UMGC Policy X-1.10

Identity and Access Management

Policy Category: X - Information Governance, Security & Technology
Policy No. & Title: X-1.10 Identity and Access Management
Policy Owner: VP of Information Security
Effective Date: July 1, 2021
Revision Number: N/A
Revision Eff. Date: N/A
Review Cycle: Every 3 years

  1. Purpose

    The purpose of this policy is to establish information security standards for the identity and access management processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

  3. Definitions

    Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

    1. Account: An established relationship between a User and a computer, network, or Information System which is assigned a credential such as a username and password.

    2. Administrative Account: An Account with elevated privileges intended to be used only when performing management tasks, such as installing updates and application software, managing user accounts, and modifying operating system and application settings.

    3. Authorized User: A User who has been granted authorization to access electronic Information Technology Resources and is current in their privileges.

    4. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

    5. Critical Information Systems (CIS): Inter-related components of Information Technology Resources working together where the loss of confidentiality, integrity, availability, or privacy could be expected to have a severe or catastrophic adverse effect on University operations, University assets, or individuals.

    6. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

    7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.

    8. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

    9. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

    10. Multi-Factor Authentication (MFA): Authentication that requires two or more different factors. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric). Two instances of the same factor (e.g., two passwords) do not constitute MFA.

    11. Privileged Account: An Account that is authorized to perform security-relevant functions that an ordinary Account is not authorized to perform.

    12. Single Sign-On (SSO): An authentication process that allows an Authorized User to access multiple applications with one set of login credentials, issued and verified by a central identity provider rather than by each application. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN) or hosted in the cloud.

    13. Unique Identifier: Unique data used to represent a person's identity and associated attributes.

    14. User: A University community member, including but not limited to, staff, faculty, students, alumni and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers and other individuals who may have a need to access, use or control University Data.

  4. Account Management

    1. Information System Stewards must adhere to the University's Account Management Policy when creating, administering, and disabling University Accounts.

    2. Users must take security awareness training within 90 days of their hire date as required by the Information Security Awareness and Training Policy.

  5. Authentication

    1. University Information Technology Resources that provide authentication services shall uniquely identify each User (e.g., by username) before granting access to those systems.

    2. Whenever possible and reasonable, any application or Information System, whether on premises or in the cloud, should use Single Sign-On (SSO) authentication.

    3. Unique Identifiers shall not be reused once assigned to a User, even after the associated Account has been disabled or removed, so that audit records (Section 6) always refer to a single person.

    4. Multi-Factor Authentication (MFA) should be used to protect Critical Information Systems (CIS) whenever it is possible and reasonable to do so.

    5. Passwords must be constructed in accordance with the minimum requirements of the most recent University System of Maryland IT Security Standards and where technically feasible, should further meet the following requirements:

      1. Authorized User Account passwords must meet a minimum length of 8 characters.

      2. Administrative and Privileged Account passwords must meet a minimum of 10 characters.

      3. Shared account passwords must be changed upon termination or transfer of an Employee or Contractor with whom the account password(s) have been shared.

      4. Passwords must contain a mix of letters and digits. A password consisting entirely of digits, entirely of special characters, or entirely of alphabetic characters is not permitted.

      5. Automated controls must enforce that passwords are changed at least annually for general Users, and at 90-day intervals for administrative-level Accounts.

      6. An Account must be locked for a period of time after no more than 6 consecutive failed login attempts; while locked, further attempts are rejected, including attempts with the correct password. The lockout period must be at least 10 minutes.

      7. A password must not be the same as the Account's User ID.

      8. Passwords must be stored and transmitted only in encrypted or hashed form (e.g., a salted password hash at rest and an encrypted channel in transit); plaintext passwords must never be stored or transmitted.

      9. Passwords must not be displayed in clear text on screen when entered.

      10. Users must not share passwords except with other approved Users of a shared account.

      11. Initial passwords and password resets must be issued pre-expired, forcing the User to change the password upon first use.

      12. Password reuse must be limited: none of the last 10 passwords may be reused. In addition, a password must be at least 2 days old before it may be changed again (minimum password age), so that a User cannot cycle through the history in one sitting to return to an old password.

      13. When a password is reset or redistributed, the validation of the User's identity must be at least as strong as the validation performed when the Account was originally established.

      14. Expired passwords must be changed before any other system activity is allowed.
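    The rules in 5.5 are the part of this policy that an identity system enforces mechanically, and the following is an added reference implementation of them (example code, not part of the policy and not UMGC's own code) that can be run against test cases to confirm an identity provider's configuration matches the text. It assumes PBKDF2-HMAC-SHA256 as the stored representation required by 5.5.8, exempts a forced (pre-expired) change from the 2-day minimum age so that 5.5.11 and 5.5.12 can both hold, and compares the User ID case-insensitively; the policy specifies none of these. The names AccountRecord, complexity_violations, set_password, authenticate, demo and the fixed clock T0 are this example's own, and the sample account and passwords are constructed.

```python
"""Added reference implementation of the password and lockout rules in section 5.5.
Not part of UMGC Policy X-1.10; all names and the hashing choice are assumptions."""
import hashlib
import hmac
import os
from dataclasses import dataclass, field
from datetime import datetime, timedelta
from typing import List, Optional, Tuple

# Thresholds as stated in section 5.5.
HISTORY_DEPTH = 10                   # 5.5.12: the last 10 passwords may not be reused
MIN_AGE = timedelta(days=2)          # 5.5.12: minimum password age
MAX_AGE_USER = timedelta(days=365)   # 5.5.5: annual change for general users
MAX_AGE_ADMIN = timedelta(days=90)   # 5.5.5: 90-day change for administrative accounts
MAX_FAILURES = 6                     # 5.5.6: lock after no more than 6 consecutive failures
LOCKOUT = timedelta(minutes=10)      # 5.5.6: lockout lasts at least 10 minutes
T0 = datetime(2021, 7, 1, 9, 0)      # fixed clock for the demo (constructed)


def _digest(password: str, salt: bytes) -> bytes:
    # Assumption: PBKDF2-HMAC-SHA256 is the stored "encrypted representation" (5.5.8).
    # The policy names no algorithm; the plaintext itself is never stored.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


@dataclass
class AccountRecord:
    user_id: str
    privileged: bool = False          # Administrative or Privileged Account (3.2, 3.11)
    salt: bytes = b""
    digest: bytes = b""
    history: List[Tuple[bytes, bytes]] = field(default_factory=list)  # previous (salt, digest)
    changed_at: Optional[datetime] = None
    must_change: bool = True          # 5.5.11: a new Account's password is pre-expired
    failures: int = 0
    locked_until: Optional[datetime] = None


def complexity_violations(acct: AccountRecord, candidate: str) -> List[str]:
    """Rules 5.5.1, 5.5.2, 5.5.4, 5.5.7 and the reuse half of 5.5.12; empty list = acceptable."""
    problems = []
    min_len = 10 if acct.privileged else 8
    if len(candidate) < min_len:
        problems.append(f"shorter than {min_len} characters")
    # 5.5.4 read strictly: at least one letter and one digit, which also rejects
    # all-digit, all-alphabetic and all-special-character passwords.
    if not (any(c.isalpha() for c in candidate) and any(c.isdigit() for c in candidate)):
        problems.append("must mix letters and digits")
    if candidate.casefold() == acct.user_id.casefold():   # 5.5.7; case-insensitive is an assumption
        problems.append("equals the user ID")
    # Current digest plus up to nine previous ones: the last 10 passwords in total.
    previous = ([(acct.salt, acct.digest)] if acct.digest else []) + acct.history
    if any(hmac.compare_digest(_digest(candidate, s), d) for s, d in previous):
        problems.append(f"reuses one of the last {HISTORY_DEPTH} passwords")
    return problems


def set_password(acct: AccountRecord, candidate: str, now: datetime,
                 admin_reset: bool = False) -> List[str]:
    """Apply a password change; returns the violations (empty list on success).
    admin_reset=True models 5.5.11/5.5.13: the issued value is pre-expired."""
    problems = complexity_violations(acct, candidate)
    # 5.5.12 minimum age. Forced changes are exempt (assumption): a pre-expired
    # password must be replaced at first use, which a 2-day minimum age would forbid.
    if acct.changed_at and not acct.must_change and now - acct.changed_at < MIN_AGE:
        problems.append("changed less than 2 days ago")
    if problems:
        return problems
    if acct.digest:   # retire the old digest into history, keeping nine previous entries
        acct.history = [(acct.salt, acct.digest)] + acct.history[:HISTORY_DEPTH - 1]
    acct.salt = os.urandom(16)
    acct.digest = _digest(candidate, acct.salt)
    acct.changed_at = now
    acct.must_change = admin_reset
    acct.failures = 0
    return []


def authenticate(acct: AccountRecord, candidate: str, now: datetime) -> str:
    """Returns 'locked', 'invalid', 'change_required' or 'ok'."""
    if acct.locked_until and now < acct.locked_until:
        return "locked"   # 5.5.6: rejected without evaluation, even if the password is right
    if not acct.digest or not hmac.compare_digest(_digest(candidate, acct.salt), acct.digest):
        acct.failures += 1
        if acct.failures >= MAX_FAILURES:
            acct.locked_until, acct.failures = now + LOCKOUT, 0
        return "invalid"
    acct.failures, acct.locked_until = 0, None
    max_age = MAX_AGE_ADMIN if acct.privileged else MAX_AGE_USER
    if acct.must_change or now - acct.changed_at > max_age:
        return "change_required"   # 5.5.5, 5.5.11, 5.5.14: nothing else until it is changed
    return "ok"


def demo() -> list:
    """Walk a constructed administrative Account through the rules; returns each step's result."""
    acct = AccountRecord(user_id="jdoe", privileged=True)
    out = [set_password(acct, "jdoe", T0)]                                  # too short, no digit, equals ID
    out.append(set_password(acct, "Initial#Pass1", T0, admin_reset=True))   # [] issued pre-expired
    out.append(authenticate(acct, "Initial#Pass1", T0))                     # 'change_required'
    out.append(set_password(acct, "Initial#Pass1", T0))                     # reuse rejected
    out.append(set_password(acct, "Correct#Horse42", T0))                   # [] forced change, no min age
    out.append(authenticate(acct, "Correct#Horse42", T0))                   # 'ok'
    for _ in range(MAX_FAILURES):
        last = authenticate(acct, "wrong-guess-0", T0)
    out.append(last)                                                        # 'invalid'; 6th failure locks
    out.append(authenticate(acct, "Correct#Horse42", T0))                   # 'locked' despite correct password
    out.append(authenticate(acct, "Correct#Horse42", T0 + LOCKOUT))         # 'ok' once the lockout has passed
    out.append(authenticate(acct, "Correct#Horse42", T0 + MAX_AGE_ADMIN + MIN_AGE))  # 'change_required'
    return out


if __name__ == "__main__":
    for step in demo():
        print(step)
```

    The lockout check runs before the password is evaluated, so an attacker who has exhausted the attempts gains nothing from guessing correctly during the window, and the reuse check hashes the candidate under each historic salt rather than keeping any plaintext history. The minimum-age exemption for forced changes is the one place where the two rules in 5.5.11 and 5.5.12 have to be reconciled, and it is flagged as an assumption in the code for that reason.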

  6. Auditing

    1. Information System Stewards are responsible for ensuring that audit trails are maintained to record appropriate events and actions occurring in the Information System.

    2. Audit procedures must be defined for the periodic review of the audit records of Information Systems for unusual or suspicious activity (for example, repeated failed login attempts or Account lockouts under 5.5.6) or suspected violations of this policy.

  7. Exceptions

    Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  8. Enforcement

    1. Any Employee, Contractor, or third party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

    2. Any Employee, Contractor, or other third party performing duties on behalf of the University who violates this Policy may be denied access to Information Technology Resources and may be subject to disciplinary action, up to and including termination of employment or contract, or pursuit of legal action.

  9. Related Policies

    1. Acceptable Use

    2. Account Management

    3. Data Classification

    4. Information Security

    5. Information Security Awareness and Training

    6. Information Security Incident Management

  10. Effective Date: This policy is effective as of the Effective Date set forth above.