3.1 Information System User Account Management
Controlling access to information systems and managing user accounts are critical business processes that support effective use of information resources. That responsibility is shared among functional owners. For example, the registrar would likely be the functional owner of at least part of Banner, while information technology (IT) operations (including core IT support) and management and support functions (e.g., front-line managers and human resources) both play key roles in ensuring that personnel changes are communicated to the concerned parties.
At its core, information system user account management is the process by which an individual’s access and permissions within information systems are initially activated, periodically reviewed, and deactivated in a timely manner, consistent with that individual’s roles and responsibilities as an employee. To be effective, an account provisioning process should ensure that account creation and access to applications and data are handled consistently, while maintaining required privacy and protecting information systems. User account management must be addressed in order to lower the risks and threats facing users, hosts, networks, and business operations.
3.1.1 Information System User Account Management Procedures
The University System of Georgia (USG) recognizes the system’s information resources/systems are strategic and vital assets belonging to the people of Georgia. These assets require a degree of protection commensurate with their value.
Information systems must be protected from unauthorized access, loss, contamination, or destruction. Proper management and protection of information systems is characterized by ensuring the confidentiality, integrity, and availability of the system.
Managing user account access is a continual process and vital to the proper management and security of information systems. CIOs, CISOs, system owners, and Human Resources management will work together to create institutional procedures focused on good communication, accuracy of user account data, and protection of confidential/sensitive data.
Establish procedures to address user account management for information systems including granting, reviewing, inactivation, updating, and/or terminating account access for all USG administrators, executives, faculty, staff, researchers, clinical care providers, and students, along with the University System Office (USO), and the Georgia Public Library System (GPLS). These procedures also apply to all individuals or representatives of entities in relationship with the USG through formal, informal, contract, or other types of agreements who interact with USG information systems.
3.1.1.1 Scope, Authority, Enforcement, Exceptions
- BoR Policy Manual, Section 11
- USG Information Security Program Policy
- USG Appropriate Use Policy (AUP)
- Institutions shall identify and classify information systems that process or store confidential or sensitive information, or that are critical systems. The suggested responsible party is the CIO and/or the CISO.
- Institutions will identify the owner of each critical system and of each system containing confidential or sensitive information. The list of designated systems and their associated owners will be made available upon request. The suggested responsible party is the CIO and/or the CISO.
- Institutions will maintain an up-to-date mapping of users to information system(s). The CIO will provide the system owner with user ID information. The suggested responsible party is the system owner, with support from the CIO.
- Only authorized users should be allowed physical, electronic, or other access to information systems.
- The institution will define both procedural and technical access controls. The suggested responsible parties are the system owner, Human Resources, the CIO, and the CISO. Access controls must include, but are not limited to:
  - Documented procedures to grant, review, deactivate, update, and/or terminate account access;
  - Appropriate resources, available and maintained, to adequately authenticate and verify authorized access; and,
  - Appropriate resources, available and maintained, to prevent and detect unauthorized use.
- The system owner and the user share the responsibility of preventing unauthorized access to USG information systems.
- The system owner will analyze user roles and determine level of access required to perform a job function. The level of authorized access must be based on the principle of least privilege (PoLP).
- Managers and Human Resources will notify the CIO of personnel status changes in job function, status, transfers, referral privileges, and/or affiliation. User authorization shall be reviewed and revised by the system owner. The suggested responsible parties are the system owner, Human Resources, and the CIO.
- Access to an information system must be reviewed regularly. At a minimum, the information system owner must review user access to the information system every four (4) months and document findings with the CIO and CISO.
- The system owner will update information system access no more than five (5) business days after terminations and no more than thirty (30) days after other personnel status changes.
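The review and update windows above are only enforceable if someone actually compares the HR roster to each system's account list. The following is an added example written for this page, not USG or institutional code: it reconciles a constructed account list against a constructed HR roster and flags accounts with no HR record, terminated users still provisioned more than five business days later, role changes not reflected within thirty days, and access not reviewed within four months. The record fields, the "transferred" status value, the system name "banner", and all sample users are assumptions made for illustration.

```python
"""Reconcile an application's account list against the HR roster and flag the
conditions the procedures above require: orphan accounts, terminated users
still provisioned past five business days, role changes not reflected within
thirty days, and access not reviewed within four months.

Added example for this page; not USG or institutional code. The record
formats, the "transferred" status value, and the sample data are assumptions
constructed for illustration.
"""
from calendar import monthrange
from dataclasses import dataclass
from datetime import date, timedelta

# Windows taken from the procedures in 3.1.1.1.
TERMINATION_BUSINESS_DAYS = 5
STATUS_CHANGE_CALENDAR_DAYS = 30
REVIEW_INTERVAL_MONTHS = 4


@dataclass(frozen=True)
class HrRecord:
    user_id: str
    status: str      # "active", "terminated" or "transferred" (assumed values)
    role: str        # job role HR currently has on file
    effective: date  # date the current status/role took effect


@dataclass(frozen=True)
class Account:
    user_id: str
    system: str
    role_granted: str    # role the access was provisioned against
    last_reviewed: date  # last documented access review by the system owner


def add_business_days(start: date, n: int) -> date:
    """Advance n Monday-to-Friday days. Holidays are ignored (simplification)."""
    d = start
    while n > 0:
        d += timedelta(days=1)
        if d.weekday() < 5:
            n -= 1
    return d


def add_months(start: date, n: int) -> date:
    """Calendar-month add, clamping the day to the target month's length."""
    idx = start.month - 1 + n
    year, month = start.year + idx // 12, idx % 12 + 1
    return date(year, month, min(start.day, monthrange(year, month)[1]))


def reconcile(accounts, roster, as_of):
    """Return sorted (system, user_id, finding) tuples for accounts out of policy."""
    hr = {r.user_id: r for r in roster}
    findings = []
    for acct in accounts:
        rec = hr.get(acct.user_id)
        if rec is None:
            # No HR record at all: nobody can vouch for this access.
            findings.append((acct.system, acct.user_id, "ORPHAN_ACCOUNT"))
            continue
        if rec.status == "terminated":
            if as_of > add_business_days(rec.effective, TERMINATION_BUSINESS_DAYS):
                findings.append((acct.system, acct.user_id, "TERMINATION_DEPROVISION_OVERDUE"))
        elif rec.role != acct.role_granted:
            # Transfer or other status change: access still reflects the old role.
            if as_of > rec.effective + timedelta(days=STATUS_CHANGE_CALENDAR_DAYS):
                findings.append((acct.system, acct.user_id, "ROLE_CHANGE_UPDATE_OVERDUE"))
        if as_of > add_months(acct.last_reviewed, REVIEW_INTERVAL_MONTHS):
            findings.append((acct.system, acct.user_id, "ACCESS_REVIEW_OVERDUE"))
    return sorted(findings)


def demo_findings():
    """Run reconcile() over constructed sample data as of 2024-06-14."""
    roster = [
        HrRecord("alice", "active", "registrar_staff", date(2023, 1, 9)),
        HrRecord("bob", "terminated", "registrar_staff", date(2024, 6, 3)),    # 9 business days ago
        HrRecord("carol", "terminated", "registrar_staff", date(2024, 6, 12)),  # 2 business days ago
        HrRecord("dave", "transferred", "it_support", date(2024, 4, 20)),      # 55 days ago
        HrRecord("erin", "transferred", "finance", date(2024, 6, 1)),          # 13 days ago
    ]
    accounts = [
        Account("alice", "banner", "registrar_staff", date(2024, 1, 5)),  # review > 4 months old
        Account("bob", "banner", "registrar_staff", date(2024, 3, 1)),
        Account("carol", "banner", "registrar_staff", date(2024, 3, 1)),
        Account("dave", "banner", "registrar_staff", date(2024, 3, 1)),   # still holds old role
        Account("erin", "banner", "registrar_staff", date(2024, 3, 1)),   # within 30-day window
        Account("ghost", "banner", "registrar_staff", date(2024, 3, 1)),  # no HR record
    ]
    return reconcile(accounts, roster, date(2024, 6, 14))


if __name__ == "__main__":
    for system, user, finding in demo_findings():
        print(f"{system}\t{user}\t{finding}")
```

Carol and Erin produce no finding because their windows have not yet elapsed; a production version would report them as pending so the system owner can act before the deadline, and would pull the roster and account list from the HR system and the application rather than from inline data.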
3.1.1.2 Recommended Process Flow Chart
3.1.1.3 Terms and Definitions
Confidential Information is information whose improper use or disclosure could adversely affect the ability of the institution to accomplish its mission, records about individuals protected under the Family Educational Rights and Privacy Act of 1974 (FERPA) and other applicable laws, or data not releasable under the Georgia Open Records Act or the Georgia Open Meetings Act.
A Critical System is a system whose failure or malfunction will result in not achieving organization goals and objectives.
The Principle of Least Privilege (PoLP) describes a minimal user profile or set of access privileges to information resources, allowing access only to what is necessary for users to successfully perform their job requirements.
Sensitive Information is information maintained by USG institutions, the USO, and the GPLS that requires special precautions, as determined by institution standards and risk management decisions, to ensure its accuracy and integrity by using integrity, verification, and access controls to protect it from unauthorized modification or deletions.
A System Owner is the manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The system owner is responsible for establishing the controls that provide the security. The system owner of a collection of information is the person responsible for the business results of that system or the business use of the information.
Users are individuals who use the information processed by an information system.