Access Control Policy

PURPOSE:

The purpose of the Access Control Policy is to establish controls for the creation, management, and monitoring of user accounts in order to ensure secure access to TTUHSC information and information systems. These resources must be protected from unauthorized access, loss, corruption, or destruction to ensure the confidentiality, integrity and availability of these resources.

SCOPE:

This policy applies to all parties responsible for managing TTUHSC user accounts with access to information and information systems.

POLICY:

Account Management (AC-2)

  1. Domain user accounts must be uniquely identifiable using a centrally-assigned user name from TTUHSC IT. TTUHSC IT defines user identity and establishes user identification in the TTUHSC IT 56.09 Identification and Authentication Policy.
  2. All users must acknowledge and agree to TTU's eRaider Terms of Use before an account is provisioned to a user.
  3. Supervisors must notify TTUHSC IT to update account access of individuals, who have had their status, roles, or affiliations with the university changed to reflect changes to their status in a timely manner.
  4. Supervisors, with approval from HR, must notify TTUHSC IT to revoke accounts of individuals, who have become separated from the university to reflect changes to their status in a timely manner.
  5. Supervisors, with approval from HR, must notify TTUHSC IT to reinstate accounts of individuals that were revoked for cause. All other reinstatements are managed by TTUHSC HR.
  6. Information owners or their designee:
    1. Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to TTUHSC information and information systems.
    2. Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes, and permission changes.
    3. Shall periodically review existing accounts for account management compliance.
  7. Where supported by the underlying accounting mechanism, all user accounts must have a password expiration that complies with the 56.09 Identification and Authentication policy. TTUHSC may exempt service accounts from this requirement based on a risk assessment of the system and supported application/service.
  8. All vendor, consultant, and contractor accounts must comply with all requirements of this section.

Access Enforcement (AC-3)

  1. All systems with information not entirely classified as Public Information must use authentication.
  2. All systems using authentication must require users to use unique, individually assigned credentials. Shared accounts must be assigned to a primarily responsible individual and issuance requires the approval of the ISO.
  3. Access to information must be controlled through centralized authentication where possible and overseen by both Custodians and Information Owners to ensure only authorized individuals are allowed access to university-managed information.
  4. System administrators must document user access.
  5. TTUHSC information systems must authenticate user credentials prior to allowing access to the university Information or the information system.
  6. Where possible, systems must authenticate end-user passwords against identified, centralized systems in this preference order:
    1. Single sign-on.
    2. Authentication against TTUHSC centralized systems.
    3. Local system account name and password with TTUHSC IT approval.
  7. Custodians must not bypass access controls in production systems except under safe conditions and approval by the ISO.

Separation of Duties (AC-5)

Separation of duties must be implemented such that operational information system functions are separated into distinct jobs to prevent a single person from harming a development or operational information system or the services it provides, whether by an accidental act, omission, or intentional act.

  1. Information owners are required to consider separation of duties when approving access within systems such as separation of duties between programmers and developers.
  2. Custodians must ensure access control enforces separation of duties when setting up information system access.
  3. TTUHSC must use adequate controls to provide separation of duties for tasks that are susceptible to fraud or other unauthorized activity.

Least Privilege (AC-6)

The university employs the principle of least privilege, allowing only authorized access for users (or processes acting on behalf of users) which are necessary to accomplish assigned tasks in accordance with university missions and business functions.

Only team members whose job role includes IT administration may be given elevated, administrator privileges.

Anyone using accounts with elevated privileges must adhere to the following requirements:

  1. Individuals who use administrative accounts with elevated privileges must use these accounts only for their intended administrative purposes.
  2. Information owners or their designee must maintain records of all users who have access to administrative account credentials.
  3. The password for a shared administrator account must change when any individual knowing the password no longer should have access (e.g., terminated university employee, change in support vendor staff, or changes in university employee role).
  4. Departments that require third-party contractors to have elevated privileges must do one of the following:
    1. Hire the contractor as a "non-Tech employee" through the regular ePAF process, or
    2. Request elevated privileges for the departmental system owner or custodian who must then supervise the contractor's work within the owner's/custodian's elevated account access.
  5. When granting a third party elevated privileges for auditing, software development, software installation, or other defined needs, the third party's access must:
    1. Be authorized by the information owner;
    2. Have an expiration date where supported; and
    3. Be removed when the work is complete.
  6. Prior to permitting users access to university information or information systems, information owners or their designee must ensure the duties assigned to users require access to university information or information systems.

Unsuccessful Logon Attempts (AC-7)

  1. As technology permits, the information system owner, or designee, shall enforce account lockouts after no more than ten consecutive failed attempts.
  2. Accounts locked out due to multiple incorrect logon attempts should stay locked out for a minimum of 15 minutes.
  3. As technology permits, accounts that have access to information classified as Moderate or High impact should remain locked until reset by an administrator or university approved authentication system.

System Use Notification (AC-8)

  1. TTUHSC information systems must display an acceptable use message or banner before login to the information system.
  2. The logon banner must have warning statements that include the following topics:
    • Unauthorized use is prohibited;
    • Usage may be subject to security testing and monitoring;
    • Misuse is subject to criminal prosecution; and
    • Users have no expectation of privacy except as otherwise provided by applicable privacy laws.
  3. Information systems containing only information intended for Public access do not require an approved system use notification message unless required by the information system's risk posture.

Session Lock (AC-11)

  1. The information system owner, or designee shall:
    1. Prevent access to an information system by initiating a session lock after 15 minutes of inactivity or upon receiving a request from a user; and
    2. Retain the session lock until the user reestablishes access using established identification and authentication procedures.
  2. Session locks greater than 15 minutes must be reviewed and approved by TTUHSC IT.

Permitted Actions Without Identification or Authentication (AC-14)

  1. The information system owner or their designee is responsible for:
    1. Identifying activities that can be performed on the information system without identification or authentication consistent with university missions or business functions; and
    2. Documenting and providing supporting rationale in the unit's annual risk assessment for the information system user's actions not requiring identification or authentication.
  2. Public university websites and publicly-accessible kiosks are excluded from these requirements.

Remote Access (AC-17)

  1. Remote access to the TTUHSC network must use TTUHSC IT-approved methods.
  2. TTUHSC requires the same policies for authentication and authorization for local and remote access. TTUHSC IT may require additional authentication or approvals for remote access.
  3. TTUHSC IT must document and regularly review usage restrictions, configuration and connection requirements, and implementation guidance for all types of remote access allowed.
  4. TTUHSC IT must approve access to TTUHSC's VPN prior to connection.
  5. All remote access must authenticate through TTUHSC IT's centralized authentication mechanism.
  6. Faculty, staff, and students with an authorized user account will be granted remote access to university information systems only via the Remote Desktop Gateway. Remote access using other mechanisms must be reviewed and approved by TTUHSC IT.

Wireless Access (AC-18)

The main objective of the wireless network is to provide an internet connection that can be used to allow connectivity where a wired solution is not feasible (e.g., mass access areas such as a lecture room, conferences areas, certain exterior spaces, etc.). In general, it is not intended to be a replacement for the wired infrastructure in conducting TTUHSC business. However, there may be situations where a wired infrastructure is not feasible and wireless access may be used to access the TTUHSC information systems if appropriate security measures are taken.

  1. Only TTUHSC IT may configure wireless networks at TTUHSC.
  2. Unauthorized access points and network attached wireless devices are prohibited on the TTUHSC network. Periodic monitoring will be conducted to identify unauthorized networks. Information system owners (i.e., device owners or owners of information systems) will be contacted and requested to comply with this policy.
  3. Individuals and departments are prohibited from extending the TTUHSC network through means of wireless technologies.
  4. Access to the TTUHSC wireless network shall be authenticated using TTUHSC IT-approved methods.
  5. Students, faculty, and staff must access TTUHSC's wireless network using their TTUHSC user accounts.
  6. Guests are authorized to use the HSC-Guest wireless network under the following conditions:
    1. Initial access is gained by using the wireless guest password provided by TTUHSC IT or as posted in public areas.
    2. When prompted, the guest must accept the Wireless Guest Acceptable Use Policy.
  7. The TTUHSC WiFi network provides "best effort" service for all TTUHSC students, faculty, staff, and guests campus-wide. Use of the wireless network for activities requiring highly reliable service is not recommended.
  8. Limited special requests may be granted by TTUHSC IT (e.g., projects requiring approved isolated wireless devices). Each special request form shall be submitted to the IT Solution Center and may require a site evaluation. If granted, all instructions provided by TTUHSC IT in the special request communication must be followed.

Mobile Access (AC-19)

  1. TTUHSC Information policies govern all devices used to store, transmit, or process university information which include, but are not limited to: tablets, smartphones, desktop computers and laptops. The Mobile Device Standard specifically addresses management of mobile devices used to perform TTUHSC business.
  2. All mobile devices used to store or process university information must use a method to control access to the device as follows:
    1. Mobile devices that store or process Sensitive information or higher must use a complex password created following the TTUHSC Password Standard.
    2. Mobile devices that store or process Sensitive information or higher must use at a minimum a PIN, gesture lock, biometrics or password to access the device.
  3. Regulated information stored or processed directly on mobile devices or approved removable media must be encrypted. Confidential and Sensitive information stored or processed directly on mobile devices or approved removable media must be encrypted or use other compensating controls to protect the confidentiality and integrity of the information.
  4. Sensitive information or higher transmitted to/from university or mobile devices must use encryption.
  5. Mobile devices used to store or process Sensitive information or higher should be kept in the owner's direct possession or be otherwise physically secured using reasonable means. Any mobile devices used to store or process Sensitive information or higher should not be left unattended in public places or automobiles.
  6. Users must immediately report loss or theft of any mobile devices used to store or process Sensitive information or higher to TTUHSC IT and/or the TTUHSC Office of Institutional Compliance.
  7. Mobile devices must use TTUHSC-approved methods and configurations in accordance with all TTUHSC policies when connected to TTUHSC networks.
  8. Mobile devices must use authentication systems managed by TTUHSC IT when connecting to campus networks.
  9. Mobile devices that are TTUHSC resources and/or used to access Sensitive information or higher must be managed with the TTUHSC Mobile Device Management platform.
  10. Any mobile device that is personally owned cannot contain Confidential information or higher.

Use of External Information Systems (AC-20)

  1. TTUHSC business units must use established terms and conditions for contracts to protect the confidentiality, integrity, and availability of TTUHSC information and information systems managed by or connected to by third parties. Terms and conditions for contracts are managed by the TTUHSC Contracting Office.
  2. TTUHSC business units must use established rules requiring vendors and contractors to provide similar, if not equal, controls to protect TTUHSC's information and information systems. Agreements containing the established rules are managed by the TTUHSC Contracting Office.
  3. All categories (classes) of TTUHSC information may be stored on non-university information systems as long as the information is verifiably protected according to the respective TTUHSC minimum security standards and approved by the information owner and TTUHSC IT.

Publicly Accessible Content (AC-22)

The information owner, or designee must:

  1. Designate individuals authorized to post information onto a publicly accessible information system;
  2. Train authorized TTUHSC personnel to ensure that publicly accessible information does not contain Sensitive information or higher;
  3. Must establish procedures to ensure the proposed content of information does not contain Sensitive information or higher prior to posting onto the publicly accessible information systems; and
  4. Must establish procedures to ensure the periodic review of content on the publicly accessible information system does not contain Sensitive information or higher, and remove such information if discovered.

Violations

Any violation of this policy may result in disciplinary action, up to and including termination of employment. TTUHSC reserves the right to notify the appropriate law enforcement authorities of any unlawful activity and to cooperate in any investigation of such activity.

  1. Disciplinary Repercussions

    Misuse of TTUHSC Information or Information Systems is a violation of the policies contained herein and can result in disciplinary action in accordance with, but not limited to, TTUS Regulations 07.07 Employee Conduct, Coaching, Corrective Action, and Termination and HSC OP 77.05 Suspension and Retention, as well as the Student Handbook.

Exemption Requests

To request an exemption from any part of this TTUHSC IT policy, initiate a ticket with a business use case explanation in the IT Client Services ticketing system.

Related Statutes, Policies, and Requirements

Digital Millennium Copyright Act

Digital Millennium Copyright Act of 1998

Health Insurance Portability and Accountability Act

HIPAA, Title 45, Subchapter C, Part 164

Payment Card Industry (PCI) Data Security Standard (DSS)

PCI-DSS: 12.3 Acceptable Usage

Texas Administrative Code

TAC 202, Subchapter C, 70-76

Texas Public Information Act

Texas Public Information Act

Texas Security Control Standards Catalog

Texas DIR Security Control Standards Catalog

TTUHSC IT Roles and Responsibilities

Information and Information System Roles and Responsibilities