User Account Credentials Management Policy: IB
The purpose of this policy is to establish standards for the administration of user account credentials that access South Plains College information technology resources. These resources must be protected from unauthorized access, loss, corruption, or destruction, thus ensuring the confidentiality, integrity and availability of these resources. Proper management of account credentials provides a means of assuring accountability and protecting SPC resources. The standards established in this policy include issuing account credentials, granting access to approved resources, account credential maintenance and deactivation processes.
The SPC User Account Credentials Management policy applies to those responsible for the management of user account credentials on South Plains College information technology resources.
Creating unique domain user account credentials is an automated process utilizing the current approved SPC account naming convention and is based on assigned roles within the Enterprise Resource Planning (ERP) system (e.g. faculty, staff, student worker, student, visitor, alumni, etc.) The level of authorized access will be based on the principle of least privilege (PoLP), but if a user is assigned multiple roles, the most privileged role will take precedence.
- The creation of a user account credential issues a unique, non-transferable electronic identity known as the “username” and a corresponding “password”. Usernames will remain in effect throughout the individual’s official affiliation with SPC. (IB-A User Account Credentials Eligibility).
- Usernames are not reused.
- When an individual changes roles or ends their affiliation, SPC-IS deactivates the user account credentials that no longer meet SPC's eligibility requirements (IB-A User Account Credentials Eligibility) and removes non-standard access.
- Upon user activation, account holders are authorized to access the resources dictated by their role membership.
- SPC-IS requires users to change passwords per IC User Account Credential Password Policy. (IC – User Accounts Password)
- Requests for exceptions to this policy must be submitted in writing (SPC-IS Policy Exception Form) to the Associate Dean of Information Services and will be reviewed on a case by case basis. Requests shall be justified, documented, and communicated as part of the risk assessment process.
Related Policies, References and Attachments:
An index of approved SPC-IS policies can be found on the SPC Information Technology Services Policies website at https://www.southplainscollege.edu/human_resources/policy_procedure/?%20. Reference materials, legal compliance guidelines, and policy enforcement are available in the IA-Policy Compliance Document. The SPC Information Security Program and SPC Information Security User Guide are also available on the Information Technology Services Policies website.
DIR Security Controls Catalog Control Group: AC-2
Approved by: Executive Council, 9/17/2018
Next Review: August 1, 2020