AC-2(3): Access Control – Disable Accounts

NIST Baseline: Moderate

Tarleton disables accounts after 180 days for all accounts, except for student accounts, under the following circumstances:
- The account has expired;
- The account is no longer associated with the user or group;
- The account is in violation of Tarleton State University policy; and/or
- The account has been inactive for 180 days (in both on-prem and/or Azure).
Under special circumstances, exceptions can be made to the above, but must be reviewed and approved by applicable management and/or the Chief Information Security Officer (CISO). Documentation of exceptions shall be maintained by the information resource owner or designee.

See applicable internal procedures for disabling accounts.