
Identity and Authentication Management Standard

Policy Number: 1.11.2.3.1
Category: Information Security
Effective: August 16, 2022
Revision History: Replaces the Identity and Access Management Standard originally effective September 28, 2011; updated April 17, 2012; updated July 1, 2019
Review Date: August 15, 2025

  1. PURPOSE, SCOPE, AND RESPONSIBILITIES

    1. Pursuant to the Identity and Access Management Policy, Information Technology Services (“ITS”) is responsible for issuing Digital Identities to Organizational Users and information systems (“University Accounts”) associated with West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Account Owners”). ITS accomplishes this responsibility through its Identity and Access Management Program (“IAM”).
    2. The purpose of this Standard is to outline the minimum requirements for IAM to generate a University Account and is based on the Identity and Authentication Control Family of NIST 800-53 and NIST 800-63-3 Digital Identity Guidelines.
    3. This Standard applies to the creation and management of all University Accounts created by IAM.
    4. The Chief Information Officer (“CIO”), supported by the Chief Information Security Officer (“CISO”), is responsible for the implementation and enforcement of this Standard. IAM is responsible for issuing official University Accounts.
  2. UNIVERSITY ACCOUNTS

    1. The authoritative repository of University Accounts will be maintained within Enterprise Directory Services (“EDS”), which comprises multiple technical components supporting both Identity Management and Authentication.
    2. Those individuals with the role of EDS Administrators will be the only individuals permitted to add, modify, or delete University Accounts.
    3. EDS Administrators will issue the following person and non-person accounts:
      1. Person Accounts: WVU Login Account and Personal Administrative Account.
      2. Non-person Accounts: Service Accounts, Shared Application Accounts, and Emergency Access Accounts.
    4. All University Accounts must have a unique ID number (“WVUID”) assigned. The WVUID is the University’s primary identifier for all University Information Systems and electronic communications.
      1. The WVUID must be a 9-digit number that is unique to a single account and must never be reused.
      2. University Accounts must never have more than one WVUID and the same WVUID must not be used for multiple accounts.
      3. If duplicate WVUID numbers are identified, all reasonable steps must be taken to eliminate those as soon as they are discovered.
    5. The creation and management of passwords for all University Accounts must meet the requirements outlined within the Password Standard.
  3. WVU Login Accounts

    1. IAM issues WVU Login Accounts as the Digital Identity for University students and employees based on information provided from Authoritative Sources.
    2. Sponsored Accounts for other Organizational Users (e.g., system vendors, consultants, or conference attendees) must be requested by an individual with an active WVU Login Account (“Sponsor”).
    3. A WVU Login Account comprises five attributes: the individual’s legal name, birth date, WVUID number, username and password (“Credentials”), and an email address.
    4. All WVU Login Accounts must have an individual’s legal first, middle, and last name assigned to it.
      1. Pursuant to the Identity and Access Management Policy, IAM will provide the ability for an individual to designate a chosen name that will display within University Information Systems instead of the individual’s legal first and last name. Chosen name may not display in all University Information Systems due to system limitations.
      2. Chosen names will not appear on documents generated by University Information Systems that require an individual’s legal name, such as diplomas, transcripts, or tax documents.
    5. WVU Login usernames must be unique to each account and never reused.
      1. The format for WVU Login usernames is the initials of the first name, middle name, and last name combined with a five-digit consecutively assigned number. Example: Jane Anne Doe would be jad00001 and Jane Alexandria Doe would be jad00002.
      2. A WVU Login username will remain active for all admitted and enrolled students and active employees. Retirees with Emeritus status are considered active employees.
    6. Changes to assigned WVU Login usernames are not permitted for convenience or user preference. A username will only be changed in the following circumstances:
      1. The system-generated username could be considered derogatory, insensitive, or offensive; or,
      2. As otherwise mandated by the Office of General Counsel, University Police Department, the CIO, or CISO.
    7. All individuals must activate their WVU Login Account using the account claiming process at https://login.wvu.edu to synchronize passwords for all connected accounts.
    8. Claiming a WVU Login Account requires confirmation of identity. To do so, the individual must provide the following:
      1. Legal first and last name;
      2. Birth date; and,
      3. WVUID, employee number, or Social Security number.
    9. Once a WVU Login Account has been claimed, the individual will use the WVU Login Credentials to Authenticate to University Information Systems that utilize EDS for Authentication.
    10. Start and end access dates for WVU Login Accounts will be based on the information entered in the Authoritative Sources for each individual and passed to EDS.
    11. Start and end dates for Sponsored Accounts will be based on the information provided by Sponsors and entered directly into EDS. Sponsored Accounts must be no longer than one year from the date of request. The Sponsor must annually renew each Sponsored Account.
    12. Sponsored Account requests can only be submitted by an individual with an employee role and valid WVU Login account.
    13. Passwords for all WVU Login Accounts are required to be changed at minimum every year. An account will be disabled if the individual does not reset the password to continue access.
  4. Personal Administrative Accounts

    1. IAM creates Personal Administrative Accounts for individuals with Privileged Access to University Information Systems, to separate this Privileged Access from being conducted by an individual’s WVU Login Account.
      1. The format for Personal Administrative Account usernames must include the individual’s WVU Login username with a prefix or suffix to indicate the service to which the account is being granted access (e.g., jad00001-da).
      2. The individual’s supervisor must approve all requests for Personal Administrative Accounts.
      3. Personal Administrative Accounts must be audited annually to ensure such access should be continued.
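The username rules in Sections 3.5 and 4.1.1 (initials plus a five-digit consecutively assigned number; a username is never reused; a Personal Administrative Account username is the WVU Login username with a service suffix) can be checked mechanically. The following is an added example, not IAM's or EDS's own code: the in-memory registry, the `retire`/`is_active` bookkeeping and the `-da` style suffix handling are assumptions for illustration.

```python
"""Illustrative WVU Login username allocator (added example, not IAM code).

Rules implemented from the Standard:
  - username = initials of legal first, middle, last name + five-digit sequence
    (Jane Anne Doe -> jad00001, Jane Alexandria Doe -> jad00002)
  - a username, once issued, is never reused, even after the account closes
  - Personal Administrative Account username = login username + "-" + service suffix
The registry structure itself is an assumption for the example.
"""
import re
from dataclasses import dataclass, field

USERNAME_RE = re.compile(r"^[a-z]{3}\d{5}$")
MAX_SEQ = 99999  # five-digit sequence space


@dataclass
class UsernameRegistry:
    # Every username ever issued stays here for life (Section 3.5: never reused).
    issued: set = field(default_factory=set)
    # Usernames whose account is currently active.
    active: set = field(default_factory=set)
    # Highest sequence number handed out per initials prefix.
    next_seq: dict = field(default_factory=dict)

    @staticmethod
    def initials(first: str, middle: str, last: str) -> str:
        parts = [first, middle, last]
        if not all(p.strip() for p in parts):
            raise ValueError("legal first, middle and last name are all required (Section 3.4)")
        return "".join(p.strip()[0].lower() for p in parts)

    def allocate_login(self, first: str, middle: str, last: str) -> str:
        prefix = self.initials(first, middle, last)
        seq = self.next_seq.get(prefix, 0)
        while True:
            seq += 1
            if seq > MAX_SEQ:
                raise OverflowError(f"five-digit sequence exhausted for prefix {prefix}")
            username = f"{prefix}{seq:05d}"
            # Skip numbers already present (e.g. seeded from an older system)
            # rather than ever reissuing one.
            if username not in self.issued:
                break
        self.next_seq[prefix] = seq
        self.issued.add(username)
        self.active.add(username)
        return username

    def retire(self, username: str) -> None:
        """Close the account; the username remains reserved forever."""
        if username not in self.issued:
            raise KeyError(username)
        self.active.discard(username)

    def is_active(self, username: str) -> bool:
        return username in self.active

    def admin_username(self, login: str, service: str) -> str:
        """Personal Administrative Account name derived from an active login (Section 4.1.1)."""
        if not USERNAME_RE.match(login) or login not in self.active:
            raise ValueError(f"{login} is not an active WVU Login username")
        # Suffix convention assumed from the Standard's "jad00001-da" example.
        return f"{login}-{service}"


if __name__ == "__main__":
    reg = UsernameRegistry()
    print(reg.allocate_login("Jane", "Anne", "Doe"))          # jad00001
    print(reg.allocate_login("Jane", "Alexandria", "Doe"))    # jad00002
    reg.retire("jad00001")
    print(reg.allocate_login("John", "Adam", "Dunn"))         # jad00003, jad00001 is not reused
    print(reg.admin_username("jad00002", "da"))              # jad00002-da
```

Seeding `issued` with usernames from a legacy system (`UsernameRegistry(issued={"jad00001"})`) is enough to make the allocator skip over them, which is the property Section 3.5 asks for.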
  5. Service Accounts

    1. IAM creates Service Accounts for those University Information Systems that need to Authenticate to interact with the operating system and must only be used by University Information Systems.
    2. Service Accounts are non-person accounts that must only be created and used for a specific purpose, such as sending email or running scripts.
    3. A Service Account comprises two attributes, WVUID and username, which are both unique to each Service Account and must never be reused.
    4. A Service Account username must match the name of the application/service it supports as closely as possible (e.g., sqlserver1).
    5. Service Accounts must be granted Least Privilege with explicit permission assigned.
    6. Separate Service Accounts must be created to conduct either non-privileged or Privileged Access. Service Accounts must never be granted the ability to conduct both non-privileged and Privileged Access.
    7. Service Accounts must be requested by the Information System Owner. A short description of the business case that necessitates the creation of the account is required to approve creation.
    8. All Service Accounts must have a designated Service Account Owner (“SAO”) and backup owner who are responsible for management of the account. The Service Account Owner and the backup owner are the only persons who have access to manage the account.
    9. The SAO or backup owner will create a password for the account via the Service Account Console. Passwords that meet the Password Standard must be changed for Service Accounts every three years; however, if the password does not meet the requirements within the Password Standard, the password must be changed more frequently.
    10. Service Accounts must never be used in place of an individual using their WVU Login or Personal Administrative Account to access University Information Systems. Service Accounts must only be logged into by a person for information system maintenance, development, or troubleshooting. Interactive logins must be prohibited when technically possible; where interactive logins are permitted, alerts must be set up for those accounts.
    11. IAM will maintain an inventory of all Service Accounts. This inventory will include:
      1. Account Username;
      2. Service Account Owner;
      3. Purpose/privileges granted to the account;
      4. Product the account supports;
      5. What host(s) the account authenticates to;
      6. The target (e.g., database, application) the account interacts with and how frequently;
      7. Why those entitlements are required for the account; and,
      8. Who has access to the account.
    12. IAM will conduct an annual audit of all Service Accounts. Those Service Accounts no longer needed will be disabled.
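Sections 5.10 and 5.11 together describe an inventory (username, owner, hosts the account authenticates to, target, justification, who has access) and a monitoring requirement (interactive logins prohibited, or alerted on where permitted). The following added example, which is not IAM's code, holds an inventory in that shape and runs a check over constructed authentication events; the record field names, the `host=... user=... logon=...` event format and all sample data are assumptions for the example. It goes one step beyond the text by also flagging a Service Account that authenticates to a host not listed for it in the inventory.

```python
"""Added example (not IAM code): Service Account inventory + interactive-logon alerting."""
from dataclasses import dataclass


@dataclass(frozen=True)
class ServiceAccountRecord:
    """One inventory row per Section 5.11; field names are assumed for the example."""
    username: str
    owner: str                   # Service Account Owner (SAO)
    backup_owner: str
    purpose: str                 # purpose / privileges granted
    product: str                 # product the account supports
    hosts: frozenset             # host(s) the account authenticates to
    target: str                  # e.g. database, application
    justification: str           # why the entitlements are required
    people_with_access: frozenset
    interactive_allowed: bool = False   # Section 5.10: prohibit when technically possible


# Constructed inventory rows.
INVENTORY = [
    ServiceAccountRecord("sqlserver1", "dba-lead", "dba-backup", "run the SQL Server service",
                         "SQL Server", frozenset({"db01"}), "database",
                         "service must start under this identity",
                         frozenset({"dba-lead", "dba-backup"}), interactive_allowed=False),
    ServiceAccountRecord("mailrelay", "msg-owner", "msg-backup", "submit application email",
                         "mail relay", frozenset({"app07"}), "application",
                         "relay must authenticate to submit mail",
                         frozenset({"msg-owner", "msg-backup"}), interactive_allowed=True),
]

# Constructed authentication events in an assumed key=value format.
SAMPLE_LOG = """\
2024-03-01T02:10:00Z host=db01 user=sqlserver1 logon=service
2024-03-01T02:12:30Z host=db01 user=sqlserver1 logon=interactive
2024-03-01T02:15:00Z host=app07 user=mailrelay logon=interactive
2024-03-01T02:20:00Z host=lab42 user=sqlserver1 logon=service
2024-03-01T02:21:00Z host=app07 user=jad00001 logon=interactive
"""


def parse_event(line: str) -> dict:
    """Turn 'TS key=value ...' into a dict; the format is an assumption of this example."""
    ts, *pairs = line.split()
    fields = dict(p.split("=", 1) for p in pairs)
    return {"timestamp": ts, **fields}


def check_service_account_logons(inventory, log_text: str):
    """Return (severity, username, host, message) tuples for events that need attention.

    high   - interactive logon by an account for which it is prohibited
    info   - interactive logon by an account where it is permitted (notify owner)
    medium - account authenticated to a host not listed in its inventory row
    """
    by_name = {r.username: r for r in inventory}
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        ev = parse_event(line)
        rec = by_name.get(ev.get("user"))
        if rec is None:
            continue  # person account; outside the scope of this check
        interactive = ev.get("logon") == "interactive"
        if interactive and not rec.interactive_allowed:
            alerts.append(("high", rec.username, ev["host"],
                           f"interactive logon prohibited for this account; notify {rec.owner}"))
        elif interactive:
            alerts.append(("info", rec.username, ev["host"],
                           f"permitted interactive logon; notify {rec.owner} for review"))
        if ev["host"] not in rec.hosts:
            alerts.append(("medium", rec.username, ev["host"],
                           f"host not in inventory (expected one of {sorted(rec.hosts)})"))
    return alerts


if __name__ == "__main__":
    for sev, user, host, msg in check_service_account_logons(INVENTORY, SAMPLE_LOG):
        print(f"[{sev}] {user}@{host}: {msg}")
```

The same inventory rows can drive the annual audit in Section 5.12: any row whose username produced no events over the audit period is a candidate for disabling.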
  6. Shared Application Accounts

    1. Shared Application Accounts are non-person accounts, through which multiple individuals use the same account and credentials to access a University Information System.
    2. Shared Application Accounts must only be created by IAM.
    3. Separate Shared Application Accounts must be created to conduct either non-privileged or Privileged Access. Shared Application Accounts must never be granted the ability to conduct both non-privileged and Privileged Access.
    4. Shared Application Accounts granted the ability to conduct non-privileged functions must be managed using a Password Vault (e.g., LastPass). Shared Application Accounts granted the ability to conduct Privileged Access must be managed using a Privileged Access Management tool (e.g., BeyondTrust).
    5. All Shared Application Accounts must have a designated Shared Application Account Owner (“SAAO”) and backup owner who are responsible for management of the account.
    6. The SAAO is responsible for approving other individuals’ access to the Shared Application Account.
    7. IAM will maintain an inventory of all Shared Application Accounts. This inventory will include:
      1. Account Username;
      2. Shared Application Account Owner;
      3. Purpose/privileges granted to the account;
      4. Product the account supports;
      5. What host(s) the account authenticates to;
      6. The target (e.g., database, application);
      7. Why those entitlements are required for the account; and,
      8. Who has access to the account.
    8. SAAO must conduct an annual audit of all individuals with access to the Shared Application Accounts they manage and remove those individuals who no longer need access.
    9. IAM will conduct an annual audit of all Shared Application Accounts and disable those no longer needed.
  7. Emergency Access Accounts

    1. IAM also creates Emergency Access Accounts granted administrative access within University information systems (e.g., Active Directory) to be used only in emergency situations when other accounts cannot be used to log in to the service. These accounts are also known as Break-Glass Accounts.
      1. Emergency Access Accounts must not be maintained in Enterprise Directory Services. Credentials must be stored within a Password Vault and only be known to individuals authorized to use them.
      2. Emergency Access Accounts are highly privileged and must not be assigned to a specific individual, connected to any personal mobile devices, hardware tokens that travel with an employee, or other University Account credentials.
      3. Emergency Access Accounts must be monitored to alert when used.
  8. Authentication

    1. Pursuant to the Identity and Access Management Policy, all University Information Systems must utilize Authentication to constitute an official identification of an individual to the University.
    2. University Information Systems storing Sensitive Data must utilize EDS in conjunction with Two-Factor Authentication (“2FA”) to Authenticate individuals.
    3. When technically possible, use of EDS to Authenticate individuals to a University Information System or federated system using their WVU Login is preferred.
    4. Creation of local accounts for Authentication should only be utilized when use of EDS is technically not possible. Such accounts must meet the password creation and management requirements within the Password Standard.
    5. University Information Systems that do not utilize EDS for Authentication must implement 2FA, when technically possible.
    6. University Account data received from EDS to enable Authentication to a University Information System must not be further shared, whether within the University or outside of it, without the express approval of ITS.
  9. Exceptions

    1. Resource Accounts may be created by various groups on campus to manage non-person and non-information system items, such as conference rooms, equipment, and departmental shared email inboxes and calendars. Resource Accounts are not created by IAM or managed as University Accounts; however, IAM must be notified when such an account is created to ban the username from being issued for official University Accounts.
    2. Local Administrative Accounts, separate from WVU Login accounts, may be created to provide administrative access for an individual to conduct Privileged Access. IAM does not create these accounts and they are not managed as University Accounts; however, such accounts must meet the requirements of Personal Administrative Accounts identified within Section 4 of this Standard.
    3. Vendor-created and managed accounts may be used by University Information Systems. Such accounts are not created and managed by IAM; however, IAM must be notified of such accounts to add them to the University Account inventory.
  10. Definitions

    1. “Personal Administrative Accounts” means accounts with full privileges intended to be used only when performing personal computer management tasks, such as installing updates and application software, managing user accounts, and modifying operating system and application settings.
    2. “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
      1. Single Sign On (SSO) is when a University Account Owner uses the same WVU Login credentials to access University Information Systems.
      2. Federated Identity is when a University Account Owner uses their WVU Login to access information systems outside of the University by establishing a trust with the University or when the University establishes a trust with an outside entity that provides access to University Information Systems by individuals who do not have WVU Login credentials.
    3. “Authoritative Sources” means an entity that has access to, or verified copies of, accurate information from an issuing source that can confirm the validity of the identity evidence supplied by an applicant during identity proofing. The University’s student authoritative source is Banner, the employee authoritative source is MAP, and the Identity Repository (“IdR”) is the repository for other Organizational Users.
    4. “Digital Identity” means the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts.
    5. “Enterprise Directory Services” means the repository for digital account registration at the University and includes:
      1. Active Directory. A Microsoft directory service for Windows domain networks.
      2. Oracle Internet Directory. A Lightweight Directory Access Protocol (LDAP) directory server that stores identity data.
      3. Oracle Directory Server Enterprise Edition. An LDAP server that provides identity virtualization, storage, and synchronization services.
    6. “Identity Management” means the creation and maintenance of the unique University Accounts that distinguish one individual from another. IAM utilizes the following technical components to create and manage University Accounts: SailPoint, Active Directory, OID, and IdR.
    7. “Identity Provider” means a system that creates, maintains, and manages identity information while also providing Authentication services to applications within the campus network or federation.
    8. “Password Vault” means a software program that keeps a number of passwords in a secure digital location that are accessed using a single master password. Also called Password Manager (e.g., LastPass).
    9. “Privileged Access Manager” means a tool that provides secure privileged access to critical assets (e.g., BeyondTrust).
    10. “Preferred Name” is any name a student or employee chooses to use other than their legal name.
    11. “Privileged Access” means accounts that have administrative rights to perform functions that make changes to an overall system, network, database, or server. Privileged functions include, but are not limited to, installing updates, editing registry, managing default access accounts, changing file-level permissions, and modifying operating system, configuration, or application settings. Non-privileged access means access granted to users permitting them to conduct normal daily functions.
    12. “Sponsored Accounts” means accounts created for individuals who are authorized to be onsite, unescorted, and to use University Information Systems when administrative or academic systems do not otherwise grant appropriate access via roles within Banner or MAP.
    13. “Organizational Users” means an employee, student, or individual the University deems to have equivalent status to an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
    14. “University Information System” means an information system or device that is on the campus network, requires Authentication, and is used at the University to support the academic, administrative, research, and outreach activities of the University such as O365, eCampus, STAR, MAP, and University-owned devices.
