AC-2 Account Management

Description

Information system account types include, for example, individual, shared, group, system, guest/anonymous, emergency, developer/manufacturer/vendor, temporary, and service. Some of the account management requirements listed above can be implemented by organizational information systems.

The identification of authorized users of the information system and the specification of access privileges reflects the requirements in other security controls in the security plan. Users requiring administrative privileges on information system accounts receive additional scrutiny by appropriate organizational personnel (e.g., system owner, mission/business owner, or chief information security officer) responsible for approving such accounts and privileged access.

Organizations may choose to define access privileges or other attributes by account, by type of account, or a combination of both. Other attributes required for authorizing access include, for example, restrictions on time-of-day, day-of-week, and point-of-origin.

In defining other account attributes, organizations consider system-related requirements (e.g., scheduled maintenance, system upgrades) and mission/business requirements (e.g., time zone differences, customer requirements, remote access to support travel requirements).

Failure to consider these factors could affect information system availability.

Temporary and emergency accounts are accounts intended for short-term use. Organizations establish temporary accounts as a part of normal account activation procedures when there is a need for short-term accounts without the demand for immediacy in account activation. Organizations establish emergency accounts in response to crisis situations and with the need for rapid account activation. Therefore, emergency account activation may bypass normal account authorization processes. Emergency and temporary accounts are not to be confused with infrequently used accounts (e.g., local logon accounts used for special tasks defined by organizations or when network resources are unavailable). Such accounts remain available and are not subject to automatic disabling or removal dates.

Conditions for disabling or deactivating accounts include, for example:

  1. when shared/group, emergency, or temporary accounts are no longer required; or
  2. when individuals are transferred or terminated.

Some types of information system accounts may require specialized training.

Applicability

The information resource owner, or designee, is responsible for ensuring that the risk mitigation measures described in this Control are implemented.

The intended audience for this Control includes, but is not limited to, all information resources owners and custodians.

Implementation

TAMU-CC shall:

  1. Identify and select the following types of information system accounts to support organizational missions/business functions: An approval process is required prior to granting access authorization for an information resource. The approval process shall document the acknowledgement of the account holder to follow all terms of use (Information Resource-related Rules and TAMU-CC Information Security Controls) and the granting of authorization by the resource owner or their designee;
  2. Assign account managers for information system accounts. Each person is to have a unique logon ID and associated account for accountability purposes. Role accounts (e.g., guest or visitor) are to be used in very limited situations and must provide individual accountability;
  3. Establish conditions for group and role membership. Access authorization controls are to be modified appropriately as an account holder’s employment or job responsibilities change;
  4. Specify authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
  5. Require approval by the Primary Custodian for requests to create information system accounts. Account creation processes are required to ensure only authorized individuals receive access to information resources.
    1. Individuals shall have the ability to access those transactions and functions for which they are authorized;
  6. Create, enable, modify, disable, and remove information system accounts in accordance with the TAMU-CC Security Control Catalog.
    1. Processes are required to disable logon IDs that are associated with individuals who are no longer employed by, or associated with, the University. In the event that the access privilege is to remain active, the department (e.g., owner, department head) shall document that a benefit to the University exists;
    2. All new logon IDs that have not been accessed within a reasonable period of time (as established by risk management decisions) from the date of creation will be disabled.
    3. All logon IDs that have not been used/accessed within a period of six months shall be disabled. Exceptions can be made where there is an established unit procedure. These actions shall be reviewed and approved by the unit head. Documentation of exceptions shall be maintained by the information resource owner or designee.
    4. Passwords associated with logon IDs shall comply with all Identification and Authentication security controls.
  7. Monitor the use of information system accounts;
  8. Information custodians or other designated staff:
    1. Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to TAMU information resources.
    2. Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.
    3. Shall periodically review existing accounts for account management compliance.
  9. Authorize access to the information system based on:
    1. A valid access authorization;
    2. Intended system usage; and
    3. Other attributes as required by the organization or associated missions/business functions;
  10. Review accounts for compliance with account management requirements annually; and
  11. Establish a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
  12. Confidential information shall be accessible only to authorized users. An information file or record containing any confidential information shall be identified, documented, and protected in its entirety. Information resources assigned from one TAMU-CC department to another or from a TAMU-CC department to a contractor or other third party, at a minimum, shall be protected in accordance with the conditions imposed by the providing TAMU-CC department.
  13. TAMU-CC implements role-based (e.g., students, employees, third parties, guests) access control or adopts a secure Single Sign-on access to cloud and local services (InCommon Federation assurance profile), where possible.
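The inactivity rules in items 6.2 and 6.3 are the part of this control that a custodian can check mechanically. The following Python script is an added illustration of such a periodic review (item 8.3); it is not part of this control and not TAMU-CC tooling. It assumes a 30-day grace period for never-used new logon IDs (the control leaves that period to risk management), computes "six months" on the calendar rather than as a fixed day count, treats an approved unit exception as "retain and log for review" rather than "disable", and runs over a constructed list of sample accounts.

```python
import calendar
from dataclasses import dataclass
from datetime import date
from typing import Dict, List, Optional

# Assumed review parameters. Item 6.2 leaves the new-account grace period to
# risk management; 30 days is a placeholder chosen for this example only.
NEW_ACCOUNT_GRACE_DAYS = 30
INACTIVITY_MONTHS = 6  # item 6.3: unused for six months -> disable


@dataclass
class Account:
    logon_id: str
    created: date
    last_access: Optional[date]          # None = never logged on
    documented_exception: bool = False   # unit-head-approved exception on file


def months_before(d: date, months: int) -> date:
    """Calendar-accurate 'months before d', clamping to the month's last day."""
    years, month_index = divmod(d.month - 1 - months, 12)
    year, month = d.year + years, month_index + 1
    return date(year, month, min(d.day, calendar.monthrange(year, month)[1]))


def account_actions(accounts: List[Account], today: date) -> Dict[str, str]:
    """Map each logon ID to the action the control calls for on 'today'.

    "disable"                     -> item 6.2 or 6.3 applies and no exception exists
    "retain-documented-exception" -> dormant, but an approved exception is on file;
                                     keep the account and record it for review
    "ok"                          -> used within the window
    """
    dormant_cutoff = months_before(today, INACTIVITY_MONTHS)
    actions: Dict[str, str] = {}
    for acct in accounts:
        if acct.last_access is None:
            # Item 6.2: new logon ID never accessed within the grace period.
            stale = (today - acct.created).days > NEW_ACCOUNT_GRACE_DAYS
        else:
            # Item 6.3: last use is earlier than six months before today.
            stale = acct.last_access < dormant_cutoff
        if not stale:
            actions[acct.logon_id] = "ok"
        elif acct.documented_exception:
            actions[acct.logon_id] = "retain-documented-exception"
        else:
            actions[acct.logon_id] = "disable"
    return actions


# Constructed sample data; these are not real accounts.
SAMPLE_TODAY = date(2025, 3, 1)
SAMPLE_ACCOUNTS = [
    Account("alice", date(2024, 1, 10), date(2025, 2, 20)),
    Account("bob",   date(2024, 1, 10), date(2024, 6, 1)),
    Account("carol", date(2024, 1, 10), date(2024, 6, 1), documented_exception=True),
    Account("dave",  date(2025, 1, 15), None),
    Account("erin",  date(2025, 2, 20), None),
]


def run_sample() -> Dict[str, str]:
    """Run the review over the constructed sample as of SAMPLE_TODAY."""
    return account_actions(SAMPLE_ACCOUNTS, SAMPLE_TODAY)


if __name__ == "__main__":
    for logon_id, action in run_sample().items():
        print(f"{logon_id:8} {action}")
```

In practice the account list would come from the directory or identity provider, and the "retain-documented-exception" results are the ones the information resource owner must keep documentation for under item 6.3.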

Revision History

Last Updated: February 21, 2025

Previous Versions:

  • June 29, 2023
  • May 31, 2022
  • March 25, 2021
  • September 16, 2019