Policy

Original Issuance Date: December 15, 2023

Last Revision Date: March 4, 2024

Effective Date: December 1, 2024

1. Policy Purpose

To provide structure for the deployment and management of Information Technology (IT) Identity and Access Management (IAM) controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.

2. Responsible UW System Officer

Associate Vice President for Information Security

3. Scope and Institutional Responsibilities

This policy applies to all UW System institutions, including UW System Administration, and all individuals and entities who intend to access UW System’s information systems and data. This policy applies to all Identity, Authentication, and access management processes, where technically feasible, administered throughout UW System. This includes Identity Provider services administered by UW System institutions as well as Federations shared with external Identity Providers.

4. Background

The President of UW System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. UW System is committed to a secure information technology environment in support of its mission. This policy is designed to ensure strong and consistent Identity, Authentication, and access management standards throughout UW System.

5. Definitions

Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:

Authentication

Authentication Assurance

Authorizations

Federated Identity Provider

Federation

Identity

Identity Assurance

Identity Provider

Secret

User Affiliation

6. Policy Statement

A. Accounts, Authorizations, and Authentication

Institutions must manage accounts and Identities throughout their lifecycle to ensure Identity Assurance, Authentication Assurance, and Authorizations are commensurate with the level of risk for the required access to the applications, systems, and data.

Secrets used for Authentication must be secured with encryption or equivalent technology when at rest and in transit. Encryption must use National Institute of Standards and Technology (NIST)-approved and supported cryptography standards.

B. Access Management

All information systems must apply access controls to data and services based on Authorizations and commensurate with the Data Classification and criticality of the system.

More stringent controls required by federal and state laws, regulations, and oversight bodies must be applied, where applicable.

C. Identity and Access Management Providers

Applications and systems should use Single Sign-on (SSO) Identity and Authentication services from an institution, UW System, or Federated Identity Provider.

Institution Identity Provider services must maintain controls outlined in SYS1030.A, Information Security: Identity and Access Management Standard.

D. IAM Architecture Documentation

Institutions must maintain, as an artifact of their design, deployment, and maintenance processes, high-level IAM architecture documentation that includes the following:

  1. Identifies the Federations, and the institution and UW System Identity Providers, used by the institution.
  2. Describes the institution’s approach to Identities, accounts, role-based access control (RBAC), and the principle of least privilege.
  3. Defines the institution’s approach to Privileged and Highly Privileged Authorizations and the required Identity and Authentication Assurances.
  4. Identifies Identity and Authentication Assurance and lifecycle management requirements for their common types of User Affiliations and outlines the notification information flows for deactivating accounts and identities.

7. Related Documents

NIST Special Publication 800-63

NIST Special Publication 800-175B

Regent Policy Document 25-5, Information Technology: Information Security

UW System Administrative Procedure 1030.A, Information Security: Identity and Access Management Standard

8. Policy History

Revision 1: March 4, 2024

First approved: December 15, 2023

9. Scheduled Review

December 2025