and Access Management
Issue No. 5
Effective Date: 2/15/2011
Review: April 1 E2Y
01.01 Information resources residing at or administered by Texas State University-San Marcos are strategic and vital assets belonging to the people of Texas. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the university to appropriately manage access to these information resources. The university shall afford an individual access to these resources in a manner consistent with the individual’s institutional affiliations and roles. Individuals shall access these resources only as necessary to fulfill their institutional roles and always in compliance with established laws, regulations, policies, and controls. The university shall hold individuals accountable for their actions relating to such access (TAC 202.70, TAC 202.71).
01.02 Texas State restricts access to its non-public information resources by authenticating the individual identity and eligibility of all users of those resources. The university assigns unique identification and authentication credentials to individuals for use in asserting their identity and eligibility to use the university’s information resources. Examples include the NetID with its companion password and the Texas State ID number with its companion PIN. Each NetID and Texas State ID number shall be unique university-wide. The person to whom the credentials are assigned is the only authorized user of those credentials.
01.03 The university’s Technology Resources organization is responsible for design, implementation, and operation of the university’s centralized authentication services, including the assignment of identification and authentication credentials to users of Texas State information resources. Technology Resources shall assign, activate, de-activate, re-activate, revoke, or otherwise modify a user’s credentials based upon the user’s verified identity and current university affiliations, as reflected in official university record systems. Owners and administrators of university applications and services shall utilize the university’s standard authentication service and credentials to validate the identity of all users of the application or service unless exempted through the process described in Section 08. of this policy.
01.04 Texas State may authorize individuals to access its information resources using identification and authentication credentials that third parties issue and authenticate. Texas State may also authorize individuals and service providers to utilize university-issued identification and authentication credentials with university-provided authentication services to manage access to information resources owned or operated by third parties. The vice president for Information Technology or designee must approve all “federated” identity and access management arrangements prior to implementation.
01.05 Access to Texas State information resources is a privilege, not a right, and all users are subject to the provisions of UPPS No. 04.01.07, Appropriate Use of Information Resources, in their use of those resources. The university reserves the right to deny or revoke access to its information resources, with or without notice, at its sole discretion.
04.01 User Affiliations – Texas State provides restricted access to its information resources to persons with the following university affiliations:
a. Students (as described in Section 05.01);
b. Faculty members (as described in Section 05.02);
c. Regular and non-student/non-regular staff employees (as described in Section 05.02);
d. Retired faculty, administrators, and staff (as specified in UPPS No. 04.04.53, Honors and Benefits for Retired Faculty and Staff);
e. Consultants and contractors (as described in Section 05.03);
f. Regents, administrators, staff, and other members of the Texas State University System administration (as described in Section 05.04); and
g. Guests (as described in Section 05.05).
Individuals may possess multiple concurrent university affiliations (e.g., a staff member enrolled in courses is also a student affiliate). The scope of authorized access and use will vary over time in accordance with the user’s affiliations.
04.02 In accordance with this policy, the Information Technology Assistance Center (ITAC) will make the initial determination regarding an individual’s eligibility to obtain or retain an active Texas State account. In appropriate situations, software administered by Technology Resources will automate these processes for ITAC. ITAC will escalate cases where eligibility is disputed or unclear to the associate vice president for Technology Resources or the vice president for Information Technology for review and resolution.
04.03 Texas State has established procedures for verifying the identity and affiliations of persons seeking to access and use university information resources. Section 05. describes responsibility for these procedures, which varies according to the person’s purported affiliation. The university shall revoke a person’s access to a university information resource when the person no longer has an affiliation that is eligible to use that resource.
The university automatically and periodically validates the eligibility of all users with official university sources, such as faculty and staff personnel records and student enrollment records. The university may use other sources when necessary to accurately assess the status of a person’s ongoing affiliation.
04.04 Unless eligible through another affiliation, Texas State alumni are not eligible to maintain an active university NetID for use in accessing the university’s information resources. Texas State alumni are eligible for email and other information services through the Texas State Alumni Association (see www.txstatealumni.org).
05.01 Students – Organizations that admit students into university educational programs which require or expect students to access the university’s information resources shall, as part of their intake process:
· verify the identity of the students they admit;
· ensure that the identifying information of each admitted student is recorded in the university’s identity database; and
· obtain and securely issue an official Texas State ID number and initial PIN for each student they admit.
Examples of such organizations include Undergraduate Admissions, the Graduate College, Correspondence and Extension, and Continuing Education.
New students use their Texas State ID number and PIN to create and activate their domain accounts through a self-service process. Students with de-activated domain accounts, such as those returning after an absence of one or more semesters, use the same process to re-activate their domain accounts. Students who do not know their Texas State ID number or PIN must contact the Office of the Registrar to have their identities validated prior to having their PIN reset.
Students are eligible to use information resources for the duration of their enrollment in a current or future course or semester. Eligibility is based on information present in the university’s student information system or the relevant department or program equivalent.
Students generally retain their eligibility at the end of a long-term semester with the expectation of continued enrollment for the ensuing long-term semester. Their domain accounts automatically remain active until all opportunities to enroll for the ensuing long-term semester have expired, normally the official census date of that semester. Following a long-term semester’s census date, and for the duration of that semester, the university will de-activate the domain accounts of students who are not enrolled, including students who withdraw later in the semester, unless the student is:
· enrolled in a future course or semester;
· eligible for a domain account via a non-student affiliation; or
· a recent Texas State graduate and allowed to retain access to electronic mail and certain information resources for ninety days following graduation.
Students who lose access to their domain accounts under the provisions of this section may have their accounts temporarily re-activated for up to one week for transition purposes, such as establishing an email forward.
Students who lose access to their domain accounts under the provisions of this section may have their accounts re-activated for a longer period if the purpose of the extension directly supports the university mission. One common example is that of a graduate student who is not enrolled, but still working on a thesis or dissertation. To obtain such an extension, a university faculty member or department head must submit a written request on the student’s behalf to ITAC. The request must include all of the following:
· the student’s name and NetID;
· a description of how the extension supports the university mission; and
· the expected duration of the extension, not to extend beyond August 31 of the current fiscal year, or August 31 of the succeeding fiscal year if requesting the extension in August.
05.02 Faculty and staff – Faculty and staff employees with current appointments (either paid or unpaid) or agreements for impending employment are eligible to use the university’s information resources. Eligibility must be supported by official employment records maintained by the university’s Faculty Records and Human Resources departments, as appropriate to the position. Organization heads shall notify Faculty Records and Human Resources, as appropriate, about personnel changes in a timely manner.
ITAC generates domain accounts for new faculty and staff in response to requests from hiring departments and Human Resources, as follows:
a. ITAC receives and processes a completed online NetID Request from the hiring department. The request must include the new employee’s Texas State ID number, which may already exist per a different affiliation or may need to be generated by Faculty Records or Human Resources in the process of initializing the individual’s employment records.
b. ITAC receives and processes a list from Human Resources containing the names and Texas State ID numbers of attendees at the most recent new employee orientation (NEO I).
Hiring departments, Faculty Records, and Human Resources must verify new faculty and staff identities during the hiring processes, prior to requesting new domain accounts for new hires.
A faculty or staff domain account activated for impending employment shall expire forty-five days beyond the anticipated employment start date. Hiring departments, Faculty Records, and Human Resources must establish up-to-date employment records for the employee prior to the end of that forty-five day period to prevent automatic deactivation of the account.
Generally speaking, faculty and staff employees retain their eligibility until official employment records indicate that their employment with the university has ceased and they have no other authorized affiliation with the university. Because employment separation transactions are sometimes processed after the official separation date, and to ensure that separating employees do not retain access beyond the official separation date, department heads shall notify ITAC of any separating faculty or staff prior to their official separation date, as directed in UPPS No. 04.04.50, Separation of Employment and Interdepartmental Transfers.
05.03 Consultants and Contractors – Consultants and contractors are eligible to use the university’s information resources as specified in and restricted by their contracts, federal and state law, this UPPS, and other applicable university policies. The applicable Texas State department contract administrator (see definition in UPPS No. 03.04.08, Administration and Management of Major Contracts for Goods or Services) shall ensure that the relevant contracting documents include appropriate provisions for mitigating risk to university information accessible to consultants, contractors, and other external parties under the contract. The Office of the Vice President for Information Technology provides sample non-disclosure agreements and data security and privacy provisions, along with guidance and assistance in their use.
The university shall assign each individual consultant or contractor an individual domain account that is unique for the duration of the contract. The department contract administrator shall request consultant or contractor domain accounts from ITAC at least ten business days before the accounts will be needed. The request should include the name of each individual needing an account and the expected activation period, which should neither begin before nor extend beyond the expected duration of that individual’s participation in contract activities. The department contract administrator shall immediately notify ITAC whenever a consultant or contractor ceases to need access to the university’s information resources.
ITAC will set the domain accounts of consultants or contractors to expire upon the expected completion date of the contract or August 31 of the current fiscal year, whichever comes sooner. The department contract administrator is responsible for renewing contractor or consultant domain accounts through ITAC prior to their expiration date.
05.04 Members of the Texas State University System (TSUS) Administration – Members of the TSUS Board of Regents and members of the TSUS administration staff are eligible to use the university’s information resources for the length of their TSUS affiliation. The university (ITAC) assigns domain accounts to these individuals upon request from the assistant to the chancellor or designee. In submitting the request, the assistant to the chancellor affirms the identities of the persons named in the request.
Unless directed otherwise by the vice president for Information Technology, TSUS domain accounts shall be initially set to expire at the end of a TSUS board member’s current term or August 31 of the current fiscal year, as appropriate. The assistant to the chancellor shall notify ITAC whenever a TSUS account owner ceases to need access to information resources, such as when a TSUS staff member separates from employment.
By August 10 of each fiscal year, ITAC will provide a list of active TSUS domain accounts to the TSUS information resources manager (IRM). The TSUS IRM will review the list, denote which TSUS members need their accounts renewed for another year, and return the list to ITAC for processing prior to the August 31 account expiration date.
05.05 Guests – Texas State may assign guest domain accounts to individuals not otherwise affiliated with Texas State if the accounts are required to support functions directly associated with the university mission. A current faculty or staff account owner must sponsor each guest user. Sponsors must affirm the guest user’s identity and serve as the university contact regarding issues associated with the guest user’s access and use of information resources.
Sponsors should request guest accounts, or provide ITAC with advance notice of an impending need for guest accounts, at least ten business days before the accounts are needed. When requesting or renewing guest accounts, the sponsor will include the sponsor’s NetID, the name of the guest to receive the account, a description of the sponsor’s relationship to the function for which the account is needed, how the function is associated with the university mission, and the expected activation period (start and end dates) for the account.
ITAC will set guest domain accounts to expire at the end of the expected activation period or on August 31 of the current fiscal year, whichever comes sooner. The sponsor is responsible for determining if their guest will require access beyond the account expiration date and for notifying ITAC of the need for an extension at least ten business days prior to the account expiration date. The sponsor shall notify ITAC whenever a guest account owner ceases to need their account for access to the university’s information resources.
06.02 The university will track each domain account assignment using the account owner’s Texas State ID number or the account sponsor’s NetID or Texas State ID number.
06.03 The domain account’s owner is the only person who may know and use the domain account’s password, and the owner may not disclose the password to another party. No university component, employee, representative, or agent may ask the owner of a Texas State domain account to divulge their password.
06.04 Whenever the university newly activates or reactivates a domain account, it will randomly generate a new, pre-expired password for the associated NetID to force a password change by the account owner upon initial login.
06.05 Account owners shall affirm their knowledge and understanding of their responsibilities relative to information security and the appropriate use of information resources each time they change their account password.
06.06 Authorized Information Technology personnel may unilaterally suspend or block access by an account when, in their professional judgment and in the course of their assigned duties, such action is necessary to:
a. protect the confidentiality, integrity, availability, or functionality of university information resources,
b. protect the university from harm or liability, or
c. prevent use or abuse of the account by a person or persons other than the account’s legitimate owner.
Authorized Information Technology personnel may block access by a domain account without advance notice when presented with a written request from appropriate university authorities, the administrative head of an employee’s organizational unit, or the sponsor of the account. Reasons for such a block include involuntary employee termination, elevated concern for the security of information resources, and reasonable belief that the account is being used in activities that are prohibited by law, Regents’ Rules, or university policy.
06.07 The university shall de-activate any domain account that is unused (i.e., no logins are recorded) for more than 180 consecutive days. Owners of de-activated domain accounts must re-validate their identity and re-activate their NetID to regain access to the university’s information resources.
06.08 The university may delete, without any obligation to restore, files or other information resources attributable to any domain account that persists in a de-activated state for more than 180 consecutive days.
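As an added illustration that is not part of this UPPS, the account expiry and dormancy rules of Sections 05.02, 05.03, 05.05, 06.07, and 06.08 can be encoded as a small Python routine of the kind an identity-lifecycle job would run; the account record fields, the NetIDs, and the sample records are constructed assumptions.

```python
from datetime import date, timedelta

# Limits taken from the policy text
IMPENDING_EMPLOYMENT_GRACE_DAYS = 45   # 05.02: expire 45 days past the anticipated start date
DORMANCY_LIMIT_DAYS = 180              # 06.07: de-activate after more than 180 days without a login
PURGE_LIMIT_DAYS = 180                 # 06.08: files may be deleted after more than 180 days de-activated


def fiscal_year_end(today: date) -> date:
    """August 31 of the current fiscal year (the fiscal year runs Sept 1 - Aug 31)."""
    this_aug31 = date(today.year, 8, 31)
    return this_aug31 if today <= this_aug31 else date(today.year + 1, 8, 31)


def sponsored_account_expiry(requested_end: date, today: date) -> date:
    """05.03 / 05.05: contractor and guest accounts expire at the requested end date
    or August 31 of the current fiscal year, whichever comes sooner."""
    return min(requested_end, fiscal_year_end(today))


def impending_employment_expiry(start_date: date) -> date:
    """05.02: an account activated ahead of employment expires 45 days past the start date
    unless up-to-date employment records are established first."""
    return start_date + timedelta(days=IMPENDING_EMPLOYMENT_GRACE_DAYS)


def is_dormant(last_login: date, today: date) -> bool:
    """06.07: more than 180 consecutive days without a recorded login."""
    return (today - last_login).days > DORMANCY_LIMIT_DAYS


def is_purgeable(deactivated_on: date, today: date) -> bool:
    """06.08: de-activated for more than 180 consecutive days."""
    return (today - deactivated_on).days > PURGE_LIMIT_DAYS


def lifecycle_actions(accounts: list, today: date) -> dict:
    """Apply the rules to account records (assumed schema: netid, state, expires,
    last_login, deactivated_on) and return the NetIDs needing each action."""
    actions = {"expire": [], "deactivate": [], "purge": []}
    for acct in accounts:
        if acct["state"] == "deactivated":
            if is_purgeable(acct["deactivated_on"], today):
                actions["purge"].append(acct["netid"])
            continue
        if acct["expires"] is not None and acct["expires"] < today:
            actions["expire"].append(acct["netid"])
        elif is_dormant(acct["last_login"], today):
            actions["deactivate"].append(acct["netid"])
    return actions


# Constructed sample records with hypothetical NetIDs, evaluated on the policy's effective date
TODAY = date(2011, 2, 15)
SAMPLE_ACCOUNTS = [
    {"netid": "c_x01", "state": "active", "expires": date(2010, 12, 31), "last_login": date(2011, 2, 1)},  # contract ended
    {"netid": "g_y02", "state": "active", "expires": date(2011, 8, 31), "last_login": date(2010, 7, 1)},   # guest, no login since July
    {"netid": "s_z03", "state": "active", "expires": None, "last_login": date(2011, 2, 10)},              # student, in use
    {"netid": "f_w04", "state": "deactivated", "deactivated_on": date(2010, 7, 1)},                        # eligible for purge
    {"netid": "f_v05", "state": "deactivated", "deactivated_on": date(2010, 12, 1)},                       # not yet purgeable
]

if __name__ == "__main__":
    print(lifecycle_actions(SAMPLE_ACCOUNTS, TODAY))
```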
07. PROCEDURES FOR ACCOUNT ACCESS WITHOUT CONSENT
07.01 The university generally prohibits access to electronic records and communications by anyone other than:
· the designated owner of the account or electronic resource containing the records or communication; or
· the sender or recipient of a particular communication;
without prior consent from the applicable account owner, sender, or recipient.
However, as a Texas public institution, the university must monitor, review, and disclose electronic records and communications stored or transmitted using the university’s information resources as necessary to:
a. comply with the provisions of the Texas Public Information Act, other pertinent laws, Regents’ Rules, and university policies;
b. satisfy other legal obligations, such as subpoenas and court orders;
c. protect and sustain the operational performance and integrity of university information systems and business processes;
d. facilitate security reviews, audits, and investigations by authorized individuals in the performance of their assigned duties; and
e. protect and support the legitimate interests of the university and other users, as determined by the vice president for Information Technology in consultation with the university attorney.
Consequently, consistent with Texas Administrative Code Chapter 202, Rule § 202.75(9)(D), users should not expect privacy in their use of Texas State information resources.
07.02 Individuals seeking non-consensual access to electronic records or communications residing within a user account or university information resource assigned to another user shall make such requests in writing to the vice president for Information Technology. The requests must fully describe the requested records by type and date, and must specify the authorization (Sections 07.01 a. through 07.01 e. above) that permits the access. The vice president for Information Technology or designee, in consultation with the university attorney and other university officials as appropriate to the circumstances, will approve or deny the request. This provision applies to all user accounts and information resources, including those assigned to deceased, incapacitated, or otherwise unreachable individuals.
08. EXEMPTIONS AND EXCEPTIONS
08.01 Individuals desiring an exemption or exception from any provision in this policy shall make the request in writing to the associate vice president for Technology Resources. The written request must specify the provision to be waived and demonstrate a compelling need or unique circumstance that clearly justifies a waiver. The associate vice president will communicate a decision to the requestor within ten business days of the request. The requestor may appeal the associate vice president’s decision to the vice president for Information Technology, whose decision is final.
09.01 Reviewers of this UPPS include the following:
Position                                                              Date
Associate Vice President for Technology Resources                     April 1 E2Y
Special Assistant to the Vice President for Information Technology    April 1 E2Y
Information Security Officer                                          April 1 E2Y
Director, Infrastructure Services                                     April 1 E2Y
Vice President for Information Technology                             April 1 E2Y
10. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Associate Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology
President