UMGC Policy X-1.10 UMGC Policy on Identity and Access Management

Purpose

This Policy establishes information security standards for the identity and access management processes relevant to University Information Technology Resources.

Scope and Applicability

This Policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this Policy.

Definitions

Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

1. Information System Stewards must adhere to the University's Account Management Policies, UMGC Policy X-1.19A Account Management (UMGC Learner Community) and UMGC Policy X-1.19B Account Management (UMGC Workforce), when creating, administering, and disabling University Accounts.
2. Users must take security awareness training within 90 days of their hire date as required by UMGC Policy X-1.05 Information Security Awareness and Training Policy.

1. University Information Resources that provide authentication services shall uniquely identify (e.g., username) Users prior to allowing access to the said systems.
2. Whenever possible and reasonable, any application or Information System, whether on premise or in the cloud, should use Single Sign-on authentication.
3. Unique identifiers shall not be reused once assigned to a User.
4. Multi-Factor Authentication (MFA) should be used to protect Critical Information Systems (CIS) whenever possible and reasonable to do so.
5. Passwords must be constructed in accordance with the minimum requirements of the most recent University System of Maryland IT Security Standards and where technically feasible, should further meet the following requirements:
   1. Authorized User Account passwords must meet a minimum length of 12 characters.
   2. Administrative and Privileged Account passwords must meet a minimum length of 12 characters.
   3. Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all digits, all special characters, or all alphabetic characters.
   4. Automated controls must ensure that passwords are changed at least annually for general Users, and at 90-day intervals for administrative- level accounts.
   5. User IDs associated with a password must be disabled for a period of time after not more than 6 consecutive failed login attempts. A minimum of 10 minutes is required for the reset period.
   6. Password must not be the same as the User ID.
   7. Store and transmit only encrypted representation of passwords.
   8. Passwords must not be displayed on screens.
   9. Users must not share passwords except with other approved Users of an Account that has been documented as a Functional ID. Functional ID passwords must be changed upon termination or transfer of an Employee or Contractor with whom the Account password(s) have been shared.
   10. Initial passwords and password resets must be issued pre-expired forcing the User to change the password upon first use.
   11. Password reuse must be limited by not allowing the last 10 passwords to be reused. In addition, password age must be at least 2 days before it can be reset.
   12. When a User password is reset or redistributed, the validation of the User identity must be at least as strong as when originally established.
   13. Expired passwords must be changed before any other system activity is allowed.

1. Information System Stewards are responsible for ensuring that audit trails are maintained to record appropriate events and actions occurring in the Information System.
2. Audit procedures are to be defined to periodically review the audit records of Information Systems for unusual or suspicious activities or suspected violations.

Exceptions

Exceptions to this Policy should be submitted to Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify Information Security as soon as practicable.
2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

1. USM IT Security Standards, v.5, dated July 2022
2. NIST SP 800-171r3 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated May 2024
3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021

1. UMGC Policy X-1.02 Data Classification 
2. UMGC Policy X-1.04 Information Security 
3. UMGC Policy X-1.05 Information Security Awareness and Training Policy
4. UMGC Policy X-1.06 Information Security Incident Response 
5. UMGC Policy X-1.12 Acceptable Use 
6. UMGC Policy X-1.19A Account Management (UMGC Learner Community) 
7. UMGC Policy X-1.19B Account Management (UMGC Workforce)