University Policy 121

Student WCUid Account Lifecycle Policy

Initially Approved: December 14, 2015
Policy Topic: Information Security
Administering Office: Office of CIO

I. POLICY STATEMENT

Security and licensing cost are two major concerns related to creation and deletion of WCUid accounts for students. It is important to define the lifecycle of these accounts and to establish guidelines for all areas of the university that depend on these accounts.

The purpose of this policy is to define the stages and timing of the student WCUid account lifecycle.


II. SCOPE AND APPLICATION OF THE POLICY

  1. This policy applies to all University departments that depend on student use of their WCUid accounts;
  2. This policy applies to all information technology applications that authenticate with the student WCUid account.
  3. In addition to their student WCUid, students that are also employees may have a staff WCUid which is governed by University Policy 95.

III. POLICY DEFINITIONS

For the purpose of this policy the following definitions apply:

  1. “Identity” shall mean an account assigned to an individual that provides for authentication and authorization of access roles and privileges within systems.
  2. “WCUid account” shall mean an account created in WCU’s corporate Active Directory as an individual’s identity for most WCU owned or licensed systems. WCUid accounts are accounts with @wcu.edu or @catamount.wcu.edu domain names.
  3. “Applicant” shall mean an individual who has submitted an application to the university that has been processed in the Enterprise Resource Planning (ERP) system.
  4. “Active Student” shall mean a person either (1) enrolled or eligible to enroll in classes (within stop-out period) or (2) that graduated from the university within three major terms
  5. “Former Student” shall mean a person that took classes from the university. This term includes alumni, either degreed or non-degreed.
  6. “Alumni degreed” shall mean a person that was awarded a degree by the university.
  7. “Alumni non-degreed” shall mean a person who graduated from a non-degree program (e.g. certificate), or who took at least 3 credits from the university AND made a donation.
  8. “Stop-Out Period” shall mean the break or pause in enrollment during the student's degree seeking period that lasts for one or more course enrollment periods. During the stop out period the student may resume enrollment in classes without requiring any form of readmission by the university. WCU’s stop-out period is three major terms (Fall, Spring, and Summer).

IV. STUDENT WCUid ACCOUNT LIFECYCLE STAGE S

  1. Applicant – The Applicant has applied to the university and their application has been processed in the ERP system. The applicant will receive notification that they can claim their WCUid account. The account will not be automatically created prior to being claimed and will not be assigned a default password. The account will be part of the “Applicant Group.”
  2. Active Student – When a person is considered an active student, the WCUid account will be added to the “Active Student Group.”
  3. Former Student – The WCUid account will remain in the “Active Student Group” until the conclusion of the WCU stop-out period. At which time it will be terminated and removed from the “Active Student Group.”

V. NON-WCUid IDENTITIES

There may be systems used by WCU that authenticate with an identity other than the WCUid. This, for example, may allow alumni to access certain systems operated or licensed by WCU with a personal identity or another WCU-affiliated identity that is not a WCUid.


VI. RESPONSIBILITIES

  1. It shall be the responsibility of the IT Division to maintain and operate the systems that automate the creation and deletion of student WCUid accounts and to grant and remove access to the major IT services according to the guidelines of this policy.
  2. It shall be the responsibility of each relevant unit (e.g. Undergraduate and Graduate Admissions, Registrar) to appropriately code in the ERP system and other administrative systems applicant and student records so that the automated identity management processes will take the actions appropriate at each stage of the student lifecycle.

VII. POLICY REVIEW

Data Security and Stewardship Committee – The charge of this committee is to oversee the implementation of this policy, ensure procedures are up to date, coordinate all relevant security policy reviews, and assist offices with risk assessments, etc.

VIII. RELATED POLICIES AND REFERENCES

International Standards Organization (ISO/IEC 27002, 9.2 User access management)

University Policy 95 Data Network Security and Access Control

Office of Web Services