2. Regular Audits:
- The Information Security Team will conduct audits quarterly to detect
unauthorized access, dormant accounts, and policy violations.

3. Incident Response:
- Any suspicious or unauthorized activity must be escalated to the Information
Security Incident Response Team (ISIRT) within 24 hours.

3.6. Account Deactivation and Termination

1. User Departure:
- For employees: Accounts must be disabled within 24 hours of employment
termination.
- For students: Accounts will be disabled upon graduation or withdrawal from
MCS.

2. Dormant Accounts:
- Accounts inactive for 90 days will be flagged for review.
- If no justification is provided, they will be disabled.

3. Guest Accounts:
- Automatically expire after the pre-approved duration. Extensions require
new approvals.
4. Roles and Responsibilities
1. System Administrators:
- Manage account lifecycles and implement access controls.

2. Department Heads:
- Authorize account creation and review access requests.

3. Users:
- Protect account credentials and report suspicious activity.

4. Information Security Team:

- Monitor logs, conduct audits, and respond to incidents.

5. Human Resources:
- Notify the IT team of employee departures promptly to ensure timely
account termination.

5. Compliance and Penalties

1. Compliance:
- Adherence to this policy is mandatory for all users. Violations will result in
disciplinary action as per institutional regulations.

2. Penalties:
- Unauthorized access or misuse of accounts may lead to:
- Account suspension.
- Academic penalties for students.
- Termination of employment for staff.
 - Legal action under applicable laws.

6. Review and Updates:

1. This policy will be reviewed annually by the IT Governance Committee or
when significant changes occur in institutional operations or NIST guidelines.
2. Feedback from audits and incidents will be incorporated into policy revisions.