Information Technology Identity and Access Management Policy
Authority: Information Technology
Date Enacted or Revised: Enacted September 20, 2022
Purpose
The purpose of this policy is to establish the rules that govern the issuance and maintenance of the digital identities at McNeese State University.
Scope
This policy applies to all McNeese State University employees, students, and individuals authorized to access University services and facilities.
Definitions
- Identity Management: The creation and maintenance of the unique University account that distinguishes one individual from another as well as confirmation of the account owner’s identity.
- Access Management: The assurance that only authorized University account owners are granted access to use University information systems.
Policy
The Office of Information Technology is responsible for establishing processes and procedures that enable secure, centralized access to University information systems.
Identity Management
All University accounts will be comprised of a unique ID number, McNeese login, and email address. Accounts will be created for individuals within the following categories:
- Students: Students admitted, enrolled, and attending the University; inherently included in this category are former students that have graduated or left the University.
- Employees: Employees with a full or part-time appointment.
- Authorized Individuals: Other individuals (e.g., vendors, courtesy assignments) who are authorized to be onsite, unescorted, and to use University services and facilities.
Access Management
Authentication to a University information system constitutes an official identification of an individual to the University; therefore, the use of a McNeese login for authentication is required to access all University information systems. The Office of Information Technology will use the following access guidelines:
- The creation of local accounts and/or use of authentication that does not use a McNeese login is prohibited.
- Multi-factor authentication is mandatory for all applicable services (e.g., VPN, email, etc.).
- Access to University information systems will be based on the principle of least privilege.
Account Owner Responsibilities
University account owners will be held accountable for the actions that occur within a University information system that has been authenticated using their McNeese login; therefore, University account owners are responsible for safeguarding their McNeese login, which includes but is not limited to:
- Creating and using passwords that adhere to best practices;
- Changing a password immediately and notifying the Office of Information Technology when there is reason to believe a password has been improperly disclosed, accessed, or used by an unauthorized person;
- Not sharing a McNeese login with someone else to access a University information system;
- Not using someone else’s McNeese login to authenticate to a University information system;
- Leaving McNeese login information in a location that can be readily obtained by another individual (e.g., writing a password on a note);
- Leaving a computer/workstation without securing it (e.g., locking it, logging out); and
- Accessing data within a University information system that is not related to job responsibilities.
Policy Compliance
Compliance Measurement
The Office of Information Technology will verify compliance to this policy through various methods, including but not limited to system monitoring, business tool reports, and internal and external audits.
Exceptions
Any exception to the policy must be approved by the Office of Information Technology in advance.
Non-Compliance
An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.
Any student who violates this policy will be subject to appropriate disciplinary action in accordance with the Student Handbook.
Any individual affiliated with the University who violates this policy will be subject to appropriate corrective action, including but not limited to termination of the individual’s relationship with the University.
Communication
This policy is distributed via the University Policies webpage.