Information Security Controls Catalog AC-2
Last Review: 10/1/2022
Statement
Access to West Texas A&M University information resources is commonly controlled by a logon ID associated with an authorized account. Proper administration of these access controls is important to ensure the integrity of University information and the normal business operation of University-managed and administered information resources.
Applicability
The intended audience for this control includes, but is not limited to, all information resource data owners, management personnel, and system administrators.
The information resource owner or custodian is responsible for ensuring that the implementation measures described below are carried out.
Implementation
- The resource owner or custodian may fulfill the role of account manager for systems that do not authenticate using user credentials managed by IT. For systems using IT-managed credentials, an IT administrator shall serve in the custodian role and act as account manager.
- Account managers shall define and document the types of accounts used within the system (i.e., user, shared, guest).
- Account managers shall establish the conditions for role or group membership within the system.
- Account managers shall specify which users within the University are authorized to use the system, the group or role membership their responsibilities require, and the privileges needed within the system.
- An approval process is required prior to granting access to an information resource; for systems that contain sensitive or confidential data, approval must be provided by the system owner or a University Vice President.
- Access shall be granted only to those whose role with the University aligns with the
- Passwords associated with shared logon IDs shall be changed when an individual with access to the shared logon ID has left the University or transferred to a role where access to the shared account is no longer needed.
- Account managers shall have a documented process for timely removal of accounts for individuals meeting any of the following conditions:
  - upon termination of employment
  - upon transfer to another department
  - upon changes in a user’s responsibilities that eliminate the need for system access
- Account managers shall monitor account usage and periodically review existing accounts for validity.
- Documentation of exceptions shall be maintained by the information resource owner or designee.