7.1.6 Account Management
A. Purpose
The purpose of this policy is to establish the rules for creation, monitoring, control, and removal of user accounts
B. Persons Affected
This policy applies to all individuals who access The University of Texas at Tyler (the "University") Information Resources.
C. Definitions
N/A
D. Policy
Responsibilities:
- General
- All accounts must be uniquely identifiable using an assigned user name.
- All accounts must use a password that complies with the University's strong password guidelines.
- Accounts of individuals on extended absence of any type (more than 30 days) will be disabled.
- Extended absence: HSC Campus- Accounts of individuals on extended absence of any type (more than 30 days) will be disabled. Main campus- Dates to disable accounts are automated and provided in daily HR data feed.
- All new user accounts that have not been accessed within 30 days of creation will be expired.
- Expired accounts: HSC Campus-All existing non-employee accounts that have not been accessed within 30 days will be expired. All expired accounts will be deleted after 30 days. Main Campus- Expired/disabled accounts may be reactivated within 150 days due to semester-based needs for faculty assignments and student activity. Accounts are deleted after 150 days if no activity.
- All users will have accounts to systems commensurate with their roles in their assigned departments.
- All security rights for new or modified accounts will be communicated to Information Technology (IT) using the Computer Systems Security Form (HSC) or ServiceNow (Main campus).
- All system access should be removed within five (5) business days of either a termination, separation, or account deletion.
- System Administrators
- The System Administrators shall maintain procedures for provisioning new accounts and terminating accounts and be involved with the transfer of employees from one department to another as needed.
- Upon department notification, System Administrators are responsible for removing roles from individuals who change roles within the University or expire accounts if individuals separated from their relationships with the University.
- Appropriate documentation is required to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.
- System Administrators will review existing accounts every 30 days to determine those to expire for non-use.
- System Administrators will communicate to the head of the appropriate department the names of those flagged for expiration as the result of no activity. The department will have one (1) week to respond before the System Administrator expires the account.
- System Administrators must provide a list of accounts for the systems they administer when requested by authorized University management.
- System Administrators must cooperate with authorized University management investigating security incidents.
- University Administrators
- HSC Campus
- Administrators will approve security for their areas of responsibility or delegate that authority to their supervisors using the Security Requestor Authorization for HSC requests.
- Each year the Administrator will audit his/her delegated signature authority lists and either certify the existing delegates or delete them.
- Main Campus
- Administrators will approve security for their areas of responsibility or delegate that authority to their supervisors through ServiceNow requests for Main campus accounts.
- Each year the Administrator will audit their access and role security lists provide by IT and either certify the existing delegates or request changes or removals.
- Supervisors
- HSC Campus
- All supervisors will ensure a current signature authority is on file with IT if initiating security requests.
- All supervisors must work directly with IT within 5 business days before and during personnel transfers to ensure proper account access is both withdrawn and created in a manner consistent with the role(s) of the user. IT may expire a user account if security is not verified or modified by the department receiving the employee. Security granted must be appropriate for the employee's new role. Security verifications/modifications should be communicated using the Computer Systems Security Form within 10 working days of the transfer.
- All supervisors play a vital role in the protection of information resources. IT must receive notification within 24 - 48 hours in all cases when an employee terminates employment.
- Main Campus
- Supervisors will ensure that security changes are submitted through ServiceNow for shared department resource ownership, delegation, access, and PeopleSoft role security.
- Supervisors will ensure that HR is notified within 5 business days of personnel transfers for the HR data feed to be updated and processed through IT’s automated systems. Security granted must be appropriate for the employee's new role. Security verifications/modifications should be communicated using ServiceNow within 10 working days of the transfer.
- All supervisors play a vital role in the protection of information resources. IT must receive notification through HR’s data feed within 24 - 48 hours in all cases when an employee terminates employment.
- Human Resources
- Human Resources shall initiate the network account expiration process.
- Users
- Account passwords must not be given to others.
- Accounts will not be granted without supervisor authorization.
- All users must acknowledge the University's Acceptable Use Policy before access is given to an account.
- Enforcement.
- Violation of this policy may result in disciplinary action, which may include termination for employees and temporaries, a termination of employment relations in the case of contractors or consultants, dismissal for interns and volunteers, or suspension or expulsion in the case of a student. Additionally, individuals are subject to loss of University IT systems access privileges, civil, and criminal prosecution.
H. Review Responsibilities and Dates
The Division Head for this Policy is the Chief Information Officer and this Policy shall be reviewed every two (2) years or sooner, if necessary, by the Division Head or their designee.
APPROVED: 09/2021
AMENDED: 05/2023