Approved by: Chief Information Security Officer
Date Approved: Dec 7, 2017
Responsible Party: Identity and Access Management
I. Policy Statement
The university seeks to effectively and efficiently provide for identity and account management of Temporary and Non-CWRU Employees. Employees are managed through the CWRU Human Capital Management (HCM) system, and temporary and non-CWRU employees (e.g. researcher collaborators) are not managed through CWRU payroll and are not in HCM.
II. Purpose of this Policy
CWRU has historically used an Affiliate account process to provide infrastructure accounts for Temporary and Non-CWRU Employees to permit them authorized access to IT systems where they may provide necessary support for university functions. The Affiliate process has not been centrally managed, creating the opportunity for significant data integrity problems relating to user data, identity information, and privacy standards. This policy sets forth the standards and requirements for centrally managed accounts for Temporary and Non-CWRU Employees, referred to as Affiliate Role Holders.
Employee- a person engaged to work who is paid by the university, and thus has an account in the HCM system, and is privileged in the Identity Management System as either Staff or Faculty.
Temporary Employee- a person engaged to work for CWRU through a temporary staffing agency that requires IT systems access, and is privileged in the Identity Management System as an Affiliate Role Holder, but not paid directly by the university.
Non-CWRU Employee- a person engaged to work for an organization associated with the university, but is not paid by the university that requires IT systems access. Examples include contractors and research collaborators. This person is privileged in the Identity Management System as an Affiliate Role Holder.
Affiliate- a role for a user that is not formally affiliated as a member of the university community, but they are linked to the university in some way and have a CWRU sponsor; examples: contractors, temps, volunteers, parents, external auditors, users from other universities, visiting committee members.
Sponsor-a full-time Employee (as defined above) who can request assignment of an affiliate role for Temporary and Non-CWRU Employee users.
Approver- a University Vice President or Dean, who is also a full-time university employee, or their designee, who is authorized by policy to approve assignment of an affiliate role for Temporary and Non-CWRU Employee users.
IV. The Policy
- Account Integrity
- Affiliate roles shall be managed using the CWRU Identity and Access Management Systems.
- All affiliate roles must be sponsored by an approved School or Department authority. The authority to sponsor roles for Temporary or non-CWRU Employees is assigned to Deans of Schools, Vice Presidents, or their designees who are full-time employees; this is the Sponsor.
- The Information Security Office shall review the list of affiliate role sponsors, for appropriateness and functional responsibility, at least annually.
- All affiliate roles must be assigned to a real person, with an identity that can be verified through applicable documentation or credentials.
- Affiliate roles must include correct and verified personal information.
- Temporary employees often become regular employees, and accurate initial information is vital to preventing account duplication when the Affiliate Role is integrated into the HCM system.
- The authority to sponsor accounts for Temporary or non-CWRU Employees is assigned to Deans of Schools, Vice Presidents, or their designees who are full-time employees.
- A single approved sponsor may sponsor multiple Affiliates.
- When a sponsor leaves CWRU, the Affiliate roles sponsored by that person must be transferred to another sponsor assigned by the School or Department within 30 days.
- Affiliate roles shall be sponsored for the minimum essential timeframe (e.g for the term of the contract, for a contractor), but shall have a maximum lifetime of 1 calendar year. The sponsor must re-sponsor Affiliates periodically.
- The Identity and Access Management system must provide sponsors with a report of the Affiliate Account Holders they have sponsored.
- Request Process
- CWRU UTech will establish a request process that permits timely, authorized affiliate role assignment and service provisioning.
- Access Authorization
- Once an affiliate role is established, an application/service owner will be responsible for provisioning users for authorized access to their application, information, or systems.
- An application/service owner may require more detailed identity information for Affiliate role Holders before access is granted.
- The sponsor must request a suspension of an Affiliate role within one working day of the termination of the relationship between the Affiliate and CWRU.
- Once a role is revoked or suspended, an application/service owner will be responsible for de-provisioning users for authorized access to their application, information, or systems.
- Account Creation for Temporary Employees or Affiliates
- The relevant Sponsor will forward the required identifying information for the temporary employee or affiliate to their Business Unit Approver.
- The Temporary Employee or affiliate will be briefed by the sponsor or designee on all relevant account use protocols and account security policies and that required security training has been completed.
- After the Sponsor & Business Unit Approver have approved the account, and the affiliate account user has agreed to abide by the acceptable use policy, the affiliate may activate their account.