Credential Management Rule

Responsible office: Information Technology
Enforcement official: Security and Privacy Officer

Statement of Rule:

University employees with privileged access to systems and applications must use the University’s approved credential management solution for storing, retrieving, and managing privileged account credentials.

1. Purpose

1.1. The purpose of this rule is to ensure the secure and centralized management of privileged account credentials within the organization. By enforcing the use of the approved credential management solution, the risk of credential theft, misuse, or unauthorized access is minimized, thereby enhancing the overall security posture of the organization's IT systems and sensitive data.

2. Stakeholders Most Impacted by the Rule

2.1. University employees with privileged access to systems and applications

3. Full Rule Details

3.1. All university employees with privileged access to systems and applications shall use the approved credential management solution for storing, retrieving, and managing their privileged credentials.

3.2. Credentials shall never be shared or stored outside the designated solution, such as in emails, documents, spreadsheets, physical media, or other insecure locations.

3.3. University employees are strictly prohibited from using personal or unauthorized credential management tools or solutions to store University credentials.

3.4. Access to the credential management solution shall be granted based on the principle of least privilege, and access rights shall be reviewed quarterly.

3.5. Any suspected or actual incidents of credential compromise or misuse shall be reported immediately to the Security and Privacy team.

4. Accountability

4.1. Failure to follow this Policy and any associated procedures may subject WMU students to disciplinary action, up to and including dismissal from the University, consistent with applicable conduct procedures under the Student Code; and subject WMU employees to disciplinary action, up to and including dismissal from employment by the University, consistent with applicable procedures and Collective Bargaining Agreements.

4.2. The Information Security team shall conduct regular audits and monitoring to ensure compliance with this policy.

4.3. Violations of this policy shall be documented and reported to the appropriate IT Managers and Supervisors for corrective action.

History

Effective date of current version: May 20, 2024
Date first adopted: May 20, 2024
Proposed date of next review: May 20, 2026