- Campus Life
- Cost & Aid
- News & Events
- About Plattsburgh
Approved by Executive Council on March 14, 2008
Sensitive or Personal Information: Sensitive information includes any data items, which through loss, unauthorized access, or modification could: adversely affect the institution; violate international, federal, state, or local laws; compromise the privacy of individuals; or are any items explicitly defined by the institution as confidential or internal-use only.
Average Systems: Systems where users only have access to read and update only their information or do not have access to sensitive information about others.
High-Security Systems: Systems where users have been designated as having access to sensitive or personal information. As such, these users will be subject to more rigorous security requirements.
Accounts/Authentication System: For purpose of this document, an "account" will refer to one source of authentication, typically a username/password pair. Many systems may share a common account or authentication system. For example, SUNY Plattsburgh's NetID is just such an account used to access ANGEL, email, and other services. Some systems, such as Banner Forms, may choose to use a unique account specific only to that system.
Leet-Speak: Or "l33t-sp34k." The practice of substituting letters with numbers that bear some resemblance to them. For example, a "3" for an "E" or a "4" for an "A." This can be used as an effective means of creating a password that is meaningful to the user but that also complies with complexity guidelines.
It is the responsibility of all users to ensure that do nothing to allow compromise or unauthorized access to their accounts or information and services available through such accounts. As such, users:
In choosing an appropriately complex password, users should consider the following in addition to the specific requirements detailed in the next sections.
The degree of password complexity for any system is assigned at the discretion of the system's System Managers or Security Administrators.
After selecting an adequately complex or strong password, users of such systems are not required to change their passwords at any specific frequency, though they are encouraged to do so every 90-180 days. System Managers or Security Administrators of individual systems may opt to require password changes (expiration) at a specific interval with sufficient notification to users of those systems. Users desiring additional security may, at their discretion, change their passwords more frequently.
If a password is entered incorrectly 25 times in a row, the account will be locked for a period of 30 minutes. The relatively high retry count accommodates commercial software clients (programs) that often perform multiple retries on a single password entry. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.
If a password is entered incorrectly three times in a row, the account will be disabled and must be enabled by a security administrator. System Managers or Security Administrators will receive notification of each login failure and/or lockout incident and review available logs for evidence of unauthorized access.
In most situations, it is strongly encouraged that passwords resets be done by the user themselves using online forms or in person following the appropriate procedures listed in sections below. In addition to those procedures, special consideration must be given to individual branch campus, distance learning, and online students or those who simply are incapable of coming to campus in person for a password reset. Passwords for individuals who find themselves in those situations can only be reset by a System Manager, the Helpdesk Coordinator, or one of their assistants. The following information will need to be provided by the individual over the phone or in an email:
System Managers or Security Administrators, as well as staff at the Computing & Media Services Helpdesk and Feinberg Computer Lab service desk and in Computing Information Systems in Kehoe, are able to reset passwords. The Registrar and Alumni offices may also reset passwords for Students and Alumni, respectively. All parties resetting passwords must follow this protocol when resetting a password:
The password will be set to its default (the last 4 digits of the Social Security Number, followed by the first four letters of the last name in capital letters).
Passwords may be reset without verification by CMS systems management staff, the Helpdesk Coordinator, and the Computer Information Systems coordinator.
The user should receive an email confirming each reset request asking them to contact appropriate administrators with concerns. The appropriate System Managers or Security Administrators should appoint staff to review reset logs for evidence of unauthorized access. The staff reviewing the logs should not be the staff who perform the resets.
System Managers or Security Administrators of high-security systems alone can reset such passwords. Requests will be made in person to the security administrators of these systems.
Account information, including passwords, are considered private and the property of the user. Passwords are one-way encrypted in the system database and are not human-readable. Default passwords are provided to System Managers or Security Administrators by Computer Information Systems, and are stored in unencrypted format in the CMS database server for use when resetting passwords. System Managers, Security Administrators, and professional Helpdesk technicians have access to these stored passwords, and will access them, with notification to the user, for the following purposes:
Lists or files containing default password information should not be printed out, copied to other computer systems, or copied to any portable media other than for system backup purposes.
At no time should a System Manager, Security Administrator, Helpdesk technician, or other staff member ask a user to disclose their password in person, over the phone, in an email, or via any medium other than a secure password screen verifiably hosted by this campus. This is to avoid encouraging behaviors that would make it more likely that users would fall victim to Phishing attempts or other social engineering methods.
Should a password need to be disclosed by a System Manager, Security Administrator, Helpdesk technician, or other staff member to a user in person or over the phone, the person's identity should first be verified using methods described in the "Password Reset Procedures (Average Systems)" section of this document. If possible, usernames or account names and passwords should not be communicated via email. However, in cases where this becomes necessary, the username or account name and password should not be sent in the same message.
For more information about Administrative Policies approved by Executive Council, please contact:
Sean Brian Dermody
Assistant to the Vice President for Administration
Management Services Office
Office: Kehoe 710-11
Phone: (518) 564-2539
Fax: (518) 564-2540