University of Victoria

Identity Management Project

Draft Identity Management Policy

  1. Policy Purpose

    The purpose of this policy is to promote integration of the University's IT resources, and to ensure secure, auditable and efficient use of Identity Information through the use of a central Identity Management System.

  2. Definitions

    Administrative Authorities - Individuals with administrative responsibility for Units (e.g. Vice-presidents, executive directors, deans, chairs, directors and other Unit heads) and individuals with functional ownership of University Resources.

    Identity Management System - A central system for managing Identity Information.

    Identity Management Administrator - The person or group responsible for establishing, maintaining and implementing guidelines in support of the Identity Management Standards, and for day-to-day operations of the Identity Management System.

    Identity Management Committee - The committee responsible for establishing and maintaining Identity Management Standards in support of the Identity Management Policy.

    Identity Information - Recorded information of a common interest, pertaining to the identity and characteristics of an identifiable entity, including but not limited to people, groups, buildings and IT resources.

    Independent Information System - An electronic system, other than the Identity Management System, that stores or processes Identity Information.

    Unit - An identifiable group of Users including but not limited to Faculties, Departments, Divisions and Centers.

    University Resources - Assets and infrastructure owned by, explicitly controlled by, or in the custody of the University including but not limited to data, electronic services, and information systems.

    User - A user of University Resources.

  3. Policy Statement

    To further the University's purposes, Administrative Authorities, Units and Users shall manage Identity Information in accordance with University policies, standards, and guidelines to ensure:

    • Identity Information is managed in a manner consistent with the provisions of the Freedom of Information and Protection of Privacy Act, the University Act, and other applicable legislation,
    • Secure and auditable access to Identity Information, and
    • Efficient maintenance and use of Identity Information.

  4. Implementation of Policy

    • The central Identity Management System is the authoritative source for Identity Information.
    • Identity Information must not be managed independently of the Identity Management System. That is, if a given piece of Identity Information is updated in an Independent Information System, the corresponding entry in the Identity Management System must also be updated, and vice versa. Independent maintenance of Identity Information is permitted only with the express written permission of the Identity Management Committee.
    • The Identity Management Committee, which reports to the Chief Information Officer (CIO), must maintain and publish within the Identity Management Standards:
      • the types of Identity Information managed by the Identity Management System, and hence subject to this policy;
      • the acceptable uses (including access, further re-use, and local storage) for each type of Identity Information, in accordance with the provisions of the Freedom of Information and Protection of Privacy Act, the University Act, and other applicable legislation.
    • The Identity Management Administrator will authorize access to Identity Information on a functional (e.g. need to know) basis, in accordance with University policies, standards and guidelines. Authorizations must be recorded for auditing purposes.
    • Authorization to access Identity Information must be obtained from the Identity Management Administrator for each Independent Information System. That is, users or administrators of a given Independent Information System may not grant access to Identity Information to users or administrators of another Independent Information System without authorization from the Identity Management Administrator.

  5. Authority

    Responsibility is delegated by the Board of Governors to the Vice-Presidents, subject to regular due diligence reporting to the Board on statutory requirements and on areas of significant risk.

  6. Related Policies and Documents

    • # ???? Information Technology Security Policy
    • # 6030 Responsible Use of Information Technology
    • Individual unit operating procedures

gsagert@UVic.ca

Created: June 1, 2004 Last Modified: May 16, 2005