Old Dominion University

Information Technology Standard

04.1.0 MIDAS Identity Management Standard

Date of Current Revision or Creation: October 1, 2021

The purpose of an Information Technology Standard is to specify requirements for compliance with Old Dominion University Information Technology policies, other University policies, and applicable laws and regulations. Standards may include business principles, best practices, technical standards, and migration and implementation strategies that direct the design, deployment and management of information technology.

  1. Purpose

    The purpose of this compliance standard is to establish account management practices for the Monarch Identification and Authorization System (MIDAS), the central identity and password manager control system. Management and access control practices are used to ensure security is applied effectively.

  2. Definitions

    Banner Affiliate is a term to describe an account in the MIDAS system associated with a Banner Person Record that has a Banner Affiliate Record.

    Banner Person is a term to describe an account in the MIDAS system associated with a Banner Person Record that has a Student or Employment Record.

    Event Accounts are sponsored accounts commonly used for specific events like conferences.

    MIDAS is an acronym for the Monarch Identification and Authorization System, a central identity and password manager.

    MIDAS Guest Account is a term to describe MIDAS accounts that do not have associated Banner person records.

    MIDAS Account is a common term for Banner Person.

    ITS is the acronym for the official name of Information Technology Services.

    User includes anyone who accesses and uses the Old Dominion University information technology resources.

    Locally Hosted systems are those IT Systems physically housed and logically connected to the ODU Main Campus.

    Sponsored Account is a term describing a MIDAS Guest account with a short account lifecycle.

    SSO is the acronym for Single Sign-On. This encompasses a family of systems/applications that allow users to verify their credential in one system and have that credential trusted in another.

    MIDAS Role is an attribute associated with a MIDAS account describing the user's affiliation with the University.

    MIDAS Group is a logical grouping of entities inside of MIDAS.

  3. Standards Statement

    1. Account Creation

      MIDAS is an ID and password management system that stores user information and communicates that information to University networked resources. This allows the user to log in to those resources with the same user ID and password.

      MIDAS accounts and Banner Affiliate accounts are available to members of the University community with a unique and verifiable person record in Banner. MIDAS Guest and Sponsored accounts may be issued to guests and/or affiliates for access to non-sensitive systems based on System Owner approval.

      All MIDAS users are required to accept the Acceptable Use Policy. Additional account creation requirements may exist based on Compliance Requirements, Federal, State, or Local laws or by other University and/or ITS Standards. These additional requirements should be scoped to the intended user base.

      A security profile is created for password recovery purposes. The security profile requirements may be determined by user affiliation or access to sensitive data.

      Two-Factor authentication setup may be required.

      After creating a MIDAS ID and password from this site, users can use these credentials to access approved and provisioned services that are integrated with MIDAS. Secondary IDs may be created for the user, depending on system requirements. MIDAS account IDs and any secondary IDs must be unique to the individual across all systems.

      Only ODU hosted or contracted systems may accept MIDAS credentials. Only locally hosted or CIO approved applications may verify the MIDAS credential directly, while other systems must leverage SSO systems or use a unique username and password.

      Users creating MIDAS Accounts must verify their Banner person record association during the creation of the MIDAS Account. Users creating MIDAS Guest Accounts may self-assert person record data. A MIDAS Guest Account can become a MIDAS Account after Banner person records have been verified, but all self-asserted data must no longer be used.

    2. Passwords

      Users can change their password within MIDAS after successfully authenticating to MIDAS directly.

      All password changes must be governed by the user's Password Profile. If a user is a member of two or more password profiles, then the most complex password profile must be used.

      Password profile complexity requirements are determined based on Sensitivity and Risk and should only be applied to the relevant user base. Complexity requirements should include:

      • Number of upper and lower alpha characters
      • Number of Numeric characters
      • Number of Non-Alphanumeric characters
      • Number of repeating characters
      • Number of previous password history entries
      • Number of password differences from the previous password
      • List of blacklisted characters (for system compatibility)
      • List of blacklisted words or passwords (e.g., dictionary checks)

      Administrative Password Reset may be issued by the ITS Help Desk when the user is unable to complete their security profile or by ITS Security under suspicion of compromise. Until the user is able to recover the account, all services must be disabled. Services will be restored after a new security profile is established and a new unique password has been set. Lost or forgotten passwords can be reset by users after successfully answering the questions using data stored in their security profile.

    3. Account Management

      MIDAS accounts must only be disabled under University Council or Student Judicial direction.

      MIDAS may issue services automatically based on System Owner approved authorizations.

      Manual services may be issued through the Account Management Standard.

      Service Removal must be done according to the Account Management Standard and Procedure.

      • Services may be suspended through ODU Business processes as requested by Supervisors, Human Resources or University Management.
      • Services may be temporarily disabled by ITS Security Operations in response to Security Threats by the Security Team.
      • All services related to and including the MIDAS accounts may be completely disabled only under direction of University Counsel.

      Management of Groups may be distributed from ITS Accounts as directed by the Group owner.

      Management Interfaces of MIDAS may be distributed to non-ITS Account personnel with the approval of the Director of Information Security.

  4. Procedures, Guidelines & Other Related Information

    Federal and State Law

    University Policy 3501 - IT Access Control

    University Policy 3505 - Information Technology Security

  5. History

    Date             Responsible Party    Action
    December 2006    ITAC/CIO             Created
    October 2008     ITAC/CIO             Reaffirmed
    October 2010     ITAC/CIO             Reaffirmed
    October 2011     ITAC/CIO             Reaffirmed
    September 2013   IT Policy Office     Revised
    May 2018         IT Policy Office     Formatting changes; minor revisions based on new functionality
    October 2021     IT Policy Office     Definitions and links checked
