Tarleton Office of Innovative Technology Solutions (OITS)
Account Management Standard

Effective: February 11, 2020

Revised:  April 24, 2025 


Procedure Summary 

Tarleton State University’s (Tarleton or university) information resources are strategic assets which, as property of the State of Texas, must be managed as valuable state resources in accordance with Texas Government Code Chapter 2054. Access to university information resources is normally controlled by a logon ID associated with an authorized account. Proper administration of these logon IDs is very important to ensure the security of confidential information and the normal business operation of university managed and administered information resources.  

This standard applies to university information resources that store or process mission critical and/or confidential information. The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with account management. There may be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this standard based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated information security officer. The intended audience for this standard includes, but is not limited to, all information resources data owners, management personnel, and system administrators.  

Please see the Tarleton Security Controls Catalog, specifically Access Control (AC)-2, for additional information and requirements.

Procedures and Responsibilities 

  • An approval/authorization process is required prior to granting access for an information resource. The approval process shall document the acknowledgment of the account holder to follow all terms of use and the granting of authorization by the resource owner or their designee. Each person will have a unique logon ID and associated account for accountability purposes.  
  • Role accounts (e.g., guest or visitor) will be used in very limited situations and must provide individual accountability when used to access mission critical and/or confidential information.  
  • Account creation processes are required to ensure that only authorized individuals receive access to information resources.
  • Processes are required to disable logon IDs that are associated with individuals who are no longer employed by, or associated with, the university.
  • Passwords associated with logon IDs shall comply with the university’s internal password authentication standard.
  • System administrators or other designated staff:
    • Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to Tarleton information resources;
    • Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes; and
    • Shall have a documented process for periodically reviewing existing accounts for validity.

Definitions

Account: information resource users are typically assigned logon credentials which include, at the minimum, a unique user name and password.   

Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.   

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.   

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering the information security functions within the university and reports to the information resources manager (IRM).  

Logon ID: a user name that is required as the first step in logging into a secure system. Generally, a logon ID must be associated with a password to be of any use.  

Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of a department or the university.

Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.  

Related Statutes, Policies, or Requirements 

TAMUS Policy 29.01, Information Resources

TAMUS Regulation 29.01.02, Use of Licensed Software

TAMUS Regulation 29.01.03, Information Security

TAMUS Regulation 29.01.04, Accessibility of Electronic and Information Resources

TAMUS Regulation 29.01.05, Artificial Intelligence

TAMUS Regulation 29.01.06, Covered Applications and Prohibited Technologies

Tarleton SAP 29.01.03.T0.01, Information Resources – Acceptable Use

Tarleton Rule 29.01.99.T1, Information Resources

Tarleton Security Controls Catalog

Contact Office 

Office of Innovative Technology Solutions 

AVP and CIO of Innovative Technology Solutions 

254-459-5685