Information Resources Use and Security Policy

Next Previous

3. Account Management

Proper management and use of computer accounts are basic requirements for protecting the university's Information Resources. All offices that create access accounts for applications, networks, or systems are required to manage the accounts in accordance with the university's access management processes. Access to an Information Resource may not be granted by another User without the permission of the Owner or the Owner's delegated custodian of that Information Resource. All accounts are to be created and managed using the following required account management practices:

3.1. All accounts that access non-public university Information Resources must follow an account creation process. This process shall document who is associated with the account, the purpose for which the account was created, and who approved the creation of the account. All accounts wishing to access the university's non-public Information Resources must have the approval of the Owner of those resources. These measures also apply to account created by/for use of outside vendors or contractors (see Section 26).

3.2. Each account having special privileges must adhere to the university's password requirements (see Section 18).

3.3. All accounts must be able to be associated with an identifiable individual or group of individuals that are authorized to use that account (for example, the UT-EID).

3.4. Accounts of individuals on extended leave (more than 120 days) or accounts that have not been accessed more than 120 days must be disabled.

3.5. Accounts of individuals who have had their status, roles, or affiliations with university change must be updated to reflect their current status.

3.6. Accounts must be reviewed at least annually to ensure their current state is correct.

3.7. Password aging and expiration dates must be enabled, where supported by the underlying accounting mechanism, on all accounts created for outside vendors, external contractors, or those with contractually limited access to the university's information resources.