
Shared Account Policy

Document ID: SAP-001
Version: 1.0
Effective Date: ____________________
Approved By: ____________________
Last Review Date: ____________________
Next Review Date: ____________________


1. Purpose

The purpose of this Shared Account Policy is to establish requirements for the creation, use, management, and monitoring of shared accounts. The organization seeks to minimize the use of shared accounts whenever possible because they reduce accountability, increase security risk, and complicate auditing and incident investigations.

Where shared accounts are necessary due to technical or operational constraints, they shall be subject to enhanced security controls and oversight.


2. Scope

This policy applies to:

  • Employees
  • Contractors
  • Consultants
  • Temporary workers
  • Interns
  • Vendors
  • Third-party service providers
  • Managed Service Providers (MSPs)

This policy also applies to the following systems and account types:

  • Operating systems
  • Business applications
  • Cloud platforms
  • Databases
  • Network devices
  • Service accounts
  • Kiosk systems
  • Shared workstations
  • Point-of-sale systems
  • Manufacturing systems
  • Laboratory systems
  • Administrative systems

3. Policy Statement

Each individual shall be assigned a unique user account whenever technically feasible.

Shared accounts shall be prohibited unless a documented business or technical requirement exists that cannot reasonably be met through individual user accounts or delegated access.

When shared accounts are permitted, they shall be managed using enhanced security controls to maintain accountability and reduce risk.


4. Guiding Principles

The organization follows these principles:

  • Individual accountability
  • Least Privilege
  • Need-to-Know
  • Default Deny
  • Separation of Duties
  • Strong authentication
  • Continuous monitoring
  • Auditability

5. Individual User Accounts

Every employee, contractor, consultant, and authorized user shall receive an individual account whenever technically feasible.

Individual accounts shall be used for:

  • Email
  • Business applications
  • Cloud services
  • VPN access
  • Administrative functions
  • File access
  • Collaboration platforms
  • Remote access

Shared credentials shall not replace individual identities.


6. Permitted Use of Shared Accounts

Shared accounts may be approved only when:

  • The system does not support individual user accounts.
  • Operational requirements necessitate shared access.
  • A legacy application cannot support modern identity management.
  • A kiosk or public terminal requires a common login.
  • A manufacturing or operational technology system requires shared access.
  • Temporary emergency access is necessary.
  • A documented business justification has been approved.

Convenience alone is not an acceptable justification.


7. Approval Requirements

Before a shared account is created:

  • Business justification shall be documented.
  • Management approval shall be obtained.
  • System owner approval shall be obtained.
  • Information Security approval shall be obtained where applicable.
  • A designated account owner shall be assigned.

8. Account Ownership

Every shared account shall have an assigned owner responsible for:

  • Maintaining the account
  • Reviewing authorized users
  • Requesting access changes
  • Reporting misuse
  • Initiating account removal when no longer needed
  • Participating in periodic access reviews

Ownership shall not be assigned to a group or department without identifying an accountable individual.


9. Authentication Requirements

Shared accounts shall use strong authentication controls.

Where technically feasible, shared accounts shall:

  • Require Multi-Factor Authentication (MFA)
  • Use strong passwords or passphrases
  • Store credentials securely
  • Avoid hard-coded credentials
  • Rotate passwords after personnel changes or suspected compromise

Passwords shall not be shared through insecure methods such as email, instant messaging, or handwritten notes.


10. Least Privilege

Shared accounts shall receive only the minimum permissions necessary to perform authorized business functions.

Administrative privileges shall not be assigned unless specifically approved and documented.


11. Administrative Shared Accounts

Shared administrative accounts should be avoided whenever technically feasible.

If unavoidable, additional safeguards shall include:

  • Multi-Factor Authentication (MFA)
  • Privileged Access Management (PAM), where available
  • Session logging
  • Administrative activity monitoring
  • Time-limited access where supported
  • Enhanced review procedures

12. Credential Management

Credentials for shared accounts shall:

  • Be protected against unauthorized disclosure
  • Be changed promptly after:
    • Personnel departures
    • Contractor terminations
    • Suspected compromise
    • Unauthorized disclosure
  • Be stored in an approved password management solution where available

Credentials shall not be embedded in scripts or configuration files unless properly protected.


13. Monitoring and Logging

Use of shared accounts shall be logged where technically feasible.

Monitoring may include:

  • Login events
  • Failed authentication attempts
  • Administrative actions
  • Configuration changes
  • Privileged operations
  • File access
  • Remote access
  • Password changes

Additional logging mechanisms should be implemented to help identify the individual using the shared account whenever possible.


14. Access Reviews

Shared accounts shall be reviewed periodically to verify:

  • Continued business necessity
  • Authorized users
  • Assigned permissions
  • Account owner
  • Authentication methods
  • Monitoring controls

Reviews should occur:

  • At least annually
  • Following organizational changes
  • After security incidents
  • During audits

Higher-risk shared accounts may require more frequent reviews.


15. Account Deactivation

Shared accounts shall be disabled or removed when:

  • No longer required
  • The associated system is retired
  • Operational requirements change
  • A replacement solution supports individual accounts
  • Security risks outweigh business benefits

16. Prohibited Activities

The following are prohibited unless specifically authorized:

  • Using shared accounts for routine administrative work when individual accounts are available
  • Sharing individual user credentials
  • Creating undocumented shared accounts
  • Circumventing identity management controls
  • Using default vendor accounts without proper security controls
  • Allowing unauthorized individuals to use shared accounts

17. Exception Management

Exceptions require:

  • Documented business justification
  • Risk assessment
  • Management approval
  • Information Security approval where applicable
  • Compensating security controls
  • Defined review and expiration dates

Approved exceptions shall be reviewed periodically.


18. Responsibilities

Executive Management

  • Support accountability and secure identity management
  • Approve governance requirements
  • Allocate appropriate resources

Managers

  • Approve business justification for shared accounts
  • Review continued business need
  • Participate in periodic access reviews

System Owners

  • Approve shared account creation
  • Assign account owners
  • Review permissions
  • Ensure compliance with this policy

IT Department

  • Create and manage approved shared accounts
  • Implement authentication controls
  • Maintain logging
  • Remove unnecessary shared accounts
  • Rotate credentials as required

Information Security

  • Assess risks associated with shared accounts
  • Review exceptions
  • Monitor high-risk shared accounts
  • Investigate misuse
  • Assess compliance

Users

  • Use shared accounts only for authorized purposes
  • Protect shared credentials
  • Report suspected compromise immediately
  • Comply with this policy

19. Compliance

Compliance with this policy is mandatory.

Violations may result in:

  • Removal of access
  • Account suspension
  • Disciplinary action
  • Contract termination
  • Legal action where applicable

20. Policy Review

This policy shall be reviewed at least annually or following:

  • Technology changes
  • Regulatory updates
  • Security incidents
  • Organizational restructuring
  • Audit findings

21. Related Policies

  • Information Security Policy
  • Access Control Policy
  • Identity and Authentication Policy
  • Least Privilege Policy
  • Privileged Access Management (PAM) Policy
  • Password Policy
  • Multi-Factor Authentication (MFA) Policy
  • Logging and Monitoring Policy
  • Acceptable Use Policy
  • Incident Response Policy
  • Joiner, Mover, Leaver (JML) Policy

Document Objective

This policy establishes the organization’s requirements for minimizing the use of shared accounts and ensuring that any approved shared accounts are managed with appropriate security controls, accountability, and oversight. It promotes individual accountability while recognizing that certain legacy, operational, or technical environments may require shared accounts. This vendor-neutral policy aligns with widely recognized security frameworks, including NIST CSF, ISO/IEC 27001, CIS Controls, SOC 2, HIPAA, PCI DSS, CMMC, and the FTC Safeguards Rule.