The purpose of this policy is to establish minimum standards for authentication and authentication management for Georgetown University network systems. This policy is designed to ensure that technology system administrators manage authentication in a consistent manner, to safeguard NetID-based access to information assets in accordance with data protection best practices and industry standards, and to ensure that accountholders who have access to University technology systems authenticate in accordance with data protection best practices and industry standards.
Two-factor authentication is recognized as an industry best practice in preventing unauthorized access to an institution’s enterprise accounts, financial, operational, and academic systems.
This policy applies to all authentication administered throughout the GU network, whether centrally managed by UIS, managed by a designated technology service provider, or departmentally managed. This policy applies to all individuals and entities who are authorized to access the GU network’s information systems and data.
3. Policy Statement
The University has implemented two-factor authentication for all NetID-enabled access to technology resources that store, process, transact or transmit any data classified as Personally Identifiable Information, financial information, protected health information, and data critical to the operation of the University (including but not limited to research, electronic mail, library and archives, and other University business systems). Further, any accountholder that is designated a system administrator, has elevated privileges to University technology, or otherwise meets the criteria of high risk as assigned by the office of the CIO shall also be required to enroll in two-factor authentication and may not be eligible for exemption from this policy.
Georgetown University NetID accountholders that wish to apply for exemption from the multi-factor authentication policy have to provide justification to the office of the Chief Information Officer. Not all requests will be granted unless there is an individual need that supersedes the needs of the protection of the University data and its technology systems.
In accordance with the policy statement, any technology system connected to the University network must apply the appropriate authentication and access controls to prevent unauthorized access to University administrative, operations and academic systems and data.
Those accountholders, system owners and administrators that are noncompliant with this policy are subject to being prevented from connecting to systems that require two-factor authentication, thereby potentially impacting their ability to perform work functions and access their own employee-related records.
Drafted 1/2018; Revised 6/2018
Approved by the Chief Information Officer, Judd Nicholson
Reviewable annually