
IMP 03: User Account Management Policy

Information Classification - Public

Policy Introduction and Purpose

The User Account Management Policy sets out the requirements for the effective management of user accounts, privileged user accounts and access rights.

For the purpose of this policy, 'user account' refers to the set of credentials provided to all Warwick members used to grant access to digital services, information resources, and manage access to University facilities.

These user accounts function as a form of identity for each and every member of the University in the digital environment.

The management of, and compliance with, this policy is essential in order to ensure that access to the University’s information and information systems is secure and restricted to authorised users.

Scope and Definitions

The policy covers everyone who has a contractual (formal or informal/implied) relationship with the University, including employees, students, visiting academics, and consultants. Please note that this list is not exhaustive.

For the purposes of this Policy, we will refer to everyone covered as "members".

The policy covers all information processed by the University, regardless of ownership or format.

All users, their user account and all information systems used to conduct University business, or which are connected to the University network, must be managed in accordance with this policy.

Responsibilities

The Chief Information & Transformation Officer (CITO) retains overall accountability for this Policy. The Chief Information Security Officer (CISO) has delegated authority for ensuring the Policy meets legal and regulatory requirements; for keeping this Policy up to date; and for ensuring that controls, checks and audits are carried out as part of compliance with this Policy.

Operational Responsibilities

Role: Designate of Head of Department (e.g. academic lead on research, individuals with delegated authority for information, system administrators)
Function: Responsible – for overseeing compliance with the Policy within areas of responsibility

Role: Head of Department
Function: Accountable – for compliance with this policy within Departments

Role: Information Risk and Compliance Team (with escalation to CISO and CITO required)
Function: Consult – to discuss organisational level compliance with the Policy

Role: IDG Digital Business Partners
Function: Inform – must be informed of the content of the Policy to communicate it to their departments

User Account Eligibility

Each type of account will have access rights and functionality set according to the level of access to information resources needed by the account holder to carry out their role.

User accounts will only be provided for:
  • Current University of Warwick members
  • Emeritus members and those who have otherwise been granted honorary or associate status (associates will include staff from other organisations which provide services to the University who may require access to the University’s information systems in order to fulfil their contractual obligations to the University.)
  • Students waiting to graduate
  • Prospective students

The following may be provided accounts on a temporary basis if access to the University network is a requirement for carrying out University work: contractors, other workers or guests of the University.

Authorisation to Manage

The management of user accounts and privileges on the University’s information systems is restricted to suitably trained and authorised members as covered by the IMP04 Information Management and Security Training and Awareness Policy.

Authorisation to manage accounts is granted by the CITO or their designate. Federated IT Departments who operate their own identity management system will be responsible for managing accounts in their area.

Account Management

Accounts will only be issued to those who are eligible for an account and whose identity has been verified.

When an account is created, a unique identifier (usercode) will be assigned to the individual for their sole use.

This usercode must not be assigned to any other person at any time (usercodes will not be recycled).

Where a date can be identified for the end of an individual’s contractual relationship with the University (e.g. end of course, end of temporary contract etc.) an expiry date must be set for their account upon account creation. 

Expiry dates must be set as part of the University leavers’ processes.

On issue of account credentials, users must be informed of the requirement to comply with the University's Information Management policies and must complete all required training as outlined in IMP 04 Information Management and Security Training and Awareness Policy.

Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles, in accordance with the principle of least privilege. This provides a degree of protection should an account become compromised. When setting a user’s access rights, permissions must be set individually for that user rather than copied from another account to avoid the inadvertent granting of additional rights.

Users’ access rights must be adjusted appropriately and in a timely manner to reflect any changes in any user’s circumstances (e.g. when a member of staff changes their role, or a member of staff or student leaves the University). This includes the removal of rights as well as the addition of new rights.

It is the responsibility of the University department sponsoring a guest's (external user's) access to certain defined University systems to ensure that this arrangement is managed appropriately. This includes ensuring that the guest's access is restricted only to the information needed to carry out specific tasks and is time limited.

System owners must regularly review access permissions. The frequency of these reviews will be determined by system owners and based on the severity of risk presented by the system. For high-risk systems, reviews must be as frequent as possible. Reviews must occur at least once a year, and for privileged accounts, at least once a month. Risk levels must be determined according to the IMST 01 Information Classification Standard.

All accounts provided by the University are University owned assets.

Privileged Account Management

Privileged accounts are accounts used for the administration of information systems and are distinct from user accounts. These accounts must only be used by system administrators when undertaking specific tasks which require special privileges. System administrators must use their user account at all other times.

Privileged account provision and permissions must be reviewed on a monthly basis.

Access rights granted to users will be restricted to the minimum required in order for them to fulfil their roles.

The access rights of privileged accounts must be adjusted appropriately and in a timely manner to reflect any changes in a user's circumstances (e.g., when a member of staff changes their role, or leaves the University). Privileged Users must inform the Service Desk immediately of any changes to their circumstances.

Only privileged accounts are permitted to install software applications, and only applications that have been approved for use and are suitably licensed may be installed. Only software approved by the IDG Software Approval process can be installed.

Privileged Users will use their discretion when installing drivers, etc., but must ensure they are obtained from reputable sources.

Service Accounts

Service accounts, which are used for automated processes and application integrations, must be managed with stringent security measures to prevent unauthorised access and misuse.

These accounts must be created only when necessary and must be approved by IDG. Each service account must have a unique identifier and be assigned the minimum privileges required to perform its intended functions.

Passwords for service accounts must be complex, stored securely, and rotated regularly.

Additionally, service accounts must be monitored continuously for unusual activity, and any anomalies must be investigated promptly.

Access reviews for service accounts must be conducted periodically to ensure compliance with security policies and to deactivate any accounts that are no longer needed.

Guest Accounts

All guests to the University requiring a user account must have a sponsor (a University member with responsibility for the guest).

It is the sponsor’s responsibility to ensure the guest only has access to the resources that they need and that access is removed when it is no longer required.

Access for each guest must be reviewed every three months or sooner. If a sponsor is leaving their role, they must ensure that responsibility for the guest has been transferred to another University member and that this transfer has been communicated.

Variable and temporary workers

All variable and/or temporary members must have access to University systems revoked at the point of leaving the University regardless of whether future engagement is to be considered.

Access can only be returned at the point these individuals enter a new contractual arrangement with the University.

User Account Lifecycle

The User Account lifecycle refers to the stages a user account goes through from creation to deactivation.

This lifecycle ensures that user access is managed efficiently and securely.

The requirements of this are set out in the User Account Lifecycle Standard (N.B. Standard currently in development).

This Standard is based on the principle of removing user access to resources as soon as it is no longer required.

User accounts will be managed according to an associated lifecycle.

Staff accounts are created upon the confirmation of employment, typically triggered through the relevant HR process.

Other accounts are subject to creation in line with their own lifecycle (e.g. applicants, students, guests etc).

The end of lifecycle process for staff accounts will begin upon termination of employment.

Information exclusively linked to members' accounts will be deleted in line with the User Account Management Standard.

The end of lifecycle process for student accounts will begin upon graduation or upon permanent suspension of studies. Students will retain some access to systems which will gradually be revoked as part of the account closure unless complete access needs to be revoked for security or disciplinary reasons.

All other accounts will be managed according to the principle of providing access to resources for the duration required by the role and no further.

Exceptions

'Exception requests' under this policy must be submitted to the CITO or their designate.

Activities that have received prior approval by the Research Governance and Ethics Committee will be exempt, but the CITO must be notified.

This policy may have an impact on users of assistive technology or assistive software due to their disability. These individual cases will be considered on a case-by-case basis.

Compliance Monitoring

It is everyone's responsibility to report instances of non-compliance with this policy to the Information Risk and Compliance Team. The Information Risk and Compliance Team will use report data, and any other tools made available to it, to monitor compliance with this policy and its associated standards and SOPs. Issues that are deemed to merit escalation or further discussion will be brought to the attention of the Information Security and Data Protection Committee via the CISO. Where non-compliance presents a significant risk, it will be subject to the staff or student disciplinary process.

Version: 1.0
Date Created: June 2025
Date Published: 22 July 2025
Next review: July 2026
Notes/Outcomes: A new policy that replaces IS05 User Account Management Policy and IS05a Privileged User Account Management Policy.
