Policy Number: IT.2.3.1S
Category: Information Security
Effective: July 1, 2019
Revision History: Replaces the Identity and Access Management Standard originally effective September 28, 2011; updated April 17, 2012
Review Date: June 30, 2022
PURPOSE, SCOPE, AND RESPONSIBILITIES
- Pursuant to the Identity Management and Access Management Policy, Information Technology Services (“ITS”) is responsible for issuing Digital Identities (“University Accounts”) to Organizational Users associated with West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Account Owners”). ITS accomplishes this responsibility through its Identity and Access Management Program (“IAM”).
- The purpose of this Standard is to outline the minimum requirements for IAM to generate a University Account. It is based on the Identification and Authentication control family of NIST SP 800-53 and the NIST SP 800-63-3 Digital Identity Guidelines.
- This Standard applies to the creation and management of all University Accounts created by IAM for University Account Owners.
- The Chief Information Security Officer is responsible for the implementation and enforcement of this Standard. IAM is responsible for issuing official University Accounts.
- A University Account is the Digital Identity of an Organizational User and is comprised of three attributes: a unique ID number (“WVUID”), Credentials (“WVU Login”), and an email address.
- The University’s primary identifier for all information systems and electronic communications is the WVUID.
- The WVUID must be a 9-digit number that is unique to a single person and must never be reused.
- Individuals must never have more than one WVUID and the same WVUID must not be used for multiple people.
- If duplicate WVUID numbers are identified, all reasonable steps must be taken to eliminate those as soon as they are discovered.
- The official username used in conjunction with a password to access University Information Systems is the WVU Login.
- WVU Login usernames must be unique to each individual and never reused.
- The format for WVU Login usernames is the initials of the first name, middle name, and last name combined with a five-digit consecutively assigned number. Example: Jane Anne Doe would be jad00001 and Jane Alexandria Doe would be jad00002.
- WVU Login username will be active for all admitted and enrolled students and active employees. Retirees with Emeritus status are considered active employees.
- Pursuant to the Electronic Mail Policy, only University-issued email accounts may be used to conduct University business. All University email accounts will be issued according to requirements within the Email Account Standard.
- The authoritative repository of University Accounts will be maintained within Enterprise Directory Services (“EDS”) which is comprised of multiple technical components to facilitate both Identity Management and Authentication.
- Those individuals with the role of EDS Administrators will be the only individuals permitted to add, modify, or delete University Accounts.
- EDS Administrators will issue three types of University Accounts: Individual Accounts, Service Accounts, and Resource Accounts.
- Shared Accounts, through which multiple individuals use the same account and credentials to access a system, are prohibited.
- Individual Accounts will automatically be issued to University students and employees based on information provided from Authoritative Sources.
- Accounts for other Organizational Users (e.g., system vendors, consultants, or conference attendees) must be requested by someone with an active WVU Login.
- All individuals must activate their Individual Account using the account claiming process at https://login.wvu.edu to synchronize passwords for all connected accounts.
- Claiming a University Account requires confirmation of identity. To do so, the individual must provide the following:
  - Legal first and last name;
  - Birth date; and,
  - WVUID, employee number, or Social Security number.
- Once a University Account has been claimed, the individual must create a strong password that meets the Password Standard. The individual will then use the WVU Login username and password (“Credentials”) to facilitate Authentication.
- Start and end access dates for Individual Accounts will be based on the information entered in the Authoritative Sources for each individual and passed to EDS.
- Passwords for Individual Accounts are required to be changed at minimum once every year. The account will be disabled if the individual does not reset the password to continue access.
- IAM will create Service Accounts for those University Information Systems that need to Authenticate to perform a specific activity, such as sending email.
- Service Accounts must only be created and used for a specific purpose.
- Service Accounts must be requested by the Information System Owner. A short description of the business case that necessitates the creation of the account is required to approve creation.
- All Service Accounts must have a designated Service Account Owner (“SAO”) who is responsible for management of access to the account.
- Service Account usernames must be as close as possible to the name of the application/service, prefixed with "srv" to indicate it is a Service Account (e.g., srvsqulserver1).
- IAM will create a password for all Service Accounts and share with the SAO to manage the account. Passwords must be changed for Service Accounts annually; however, the SAO may coordinate with IAM if it is necessary to change the password more frequently.
- Passwords for all Service Accounts must meet the Password Standard.
- IAM will inventory and conduct an annual audit of all Service Accounts. Those Service Accounts no longer needed will be disabled.
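As an added illustration (not WVU's or IAM's code; the class, function names and sample values are constructed for this example), a small Python allocator that enforces the identifier rules this Standard sets out: 9-digit WVUIDs, one per person and never reused; WVU Login usernames built from initials plus a consecutively assigned five-digit number; the "srv" prefix for Service Accounts; and an audit helper that flags duplicate WVUIDs so they can be eliminated.

```python
import re
from collections import defaultdict

WVUID_RE = re.compile(r"^\d{9}$")  # a WVUID must be exactly 9 digits


class IdentityRegistry:
    """Hypothetical registry. Every identifier ever issued is kept forever,
    because the Standard says WVUIDs and WVU Logins are never reused."""

    def __init__(self):
        self.issued_logins = set()                # retired logins stay here
        self.next_seq = defaultdict(lambda: 1)    # initials -> next number
        self.wvuid_of = {}                        # person -> WVUID (one each)
        self.owner_of = {}                        # WVUID -> person (one each)

    def assign_login(self, first, middle, last):
        # Initials of first, middle and last name + five-digit consecutive number
        initials = "".join(n[0] for n in (first, middle, last) if n).lower()
        if not initials.isalpha():
            raise ValueError("initials must be letters")
        seq = self.next_seq[initials]
        login = f"{initials}{seq:05d}"
        if seq > 99999 or login in self.issued_logins:
            raise ValueError(f"no free login for initials {initials}")
        self.next_seq[initials] = seq + 1
        self.issued_logins.add(login)
        return login

    def service_login(self, app_name):
        # Service Accounts: "srv" + a name as close to the application as possible
        login = "srv" + re.sub(r"[^a-z0-9]", "", app_name.lower())
        if login in self.issued_logins:
            raise ValueError(f"{login} already issued")
        self.issued_logins.add(login)
        return login

    def assign_wvuid(self, person, wvuid):
        if not WVUID_RE.match(wvuid):
            raise ValueError("WVUID must be exactly 9 digits")
        if self.wvuid_of.get(person, wvuid) != wvuid:
            raise ValueError(f"{person} already has WVUID {self.wvuid_of[person]}")
        if self.owner_of.get(wvuid, person) != person:
            raise ValueError(f"WVUID {wvuid} already belongs to {self.owner_of[wvuid]}")
        self.wvuid_of[person] = wvuid
        self.owner_of[wvuid] = person
        return wvuid


def duplicate_wvuids(records):
    """Audit helper: from (person, wvuid) pairs pulled from the Authoritative
    Sources, return WVUIDs mapped to more than one person."""
    owners = defaultdict(set)
    for person, wvuid in records:
        owners[wvuid].add(person)
    return {w: sorted(p) for w, p in owners.items() if len(p) > 1}
```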
- IAM will create Resource Accounts to manage non-person items or information systems, such as conference rooms, equipment, and departmental shared inboxes and calendars.
- Resource Accounts must be created and used for a specific purpose, such as to conduct services on behalf of a University department.
- Resource Accounts must be requested by the department chair or resource owner. A short description of the business case that necessitates the creation of the account is required to approve creation.
- All Resource Accounts must have a designated Resource Account Owner (“RAO”) who is responsible for management of access to the account.
- The format for the username of a Resource Account will vary depending on the purpose of the account but should be as close to the name of the resource as possible.
- IAM will create a password for all Resource Accounts and share it with the RAO to manage the account. Passwords for Resource Accounts must be changed annually; however, the RAO may coordinate with IAM if it is necessary to change the password more frequently.
- All individuals other than the RAO who are granted access to a Resource Account will Authenticate using their personal WVU Login credentials.
- Passwords for all Resource Accounts must meet the Password Standard.
- IAM will inventory and conduct an annual audit of all Resource Accounts. Those Resource Accounts no longer needed will be disabled.
- When technically possible, EDS, whether used in part or whole, must be used to Authenticate individuals to a University Information System or federated system using their WVU Login.
- When technically possible, all University Information Systems must Authenticate via a central Identity Provider that enables single sign-on, such as Shibboleth or Active Directory Federation Services.
- University Account data received from EDS to enable Authentication to a University Information System must not be further shared, whether within the University or outside of it, without expressed approval of ITS.
- “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System. IAM utilizes the following Identity Providers to facilitate both Single Sign On and Federated Identity authentication: Shibboleth, Central Authentication Services (CAS), Active Directory (AD), Oracle Directory Server Enterprise Edition (DSEE), and Oracle Internet Directory (OID).
- Single Sign On (SSO) is when a University Account Owner uses the same WVU Login credentials to access University Information Systems.
- Federated Identity is when a University Account Owner uses their WVU Login to access information systems outside of the University by establishing a trust with the University or when the University establishes a trust with an outside entity that provides access to University Information Systems by individuals who do not have WVU Login credentials.
- “Authoritative Sources” means an entity that has access to, or verified copies of, accurate information from an issuing source that can confirm the validity of the identity evidence supplied by an applicant during identity proofing. The University’s student authoritative source is Banner, employee authoritative source is MAP, and the Identity Repository (“IdR”) is the repository for other Organizational Users.
- “Digital Identity” means the unique representation of a subject engaged in an online transaction. A digital identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts.
- “Identity Provider” means a system that creates, maintains, and manages identity information while also providing authentication services to applications within the campus network or federation, such as Shibboleth or Active Directory Federation Services ("ADFS").
- “Identity Management” means the creation and maintenance of the unique University Accounts that distinguish one individual from another. IAM utilizes the following technical components to create and manage University Accounts: SailPoint, Active Directory, OID, and IdR.
- “Organizational Users” means an employee, student, or individual the University deems to have equivalent status to an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
- “University Information System” means an information system or device that is on the campus network, requires Authentication, and is used at the University to support the academic, administrative, research, and outreach activities of the University such as O365, eCampus, STAR, MAP, and University-owned devices.