This Control applies to all Texas A&M information resources. The intended audience for this Control includes all owners and custodians of information resources.

Information resources shall be configured to uniquely identify and authenticate all users of university information resources (See Control AC-2, Account Management).

• 1.1

  Users must be uniquely identified and authenticated before the information resource may grant that user access.

• 1.2

  Unique identification of individuals in group accounts (e.g. shared privilege accounts) may need to be considered for additional accountability of activity.

Multi-factor authentication should be implemented based on documented risk management decisions for access to privileged or non-privileged accounts where one of the factors is provided by an asset separate from the information being accessed.

Multi-factor authentication is required for any information resource that stores or processes Confidential or Critical data.