IT Account Creation, Retention and Expiration Standards
Overview
This document addresses the requirements for university accounts to ensure compliance with university policies. To manage and access university systems and data and conduct business on behalf of the university, persons must have a university account that is in accordance with this standard.
Policy Reference
APM 30.15 Password and Authentication Policy
APM 30.10 Identity and Access Management Policy
APM 30.11 University Data Classification and Standards
Scope
These standards establish account management, provisioning, and retention requirements for all university faculty, staff, students, and other affiliates using UI technology resources at any data classification level.
Standards
- Account types – (See definitions in Section 6 below)
- Multifactor authentication (MFA) is required for all individual accounts
Provisioning of accounts includes creation of accounts for affiliated or sponsored individuals.
- Provisioning:
  - Student accounts are created automatically based on admission, registration, and other SIS-managed criteria.
  - Employee accounts are not automatically created, but are generally created at the time of employment or changes in employee roles.
  - Employee accounts will not be created until a personnel action is started.
- Affiliation:
  - Student Affiliation
    - Independent Study
    - Admitted in the current or future term
    - Eligible to register in a future term (up to 3 semesters)
    - Graduated within the past 2 years
    - Late registration grace period is 2 weeks into the term
  - Employee Affiliation
    - Active employment record with Human Resources
    - 9-month faculty appointment recorded with Human Resources
  - Other affiliations
    - Retirees - Honored Staff or Emeritus Faculty
- Passwords (See Password Policy and Password Standards):
  - For new employees, Human Resources validates identification during personnel setup and gathers the identifying information used in the account creation and password setting processes.
  - New students are identified through their admission application process, which gathers the identifying information used in the account creation and password setting processes.
  - In order to use the online password setting process, a valid alternate email and/or phone number must be in the Banner system.
  - University guests wanting to access university resources require registration through sponsorships or automated systems.
  - When an account is initially established, the password must be changed by the user at first use of the account.
  - All passwords must be unique and not easily guessed.
- Account names:
  - Can be from 2-20 characters in length
  - Must be all lowercase
  - Must start with an alphabetic character
  - Must only contain alphanumeric ASCII characters
  - Cannot be re-used, and no new owner is allowed
  - For individual accounts, usernames must be based on the owner’s full name for easier identification in systems which cannot display ownership
  - Student usernames have the following conventions:
    - The first part is 1-4 characters from their last name, first name, or a combination
    - The second part is the last 4 digits of their Vandal number
  - If an account has been disabled or deleted, and needs to be reinitiated, the default will be to use the previous account name, unless there are significant changes in access or other mitigating circumstances. (See Role Changes – Section D-4)
- Email address restrictions:
  - The primary email address prefix must match the username (example: jvandal => jvandal@uidaho.edu)
  - Firstname.Lastname email aliases (proxyAddresses) were allowed in the past but are no longer offered; existing aliases are still recorded and maintained
  - The email address must match the AD userPrincipalName for easier end-user authentication
  - When an account is renamed (due to a personal name change), the previous email address is kept as an alias (proxyAddress) indefinitely
- Display names:
  - Address books must display the name as “Last, First (email)” – example “Vandal, Joe (jvandal@uidaho.edu)” – where possible
  - Display names in Active Directory reflect the legal name by default, but the first-name portion may be updated to a preferred name upon request (e.g., “Smith, Robert” may be updated to “Smith, Bob”, “Smith, Roberta” or “Smith, R.”) as long as it is consistent with the user’s identity
  - Not all systems currently support use of the Active Directory display name and may still reflect the legal name from Banner
  - The university reserves the right to refuse a preferred name. Instances that may result in this prohibition include arbitrary or repeated name changes, the use of profane words, and names that may be used for fraudulent purposes or misrepresentation
- Account Renaming:
  - Accounts may be renamed by request if there is an associated name change in Banner
  - Accounts may be renamed by request if the standard naming convention creates an offensive word in English or another language
- Auditing:
  - Account creation, updates, and deletions must be logged and monitored for anomalous activity
  - Password changes on accounts must be logged and audited for anomalies
- Account Review:
  - The access held by accounts must be reviewed annually by data stewards and/or system owners
- Identity Vetting:
  - Account information, with the exception of the password, should only be provided to the owner of the account after their identity has been verified. Delivery methods may include:
    - Email to a previously confirmed alternate email address, including one provided on the admissions or employment application
    - Mail to a previously confirmed mailing address, including one provided on the admissions or employment application, or found on a government-issued photo ID
    - In person, after verifying against a VandalCard or a state- or government-issued photo ID
  - Passwords for accounts should only be set by the account owner through ITS tools (e.g., the help.uidaho.edu password reset) and never delivered by mail or email, even with a verified identity. Support personnel should assist the user in setting the password
  - Limited-use guest accounts may have passwords delivered to the U of I email address of the sponsor of the accounts, since the user identity cannot be reasonably verified
  - Video verification is permissible if the quality is sufficient to verify the photo ID
  - Audio or phone verification is permissible using three points of information provided by the customer, only if they do not yet have an established Security Profile. Possible data points, in addition to full name:
    - Phone number
    - Duo Push verification
    - Email address
    - Student or Vandal ID number
    - Last time a password was set
    - Previous employment positions with dates
    - Previous enrollment dates (starting, ending, or most recent semester before current)
    - Mailing address
- Affiliation:
  - When the relationship with the university changes, the account will be deleted or retained in accordance with the specific type of account and affiliation
- Disabling:
  - Inactive accounts will be disabled and subsequently deleted following 180 days of inactivity, regardless of current individual affiliation. Exceptions may be granted for individuals known to be on extended leave or sabbatical
  - Exceptions may also be granted for non-appointed faculty and graduate assistants with ongoing university responsibilities. These will be extended for an additional 120 days
  - Employees placed on administrative leave will have their primary account(s) disabled and security questions disabled unless otherwise arranged and approved by General Counsel
  - Affiliation with the university has ended
  - University policies are violated
- Deletion of Accounts:
  - Accounts are automatically deleted 4 weeks after being disabled, unless associated with an ongoing affiliation or manual steps are taken to extend a sponsorship for the disabled account
  - While some systems support recovery of deleted accounts for a number of days after deletion, ITS does not guarantee this will always be possible
- Role Changes:
  - The account name will be changed when an employee changes to a new role, unless the new role does not require a significant change in access
  - If there is not a significant change in the type of role, as agreed upon by the outgoing and incoming areas, the account may be retained. (Example: promotion under the same executive, or in the same area.)
  - Role changes that require a new account name:
    - Leaving a role that had HIPAA access per the employee benefits plan when the new role does not
    - University roles that are associated with external parties, where loss of contact may have significant business or compliance impact (major vendors, Student Financial Aid, Athletics)
    - If required by the departing supervisor
  - When a user is placed on administrative leave, an account may be created with a new name to allow access to essential services and allow for required communications
  - Honored Staff Retirees may elect to maintain a University account per FSH 3730, but these will not be maintained by default. Retirees may request a new @gold.uidaho.edu account for any ongoing access needs if they do not retain another UI account (e.g., @alumni). Any requests to maintain the existing account must be approved by the affected department(s) and ITS
  - Emeriti may elect to maintain a University account per FSH 1565, but this will not be created by default. Emeriti may retain their @uidaho.edu email address
- Sponsored Accounts:
  - Full-time, benefits-eligible UI employees may sponsor an account for an otherwise unaffiliated individual if there is a documented and legitimate work or academic reason for sponsorship of the account. Sponsorship may be used only when affiliation is not otherwise expected
  - Sponsored accounts are required when an employment record or enrollment record is not available and an account is needed
  - Sponsored accounts are not issued when an individual account can be issued
  - Sponsored accounts are not intended for new employees who have not yet been appointed in the system
  - Sponsorship of an account is automatically removed if the owner becomes an employee of the university
  - Information needed for sponsorship:
    - Vandal number or UI username of the eligible sponsor
    - Work phone number
    - Vandal number of the sponsored person, or the person’s full name, address, date of birth, alternate email, and cell phone number so a Vandal number can be created
    - Reason for sponsorship
    - Duration of sponsorship
  - Sponsored accounts expire after at most one year
  - Sponsored accounts may be renewed or revised at any time by the sponsor
- Temporary Accounts:
  - Will not be created or assigned when an individual account access method is available
  - Guest accounts may be issued based upon a temporary affiliation with the university
  - The sponsoring department's designated person is responsible for tracking which guest account is assigned to which individual
  - Temporary accounts will be disabled when:
  - Guest accounts are available to use for up to 90 days
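The account-name, student-username and email rules in the standards above, expressed as a small pre-provisioning check. This is an added example, not the university's own provisioning tooling; the retired-username list and the Vandal number used in the demo are constructed values.

```python
import re
import string

# Added example: checks a proposed account against the naming and email rules in
# the standards above. Not the university's tooling; RETIRED_USERNAMES is constructed.
ASCII_LOWER = set(string.ascii_lowercase)
ASCII_ALNUM = ASCII_LOWER | set(string.digits)
STUDENT_USERNAME_RE = re.compile(r"^[a-z]{1,4}[0-9]{4}$")  # 1-4 name letters + 4 digits

RETIRED_USERNAMES = {"bvandal"}  # constructed: names that once existed and may not be reissued


def username_problems(username: str, retired: set[str] = RETIRED_USERNAMES) -> list[str]:
    """Return every account-name rule the proposal breaks; an empty list means it passes."""
    problems = []
    if not 2 <= len(username) <= 20:
        problems.append("must be 2-20 characters in length")
    if any(c in string.ascii_uppercase for c in username):
        problems.append("must be all lowercase")
    if not set(username) <= ASCII_ALNUM | set(string.ascii_uppercase):
        problems.append("must only contain alphanumeric ASCII characters")
    if username[:1].lower() not in ASCII_LOWER:
        problems.append("must start with an alphabetic character")
    if username in retired:
        problems.append("cannot be re-used by a new owner")
    return problems


def is_student_username(username: str, vandal_number: str) -> bool:
    """Student convention: 1-4 letters from the name, then the last 4 digits of the Vandal number."""
    tail = re.search(r"[0-9]{4}$", vandal_number)
    return bool(STUDENT_USERNAME_RE.match(username)) and tail is not None and username.endswith(tail.group())


def email_problems(username: str, primary_email: str, user_principal_name: str) -> list[str]:
    """Check the primary address against the username and the AD userPrincipalName."""
    problems = []
    local_part, _, _ = primary_email.partition("@")
    if local_part != username:
        problems.append("primary email prefix must match the username")
    if primary_email.lower() != user_principal_name.lower():
        problems.append("email address must match the AD userPrincipalName")
    return problems


if __name__ == "__main__":
    for name in ["jvandal", "Jvandal", "4vandal", "j", "joe_vandal", "bvandal"]:
        print(f"{name!r}: {username_problems(name) or 'ok'}")
    print(is_student_username("vand1234", "V00001234"))  # constructed Vandal number
    print(email_problems("jvandal", "jvandal@uidaho.edu", "jvandal@uidaho.edu"))
```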
Other References
NIST SP800-171 (January 2016)
NIST SP800-53r4 (April 2013)
CIS Controls version 7
Definitions
Privileged Account
Individual account utilized for elevated access to systems or data, which may include authority to make changes to access permissions, roles, security configuration, or non-public data of other users. (APM 30.10)
Individual Account
Primary account assigned to a single individual for access to technology resources, including interactive logon to computers, email, VPN, Banner, or other UI resources. (APM 30.10)
Functional Account
Account used by applications and processes and not interactively by end users. (APM 30.10)
Shared Account
Account used or shared where multiple users know the password or otherwise use the account for interactive logon. (APM 30.10)
SIS
Student Information System (i.e., Banner).
Remote Access
Access to an information system communicating through an external network (Internet).
Local Access
Access to an information system directly and not through a network.
Multifactor Authentication
Authentication using two or more factors, drawn from something you know (password), something you have (cryptographic device, hardware or software token), and something you are (biometric).
Security Functions
Hardware and software of an information system responsible for enforcing system security controls or policy and supporting the isolation of code and data.
For further clarification, refer to the APM or NIST SP800-171.
Standards Owner
UI Information Technology Services (ITS) is responsible for the content and management of these standards.
VERSION | AUTHOR(S) | DATE | NOTES |
---|---|---|---|
V1 | M. Parks, M. George | 6/19/19 | Original standards document |
V1.1 | M. Parks, D. Ewart | 6/23/20 | Clarified honored staff account lifecycle |
V1.2 | M. Parks, D. Ewart | 8/3/22 | Extended student affiliation for graduates |