NetID Password Policy

None

 Review Process / Approval

None

Sensitive or Personal Information: Sensitive information includes any data items, which through loss, unauthorized access, or modification could: adversely affect the institution; violate international, federal, state, or local laws; compromise the privacy of individuals; or are any items explicitly defined by the institution as confidential or internal-use only.

Average Systems: Systems where users only have access to read and update only their information or do not have access to sensitive information about others.

High-Security Systems: Systems where users have been designated as having access to sensitive or personal information. As such, these users will be subject to more rigorous security requirements.

Accounts/Authentication System: For purpose of this document, an "account" will refer to one source of authentication, typically a username/password pair. Many systems may share a common account or authentication system. For example, SUNY Plattsburgh's NetID is just such an account used to access ANGEL, email, and other services. Some systems, such as Banner Forms, may choose to use a unique account specific only to that system.

Leet-Speak: Or "l33t-sp34k." The practice of substituting letters with numbers that bear some resemblance to them. For example, a "3" for an "E" or a "4" for an "A." This can be used as an effective means of creating a password that is meaningful to the user but that also complies with complexity guidelines.

None

Account Lockout Procedures (Average System)

If a password is entered incorrectly 25 times in a row, the account will be locked for a period of 30 minutes. The relatively high retry count accommodates commercial software clients (programs) that often perform multiple retries on a single password entry. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.

Account Lockout Procedures (High-Security Systems)

If a password is entered incorrectly three times in a row, the account will be disabled and must be enabled by a security administrator. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.

Password Reset Procedures

In most situations, it is strongly encouraged that passwords resets be done by the user themselves using online forms or in person following the appropriate procedures listed in sections below. In addition to those procedures, special consideration must be given to individual branch campus, distance learning, and online students or those who simply are incapable of coming to campus in person for a password reset. Passwords for individuals who find themselves in those situations can only be reset by a System Manager, the Helpdesk Coordinator, or one of their assistants. The following information will need to be provided by the individual over the phone or in an email:

• Birth date
• Home address (on file)
• Home phone (on file)

Password Reset Procedures (Average Systems)

System Managers or Security Administrators, as well as staff at the Computing & Media Services Helpdesk and Feinberg Computer Lab service desk and in Computing Information Systems in Kehoe, are able to reset passwords. The Registrar and Alumni offices may also reset passwords for Students and Alumni, respectively. All parties resetting passwords must follow this protocol when resetting a password:

• In all cases, users should be encouraged to reset the passwords themselves using the online web form.
• If a user cannot do a self-reset for whatever reason, a College ID must be presented and verified for a password to be reset. Verification is done by checking the ID against Banner data or other databases that list active IDs.
• If no College ID is available, the user's birth date may be used as verification data, along with some other form of picture ID.
• If a picture ID is not available, the user's birth date and last four digits of their Social Security number may be used as verification data.
• If possible, no information provided by the user should be written down or communicated to the staff resetting the password. The user should be directed to type in all information themselves or to do a self-reset via a web form.
• If possible, the user should be directed to change the password to a different one immediately after the rest is complete.  

The password will be set to its default (the last 4 digits of the Social Security Number, followed by the first four letters of the last name in capital letters).

Passwords may be reset without verification by CMS systems management staff, the Helpdesk Coordinator, and the Computer Information Systems coordinator. The user should receive an email confirming each reset request asking them to contact appropriate administrators with concerns. The appropriate System Managers or Security Administrators should appoint staff to review reset logs for evidence of unauthorized access. The staff reviewing the logs should not be the staff who perform the resets.

Password Reset Procedures (High-Security Systems)  

System Managers or Security Administrators of high-security systems alone can reset such passwords. Requests will be made in person to the security administrators of these systems.

None

Related Policies

SUNY Plattsburgh Policy #10019- Responsible Use of Technology Resources

Relevant NYS Laws/Standards  

• From "Information Security Practices Recommended by New York State(Current State of Standards), Version September 14, 2006," [email protected]. Derived from" Cyber Security Policy P03-002, Information Security Policy," New York State Office of Cyber Security & Critical Infrastructure Coordination
  • 1.27 Give the Security Administrators administrative responsibility over all user-IDs and passwords and the associated processes for reviewing, logging, implementing access rights, emergency privileges, exception handling, and reporting requirements.
  • 2.45 Associate each user-ID with an authentication token, such as a password, which is used to authenticate the person accessing the data, system, or network.
  • 2.48 Hold each authorized user responsible to reasonably protect against unauthorized activities performed under his or her user-ID including not sharing passwords or other tokens or mechanisms used to uniquely identify individuals.

• Public Officers' Law, Section 74 New York State Ethics Commission
  • 3.b No officer or employee of a state agency, member of the legislature or legislative employee should accept employment or engage in any business or professional activity which will require him to disclose confidential information which he has gained by reason of his official position or authority.
  • 3.c No officer or employee of a state agency, member of the legislature or legislative employee should disclose confidential information acquired by him in the course of his official duties nor use such information to further his personal interests.
  • 4. Violations. In addition to any penalty contained in any other provision of law any such officer, member or employee who shall knowingly and intentionally violate any of the provisions of this section may be fined, suspended or removed from office or employment in the manner provided by law. Any such individual who knowingly and intentionally violates the provisions of paragraph b, c, d or i of subdivision three of this section shall be subject to a civil penalty in an amount not to exceed ten thousand dollars and the value of any gift, compensation or benefit received as a result of such violation...

There are no specific trainings identified with this policy.