Prairie View A&M University


Account Management


1. General

Prairie View A&M University information resources are strategic assets which, being property of the State of Texas, must be managed as valuable state resources. Access to information resources is normally controlled by a Logon ID associated with an authorized user account. Proper administration of these Logon IDs is very important to ensure the security of confidential information and normal business operations of information resources.

2. Applicability

This procedure applies to all University information resources. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Account Management. The intended audience for this procedure includes, but is not limited to, all information resources data/owners, management personnel, and system administrators.

3. Definitions
 
  • Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
  • Account: information resource users are typically assigned logon credentials, which include, at the minimum, a unique user name and password.
  • Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
  • Logon ID: a user name that is required as the first step to logging into a secure system. Generally, a logon ID must be associated with a password to be of any use.
  • Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
  • Owner of an Information Resource: an entity responsible for:
    • a business function (Department Head) and,
    • determining controls and access to information resources.

 

4. Procedures
  1. An approval process is required prior to granting access authorization to an information resource. The approval process shall document the acknowledgement of the account holder to follow all terms of use and the granting of authorization by the resource owner or their designee.
  2. Each person is to have a unique Logon ID and associated account for accountability purposes. Role accounts (e.g., guest or visitor) are to be used in very limited situations, and must provide individual accountability when used to access mission critical and/or confidential information.
  3. Access authorization controls are to be modified appropriately as an account holder's employment or job responsibilities change.
  4. Account creation processes are required to ensure that only authorized individuals receive access to information resources.
  5. Processes are required to disable Logon IDs that are associated with individuals who are no longer employed by, or associated with, the University. In the event that the access privilege is to remain active, the department (e.g., owner, department head) shall document that a benefit to the University exists.
  6. All access privileges to information resources must be reviewed at least biannually by the owners (department heads or administrators), and documented as such.
  7. Passwords associated with Logon IDs shall comply with the University Password .
  8. Information Security Administrators or other designated staff:
    a. Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to University information resources.
    b. Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.
    c. Shall have a documented process for periodically reviewing existing accounts for validity.

 

All content © Prairie View A&M University 2009
All rights reserved.