{"id":1954,"date":"2024-08-28T14:39:11","date_gmt":"2024-08-28T14:39:11","guid":{"rendered":"https:\/\/www.tarleton.edu\/security-controls-catalog\/?page_id=1954"},"modified":"2025-07-25T15:14:11","modified_gmt":"2025-07-25T15:14:11","slug":"ac-2-account-management","status":"publish","type":"page","link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/access-control-ac\/ac-2-account-management\/","title":{"rendered":"AC-2: Account Management"},"content":{"rendered":"\n<h1 class=\"wp-block-heading has-large-font-size\">AC-2: Account Management<\/h1>\n\n\n\n<div style=\"height:20px\" aria-hidden=\"true\" class=\"wp-block-spacer\"><\/div>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>NIST Baseline: &nbsp;<\/strong>Low&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>DIR Required By:<\/strong> 07\/20\/2023&nbsp;<\/h2>\n\n\n\n<h2 class=\"wp-block-heading\" style=\"font-size:16px\"><strong>Review Date: &nbsp;<\/strong>04\/17\/2024<\/h2>\n\n\n\n<ul class=\"wp-block-list its-nested-list\">\n<li>Each person must have a unique logon ID and associated account for accountability purposes.&nbsp; \n<ul class=\"wp-block-list\">\n<li>These accounts shall be issued and\/or sponsored by Tarleton State University (Tarleton) through Tarleton-based account managers (i.e. 
sponsors that are full-time Tarleton employees), especially for vendor\/third-party accounts that require access to Tarleton information resources.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Each user needing access to Tarleton information resources requiring a Tarleton account (other than student and employee accounts) must complete required training (including Information Security Awareness Training) before receiving their Tarleton account credentials.&nbsp; See <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/awareness-and-training-at\/at-2-literacy-training-awareness\/\">Control AT-2, Literacy Training and Awareness<\/a>, for additional information. <\/li>\n\n\n\n<li>Tarleton employees must complete <a href=\"https:\/\/policies.tamus.edu\/33-05-02.pdf\">Texas A&amp;M University System (TAMUS) required training<\/a> (including Information Security Awareness Training) within 30 days of hire and any required renewal of such training thereafter in accordance with <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/awareness-and-training-at\/at-2-literacy-training-awareness\/\">Control AT-2, Literacy Training and Awareness<\/a> and <a href=\"https:\/\/policies.tamus.edu\/33-05-02.pdf\">TAMUS Regulation 33.05.02, Required Employee Training<\/a>. <\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Individuals are not permitted to use account credentials for which they are not a designated user by the Tarleton Office of Innovative Technology Solutions (OITS); therefore, sharing of passwords is prohibited.&nbsp;<\/li>\n\n\n\n<li>Any exceptions to the above must be documented and approved by the Chief Information Security Officer (CISO).&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tarleton utilizes different account types for various use-cases. 
These accounts include employee accounts, student accounts, non-working retiree accounts, emeritus accounts, guest accounts, administrator accounts, service accounts, and local accounts.&nbsp;\n<ul class=\"wp-block-list\">\n<li><strong>Employee Accounts <\/strong>\u2013 budgeted, wage, graduate assistant, student worker, working retiree, and other employees administratively employed by Tarleton&nbsp;\n<ul class=\"wp-block-list\">\n<li>These accounts are typically requested by the following account managers\/sponsors: supervisors, human resources, the Provost\u2019s Office and\/or another hiring authority, as applicable.&nbsp;&nbsp;<\/li>\n\n\n\n<li>These accounts are disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, the CISO, or another designee.&nbsp;&nbsp;<\/li>\n\n\n\n<li>These accounts are disabled due to inactivity typically after 180 days and then deleted after they have been disabled for 90 days under normal circumstances.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Student Accounts <\/strong>\u2013 students receive access to their student account upon being admitted to the university.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Once registered, students retain account access each semester that they are enrolled. If a student isn\u2019t considered \u201cactive\u201d in Banner by the 25<sup>th<\/sup> class day of each long semester, their account is deleted on the 32<sup>nd<\/sup> class day. 
&nbsp;&nbsp;<\/li>\n\n\n\n<li>Students can request to retain their student account for longer than the above-mentioned time frame under special, pre-approved circumstances; the request must be made prior to their account being deleted.\u00a0<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Non-working Retiree Accounts<\/strong> \u2013 past employees of Tarleton that are no longer employed, but have requested an account for post-retirement access to a Tarleton-provided email.&nbsp;<\/li>\n\n\n\n<li><strong>Emeritus Accounts<\/strong> &#8211; past employees of Tarleton that are no longer employed, but have been granted emeritus status by the Texas A&amp;M University System (TAMUS). &nbsp;These accounts will remain until OITS is instructed to remove them. &nbsp;<\/li>\n\n\n\n<li><strong>Vendor Accounts <\/strong>\u2013 Tarleton and TAMUS affiliates, contractors, vendors, visiting scholars, and other users that require workstation or information resource access; these types of accounts must be sponsored by a full-time Tarleton employee.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Vendor accounts are requested by a Tarleton employee who sponsors the third-party\/contractor. These requests are evaluated by the Tarleton OITS Security Team. The vendor must complete ISA training before receiving access to their vendor account.&nbsp;&nbsp;<\/li>\n\n\n\n<li>The sponsor must provide the timeline needed for the vendor account; the account will be set to be automatically disabled after this time has lapsed. 
This is a maximum of one year.&nbsp;<\/li>\n\n\n\n<li>These accounts are disabled due to inactivity typically after 180 days and then deleted after they have been disabled for 90 days under normal circumstances.<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li><strong>Administrator Accounts <\/strong>\u2013 These accounts are used by OITS staff to conduct privileged actions on Tarleton information resources.&nbsp;&nbsp;<\/li>\n\n\n\n<li><strong>Service Accounts <\/strong>\u2013 These non-human domain accounts are linked to systems or tasks that require privileges.&nbsp;<\/li>\n\n\n\n<li><strong>Local Accounts <\/strong>&#8211; Accounts for access to an information resource such as an individual workstation, server, or enterprise application.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Authorized access controls\/privileges are to be modified appropriately as an account holder\u2019s employment or job responsibilities change.&nbsp;&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>Account managers (i.e. an employee\u2019s supervisor, etc.) 
are responsible for ensuring that applicable personnel in OITS, human resources, the Provost\u2019s Office, and\/or other applicable areas providing access privileges to specific Tarleton information resources are notified when an employee and\/or third-party user\u2019s job responsibilities change and\/or terminate so that the user\u2019s account and access privileges are modified accordingly.&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Account management processes involving personnel termination and\/or transfer processes align so that an account holder that no longer requires access to Tarleton information resources is properly terminated and disabled in a timely manner.&nbsp; See <a href=\"https:\/\/www.tarleton.edu\/security-controls-catalog\/access-control-ac\/ac-2-3-access-control-disable-accounts\/\">Control AC-2(3), Access Control &#8211; Disable Accounts<\/a>, for additional information on when accounts are disabled.&nbsp;\n<ul class=\"wp-block-list\">\n<li>Information resource custodians shall document processes for removing accounts of individuals no longer employed or authorized to access Tarleton information resources.&nbsp; Any exceptions to these processes must be provided to the CISO for review and documented.&nbsp;&nbsp;<\/li>\n\n\n\n<li>Logon IDs that have not accessed Tarleton information resources within a reasonable period of time, after 180 days from the date of creation, shall be disabled.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Information resource custodians shall have documented processes in place to modify a user\u2019s account to accommodate situations such as name changes, account changes, and permission changes.&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>These custodians shall periodically review existing accounts for account management compliance.&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Tarleton has the right to monitor the use of accounts accessing Tarleton information resources to ensure compliance with federal, state, 
Texas A&amp;M University System (TAMUS), and\/or Tarleton regulations and policies.&nbsp;&nbsp;<\/li>\n\n\n\n<li>Confidential information should only be accessible to authorized users requiring that information as related to their job duties\/responsibilities or otherwise as applicable by law.&nbsp;&nbsp;&nbsp;\n<ul class=\"wp-block-list\">\n<li>Any files or other records containing confidential information shall be identified, documented, and protected.&nbsp;&nbsp;&nbsp;<\/li>\n\n\n\n<li>Information resources containing confidential information provided between Tarleton departments or from a Tarleton department to a third-party vendor\/contractor shall be protected in accordance with the conditions imposed by the providing department.&nbsp;&nbsp;<\/li>\n<\/ul>\n<\/li>\n\n\n\n<li>Role-based access controls or secure Single-Sign-On access to cloud and\/or local services should be implemented where possible.&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<hr class=\"wp-block-separator alignfull has-text-color has-tarleton-purple-color has-alpha-channel-opacity has-tarleton-purple-background-color has-background is-style-wide\"\/>\n\n\n\n<h3 class=\"wp-block-heading has-medium-font-size\"><strong>References\/Additional Resources<\/strong><\/h3>\n\n\n\n<p><a href=\"https:\/\/policies.tamus.edu\/33-05-02.pdf\">TAMUS Regulation 33.05.02, Required Employee Training<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"<p>AC-2: Account Management NIST Baseline: &nbsp;Low&nbsp; DIR Required By: 07\/20\/2023&nbsp; Review Date: &nbsp;04\/17\/2024 References\/Additional Resources TAMUS Regulation 33.05.02, Required Employee 
Training<\/p>\n","protected":false},"author":1,"featured_media":580,"parent":871,"menu_order":2,"comment_status":"closed","ping_status":"closed","template":"","meta":{"_acf_changed":false,"inline_featured_image":false,"advgb_blocks_editor_width":"","advgb_blocks_columns_visual_guide":"","footnotes":""},"class_list":["post-1954","page","type-page","status-publish","has-post-thumbnail","hentry"],"acf":[],"coauthors":[],"author_meta":{"author_link":"https:\/\/www.tarleton.edu\/security-controls-catalog\/author\/brian-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-2-3\/","display_name":"brian"},"relative_dates":{"created":"Posted 2 years ago","modified":"Updated 9 months ago"},"absolute_dates":{"created":"Posted on August 28, 2024","modified":"Updated on July 25, 2025"},"absolute_dates_time":{"created":"Posted on August 28, 2024 2:39 pm","modified":"Updated on July 25, 2025 3:14 pm"},"featured_img_caption":"","featured_img":false,"series_order":"","_links":{"self":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1954","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages"}],"about":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/types\/page"}],"author":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/comments?post=1954"}],"version-history":[{"count":2,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1954\/revisions"}],"predecessor-version":[{"id":2667,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/1954\/revisions\/2667"}],"up":[{"embeddable":true,"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/pages\/871"}],"wp:featuredmedia":[{"embeddable":true,"href
":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/"}],"wp:attachment":[{"href":"https:\/\/www.tarleton.edu\/security-controls-catalog\/wp-json\/wp\/v2\/media?parent=1954"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}