ITS Digital Credential Policy
1. Overview
Digital credentials provide the access and rights to organizational technology systems and services. They are used to identify, authenticate, and control access for users accessing IT resources.
2. Purpose
The purpose of this policy is to define who is eligible for a university generated digital credential and the roles and responsibilities for ensuring this policy is adhered to.
3. Scope
This policy applies to all University of Akron managed digital credentials and only discusses digital credential eligibility and lifecycle. This document does not discuss service eligibility.
4. Background
The University of Akron is committed to a secure information technology environment in support of its mission as outlined in University Rule 3359-11-10.3: “Information technology security and system integrity policy”. Identity and Access Management (IAM) is the foundation for a secure enterprise.
5. Definitions
- Data Owner – The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information. This role generally falls to a functional academic or administrative area such as the Registrar, Human Resources, or the offices of the CFO and Provost.
- Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
- Digital Credentials – A user’s identification and authentication information, typically a username and passphrase, broadly referred to as an information system account.
- Emergency Account – A digital credential used strictly for emergency access to critical systems when other authentication methods are not available. These accounts are reserved for IT use.
- Employee – Regular full-time and part-time faculty, staff, contract professionals, whether compensated or not, who receive a digital credential from the university.
- Guest Account – A digital credential provided to a sponsored individual who is not a student or employee and would not otherwise qualify for a university provided digital credential.
- IT Systems – The electronic information processing, storage, and transmission systems, which include but are not limited to computers, terminals, printers, peripherals, mobile devices, networks, online and offline storage media and related equipment, software, and data files that are owned, operated, managed, or maintained by the University of Akron or contracted vendors or partners. IT Systems also include but are not limited to institutional and departmental information systems, faculty research systems, desktop computers, the university’s campus network, and the university general access computer clusters.
- IT Services – The platforms and applications used to create, process, transmit, store, secure, or present information on IT systems which include but are not limited to email, telecommunications, network access, digital credentials, file storage, web applications, information security, and enterprise resource planning.
- Local Account – A digital credential that only exists within an information system and is authenticated locally to that information system.
- Non-Affiliated Party – Any person or group who is not directly attached to the University of Akron through employment, partnership, or student status.
- Privileged Account – A user’s unique digital credential that is granted permissions not normally granted to a user’s primary digital credential. This account has a single owner who is responsible for all actions taken by this account.
- Service Account – A digital credential that is not provided to a user, rather is only used for programmatic functions and automated processes.
- UAnet ID – A user’s unique username within the University of Akron systems.
6. Policy
- Digital Credential Types
- Digital credential types include: UAnet ID (individual), privileged accounts, local accounts, guest accounts, emergency accounts, and service accounts.
- Eligibility
- UAnet ID
- Students
- Students who are enrolled, or eligible to enroll, in courses at the University of Akron are eligible for a digital credential consisting of a UAnet ID and passphrase.
- Employees
- Current employees are eligible for a digital credential consisting of a UAnet ID and passphrase for the duration of their employment.
- Retirees
- Retirees are permitted to keep their UAnet ID unless special circumstances arise as directed by Human Resources.
- Special Populations
- Departments may request to extend access to some or all University of Akron IT systems and IT services, including digital credentials, to affiliated parties including:
- Sponsored Guests
- Student Employees & Graduate Assistants
- External Contractors
- Other Affiliated Parties
- Eligibility is only applicable for the duration of the affiliation or until the party’s affiliation changes to a different, permanent status.
- Privileged Account
- Students
- Only students employed by the university and performing a job function requiring elevated permissions to IT systems and data access are eligible for a privileged account with approval from the Department Head, Data Owner, or Data Steward.
- Employees
- Current employees requiring elevated permissions to IT systems or data including but not limited to network/system administration and back-office ERP access are eligible for a privileged account with approval from the Department Head, Data Owner, or Data Steward.
- Eligibility is only applicable for the duration of the required access and will be removed immediately upon expiration of the required access.
- Retirees
- Retirees are not eligible for a privileged account.
- Special Populations
- Student Employees requiring elevated permissions to IT systems and/or Protected Institutional Data including but not limited to network/system administration, and back-office ERP access are eligible for a privileged account with approval of the Department Head, Data Owner, or Data Steward.
- External contractors requiring elevated permissions to IT systems or data including but not limited to network/system administration and back-office ERP access are eligible for a privileged account with approval from the Department Head, Data Owner, or Data Steward.
- Eligibility is only applicable for the duration of the required access and will be removed immediately upon expiration of the required access.
- The process for obtaining a privileged account is covered under ITS: Digital Credential Standard.
- Local Account
- Only Information Technology staff are eligible for local accounts on university information systems.
- Local accounts are only authorized at the discretion of the Office of Information Security and with the approval of the Chief Information Security Officer.
- Emergency Account
- Only Information Technology staff are eligible for emergency accounts on university information systems.
- Emergency accounts are only authorized at the discretion of the Office of Information Security and with the approval of the Chief Information Security Officer.
- Service Account
- Individuals are not eligible for service accounts.
- Departments may request service accounts as needed for business purposes.
- Service accounts are authorized at the discretion of Information Technology Services (ITS).
- Digital Credential Use
- Each digital credential type has a specific use and is not authorized to be used for multiple purposes.
- The use case for each digital credential type is covered by the ITS: Digital Credential Standard.
- Digital Credential Lifecycle
- Digital credentials have a lifecycle from creation to removal.
- The lifecycle for each digital credential type is covered by the ITS: Digital Credential Standard.
- Exceptions
- Exceptions to the eligibility for digital credentials must be submitted to IT Security Services and include:
- The nature of the exception.
- A reasonable explanation for why the exception is required.
- Any risks created by the exception.
- Any risks created by not granting the exception.
- Approval by the Department Head, Data Steward, and Data Owner.
- The Chief Information Security Officer (CISO) or Information Security designee, in coordination with Human Resources, has the final approval authority for exceptions to this policy.
7. Policy Compliance
- Roles and Responsibilities
- The identity access management team or delegate is responsible for reviewing and updating digital credential eligibility, including associated special populations.
- Information Technology Services will conduct periodic reviews of credential eligibility throughout the year to ensure compliance.
- The Chief Information Officer is responsible for enforcing this policy.
- Non-Compliance
- ITS will disable accounts associated with parties deemed to be ineligible by this policy and lacking an approved exception.
- ITS will notify supervisors or appropriate sponsors of accounts to be disabled.
8. Related Documents
University Rule 3359-11-10: Acceptable Use Policy
University Rule 3359-11-10.3: Information Security and System Integrity Policy
ITS: Digital Credential Standard
9. Policy History
Approval Authority: Chief Information Officer
Policy Manager: Chief Information Security Officer
Effective Date: 09/30/2022
Prior Effective Dates: 12/13/2021
Review Date: 12/01/2022