Online Identity Management Policy

1.  PURPOSE

This policy defines the rules for the provisioning, management, and de-provisioning of access to Framingham State University (FSU) information systems.

2. POLICY STATEMENT

Access to FSU information systems[1] shall be restricted to authorized individuals who have been properly authenticated. Access rights will be issued, re-issued, maintained, modified, or terminated based on the user’s verified identity, employment status, appropriate management approvals, and business justification.

The rules, practices, and procedures in this policy for the provisioning, management, and de-provisioning of access to FSU information systems shall be based on generally-accepted information security best practices within Higher Education.

3.  ASSIGNED ROLES AND RESPONSIBILITIES

4.  RULES AND PROHIBITIONS

4.1 Provisioning: Individuals are automatically assigned a persistent, unique identifier that cannot be re-assigned (a.k.a. username) only after information about them has been entered into the University’s administrative and student information system (a.k.a. Banner).  Banner is the authoritative source of information used to verify employment status and/or relationship with the University.  The association between the username and person is maintained in the University’s enterprise directory. 

Once students are accepted and declare their intent to attend, or when they register for a course, they are also provisioned for authentication to the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas.

Anyone employed by the University is provisioned for authentication to the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas only after the Office of Human Resources or the Division of Graduate and Continuing Education enters information about them into Banner.

Supervisors of independent contractors, consultants, third party service providers, and any other individual that is not on the University’s payroll must submit a formal request for access to Information Technology Services (ITS) for a pre-determined amount of time.Banner and the enterprise directory are the authoritative source of information used to verify the individual’s relationship with the University.The association between the username and person is maintained in the University’s enterprise directory.

4.2 Credentialing: Individuals are issued one set of login credentials (username and password) to access the campus computing network, myFramingham portal, Microsoft 365 applications and services, and Canvas.  New users are issued a temporary one-time use password to an automated self-service application they use to verify their own identity in order to activate their login credentials to these systems.  During this process they are also required to indicate that they have read and agree to the University’s Acceptable Use Policy.  The user is then prompted to change the temporary password after completing this process and create a new one.  The new password (known only by them) is then used in combination with the username as the login credential to access information systems for authorized use.

Login credentials will not be activated until this process is complete. Login credentials for access to Banner are not activated as part of this process until additional criteria are met according to the University’s policy on “Granting Access Privileges to Administrative and Student Information Systems”.

4.3 Password Management: Passwords to protected information systems are never distributed and are known only by the individual authorized to use it.  Use of strong passwords and periodic changes are enforced.  The University’s policy on passwords to information systems and network services specifies the required composition of strong passwords, what must be done to protect passwords, and the minimum time interval for changing passwords.  Individuals must reset passwords themselves using a similar process as described above by first answering a challenge question that they provided an answer to when originally activating their login credentials.  Passwords are never transmitted over the network in the clear.

4.4 Application Level Security: Additional access controls (beyond login credentials) that are used to restrict and grant permissions to perform certain functions pertaining to the administration of protected information and systems must be maintained in accordance with the following policies:

• Granting Access via Multi-Factor Authentication (MFA)
• Granting Access to the Campus Computing Network
• Granting Access to the my.Framingham Portal
• Granting Access to Microsoft 365 Applications and Services
• Granting Access to the Canvas Academic Suite of Applications
• Granting Access Privileges to Administrative and Student Information Systems

4.5 De-provisioning: The Office of Human Resources must provide Information Technology Services timely notification of any change of employment status for all personnel on the payroll along with a formal request to modify or remove electronic access privileges (including deactivating their username and password) for an individual no longer needing or authorized to have access to secured University information systems.  The Division of Graduate and Continuing Education, academic departments and administrative offices must also provide Information Technology Services with the same notification and request to modify or remove access for all non-payroll contractors, consultants and all other third party users of information systems to whom they provided authorization to grant access.  All contractor accounts will be disabled at the end of each fiscal year unless formal requests with appropriate authorizations are provided.  Student access and credentials will be deprovisioned after 6 consecutive semesters of non-access.

5.  RELATED UNIVERSITY PROGRAMS, POLICIES, OPERATIONAL PLANS AND PROCEDURES

6.  ENFORCEMENT OF POLICY VIOLATIONS

Failure to comply with this policy, intentionally or unintentionally, may result in one or more of the following:

• Termination, without notice, of access privileges to information and technology resources.
• Disciplinary action, up to and including termination of employment.
• Civil or criminal penalties as provided by law.

7.  REVIEW AND REVISION HISTORY

Policies must be reviewed annually by the policy owner. If a policy has been revised, then it must have all necessary approvals before being published. In the last column, indicate whether the activity was a review or a revision; if a revision, summarize the changes.