IT-Standard 06


Approved Date: 08/26/2025

 

Description

 

The university’s responsibility to ensure the security and accuracy of an individual’s identity is critical in protecting the university’s systems and information. This process, known as Identity Assurance, establishes and validates the identity of an individual to an appropriate level of confidence, ensuring that access to sensitive information, systems, and physical spaces is granted only to authorized users. As a hub for academic research, protected health information (PHI), personally identifiable information (PII), sensitive personal data, and unique campus operations, universities require a robust identity assurance framework to safeguard institutional resources, comply with applicable regulatory requirements, and foster trust among students, faculty, staff, and partners.

 

This Standard establishes the Identity Assurance Standard for the University of Iowa, providing a structured approach so that the University may accomplish identity verification and authentication across university systems. It outlines the principles and methodologies required to maintain a secure and user-friendly enterprise environment. By adopting this Standard, the university seeks to protect against identity-related risks, enhance operational efficiency, and ensure that all users, whether performing activities on-campus or remotely, have secure access tailored to their roles and needs as appropriately designated by their respective campus leaders.

Definitions

 

Identity Proofing is a process used to verify that an individual person is who they claim to be. The process involves collecting, validating, and verifying information about an individual person to establish their claimed identity to a certain level of assurance.

 

Identity Verification is the ongoing process by which the institution confirms that someone accessing a system or service is the same individual person whose identity was previously verified through identity proofing. While identity proofing initially establishes an individual person’s identity, the verification process continually confirms that identity during subsequent and ongoing interactions.

Identity Assurance Level refers to the degree of confidence the institution possesses that an individual person’s identity accurately corresponds to the individual using the issued credential.

Multi-Factor Authentication specific to university operations entails the use of more than one factor (such as something an individual person knows, something they have, something they are, or their geographical location) to enhance security.

Credential is an object or data structure that binds an individual person’s identity to a means of authentication, like a username/password, or a token like a Duo factor.

 

Requirements

 

Part 1: Identity Assurance Levels

In order to better define the scale of assurance required for varying levels of institutional sensitivity, the university establishes a 3-tier approach modeled after but not identical to the identity assurance levels outlined in NIST SP 800-63A.

Identities recorded by the university are designated based on the level of assurance required, which depends both on the sensitivity of the information that the identity will be able to access and on the risk of potential harm caused by a false claim to that identity. Whereas a campus guest identity may be designated IAL0, a healthcare provider’s identity may be designated IAL2 depending on regulatory need or operational preferences. An IAL designation is unique to the identity itself – there is no commonly applicable clear-cut rule for designating an IAL for all guest accounts, for example, as the level of identity assurance necessarily depends on the specific role and level of access needed.

 

Level | Assurance | Verification | Example Identities

IAL1 | Low | Self-asserted
  • Campus guests
  • Student applicants
  • Employee candidates
  • Some vendors & contractors

IAL1+ | Moderate | Identity is checked against government documents
  • Enrolled students
  • University employees
  • Anyone who requests and is granted confidential access

IAL2 | High | Identity is checked against government documents; documents are checked against government sources
  • As required by applicable regulation (e.g., EPCS)
  • Designated institutional positions and personnel (by HR)

Note: IAL1 and IAL2 align to the NIST SP 800-63A identity assurance levels; IAL1+ is an intermediate level that is organizationally defined here at Iowa.

 

Part 2: Identity Onboarding & Escalation

 

When an identity is first established for an individual person, the individual person is said to be onboarded to the identity. This process is normally performed during student admissions, upon employee onboarding, or following a contract agreement in which the university forms a business relationship. Due to this lifecycle, most identities are initially established by HR (employees) or the Provost (students) at IAL1. During the onboarding process, the individual may be verified to IAL1+ or IAL2, which may be reflected in IAM systems. Individuals may also need to elevate their IAL in the course of their employment based on business needs.

 

Part 3: Identity Verification & Proofing

 

If IAL1+ is required, an identity must then be verified with more substantiation than self-assertion. IAL1+ verification occurs when the university compares the self-asserted identity to official documents to ensure the individual person is who they claim to be.

 

  • For students, identity verification normally occurs during registration; for some remote students, verification may require a third-party service.
  • For employees, identity verification normally occurs on the first day of employment, when HR performs I-9 verification and confirms that the individual person’s identity is the same as the identity self-asserted during the pre-employment review process.
  • For vendors or individual persons without an employment relationship with the university, this verification may occur at the start of the business relationship or may require a third-party service.

In some cases, an existing and applicable regulatory requirement will mandate that measures be taken so that the individual’s identity is also proofed. Even in the absence of a regulatory requirement, the position may afford sufficient privileges, access, or administrative rights that business units, in coordination with HR, determine that identity proofing for the position or individual is necessary. When IAL2 is deemed to be required, the identity must be verified and proofed.

Part 4: Authentication Assurance Levels

 

Systems are classified based on the assurance required to access the given system. A system itself or any of its components may be designated AAL0, AAL1, or AAL2 based on the classification of data in the system and its overall designated criticality. As with identity assurance, privileged access to even AAL0 systems may require AAL1 or AAL2 authentication. A system’s AAL designation is maintained within the university’s overall asset inventory and reviewed regularly by system owners.

 

Authentication Assurance Levels are based on how difficult it may be for someone to replicate or otherwise compromise the factor or credential used for authentication. For example, while username/password credentials may be relatively easy for a threat actor to compromise, it is more difficult to compromise an individual person’s fingerprint or iris scan.

 

 

Level | Assurance | Credential Example | Examples

AAL0 | Low | Username & Password
  • Basic login to university services
  • Event registrations

AAL1 | Moderate | Secondary Factor (User/PW/MFA)
  • Employee Self-Service
  • University Email
  • Administrative Access

AAL2 | High | Organizationally-defined or Regulation-Dependent
  • Remote Admin Services
  • Privileged Access Workstations
  • CJIS, EPCS, ITAR/EAR, etc.

Other examples of systems with associated data classification and authentication assurance levels:

 

Level | Assurance | Data Classification | Examples

AAL0 | Low | Public & University-Internal
  • A public sign-up page for campus events
  • Registration page for a public newsletter
  • Pre-employment portal registration
  • Pre-admissions status portal for potential students

AAL1 | Moderate | Restricted & Critical
  • O365
  • Completing timesheets in Employee Self-Service
  • Research systems
  • Research with PHI/PII
  • Clinical Systems (with PHI)

AAL2 | High | Use-Dependent (Critical)
  • Regulated access (e.g., EPCS)
  • Privileged access to critical institutional systems

 

Compliance and Enforcement

 

The university maintains the authority to restrict or revoke any user’s privileges on IT resources, and to take any other steps deemed necessary to manage and protect university IT resources and data, including referral to appropriate external authorities. (Policy Manual § II-19)

 

Exceptions: Security Exceptions are available on a limited basis. University applications or services with an implementation that does not meet these standards must be granted an exception. System Owners may be required to share technical details and present justification if they seek an exception. This information, and potentially also a security review, is subsequently analyzed and approved by the Information Security and Policy Office (ISPO). Request a Security Exception.

 

References

 

Special Publication 800-63A, Digital Identity Guidelines, March 2020, National Institute of Standards & Technology, US Department of Commerce.