AC-02-727 Account Management

AC-02-727
Account Management
Access Control
LOW, MOD, HIGH
P1
Yes
August 17, 2016

Each user of Agency-owned information resources shall be assigned a uniquely identifiable account. Information system account types include: TTI Users, TTI Affiliate Users, TTI Guests, TTI Computer Administrators, TTI Server Administrators, TTI Domain Administrators, TTI Service Accounts, Local Administrators, Local Service Accounts, and Local Users.

TTI Users are budgeted, wages, graduate assistant, student worker, working retiree, retiree emeritus, and other employees administratively located (ADLOC) in Part 12 of the Texas A&M University System (Texas A&M Transportation Institute). The chief information officer is the information resource owner for these accounts and the NIS directory service administration function is the resource manager. These accounts are requested by the hiring authority for a new employee via the Network User Account Request workflow on the TTI help desk portal at https://helpdesk.tti.tamu.edu. These accounts are provisioned by the resource manager once approved by the employee's supervisor. These accounts are automatically disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, chief information security officer, or other designee of the agency director. These accounts are de-provisioned by the resource manager after an appropriate duration of inactivity (typically 6 months).

TTI Joint Assignment Users are TAMUS employees with an ADLOC other than Part 12 who require workstation access. The chief information officer is the information resource owner for these accounts and the NIS directory service administration function is the resource manager. These accounts are requested by a TTI employee authorized to sponsor the user via a Joint Assignment User Account Request workflow on the TTI help desk portal at https://helpdesk.tti.tamu.edu. These accounts are provisioned by the resource manager once approved by the sponsor's program manager/division head. These accounts are automatically disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, chief information security officer, or other designee of the agency director. These accounts are de-provisioned by the resource manager after an appropriate duration of inactivity (typically 6 months).

TTI Sponsored Users are non-TAMUS affiliates, contractors, vendors, visiting scholars, and other users that require workstation access or access to specific information resources. The chief information officer is the information resource owner for these accounts and the NIS directory service administration function is the resource manager. These accounts are requested by a TTI employee authorized to sponsor the guest via a Sponsored User Account Request workflow on the TTI help desk portal at https://helpdesk.tti.tamu.edu. These accounts are provisioned by the resource manager once approved by the sponsor's program manager/division head and once the guest has completed, or provided evidence of having completed, current TAMUS information security awareness training. These accounts are valid for up to one (1) year and are automatically disabled on the scheduled expiration date; they may be renewed by submitting an updated Sponsored User Account Request and repeating this process. These accounts are de-provisioned by the resource manager after an appropriate duration of inactivity (typically 6 months). Guest wireless access is available via self-service by connecting to the ttilink-guest wireless SSID and following the on-screen instructions, and does not require the creation of a TTI Guest account.

TTI Computer/Server/Domain Administrators are TTI users with a valid business need for privileged access to an information resource. For domain accounts, the chief information officer is the information resource owner for these accounts and the chief information security officer is the resource manager. These accounts are requested by the user, their program manager/division head, or higher authority via a Privileged User Account Request workflow on the TTI help desk portal at https://helpdesk.tti.tamu.edu. The accounts are approved by the user's program manager/division head and the chief information security officer after review of the request's scope and justification. These accounts are automatically disabled upon termination of employment or other circumstances deemed appropriate by the supervisor, human resources, chief information security officer, or other designee of the agency director. These accounts are de-provisioned by the resource manager after an appropriate duration of inactivity (typically 6 months).

Local Administrators are only authorized for information resources that do not have network connectivity, or in other circumstances in which domain-managed accounts cannot be used. The information resource owner and chief information security officer must approve these accounts, and each such account shall be documented as a security control exception.

TTI Service (Role) Accounts are managed domain accounts for the specific purpose of machine-to-machine automated interaction. The chief information officer is the information resource owner for these accounts and the chief information security officer is the resource manager. These accounts are requested by the owner/custodian for the information resource where the account will be implemented and approved by the chief information security officer after review of the request's scope and justification. These accounts are valid indefinitely and require a complex password that must be updated on a scheduled basis not to exceed 365 days, or when a user with knowledge of the account password is no longer approved for access. These accounts are de-provisioned by the resource manager when no longer required.

Local Service Accounts are managed local machine accounts for the specific purpose of information resource automation that does not require connectivity with other information resources. The information resource owner is the resource owner for these accounts and the information resource custodian is the resource manager for these accounts. These accounts are valid indefinitely and require a complex password that must be updated on a scheduled basis not to exceed 365 days, or when a user with knowledge of the account password is no longer approved for access. These accounts are de-provisioned by the resource manager when no longer required.

Local User Accounts are standalone accounts for users to access information resources that do not have network connectivity. The information resource owner is the resource owner for these accounts and the information resource custodian is the resource manager. These accounts must adhere to the same standard of security controls as TTI Domain User accounts. These accounts are only authorized for information resources that do not have network connectivity or other circumstances in which domain-managed accounts cannot be used, and must be approved in advance by the chief information security officer.

Membership in security and distribution groups is requested by the information resource owner or a designated representative for the resource affected by the group, and submitted to Network & Information Systems via email to helpdesk@tti.tamu.edu. The information resource owner is responsible for reviewing group membership on a regular basis (not to exceed every 6 months) to ensure membership is limited to users with a valid business purpose.
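The lifecycle rules in the paragraphs above (automatic disabling on termination, de-provisioning after roughly 6 months of inactivity, one-year expiry of sponsored accounts, 365-day password rotation for service accounts, and group membership review at least every 6 months) can be checked mechanically against an export of the directory. The script below is an added example, not TTI tooling; the account records, the 183-day reading of "6 months", and the field names are constructed assumptions. It reports which accounts violate which rule so an account manager can act on them.

```python
"""Account lifecycle compliance check (added example; not TTI's own code).

Reads a list of account records and reports the action each rule requires.
All records below are constructed sample data, not a real directory export.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

INACTIVITY_LIMIT = timedelta(days=183)    # assumption: "typically 6 months"
SERVICE_PW_MAX_AGE = timedelta(days=365)  # service account password rotation cap
SPONSORED_MAX_TERM = timedelta(days=365)  # sponsored accounts valid up to one year
GROUP_REVIEW_LIMIT = timedelta(days=183)  # group membership review cadence


@dataclass
class Account:
    name: str
    kind: str                       # "user", "privileged", "sponsored", "service"
    enabled: bool
    created: date
    last_login: Optional[date] = None
    expires: Optional[date] = None        # sponsored accounts only
    password_set: Optional[date] = None   # service accounts only
    employed: bool = True                 # False once HR reports termination


Finding = Tuple[str, str, str]  # (account name, required action, reason)


def review(accounts: List[Account], today: date) -> List[Finding]:
    """Apply the policy rules and return every (account, action, reason) triple."""
    findings: List[Finding] = []
    for a in accounts:
        if a.kind != "service":
            # Interactive accounts must be disabled once the holder is terminated.
            if not a.employed and a.enabled:
                findings.append((a.name, "disable", "holder terminated but account still enabled"))
            # Accounts with no login for longer than the inactivity limit are de-provisioned;
            # an account that has never logged in is measured from its creation date.
            last = a.last_login or a.created
            if today - last > INACTIVITY_LIMIT:
                findings.append((a.name, "deprovision", f"inactive since {last.isoformat()}"))
        if a.kind == "sponsored":
            # Sponsored accounts carry an expiry no more than one year out and are
            # disabled on that date; renewal requires a new request.
            if a.expires is None or a.expires - a.created > SPONSORED_MAX_TERM:
                findings.append((a.name, "fix", "sponsored account term missing or exceeds one year"))
            elif a.enabled and a.expires < today:
                findings.append((a.name, "disable", "sponsored account past expiration date"))
        if a.kind == "service":
            # Service accounts never expire, but the password must be rotated on schedule.
            if a.password_set is None or today - a.password_set > SERVICE_PW_MAX_AGE:
                findings.append((a.name, "rotate", "service account password older than 365 days"))
    return findings


def group_review_overdue(last_reviewed: date, today: date) -> bool:
    """True when a group's membership review is older than the review cadence allows."""
    return today - last_reviewed > GROUP_REVIEW_LIMIT


def sample_accounts() -> List[Account]:
    """Constructed sample records covering each rule."""
    return [
        Account("jdoe", "user", True, date(2014, 1, 6), last_login=date(2016, 8, 10)),
        Account("rsmith", "user", True, date(2013, 5, 2), last_login=date(2016, 1, 15), employed=False),
        Account("vguest", "sponsored", True, date(2015, 9, 1), last_login=date(2016, 5, 20),
                expires=date(2016, 6, 1)),
        Account("svc_backup", "service", True, date(2015, 3, 1), password_set=date(2015, 3, 1)),
        Account("svc_monitor", "service", True, date(2016, 2, 1), password_set=date(2016, 2, 1)),
    ]


def run_sample(today: date = date(2016, 8, 17)) -> List[Finding]:
    """Run the review over the constructed records as of the policy's effective date."""
    return review(sample_accounts(), today)


if __name__ == "__main__":
    for name, action, reason in run_sample():
        print(f"{name:12} {action:12} {reason}")
```

Running it lists rsmith twice (terminated and inactive), vguest once (past its expiration date) and svc_backup once (password rotation overdue); jdoe and svc_monitor produce no findings. In practice the records would come from a directory export rather than `sample_accounts()`, and the "disable" findings are the ones that should already have been handled automatically, so any that appear indicate the automatic disabling mechanism itself needs attention.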

Unauthorized access is gained to information systems.
The organization:
a. Identifies and selects the following types of information system accounts to support organizational missions/business functions: [Assignment: organization-defined information system account types];
b. Assigns account managers for information system accounts;
c. Establishes conditions for group and role membership;
d. Specifies authorized users of the information system, group and role membership, and access authorizations (i.e., privileges) and other attributes (as required) for each account;
e. Requires approvals by [Assignment: organization-defined personnel or roles] for requests to create information system accounts;
f. Creates, enables, modifies, disables, and removes information system accounts in accordance with [Assignment: organization-defined procedures or conditions];
g. Monitors the use of information system accounts;
h. Notifies account managers: 1. When accounts are no longer required; 2. When users are terminated or transferred; and 3. When individual information system usage or need-to-know changes;
i. Authorizes access to the information system based on: 1. A valid access authorization; 2. Intended system usage; and 3. Other attributes as required by the organization or associated missions/business functions;
j. Reviews accounts for compliance with account management requirements [Assignment: organization-defined frequency]; and
k. Establishes a process for reissuing shared/group account credentials (if deployed) when individuals are removed from the group.
The organization has:
a. Implemented role-based access to help in identifying and selecting only those accounts that enable organization mission/business function.
b. Formulated a process flow for approval of access requests to information systems.
c. Defined policies and procedures for creating, modifying, disabling and removing user accounts in the system.
Confidential information shall be accessible only to authorized users. An information file or record containing any confidential information shall be identified, documented, and protected in its entirety. Information resources assigned from one state organization to another or from a state organization to a contractor or other third party, at a minimum, shall be protected in accordance with the conditions imposed by the providing state organization.
Obtain access control policy; procedures addressing account management; security plan; list of active system accounts along with the name of the individual associated with each account; lists of recently transferred, separated, or terminated employees; list of recently disabled information system accounts along with the name of the individual associated with each account; system-generated records with user IDs and last login date; and other relevant documents or records, and ascertain whether:
(i) the organization manages information system accounts, including authorizing, establishing, activating, modifying, reviewing, disabling, and removing accounts;
(ii) the organization defines in the security plan, explicitly or by reference, the frequency of information system account reviews, and the frequency is at least annually;
(iii) the organization reviews information system accounts in accordance with the organization-defined frequency;
(iv) the organization initiates required actions on information system accounts based on the review;
(v) the organization employs automated mechanisms to support information system account management functions;
(vi) the organization defines in the security plan, explicitly or by reference, a time period for each type of account after which the information system terminates temporary and emergency accounts;
(vii) the information system automatically terminates temporary and emergency accounts after the organization-defined time period for each type of account;
(viii) the organization defines in the security plan, explicitly or by reference, a time period after which the information system disables inactive accounts;
(ix) the information system automatically disables inactive accounts after the organization-defined time period;
(x) the organization employs automated mechanisms to audit account creation, modification, disabling, and termination actions; and
(xi) the organization employs automated mechanisms to notify, as required, appropriate individuals.