Tags: Shared Accounts, Shared Devices, Data Protection, Authentication, FERPA, GLBA, NIST
Status: Final Draft
Last Revision Date: April 29, 2025
Statement of Purpose
The use of shared accounts and shared devices creates opportunities for misuse of Electronic Information Resources. Some of Clackamas Community College’s missions are supported using shared accounts and/or devices. To mitigate the increased risk associated with these resources, strict requirements and controls are necessary to enforce user accountability, safeguard sensitive data, and comply with applicable legal and regulatory standards.
Policy Summary
Shared computers can expose sensitive data belonging to the users of these systems. In order to protect these users, controls shall be implemented to ensure that data cannot persist beyond the user’s session. End-users shall be required to acknowledge understanding of these procedures through onboarding or policy agreements.
Shared accounts can prevent the attribution of activities to a specific individual. Using a password repository to log access to a stored credential mitigates some of this risk. Furthermore, when an employee departs, changing any shared passwords this individual had access to prevents continued access.
This policy aligns with requirements defined by FERPA, GLBA, and industry standards including NIST 800-53 and ISO/IEC 27001. It supersedes any prior guidelines on shared access and device controls.
Policy
Computer Labs and Kiosks
Electronic Information Resources located in computer labs and other publicly accessible areas of Clackamas Community College campuses are intended to serve multiple populations on a first-come, first-serve basis. These Electronic Information Resources may be used to access sensitive and/or private data. To protect the privacy of this data:
- a. Controls shall be implemented to prevent data persistence beyond the current user session.
- b. Where individual logins are permitted on a system, controls must be present to remove the user’s profile from the device.
- c. Users shall be informed of the actions necessary to invoke data removal operations and shall be directed to complete those actions when finished with their use of the Electronic Information Resource.
- d. Users must acknowledge their understanding of secure use procedures during onboarding, training, or via posted usage policies.
- e. Appropriate physical access controls shall be implemented as specified in Policy 113 - Physical Access.
Shared Accounts
The use of shared accounts should be avoided whenever possible; however, certain operational scenarios, such as break-glass emergency access, may necessitate their use.
-
Shared account credentials shall be stored using a repository that:
a. Is encrypted using industry-standard encryption methods
b. Is accessible only to authorized users
c. Logs the credential accessed, the account used to access the credential, and the date and time of credential access
d. Supports Multi-Factor Authentication (MFA) for access to shared credentials, where technically feasible
-
The password, PIN, or similar authentication mechanism for a shared account shall be changed when any Clackamas Community College staff member with prior access has their access revoked for any reason.
-
Access to shared credentials must be role-based and limited to individuals with a documented business need. Data Owners or System Owners must approve access assignments and removals.
-
Shared account use shall be reviewed at least annually to verify continued necessity and proper configuration.
-
Shared and break-glass accounts must implement MFA where technically feasible. Refer to Policy 102c – Multi-Factor Authentication (MFA) for detailed requirements, approved MFA methods, and special considerations for emergency account access.
Exemptions
None.
Exceptions
Exceptions to this policy must be pre-approved in writing by the Chief Information Officer (CIO). Exception requests must include: