1304 Computer Accounts and Authentication

SECTION 1. PURPOSE & SCOPE

1.1. PURPOSE: This administrative policy is intended to protect institutional data, ensure appropriate user access, reduce risk of unauthorized user access, and comply with applicable federal, state, and accreditation requirements. The purpose of this administrative policy is to establish the requirements and expectations for provisioning, deprovisioning, and disposal of accounts and their access to Fairmont State University’s Information Technology (IT) resources, and to strengthen the security of Fairmont State University’s information systems by mandating the use of Multi-Factor Authentication (MFA) for accessing sensitive systems and data. MFA significantly mitigates the risk of unauthorized access resulting from compromised credentials.

1.2. SCOPE: This administrative policy applies to all individuals affiliated with Fairmont State University who access University systems and resources, whether on-premises or remotely. MFA must be employed when accessing sensitive information, including personally identifiable information (PII), financial data, and academic records.

SECTION 2. APPROVAL, DELEGATION & APPLICABILITY

2.1. AUTHORITY: The Chief Information Officer (CIO) has the authority to implement this administrative policy.

2.2. DELEGATION: Authority may be delegated by the CIO to specific units or individuals as necessary to implement the provisions of this administrative policy, subject to the limits set by the administrative policy.

2.3. APPLICABILITY: This administrative policy applies to all affiliated individuals of Fairmont State University, including students, faculty, staff, contractors, visitors, third-party users, and volunteers who are granted access to University IT resources.

SECTION 3. DEFINITIONS

3.1. ACCESS POINT (AP): A device allowing wireless communication over a network.

3.2. AFFILIATION: The status of being associated with Fairmont State University, determining the level of access to IT resources.

3.3. DEPROVISIONING: Removing access to computer resources.

3.4. DISPOSAL: Permanent removal of access to computer resources and destruction of data.

3.5. EMAIL: Electronic mail sent over a network.

3.6. FILESHARES: Networked file systems with varying access privileges.

3.7. MULTIFACTOR AUTHENTICATION (MFA): A security process that requires users to provide multiple forms of identification to access systems.

3.8. PROVISIONING: Providing access to computer resources.

3.9. PRINCIPLE OF LEAST PRIVILEGE (PoLP): The concept of granting the minimum necessary access to resources for performing job duties.

3.10. SENSITIVE DATA: Confidential or proprietary information not routinely published for public access or where disclosure is prohibited by laws, regulations, agreements, or policies.

3.11. SINGLE SIGN-ON (SSO): A system that allows users to access multiple applications with one login.

3.12. SYSTEM OWNER: The administrator of a computer resource.

3.13. UNIFIED COMPUTER ACCOUNT (UCA): A digital identity used for access to computing resources within the University domain.

3.14. VIRTUAL PRIVATE NETWORK (VPN): A secure communication channel over a public network.

SECTION 4. POLICY

4.1. POLICY: It is the policy of Fairmont State University to ensure the security, integrity, and proper management of its IT resources. MFA is required for all user accounts accessing University systems, both on-premises and remotely. All account lifecycle activities must be conducted in accordance with this administrative policy to protect institutional data, maintain compliance, and support operational efficiency.

4.2. PROVISIONING: IT Services shall automatically provide access to resources such as email, fileshares, OneDrive, and other services based on the individual's affiliation and role within the University.

4.3. DEPROVISIONING: Access and entitlements associated with an individual’s account shall be revoked immediately upon termination, withdrawal, or any significant change in affiliation. Accounts may be deactivated for inactivity or violations of acceptable use.

4.4. DATA RETENTION & DISPOSAL: Upon deactivation or removal of access, all data associated with the account will be retained for a minimum period, subject to the University’s data retention and disposal policies.

4.5. REVOCATION AND ARCHIVAL TIMELINES: Upon changes to affiliation or account status, deactivation and archival of accounts and disposition of data will occur according to the specified timelines:

4.5.1. Students: Accounts will be deactivated no sooner than 180 days after departure and not archived.

4.5.2. Faculty and Staff:

4.5.2.1. Faculty and Staff members granted emeritus status will retain access to their email and other applications, as appropriate, in accordance with Board of Governors policy.

4.5.2.2. Computer accounts of employees who voluntarily resign, retire without emeritus status, or whose appointments otherwise end, and are in good standing, will be disabled, but not deleted, upon separation. Email will be forwarded to a designee or the employee's immediate supervisor. Email inbox and OneDrive files will be retained for 90 days after the separation date and can be requested by contacting IT.

4.5.2.3. Computer accounts of employees who are separated and are not in good standing will be immediately disabled and archived upon notification of termination.

4.5.3. Accounts for affiliated individuals (e.g., contractors and volunteers) will be deactivated and archived immediately upon the end of their temporary status.

SECTION 5. COMPLIANCE

5.1. COMPLIANCE: This administrative policy adheres to all applicable federal, state, and local laws regarding data security, privacy, and account management, including FERPA, HIPAA, and University-specific policies.

5.2. NONCOMPLIANCE: Failure to comply with this administrative policy may result in suspension or termination of IT access, disciplinary action, and potential legal consequences depending on the severity of the infraction.

SECTION 6. REVISION HISTORY

6.1. FREQUENCY OF REVIEW: This administrative policy will be reviewed by the CIO at least annually to ensure it remains relevant and aligned with current legal and regulatory standards.

6.2. APPROVED