Project complete: Closing gaps in identity proofing
A patchwork of uncoordinated policies and procedures guided the university in verifying an individual’s identity, the key to accessing university resources. The resulting gaps in security, compliance, documentation, and responsibility could leave the university vulnerable to cyberattacks, fraud, or legal sanctions.
The Identity Assurance initiative assessed the current state, addressed immediate vulnerabilities, and made the following recommendations for implementing National Institute of Standards and Technology (NIST) Identity Assurance Levels (IALs) across the university.
- Future efforts should focus on creating a shared identity assurance framework that maps to NIST standards.
- Required levels of identity assurance should be determined by the type of access an individual has to sensitive data, systems, or physical locations. The amount of possible risk associated with accessing sensitive data, systems, or physical locations should also determine the amount of effort necessary for validating identity at higher IALs.
- Introduce technology and services to support verifying identity at higher IALs, including external proofing services and biometric technology, when necessary.
U-M is among the first higher education institutions to conduct a universitywide analysis of current identity proofing practices and identity assurance levels.
Accomplishments
- Gained understanding of current methods, technologies, policies, and identity proofing processes at all U-M campuses, including Michigan Medicine, by interviewing groups responsible for onboarding individuals.
- Focused information gathering efforts on the following common areas:
  - Sponsored account creation
  - Employee hiring
  - ID card issuance
  - Uniqname password resets
  - Student matriculation
- Implemented enhanced security measures by requiring a uniqname and UMICH password to view the Mcard Request Form online.
- Recommended policy, technology, and business process changes based on project analyses and understanding of shortcomings.
The project was completed in March 2018. See News and Updates for details on the project’s accomplishments. If you are interested in learning more about identity assurance, please contact the EIAM program team.