Skip Navigation
Skip to Menu Toggle Button

UMGC Policy X-1.10 Identity and Access Management

Policy CategoryPolicy OwnerVersion Effective DateReview CyclePolicy Contact
X. Information Governance, Security & TechnologyChief Transformation OfficerMarch 28, 2023Every 2 yearsinfosec@umgc.edu
  1. Purpose

    The purpose of this policy is to establish information security standards for the identity and access management processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

  2. Scope and Applicability

    This policy applies to all University Information Systems and Information Technology Resources. All Users are responsible for adhering to this policy.

  3. Definitions

    Defined terms are capitalized throughout this Policy and can be found in the Information Governance Glossary.

  4. Account Management
    1. Information System Stewards must adhere to the University's Account Management Policies, UMGC Policy X-1.19A Account Management (UMGC Learner Community) and UMGC Policy X-1.19B Account Management (UMGC Workforce), when creating, administering, and disabling University Accounts.
    2. Users must take security awareness training within 90 days of their hire date as required by UMGC Policy X-1.05 Information Security Awareness and Training Policy.
  5. Authentication
    1. University Information Resources that provide authentication services shall uniquely identify (e.g., username) users prior to allowing access to the said systems.
    2. Whenever possible and reasonable, any application or Information System, whether on premise or in the cloud, should use Single Sign-on authentication.
    3. Unique identifiers shall not be reused once assigned to a user.
    4. Multi-Factor Authentication (MFA) should be used to protect Critical Information Systems (CIS) whenever possible and reasonable to do so.
    5. Passwords must be constructed in accordance with the minimum requirements of the most recent University System of Maryland IT Security Standards and where technically feasible, should further meet the following requirements:
      1. Authorized User Account passwords must meet a minimum length of 8 characters.
      2. Administrative and Privileged Account passwords must meet a minimum of 10 characters.
      3. Shared account passwords must be changed upon termination or transfer of an Employee or Contractor with whom the account password(s) have been shared.
      4. Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all digits, all special characters, or all alphabetic characters.
      5. Automated controls must ensure that passwords are changed at least annually for general users, and at 90-day intervals for administrative- level accounts.
      6. User IDs associated with a password must be disabled for a period of time after not more than 6 consecutive failed login attempts. A minimum of 10 minutes is required for the reset period.
      7. Password must not be the same as the User ID.
      8. Store and transmit only encrypted representation of passwords.
      9. Password must not be displayed on screens.
      10. Users must not share passwords except with other approved Users of a shared account.
      11. Initial passwords and password resets must be issued pre-expired forcing the user to change the password upon first use.
      12. Password reuse must be limited by not allowing the last 10 passwords to be reused. In addition, password age must be at least 2 days.
      13. When a user password is reset or redistributed, the validation of the User identity must be at least as strong as when originally established.
      14. Expired passwords must be changed before any other system activity is allowed.
  6. Auditing
    1. Information System Stewards are responsible for ensuring that audit trails are maintained to record appropriate events and actions occurring in the Information System.
    2. Audit procedures are to be defined to periodically review the audit records of Information Systems for unusual or suspicious activities or suspected violations.
  7. Exceptions

    Exceptions to this policy should be submitted to the Sr. Director, Information Security for review and approval. If an exception is requested, a compensating control or safeguard should be documented and approved.

  8. Enforcement
    1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the Sr. Director, Information Security as soon as practicable.
    2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.
  9. Standards Referenced
    1. USM IT Security Standards, v.5, dated July 2022
    2. NIST SP 800-171r2 “Protecting Controlled Unclassified Information in Nonfederal Systems and Organizations”, dated February 2020
    3. Cybersecurity Maturity Model Certification (CMMC), v.2.0, dated December 2021
  10. Related Policies
    1. UMGC Policy X-1.02 Data Classification 
    2. UMGC Policy X-1.04 Information Security 
    3. UMGC Policy X-1.05 Information Security Awareness and Training Policy
    4. UMGC Policy X-1.06 Information Security Incident Response 
    5. UMGC Policy X-1.12 Acceptable Use 
    6. UMGC Policy X-1.19A Account Management (UMGC Learner Community) 
    7. UMGC Policy X-1.19B Account Management (UMGC Workforce)
  11. Effective Date: This policy is effective as of the Version Effective Date set forth above.