University of Florida Identity Management (IdM) Background
It is important to have a reliable method of identifying members of the UF community. UF needs many types of information concerning the members of our community. Grades, certifications, and employment data are all examples of data stored and attributable to an individual. The UFID is the identifier used for our community members. Designated members of the community are granted rights to access specific UF information and assets. The university is concerned about the proper identification of those who access its information assets. To manage increasing risks, the institution must have strong processes in place to properly identify members of the community and users of its systems.
Such an environment requires that three things be in place for adequate protection and trust:
- Identification: making sure that electronic credentials for access to a system are granted only to the right person (UFID: a unique 8-character number assigned to an individual)
- Authentication: checking the validity of these credentials at the time of access (GatorLink ID and Password)
- Authorization: determining that the person so identified has been granted the authority to perform the requested actions (security roles).
These are the three components of Identity Access Management (IAM). The associated policy addresses item number one (1): Identity, or Identity Management (IdM).
IdM is an issue that involves much more than the IT organization, since many others in the institution are involved, for example, in admitting and graduating students, hiring and terminating staff, and managing all of their roles and privileges. Effective IdM requires an integrated system of business processes, policies, and technologies enabling UF to facilitate and control the community’s access to applications, facility resources, and other services while protecting confidential personal and business information from unauthorized use.
The ITAC-DI committee provides general oversight, and the UF IdM Administration team is responsible for day-to-day operation and management of IdM systems. Distributed authority and stewardship of the information is required for the IdM solution to be effective. Policies are instituted to assure that all areas involved are clear in their role and responsibility. Awareness is critical. To maintain trust in the system and, indeed, the campus itself, key departments, such as the registrar, human resources, and finance, must acknowledge the importance of IdM.
Several roles have been identified in the IdM processes at UF. They include:
- University IdM Administrator - Extremely limited number of individuals afforded maximum information access and data management capabilities in the Identity management system.
- IdM Manager - Limited numbers of individuals serving in UF’s core (authoritative) offices who have enhanced capabilities for managing Identity Management data.
- Senior Unit Administrator - Dean, Director, Chairperson, or equivalent individual who authorizes individuals to serve as their unit’s IdM Coordinators.
- Primary IdM Coordinator - Individual listed as the primary contact to coordinate activity within a unit. They help maintain data regarding Identity with or on behalf of people within a defined scope of authority. This is normally at the UF department or college level.
- IdM Coordinator - Additional individuals who help maintain Identity data with or on behalf of people within a defined scope of authority. Some units or departments may not require additional coordinators.
- Identity Owner - individuals associated with the University who have UFID numbers. Each person has a responsibility to provide accurate and complete information to the university to assist the Identity management process.
IdM policy should be considered in the context of other policy issues and must address privacy and institutional data security. The policy, guidelines and procedure will clarify roles, responsibilities, and accountability of all those involved. The policy will document IdM data content requirements. Compliance is an important factor. Institutions are increasingly being held accountable for protecting Personal Identification Information (PII).
IdM is concerned with making sure the individuals assigned a credential are known by the institution. The identity data provides content and a level of assuredness for the individual assigned the UFID and subsequent access credentials. The identity data is a statement of “How well we know the individual and how much we will entrust to the individual.” An applicant for admission to UF is self-identified and therefore not well known. This is Level of Assurance = 1. A faculty member who is in your department is well known to the IdM coordinator and, with complete and accurate data in the IdM database, will be given a Level of Assurance = 2. We may categorize these as weak (LOA1) and strong (LOA2) identity levels of assurance, respectively.
Individuals working in the Identity Management service roles must be carefully considered and trained in Privacy Policy restricted data handling. The Identity system, procedures, and staff who conduct them contribute directly to the experience UF constituents encounter with UF services each day. Great care and responsibility should be taken when working with Identity Management.
The University of Florida is dedicated to preventing unauthorized information access, maintaining information accuracy, and ensuring the appropriate use of information. We strive to put in place appropriate physical, electronic, and managerial safeguards to secure the information we collect in all formats: on paper, electronically, and verbally. These security practices are consistent with the policies of the university and with the laws and regulatory practices of the State of Florida and multiple federal agencies.
The UF worker with responsibilities in the Identity Management area must be dedicated to preserving personal privacy while confirming accurate and complete identity information for UF to rely upon when interacting with the individual. Individuals have no legal requirement to provide any information to us. However, many UF services and products will not be available to individuals without adequate identity credentials.
