Tarleton Office of Innovative Technology Solutions (OITS)
Administrator/Special Access Standard

Effective: February 11, 2020

Revised: April 24, 2025

Procedure Summary

This standard applies to all information resources managed by Tarleton State University (Tarleton) and Tarleton users. The purpose of this standard is to provide a set of measures that will mitigate information security risks associated with the administrator’s special access. There may also be other or additional measures that will provide appropriate mitigation of the risks.

The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code (TAC) Chapter 202 ‐ Information Security Standards. As per TAC §202.72, an information resource owner that decides not to implement some or all of the standards provided in this SAP must justify and document such exceptions based on information security risk management decisions and/or business functions. The information resource owner must then report any exceptions to these standards to the designated information security officer (ISO)/chief information security officer (CISO).

Please see the Tarleton Security Controls Catalog, specifically Access Control (AC)-2(7), for additional information and requirements.

Procedures and Responsibilities

University departments shall maintain a list or lists of personnel who have administrator or special access accounts for departmental information resources systems. The appropriate department head, director, or their designee shall review this list on a regular basis and when users within their department change/leave.
All users of administrator and special access accounts shall have account management instructions, training, and authorization.
Each individual who uses administrator and special access accounts must do investigations only under the direction of the ISO/CISO.
Each individual who uses administrator and special access accounts will use the account privilege most appropriate for their work being performed (i.e., user account vs. administrator account).
The password for a shared administrator and special access account must change when an individual using the shared account leaves the department and/or the university or upon a change in the vendor personnel assigned to the Tarleton contract.
When a system has only one administrator, there shall be a password escrow standard in place so that someone other than the administrator can gain access to the administrator account in an emergency.
When special access accounts are needed for internal or external audit, software development, software installation, or other defined need, they:
- must be authorized,
- must be created with a specific expiration date, and
- must be removed when work is complete.

Definitions

Descriptive data (e.g., logs): information created by a computer system or information resource that is electronically captured and which relates to the operation of the system and/or movement of files, regardless of format, across or between a computer system or systems. Examples of captured information are dates, times, file size, and locations sent to and from.

Information Resources (IR): the standards, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.

Information Security Officer (ISO) / Chief Information Security Officer (CISO): responsible for administering Tarleton’s information security functions and reports to the information resources manager (IRM).

User data: User-generated electronic forms of information that may be found in the content of a message, document, file, or other form of electronically stored or transmitted information.