Policy 7.5 Account Management
SCOPE: FACULTY, STAFF, STUDENTS, AND GUESTS
1. POLICY STATEMENTS
1.1. Information resources residing at or administered by LIT are strategic and vital assets belonging to the people of Texas. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires LIT to appropriately manage access to these information resources.
1.2. LIT shall afford an individual access to these resources in a manner consistent with the individual’s institutional affiliations and roles. Individuals shall access these resources only as necessary to fulfill their institutional roles and always in compliance with established laws, regulations, policies, and controls.
2. USER RESPONSIBILITIES
2.1. Users are responsible for the security of any computer account issued to them and are accountable for any activity that takes place in their account.
2.2. Users who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to LIT Information Technology. LIT Information Technology shall escalate the incident to the ISO if the compromise may increase the risk to other institutional information resources. Any suspected or attempted violation of system security should be reported immediately to the ISO or LIT Information Technology.
3. GENERAL
3.1. Each information system that uses login credentials shall have a designated account manager. Unless specifically indicated via contract, software license agreement, or other formal assignation, LIT Information Technology shall serve as the account manager.
3.2. Identification and Authentication
3.2.1. The identity of authorized users shall be authenticated before access to LIT information resources is granted. To facilitate authentication, each authorized user will be assigned an account with a unique logon ID (e.g., UserID, Banner ID number).
3.2.2. Initial authentication shall be performed as part of the account creation process. Authorized users will be prompted to authenticate prior to each subsequent access to LIT information resources unless pass-through authentication from authorized systems has been implemented (e.g., Single Sign On).
3.2.3. Shared User Accounts
3.2.3.1. Shared user accounts are to be used in very limited situations and must provide individual accountability when used to access mission critical or confidential information.
3.2.3.2. Shared user accounts must be approved by the ISO.
3.3. Authorization and Access
3.3.1. Access shall not be granted to information resources without authorization from appropriate information owners. Authorization shall be based on mission/business functions and intended system use.
3.3.2. Where possible and practical, group and role membership shall be utilized to assign privileges to users.
3.3.3. For business functions in which separation of duties are required, access authorizations shall support this requirement. This may require the creation of additional groups or roles.
3.3.4. LIT access control is based on the principle of least privilege, in which access is authorized only as necessary to accomplishes assigned tasks in accordance with LIT’s mission and business functions.
3.3.5. Access controls shall be modified appropriately as a user’s employment or job responsibilities change. Information owners shall notify account managers under the following conditions:
3.3.5.1. An account is no longer necessary.
3.3.5.2. A user’s employment status or affiliation changes.
3.3.5.3. A user’s job responsibilities or need-to-know changes.
3.3.6. A user’s account shall be deactivated whenever their affiliation with LIT no longer qualifies them to possess an active account.
3.3.6.1. Staff and full time faculty accounts are deactivated as part of the HR exit process. 3.3.6.2. Student accounts will remain active for two long semesters after their last semester of enrollment to facilitate communication and re-enrollment. After two long semesters, accounts shall be deactivated and removed.
3.3.6.3. Adjunct faculty accounts are deactivated during semesters in which the faculty are not teaching classes and shall be removed after being deactivated for two long semesters.
3.3.7. Where possible and practical, logon IDs associated with deactivated accounts shall be prevented from being reused for no less than 180 days.
3.3.8. Computing accounts will be reviewed for compliance with this policy and business requirements by the information owner on an annual basis each fall semester and periodically thereafter based on risk assessment. As part of this review,
3.3.8.1. Information owners shall notify account managers of any changes in a timely manner. These notifications shall be documented.
3.3.8.2. Information owners shall document the annual review and maintain the documentation as per record retention requirements.
3.4. System Administrator, Special Access, and Service Accounts
3.4.1. Under circumstance in which it is necessary for authorized custodians or system administrators to share an administrator or special access account to perform their duties, there shall be a process to provide individual accountability when accessing confidential information or critical systems. Access to administrator or special access accounts shall be documented and reviewed at least annually.
3.4.2. Access to service accounts used for interaction between devices, applications, or services shall be documented and reviewed at least annually.
3.4.3. In cases in which a system has only one administrator, there shall be a password escrow procedure in place to allow an appropriate individual other than that system administrator to gain access to the administrator account in an emergency situation.
3.4.4. Passwords for shared system administrator/special access and service accounts shall change when an individual knowing the password is no longer employed with LIT or no longer performs functions requiring access to those accounts.
3.5. Non-LIT Users
3.5.1. Non-LIT users, such as vendors, auditors, or other third parties, are eligible for LIT computing accounts provided that there is a documented business need.
3.5.2. The request for account for a non-LIT user must come from the sponsoring unit.
3.5.3. Where possible, non-LIT user accounts shall be identified as such and created with an expiration date.
3.6. Audit trails and/or transaction logging shall be implemented where appropriate, based upon risk assessment, in order to provide individual accountability for changes to mission critical information, software, and automated security or access rules.
4. REQUIRED DOCUMENTATION
4.1. Requests for access and associated authorizations must be documented using approved institutional forms or through approved electronic means.
4.2. Notification of access changes must be submitted to account managers through approved electronic means.
4.3. Annual account reviews must be documented.
4.4. Documentation shall be retained as per appropriate records retention requirements.
5. EXCEPTIONS
5.1. Information resources designed for use by the general public in which only public information is disseminated do not require unique identification and authorization. This includes, but may not be limited to, LIT’s public web site and the guest wireless network.
5.2. Temporary passwords that are transmitted for the sole purpose of establishing a new password or changing a password can be excepted from the requirement to encrypt provided it is a one-time transmission and the user must also change the password upon first logon.
6. AUTHORITY AND RESPONSIBILITY
Questions related to this policy should be addressed to the IRM at irm@lit.edu.