University Sponsored Affiliates

Date of Adoption

August 1, 2021

Effective Date of Last Review

New Policy

Date of Last Review

New Policy

Date of Next Review

September 2027

Custodian of Policy

Vice President for Finance and Administration

Policy

University-Sponsored Affiliates are individuals or related groups of individuals authorized by the University through a contract or standing agreement to receive access to services typically granted only to those with an official academic or employment relationship (student, alumnus, employee, emeritus).

This policy institutes a formal authorization process used to determine if an individual or group should be given this Affiliate identity, to establish the timeline for which the Affiliate identity remains in effect, to specify which individual services are to be granted, and to specify who bears responsibility for the cost of providing each service. A University community member will be designated to serve as the Sponsor for each authorized Affiliate, with responsibility to monitor and provide timely status updates.

Affiliate relationships recognized through University contracts have defined business purposes. The contractual agreement specifies required access to services and outlines the fiscal responsibility of each party related to the costs incurred to provide those services.

Individuals established as Affiliates are required to provide personally identifying information to the University. The University will ensure that the safeguarding of private data collected from Affiliates adheres to the same standards established for its students and employees.

Recognized Affiliates are required to comply with all applicable FERPA, MGDPA, HIPAA, PCI-DSS and acceptable use policies.

All data and communications stored on, obtained through, or transmitted through university-owned or managed systems are the property of the University, the Minnesota State Colleges and Universities system, and the State of Minnesota, unless otherwise defined in the contractual agreement.

Each Affiliate relationship has a defined begin date and end date.

The Sponsor of record is responsible for ensuring the Affiliate turns in all University-owned items when the relationship ends, such as Affiliate ID card, keys, and other physical assets.

The Sponsor of record must also contact IT Solutions to terminate access to accounts, services, door access, electronic key access, software, and other services provided to the Sponsor.

Periodic audits will be conducted by IT Solutions to confirm Affiliate Records reflect actual relationship statuses. Sponsors may be required to review and recertify Affiliate Records for continued access to some services.

A coordinated and centralized request and approval process exists to support the maintenance of Affiliate relationships with the University.

Definitions

Requestor: The University employee or organizational unit (or designee) with knowledge and ability to define necessary access to Services for an Affiliate, for the Sponsor’s review & approval. Requestor may ask to initiate, change, or terminate the Affiliate’s access to Services.

Sponsor: The University employee or organizational unit assigned responsibility and authority to approve access to Services requested for an Affiliate and to ensure the timely termination of Services granted to an Affiliate.

Affiliate Record: A collection of individual demographic attributes verified by the Requestor or Sponsor for the purpose of establishing an approved identity as an Affiliate.

Identity Management Systems: Data systems maintained by IT Solutions that assign a status to each record and govern the appropriate granting of access and privileges to individuals.

Services: Access and/or privileges granted through the creation of an individual’s identity in one or more Identity Management Systems.

Examples include an Office 365 account, access to file servers, email, phone, networking, computer support, university directory listing, ID card, facilities access, and eligibility to check out library materials, use free busing, or purchase a parking permit, dining plan and/or campus printing/photocopying services, etc.

Procedure

  • Onboarding
    • Requestor identifies a need for an Affiliate Record to be created and collects the required demographic data from the individual to be recognized as an Affiliate. The need is based on the terms of a University contract or other formal relationship with the University, or due to recognized individual situations such as the continuation of services afforded to students without enrollment due to military leave.
    • A responsible person needs to be identified as the Sponsor for the Affiliate, to approve permissions and access to Services for the Affiliate, and to take overall responsibility for the Affiliate.
    • Requestor and/or Sponsor identify the Services needed and the time-period [start & end dates] for the provisioning of these Services.
    • Sponsor approves the request and forwards to IT Solutions for final determination of Services to be granted.
    • IT Solutions reviews the request from the Sponsor; once all necessary information is confirmed, the Affiliate Record is created in the appropriate Identity Management Systems and approved Services are provisioned to the Affiliate for the specified time-period.
    • IT Solutions notifies the Sponsor that the Affiliate Record is ready for use as requested.
    • IT Solutions notifies the internal service providers who need to be made aware of the availability of Affiliate Record information to complete the provisioning of Services.
  • Updating
    • If the Requestor or Sponsor identifies a need to make changes to either the demographic data originally submitted or the Services originally granted to the Affiliate, the Sponsor submits a Help Desk ticket to IT Solutions.
    • IT Solutions updates the Affiliate Record and acknowledges the completion of the request back to the Sponsor.
    • IT Solutions notifies the internal service providers who need to be made aware of the availability of Affiliate Record information to complete the provisioning or expiration of Services.
  • Recertifying
    • IT Solutions will notify the Sponsor 30 days prior to the Affiliate status expiration date and request a recertification of the Affiliate’s active status and need for Services.
    • Affiliates whose status has been recertified will have continued access to Services; if no recertification is received from the Sponsor, IT Solutions will terminate the Affiliate Record on the expiration date.
    • IT Solutions will notify the Sponsor and/or any internal service providers who need to be made aware of the termination of the Affiliate Record.
  • Terminating
    • Requestor or Sponsor identifies a need to terminate an Affiliate Record as of a specific date and forwards a request via Help Desk ticket to IT Solutions.
    • IT Solutions terminates the Affiliate Record and acknowledges the completion of the request to the Sponsor and any internal service providers who need to be made aware.

University-Sponsored Affiliate Agreements

The University contract will define the business purpose for the agreement, Services required for individuals covered by the contract and any billable costs related to the provision of Services. As an example, if e-mail accounts, phones, and voicemail are needed for each affiliate, there will be an initial setup charge, monthly charges, as well as licensing charges for those services that will need to be paid by the affiliate or through the service contract. Similarly, if there are any additional services that need to be established, such as IT support services, this will need to be established in the contract as well.

All contracts and agreements must have a reasonable termination date. Requested Services for Affiliates must also have a reasonable termination date. When an Affiliate relationship is terminated, the Sponsor and service providers must be contacted immediately to deprovision Services and access to systems.

Every University-Sponsored Affiliate must completely comply with FERPA, MNDPA, HIPAA, PCI, and acceptable use policies, as other University employees must. All data and communications that are stored or obtained on University systems or on paper or other forms of storage, or transmitted, are the property of the University, Minnesota State and the State of Minnesota unless otherwise defined in the contractual agreement.

Rationale

The University has an interest in monitoring Affiliate relationships to mitigate potential risks in the context of information security and physical security, as well as the oversight of financial commitments established by such relationships. Individual service owners are not consistently notified when a University-Sponsored Affiliate should no longer be provided access to University services due to a contract expiration or other event that terminates the relationship. Therefore, it is imperative to establish a policy and supporting procedures to formally end a University-Sponsored Affiliate’s status in a timely manner.