External Privileged Account Policy
Policy Purpose
This policy defines the procedure for provisioning accounts for external vendors who require privileged access to University resources.
Policy Statement
It shall be the policy of the University of Arkansas-Fort Smith to securely provision accounts for external vendors when necessary to access University resources.
Applicability
This policy applies to all third-party vendors who have accounts that the University has created, manages, and owns which.
Definitions
External / Third Party Vendor – A vendor that is external to the University and provides services directly to the University system.
Policy Procedure
1. Creation of account in Active Directory – Create account in Active Directory and Azure sync.
2. Setting password expiration – Determine password expiration requirements. If necessary, disable password expiration. Account should be set to deactivate after 90 days except under special circumstances with Director approval.
3. Assign account owner – Assign a responsible entity for maintaining the password and renewing before expiration.
4. Creation of Conditional Access Policy (if applicable) – Create a conditional access policy to provide the least privileges needed for functional operations to the account.
Enforcement
IT shall be responsible for enforcing the external privileged accounts policy and its procedures.
Policy Management
This policy is managed by the IT department. The IT Director and appointed IT personnel are the primary administrators of this policy. The responsible executive is the VCFA.
Exclusions
This policy does not apply to accounts not created, managed, and owned by the University.
Effective and Approved Date
This internal policy was approved by Terry Meadows – Director of IT/CIO on 09/07/2023.
Last Updated
This policy was last updated by Terry Meadows – Director of IT/CIO on 6/17/2025.