Controlling access to information systems and managing user accounts are critical business processes that support effective use of information resources. Effective use of information resources is a shared responsibility among functional owners. For example, the registrar would likely be the functional owner of at least part of Banner, while information technology (IT) operations (including core IT support) and management/support functions (e.g., front-line managers and human resources) both play key roles in ensuring that personnel changes are communicated to the concerned parties.
At its core, information system user account management refers to the process by which an individual's access and permissions within information systems are initially activated, periodically reviewed, and deactivated in a timely manner, consistent with that individual's roles and responsibilities as an employee. To be effective, an account provisioning process should ensure that the creation of accounts and the access to applications and data are consistent while maintaining required privacy and protecting information systems. Information system user account management must be addressed in order to lower the risks and threats facing users, hosts, networks, and business operations.
3.1.1 Information System User Account Management Procedures
The University System of Georgia (USG) recognizes the system’s information resources/systems are strategic and vital assets belonging to the people of Georgia. These assets require a degree of protection commensurate with their value.
Information systems must be protected from unauthorized access, loss, contamination, or destruction. Proper management and protection of information systems is characterized by ensuring the confidentiality, integrity, and availability of the system.
User account access is a continual process and vital to the proper management and security of information systems. Chief information officers (CIOs), chief information security officers (CISOs), system owners, and Human Resources management will work together to create institutional procedures focused on good communication, accuracy of user account data, and protection of confidential/sensitive data.
Establish procedures to address user account management for information systems including granting, reviewing, inactivation, updating, and/or terminating account access for all USG administrators, executives, faculty, staff, researchers, clinical care providers, and students, along with the University System Office (USO) [which includes the Shared Services Center (SSC)], the Georgia Public Library System (GPLS), and the Georgia Archives. These procedures also apply to all individuals or representatives of entities in relationship with the USG through formal, informal, contract, or other types of agreements who interact with USG information systems.
3.1.1.1 Scope, Authority, Enforcement, Exceptions
- Institutions shall identify and categorize information systems that process or store confidential or sensitive information, or are critical systems. The suggested responsible parties are the CIO and the CISO.
- Institutions will identify the owner for each critical system or systems containing confidential or sensitive information. The list of designated systems and the associated owners will be made available upon request. The suggested responsible parties are the CIO and the CISO.
- Institutions will maintain an up-to-date mapping of users to information system(s). The CIO will provide the system owner with user ID information. The suggested responsible party is the system owner, with support from the CIO.
- Only authorized users should be allowed physical, electronic, or other access to information systems.
- The institution will define both procedural and technical access controls. The suggested responsible parties are the system owner, Human Resources, the CIO, and the CISO. Access controls must include, but may not be limited to:
  - Documented procedures to grant, review, deactivate, update, and/or terminate account access;
  - Ensuring appropriate resources are available and maintained to adequately authenticate and verify authorized access; and
  - Ensuring appropriate resources are available and maintained to prevent and detect unauthorized use.
- The system owner and the user share the responsibility of preventing unauthorized access to USG information systems.
- The system owner will analyze user roles and determine level of access required to perform a job function. The level of authorized access must be based on the principle of least privilege (PoLP).
- Managers and Human Resources will notify the CIO of personnel status changes in job function, status, transfers, referral privileges, and/or affiliation. User authorization shall be reviewed and revised by the system owner. The suggested responsible parties are the system owner, Human Resources, and the CIO.
- Access to an information system must be reviewed regularly. At a minimum, the information system owner must review user access to the information system every four (4) months and document findings with the CIO and CISO.
- The system owner will update information system access no more than five (5) business days after terminations and no more than thirty (30) days after other personnel status changes.
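The two deadlines above (five business days after a termination, thirty days after other status changes) and the four-month review cadence are easy to state and easy to miss in practice. The following added example, not part of the USG handbook, is a small audit check a system owner could run over exported HR events and review records; the event list, system names and dates are constructed for illustration.

```python
"""Audit check for the deprovisioning and review deadlines in this section.
Added example with constructed sample data; not USG's own tooling."""
import calendar
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Dict, Tuple

TERMINATION_BUSINESS_DAYS = 5      # "no more than five (5) business days"
STATUS_CHANGE_CALENDAR_DAYS = 30   # "no more than thirty (30) days"
REVIEW_INTERVAL_MONTHS = 4         # "every four (4) months"

@dataclass
class PersonnelEvent:
    user_id: str
    system: str
    kind: str                        # "termination" or "status_change"
    event_date: date                 # date HR reported the change
    access_updated: Optional[date]   # None = access not yet updated

def add_business_days(start: date, days: int) -> date:
    """Return the date `days` Mon-Fri business days after `start` (holidays ignored)."""
    d = start
    while days > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            days -= 1
    return d

def add_months(d: date, months: int) -> date:
    """Same day-of-month `months` later, clamped to the target month's length."""
    m = d.month - 1 + months
    y, m = d.year + m // 12, m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))

def deadline(ev: PersonnelEvent) -> date:
    if ev.kind == "termination":
        return add_business_days(ev.event_date, TERMINATION_BUSINESS_DAYS)
    return ev.event_date + timedelta(days=STATUS_CHANGE_CALENDAR_DAYS)

def overdue_events(events: List[PersonnelEvent], today: date) -> List[Tuple[str, str, date]]:
    """Events whose access update was late, or is still pending past its deadline."""
    findings = []
    for ev in events:
        due = deadline(ev)
        if (ev.access_updated is None and today > due) or \
           (ev.access_updated is not None and ev.access_updated > due):
            findings.append((ev.user_id, ev.system, due))
    return findings

def overdue_reviews(last_reviews: Dict[str, date], today: date) -> List[str]:
    """Systems whose last documented access review is older than the review interval."""
    return sorted(s for s, d in last_reviews.items()
                  if add_months(d, REVIEW_INTERVAL_MONTHS) < today)

# Constructed sample input: 2024-03-01 is a Friday, so five business days later is 2024-03-08.
EVENTS = [
    PersonnelEvent("u100", "Banner", "termination", date(2024, 3, 1), date(2024, 3, 8)),
    PersonnelEvent("u101", "Banner", "termination", date(2024, 3, 1), date(2024, 3, 11)),
    PersonnelEvent("u102", "Payroll", "status_change", date(2024, 3, 1), None),
    PersonnelEvent("u103", "Payroll", "status_change", date(2024, 3, 20), None),
]
LAST_REVIEWS = {"Banner": date(2023, 11, 30), "Payroll": date(2024, 1, 15)}
```

Run against real exports, the two functions give the system owner the documented findings the CIO and CISO expect at each review.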
3.1.1.2 Recommended Process Flow Chart