ROWAN UNIVERSITY POLICY

Title: Multi-Factor Authentication Policy
Subject: Information Resources and Technology
Policy No: IRT:2018:04
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Vice President for Information Resources and Technology and Chief Technology Officer
Date Adopted: 07/02/2018
Last Revision: 11/17/2025
Last Review: 11/12/2025

I. PURPOSE

The purpose of this policy is to establish requirements for the use of multi-factor authentication (MFA) and single sign-on functionality in the Rowan University environment and for processing Rowan data of all classification levels. The integration of these requirements allows for proper centralized authentication, logging and investigation related to security and regulatory requirements.

II. ACCOUNTABILITY

Under the direction of the President, the Chief Information Officer and Information Security Officer shall ensure compliance with this policy. The Vice Presidents and Deans shall implement this policy.

III. APPLICABILITY

This policy applies to all members of the Rowan Community who access and use the University’s electronic information and information systems.

IV. DEFINITIONS

Refer to the Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.

V. POLICY

All University systems must comply with the following requirements:

  1. All information systems containing sensitive data, defined as, but not limited to, confidential, private, internal, and/or regulated data (FERPA, HIPAA, Controlled Unclassified Information, etc.), must use multi-factor authentication and single sign-on in accordance with IRT’s MFA and single sign-on standards.
  2. Multi-factor authentication must include at least two of the following categories:
    1. Something you have (e.g., hardware token, smart phone application, badge, digital certificate, smart card)
    2. Something you know (e.g., password, passphrase, PIN)
    3. Something you are (e.g., fingerprint scan, facial recognition) 
  3. Systems that contain data types that require the use of MFA and single sign-on, but do not support integration with Rowan’s MFA and single sign-on technology, must be restricted to only allow access from IRT-managed devices that require those features themselves, such as a remote desktop with MFA and single sign-on enabled. 
  4. Systems containing public data only do not require multi-factor authentication. If authentication is required for public data systems, integration with Rowan’s authentication platforms is recommended to ease administration and provide security features such as account management and centralized logging.

VI. POLICY COMPLIANCE

Any individual who violates this policy shall be subject to discipline up to and including dismissal from the University, as well as civil and criminal penalties, if applicable. Any exceptions to this policy must be approved by the Information Security Office.


By Direction of the CIO: 

Mira Lalovic-Hand, 
SVP and Chief Information Officer