Information Security Standards

Account Management


Texas A&M University-Commerce information resources are strategic assets which, being property of the State of Texas, must be managed as valuable state resources. Access to information resources is normally controlled by a Logon ID associated with an authorized user account. Proper administration of these Logon IDs is very important to ensure the security of confidential information and normal business operations of information resources.


This procedure applies to all University information resources. The purpose of this procedure is to provide a set of measures that will mitigate information security risks associated with Account Management. The intended audience for this procedure includes, but is not limited to, all information resources owners, management personnel, and system administrators.


1. An approval process is required prior to granting access authorization to an information resource. The approval process shall document the acknowledgement of the account holder to follow all terms of use and the granting of authorization by the resource owner or their designee.

2. Each person is to have a unique Logon ID and associated account for accountability purposes. Role accounts (e.g., guest or visitor) are to be used in very limited situations, and must provide individual accountability when used to access mission critical and/or confidential information.

3. Access authorization controls are to be modified appropriately as an account holder's employment or job responsibilities change.

a. Account creation processes are required to ensure that only authorized individuals receive access to information resources.

b. Processes are required to disable Logon IDs that are associated with individuals who are no longer employed by, or associated with, the University. In the event that the access privilege is to remain active, the department (e.g., owner, department head) shall document that a benefit to the University exists.

c. All access privileges to information resources must be reviewed at least biannually by the owners (department heads or administrators), and documented as such.

d. Passwords associated with Logon IDs shall comply with the University Information Security Standard Administrative Procedure, Identification, Authentication, and Passwords.

e. Information Security Administrators or other designated staff:

i. Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to University information resources.

ii. Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.

iii. Shall have a documented process for periodically reviewing existing accounts for validity.


University Information Security Standard Administrative Procedure, Identification, Authentication, and Passwords


Last Updated March 31, 2014