Description

Access to Texas A&M University information resources is commonly controlled by a logon ID associated with an authorized account. Proper administration of these access controls (e.g. NetIDs or logon IDs and passwords) is important to ensure the integrity of University information and the normal business operation of University-managed and administered information resources.

Applicability

  • The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.

  • The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.

Implementation

  1. An approval process is required prior to granting access authorization for an information resource. The approval process shall document the acknowledgement of the account holder to follow all terms of use (Information Resource related Rules, SAPs and Texas A&M Information Security Controls) and the granting of authorization by the resource owner or their designee.

  2. Each person is to have a unique logon ID and associated account for accountability purposes. Role accounts (e.g., guest or visitor) are to be used in very limited situations, and must provide individual accountability.

  3. Access authorization controls are to be modified appropriately as an account holder’s employment or job responsibilities change.

  4. Account creation processes are required to ensure only authorized individuals receive access to information resources.

     4.1 Individuals shall only have the ability to access those transactions and functions for which they are authorized.

  5. Processes are required to disable logon IDs that are associated with individuals who are no longer employed by, or associated with, the University. In the event that the access privilege is to remain active, the department (e.g., owner, department head) shall document that a benefit to the University exists.

  6. All new logon IDs that have not been accessed within a reasonable period of time (as established by risk management decisions) from the date of creation will be disabled.

  7. All logon IDs that have not been used/accessed within a period of six months shall be disabled. Exceptions can be made where there is an established unit procedure. These actions shall be reviewed and approved by the unit head. Documentation of exceptions shall be maintained by the information resource owner or designee.

  8. Passwords associated with logon IDs shall comply with all Identification and Authentication security controls.

  9. Information custodians or other designated staff:

     9.1 Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to TAMU information resources.

     9.2 Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.

     9.3 Shall periodically review existing accounts for account management compliance.