Skip to main content
West Virginia University Information Technology Services
Get Help

Identity and Access Management Policy

Policy Number: 1.11.2.3
Category: Information Security
Effective: January 31, 2022
Revision History: Originally effective June 19, 2017, Updated July 1, 2019
Review Date: January 30, 2025

  1. PURPOSE And SCOPE

    1. The purpose of this Policy is to establish the rules that govern the issuance and maintenance of the Digital Identities at West Virginia University, West Virginia University Institute of Technology, and Potomac State College of West Virginia University (“University Accounts”).
    2. This Policy applies to all University Accounts issued to employees, students, and Authorized Individuals (“University Account Owners”) to access University Services and Facilities.

  2. IDENTITY AND ACCESS MANAGEMENT PROGRAM RESPONSIBILITIES

    1. The University Identity and Access Management Program (“IAM”) is responsible for establishing processes and procedures that enable secure, centralized access to University Information Systems. IAM accomplishes this mission through the following activities:
      1. Identity Management. The creation and maintenance of the unique University Accounts that distinguish one individual from another as well as the confirmation of a University Account Owner’s identity when the individual requests access to a University Information System (“Authentication”).
      2. Access Management. The assurance that only authorized University Account Owners are granted access to use University Information Systems and that such access is granted on the basis of Least Privilege.
    2. Responsibilities carried out by IAM in support of identity and access management include:
      1. Administering all authentication and password management systems;
      2. Employing appropriate encryption to protect the privacy of Credentials (“WVU Login”) during transmission;
      3. Providing a self-service site to allow University Account Owners to view and manage their University Accounts, such as changing a password or setting a Chosen Name;
      4. Establishing mechanisms to ensure the individual or entity attempting to Authenticate to a University Information System is the individual to which the WVU Login was assigned;
      5. Synchronizing WVU Login between University Information Systems and codifying the rules related to these activities; and,
      6. Coordinating federated identity processes, single sign-on, and other means of securely accessing University Information Systems.

  3. IDENTITY MANAGEMENT AT THE UNIVERSITY

    1. University Accounts will be created for individuals within the following categories:
      1. Students. Students admitted, enrolled, and attending the University; inherently included in this category are former students that have graduated or left the University.
      2. Employees. Employees with a full- or part-time appointment, retired employees, and individuals with Emeriti status pursuant to BOG Governance Rule 1.9 and BOG Faculty Rule 4.2.
      3. Sponsored Individuals. Individuals (e.g., vendors) who are authorized to be onsite, unescorted, and to use University Services and Facilities when administrative or academic systems do not otherwise grant appropriate access via roles within Banner or MAP (“Sponsored Accounts”).
    2. All University Accounts will be created pursuant to the Identity and Authentication Management Standard and will be comprised of an individual’s legal name, birth date, a unique ID number (“WVUID”), WVU Login, and an email address.
    3. The official repository for University Accounts is known as Enterprise Directory Services (“EDS”).

  4. ACCESS MANAGEMENT AT THE UNIVERSITY

    1. Authentication to a University Information System constitutes an official identification of an individual to the University; therefore, Authentication is required to access all University Information Systems.
    2. When technically possible, use of EDS for Authentication is preferred for all University Information Systems.
    3. Use of EDS, whether used in part of whole, is required to Authenticate individuals to all University Information Systems that store Sensitive Data.
    4. The creation of local accounts for Authentication should only be utilized when use of EDS is technically not possible.
    5. Two-Factor Authentication (“2FA”) is mandatory for all University Accounts with an Active Role including current students, employees, and Sponsored Individuals.
      1. University Accounts with a Passive Role (e.g., retirees, alumni) may be required to use 2FA for select University Information Systems.
      2. All University Information Systems storing Sensitive Data must employ 2FA in conjunction with EDS for Authentication.
      3. All Privileged Access accounts must employ 2FA in conjunction with EDS for Authentication.
      4. University Information Systems that do not utilize EDS for Authentication must implement 2FA when technically possible.
      5. 2FA Whitelisting is not permitted for any University school, department, program, division, or individual.
    6. Unauthenticated Access to University Information Systems will be permitted only in exceptional circumstances (e.g., public kiosks) or when the service is intended to be publicly accessible without restrictions (e.g., University website). Such systems must be explicitly configured for Unauthenticated Access.
    7. Pursuant to the Acceptable Use of Technology Resources and Data, access to University Information Systems will be based on Least Privilege.
    8. Access to University Technology Resources will be managed pursuant to the Access Management Standard.
    9. At a minimum, Data Custodians must annually review user access privileges within the University Information System that house the data for which they are responsible and remove those individuals no longer requiring access. See Data Classification Policy.

  5. UNIVERSITY ACCOUNT OWNER RESPONSIBILITIES

    1. University Account Owners will be held accountable for the actions that occur within a University Information System that has been Authenticated using their WVU Login; therefore, University Account Owners are responsible for safeguarding their WVU Login, which includes, but is not limited to:
      1. Successfully completing annual cybersecurity training;
      2. Creating and using passwords that conform to the Password Standard;
      3. Changing password immediately and notifying ITS when there is reason to believe a password has been improperly disclosed, accessed, or used by an unauthorized person;
      4. Never misusing their account or a University Information System. Misuse includes but is not limited to:
        1. Creating unapproved local accounts to access University Information Systems;
        2. Sharing their WVU Login with someone else to access a University Information System;
        3. Using someone else’s WVU Login to Authenticate to a University Information System;
        4. Leaving their WVU Login in a location that can be readily obtained by another individual (e.g., writing a password on a note affixed to a monitor or underneath a keyboard);
        5. Leaving their computer/workstation without securing it (e.g., locking it, logging out);
        6. Accessing data within a University Information System that is not related to their job responsibilities; or,
        7. Failing to change their WVU Login password after it has been accessed and/or used by an unauthorized person.

  6. DEFINITIONS

    1. "Active Role” means the individual is actively accessing University Information Systems on a day-to-day basis. Individuals with Active Roles include current students, faculty, staff, and those vendors or consultants who are engaged with the University and require access to University Information Systems and/or data.
    2. "Authentication” means verifying the identity of a user, process, or device to allow access to a University Information System.
    3. “Chosen Name” means any name a student or employee chooses to use other than their legal name.
    4. "Credentials” means the username and password that authoritatively binds a Digital Identity to an individual.
    5. "Digital Identity” means the unique representation of a subject engaged in an online transaction. A Digital Identity is always unique in the context of a digital service but does not necessarily need to uniquely identify the subject in all contexts.
    6. "Enterprise Directory Services” means any identity directory service utilized by IAM which includes but is not limited to, Active Directory, Oracle Internet Directory, and Oracle Directory Server Enterprise Edition.
    7. "Information System Owner” means the official responsible for the overall procurement, development, integration, modification, or operation and maintenance of a University Information System.
    8. "Least Privilege” means granting the minimum system resources and authorizations needed to perform its function or restricting access privileges of authorized personnel to the minimum functions necessary to perform their job.
    9. “Data Custodian” means the University executive officers or their designees who have planning and policy-level responsibilities for data in their functional areas.
    10. "Organizational Users” means an employee, student, or individual the University deems to have equivalent status of an employee or student, including, but not limited to, contractors, guest researchers, and individuals from another organization or University.
    11. "Passive Role” means the individual may have at one time been granted an Active Role or will be in the future, but currently accesses University Information Systems on an infrequent basis. Individuals with Passive Roles include retiree, alumni, and admits.
    12. “Privileged Access” means accounts, separate from named-user accounts, that provide administrative rights to perform functions that make changes to an overall system, network, database, or server. Privileged functions include, but are not limited to, installing updates, editing registry, managing default access accounts, changing file-level permissions, and modifying operating system, configuration, or application settings. Non-privileged access means access granted to users permitting them to conduct normal daily functions.
    13. "Two-Factor Authentication (2FA)” means a second form of authentication, such as mobile device, phone, or hardware token, is required when authenticating using WVU Login credentials. More information can be found at https://twofactor.wvu.edu.
    14. "University Information Systems” means an information system or University-owned device that is on the campus network, requires Authentication, and is used to support the academic, administrative, research, and outreach activities of the University such as Office 365, Mix (Gmail), eCampus, STAR, and MAP.
    15. "University Services and Facilities” means any facility or service owned, maintained, or offered by the University. These include but are not limited to, dining hall meals, University-owned or controlled buildings, library and athletic facilities, entry to athletic events, certain on-campus and off-campus purchases, and any other facility or service so deemed by the University.
    16. "Whitelisting” means the process used to identify software programs that are authorized to execute on a University Information System or authorized Universal Resource Locators (“URL”) websites.

  7. EXCEPTIONS

    1. Pursuant to the Email Policy, Health Sciences Center (“HSC”) Information Technology Services is responsible for generating email addresses for HSC employees.
    2. Physical access controls to University Facilities are addressed in Access Control Standard and Protocols, maintained by the University Police Department.

  8. ENFORCEMENT AND INTERPRETATION

    1. Any employee who violates this Policy will be subject to appropriate disciplinary action.
    2. Any student who violates this Policy will be subject to appropriate disciplinary action in accordance with the Student Code of Conduct.
    3. Any individual affiliated with the University who has access to a University Data Center and violates this Policy will be subject to appropriate corrective action, including, but not limited to, termination of the individual’s relationship with the University.
    4. The University’s Chief Information Officer, supported by the Chief Information Security Officer, will coordinate with appropriate University entities on the implementation and enforcement of this Policy.
    5. Responsibility for interpretation of this Policy rests with the Chief Information Officer.

  9. AUTHORITY AND REFERENCES

    1. BOG Governance Rule 1.11 – Information Technology Resources and Governance
    2. All other University policies are also applicable to the electronic environment. Relevant institutional documents include, but are not limited to:
      1. Acceptable Use of Data and Technology Resources Policy
      2. Electronic Mail Policy
      3. Sensitive Data Policy
      4. Password Standard
      5. Identity and Authentication Management Standard
      6. Access Management Standard
      7. Access Control Standard and Protocols
      8. Faculty Handbook
      9. Code of Student Rights and Responsibilities (Code of Conduct)
      10. WVU Talent and Culture Policies

Connect With Us

Service Desk Hours and Contact

Service Desk Hours

Monday – Friday: 7:30 a.m. – 8 p.m.
Saturday and Sunday: Noon – 8 p.m.

Closed on official University holidays.

Contact Us

Information Technology Services
One Waterfront Place
Morgantown, WV 26506

(304) 293-4444 | 1 (877) 327-9260
ITSHelp@mail.wvu.edu

Get Help

Maintenance Schedule

To function effectively and securely, applications and the systems that support them must undergo regularly planned maintenance and updates.

See Schedule