AC-2: Account Management
NIST Baseline: Low
DIR Required By: 07/20/2023
Review Date: 04/17/2024
- Each person must have a unique logon ID and associated account for accountability purposes.
- These accounts shall be issued and/or sponsored by Tarleton State University (Tarleton) through Tarleton-based account managers (i.e. sponsors that are full-time Tarleton employees), especially for vendor/third-party accounts that require access to Tarleton information resources.
- Each user needing access to Tarleton information resources requiring a Tarleton account (other than student and employee accounts) must complete required training (including Information Security Awareness Training) before receiving their Tarleton account credentials. See Control AT-2, Literacy Training and Awareness, for additional information.
- Tarleton employees must complete Texas A&M University System (TAMUS) required training (including Information Security Awareness Training) within 30 days of hire and any required renewal of such training thereafter in accordance with Control AT-2, Literacy Training and Awareness and TAMUS Regulation 33.05.02, Required Employee Training.
- Individuals are not permitted to use account credentials for which they are not a designated user by the Tarleton Office of Innovative Technology Solutions (OITS); therefore, sharing of passwords is prohibited.
- Any exceptions to the above must be documented and approved by the Chief Information Security Officer (CISO).
- Tarleton utilizes different account types for various use cases. These accounts include employee accounts, student accounts, non-working retiree accounts, emeritus accounts, guest accounts, administrator accounts, service accounts, and local accounts.
  - Employee Accounts – budgeted, wage, graduate assistant, student worker, working retiree, and other employees administratively employed by Tarleton
    - These accounts are typically requested by the following account managers/sponsors: supervisors, human resources, the Provost’s Office and/or another hiring authority, as applicable.
    - These accounts are disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, the CISO, or another designee.
    - These accounts are disabled due to inactivity typically after 180 days and then deleted after they have been disabled for 90 days under normal circumstances.
  - Student Accounts – students receive access to their student account upon being admitted to the university.
    - Once registered, students retain account access each semester that they are enrolled. If a student is not considered “active” in Banner by the 25th class day of each long semester, their account is deleted on the 32nd class day.
    - Students can request to retain their student account for longer than the above-mentioned time frame under special, pre-approved circumstances.
  - Non-working Retiree Accounts – past employees of Tarleton who are no longer employed but have requested an account for post-retirement access to a Tarleton-provided email.
  - Emeritus Accounts – past employees of Tarleton who are no longer employed but have been granted emeritus status by the Texas A&M University System (TAMUS). These accounts will remain until OITS is instructed to remove them.
  - Vendor Accounts – Tarleton and TAMUS affiliates, contractors, vendors, visiting scholars, and other users that require workstation or information resource access; these types of accounts must be sponsored by a full-time Tarleton employee.
    - Vendor accounts are requested by a Tarleton employee who sponsors the third-party/contractor. These requests are evaluated by the Tarleton OITS Security Team. The vendor must complete Information Security Awareness (ISA) training before receiving access to their vendor account.
    - The sponsor must provide the timeline needed for the vendor account; the account will be set to disable automatically once that period ends. The period may be no longer than one year.
    - These accounts are disabled due to inactivity typically after 180 days and then deleted after they have been disabled for 90 days under normal circumstances.
  - Administrator Accounts – These accounts are used by OITS staff to conduct privileged actions on Tarleton information resources.
  - Service Accounts – These non-human domain accounts are linked to systems or tasks that require privileges.
  - Local Accounts – Accounts for access to an information resource such as an individual workstation, server, or enterprise application
- Authorized access controls/privileges are to be modified appropriately as an account holder’s employment or job responsibilities change.
- Account managers (i.e. an employee’s supervisor, etc.) are responsible for ensuring that applicable personnel in OITS, human resources, the Provost’s Office, and/or other applicable areas providing access privileges to specific Tarleton information resources are notified when an employee and/or third-party user’s job responsibilities change and/or terminate so that the user’s account and access privileges are modified accordingly.
- Account management processes are aligned with personnel termination and transfer processes so that an account holder who no longer requires access to Tarleton information resources is terminated and disabled in a timely manner. See Control AC-2(3), Access Control – Disable Accounts, for additional information on when accounts are disabled.
- Information resource custodians shall document processes for removing accounts of individuals no longer employed or authorized to access Tarleton information resources. Any exceptions to these processes must be provided to the CISO for review and documented.
- Logon IDs that have not been used to access Tarleton information resources within a reasonable period of time (180 days from the date of creation) shall be disabled.
- Information resource custodians shall have documented processes in place to modify a user’s account to accommodate situations such as name changes, account changes, and permission changes.
- These custodians shall periodically review existing accounts for account management compliance.
- Tarleton has the right to monitor the use of accounts accessing Tarleton information resources to ensure compliance with federal, state, Texas A&M University System (TAMUS), and/or Tarleton regulations and policies.
- Confidential information should only be accessible to authorized users requiring that information as related to their job duties/responsibilities or otherwise as applicable by law.
- Any files or other records containing confidential information shall be identified, documented, and protected.
- Information resources containing confidential information provided between Tarleton departments or from a Tarleton department to a third-party vendor/contractor shall be protected in accordance with the conditions imposed by the providing department.
- Role-based access controls or secure single sign-on (SSO) access to cloud and/or local services should be implemented where possible.