not mobile

Information Technology Handbook

Section 3. IT Management

Section 3 Introduction

Version date May 19, 2014

Knowledge Management provides information technology systems, tools, governance, and support to facilitate the creation and management of data and the use of information and knowledge for effective analysis and decision making both at the System and institution levels. IT Management establishes and advances an environment and a set of practices that support agile and accessible collection, transformation, warehousing, retrieval, analysis, and exchange of vital enterprise data and decision-support information.

Definitions

The following definitions of shall, will, must, may, may not, and should are used throughout this Handbook.

  1. Shall, Will, and Must indicate a legal, regulatory, or policy requirement. Shall and Will are used for persons and organizations, and Must for inanimate objects.
  2. May indicates an option.
  3. May Not indicates a prohibition.
  4. Should indicates a recommendation that, in the absence of an alternative providing equal or better protection from risk, is an acceptable approach to achieve a requirement. The focus of “should” statements generally is more outcome-based; i.e., an alternate method to achieve the requirement may be developed assuming it is documented as effectively managing risk.

The following definitions of Critical System, Principle of Least Privilege (PoLP), Sensitive Information, System Owner, and Users are used throughout this section.

  1. A Critical System is a system whose failure or malfunction will result in not achieving organization goals and objectives.
  2. The Principle of Least Privilege (PoLP) describes minimal user profile or access privileges to information resources based on allowing access to only what is necessary for the users to successfully perform their job requirements.
  3. Sensitive Information is information maintained by USG institutions, the USO, and the GPLS that requires special precautions, as determined by institution standards and risk management decisions, to ensure its accuracy and integrity by using integrity, verification, and access controls to protect it from unauthorized modification or deletions.
  4. A System Owner is the manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The system owner is responsible for establishing the controls that provide the security. The system owner of a collection of information is the person responsible for the business results of that system or the business use of the information.
  5. Users are individuals who use the information processed by an information system.
Section Number Section Name Compilation Date Published Date Compliance Date Revision Date(s)
3.1 Information System
User Account Management
November 2012 March 2013 July 2013 May 2014

3.1 Information System User Account Management

Version date May 19, 2014

Controlling access to information systems and managing user accounts are critical business processes that support effective use of information resources. Effective use of information resources is a shared responsibility among functional owners. For example, the registrar would likely be the functional owner of at least part of Banner, while information technology (IT) operations (to include core IT support and information technology) and management/support functions (e.g., front-line managers and human resources) both play key roles in ensuring that personnel changes are communicated to concerned parties.

At its core, information system user account management refers to the process by which an individual’s access and permissions within information systems is initially activated, periodically reviewed, and timely deactivated consistent with that individual’s roles and responsibilities as an employee. To be effective, an account provisioning process should ensure that the creation of accounts and the access to applications and data are consistent while maintaining required privacy and protecting information systems. Information systems user account management must be addressed in order to lower the risks and threats facing users, hosts, networks, and business operations.


3.1.1 Information System User Account Management Procedures

The University System of Georgia (USG) recognizes the system’s information resources/systems are strategic and vital assets belonging to the people of Georgia. These assets require a degree of protection commensurate with their value.

Information systems must be protected from unauthorized access, loss, contamination, or destruction. Proper management and protection of information systems is characterized by ensuring the confidentiality, integrity, and availability of the system.

User account access is a continual process and vital to the proper management and security of information systems. Chief information officers (CIOs), chief information security officers (CISOs), system owners, and Human Resources management will work together to create institutional procedures focused on good communication, accuracy of user account data, and protection of confidential/sensitive data.

3.1.1.1 Purpose

Establish procedures to address user account management for information systems including granting, reviewing, inactivation, updating, and/or terminating account access for all USG administrators, executives, faculty, staff, researchers, clinical care providers, and students, along with the University System Office (USO) [which includes the Shared Services Center (SSC)], the Georgia Public Library System (GPLS), and the Georgia Archives. These procedures also apply to all individuals or representatives of entities in relationship with the USG through formal, informal, contract, or other types of agreements who interact with USG information systems.

3.1.1.2 Scope, Authority, Enforcement, Exceptions

3.1.1.3 Procedures

  1. Institutions shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible parties are the CIO and the CISO.
  2. Institutions will identify the owner for each critical system or systems containing confidential or sensitive information. The list of designated systems and the associated owners will be made available upon request. The suggested responsible parties are the CIO and the CISO.
  3. Institutions will maintain an up-to-date mapping of users to information system(s). The CIO will provide the system owner with user ID information. The suggested responsible party is the system owner, with support from the CIO.
  4. Only authorized users should be allowed physical, electronic, or other access to information systems.
  5. The institution will define both procedural and technical access controls. The suggested responsible parties are the system owner, Human Resources, the CIO, and the CISO. Access controls must include, but may not be limited to:
    • Documented procedures to grant, review, deactivate, update, and/or terminate account access;
    • Ensure appropriate resources are available and maintained to adequately authenticate and verify authorized access; and,
    • Ensure appropriate resources are available and maintained to prevent and detect unauthorized use.
  6. The system owner and the user share the responsibility of preventing unauthorized access to USG information systems.
  7. The system owner will analyze user roles and determine level of access required to perform a job function. The level of authorized access must be based on the principle of least privilege (PoLP).
  8. Managers and Human Resources will notify the CIO of personnel status changes in job function, status, transfers, referral privileges, and/or affiliation. User authorization shall be reviewed and revised by the system owner. The suggested responsible parties are the system owner, Human Resources, and the CIO.
  9. Access to an information system must be reviewed regularly. At a minimum, the information system owner must review user access to the information system every four (4) months and document findings with the CIO and CISO.
  10. The system owner will update information system access no more than five (5) business days after terminations and no more than thirty (30) days after other personnel status changes.

3.1.1.4 Recommended Process Flow Chart

Flow Chart


Information Technology Services
© Board of Regents of the University System of Georgia