ITS Digital Credential Standard

1.   Overview

Digital credentials provide the access and rights to organizational technology systems and services. They are used to identify, authenticate, and control access for users accessing IT resources.

2.   Purpose

The purpose of this standard is to define the University of Akron’s digital credential standards including account lifecycle management, passphrase requirements, and multifactor authentication requirements.

3.   Scope

This standard applies to all University of Akron managed digital credentials and defines credential lifecycles and authentication standards. 

4.   Background

The University of Akron is committed to a secure information technology environment in support of its mission as outlined in University Rule 3359-11-10.3: “Information technology security and system integrity policy”. Identity and Access Management (IAM) is the foundation for a secure enterprise.

5.   Definitions

  • Data Owner – The individual or group who has accountability and authority to make decisions about a specific set of data. The Data Owner is responsible for the function or functions that collect and use the information, determines the levels of protection for the information, makes decisions on appropriate use of the information, and determines the appropriate classification of the information.  This role generally falls to a functional academic or administrative area such as the Registrar, Human Resources, or the offices of the CFO and Provost.
  • Data Steward – The person who is identified by the Data Owner to act, and to approve or deny access to data, on behalf of the Data Owner.
  • Digital Credentials – A user’s identification and authentication information, typically a username and passphrase.
  • Emergency Account – A digital credential used strictly for emergency access to critical systems when other authentication methods are not available.  These accounts are reserved for IT use.
  • Employee – Regular full-time and part-time faculty, staff, contract professionals, whether compensated or not, who receive a digital credential from the university.
  • Guest Account – A digital credential provided to a sponsored individual who is not a student or employee and would not otherwise qualify for a university provided digital credential.
  • IT Services – The platforms and applications used to create, process, transmit, store, secure, or present information on IT systems which include but are not limited to email, telecommunications, network access, digital credentials, file storage, web applications, information security, and enterprise resource planning.
  • IT Systems – The electronic information processing, storage, and transmission systems, which include but are not limited to computers, terminals, printers, peripherals, mobile devices, networks, online and offline storage media and related equipment, software, and data files that are owned, operated, managed, or maintained by the University of Akron or contracted vendors or partners. IT Systems also include but are not limited to institutional and departmental information systems, faculty research systems, desktop computers, the university’s campus network, and the university general access computer clusters.
  • Local Account – A digital credential that only exists within an information system and is authenticated locally to that information system.
  • Multifactor Authentication (MFA) – A mechanism used to enhance the protection of a user’s digital credential that requires multiple methods of proving that a user is who they say they are, typically a passphrase and mobile application that grants permission or provides a rotating, time-based, numeric code.
  • Non-Affiliated Party – Any person or group who is not directly attached to the University of Akron through employment, partnership, or student status.
  • Privileged Account – A digital credential that is granted permissions not normally granted to a user’s primary digital credential. This account has a single owner who is responsible for all actions taken by this account.
  • Protected Institutional Data – Any information classified as more restricted than Public Use by the Data Owner, or appointed Data Steward(s), according to ITS Data Classification Standards.
  • Service Account – A digital credential that is not provided to a user, but rather is used only for programmatic functions and automated processes.
  • UAnet ID – A user’s unique username within the University of Akron systems. 

6.   Standard

  • Digital Credential Types
    • Digital credential types include: UAnet ID (individual), privileged accounts, guest accounts, local accounts, emergency accounts, and service accounts.
  • Digital Credential Use
    • Do not share digital credentials.  Sharing digital credentials is a violation of University Rule 3359-11-10: Access & Acceptable Use Policy.
    • UAnet ID
      • UAnet IDs are provided strictly for the use of the individual assigned to the account.
      • UAnet IDs are to be used for standard, non-elevated, access to information and systems.
      • UAnet IDs are not to be used for privileged access to information and systems.
    • Privileged Account
      • Privileged accounts are provided strictly for the use of the individual assigned to the account.
      • Privileged accounts are to be used only for accessing information and systems and/or performing system activities that require elevated permissions.
      • Privileged accounts should not be used for standard activities that do not require elevated permissions.
    • Guest Account
      • Guest accounts are provided strictly for the use of the individual assigned to the account.
      • Guest accounts are to be used for standard, non-elevated, access to information and systems.
      • Guest accounts are not to be used for privileged access to information and systems. If privileged access is needed, a privileged account will be provided in lieu of a guest account.
    • Local Account
      • Local accounts are provided strictly for the use of the individual assigned to the account.
      • Local accounts are to be used strictly for systems that do not support federated authentication and authorization.
      • If a user has local accounts on multiple systems, the passwords must be unique to each system.
    • Emergency Account
      • Emergency accounts are intended strictly for use when federated authentication systems that are normally used are not available, such as when a federated authentication system is experiencing a service outage.
      • Access to emergency accounts should be limited to no more than three trusted individuals.
      • If an emergency password is used, the password must be changed immediately upon restoration of the federated authentication system.
      • The Office of Information Security must be notified immediately by the system owner if an emergency account is used.
    • Service Account
      • Service accounts are intended strictly for use with programmatic functions and/or automated processes.
      • Access to service account credentials should be limited to no more than three trusted individuals.
  • Credential Lifecycle
    • UAnet ID
      1. Digital Credential Creation
        1. Students
          1. Students are provided a University of Akron digital credential consisting of a UAnet ID and passphrase when they apply to the university.
        2. Employees
          1. Employees are provided a University of Akron digital credential consisting of a UAnet ID and passphrase upon being designated as hired in the university Enterprise Resource Planning (ERP) system.
          2. Newly hired faculty will be provided their digital credential up to 60 days prior to their official start date.
          3. Newly hired staff and contract professionals will be provided their digital credential up to 7 days prior to their official start date.
        3. Alumni
          1. Alumni will be provided a new digital credential in a 3rd party email system.
          2. The new digital credential will match the alumni’s UAnet ID.
          3. The 3rd party email provider will manage the digital credential including but not limited to management of the authentication mechanism(s) such as passphrases, multifactor authentication, passphrase resets, and account verification.
        4.  Retirees
          1. Emeritus Retirees
            • Emeritus retirees retain their University of Akron digital credential if they remain actively using the account.
          2. Non-Emeritus Retirees
            • Retirees not identified as Emeritus will be provided a new digital credential in a 3rd party email system.
            • The new digital credential will match the retiree’s UAnet ID.
            • The 3rd party email provider will manage the digital credential including but not limited to management of the authentication mechanism(s) such as passphrases, multifactor authentication, passphrase resets, and account verification.
          3. Special Populations
            1. Sponsored Guests, External Contractors, and Other Affiliated Parties
              • Departmental personnel can request a Sponsored Guest digital credential.
              • The digital credential is available immediately and remains active for six months.  
              • The digital credential may be extended depending on the nature of the affiliation and business need. The extension must be approved by ITS and can be extended for an additional six months. 
              • If the Sponsored Guest account needs to be active for more than 12 months, an exception to this policy must be requested.
      2. Digital Credential Review
        1. UAnet IDs for non-privileged student, employee, and retiree access do not require review.
        2. Special Populations: Sponsored Guests, External Contractors, and Other Affiliated Parties
          1. Departmental personnel must review Sponsored Guest digital credentials quarterly to verify that the associated account or permission is still required.
          2. The departmental personnel who sponsored the account must notify ITS of any accounts or permissions that are no longer required.
          3. ITS will remove unnecessary accounts or permissions upon notification.
      3. Digital Credential Removal
        1. Students
          1. Student digital credentials are automatically disabled after 2 full semesters of inactivity.
          2. Students retain their unique UAnet ID indefinitely, but the accounts are disabled until the student has an active affiliation with the university.
        2. Employees
          1. Employee digital credentials are disabled and group access to resources is removed immediately upon separation.
          2. If an employee holds additional roles with the university that require them to retain access to university systems and/or services, such as an employee role and an active student role, at the time of separation, a new digital credential will be created and associated with the applicable role(s).
        3. Alumni
          1. Alumni digital credentials will be removed after 24 months of inactivity or upon request by the individual.
        4. Retirees 
          1. Emeritus Retirees
            1. Emeritus Retirees retain their University of Akron digital credential from their employment if they are active in the HR Management system.
            2. If no longer active, Emeritus Retirees will be provided a new digital credential in a 3rd party email system and be subject to the provisions of a Regular Retiree in this Standards document.
          2. Non-Emeritus Retirees
            1. University of Akron digital credentials of retirees not identified as Emeritus will be disabled immediately upon separation.
            2. If a retiree holds additional roles within the university that require them to retain access to university systems and/or services, such as a retiree role and an active student role, at the time of separation, a new digital credential will be created and associated with the applicable role(s).
            3. Retiree digital credentials in the 3rd party email system will be removed after 24 months of inactivity or upon request by the retiree.
        5. Special Populations
          1. Sponsored Guests
            1. Sponsored Guest accounts will be disabled after six months if the sponsor has not requested an extension. Extensions can only be requested for an additional six months. Any access beyond a cumulative 12 months requires a security review by the Office of Information Security.
          2. Student Employees and Graduate Assistants
            1. Student Employees and Graduate Assistants will have their accounts disabled on their termination date.
          3. External Contractors
            1. External Contractor accounts will be disabled after six months if the sponsor has not requested an extension. Extensions can only be requested for an additional six months. Any access beyond a cumulative 12 months requires a security review by the Office of Information Security.
    • Privileged Accounts
      1. Digital Credential Creation
        1. Employees
          1. Employees requiring elevated access to IT resources or data will be provided with a secondary digital credential that will be used to access the associated restricted resources or data.
          2. The privileged account will be generated by ITS after appropriate vetting and training has been completed.
        2. Special Populations
          1. Student Employees
            • Departmental student employee hiring managers must request the creation of a new student employee or graduate assistant digital credential.
          2. External Contractors
            • Departmental personnel can request a privileged digital credential for contractors.
            • The digital credential is available immediately and remains active for the duration of the engagement.
      2. Digital Credential Review
        1. Employees
          1. Privileged accounts shall be reviewed annually by the employee’s supervisor to verify that the associated permissions are still required as part of the employee’s job function.
          2. The employee’s supervisor must immediately notify ITS of any accounts or permissions that are not required.
        2. Special Populations
          1. Student Employees & Graduate Assistants
            • Departmental student employee hiring managers must review their student employee or graduate assistant account permissions every semester.
            • The departmental student employee hiring managers must notify ITS of any accounts or permissions that are no longer required.
            • ITS will remove unnecessary accounts or permissions upon notification.
          2. External Contractors
            • Departmental personnel must review privileged digital credentials every six months to verify that the associated account or permission is still required.
            • The departmental personnel who sponsored the account must notify ITS of any accounts or permissions that are no longer required.
      3. Digital Credential Permission Changes
        1. All permissions associated with privileged accounts will be removed upon the person’s change of role or position in the university.
        2. New permissions will then be added to the associated privileged account as appropriate for the new role.
      4. Digital Credential Removal
        1.  Employees
          1. Privileged accounts shall be disabled immediately upon separation from the university.
        2. Special Populations
          1. Student Employees & Graduate Assistants
            • Student Employees and Graduate Assistants will have their accounts disabled on their termination date.
          2. External Contractors
            • Privileged accounts will be disabled immediately upon expiration or termination of the agreement or upon notification from the sponsoring department. 
    • Local Accounts
      • Digital Credential Creation
        • Employees
          • IT employees requiring local accounts on IT systems will be provided with a digital credential unique to the system.
          • The local account will be generated by the system owner after appropriate vetting and training has been completed.
          • The employee will immediately change the password associated with the local account upon receipt of the digital credential.
        • Special populations
          • Student Employees
            • ITS student employee hiring managers must request the creation of a local digital credential if required to complete their job functions.
            • The local account will be generated by the system owner after appropriate vetting and training has been completed.
            • The student employee will immediately change the password associated with the local account upon receipt of the digital credential.
      • Digital Credential Review
        • Employees
          • The system owner will review local accounts quarterly and immediately upon any staffing changes.
        • Special Populations
          • Student Employees
            • ITS student employee hiring managers must review their student employee account permissions every semester and upon any staffing changes.
            • ITS will remove unnecessary accounts or permissions upon notification.
      • Digital Credential Permission Changes
        • All permissions associated with local accounts will be removed upon the person’s change of role in ITS.
        • New permissions will then be added to the associated local account as appropriate for the new role.
      • Digital Credential Removal
        • Employees
          • Local accounts shall be disabled immediately upon change in department, responsibility, or employment status with the university.
        • Special Populations
          • Student Employees
            • Local accounts shall be disabled immediately upon change in department, responsibility, or employment status with the university.
    • Emergency Accounts
      • Digital Credential Creation
        • IT system owners may create emergency accounts on IT systems they are responsible for.
        • The digital credential will be unique to the system and the credentials kept secret.
        • The system owner may share the credentials with no more than three trusted ITS personnel.
      • Digital Credential Review
        • The system owner will review emergency accounts quarterly and immediately upon any staffing changes.
      • Digital Credential Permission Changes
        • IT system owners are responsible for maintaining the permissions of emergency accounts.
      • Digital Credential Removal
        • Emergency accounts typically do not get removed; however, access to the credentials must be limited to not more than three trusted ITS personnel.
        • Emergency account passwords must be changed immediately after use and at least annually if not used.
    • Service Accounts
      • Digital Credential Creation
        • Departments may request service account digital credentials for programmatic use and/or automated processes.
        • The digital credential will be unique to the department and the credentials must be kept secret.
        • The digital credential will be available immediately.
      • Digital Credential Review
        • Departmental personnel must review service account digital credentials at least annually to verify that the associated account or permission is still required.
        • The departmental personnel who requested the account must notify ITS of any accounts or permissions that are no longer required.
        • ITS will remove unnecessary accounts or permissions upon notification.
      • Digital Credential Permission Changes
        • All permissions associated with service accounts will be removed upon notification from the department.
        • New permissions will then be added to the associated service account as appropriate.
      • Digital Credential Removal
        • Service accounts shall be disabled immediately upon notification from the department.
        • Service accounts that go unused for more than six months will be disabled.
        • ITS will notify the department when a service account is disabled.
  • Passphrases
    • Any digital credential that utilizes a passphrase as a means of authentication must meet the following complexity standards.
      1. Must be at least 10 characters long.
      2. Must include at least 1 letter, 1 number, and 1 special character.
      3. Must NOT be a word or name.
      4. Will not expire if utilizing MFA.
        1. Must be changed every 120 days if not utilizing MFA.
  • Multifactor Authentication (MFA)
    • All employees and students must utilize MFA to secure their University of Akron provided digital credential that utilizes a UAnet ID.
      • College Credit Plus students are exempted from the MFA requirement, though they are strongly urged to use MFA if possible.
      • MFA shall be used to secure any other university provided digital credential that supports MFA.
    • All members of special populations requiring access to IT systems or services must utilize MFA to secure their University of Akron provided digital credential that utilizes a UAnet ID.
      1. MFA shall be used to secure any other university provided digital credential that supports MFA.

7.   Standard Compliance

  • Roles and Responsibilities
    • ITS is responsible for reviewing, updating, and publishing the Digital Credential Standard.
    • Departmental hiring managers, supervisors, and guest sponsors must conduct the defined digital credential reviews at the time specified by ITS.
    • Departmental hiring managers, supervisors, and guest sponsors must report any changes to privileged account permissions to ITS immediately.
  • Exceptions
    • Any exception to this standard for employees must be approved by the requestor’s Department Head and the university’s Chief Information Security Officer (CISO) in advance.
    • Any exception to this standard for students must be validated by the Information Security team and approved by the university’s Chief Information Security Officer (CISO).
  •  Non-Compliance
    • ITS may remove permissions from any digital credential, at any time, if the account is used in violation of any federal, state, or local regulation or any university technology policy.
    • ITS will remove permissions from privileged accounts if account reviews are not conducted by the appropriate party.
    • Re-establishment of privileged accounts or permissions must be submitted in writing, containing approval from the Department Head and functional unit, as appropriate, to the Chief Information Security Officer (CISO) before privileged accounts or permissions will be restored.
    • ITS will notify the appropriate party of an account being disabled or the removal of permissions due to regulatory or policy violation.

8.   Related Documents

  • University Rule 3359-11-10: Acceptable Use Policy
  • University Rule 3359-11-10.3: Information Security and System Integrity Policy
  • University Rule 3359-11-10.4: Customer Information Security Policy
  • ITS: Data Classification Standards
  • ITS: Digital Credential Policy

9.   Standard History

  • Approval Authority: Chief Information Officer
  • Policy Manager: Chief Information Security Officer
  • Effective Date: 09/30/2022
  • Prior Effective Dates: 12/13/2021
  • Next Review Date: 12/01/2023

     
