Information Resources Identity and Access Management
UPPS No. 04.01.02
Issue No. 7
Effective Date: 12/19/2014
Next Review Date: 4/01/2018 (E2Y)
Sr. Reviewer: Associate Vice President for Technology Resources
- Information resources residing at or administered by Texas State University are strategic and vital assets belonging to the people of Texas. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the university to appropriately manage access to these information resources. Texas State shall afford an individual access to these resources in a manner consistent with the individual’s institutional affiliations and roles. Individuals shall access these resources only as necessary to fulfill their institutional roles and always in compliance with established laws, regulations, policies, and controls. The university shall hold individuals accountable for their actions relating to such access (see TAC 202.70 and TAC 202.71).
- This policy applies to all Texas State information resources and to all individuals whose affiliation with Texas State requires or permits their access to those resources, without regard to the manner, form, or location of access.
KEY DEFINITIONS AND RESPONSIBILITIES
Account – a relationship between an information resource (e.g., computer, network, or online service) and a user of that resource. The university assigns and administers a variety of account types (see list below), the vast majority being individual user domain accounts. In this policy, the term “account” refers to accounts of all types unless a specific type is referenced. The university account types include the following:
a. Domain Account – assigned to a single individual to facilitate access to the Texas State network domain and information resources within that domain; the owner of an individual user domain account is the only authorized user of that account;
b. Group and Shared Accounts – have more than one authorized user. Individual accountability is often difficult to ascertain with group accounts. Consequently, group accounts present additional management challenges and should be employed only in low-risk or team support situations (e.g., service and privileged accounts). The administrative head of a unit with a group account must establish procedural controls consistent with the risk posed by improper use of the account. Examples of such controls include the maintenance and frequent review of separate activity logs and diligent management of group membership;
c. Service Account – assigned to a specific information resource or resource group to facilitate services by an external support provider (a support service account) or to authenticate one system or resource to another (a system service account). Service accounts shall be unique to the applicable resource or resource group. Support service accounts shall be enabled only after notice to the information resource owner and only for the duration of an active maintenance engagement;
d. Privileged (or Super User) Account – assigned to one university employee or a team of university employees for their use in administering university information resources; and
e. Resource Account – assigned to a specific resource (e.g., meeting room) rather than an individual or group of individuals; resource accounts facilitate the reservation and use of shared resources.
Account Owner – the individual to whom an account is assigned, generally represented by a NetID or username. University affiliation (see Section 04.) determines account eligibility. Knowledge of the account’s password demonstrates account ownership. The account owner is the only authorized user of the account and is responsible for all computing and network activities attributable to that account. For group accounts, the administrative head of the unit to which the account is issued owns the account. As such, the administrative head shall authorize group membership and hold group members accountable for their use of the account (see also Section 03.01 b.).
Affiliation – an association between an individual and the university (e.g., student, faculty member, employee, guest, etc.). Individuals may enjoy multiple concurrent affiliations with the university.
Identity and Access Management – the policies and processes that identify individual users and control access to information resources.
Information Resources – Texas State’s information resources are explicitly defined in UPPS No. 04.01.07, Appropriate Use of Information Resources. Most Texas State information resources are non-public, meaning that the university must first validate an individual’s identity and university affiliation before affording the individual access to the resources. Unless specifically stated otherwise, the phrase “information resources” in this policy refers to the university’s non-public information resources. Examples of non-public information resources include the university’s encrypted wireless network and its electronic mail system. Examples of public resources include the university’s open wireless network, which allows general Internet access, and public kiosks within the Alkek Library.
ITAC – an information technology services organization that provides the university’s user community with a variety of technology support services, including user authentication (e.g., account creation, activation, and de-activation) and authorization (e.g., user role assignment and revocation).
NetID – a unique identifier assigned by the university to an account and its owner. The NetID is used with its associated password to authenticate the account owner’s identity when accessing Texas State information resources. See Section 06. for additional specifics regarding NetID assignment and administration.
Password – a character string associated with an account and known only to the account owner, used to prove identity or gain access to an information resource. Presenting the account’s NetID and password proves (or authenticates) the NetID owner’s identity. See Section 08.06 in UPPS No. 04.01.01, Security of Texas State Information Resources, for more information about password creation and management.
Role – a defined set of access privileges, generally associated with a user’s responsibilities or position within an organization or group, which defines the tasks a user can perform. Many automated functions and online services require more finely-tuned access controls than the university’s identification and authentication credentials can afford. In such situations, the designated owner or application administrator should employ additional authorization controls, like role definitions and assignments, to determine and enforce the access and activity controls applicable to an authenticated user.
Semester – one of three periods of instruction during the academic year, identified as fall, spring, and summer, each of which ends with its last commencement date and begins with the day immediately following the last commencement date of the prior period.
Texas State ID Number – a unique and permanent university identifier that identifies an individual within the university’s identity repository and other internal university databases. The Texas State ID number is used in conjunction with a private Personal Identification Number (PIN) to assert the owner’s identity with a limited set of university information resources.
Texas State provides restricted access to its information resources to persons with the following university affiliations:
students (as described in Section 05.01);
faculty members (as described in Section 05.02);
regular and non-student/non-regular-staff employees (as described in Section 05.02);
retired faculty, administrators, and staff (as specified in UPPS No. 04.04.53, Honors and Benefits for Retired Faculty and Staff);
consultants and contractors (as described in Section 05.03);
regents, administrators, staff, and other members of The Texas State University System (TSUS) administration (as described in Section 05.04); and
guests (as described in Section 05.05).
Individuals may possess multiple concurrent university affiliations (e.g., a staff member enrolled in courses is also a student affiliate). The scope of authorized access and use will vary over time in accordance with the user’s affiliations.
In accordance with this policy, ITAC will make the initial determination regarding an individual’s eligibility to obtain or retain an active Texas State account. In appropriate situations, software administered by Technology Resources automates these processes for ITAC. ITAC will escalate cases where eligibility is disputed or unclear to the associate vice president for Technology Resources or the vice president for Information Technology for review and resolution.
The university has established procedures for verifying the identity and affiliations of persons seeking to access and use university information resources. Section 05. describes responsibilities for these procedures, which vary according to the person’s purported affiliation. The university shall revoke a person’s access to a university information resource when the person no longer has an affiliation that is eligible to use that resource. The university automatically and periodically validates the eligibility of all users against official university sources, such as faculty and staff personnel records and student enrollment records. The university may use other sources when necessary to accurately assess the status of a person’s ongoing affiliation.
Unless eligible through another affiliation, Texas State alumni are not eligible to maintain an active university NetID for use in accessing the university’s information resources. Texas State alumni are eligible for email and other information services through the Texas State Alumni Association.
PROCEDURES FOR AFFILIATION-SPECIFIC CONDITIONS AND RESTRICTIONS
* Organizations that admit students into university educational programs that require or expect students to access the university’s information resources shall, as part of their intake process:
verify the identity of the students they admit;
ensure that the identifying information of each admitted student is recorded in the university’s identity database; and
obtain and securely issue an official Texas State ID number and initial PIN for each student they admit.
Examples of such organizations include Undergraduate Admissions, the Graduate College, Distance and Extended Learning, and Continuing Education.
New students use their Texas State ID number and PIN to create and activate their domain accounts through a self-service process. Students with deactivated domain accounts use the same process to reactivate their domain accounts. Students who cannot validate their identity through the self-service process must contact ITAC to have their identities validated and their PIN reset.
Students are eligible to use information resources for the duration of their enrollment. Eligibility is based on information present in the university’s student information system or an authorized department or program equivalent approved by the associate vice president for Technology Resources.
Students generally retain their eligibility at the end of a semester with the expectation of continued enrollment for the ensuing semester. A student’s domain account remains active for two full semesters (excluding summer sessions) following the student’s last semester in attendance. The university will deactivate the account of any student who fails to enroll over the course of three consecutive semesters, unless the student has a current non-student affiliation (e.g., holds faculty, staff, or retiree status).
Faculty and staff employees with current appointments (either paid or unpaid), or agreements for impending employment, are eligible to use the university’s information resources. Eligibility must be supported by official employment records maintained by the university’s Faculty Records or Human Resources departments, as appropriate to the position. Organization heads shall notify Faculty Records or Human Resources, as appropriate, about personnel changes in a timely manner.
ITAC generates domain accounts for new faculty and staff in response to requests from hiring departments and Human Resources, as follows:
ITAC receives and processes a completed online NetID Request from the hiring department. The request must include the new employee’s Texas State ID number, which may already exist per a different affiliation or may need to be generated by Faculty Records or Human Resources in the process of initializing the individual’s employment records; and
ITAC receives and processes a list from Human Resources containing the names and Texas State ID numbers of attendees at the most recent new employee orientation (NEO I).
Hiring departments, Faculty Records, and Human Resources must verify new faculty and staff identities as part of their hiring processes and prior to requesting domain accounts for new hires.
A domain account activated on the basis of impending employment shall expire 45 days beyond the anticipated start date. Hiring departments, Faculty Records, and Human Resources must establish up-to-date employment records for the employee prior to the end of that 45-day period to prevent automatic deactivation of the account.
Generally speaking, faculty and staff employees retain their eligibility until official employment records indicate that their employment with the university has ceased and they have no other authorized affiliation with the university. Because employment separation transactions may be processed after the official separation date, and to ensure that separating employees do not retain access beyond that date, department heads shall notify ITAC of any separating faculty or staff prior to their official separation date, as directed in UPPS No. 04.04.50, Separation of Employment and Interdepartmental Transfers.
Consultants and contractors are eligible to use the university’s information resources as specified in and restricted by their contracts, federal and state law, this policy, and other applicable university policies. The applicable Texas State department contract administrator shall ensure that the relevant contracting documents include appropriate provisions for mitigating risk to university information accessible to consultants, contractors, and other external parties under the contract. The Office of the Vice President for Information Technology provides sample non-disclosure agreements and data security and privacy provisions, along with guidance and assistance in their use.
The university shall assign each individual consultant or contractor an individual domain account that is unique for the duration of the contract. The department contract administrator shall request consultant or contractor domain accounts from ITAC at least 10 business days before the accounts will be needed. The request should include the name of each individual needing an account and the expected activation period, which should neither begin before nor extend beyond the expected duration of that individual’s participation in contract activities. The department contract administrator shall immediately notify ITAC whenever a consultant or contractor ceases to need access to the university’s information resources.
ITAC will set the domain accounts of consultants and contractors to expire upon the expected completion date of the contract or August 31 of the current fiscal year, whichever comes sooner. The department contract administrator is responsible for renewing the domain accounts of consultants and contractors through ITAC prior to their expiration date.
Members of The TSUS Board of Regents and members of The TSUS administration staff are eligible to use the university’s information resources for the length of their TSUS affiliation. ITAC assigns domain accounts to these individuals upon request from the assistant to the chancellor or designee. In submitting the request, the assistant to the chancellor affirms the identities of the persons named in the request.
Unless directed otherwise by the vice president for Information Technology, TSUS domain accounts will expire at the end of a TSUS board member’s current term, or August 31 of the current fiscal year, as appropriate. The assistant to the chancellor shall notify ITAC whenever a TSUS account owner ceases to need access to information resources, such as when a TSUS staff member separates from employment.
By August 10 of each fiscal year, ITAC will provide a list of active TSUS domain accounts to the TSUS Information Resources manager (IRM). The TSUS IRM will review the list, denote which TSUS members need their accounts renewed for another year, and return the list to ITAC for processing prior to the August 31 account expiration date.
Texas State may assign guest domain accounts to individuals not otherwise affiliated with the university if the accounts are required to support functions directly associated with the university mission. A current faculty or staff account owner must sponsor each guest user. Sponsors must affirm the guest user’s identity and serve as the university contact regarding issues associated with the guest user’s access and use of information resources.
Sponsors should request guest accounts, or provide ITAC with advance notice of an impending need for guest accounts, at least 10 business days before the accounts are needed. When requesting or renewing guest accounts, the sponsor will include the sponsor’s NetID, the name of the guest to receive the account, a description of the sponsor’s relationship to the function for which the account is needed, how the function is associated with the university mission, and the expected activation period (start and end dates) for the account.
ITAC will set guest domain accounts to expire at the end of the expected activation period, or on August 31 of the current fiscal year, whichever comes sooner. The sponsor shall notify ITAC of the need for an extension of their guest’s account at least 10 business days prior to the account expiration date. The sponsor shall notify ITAC whenever a guest account owner ceases to need their account for access to the university’s information resources.
USER ACCOUNT AND NETID ADMINISTRATION
Technology Resources shall utilize a university-standard naming convention in constructing account NetIDs in order to assure their uniqueness and suitability as identifiers. Account owners may not specify or personally choose their NetIDs. The university permanently and irrevocably assigns the NetID to the account owner and will never re-assign that same NetID to another domain account owner except for temporary consultant, contractor, group, or guest affiliations (see Section 03.01 b.).
Individuals may not possess more than one concurrently active domain account. Technology Resources will issue a replacement NetID to an account owner if and only if the existing NetID represents a credible danger to the health or safety of the account owner.
The university will track each domain account assignment using either the account owner’s Texas State ID number, the account sponsor’s NetID, or the Texas State ID number.
Only a domain account’s owner is authorized to know and use the password for that domain account, and the owner may not disclose the password to another party. No university component, employee, representative, or agent may ask the owner of a Texas State domain account to divulge their password.
Whenever the university newly activates or reactivates a domain account, it will randomly generate a new, pre-expired password for the associated NetID to force a password change by the account owner upon initial login.
Account owners shall affirm their knowledge and understanding of their responsibilities relative to information security and the appropriate use of information resources each time they change their account password.
Authorized Information Technology personnel may unilaterally suspend or block access by an account when, in their professional judgment and in the course of their assigned duties, such action is necessary to:
protect the confidentiality, integrity, availability, or functionality of university information resources;
protect the university from harm or liability; or
prevent use or abuse of the account by a person or persons other than the account’s legitimate owner.
Authorized Information Technology personnel may block access to a domain account without advance notice when presented with a written request from appropriate university authorities, the department head of an employee’s organizational unit, or the sponsor of the account. Reasons for such a block include involuntary employee termination, elevated concern for the security of information resources, and reasonable belief that the account is being used in activities that are prohibited by law, Regents’ Rules, or university policy.
The university shall deactivate any domain account that fails to record a successful login for more than 180 consecutive days. The university shall also perform a daily automated review of the account owner information changes in its official information sources (i.e., systems of record). The university will deactivate the domain accounts of individuals who, based upon that review, no longer qualify for ownership of a domain account under the terms of this policy. Owners of deactivated domain accounts must re-validate their identity and possess an eligible university affiliation before they may reactivate their NetID and regain access to the university’s information resources.
The university may delete, without any notification or recovery obligation, files or other information resources attributable to any domain account that persists in a deactivated state for more than 180 consecutive days.
PROCEDURES REGARDING ACCOUNT ACCESS WITHOUT CONSENT
* The university generally prohibits access to electronic records and communications by anyone other than the designated owner of the account or electronic resource containing the records or communication, or the sender or recipient of a particular communication, without prior consent from the applicable account owner, sender, or recipient. However, as a Texas public institution, the university must monitor, review, and disclose electronic records and communications stored or transmitted using the university’s information resources as necessary to:
a. comply with the provisions of the Texas Public Information Act, other pertinent laws, Regents’ Rules, and university policies;
b. satisfy other legal obligations, such as subpoenas and court orders;
c. protect and sustain the operational performance and integrity of university information systems and business processes;
d. facilitate security reviews, audits, and investigations by authorized individuals in the performance of their assigned duties; and
e. protect and support the legitimate interests of the university and other users, as determined by the vice president for Information Technology in consultation with The TSUS associate general counsel.
Users of the university’s information resources expressly consent to monitoring and review by the university for these purposes. If such monitoring or review reveals evidence of possible criminal activity, university administration may provide that evidence to law enforcement officials without notice to the user. Further, all users should understand that while the university takes reasonable precautions, as evidenced by its information security program, it is unable to guarantee the protection of electronic files, data, or e-mails from unauthorized or inappropriate access or disclosure.
Consequently, consistent with TAC 202.76, users should not expect privacy in their use of Texas State information resources.
Individuals seeking non-consensual access to electronic records or communications residing within a user account or university information resource assigned to another user shall make such requests in writing to the vice president for Information Technology. The requests must fully describe the requested records by type and date, and must specify the authorization (see Sections 07.01 a. through 07.01 e.) that permits the access. The vice president for Information Technology or designee, in consultation with The TSUS associate general counsel and other university officials, as appropriate to the circumstances, will approve or deny the request. This provision applies to all user accounts and information resources, including those assigned to deceased, incapacitated, or otherwise unreachable individuals.
EXEMPTIONS AND EXCEPTIONS
- Individuals desiring an exemption or exception from any provision in this policy shall make the request in writing to the associate vice president for Technology Resources. The written request must specify the provision to be waived and demonstrate a compelling need or unique circumstance that clearly justifies a waiver. The associate vice president will communicate a decision to the requestor within 10 business days of the request. The requestor may appeal the associate vice president’s decision to the vice president for Information Technology, whose decision is final.
REVIEWERS OF THIS UPPS
* Reviewers of this UPPS include the following:
Position (review date):
Associate Vice President for Technology Resources (April 1 E2Y)
Special Assistant to the Vice President for Information Technology (April 1 E2Y)
Chief Information Security Officer (April 1 E2Y)
Vice President for Information Technology (April 1 E2Y)
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Associate Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology