IA-4: Identifier Management

NIST Baseline:  Low 

DIR Required By:  07/20/2023 

Review Date:  07/10/2024 

  • The information resource custodians will manage information system identifiers for users and devices by: 
    • Following the applicable information resource owner's and/or information resource custodian's authorization process to assign a user, group, role, or device identifier (see Control AC-2, Account Management, for additional information);
    • Selecting and assigning an identifier that identifies an individual user, group, role, or device; and 
    • Preventing the reuse of user, group, role, or device identifiers after the account has been deleted and/or the device has been surplussed. 
  • All logon IDs, with the exception of student accounts, that have not been used/accessed within a period of 90 days shall be disabled; see Control AC-2(3), Access Control – Disable Accounts, for additional information.
    • Under special circumstances, exceptions can be made to the above, but must be reviewed and approved by applicable management and/or the Tarleton Chief Information Security Officer (CISO). Documentation of exceptions shall be maintained by the information resource owner or designee.   
  • A user’s access authorization shall be appropriately modified or removed when the user’s employment or job responsibilities change within the university. 

References/Additional Resources

None.  See any applicable internal procedures.