Information Resources Identity UPPS
and Access Management Issue No. 6
Effective Date: 02/03/2012
Review: April 1 E2Y
01.01 Information resources residing at or administered by Texas State University are strategic and vital assets belonging to the people of Texas. Title 1, Part 10, Chapter 202, Texas Administrative Code, commonly known as TAC 202, requires the university to appropriately manage access to these information resources. Texas State shall afford an individual access to these resources in a manner consistent with the individual’s institutional affiliations and roles. Individuals shall access these resources only as necessary to fulfill their institutional roles and always in compliance with established laws, regulations, policies, and controls. The university shall hold individuals accountable for their actions relating to such access. [TAC 202.70, TAC 202.71]
01.02 Texas State restricts access to its non-public information resources by authenticating the individual identity and eligibility of all users of those resources. The university assigns unique identification and authentication credentials to individuals for use in asserting their identity and eligibility to use the university’s information resources. Examples include the NetID with its companion password and the Texas State ID number with its companion PIN. Each NetID and Texas State ID number shall be unique university-wide. The person to whom the credentials are assigned is the only authorized user of those credentials.
01.03 The university’s Technology Resources organization is responsible for design, implementation, and operation of the university’s centralized authentication services, including the assignment of identification and authentication credentials to users of Texas State information resources. Technology Resources shall assign, activate, deactivate, reactivate, revoke, or otherwise modify a user’s credentials based upon the user’s verified identity and current university affiliations, as reflected in official university record systems. Owners and administrators of university applications and services shall utilize the university’s standard authentication service and credentials to validate the identity of all users of the application or service unless exempted through the process described in Section 08. of this policy.
01.04 Texas State may authorize individuals to access its information resources using identification and authentication credentials that are issued and verified by third-party identity providers. Texas State may also authorize individuals and service providers to utilize university-provided authentication credentials and services to manage access to information resources owned or operated by third-party service providers. The vice president for Information Technology or designee must approve all such “federated” identity and access management arrangements prior to their implementation. See the Federated Identity Management Attribute Release policy at http://www.vpit.txstate.edu/about/policies.html for more information.
01.05 Access to Texas State information resources is a privilege, not a right. The university reserves the right to deny or revoke access to its information resources, with or without notice, at its sole discretion, subject to the provisions of UPPS No. 04.01.01, Security of Texas State Information Resources, UPPS No. 04.01.07, Appropriate Use of Information Resourcesother university policies.
04.01 User Affiliations. Texas State provides restricted access to its information resources to persons with the following university affiliations:
a. students (as described in Section 05.01);
b. faculty members (as described in Section 05.02);
c. regular and non-student/non-regular staff employees (as described in Section 05.02);
d. retired faculty, administrators, and staff (as specified in UPPS No. 04.04.53, Honors and Benefits for Retired Faculty and Staff);
e. consultants and contractors (as described in Section 05.03);
f. regents, administrators, staff, and other members of The Texas State University System administration (as described in Section 05.04); and
g. guests (as described in Section 05.05).
Individuals may possess multiple concurrent university affiliations (e.g., a staff member enrolled in courses is also a student affiliate). The scope of authorized access and use will vary over time in accordance with the user’s affiliations.
04.02 In accordance with this policy, ITAC will make the initial determination regarding an individual’s eligibility to obtain or retain an active Texas State account. In appropriate situations, software administered by Technology Resources automates these processes for ITAC. ITAC will escalate cases where eligibility is disputed or unclear to the associate vice president for Technology Resources or the vice president for Information Technology for review and resolution.
04.03 The university has established procedures for verifying the identity and affiliations of persons seeking to access and use university information resources. Section 05. describes responsibility for these procedures, which varies according to the person’s purported affiliation. The university shall revoke a person’s access to a university information resource when the person no longer has an affiliation that is eligible to use that resource. The university automatically and periodically validates the eligibility of all users with official university sources, such as faculty and staff personnel records and student enrollment records. The university may use other sources when necessary to accurately assess the status of a person’s ongoing affiliation.
04.04 Unless eligible through another affiliation, Texas State alumni are not eligible to maintain an active university NetID for use in accessing the university’s information resources. Texas State alumni are eligible for email and other information services through the Texas State Alumni Association (see www.txstatealumni.org).
05.01 Students. Organizations that admit students into university educational programs that require or expect students to access the university’s information resources shall, as part of their intake process:
a. verify the identity of the students they admit;
b. ensure that the identifying information of each admitted student is recorded in the university’s identity database; and
c. obtain and securely issue an official Texas State ID number and initial PIN for each student they admit.
Examples of such organizations include Undergraduate Admissions, the Graduate College, Distance and Extended Learning, and Continuing Education.
New students use their Texas State ID number and PIN to create and activate their domain accounts through a self-service process. Students with deactivated domain accounts use the same process to reactivate their domain accounts. Students who cannot validate their identity through the self-service process must contact ITAC to have their identities validated and their PIN reset.
Students are eligible to use information resources for the duration of their enrollment. Eligibility is based on information present in the university’s student information system or an authorized department or program equivalent approved by the associate vice president for Technology Resources.
Students generally retain their eligibility at the end of a semester with the expectation of continued enrollment for the ensuing semester. A student’s domain account remains active for two full semesters following the student’s last semester in attendance. The university will deactivate the account of any student who fails to enroll over the course of three consecutive semesters, unless the student has a current non-student affiliation (e.g., holds faculty, staff, or retiree status).
05.02 Faculty and staff. Faculty and staff employees with current appointments (either paid or unpaid), or agreements for impending employment, are eligible to use the university’s information resources. Eligibility must be supported by official employment records maintained by the university’s Faculty Records or Human Resources departments, as appropriate to the position. Organization heads shall notify Faculty Records or Human Resources, as appropriate, about personnel changes in a timely manner.
ITAC generates domain accounts for new faculty and staff in response to requests from hiring departments and Human Resources, as follows:
a. ITAC receives and processes a completed online NetID Request from the hiring department. The request must include the new employee’s Texas State ID number, which may already exist per a different affiliation or may need to be generated by Faculty Records or Human Resources in the process of initializing the individual’s employment records.
b. ITAC receives and processes a list from Human Resources containing the names and Texas State ID numbers of attendees at the most recent new employee orientation (NEO I).
Hiring departments, Faculty Records, and Human Resources must verify new faculty and staff identities as part of their hiring processes and prior to requesting domain accounts for new hires.
A domain account activated on the basis of impending employment shall expire 45 days beyond the anticipated start date. Hiring departments, Faculty Records, and Human Resources must establish up-to-date employment records for the employee prior to the end of that 45 day period to prevent automatic deactivation of the account.
Generally speaking, faculty and staff employees retain their eligibility until official employment records indicate that their employment with the university has ceased and they have no other authorized affiliation with the university. Because employment separation transactions may be processed after the official separation date, and to ensure that separating employees do not retain access beyond that date, department heads shall notify ITAC of any separating faculty or staff prior to their official separation date, as directed in UPPS No. 04.04.50, Separation of Employment and Interdepartmental Transfers.
05.03 Consultants and Contractors. Consultants and contractors are eligible to use the university’s information resources as specified in and restricted by their contracts, federal and state law, this policy, and other applicable university policies. The applicable Texas State department contract administrator (see definition in UPPS No. 03.04.08, Administration and Management of Major Contracts for Goods or Services) shall ensure that the relevant contracting documents include appropriate provisions for mitigating risk to university information accessible to consultants, contractors, and other external parties under the contract. The Office of the Vice President for Information Technology provides sample non-disclosure agreements and data security and privacy provisions, along with guidance and assistance in their use.
The university shall assign each individual consultant or contractor an individual domain account that is unique for the duration of the contract. The department contract administrator shall request consultant or contractor domain accounts from ITAC at least ten business days before the accounts will be needed. The request should include the name of each individual needing an account and the expected activation period, which should not begin before nor extend beyond the expected duration of that individual’s participation in contract activities. The department contract administrator shall immediately notify ITAC whenever a consultant or contractor ceases to need access to the university’s information resources.
ITAC will set the domain accounts of consultants and contractors to expire upon the expected completion date of the contract or August 31 of the current fiscal year, whichever comes sooner. The department contract administrator is responsible for renewing the domain accounts of consultants and contractors through ITAC prior to their expiration date.
05.04 Members of The Texas State University System (TSUS) Administration. Members of The Texas State University System Board of Regents and members of the TSUS administration staff are eligible to use the university’s information resources for the length of their TSUS affiliation. ITAC assigns domain accounts to these individuals upon request from the assistant to the chancellor or designee. In submitting the request, the assistant to the chancellor affirms the identities of the persons named in the request.
Unless directed otherwise by the vice president for Information Technology, TSUS domain accounts will expire at the end of a TSUS board member’s current term, or August 31 of the current fiscal year, as appropriate. The assistant to the chancellor shall notify ITAC whenever a TSUS account owner ceases to need access to information resources, such as when a TSUS staff member separates from employment.
By August 10 of each fiscal year, ITAC will provide a list of active TSUS domain accounts to the TSUS Information Resources manager (IRM). The TSUS IRM will review the list, denote which TSUS members need their accounts renewed for another year, and return the list to ITAC for processing prior to the August 31 account expiration date.
05.05 Guests. Texas State may assign guest domain accounts to individuals not otherwise affiliated with the university if the accounts are required to support functions directly associated with the university mission. A current faculty or staff account owner must sponsor each guest user. Sponsors must affirm the guest user’s identity and serve as the university contact regarding issues associated with the guest user’s access and use of information resources.
Sponsors should request guest accounts, or provide ITAC with advance notice of an impending need for guest accounts, at least ten business days before the accounts are needed. When requesting or renewing guest accounts, the sponsor will include the sponsor’s NetID, the name of the guest to receive the account, a description of the sponsor’s relationship to the function for which the account is needed, how the function is associated with the university mission, and the expected activation period (start and end dates) for the account.
ITAC will set guest domain accounts to expire at the end of the expected activation period, or on August 31 of the current fiscal year, whichever comes sooner. The sponsor shall notify ITAC of the need for an extension of their guest’s account at least ten business days prior to the account expiration date. The sponsor shall notify ITAC whenever a guest account owner ceases to need their account for access to the university’s information resources.
Individuals may not possess more than one concurrently active domain account. Technology Resources will issue a replacement NetID to an account owner if and only if the existing NetID represents a credible danger to the health or safety of the account owner.[ddv1]
06.02 The university will track each domain account assignment using either the account owner’s Texas State ID number, the account sponsor’s NetID, or the Texas State ID number.
06.03 Only a domain account’s owner is authorized to know and use the password for that domain account and may not disclose the password to another party. No university component, employee, representative, or agent may ask the owner of a Texas State domain account to divulge their password.
06.04 Whenever the university newly activates or reactivates a domain account, it will randomly generate a new, pre-expired password for the associated NetID to force a password change by the account owner upon initial login.
06.05 Account owners shall affirm their knowledge and understanding of their responsibilities relative to information security and the appropriate use of information resources each time they change their account password.
06.06 Authorized Information Technology personnel may unilaterally suspend or block access by an account when, in their professional judgment and in the course of their assigned duties, such action is necessary to:
a. protect the confidentiality, integrity, availability, or functionality of university information resources,
b. protect the university from harm or liability, or
c. prevent use or abuse of the account by a person or persons other than the account’s legitimate owner.
Authorized Information Technology personnel may block access by a domain account without advance notice when presented with a written request from appropriate university authorities, the department head of an employee’s organizational unit, or the sponsor of the account. Reasons for such a block include involuntary employee termination, elevated concern for the security of information resources, and reasonable belief that the account is being used in activities that are prohibited by law, Regents’ Rules, or university policy.
*06.07 The university shall deactivate any domain account that fails to record a successful login for more than 180 consecutive days. The university shall also perform a daily automated review of the account owner information changes in its official information sources (i.e., systems of record). The university will deactivate the domain accounts of individuals who, based upon that review, no longer qualify for ownership of a domain account under the terms of this policy. Owners of deactivated domain accounts must re-validate their identity and possess an eligible university affiliation before they may reactivate their NetID and regain access to the university’s information resources. [ddv2]
06.08 The university may delete, without any notification or recovery obligation, files or other information resources attributable to any domain account that persists in a deactivated state for more than 180 consecutive days.
07. ACCOUNT ACCESS WITHOUT CONSENT
07.01 The university generally prohibits access to electronic records and communications by anyone other than:
a. the designated owner of the account or electronic resource containing the records or communication; or
b. the sender or recipient of a particular communication;
without prior consent from the applicable account owner, sender, or recipient.
However, as a Texas public institution, the university must monitor, review, and disclose electronic records and communications stored or transmitted using the university’s information resources as necessary to:
1) comply with the provisions of the Texas Public Information Act, other pertinent laws, Regents’ Rules, and university policies;
2) satisfy other legal obligations, such as subpoenas and court orders;
3) protect and sustain the operational performance and integrity of university information systems and business processes;
4) facilitate security reviews, audits, and investigations by authorized individuals in the performance of their assigned duties; and
5) protect and support the legitimate interests of the university and other users, as determined by the vice president for Information Technology in consultation with the TSUS associate general counsel.
Users of the university’s information resources expressly consent to monitoring and review by the university for these purposes. If such monitoring or review reveals evidence of possible criminal activity, university administration may provide that evidence to law enforcement officials without notice to the user. Further, all users should understand that while the university takes reasonable precautions, as evidenced by its information security program, it is unable to guarantee the protection of electronic files, data, or e-mails from unauthorized or inappropriate access or disclosure.
Consequently, consistent with TAC 202, Rule § 202.75(9)(D), users should not expect privacy in their use of Texas State information resources.
07.02 Individuals seeking non-consensual access to electronic records or communications residing within a user account or university information resource assigned to another user shall make such requests in writing to the vice president for Information Technology. The requests must fully describe the requested records by type and date, and must specify the authorization (Sections 07.01 a through 07.01 e., above) that permits the access. The vice president for Information Technology or designee, in consultation with the TSUS associate general counsel and other university officials as appropriate to the circumstances, will approve or deny the request. This provision applies to all user accounts and information resources, including those assigned to deceased, incapacitated, or otherwise unreachable individuals.
08. EXEMPTIONS AND EXCEPTIONS
08.01 Individuals desiring an exemption or exception from any provision in this policy shall make the request in writing to the associate vice president for Technology Resources. The written request must specify the provision to be waived and demonstrate a compelling need or unique circumstance that clearly justifies a waiver. The associate vice president will communicate a decision to the requestor within ten business days of the request. The requestor may appeal the associate vice president’s decision to the vice president for Information Technology, whose decision is final.
09. REVIEWERS OF THIS UPPS
9.01 Reviewers of this UPPS include the following:
Associate Vice President for April 1 E2Y
Special Assistant to the Vice President April 1 E2Y
for Information Technology
Information Security Officer April 1 E2Y
Vice President for Information April 1 E2Y
10. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their official capacities and represents Texas State policy and procedure from the date of this document until superseded.
Associate Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology