Identification, Authentication, and Authorization Policy


Policy Statement

All users of Bowdoin College IT resources will be assigned a unique identity to securely authenticate to College IT resources that they have been authorized to access.

Authority

This policy is approved by the Chief Information Officer.

Summary

To ensure the security and integrity of both College data and data belonging to individuals, this policy establishes requirements for the digital identification of all users of Bowdoin computer systems and networks. Identified users will securely authenticate to College systems and access only resources that they have been authorized to access.

Applicability

This policy covers students, faculty, staff, outside agents, contractors and any and all individuals or entities using any Bowdoin College IT resource.

Identification

Management of Identifiers

  • Linked Identifiers. Bowdoin College maintains dual records identifying all employees, students, and others who use the College’s computing resources. These records correlate Bowdoin ID and Bowdoin Account records.

  • Uniqueness. Each identifier (College ID or Bowdoin Account) is unique; that is, each identifier is associated with a single person or other entity.

  • One Identifier per Individual. An individual may have no more than one College ID number and one personal Account.

  • Non-Reassignment. Once an identifier is assigned to a particular person it is always associated with that person. It is never subsequently reassigned to identify another person or entity.

    • Alternative IDs (alternative names registered along with a personal Bowdoin ID) may be reassigned after a waiting period.

  • Social Security Number. Social Security Numbers shall not be used to identify Bowdoin employees or students.

Bowdoin College Accounts

Types of Bowdoin Accounts

  • Regular Personal Bowdoin Accounts. Regular Accounts are available to:

    • Authorized, registered students

    • Regular faculty and staff

    • Emeritus faculty and staff

  • Sponsored Personal Bowdoin Accounts. Sponsored Accounts are available to all others subject to the following conditions:

    • The ID is to be used by a specific, named individual

    • The ID is sponsored by a person who has a Bowdoin Account

    • The sponsor accepts responsibility for ensuring that the sponsored ID is used in support of work consistent with the College’s mission of instruction, research, and public service, and in a manner consistent with the College’s policies.

  • Other Bowdoin Accounts. IDs are available to identify other kinds of entities such as groups, departments, mailing lists, roles, computer-based services, etc.

Expiration of Bowdoin Accounts

Graduating Students

  • If no action is taken by the graduate, the account will be deactivated on October 31 of the graduation year. For non-graduates, the account will be deactivated within 30 days of the student's date of resignation.

  • A graduate may petition to extend their account by up to three months by submitting a request to the IT Service Desk.

  • To renew an extension, a graduate may submit a request to the IT Service Desk prior to the expiration date of the extension that was granted. An extension can be renewed every 3 months to a maximum of 1 year.

Employee Terminations

  • Once the effective termination date has been determined by Human Resources, the Bowdoin account of a terminated employee is disabled at 11:59pm on that date. Exceptions to disabling such accounts and the duration of the exceptional extension require approval from Human Resources. If denied, requests may be made to the President for consideration.

  • An employee's mailbox and account data are retained for 90 days past termination before they are deleted, unless an exceptional circumstance requires longer retention, which requires approval from Human Resources.

  • The employee's supervisor may request access to a terminated employee's mailbox for a business purpose. This business purpose must be approved by Human Resources. If approved, the supervisor shall be permitted access to the mailbox of a terminated employee for up to 90 days after the employee's termination date, at which time the access to the mailbox and the mailbox itself will typically be removed. For members of academic departments, the Dean for Academic Affairs Office must also grant approval and would serve as supervisor. Exceptional requests for extended access which have been denied may be made to the President for consideration.

    • Access to terminated employee mailboxes or data will only be granted where they can be audited and controlled.

  • Employees who receive emeritus status will receive access to a new account with a new email address and their existing account will go through the normal termination process.

Other Bowdoin Account Terminations

  • Sponsored Personal Bowdoin Accounts or Other Bowdoin Accounts that have not been logged into for more than 12 months will be disabled and the account owner will need to contact the IT Service Desk to have the account re-enabled.

  • Any accounts found to be in violation of our policies or found to be partaking in illegal activity may be disabled at any time.

Eligibility for Bowdoin IDs

  • College ID and Regular Personal Accounts. Eligibility begins when the individual accepts the offer of student registration or employment. Eligibility ends when a person’s active association with the College ends (i.e. when an employee is no longer employed and does not have emeritus status, or a student is no longer registered). A grace period may be allowed as a courtesy after eligibility ends.

  • Sponsored Accounts. A sponsored Account is sponsored for a specific period of time. The sponsor determines the length of sponsorship; sponsorship must be renewed to keep the ID valid. There is no grace period: the entry becomes invalid immediately at the end of the sponsorship period.

  • Reactivation. An Account may be reactivated if the individual subsequently rejoins the College, either via regular association or sponsorship.

  • Suspension. The use of an Account may be revoked if it is used in a manner inconsistent with Bowdoin policies or if an individual is subject to other administrative action that denies them College privileges.

College ID

A College identification number is automatically assigned to regular, continuing employees and to students. This number appears on the printed Bowdoin Identification Card.

Authentication

Access to non-public College IT resources will be achieved by individual and unique logins, and will require authentication, minimally a username and password combination. Authentication credentials will not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist. Please see the IT Security Standard: Authentication for specific details required for authentication to Bowdoin systems.

Authentication Methods

Authentication methods involve presenting both a public identifier (such as a user name or identification number) and private authentication information such as a personal identification number (PIN), password, token, or information derived from a cryptographic key.

Authentication against Bowdoin’s central computing infrastructure is recommended when possible. One of the following methods must be implemented:

  • Strictly controlled passwords

  • Biometric identification

  • Physical Token

No Unencrypted Authentication

Unencrypted authentication and authorization mechanisms are only as secure as the network they use. Traffic across the network may be monitored, rendering these mechanisms vulnerable to compromise. Therefore, all College services must use only encrypted authentication mechanisms unless otherwise authorized. In particular, historically insecure services, such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.

User Responsibilities

  • Official Actions. Use of an Account and authentication method to identify oneself to an on-line system constitutes an official identification of the user to the College, in the same way that presenting an ID Card does. Users can be held responsible for all actions taken during authenticated sessions.

  • Integrity. Regardless of the authentication method used, users must use only the Account and authentication information that they have been authorized to use (i.e. a user must never identify themselves falsely as another person or entity).

  • Confidentiality. Regardless of the authentication method used, users must keep authentication information confidential (i.e. a user must not knowingly or negligently make it available for use by an unauthorized person).

  • Reporting Problems. Anyone suspecting that their authentication information was compromised should immediately contact the Bowdoin IT Service Desk.

  • Disciplinary Action. Individuals who are found to have knowingly violated one of these provisions will be subject to disciplinary action. The possible disciplinary actions for violations, which can include termination of employment or student status, will depend on the facts and circumstances of each case.

Authorization

Access to information and IT system resources will be granted on a “need to know” or “minimum necessary” basis and must be authorized by the immediate information owner. Any of the following methods are acceptable for providing access:

  • Context-based access. Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of users, strength of user authentication, etc.

  • Role-based access. Access control model that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization's structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.

  • User-based access. Security mechanism used to grant users of a system access based upon the identity of the user.
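The three access methods above, combined under a default-deny decision, as an added example (not the College's code or any real Bowdoin system). Role names, privileges, grants and the context thresholds are constructed for illustration; the context factors checked are the ones the policy names (time of day, location, strength of authentication).

```python
from dataclasses import dataclass

# Constructed sample data: role names, privileges and grants are invented for
# this example; the College's real roles and resources are not on the page.
ROLE_PRIVILEGES = {
    "student": {"read:coursework"},
    "faculty": {"read:coursework", "write:grades"},
    "hr-staff": {"read:hr-records", "write:hr-records"},
}

# User-based access: a privilege granted directly to one named account.
USER_GRANTS = {"jdoe": {"read:hr-records"}}

# Context-based access: conditions on the transaction itself, not on who
# initiates it. Thresholds are constructed for the example.
CONTEXT_RULES = {
    "write:hr-records": {"min_auth_strength": 2, "on_campus": True, "hours": (7, 19)},
}

@dataclass
class Request:
    account: str
    roles: set
    privilege: str
    auth_strength: int   # 1 = password only, 2 = password plus token or biometric
    on_campus: bool
    hour: int            # local hour of day, 0-23

def role_permits(req: Request) -> bool:
    """Role-based: the privilege is held through one of the account's roles."""
    return any(req.privilege in ROLE_PRIVILEGES.get(r, set()) for r in req.roles)

def user_permits(req: Request) -> bool:
    """User-based: the privilege is granted directly to this account."""
    return req.privilege in USER_GRANTS.get(req.account, set())

def context_permits(req: Request) -> bool:
    """Context-based: every rule attached to the privilege must hold."""
    rule = CONTEXT_RULES.get(req.privilege)
    if rule is None:
        return True  # no contextual restriction on this privilege
    start, end = rule["hours"]
    return (req.auth_strength >= rule["min_auth_strength"]
            and req.on_campus == rule["on_campus"]
            and start <= req.hour < end)

def authorize(req: Request) -> bool:
    """Default deny: an identity-based grant AND the context rules must both allow."""
    return (role_permits(req) or user_permits(req)) and context_permits(req)
```

Note that a user-based grant and a role-based grant are alternatives, while the context rules are an additional gate: an HR staff member with the right role is still refused outside business hours or with password-only authentication.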

Identification and Authentication of Local Systems

This section contains recommendations and requirements for systems and services that use local identification and authentication methods rather than centrally supported methods.

  • User Accounts. Systems should use personal Accounts to identify their users. This will be less confusing for users, and will ease future transition to centrally supported authentication.

  • No Clear-Text (unencrypted) Passwords. Systems may not transmit reusable passwords across the network unencrypted. Such passwords are vulnerable to capture and abuse.

  • Support Password Quality. Systems should check proposed passwords and reject those that are likely to be easily guessable.
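A password-quality check of the kind the last item calls for, as an added example rather than the College's own standard: it rejects proposed passwords that are short, appear on a common-password list, embed the user's account name or College ID number, or consist of obvious repeated or sequential runs. The denylist and the 12-character minimum are constructed assumptions; the IT Security Standard: Authentication referenced above governs the real requirements.

```python
import re

# Constructed denylist: a real deployment would load a full list of known
# breached or common passwords; these entries are illustrative only.
COMMON_PASSWORDS = {"password", "123456", "qwerty", "letmein", "bowdoin"}

MIN_LENGTH = 12  # assumed threshold, not taken from the policy

def password_problems(candidate: str, account: str, college_id: str) -> list:
    """Return the reasons a proposed password is easily guessable (empty = acceptable)."""
    problems = []
    lowered = candidate.lower()
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if lowered in COMMON_PASSWORDS:
        problems.append("appears on the common-password list")
    # Identifiers the policy assigns to every user are public, so they must
    # never double as the secret or part of it.
    if account and account.lower() in lowered:
        problems.append("contains the account name")
    if college_id and college_id in candidate:
        problems.append("contains the College ID number")
    # Runs of one repeated character or of consecutive digits are trivially guessed.
    if re.search(r"(.)\1{3,}", candidate):
        problems.append("contains a run of four or more repeated characters")
    if re.search(r"0123|1234|2345|3456|4567|5678|6789", candidate):
        problems.append("contains a sequential digit run")
    return problems

def acceptable(candidate: str, account: str, college_id: str) -> bool:
    """True when the proposed password passes every check above."""
    return not password_problems(candidate, account, college_id)
```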


Implementation

Effective Date

April 8, 2019

Review Frequency

Annual

Responsible Officer

Chief Information Officer