skip to main content
Infrastructure Division of Information Technology

Identity Services

Appropriate Use Policy


Texas A&M Identity Services collects demographic, role and contact data to support identity management, provisioning, authentication, and authorization. Texas A&M service providers may request limited access to approved datasets. All requests are subject to a rigorous, cross functional review to determine appropriateness of use.

The following data governance policies are designed to ensure compliant use of that information, protecting the security and privacy of that data.

  1. Texas A&M Identity Services data use must be authorized by the appropriate data custodians for student, employee or other data using the identity data request form (doc|pdf).

    • This form is used by the service provider to specify what data elements are needed for what purpose.

    • The data obtained must be used only for the specific purpose and by the named requestor identified on the request form. The data may not be redistributed, cannot be used for any other purpose, and cannot be supplied to other applications. The data may not be used to produce derivative works or in the creation and/or publication of reports without explicit permission.

    • Texas A&M Identity Services data consumers will be contacted annually to verify continued need for data access.

  2. Texas A&M Identity Services data use must comply with the applicable Federal and State of Texas regulations concerning privacy and security as well as complying with applicable University policy.

    • Texas A&M Identity Services data use is specifically bound by the University FERPA Policy and University Acceptable Use Guidelines.

    • Campuses or units that have local applicable laws such as the Qatar "Data Protection Law" and, when applicable, GDPR for EU citizens resident in the EU must ensure these protections are followed.

    • If there is a third party contractual obligation that has specific identity data protection requirements it is the responsibility of the requesting unit or program to first discuss with Texas A&M Identity Services.

  3. Texas A&M Identity Services data consumers must provide information on what Texas A&M Identity Services data they store locally.

  4. Texas A&M Identity Services data consumers must apply all required controls to ensure the security and privacy of identity data whether at rest (stored) or in motion (transmitted).

    • All systems receiving data must have an annual risk assessment completed and a current (less than 30 days old) vulnerability scan performed by Division of IT Security Assessment.

    • All systems receiving data must install Division of IT supplied forwarder and provide data (access logs and other system logs) to the SIEM operated by IT Security Operations.

    • Utilize security best practices as posted at http://security.tamu.edu/.

  5. Consumers of Texas A&M Identity Services data responsible for any security breach traceable to their use or specific authorization will be reported to the Chief Information Security Officer.

  6. All systems receiving data are subject to periodic audits, annual risk assessments, and monthly vulnerability assessments.