AC-1: Access Control – Policy and Procedures

NIST Baseline:  Low 

Privacy Baseline:  Yes 

DIR Required By:  07/20/2023 

Review Date: 04/17/2024 


Purpose – 

The Access Control Policy and associated controls describe the requirements for providing access to Tarleton State University (Tarleton) information resources. Requirements are defined for managing accounts and implementing access controls, separation of duties, and least privilege.  


Scope and Roles –  

This policy applies to information resources owned or managed by Tarleton. The intended audience includes the Tarleton Chief Information Officer (CIO), Deputy CIO, Chief Information Security Officer (CISO), and Information Resource Owners and Custodians.  


Compliance – 

The Access Control Policy and associated controls are implemented to ensure compliance with the Texas Department of Information Resources (DIR) Security Control Standards Catalog as required by Title 1 Texas Administrative Code §202.76 and Texas A&M University System Regulation 29.01.03, Information Security.


Implementation –  

  1. Information resource owners and/or their designees are responsible for ensuring that access controls are implemented for the information resources under their control.
  2. In accordance with Control AC-2, Account Management, account access processes should be documented in procedures for managing access to information resources, administering user accounts and privileges, and monitoring user access to information resources.
  3. The CISO or their designee is responsible for helping ensure that this policy and supporting procedures are periodically reviewed and updated, as needed.

References/Additional Resources

1 TAC §202.24 (a)(2)  

1 TAC §202.74 (a)(2)