3.3.1 Authentication and Identity Management
PLU issues and manages electronic identifiers — e.g. ePass usernames and passwords — for every member of the university who connects to the network to use such electronic resources as email, online resources, administrative information systems, and learning management systems.
All users of the PLU network must obtain electronic identifiers to gain access to the network and to specific networked resources to which they are assigned access. Users must adhere to all PLU policies for appropriate use of computing resources as well as obtain, change, and terminate these identifiers as directed by the university.
An individual’s role, status, and responsibilities within the university determines the level of authorization or privilege granted for a particular resource or service. Data stewards and application owners are responsible for establishing standards governing authorization for access to their services.
Sharing a personal identifier, such as username and password combination, is prohibited and may result in the suspension or revocation of network access privileges, separation from the university, or legal action. Those who share personal identifiers are held responsible for all activity occurring under their electronic identity.
I&TS determines criteria for the methods and strength of login requirements for all PLU systems, local or hosted, that require authentication. I&TS also determines and maintains the criteria for eligibility to receive electronic identifiers, in consultation with data stewards and informed by the Data Classification and Control policies. These criteria are documented and maintained in the “I&TS Access Control Schedule”.
3.3.2 Network Registry and Authorized Devices
The university issues and manages identifiers for all devices that connect to the network. These include desktop computers, laptop computers, and other mobile devices such as smart phones and tablets. Network registration is established for university-purchased devices when devices are placed into service; owners of personal devices must acquire a network identifier through Information & Technology Services (I&TS) before network access is enabled.
Each device connected to the network must have at least one individual responsible for the security of that device. These responsible individuals must know and enforce all Responsible Use of PLU Technology & Related Services policies, including prompt reporting of security incidents.
Unauthorized access to restricted or personally-owned computers, data, or software, or the knowing use of restricted computers, data, or software accessed or acquired by someone else, is prohibited. Use of computers or networks to compromise or attempt to compromise any other computers, networks, or data is prohibited.
3.3.3 Protection Against Malicious Software
All devices connected to the PLU network must be maintained with current operating systems, browsers, & applications. I&TS regularly releases patches to University-owned computers which are also equipped with anti-virus software. Employees or students who connect personally-owned devices to the PLU network must keep their operating systems, browsers, & applications up to date including a reliable anti-virus program. Failure to maintain anti-virus protection can result in network interruption or performance degradation, often without the owner’s knowledge. Device owners may be held liable for such incidents. A list of free, easy-to-install anti-virus software services is available through the I&TS Help Desk at https://www.plu.edu/antivirus.
3.3.4 Naming Conventions
PLU requires the central recording of a) all domain names purchased with institutional funds and served by institutional domain name servers, and b) the registration of those names within the plu.edu domain. I&TS reserves the right to limit a domain name that is not compatible with overall PLU domain naming practice. Final approval of a domain name used for Web access is granted by I&TS and the Marketing & Communications Web Development Group.
Rules for creation of plu.edu names are:
- Use the recognized name of an administrative unit, college, or department
- Use the name of a university-wide service (e.g. sakai.plu.edu)
- An exception may be granted if
- a large number of people will recognize and use it
- it will not be so generic or ambiguous as to give rise to confusion among average users
- the unit, college, or department head approves it