IT/PPS 04.21 - Banner Access and Review

POLICY STATEMENT

Texas State University is committed to ensuring proper access to the Banner administrative system.

1. PURPOSE

   1. The purpose of this policy is to ensure that access to the Banner administrative system is granted, reviewed, and maintained in accordance with the Principle of Least Privilege and institutional Identity and Access Management (IAM) standards. Regular access reviews are required to confirm that Banner access for staff remains appropriate, authorized, and aligned with current job responsibilities.

2. SCOPE

   1. This policy applies to all staff who have been granted access to the Banner system and to all departments responsible for overseeing such access.

3. PERIODIC REVIEW OF BANNER ACCESS

   1. Best practice and institutional IAM standards mandate periodic reviews of Banner access to ensure that:

      1. access is limited to the minimum level necessary to perform assigned duties;

      2. access remains appropriate based on current role and employment status; and

      3. inactive, unnecessary, or excessive access is promptly modified or removed.

4. ROLES AND RESPONSIBILITIES

   1. Department directors are accountable for ensuring that Banner access reviews are completed and documented for staff within their departments. Directors may delegate review activities to appropriate personnel but retain responsibility for compliance.

   2. Technology Resources is responsible for:

      1. providing required access review reports;

      2. managing the annual Third-Party Role Review process; and

      3. supporting audit and compliance activities related to Banner access.

   3. The Enterprise Systems Reporting Team provides access to Banner security and usage reports required to support this policy.

5. ACCESS REVIEW REQUIREMENTS

   1. Banner access reviews will be conducted bi-annually and annually to ensure continuous compliance with IAM and least-privilege standards.

6. BI-ANNUAL ACCESS REVIEW PROCESS

   1. Prerequisite (One-Time-Setup)

      Department directors of the designees must request inclusion as recipient for the following reports by contacting the Enterprise Systems Reporting Team at bi-reporting@txstate.edu.

      1. Report 1673 – Banner Security Access Audit Report; and

      2. Report 1129 – Inactive Banner Users Report.

      The reports are produced and distributed every six months, and they must be reviewed on receipt.

   2. Bi-Annual Review Tasks

      1. Review Report 1673 – Banner Security Access Audit Report

         This report identifies individuals whose Banner access eligibility may have changed (e.g., new hires, transfers).

         Required Actions:

         1. review all department staff listed; and

         2. if access is no longer appropriate or requires modification, submit the proper access change or removal request.

      2. Review Report 1129 – Inactive Banner Users Report

         This report identifies users who have not logged in within the allowable timeframe, as defined by UPPS No. 07.08.05, Student Information System Access Privileges.

         1. Guest – 30 days;

         2. Student employee – 120 days; and

         3. Faculty or staff – 366 days.

         Required Actions:

         1. evaluate whether continued Banner access is required; and

         2. if access is no longer justified, submit a request for removal in accordance with least-privilege principles

   3. Documentation and Evidence

      1. For each bi-annual review cycle, the reviewer must:

         1. send an email to their supervisor stating either no action was required, or access changes were required, requested, and implemented (including the names of affected staff); and

         2. retain this communication as evidence of compliance by saving it within an email folder, or in an approved institutional repository (e.g., shared drive, Teams channel).

      2. This documentation will serve as audit evidence that access reviews were performed.

7. ANNUAL ACCESS REVIEW PROCESS

   1. An annual Banner access review will be conducted as part of the Third-Party Role Review, managed by Technology Resources. This review typically occurs in May.

   2. Prerequisite (One-Time Setup)

      Participants will receive instructions via email on how to request access to Report TZG0017.

   3. Annual Review Tasks

      1. review Report TZG0017, filtered by department;

      2. validate each staff members’ Banner access aligns with current job duties and least-privilege standards;

      3. submit access modification or removal requests, as necessary;

      4. complete and return the provided certification form confirming all Banner access has been reviewed and validated; and

      5. if access is no longer appropriate or requires modification, submit the proper access change or removal request.

8. COMPLIANCE AND ENFORCEMENT

   1. Failure to complete required Banner access reviews or maintain appropriate documentation may result in audit findings and corrective actions. Non-compliance with this policy may be addressed in accordance with Information Technology governance and security policies.

9. POLICY REVIEW

   1. This policy shall be reviewed periodically by Technology Resources to ensure alignment with evolving IAM standards, audit requirements, and institutional security practices.

10. REVIEWERS OF THIS PPS

    1. Reviewers of this PPS include the following:

       Position	Date
       Associate Vice President for Technology Resources	March 1 E5Y
       Chief Technology Officer	March 1 E5Y
       Vice President for Information Technology	March 1 E5Y

11. CERTIFICATION STATEMENT

    This PPS has been approved by the following individuals in their official capacities and represents Texas State Information Technology policy and procedure from the date of this document until superseded.

    Associate Vice President for Technology Resources; senior reviewer of this PPS

    Vice President for Information Technology