University Policies and Procedures Manual (previously Business Policies and Procedures Manual)

Account, Identity, and Authentication Management

UPPM 87.03

For more information contact:
   Information Technology Services


1.0   Overview and Purpose

1.1  Information Assurance Policies Generally

The purposes of the information assurance policies in UPPM Chapter 87: Information Technology and Security are to:

  • Set requirements to ensure the privacy, confidentiality, integrity, and availability of Washington State University (WSU) data;
  • Support institutional goals and strategies with appropriate methods for administratively, technically, and operationally protecting data; and
  • Define the criteria WSU follows to meet requirements for protecting data, which are determined by Information Owners.

The policies in this chapter comply with Federal Information Processing Standards (FIPS 199), which are intended to help organizations achieve a common level of quality and interoperability in information technology (IT) by requiring categorization of systems as low-impact, moderate-impact, or high-impact for the stated security objectives of confidentiality, integrity, and availability. To determine the potential consequence of a loss event, the Federal Information Processing Standards:

  • Define WSU Information Owners’ impact categorization rating (Low, Moderate, or High);
  • Dictate which security controls are mandatory based upon the categorization level;
  • Define the strength, frequency, and formalization of those controls; and
  • Influence audit burden and continuous monitoring rigor.

See UPPM 87.01 for definitions, general information, and violations related to this policy, as well as additional information regarding roles and responsibilities.

1.2   Specific Policy Overview and Purpose

Appropriate criteria and robust controls regarding account, identity, and authentication management are critical to ensure the confidentiality, privacy, integrity, and availability of institutional systems and data. This policy sets forth the roles, responsibilities, and requirements to ensure WSU’s compliance with applicable standards, thereby advancing WSU’s academic, research, and administrative missions.

2.0   Applicability 

This policy applies to all WSU system users who have contact with, or potentially may have contact with, WSU data, applications, and computing resources.

Security control exceptions to policy statements in UPPM Chapter 87 are managed and maintained in accordance with UPPM 87.23.

3.0   Roles and Responsibilities


3.1  Chief Information Officer (CIO)

The Chief Information Officer (CIO) of WSU, or designee, is responsible for administering this policy and reviewing it on an annual basis.

3.2  Information System Owners

WSU Information System Owners, or their delegates, are responsible and accountable for developing appropriate Standard Operating Procedures (SOPs) for this policy’s implementation. 

3.3  Office of Information Security and Assurance (OISA)

WSU’s Office of Information Security and Assurance (OISA) shall maintain the standard (PDF) associated with this policy and provide guidance for the associated procedures for the implementation of this policy (see examples (PDF)).

Note: While all units are required to adhere to the standard established by OISA (NIST SP 800-53), procedural examples for implementation are optional.

4.0   Requirements 

4.1   Office of CIO Authority

The Office of the CIO is authorized to create, distribute, and maintain institutional accounts, identifiers, and authentication credentials for authorized institutional information system users for the purposes of:

  • Enabling and supporting WSU’s mission and business objectives; and 
  • Protecting institutional user accounts, identifiers, authenticators, and information resources.

The Office of the CIO is responsible for defining authenticator content and requirements for verifying institutional information system users.

4.2  Information Owner and Information System Owner Authority

Information Owners, or their delegates, give Information System Owners the authority to create, manage, and maintain information system accounts and identifiers that are appropriate for their organization and their areas of responsibility. 

Information System Owners, or their delegates, must:

  • Identify and assign the types of information system accounts to support the mission and business functions that apply to their areas of responsibility;  
  • Specify the devices that are allowed to make local, remote, or network connections to moderate- and high-impact systems. These devices must be uniquely identified and authenticated prior to establishing the connections; and   
  • Assign unique identifiers to authorized users and groups. Conditions for group membership are to be documented, and previously used identifiers are not reused. For moderate- and high-impact systems, identifiers must uniquely represent user status (e.g., faculty, staff, student, contractor).

4.3   Account Types and Requirements

Account types may include: 

  • individual user;
  • system (privileged);
  • service;
  • family/guardian of student;
  • customer;
  • vendor;
  • contractor; or
  • other third-party affiliates.

Individual user accounts require multi-factor authentication. The authentication process for privileged accounts must implement mechanisms to prevent replay attacks.  

WSU information system users include faculty, staff, and students who are part of the WSU ecosystem. Non-organizational users include external entities such as alumni, business partners, vendors, contractors, customers, and other third-party affiliates.  

  • Before accessing WSU’s institutional information systems, all users must have individual identifiers and be authenticated. 
  • When authenticating non-organizational users, WSU will use a restricted identity management profile, and a list of the accepted external authenticators will be maintained.

When shared accounts or authenticators are employed on high-impact systems, users are required to be individually authenticated before granting access to the shared accounts or resources.  

4.4   Authentication Management

The Office of the CIO must define authenticator content and requirements for verifying institutional information system users. Individual authenticators may include the following to authenticate information system user identities: 

  • passwords; 
  • tokens; 
  • passcodes; 
  • personal identification numbers (PINs); 
  • biometrics; or 
  • digital certificates. 

Authenticators must be assigned by the appropriate business unit (BU) and be of sufficient strength for their intended use. When used to access moderate- and high-impact systems, an authenticator must be classified at a level equal to the classification of the information it protects.

  • When initial and replacement authenticators are distributed to an individual user, group, or device, the identity of the user, group, or device receiving the authenticator must be verified.   
  • Verifying credentials for moderate- and high-impact systems is to include providing strong evidence of identity and address confirmation. For high-impact systems, verification must be done in person.  

Password-based authentication for access to high-impact systems must: 

  • Require long passwords and passphrases while enforcing complexity rules;  
  • Use automated tools to assist with creating a strong password;  
  • Maintain an updated list of commonly used and compromised passwords, preventing their use during password creation or updates; and  
  • Ensure secure transmission and storage of passwords.  

Moderate- and high-impact systems must use centralized public-key-based account, identity, and authentication management. This can involve federation with external identity providers via WSU services. If public key infrastructure is used, certificates are to be validated, and mechanisms are to be implemented to support path discovery and revocation.  

Authentication information must be obscured to protect the information from being used by unauthorized individuals.   

Authentication mechanisms for access to hardware, software, and/or firmware that implement cryptographic algorithms and key generation must meet applicable laws.

Information System Owners, or their delegates, must define the circumstances or situations that require information system users to re-authenticate.

Activities associated with the use of information system user and/or device accounts, identifiers, and authenticators are subject to monitoring and logging in accordance with UPPM 87.50 and UPPM 87.25.

5.0   Training

See UPPM 87.21 for training requirements related to UPPM Chapter 87.

In addition to the requirements in UPPM 87.21, Information System Owners are responsible for ensuring that users receive appropriate information security and privacy training commensurate with their roles, responsibilities, and authorized access to information systems under the Information System Owner’s authority.

_______________________
Revisions: Feb. 2026 (Rev. 651 – NEW)