Policy 07:13:00 Identification, Authentication, and Authorization
Revision Responsibility: Coordinator IT Services
Responsible Executive Office: Vice President of Academic Affairs
Purpose: To ensure the security and integrity of both College data and data belonging to individuals, this policy establishes requirements for the digital identification of all users of Platt College computer systems and networks (also referred to as Platt College IT resources). Identified users will securely authenticate to College systems and access only resources that they have been authorized to access.
Policy: All users of Platt College IT resources will be assigned a unique identity to securely authenticate to College IT resources that they have been authorized to access.
Applicability
This policy covers students, faculty, staff, administration and any and all individuals or entities using any Platt College IT resource and educational delivery format such as face-to-face (eCompanion), blended (eCombination), or online (eCourse).
1. Identification
Management of Identifiers
Alternative IDs (alternative names registered along with a personal Platt College ID) may be reassigned after a waiting period.
Social Security Number. Social Security Numbers shall not be used to identify Platt College employees or students.
Platt College Network Identifiers
Platt College IDs: must be at least eight characters in length and consist of at least three conventions: alpha upper case and lower case, numeric and special characters.
Nexus (SIS) Student IDs: The Nexus (SIS) login ID will be the student first name followed by a period (.) then the last name. As part of the application process, potential applicants visit the Applicant Portal Homepage where they enter First Name and Last Name, which are turned into their user account. The initial password is created by the student at the time of the account creation:
Types of Platt College IDs
Regular Personal Platt College IDs. Regular IDs are available to:
Sponsored Personal Platt College IDs. Sponsored IDs are available to all others subject to the following conditions:
Other Platt College IDs. IDs are available to identify other kinds of entities such as groups, departments, mailing lists, roles, computer-based services, etc.
Eligibility for Platt College IDs
2. Authentication
Access to non-public Platt College IT resources will be achieved by individual and unique logins, and will require authentication, minimally a username and password combination. Authentication credentials will not be coded into programs or queries unless they are encrypted, and only when no other reasonable options exist.
Authentication Methods
Authentication methods involve presenting both a public identifier (such as a user name or identification number) and private authentication information such as a personal identification number (PIN), password, token, or information derived from a cryptographic key. Authentication against Platt College’s central computing infrastructure is recommended when possible. One of the following methods must be implemented:
No Unencrypted Authentication
Unencrypted authentication and authorization mechanisms are only as secure as the network they use. Traffic across the network may be monitored, rendering these mechanisms vulnerable to compromise. Therefore, all College services must use only encrypted authentication mechanisms unless otherwise authorized. In particular, historically insecure services, such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
User Responsibilities
Official Actions. Use of an ID and authentication method to identify oneself to an on-line system constitutes an official identification of the user to the College, in the same way that presenting an ID Card does. Users can be held responsible for all actions taken during authenticated sessions.
Confidentiality. Regardless of the authentication method used, users must keep authentication information confidential (i.e. a user must not knowingly or negligently make it available for use by an unauthorized person).
Security Precautions. Users are encouraged to change their password regularly (at least once every three months), to limit possible abuse of passwords that may have been compromised without the user’s knowledge. Passwords should be chosen so that they are not easily guessable (i.e. not based on the user’s name or birth date).
Disciplinary Action. Individuals who are found to have knowingly violated one of these provisions will be subject to disciplinary action. The possible disciplinary actions for violations, which can include termination of employment or student status, will depend on the facts and circumstances of each use.
3. Authorization
Access to information and IT system resources will be granted on a “need to know” or “minimum necessary” basis and must be authorized by the immediate information owner. Any of the following methods are acceptable for providing access:
Context-based access. Access control based on the context of a transaction (as opposed to being based on attributes of the initiator or target). The “external” factors might include time of day, location of users, strength of user authentication, etc.
Role-based access. Access control model that permits the specification and enforcement of enterprise-specific security policies in a way that maps more naturally to an organization’s structure and business activities. Each user is assigned to one or more predefined roles, each of which has been assigned the various privileges needed to perform that role.
User-based access. Security mechanism used to grant users of a system access based upon the identity of the user.
4. Identification and Authentication of Local Systems
This section contains recommendations and requirements for systems and services that use local identification and authentication methods rather than centrally supported methods.
5. Privacy Statement
Platt College publishes a Privacy Statement which provides detailed information about the use of personal information. By logging into the Platt College Portal to view content or to submit content, students, faculty, staff, and any approved guests agree to abide by the rules and regulations set forth in the Privacy Statement.
Created: August 4, 2011. Revised: June 14, 2013 to reflect the addition of live online proctoring services; June 22, 2015 to reflect the deletion of ProctorU and to revise the CAMS IDs used; August 9, 2017 to reflect change from CAMS to Nexus (SIS) procedures.