Provisioning and Deprovisioning Policy

Version 1.2

For Students, Faculty, Staff, Guests, Alumni

Purpose

The purpose of this policy is to define the University’s IT Resources access issuance, modification, or revocation for entities affiliated with the University.

Scope

This IT policy, and all policies referenced herein, shall apply to all members of the University community, including faculty, students, administrative officials, staff, authorized guests, delegates, and independent contractors (the “User(s)” or “you”) who use, access, or otherwise employ, locally or remotely, the University’s IT Resources, whether individually controlled, shared, stand-alone, or networked.

Policy Statement

  • With appropriate authorization, access to University IT Resources is granted to entities (person or non-person) following the Principle of Least Privilege.
  • When an entity’s (person or non-person) role or affiliation is modified or terminated, and access is no longer required to the University’s IT Resources, it is the managing supervisor's responsibility (or higher) to notify Human Resources and the IT Service Desk Level 1, as applicable, of the status change.
  • All provisioning and deprovisioning requests must be kept in the University’s IT ticketing system to enable an appropriate review of compliance with this policy.  
  • IT Resources that do not use centrally managed services (e.g., Central Authentication Service) and automatic provisioning/deprovisioning processes must be manually provisioned/deprovisioned by the individual(s) responsible for that resource.
  • Non-centrally managed accounts include but are not limited to:
    • Service and administrative accounts,
    • Academic Computing Environment (ACE) accounts,
    • Database accounts,
    • Application-based accounts, or
    • Corporate and generic accounts.

Definitions

Corporate accounts are departmental or group email accounts.

Deprovisioning is the term used when account access is suspended or disabled from use.

IT Resources include computing, networking, communications, application, telecommunications systems, infrastructure, hardware, software, data, databases, personnel, procedures, physical facilities, cloud-based vendors, Software as a Service (SaaS) vendors, and any related materials and services.

Principle of Least Privilege (POLP) is the cybersecurity practice that individuals should have access to only IT Resources and functions required to perform their stated duties.

Provisioning is the term used for creating or providing specific account access.

Related Policies and Procedures

Implementation Information

Review Frequency Annual
Responsible Person Senior Director of IT Security and Assurance 
Approved By CISO
Approval Date March 1, 2017

Revision History

VersionDateDescription
1.0 03/01/2017 Initial document
1.0.1 03/07/2018 Grammatical changes only. No adjustments to policy.
1.0.2 06/25/2018 Updated disclaimers, scope, and definitions
1.0.3 09/30/2019 Updated definitions
1.0.4 11/11/2019 Updated policy statement
1.1 12/04/2020 Updated the purpose and policy statements
1.2 11/09/2021 Updated policy statement

Policy Disclaimer Statement

Deviations from policies, procedures, or guidelines published and approved by Information Security and Assurance (ISA) may only be done cooperatively between ISA and the requesting entity with sufficient time to allow for appropriate risk analysis, documentation, and possible presentation to authorized University representatives. Failure to adhere to ISA written policies may be met with University sanctions.

 Need Help?

IT Service Desk

Fordham.edu/ITHelp
Online Support
718-817-3999
[email protected]

Walk-In Centers

McShane Center 229 | RH
Leon Lowenstein SL18 | LC

View Our Walk-In Hours

Social Media

Follow us on Twitter
Follow us on Instagram
Check out our Blog