Digital Identity Lifecycle Management

PURPOSE
This document establishes the guidelines for the creation and removal of University digital account identities. These guidelines are put forth to assist the University in managing the lifecycle of digital identities and associated entitlements, ensuring that the right people have access to the right resources at the right time, and meeting regulatory and compliance requirements.

SCOPE
The guidelines apply to all University employees, faculty, students, contractors, consultants, guests, temporary employees, and all individuals having access to University resources.

ACCOUNT CREATION
All users must be assigned a unique user account with only the privileges allotted to their respective role. There must be a formal registration process for provisioning a University account, requiring the appropriate authorization. Account creation, updates, disabling, suspending, resetting, and re-enabling must each follow a defined process. All such account activity must be recorded in a secure audit trail.

1.0 Students
Student accounts will be created once an applicant is admitted to the University. Student accounts will be confirmed by the office of Academic Records. The account provisioning process begins when a student record is entered into the Banner system. Students must acknowledge that they have received information on selected security and/or acceptable use policies and guidelines and will be responsible for complying with them.

2.0 Faculty and Staff
Employee accounts will be created once the employee's information is entered into the Banner system. The account provisioning process begins when the appropriate senior staff member or supervisor within the hiring department enters information into the Account-Request system. Permanent and temporary staff accounts will be confirmed by the Human Resources office, and Faculty accounts will be confirmed by the Human Resources office or the office of Academic Affairs. Employees must acknowledge that they have received information on selected security and/or acceptable use policies and guidelines and will be responsible for complying with them.

3.0 Contractors and Consultants
A contractor or consultant is defined as someone who has a substantial presence on campus and/or acts in a role similar to that of a staff member, but is not an employee of the University, and requires access to University resources. A temporary account is to be used to obtain and manage time-limited (365 days or less) temporary account credentials for non-Bryant employees who are working with Bryant faculty and staff. The faculty or staff member requesting the temporary account becomes the sponsor and is responsible for the proper usage and management of the account. Temporary accounts are authorized by a senior staff member or supervisor within the requesting department. Temporary contractor accounts should be confirmed by the supervisor/manager of the requesting department. The temporary account provisioning process begins when the contractor's information is entered into the Temporary-Account Request system. Not all contractors will have a record in Banner. Contractors and consultants must acknowledge that they have received information on selected security and/or acceptable use policies and guidelines and will be responsible for complying with them.

4.0 Special Use Accounts
Every unique user account must correspond to an individual unless there is an operational need for a Special Use Account Identity (SUAI). SUAIs will be assigned in cases in which multiple individuals need access to the same account, or an individual system requires a unique configuration due to technical limitations. Previously the SUAI was referred to as a generic account. Each SUAI will be assigned to a sponsoring individual. The sponsor is responsible for the proper usage and management of the account. SUAIs are created by a special request (in writing). SUAIs are authorized by a senior staff member or supervisor within the requesting department. Accounts for University organizations are considered SUAIs, and their account creation begins when the information is entered into the Organizations-Account Request system.

ACCOUNT REMOVAL
There must be a formal de-registration process for removing (de-provisioning) a University account, requiring the appropriate authorization.

5.0 Students
Removal of student accounts must be approved by the Office of Academic Records. Student accounts will be removed 90 days after non-enrollment or graduation.

6.0 Faculty and Staff
Termination of employee accounts must be verified by Human Resources. Terminated employee accounts will be disabled, and all access to University resources revoked, as soon as possible and no later than the end of the business day of the termination. Extensions and/or continued access for terminated employees may be granted only after an extensive approval process has been completed.

Supervisors may be granted access to an account if an individual is involuntarily removed from a position, to ensure continuity of communication for business or academic purposes. Also, upon special request (in writing), a supervisor will be granted access to the employee account after an employee voluntarily leaves the University. Instructions for access must be defined, shared with IT, and recorded as part of the secure audit trail. Employee accounts will be removed after 90 days, and the electronic mailbox and personal network storage space purged.

7.0 Contractors and Consultants
Contractor and consultant accounts are time limited and will be removed on their expiration date.

8.0 Special Use Accounts
SUAIs assigned to a separating employee will be reassigned to another University sponsor. In general, the account is reassigned to another accepting employee designated by the original sponsor prior to their separation, or by a senior staff member or supervisor. The SUAI's security credential(s) should be reset at the time of reassignment.
SUAIs will be disabled upon request from the sponsor. SUAIs will also be disabled if owners cannot be contacted during review periods to verify their activity. All disabled SUAIs will be removed after 90 days.

9.0 All Other Accounts
All other accounts must be disabled after 180 days of inactivity. All disabled accounts must be deleted after 180 days of being disabled. Inactive faculty accounts will be checked to determine whether the faculty member is on sabbatical or away for an extended leave period.

10.0 Access Control Principles
Account entitlements should adhere to the following principles:

  • Principle of Least Privilege: If nothing has been specifically configured for an individual or the groups he/she belongs to, the user should not be able to access that resource (i.e., default no access).
  • Separation of Duties: Separating any conflicting areas of responsibility so as to reduce opportunities for unauthorized or unintentional modification or misuse of organizational assets and/or information.
  • Need to Know: Individuals should be given access only to the information they absolutely require in order to perform their job duties.

11.0 Appropriate Use of Administrator Access
Administrator Access is defined as a level of access above that of a normal user. Use of Administrator Access should be consistent with an individual's role or job responsibilities as prescribed by management. When an individual's role or job responsibilities change, Administrator Access should be appropriately updated or removed. In situations where it is unclear whether a particular action is appropriate and within the scope of current job responsibilities, the situation should be discussed with management.

12.0 Exceptions
Any requests for exceptions to this policy must be submitted in writing and will be reviewed on a case-by-case basis. Exceptions shall be permitted only after written approval from the Vice President/CIO. The list of exceptions shall be reviewed annually and cancelled as required.

13.0 Verification Process
There shall be an ongoing process for reviewing accounts to verify they should remain active in their current state and to assure that all accounts maintain the proper entitlements.

14.0 Enforcement
The University considers any violation of the directives outlined within this document to be an objectionable offense. Failure to comply may subject the violator to disciplinary action by the University.

15.0 Enacted and Revisions
Date Enacted: 4/22/2015
Revision: 1.0
Last Reviewed: 10/24/2016
Next Review: October 2017

16.0 Standards and Reference Categories
ISO 27003:2013 9.1,9.2,9.3,9.4