IA-04-727 Identifier Management

IA-04-727
Identifier Management
Identification and Authentication
Protect
Identification and Authentication
LOW, MOD, HIGH
P1
Yes
August 17, 2016

Program managers or designated representatives shall authorize the assignment of an identifier to individuals, groups, roles, and devices under their control. Person identifiers shall follow the nomenclature:

Standard and Joint Assignment Users: firstInitial-lastName
Contractors and Vendors: firstInitial-lastName-CTR
Administrator Role Accounts: firstInitial-lastName-[CA|SA|DA]
(In the event the prescribed nomenclature is already in use, replace firstInitial with firstName)

Service accounts (identifiers) shall follow the nomenclature: serviceShortDescription

Device identifiers shall follow the nomenclature: pgmCode-last7CharsOfSerialNumber-[(WK)Workstation/Desktop|(NB)Notebook/Laptop][(W)indows|(M)ac|(L)inux]

Authorized officials shall positively verify the identity of the user to be assigned an identifier and authenticator prior to requesting such access.

For Texas A&M University System (“System” or “TAMUS”) affiliates, this includes confirmation of the user’s TAMUS UIN.

For non-TAMUS affiliates, a unique identifier such as a work email address or phone number may be used for a Level 1 assurance authenticator (such as guest wireless). A government-issued photo identification shall be required for a Level 2 assurance authenticator (such as contractor/vendor network access).

Agency and joint assignment employees maintain their identifier and authenticator for the duration of employment. All other user identifiers and authenticators are valid for a maximum of one (1) year from the date of issue; continued access must be validated by the sponsoring authorized official annually. Expired and disabled user identifiers shall remain in place for at least 90 days to prevent reuse of the identifier. After six months of inactivity, the user identifier shall be deleted.

Computer identifiers (also known as machine or service/role accounts) remain valid for the life of the computer so long as the computer remains connected to the enterprise network. After 60 days of inactivity, the computer identifier shall be disabled. After six months of inactivity, the computer identifier shall be deleted.
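The nomenclature rules above and the inactivity timelines for user and computer identifiers, worked into a small checker that an administrator could run over an exported account list. This is an added example, not part of the control text or any TAMUS tooling; it assumes lowercase letters in person identifiers, a 2 to 6 character alphanumeric pgmCode, and "six months" taken as 182 days, none of which the control specifies.

```python
import re
from datetime import date, timedelta

# Regexes derived from the nomenclature in this control. Lowercase-only names
# and the 2-6 character pgmCode are assumptions not stated in the control.
PERSON_RE = re.compile(r"^[a-z]+-[a-z]+(?:-(CTR|CA|SA|DA))?$")
DEVICE_RE = re.compile(r"^[A-Z0-9]{2,6}-[A-Z0-9]{7}-(WK|NB)[WML]$")
SIX_MONTHS = timedelta(days=182)  # assumption: "six months" as 182 days

def person_identifier(first, last, suffix=None, collision=False):
    """firstInitial-lastName[-CTR|-CA|-SA|-DA]; firstName when the name is taken."""
    if suffix not in (None, "CTR", "CA", "SA", "DA"):
        raise ValueError(f"unknown suffix {suffix!r}")
    stem = (first if collision else first[0]).lower()
    ident = f"{stem}-{last.lower()}"
    return f"{ident}-{suffix}" if suffix else ident

def device_identifier(pgm_code, serial, form, platform):
    """pgmCode-last7CharsOfSerialNumber-[WK|NB][W|M|L]."""
    if form not in ("WK", "NB") or platform not in ("W", "M", "L"):
        raise ValueError("form must be WK or NB and platform W, M or L")
    return f"{pgm_code.upper()}-{serial[-7:].upper()}-{form}{platform}"

def classify(identifier):
    """Which nomenclature an existing identifier conforms to, if any.
    Service accounts (serviceShortDescription) have no fixed pattern and
    are reported as nonconforming here."""
    if PERSON_RE.match(identifier):
        return "person"
    if DEVICE_RE.match(identifier):
        return "device"
    return "nonconforming"

def user_action(today, last_activity, validated_through, employee=False):
    """Lifecycle action for a user identifier: non-employees expire after the
    annual validation date; anyone is deleted after six months idle."""
    if today - last_activity >= SIX_MONTHS:
        return "delete"
    if not employee and today > validated_through:
        return "disable"  # expired; record stays >= 90 days to block reuse
    return "keep"

def computer_action(today, last_activity):
    """Lifecycle action for a computer (machine/service) identifier."""
    idle = today - last_activity
    if idle >= SIX_MONTHS:
        return "delete"
    if idle >= timedelta(days=60):
        return "disable"
    return "keep"
```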

Unauthorized users are able to gain access to information systems by claiming to be an authorized user.
The organization manages information system identifiers by:
a. Receiving authorization from [Assignment: organization-defined personnel or roles] to assign an individual, group, role, or device identifier;
b. Selecting an identifier that identifies an individual, group, role, or device;
c. Assigning the identifier to the intended individual, group, role, or device;
d. Preventing reuse of identifiers for [Assignment: organization-defined time period]; and
e. Disabling the identifier after [Assignment: organization-defined time period of inactivity].
The organization manages information system identifiers for users and devices by receiving authorization from a designated official to assign an individual user identifier (user-id), preventing reuse of user-ids, and disabling user-ids to information resources and data under their authority.
A user’s access authorization shall be appropriately modified or removed when the user’s employment or job responsibilities within the state organization change.
Obtain identification and authentication policy; procedures addressing identifier management; security plan; information system design documentation; information system configuration settings and associated documentation; list of information system accounts; other relevant documents or records and ascertain if:
(i) the organization manages user identifiers by uniquely identifying each user.
(ii) the organization manages user identifiers by verifying the identity of each user.
(iii) the organization manages user identifiers by receiving authorization to issue a user identifier from an appropriate organization official.
(iv) the organization manages user identifiers by issuing the identifier to the intended party.
(v) the organization defines in the security plan, explicitly or by reference, the time period of inactivity after which a user identifier is to be disabled.