
Security of Enterprise Systems - PHEC

Overview

Drexel University ("University"), to provide services to its constituents, records a large amount of extremely confidential data, transmits the information over extensive wired and wireless networks, and stores the information on numerous computing systems. Any breach in the security of these systems or networks could disrupt the University and/or allow such confidential information to be transmitted quickly, silently and without geographic or constituency limits.

Recognizing these vulnerabilities and the need for institutions to limit access to such information, the Federal Government has passed numerous laws concerning personal information. As a result, the University must comply with a complex array of legislation including, but not limited to, FERPA [1], HIPAA [2] and GLB [3]. Failure to comply with legislation can have significant adverse consequences on the University, its academic program, research funding and reputation.

Statement of Purpose

In order to ensure the continued availability, confidentiality, and integrity of University information, to protect business-critical networks and systems, and to comply with federal law, the Office of Information Resources & Technology (IRT) and the Office of General Counsel (OGC) have established a number of policies and practices, including the Security of Enterprise Systems Plan ("Plan"). The goal of the Plan is to assure ongoing compliance with federal statutes and regulations related to the Plan and to position the University for likely future privacy and security regulations.

The Plan outlines requirements for all areas of the University, including but not limited to, administrative offices, academic departments, researchers, and third party contractors (including food services and the book store).

Each person who accesses University business systems must abide by the Plan. All levels of management must ensure that, for their areas of responsibility, each individual knows his or her responsibilities as outlined in the Plan.

Definitions:

Institutional Data is information relating to the administration of the University.

1. The Family Educational Rights and Privacy Act, 20 U.S.C. § 1232g, et seq.
2. The Health Insurance Portability and Accountability Act of 1996 (Public Law 104-191)
3. The Financial Services Modernization Act of 1999, 15 U.S.C. § 6801, et seq.

Enterprise Systems are University-wide business systems, such as the Banner System, Cactus, Signature, Exeter Student Marketing System, SCDConline (CoOp), Web*Finance, Web*Salary and the BSR Institutional Advancement System. Additional systems may be added in the future.

Enterprise System Owners are the senior vice presidents who oversee each Enterprise System and who provide leadership in regard to the overall functionality of the Enterprise System.

Enterprise System Administrators are the individuals responsible to the Enterprise System Owner for the overall functionality, accuracy, integrity and security of data within each Enterprise System.

Data Custodians are the individuals who report to an Enterprise System Owner and are responsible for day-to-day information management, including creation, maintenance, ongoing timeliness and accuracy of an Enterprise System.

Computing System is any handheld, laptop or desktop computer, server, or other computing system operated by or for the University and/or connected to a University network.

Server is any Computing System or device that performs functions for other network-connected Computing Systems, including, but not limited to, file sharing (making files available to other systems), web serving, remote control (allowing the computer to be controlled from another location), and peer-to-peer sharing. Computing Systems may perform as Servers unless specifically configured not to.

System Administrator is the individual, either in the Office of Information Resources and Technology or other University departments, who controls and operates a Computing System.

End User is an individual who accesses an Enterprise System or Computing System.

Overview

The University is the ultimate owner of all Institutional Data, whether maintained in an Enterprise System or in other applications and/or Computing Systems.

All Institutional Data are considered confidential and are intended exclusively for purposes related to the University's programs. All Institutional Data and Enterprise Systems should be used only for the legitimate business of the University and not for commercial, personal and/or political purposes.

Requirements and Procedures

Accounts Management

Requests for access to Institutional Data, including maintenance and/or inquiry, should be given to the appropriate Enterprise System Administrator, who will determine the validity of the request. If the request for access is approved, the Enterprise System Administrator will notify the Core Administrative System Group of the Office of Information Resources and Technology by email. If a request for access crosses functional modules, the Enterprise System Administrator for each respective module must authorize the request for its respective areas.

By approving access to an End User, the Enterprise System Administrator acknowledges that access to the Institutional Data is job-related and necessary to perform the duties expected. An Enterprise System Administrator has the right to deny requests for access if he or she believes that access would not be a beneficial use of University resources. Denied requests for accounts may be appealed in writing to the Enterprise System Owner.

Authorization/Access Control

End Users are to be provided with the minimum access privileges required to perform permitted tasks.

Access is provided to End Users so that they can more effectively perform the duties of their position. An employee, before being granted access to an Enterprise System, must receive general system training supplemented by specific instruction from the Enterprise System Administrator and/or the Data Custodian of the respective area. This specific training ensures that the End User understands how to interpret the Institutional Data being accessed. The training should match and not exceed the level of access approved.

Password Policy

Banner Oracle Password Policy

In order to improve security and comply with external audit recommendations, all Banner Oracle passwords must be changed at least once every 60 days.

Banner Oracle passwords are used by Native Banner, Internet Native Banner, and WebFinancials; they are not used by the DrexelOne portal, BannerWeb (which is accessed via DrexelOne), the Drexel domain, Unix Systems, Email servers, the Brio OnDemand Server (Insight), the Exeter Student Marketing System, the BSR Advancement System, Yardi or Cactus.

An acceptable Banner Oracle password is:

  • Between 6 and 8 characters in length
  • The first character must be a letter (A - Z)
  • It must have at least 2 letters and at least 1 number
  • The following symbols are not allowed: $ & @ " '
  • The password cannot be a word in any dictionary

When an End User's password expires, the End User will not be locked out, but will be required to change his password before continuing with his login.

If an End User forgets his password, he must contact the appropriate Enterprise System Administrator.

If an End User enters an invalid or incorrect password four (4) times in a row, he will be locked out of his Banner Oracle account for one (1) hour.
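The expiry and lockout rules above describe a small piece of account state: a counter of consecutive failed logins, a lockout that lapses after an hour, and a password age that forces a change without locking the account. The following is an added example (not Drexel's or Banner's code) that models exactly those rules so they can be checked deterministically; the clock is injected as a number of seconds, and the audit trail entries are constructed for the example.

```python
"""Account lockout and password-expiry tracker.

Added example (not Drexel's or Banner's code) modelling the rules stated
in the policy: four consecutive bad passwords lock the account for one
hour, and an expired password (older than 60 days) forces a change at
the next login without locking the account. Time is injected as a
number of seconds so the logic can be exercised deterministically.
"""
from dataclasses import dataclass, field
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 4                         # policy: four (4) incorrect passwords in a row
LOCKOUT_SECONDS = 60 * 60                       # policy: locked out for one (1) hour
PASSWORD_MAX_AGE_SECONDS = 60 * 24 * 60 * 60    # policy: changed at least every 60 days


@dataclass
class AccountState:
    password_set_at: float                      # when the current password was set
    failed_attempts: int = 0                    # consecutive failures since the last success
    locked_until: Optional[float] = None        # end of the current lockout, if any
    audit: List[tuple] = field(default_factory=list)   # constructed audit trail for the example

    def is_locked(self, now: float) -> bool:
        """True while a lockout is in force; an elapsed lockout clears itself."""
        if self.locked_until is not None and now >= self.locked_until:
            self.locked_until = None
            self.failed_attempts = 0
        return self.locked_until is not None

    def password_expired(self, now: float) -> bool:
        return now - self.password_set_at >= PASSWORD_MAX_AGE_SECONDS

    def attempt_login(self, now: float, password_ok: bool) -> str:
        """Outcome of one login attempt: 'locked', 'denied', 'must_change' or 'ok'."""
        if self.is_locked(now):
            self.audit.append((now, "rejected: account locked"))
            return "locked"
        if not password_ok:
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked_until = now + LOCKOUT_SECONDS
                self.audit.append((now, "lockout started"))
                return "locked"
            self.audit.append((now, f"bad password ({self.failed_attempts}/{MAX_FAILED_ATTEMPTS})"))
            return "denied"
        # Correct password: the consecutive-failure counter starts over.
        self.failed_attempts = 0
        if self.password_expired(now):
            # Policy: not locked out, but must change the password before continuing.
            self.audit.append((now, "password expired; change required"))
            return "must_change"
        self.audit.append((now, "login ok"))
        return "ok"

    def change_password(self, now: float) -> None:
        self.password_set_at = now
        self.audit.append((now, "password changed"))


def demo() -> List[str]:
    """Walk a constructed sequence of attempts through the rules and return the outcomes."""
    acct = AccountState(password_set_at=0.0)
    outcomes = []
    t = 1000.0
    for _ in range(4):                                   # four wrong passwords in a row
        outcomes.append(acct.attempt_login(t, password_ok=False))
        t += 1
    outcomes.append(acct.attempt_login(t, password_ok=True))   # right password, still locked
    t += LOCKOUT_SECONDS                                        # an hour later the lock has lapsed
    outcomes.append(acct.attempt_login(t, password_ok=True))
    t = PASSWORD_MAX_AGE_SECONDS + 5                            # well past the 60-day limit
    outcomes.append(acct.attempt_login(t, password_ok=True))    # forced change, not a lockout
    acct.change_password(t)
    outcomes.append(acct.attempt_login(t + 1, password_ok=True))
    return outcomes


if __name__ == "__main__":
    print(demo())
```

The point worth noticing is the fifth attempt in `demo()`: a correct password presented during the lockout window is still rejected, which is what makes the one-hour lock meaningful against guessing, while an expired password on a correct login yields `must_change` rather than a lock, matching the policy's distinction between the two cases.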

In order for an End User to change his Banner Oracle password in Native Banner or Internet Native Banner, he must enter GUAPSWD in the Direct Access field on the Oracle Runtime Form. To change a Banner Oracle password within WebFinancials, click on the Change Password link.

Each End User is responsible for the security, privacy and confidentiality of the Institutional Data to which he has access. Each End User is responsible for all transactions occurring during the use of his account. End Users must never share their passwords with others. If an End User suspects that his password has been compromised, he must immediately change his password. End Users should logoff of any Enterprise System when the End User leaves his desk for more than 30 minutes.

Enforcement

Failure to comply with the above policies may result in denial of access to information in Enterprise Systems and/or disciplinary action against the End User or Enterprise System Administrator.

General Password Guidelines

The following guidelines are derived from a template provided by the SANS (SysAdmin, Audit, Network, Security) Institute.

Overview

  • All user-level passwords must be changed at least every 63 days.
  • User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
  • Passwords must not be inserted into email messages or other forms of electronic communication.
  • All user-level and system-level passwords must conform to the guidelines described below.

General Password Construction Guidelines

Passwords are used for various purposes at the University. Since very few systems have support for one-time tokens (i.e., dynamic passwords which are only used once), End Users must be aware of how to select strong passwords.

Poor or weak passwords have the following characteristics:

  • The password contains fewer than six characters
  • The password is a word found in a dictionary (English or foreign)
  • The password is a common usage word such as:
      • Names of family, pets, friends, co-workers, fantasy characters, etc.
      • Computer terms and names, commands, sites, companies, hardware, software.
      • Organization, place or event names like "Drexel", "Philly", "SuperBowl" or any derivation.
      • Birthdays and other personal information such as addresses and phone numbers.
      • Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
      • Any of the above spelled backwards.
      • Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

  • Contain both upper and lower case characters (e.g., a-z, A-Z)
  • Have digits and punctuation characters as well as letters
    e.g., 0-9 ! # % ^ * ( ) _ + | ~ - = \ ` { } [ ] : ; < > ? , . /
  • Passwords for Banner and WebFinancials must begin with a letter
  • Are at least seven characters long.
  • Are not a word in any language, slang, dialect, jargon, etc.
  • Are not based on personal information, names of family, etc.

Passwords should never be written down or stored on-line. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation. NOTE: Do not use any of these examples as passwords!
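Two rule sets on this page can be checked mechanically: the Banner Oracle rules (6 to 8 characters, first character a letter, at least two letters and one number, none of $ & @ " ', not a dictionary word) and the general strong-password guidelines (at least seven characters, upper and lower case, digits or punctuation, not a dictionary word or one with a digit stuck on either end). The following is an added example, not Drexel's, Banner's or SANS' code, that encodes both sets so a password can be screened before it is accepted; `WORDLIST` is a constructed stand-in for a real dictionary or blocklist, and the function names are this example's own.

```python
"""Password-policy checker for the rules stated on this page.

Added example, not Drexel's, Banner's or SANS' code. It encodes the Banner
Oracle rules and the general strong-password guidelines from the policy.
The dictionary below is a constructed stand-in for a real word list.
"""
import string
from typing import List

# Constructed stand-in for a real dictionary / blocklist (lower-case entries).
WORDLIST = {"secret", "password", "drexel", "philly", "superbowl", "welcome"}
BANNER_FORBIDDEN = set('$&@"\'')        # symbols Banner Oracle does not allow
PUNCTUATION = set(string.punctuation)


def looks_like_dictionary_word(pw: str) -> bool:
    """True if pw is a listed word, that word reversed, or that word with a
    single digit in front of or after it (the patterns the guidelines name)."""
    core = pw.lower()
    candidates = {core}
    if core[:1].isdigit():
        candidates.add(core[1:])
    if core[-1:].isdigit():
        candidates.add(core[:-1])
    for c in list(candidates):
        candidates.add(c[::-1])
    return any(c in WORDLIST for c in candidates)


def check_banner_oracle(pw: str) -> List[str]:
    """Return the Banner Oracle rules that pw violates (empty list = acceptable)."""
    problems = []
    if not 6 <= len(pw) <= 8:
        problems.append("must be between 6 and 8 characters")
    if not (pw[:1].isascii() and pw[:1].isalpha()):
        problems.append("first character must be a letter")
    if sum(ch.isalpha() for ch in pw) < 2:
        problems.append("needs at least 2 letters")
    if sum(ch.isdigit() for ch in pw) < 1:
        problems.append("needs at least 1 number")
    bad = sorted(BANNER_FORBIDDEN & set(pw))
    if bad:
        problems.append("contains disallowed symbol(s): " + " ".join(bad))
    if looks_like_dictionary_word(pw):
        problems.append("is a dictionary word (or a trivial variation of one)")
    return problems


def check_general_guidelines(pw: str) -> List[str]:
    """Return the general strong-password guidelines that pw fails."""
    problems = []
    if len(pw) < 7:
        problems.append("fewer than seven characters")
    if not (any(c.islower() for c in pw) and any(c.isupper() for c in pw)):
        problems.append("needs both upper and lower case letters")
    if not any(c.isdigit() or c in PUNCTUATION for c in pw):
        problems.append("needs digits or punctuation as well as letters")
    if looks_like_dictionary_word(pw):
        problems.append("based on a dictionary word")
    return problems


if __name__ == "__main__":
    # The page's own illustrations (which it says not to use as real passwords)
    # pass both rule sets; the weak examples it names do not.
    for candidate in ["TmB1w2R!", "Tmb1W>r~", "secret1", "1secret", "aB3xyz"]:
        print(candidate, check_banner_oracle(candidate), check_general_guidelines(candidate))
```

A password such as `aB3xyz` shows why the two rule sets are kept separate: it satisfies every Banner Oracle rule but falls short of the general seven-character guideline, so an account that is acceptable to Banner can still be weaker than the University's own baseline.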

B. Password Protection Standards

Do not use the same password for University accounts as for other non-University access (e.g., personal ISP account, option trading, etc.). Where possible, use different passwords for Banner and Email or the Drexel domain.

Do not share University passwords with anyone, including administrative assistants, secretaries, graduate assistants, or the help desk/technical support staff. All passwords are to be treated as sensitive, Confidential University information.

Here is a list of "don'ts":

  • Don't reveal a password over the phone to ANYONE
  • Don't reveal a password in an email message
  • Don't reveal a password to the boss
  • Don't talk about a password in front of others
  • Don't hint at the format of a password (e.g., "my family name")
  • Don't reveal a password on questionnaires or security forms
  • Don't share a password with family members
  • Don't reveal a password to co-workers while on vacation
  • Don't reuse passwords in the course of one year
  • When changing a password, don't derive it from a previous password (e.g. TmB1w2R!-1 becomes 1TmB1w2R!-2)

If someone demands a password, refer them to this document or have them call your Enterprise System Administrator.

Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system including PDAs without encryption.

Change passwords at least once every nine weeks.

If a password is suspected to have been compromised, report the incident to your Enterprise System Administrator and change the password.

Password cracking or guessing may be performed on a periodic or random basis by IRT or its delegates. If a password is guessed or cracked during one of these scans, the End User will be required to change it.