Provisioning and Deprovisioning Policy

Version 1.5

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to define the University’s IT Resources access issuance, modification, or revocation for entities affiliated with the University.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

Access to University IT Resources must only be granted to entities (person or non-person) following the Principle of Least Privilege.
When an entity’s (person or non-person) role or affiliation is modified or terminated, or access is no longer required, it is the responsibility of the managing supervisor (or higher) to notify Human Resources and IT Service Desk, as applicable, of the status change.
All provisioning and deprovisioning requests must be kept in the University’s IT ticketing system to enable an appropriate review of compliance with this policy.
IT Resources that do not use centrally managed services (e.g., Central Authentication Service) or have an automatic provisioning/deprovisioning process in place must be manually provisioned/deprovisioned by the individual(s) responsible.
Non-centrally managed accounts include but are not limited to:
- Service and administrative accounts,
- Educational Technologies and Research Computing accounts,
- Database accounts,
- Application-based accounts, or
- Corporate and Generic Accounts.

Definitions

Corporate Accounts are departmental or group email accounts.

Deprovisioning is the term used when account access is suspended or disabled from use.

Generic Accounts are considered accounts not derived using the faculty, staff, or student naming convention. There is no corresponding ID associated with a Generic Account. These accounts do not identify the person or entity using the account. See the Generic Account Policy.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Principle of Least Privilege is the cybersecurity practice that individuals should have access to only IT Resources and functions required to perform their stated duties.

Provisioning is the term used to create or provide specific accounts and applicable access.

Related Policies and Procedures

Implementation Information

Review Frequency	Annual
Responsible Person	Senior Director of IT Security and Assurance
Approved By	CISO
Approval Date	March 1, 2017

Revision History

Version	Date	Description
1.0	03/01/2017	Initial document
1.0.1	03/07/2018	Grammatical changes only. No adjustments to the policy
1.0.2	06/25/2018	Updated disclaimers, scope, and definitions
1.0.3	09/30/2019	Updated definitions
1.0.4	11/11/2019	Updated policy statement
1.1	12/04/2020	Updated the purpose and policy statements
1.2	11/09/2021	Updated policy statement
1.3	11/11/2022	Updated definitions, links, and Sr Director title
1.4	03/30/2023	Updated policy statement and definitions
1.5	04/30/2024	Updated policy statement, scope, and disclaimer

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) will only be considered cooperatively between ISA and the requesting entity with sufficient notice to allow for conducting appropriate risk analysis, documentation, review, and notification to authorized University representatives where necessary. Failure to adhere to ISA written policies may be met with University sanctions up to and including dismissal.