We identify ourselves to University Information Resources by using a unique username, and we prove that identity by authenticating with a strong password. Though there are times when we use more than one authentication factor, the username and password combination remains our root form of authentication. The unique username is intended to provide individual accountability – that is, the only person who could be logging in is the one with that username, because only that user knows the strong password. University policy, along with State and Federal requirements, mandates that usernames and passwords not be shared.
There are extremely rare circumstances, though, when operational or technological needs require that more than one person have access to an Information Resource at the same time. Some test or laboratory equipment must be left on all the time to collect data or to run experiments, but must still be locked when unattended. If multiple people are required to review the results of the experiments or must otherwise check the equipment, they must know the necessary password to gain access.
In such a case, to maintain positive control of the equipment while still allowing needed access and maintaining proper security, an exemption to the policy regarding sharing passwords is necessary. To ensure everyone is aware of the controls which must be in place to allow proper security, all personnel who will be sharing this access must be identified and must be cognizant of the risks. The exemption form contains the necessary fields for users and equipment. The completed form will also be used to perform any required audits of the process.
The overall exemption process is as follows:
- Requester gathers and provides documentation justifying the exemption (see list below).
- Requester submits the request for exemption using the online exemption request form.
- The Chief Information Security Officer (CISO) makes the decision.
- The CISO communicates the decision:
  - Denial – notify the requester with an explanation for the denial.
  - Approval – notify the requester and assign an expiration date.
Supporting documentation for the exemption request includes, but isn’t limited to:
- The location of the system (building, room)
- Owning department, along with responsible personnel (dean/director/chair, requester, etc.)
- How the system will be used
- List of users sharing the account
- How misuse of the system will be prevented
Note: If you are not able to access the online form, download the form to your computer by right-clicking on this link: Exemption Request Form
- Internet Explorer – “Save Target As …”
- Firefox – “Save Link As …”
- Chrome – “Save link as …”
1. Download the form to your computer (requires Microsoft Excel 2007 or later)
2. Read tab “1-Instructions Page”
3. Fill out tab “2-General Form”
4. Fill out tab “Group Acct and Password”
5. Begin collecting the necessary signatures
For more information regarding the exemption process, please contact Information Security at grc@uthscsa.edu, or the Information Security Hotline at 210-567-0707.