AC-2 Account Management
Statement
Access to West Texas A&M University information resources is commonly controlled by a logon ID associated with an authorized account. Proper administration of these access controls is important to ensure the integrity of University information and the normal business operation of University-managed and administered information resources.
Applicability
The intended audience for this control includes, but is not limited to, all information resource data/owners, management personnel, and system administrators.
The information resource owner or custodian is responsible for ensuring that the implementation measures described below are implemented.
Implementation
WTAMU utilizes unique account types for various campus roles. These include employee accounts, student accounts, and guest accounts. Each account type requires distinct management as defined below; individuals may be issued accounts fitting more than one role. Users shall use each account only for the role for which it is issued.
Employee accounts include any account issued to an employee and used to fulfill their employment responsibilities.
- The resource owner or custodian may fulfill the role of account manager for systems that do not authenticate using user credentials managed by IT. For systems using IT-managed credentials, an IT administrator shall serve in the custodian role and act as account manager.
- Account managers shall define and document the types of accounts used within the system (e.g., user, shared).
- Account managers shall establish the conditions for role or group membership within the system.
- Account managers shall specify which users within the University are authorized to use the system, the group or role that users’ responsibilities require, and the privileges needed within the system.
- An approval process is required prior to granting access to an information resource; for systems that contain sensitive or confidential data, approval must be provided by the system owner or a University Vice President.
- Access shall be granted only to those whose role with the University aligns with the purpose of the system.
- Passwords associated with shared logon IDs shall be changed when an individual with access to the shared login has left the University or transferred to a role where access to the shared account is no longer needed.
- Account managers shall have a documented process for the timely removal of accounts for individuals meeting any of the following conditions:
  - upon termination of employment
  - upon transfer to another department
  - upon changes in a user’s responsibilities that eliminate the need for system access
- Account managers shall monitor account usage and periodically review existing accounts for validity.
- Documentation of exceptions shall be maintained by the information resource owner or designee.
Student accounts are issued to students upon admission to the University, and shall be used for access to all resources used in an academic setting. This includes, but is not necessarily limited to: LMS access, student access to the Student Information System, student email, campus labs, and campus wifi.
- IT shall manage all student accounts, including the processes and procedures that govern creation and removal of accounts.
- Account managers shall establish the conditions for any special role or group membership within the system.
- Account managers shall specify which users within the University are authorized to use the system, the group or role that users’ responsibilities require, and the privileges needed within the system.
- Account managers shall monitor account usage and periodically review existing accounts for validity.
- Documentation of exceptions shall be maintained by the information resource owner or designee.
Guest accounts include any account issued to an individual who is neither a student nor an employee.
- Formal approval is required prior to granting guest access to any information resource. For access to systems that contain sensitive or confidential data, approval must be provided by the system owner or a University Vice President. Approvals will be valid for up to 1 calendar year before a renewal is required.
- IT shall manage all guest accounts, including the processes and procedures that govern creation and removal of accounts.
- Account managers shall define and document the types of accounts used.
- Account managers shall establish the conditions for role or group membership within the system.
- Access shall be granted only to those whose role with the University aligns with the purpose of the system.
- Account managers shall have a documented process for the timely removal of accounts when they are no longer needed.
- Account managers shall monitor account usage and periodically review existing accounts for validity.
- Documentation of exceptions shall be maintained by the information security office.