UIS.302 Identity Verification Policy
300. Identity and Access Management
Purpose
Georgetown University has adopted the Identification and Authentication principles established in 800-171 “Identification and Authentication” and 800-63 “Digital Identity Guidelines” controls guidelines as the basis for governance in this security domain. Each system administrator, system owner, authorized designee, and program administrator where identity verification is applicable must adhere to the guidelines and procedures associated with this policy in order to support and be compliant with the University information security framework.
Identity Verification Requirements
This policy provides requirements for the identity proofing of individuals who request, or are required, to gain access to protected University resources. The requirements outline the collection, storage, and destruction of identity evidence that will be presented by an individual upon request by system support representatives, hiring managers, or other University stakeholders with reasonable responsibility for proving identities.
- Any individual with NetID credentials used to access University technology resources must be enrolled in the University password management system (Password Management System) and the University’s two-factor authentication system (Duo). (These systems are used for the self-service process of claiming and resetting NetID passwords.)
- NetID account holders requesting assistance from University help desk agents in either acquiring or resetting their NetID passwords will need to coordinate a session for live visual verification of the requestor’s identity prior to providing any credentials.
- Any evidence collected for the purposes of identity proofing must be limited to the minimum documentation necessary to validate the account holder’s identity.
- The procedures used to verify account holders’ identities must include confirmation of identity through visual examination by UIS staff or an authorized designee.
- Agents at the “walk-up” help desk must check acceptable forms of ID proof and the user’s unobscured face prior to assisting with credentials.
- Help Desk phone agents must check an acceptable form of ID proof on a GU Zoom session where the caller’s unobscured face is fully visible to the agent.
- No NetID account credentials will be provided for individuals whose identity cannot be verified in accordance with these guidelines. If circumstances exist where visual verification is not possible for the account holder, the account credentials may be provided only after University Information Security Office authorization.
- In the case of minors: If the NetID account holder is a minor without a Government-issued ID, the minor’s parent or authorized guardian must coordinate a session for live visual verification via the aforementioned procedures.
- Personally identifiable information (PII) collected by the University may be used, at the discretion of the University, as the basis for identity verification.
- All identity verification data, including PII, must be managed, protected, stored, or shared in accordance with Data Classification Guidelines and Data Handling Guidelines to ensure confidentiality, integrity, availability, and attribution of the information source.
- PII is classified as high-risk data, and thus must be maintained, purged, or destroyed, following the Data Handling Guidelines and Data Destruction Guidelines for its protection from unauthorized access for the duration of retention or when PII is no longer in use for University business.
- Only a portion of the Social Security Number (SSN) may be collected as evidence for identity verification; using, collecting, and retaining the SSN is governed by the University SSN Policy.
All UIS staff and authorized designees charged with credentials management and/or identity verification are required to comply with these guidelines and document the completion of the visual verification and types of identity evidence presented in the verification process.
ID PROOFING DOCUMENTS
The Identity and Access Management team has determined which types of proofing documents are sufficient for verifying an individual’s identity. Primarily, the following non-altered government-issued evidence is accepted. The individual must have one of either (a) or (b):
a. Original Government-issued picture identification (Driver's license or State ID Card)
b. Original Government-issued passport