Identity and Access Management Policy
Policy 2.2 Identity and Access Management Policy
Category: Information Security
Effective: June 19, 2017
Revision History: None
Review Date: June 2020
PURPOSE AND SCOPE
- Purpose. The purpose of this policy is to define the standard by which West Virginia University (WVU) establishes and maintains the electronic identities of faculty, staff, students and others with an affiliation.
- This policy applies to all University staff, faculty, and students as well as any third parties who are doing work on behalf of the University.
- Information Technology Services (ITS) is responsible for the operation, management and oversight of the WVU Identity and Access Management (IAM) Program, which assigns and manages official identities for the University. IAM is critical to ensuring that unauthorized access to information, systems, applications and physical areas is prevented, along with potentially fraudulent activity. This includes the assignment of the individuals’ WVUID numbers, usernames (also referred to as WVU Login) and email addresses.
- Any WVU employee, student or affiliate using a WVU-owned workstation, computer or device connecting to WVU’s wired network to access a restricted resource must use WVU Login credentials as provided through a recognized directory service.
- Any WVU employee, student or affiliate using a WVU-owned or personally-owned workstation, computer or device connecting to WVU’s wireless encrypted network must use WVU Login credentials as provided through a recognized directory service.
- Any WVU employee, student or affiliate authenticating to a WVU-restricted software service must use WVU Login credentials.
- WVU’s public software services are not required to use WVU Login credentials.
- IAM controls for funded research are subject to the data security requirements as provided by the granting agency or WVU’s Internal Review Board.
- All students, employees and affiliates are responsible for safeguarding their WVU Login credential as defined in the Acceptable Use of Data and Technology Resources Policy and Sensitive Data Protection Policy.
- Access management: The business rules, processes, technologies and policies for managing digital identities and controlling how they can be used to access restricted resources or software services.
- Affiliate: A person or organization that maintains a relationship with WVU but might not be an employee or student (e.g., an attendee at a WVU-sponsored camp).
- Authorization: The permission required to access a restricted resource or software service from a person, department or other business entity with the power to grant such access. Authorizing access requires confirming that the requestor has a legitimate business need to use the resource or software service.
- Directory service: The technical components, such as Active Directory (AD), Active Directory Federation Services (ADFS), Shibboleth, Central Authentication Service (CAS) and Oracle Internet Directory (OID), that work in whole, or in part, to verify the authenticity of a personal identity or a resource.
- Identity management: The set of business processes and supporting infrastructure for creating, maintaining and using digital identities. It is also a broad administrative function focused on confirming that individuals are who they claim to be and on controlling access to the resources with appropriate, identity-based restrictions.
- Public software services: WVU systems or services that are publicly accessible without restrictions such as www.wvu.edu or admissions.wvu.edu.
- Restricted resource: A service that requires authentication to gain access such as a network drive or file storage.
- Restricted software service: Any application or system that requires authentication and supports WVU’s academics or administrative operations or services.
- WVUID number: An internally-generated number used to identify individuals associated with WVU.
- WVU Login: The official University credentials required to access restricted resources or software services.
- WVU’s Chief Information Officer, supported by the Chief Information Security and Privacy Officer, will coordinate with appropriate University entities on the implementation and enforcement of this policy.
- Violation of or non-compliance with this policy will be addressed in accordance with established WVU disciplinary policies and procedures, as issued and enforced by the appropriate authorities. Failure to comply with this or other related standards may result in disciplinary action up to and including termination of employment or studies.
- All other University policies are also applicable to the electronic environment.
Relevant institutional policies include, but are not limited to:
- ITS Policy 1.0 - Acceptable Use of Data and Technology Resources
- ITS Policy 3.2 - Sensitive Data Protection
- Faculty Handbook
- Code of Student Rights and Responsibilities (Code of Conduct)
- WVU Talent and Culture Policies
- Board of Governors' Rules and Policies
- WV Higher Education Policy Commission Rules and Policies