These standards for compliance are for the Access Control Services Policy.

Standards

1. Policy provision (1) requires that electronic services secured by access controls be configured to use institutionally managed access control services as suitable services become available. Current institutional managed access control services include:

   1. NetID Login Service.

      To begin using this service, please see the NetID Login Service description (https://it.wisc.edu/services/netid-login-service/), or search the DoIT Help Desk Knowledge Base (http://kb.wisc.edu/search.php?q=netid+login+service.)

   2. Campus Active Directory.

      To begin using this service, please see the Campus Active Directory description (https://it.wisc.edu/services/campus-active-directory/), or search the DoIT Help Desk Knowledge Base (http://kb.wisc.edu/search.php?q=active+directory+service.)

   Special Cases:

   If the NetID Login Service cannot meet the needs of an application or system, and it is still desired that the application or system authenticate using NetID, special NetID authentication arrangements can be made under the following conditions:

   1. A UW-Madison unit must request that an application or system be authorized to use NetID by submitting the “Identity Data Integration Request” form at http://it.wisc.edu/services/iam.

   2. For an application or system to handle NetID and password, the following steps need to be taken:

      1. Appropriate security controls must be in place to protect NetID and password, for example, encryption of the password.

      2. There must be an initial and periodic audit to assure that the appropriate security controls are adequately implemented and operational.

      3. Staff who develop or manage the authenticating application or system must be trained to use and maintain NetID authentication in a secure manner.

   3. Specific applications, systems or agreed upon deployment limits must be identified that can meet the requirements above.

   Exceptions:

   UW-Madison applications and systems are exempt if migration to the available institutionally managed access control services is currently impractical for technical or operational reasons.

   1. Example technical reason: the available institutionally managed access control services do not support an access control method compatible with the system or application.

   2. Example operational reason: the migration of several different systems or applications must be coordinated because they share a locally managed credential.

   The number of applications and systems that qualify for an exemption will become smaller as the capabilities of the institutionally managed access control services are expanded to support a wider range of applications and systems.

2. Policy provision (2) requires that electronic services secured by access controls be configured to comply with the appropriate use standards for the institutionally managed credentials. Current appropriate use standards include:

   1. NetID Appropriate Use Standards (https://kb.wisc.edu/itpolicy/cio-netid-appropriate-use-standards).

   2. University Directory Service (UDS) Responsible Use Policy (https://policy.wisc.edu/library/UW-517).

   Additional appropriate use standards may be adopted as institutionally managed credentials are added.

Contact

Please address questions or comments to itpolicy@cio.wisc.edu.