Original Issuance Date: December 15, 2023
Last Revision Date: March 4, 2024
Effective Date: December 1, 2024
1. Policy Purpose
To provide structure for the deployment and management of Information Technology (IT) Identity and Access Management (IAM) controls used to mitigate Information Security (IS) threats throughout the University of Wisconsin (UW) System.
2. Responsible UW System Officer
Associate Vice President for Information Security
3. Scope and Institutional Responsibilities
This policy applies to all UW System institutions, including UW System Administration, and all individuals and entities who intend to access UW System’s information systems and data. This policy applies to all Identity, Authentication, and access management processes, where technically feasible, administered throughout UW System. This includes Identity Provider services administered by UW System institutions as well as Federations shared with external Identity Providers.
4. Background
The President of UW System is empowered to establish IS policies under the provisions of Regent Policy Document 25-5, Information Technology: Information Security. UW System is committed to a secure information technology environment in support of its mission. This policy is designed to ensure strong and consistent Identity, Authentication, and access management standards throughout UW System.
5. Definitions
Please see SYS 1000, Information Security: General Terms and Definitions, for a list of general terms and definitions. Terms and definitions found within this policy include:
Authentication
Authentication Assurance
Authorizations
Federated Identity Provider
Federation
Identity
Identity Assurance
Identity Provider
Secret
User Affiliation
6. Policy Statement
A. Accounts, Authorizations, and Authentication
Institutions must manage accounts and Identities throughout their lifecycle to ensure Identity Assurance, Authentication Assurance, and Authorizations are commensurate with the level of risk for the required access to the applications, systems, and data.
Secrets used for Authentication must be secured with encryption or equivalent technology when at rest and in transit. Encryption must use National Institute of Standards and Technology (NIST)-approved and supported cryptography standards.
B. Access Management
All information systems must apply access controls to data and services based on Authorizations and commensurate with the Data Classification and criticality of the system.
More stringent controls required by federal and state laws, regulations, and oversight bodies must be applied, where applicable.
C. Identity and Access Management Providers
Applications and systems should use Single Sign-on (SSO) Identity and Authentication services from an institution, UW System, or Federated Identity Provider.
Institution Identity Provider services must maintain controls outlined in SYS1030.A, Information Security: Identity and Access Management Standard.
D. IAM Architecture Documentation
Institutions must maintain, as an artifact of their design, deploy, and maintain processes, high-level IAM architecture documentation that includes the following:
I. Identifies the Federations, and the institution and UW System, Identity Providers used by the institution.
II. Describes the institution’s approach to Identities, accounts, role-based access control (RBAC), and the principle of least privilege.
III. Defines the institution’s approach to Privileged and Highly Privileged Authorizations and the required Identity and Authentication Assurances.
IV. Identifies Identity and Authentication Assurance and lifecycle management requirements for their common types of User Affiliations and outlines the notification information flows for deactivating accounts and identities.
7. Related Documents
NIST Special Publication 800-63
NIST Special Publication 800-175B
Regent Policy Document 25-5, Information Technology: Information Security
8. Policy History
Revision 1: March 4, 2024
First approved: December 15, 2023
9. Scheduled Review
December 2025