Original Issuance Date: September 14, 2016
Last Revision Date: July 31, 2017

1. Policy Purpose

The purpose of this policy is to establish specific minimum standards for authentication and authentication management across the University of Wisconsin System. This policy is designed to ensure that the UW System manages authentication in a consistent manner and to appropriately safeguard account-based access to information assets.

2. Responsible UW System Officer

UW System Chief Information Officer (CIO)

3. Scope

This policy applies to all authentication administered throughout the UW System, whether centrally managed, managed in a distributed fashion, or departmentally managed. This policy applies to all individuals and entities who intend to access the UW System’s information systems and data. To the extent possible, the elements of Section 6 of this policy should be incorporated into contracts with third-party providers.

4. Background

The President of the University of Wisconsin System is empowered to establish information security policies under Regent Policy Document 25-5, Information Technology: Information Security. The UW System is committed to a secure information technology environment in support of its mission. This policy is designed to help ensure strong and consistent authentication standards throughout the computing environments of the UW System.

5. Definitions

Authentication: The process of verifying that someone who holds an account on an IT system is who they purport to be.

Multi-Factor Authentication: Multiple forms of authentication used to increase the likelihood that the login credentials are from the individual to whom they were assigned. The types of credentials typically fall into three categories: something you know, such as a PIN or password; something you have, such as a one-time passcode generator, token or smart card; or something you are, such as a fingerprint or other biometric.

Level of Assurance: The degree of confidence that someone who holds an account on an IT system is who they purport to be.

Low Risk Data: Data assets classified as being of low risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

Moderate Risk Data: Data assets classified as being of moderate risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

High Risk Data: Data assets classified as being of high risk as defined in UW System Administrative Policy 1031, Information Security: Data Classification and Protection.

6. Policy Statement

Authentication methods for medium and high risk data shall meet the standards outlined in UW System Administrative Procedure 1030.A, Information Security: Authentication.

Access to view low risk data does not require authentication. However, access to modify low risk data shall use authentication methods that meet the requirements for accessing medium risk data.

The required levels of assurance, the associated authentication requirements, and the procedures to implement this policy are outlined in UW System Administrative Procedure 1030.A, Information Security: Authentication.

7. Related Documents

Regent Policy Document 25-5, Information Security
UW System Administrative Procedure 1030.A, Information Security: Authentication
UW System Administrative Policy 1031, Information Security: Data Classification and Protection

8. Policy History

Revision 1: July 31, 2017

First approved: September 14, 2016

9. Scheduled Review

July 2018
