Access Control Policy and Procedures (AC-1)

Access controls are the rules for establishing user identity, administering user accounts, and initiating and monitoring access to information resources.

Account Management (AC-2)

Access to Texas A&M University information resources is commonly controlled by a logon ID associated with an authorized account. Proper administration of these access controls (e.g. NetIDs or logon IDs and passwords) is important to ensure the integrity of University information and the normal business operation of University-managed and administered information resources.

Access Enforcement (AC-3)

Access policies and management ensure enforcement of approved authorizations for logical access to information technology resources. Access to Texas A&M University information resources is commonly controlled by a logon ID associated with an authorized account. Proper administration of these access controls (e.g. NetIDs or logon IDs and passwords) is important to ensure the security of confidential information and the normal business operation of University-managed and administered information resources.

Separation of Duties (AC-5)

This Control addresses how information resource owners and custodians shall ensure that the principle of Separation of Duties is implemented to prevent errors and/or fraud. It also provides procedures for appropriately managing the creation, use, monitoring, control and removal of accounts with special access privileges based on the duties of staff. Separation of Duties is achieved by disseminating the tasks and associated privileges for a specific security process among multiple users and chains of command. This ensures that no single individual or organization is in a position to both perpetrate and conceal irregularities resulting in unauthorized or unintentional modification or misuse of the university's information resources. Technical support staff may have special access account privilege requirements in comparison with typical users.

Least Privilege (AC-6)

The university employs the principle of least privilege, allowing only those authorized accesses for users (or processes acting on behalf of users) that are necessary to accomplish assigned tasks in accordance with university missions and business functions.

Unsuccessful Logon Attempts (AC-7)

Access to Texas A&M University information resources is commonly controlled by a logon ID and password associated with an authorized account. Proper administration of these access controls includes ensuring the integrity of University information and the normal business operation of University-managed and administered information resources.

System Use Notification (AC-8)

Before granting access to Texas A&M University information systems, users are shown a notification at login and acknowledge the usage conditions defined by the University.

Session Lock (AC-11)

The university employs session lock to ensure user sessions are locked after a period of user inactivity.

Permitted Actions without Identification or Authentication (AC-14)

The university identifies, documents, and provides supporting rationale in the security plan for any actions that may be performed on an information resource without identification or authentication.

Remote Access (AC-17)

Remote access to University information resources should be authorized with established and documented usage restrictions, configuration/connection requirements, and implementation guidance for each type of remote access allowed.

Wireless Access (AC-18)

A wireless computer network is intended to span a relatively small, limited area using one or more of the following technologies to access the information resources systems:

• Wireless Local Area Networks (based on the IEEE 802.11 family of standards);
• Wireless Personal Area Networks (based on the Bluetooth and/or Infrared (IR) technologies); and/or,
• Wireless Handheld Devices, which include text-messaging devices, personal digital assistants (PDAs) and smartphones.

Access Control for Mobile Devices (AC-19)

The portability of mobile devices has the potential to affect the security exposure of the information contained on or processed by the devices.

Uses of External Information Systems (AC-20)

Units within the university shall implement terms and conditions, consistent with any trust relationships established with other organizations owning, operating, and/or maintaining external information resources, allowing authorized individuals to:

a. Access the information system from external information systems; and
b. Process, store, or transmit university information using external information resources.

Publicly Accessible Content (AC-22)

Units within the university shall develop policies governing the procedures to post information on publicly accessible information resources to ensure only authorized university personnel have access to publicly post content.