Shared Accounts

Beginning Monday, June 24, 2024, Shared Accounts that are accessed with a password will be subject to the OU Password Policy. The policy requires a password change every 30 days. Additionally, to enhance security and improve auditing capability, password changes will require the use of PingID.

Article Intended For

All university users (OU/OUHSC) who access Shared Accounts with a password. For information about accessing a Shared Mailbox or Shared Room/Calendar resource, please visit Organization/Shared Accounts: Setting up a Shared Mailbox.

Overview

A Shared Account with a password is an enterprise system account that is accessed independently of an individual's personal account and allows multiple users to share the same identity. Extra care must be taken to secure Shared Accounts because of the significant risks to systems, applications, and services that could result from misuse, creating or exposing vulnerabilities, and/or facilitating unauthorized access.

The use of Shared Accounts is discouraged because it lacks accountability, and it is prohibited for users accessing Category A, Category B, Category C, and Category D1 information (Prohibited Data: Healthcare, Payment Card, Student, Confidential Research Data).

Shared Account Usage

Examples of standard Shared Account usage include:

  • Management of university web pages.
  • Generic shared login for non-OU IT provided departmental software (e.g., SurveyMonkey, Trello, or AirTable).
  • *Access to Shared Mailboxes/Calendars/Room resources (e.g., something@ou/ouhsc.edu).

*Shared Mailboxes/Calendars are configured using security groups and do not require password changes as group members access the resources using their individual credentials. See Organization/Shared Accounts: Setting up a Shared Mailbox for more information.

Examples of licenses/access that are not included for Shared Accounts include, but are not limited to:

  • Microsoft licensing (e.g., Word, Excel, OneDrive) via desktop application or M365 online.
  • Access to additional 3rd party services provided by OU IT (e.g., DropBox, Zoom, Qualtrics, MyMedia, or Adobe).

Account Sponsor Expectations and Responsibilities

Shared Accounts must have a designated sponsor and co-sponsor. These sponsors are expected to:

  • Only grant access to the shared account to those with a job-related need.
  • Avoid saving passwords in scripts and configuration files that can be read by non-authorized individuals.
  • Develop internal processes to facilitate the changing of shared account passwords when:
    • Anyone with knowledge of the password leaves the unit.
    • Anyone with knowledge of the password changes responsibilities and no longer requires access to the account.
    • The password is required to change due to the 30-day policy.

Shared Account sponsors are required to:

  • Ensure Shared Accounts do not access prohibited data.
  • Audit and attest, on a semi-annual basis, that the Shared Account is not accessing prohibited data. These audits and attestations will be shared with the Chief Information Security Officer (CISO) and Board of Regents.
  • Notify OU IT to disable the account when it is no longer in use.

Details

Article ID: 3194
Created: Fri 3/15/24 10:36 AM
Modified: Tue 3/26/24 9:39 PM