Identity and Access Management Policy
Policy Number: IT.2.3
Category: Information Security
Effective: July 1, 2019
Revision History: Originally effective June 19, 2017
Review Date: June 30, 2022
PURPOSE, SCOPE, AND RESPONSIBILITIES
- The purpose of this Policy is to establish the rules that govern the issuance and maintenance of the Digital Identities at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Accounts”).
- This Policy applies to all University Accounts issued to employees, students, and Authorized Individuals (“University Account Owners”) to access University Services and Facilities.
IDENTITY AND ACCESS MANAGEMENT PROGRAM RESPONSIBILITIES
- The University Identity and Access Management Program (“IAM”) is responsible for establishing processes and procedures that enable secure, centralized access to University Information Systems. IAM accomplishes this mission through the following activities:
- Identity Management: The creation and maintenance of the unique University Accounts that distinguish one individual from another, as well as the confirmation of a University Account Owner’s identity when the individual requests access to a University Information System (“Authentication”).
- Access Management: The assurance that only authorized University Account Owners are granted access to use University Information Systems and that such access is granted on the basis of Least Privilege.
- If duplicate WVUID numbers are identified, all reasonable steps must be taken to eliminate those as soon as they are discovered.
- Responsibilities carried out by IAM in support of identity and access management include:
- Administering all authentication and password management systems;
- Employing appropriate encryption to protect the privacy of Credentials (“WVU Login”) during transmission;
- Providing a self-service site to allow University Account Owners to reset their passwords;
- Establishing mechanisms to ensure the individual or entity attempting to Authenticate to a University Information System is the individual to which the WVU Login was assigned;
- Synchronizing WVU Login between University Information Systems and codifying the rules related to these activities; and,
- Coordinating federated identity processes, single sign-on, and other means of securely accessing University Information Systems.
IDENTITY MANAGEMENT AT THE UNIVERSITY
- University Accounts will be created for individuals within the following categories:
- Students: Students admitted, enrolled, and attending the University; inherently included in this category are former students that have graduated or left the University.
- Employees: Employees with a full- or part-time appointment, retired employees, and individuals with Emeriti status pursuant to BOG Governance Rule 1.9 and BOG Faculty Rule 4.2.
- Authorized Individuals: Other individuals (e.g., vendors, courtesy assignments) who are authorized to be onsite, unescorted, and to use University Services and Facilities.
- All University Accounts will be created pursuant to the Identity and Authentication Management Standard and will be comprised of a unique ID number (“WVUID”), WVU Login, and an email address.
- The official repository for University Accounts is known as Enterprise Directory Services.
ACCESS MANAGEMENT AT THE UNIVERSITY
- Authentication to a University Information System constitutes an official identification of an individual to the University; therefore, the use of WVU Login for Authentication is required to access all University Information Systems.
- The creation of local accounts and/or use of Authentication that does not use WVU Login is prohibited.
- Two-Factor Authentication (“2FA”) is mandatory for all University Accounts with an Active Role including current students, employees, and Authorized
- University Accounts with a Passive Role (e.g., retirees, alumni) will not be required to use 2FA.
- All University Information Systems storing Sensitive Data must employ 2FA in conjunction with use of WVU Login.
- 2FA Whitelisting is not permitted for any University school, department, program, division, or individual.
- Unauthenticated Access to University Information Systems will be permitted only in exceptional circumstances (e.g., public kiosks) or when the service is intended to be publicly accessible without restrictions (e.g., University website). Such systems must be explicitly configured for Unauthenticated Access.
- Pursuant to the Acceptable Use of Technology Resources and Data, access to University Information Systems will be based on Least Privilege.
- At a minimum, Data Stewards must annually review user access privileges for the University Information System for which they are responsible and remove those individuals no longer requiring access.
UNIVERSITY ACCOUNT OWNER RESPONSIBILITIES
- University Account Owners will be held accountable for the actions that occur within a University Information System that has been Authenticated using their WVU Login; therefore, University Account Owners are responsible for safeguarding their WVU Login, which includes, but is not limited to:
- Successfully completing annual cybersecurity training;
- Creating and using passwords that conform to the Password Standard;
- Changing password immediately and notifying ITS when there is reason to believe a password has been improperly disclosed, accessed, or used by an unauthorized person;
- Never misusing their account or a University Information System. Misuse includes but is not limited to:
- Creating local accounts to access University Information Systems;
- Sharing their WVU Login with someone else to access a University Information System;
- Using someone else’s WVU Login to Authenticate to a University Information System;
- Leaving their WVU Login in a location that can be readily obtained by another individual (e.g., writing a password on a note affixed to a monitor or underneath a keyboard);
- Leaving their computer/workstation without securing it (e.g., locking it, logging out);
- Accessing data within a University Information System that is not related to their job responsibilities; and,
- Failing to change their WVU Login password after it has been accessed and/or used by an unauthorized person.
DEFINITIONS
- “Active Role” means the individual is actively accessing University Information Systems on a day-to-day basis. Individuals with Active Roles include current students, faculty, staff, and those vendors or consultants who are engaged with the University and require access to University Information Systems and/or data.
- “Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
- “Credentials” means the username and password that authoritatively binds a Digital Identity to an individual.
- “Digital Identity” means the unique representation of a subject engaged in an online transaction. A Digital Identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts.
- “Enterprise Directory Services” means a repository of account registration gathered from authoritative sources of record for individuals (e.g., Banner, MAP, Identity Repository) that provides the comprehensive picture of their relationship with the University by merging identification and role information. The technical components that work, in whole or in part, to verify the authenticity of a personal identity or a resource at the University include Active Directory (AD), Active Directory Federation Services (ADFS), Shibboleth, and Central Authentication Service (CAS).
- “Information System Owner” means the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of a University Information System.
- “Least Privilege” means granting the minimum system resources and authorizations needed to perform its function or restricting access privileges of authorized personnel to the minimum functions necessary to perform their job.
- “Organizational Users” means an employee, student, or individual the University deems to have equivalent status of an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
- “Passive Role” means the individual may have at one time been granted an Active Role or will be in the future, but currently accesses University Information Systems on an infrequent basis. Individuals with Passive Roles include retirees, alumni, and admits.
- “Two-Factor Authentication (2FA)” means a second form of authentication, such as a mobile device, phone, or hardware token, is required when authenticating using WVU Login credentials. More information can be found at https://twofactor.wvu.edu.
- “University Information Systems” means an information system or University-owned device that is on the campus network, requires Authentication, and is used to support the academic, administrative, research, and outreach activities of the University, such as Office 365, Mix (Gmail), eCampus, STAR, and MAP.
- “University Services and Facilities” means any facility or service owned, maintained, or offered by the University. These include, but are not limited to, dining hall meals, University-owned or controlled buildings, library and athletic facilities, entry to athletic events, certain on-campus and off-campus purchases, and any other facility or service so deemed by the University.
- “Whitelisting” means the process used to identify software programs that are authorized to execute on a University Information System or authorized Universal Resource Locator (“URL”) websites.
- Pursuant to the Email Policy, Health Sciences Center (“HSC”) Information Technology Services is responsible for generating email addresses for HSC employees.
- Physical access controls to University Facilities are addressed in Access Control Standard and Protocols, maintained by the University Police Department.
ENFORCEMENT AND INTERPRETATION
- Any employee who violates this Policy will be subject to appropriate disciplinary action.
- Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
- Any individual affiliated with the University who has access to a University Data Center and violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
- The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
- Responsibility for interpretation of this Policy rests with the Chief Information Officer.
AUTHORITY AND REFERENCES
- BOG Governance Rule 1.11 – Information Technology Resources and Governance
- All other University policies are also applicable to the electronic environment.
Relevant institutional documents include, but are not limited to:
- Acceptable Use of Data and Technology Resources Policy
- Electronic Mail Policy
- Sensitive Data Policy
- Password Standard
- Identity & Authentication Standard
- Access Control Standard and Protocols
- Faculty Handbook
- Code of Student Rights and Responsibilities (Code of Conduct)
- WVU Talent and Culture Policies