Two Factor Authentication to Georgetown Systems

1. Purpose

The purpose of this policy is to establish minimum standards for authentication and authentication management for Georgetown University network systems. This policy is designed to ensure that the technology system administrators manage authentication in a consistent manner and to safeguard NetID-based access to information assets in accordance with data protection best practices and industry standards.

Two-factor authentication is recognized as an industry best practice for preventing unauthorized access to an institution’s enterprise accounts and its financial, operational, and academic systems.

2. Scope

This policy applies to all authentication administered throughout the GU network, whether centrally managed by UIS, managed by a designated technology service provider, or departmentally managed. This policy applies to all individuals and entities who are authorized to access the GU network’s information systems and data.

3. Policy Statement

The University has implemented multi-factor authentication for all administrative and functional access to technology resources that store, process, transact or transmit any data classified as Personally Identifiable Information, University financial information, and protected health information. Further, any accountholder who is designated a system administrator, has elevated privileges to University technology, or otherwise meets the criteria of high risk as assigned by the office of the CIO shall also be required to enroll in two-factor authentication.

4. Exemption

Georgetown University NetID accountholders who wish to be exempted from the multi-factor authentication policy must provide justification to the office of the Chief Information Officer. Requests will not be granted unless there is an individual need that supersedes the need to protect University data and its technology systems.

https://uis.georgetown.edu/accounts/netid-password-security/duo

5. Noncompliance

In accordance with the policy statement, any technology system connected to the University network must apply the appropriate authentication and access controls to prevent unauthorized access to University administrative, operations and academic systems and data.

Accountholders, system owners and administrators who are noncompliant with this policy are subject to being prevented from connecting to systems that require two-factor authentication, thereby potentially impacting their ability to perform work functions and access their own employee-related records.

Related Documents

Computer Systems Acceptable Use Policy

Information Security Policy

Procedures for TSPs/SNAs

Approved 2/2/2018 by the Chief Information Officer, Judd Nicholson

Reviewable annually