Revision Date: New Policy
Effective Date: 11/1/2023

Section A – University Systems and Applications

I. Purpose

The purpose of this policy is to establish information security standards for individuals receiving credentials to Fairleigh Dickinson University (“FDU” or “University”) resources and how those resources are accessed.

II. Scope and Applicability

This policy applies to all university system resources. All Users are responsible for adhering to this policy.

III. Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Account: An established relationship between a User and a computer, network, or Information System which is assigned a credential such as a username and password.
   
2. System Administrative Account: An Account with elevated privileges intended to be used only when performing management tasks, such as installing updates and application software, managing user accounts, and modifying operating system and application settings.
   
3. Entitled Account: A user who has met the minimum requirement to be granted authorization to access electronic Fairleigh Dickinson University Resources.
   
4. Authorized User: A User who has been granted authorization to access electronic Fairleigh Dickinson University Resources and is current and active in their privileges.
   
5. Contractor or Vendor: A person or a company that undertakes a contract to provide materials or labor to perform a service.
   
6. Employee: University staff faculty and adjunct, including nonexempt, exempt, and overseas staff and collegiate faculty.
   
7. Multi-Factor Authentication (MFA): Authentication using two or more different factors to achieve authentication. Factors include something you know (e.g., PIN, password); something you have (e.g., cryptographic identification device, token); or something you are (e.g., biometric).
   
8. Privileged Account: An Account that is authorized to perform security-relevant functions that an ordinary Account is not authorized to perform.
   
9. Single Sign-On (SSO): An authentication process that allows an Authorized User to access multiple applications with one set of login credentials. SSO is a common procedure in enterprises, where a client accesses multiple resources connected to a local area network (LAN).
   
10. User: A member of the University community, including but not limited to Staff and Faculty, and other individuals performing services on behalf of University, including Contractors, volunteers and other individuals who may have a need to access, use or control University Data.

IV. Authentication

1. Any service, application or Information System, whether on-premise or in the cloud, that contains WISP protected information, especially PI or PHI; OR is accessed by a large group of employees (20 or more), must use Single Sign-on authentication.
   
   • If the service or application is being provisioned by a business unit, the unit must engage University Systems to work with the provider to enable SSO.
     
   • If SSO is not supported by the service or application, it will not be approved for use by the university.
     
   • See Section V for exceptions.
     
2. Multi-factor authentication (MFA) must be used to access University resources.
   
3. Passwords must be constructed in accordance with the minimum requirements as listed below:
   
   • Authorized User Account passwords must meet a minimum length of 8 characters.
     
   • Administrative and Privileged Account passwords must meet a minimum of 10 characters.
     
   • Passwords must contain a mix of alphanumeric characters. Passwords must not consist of all digits, all special characters, or all alphabetic characters.
     
   • Automated controls must ensure that passwords are changed at 90-day intervals for both general users and administrative-level accounts.
     
   • NetIDs associated with a password must be disabled for a period of time after 10 consecutive failed login attempts. A minimum of 30 minutes is required for the reset period.
     
   • Passwords must not be the same as the NetID.
     
   • Passwords must not be displayed on screens.
     
   • Users must not share passwords.
     
   • Initial passwords and password resets must be issued pre-expired forcing the user to change the password upon first use.
     
   • Password reuse must be limited by not allowing the last 10 passwords to be reused. In addition, the password must be at least 2 days old in order to be voluntarily changed.
     
   • Access will be disabled 90 days past the date that a password expired if not changed.
     
   • Access will be disabled after 30 days of creation if NetID is not claimed.
     
   • Expired passwords must be changed before any other system activity is allowed.
     
4. Server Password Protocol
   
   • If, at any time, a member of the Community is granted permission to install a server, and access to that server is restricted via Login, and if that process is granted SSO exception through section VII., that system can not hold passwords in clear text. That system must use an approved irreversible cryptographic transform to protect its users’ passwords.

VI. Enforcement

• This policy will be enforced by technical controls wherever feasible; otherwise, this policy will be enforced by OIRT under the direction of the CIO. All members of FDU’s faculty and staff have a responsibility to promptly report any known instances of noncompliance to AVP of University Systems and Networking or the Director of Systems.
  
• Failure to comply with this policy can result in disciplinary action. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

VII. Exceptions

• Exceptions to this policy should be submitted to the AVP, USAN for review. Approval of the Chief Information Officer (CIO) or Data Security Incident Response Team (DSIRT) may be required.

---

Welcome to Fairleigh Dickinson University. As a new member of our campus community, one of your first priorities will be gaining access to FDU NetID. With an FDU NetID, you will have access to a variety of IT resources, including Office365. Depending on your role within the University, you will either be creating an account or claiming an account that has already been created for you. Please follow the process below which applies to you.

New Student through Welcome Email (US Students)

If you are a new student of our New Jersey campuses and you have received a Welcome email from fdu-it@fdu.edu, please visit the link below

New Student

If you are a new student at FDU Vancouver or if you are a New Jersey based student that has not received a Welcome Email, please visit the link below

New Faculty, Staff Member Temporary Employee, or On-Campus Contractor

If you are a new Faculty, adjunct Faculty, Staff member, temporary employee, or contractor who works on campus and requires a NetID, please visit the link below

All Others

If you are entitled to an FDU NetID account and either do not fall under any of the categories above or attempted to claim their NetID and received a message that your NetID has not been created, please visit the link below

As a member of our community, your FDU NetID is your passport to accessing many of Fairleigh Dickinson University’s IT services. Most important is your student, employee, or alumni FDU Email account. When using FDU Email, you are an ambassador for our institution and our expectation is that you will conduct yourself in an efficient, effective, ethical and lawful manner. Please review our Policy for Acceptable Use of Email to ensure that you are adhering to all security and decorum requirements.

Effective Date: 01/01/2018

1.0 Introduction

The purpose of this policy is to ensure the proper use of e-mail by all those assigned a Fairleigh Dickinson University (FDU) e-mail account. This policy applies to any e-mail system that FDU has or may install in the future. It also applies to employee use of personal e-mail accounts via browsers, as directed below. All users of FDU e-mail systems have the responsibility to use their e-mail in an efficient, effective, ethical and lawful manner. E-mail users must follow the same code of conduct expected in any other form of written or face-to-face business communication. FDU may supplement or modify this policy for specific employees in certain roles. This policy complements similar FDU policies such as the Acceptable Use Policy and the Written Information Security Program (WISP). Please read and follow those policies as well.

The University subscribes to the 1940 Statement of Principles on Academic Freedom and Tenure and the 1940 and 1970 Interpretive Comments issued thereon, formulated jointly by the Association of American Colleges and the American Association of University Professors. Nothing in this policy is intended to supersede those statements and principles.

2.0 Ownership of Email Data

The University owns all University email accounts in the fdu.edu domain, or any subsequent domains it may create (University Email Accounts). Subject to underlying copyright and other intellectual property rights under applicable laws and University policies , the University also owns data transmitted or stored using the University Email Accounts.

3.0 Employee Responsibilities

FDU only supports the installation and usage of approved e-mail clients.

Usernames will be assigned as part of the University’s e-mail registration process and reflect internally mandated e-mail naming conventions.

3.1 Acceptable Uses

• Communicating in a professional manner with other FDU associates about work-related matters.
• Communicating in a professional manner with parties outside FDU for business purposes.
• Personal communications that are brief and do not interfere with work responsibilities.
• Users are allowed to access personal e-mail accounts on a limited basis, without disrupting business responsibilities. Access can be gained only by using a browser. Use of e-mail-specific protocols, such as POP3 and IMAP4, is prohibited, since they require specific firewall ports to be open.
• Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending the message.

3.2 Unacceptable Uses

• Creating and exchanging messages that can be interpreted as harassing, obscene, racist, sexist, ageist, pornographic or threatening, as defined by University policies.
• Creating and exchanging information that is in violation of copyright or any other law. FDU is not responsible for an associate’s use of e-mail that breaks laws.
• Personal communication that interferes with work responsibilities.
• Opening file attachments from an unknown or untrustworthy source, or with a suspicious or unexpected subject line.
• Sending unprotected healthcare data and personally identifiable consumer data or other confidential information to unauthorized people or in violation of FDU’s Acceptable Use Policy, or the Written Information Security Program (WISP). , Health Insurance Portability and Accountability Act and/or Gramm-Leach-Bliley Act regulations. Exceptions may be authorized by the University Chief Information Security Officer working with the employee’s supervisor. Communications that strain FDU’s network or other systems unduly, such as sending large files to large distribution lists.
• Communications to distribution lists of only marginal interest to members, and replying to the entire distribution list when a personal reply is effective.
• Communications with non-specific subject lines, inarticulate language, and without clear purpose.
• Auto-forwarding e-mail messages from your University e-mail account.
• Using any e-mail system, other than FDU’s e-mail system, for FDU-related communications.
• Circulating chain letters and/or commercial offerings.
• Circulating unprotected healthcare data and personally identifiable consumer data that would violate U.S. Federal HIPAA and GLB regulations. Exceptions may be authorized by the employee’s supervisor and in conjunction with use of a University-approved e-mail encryption service.
• Altering or forging the “From” line or any other attribution of origin contained in electronic mail or postings.
• Using any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email)

4.0 Privacy Guidelines

The University typically does not review the content of electronic messages or other data, files, or records generated, stored, or maintained on its electronic information resources; however, it retains the right to inspect, review, or retain the content of such messages, data, files, and records at any time without prior notification. Any such action will be taken for reasons the University, within its discretion, deems to be legitimate. These legitimate reasons may include, but are not limited to,

• responding to lawful subpoenas or court orders;
• investigating misconduct (including research misconduct);
• determining compliance with University policies and the law; and
• locating electronic messages, data, files, or other records related to these purposes.

FDU maintains the right to monitor and review e-mail activity to ensure compliance with this policy, as well as to fulfill FDU’s responsibilities under the laws and regulations of the jurisdictions in which it operates. Users should have no expectation of privacy.

• Except as otherwise stipulated in this policy, on termination or separation from FDU, FDU will immediately deny access to e-mail, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
• Except as otherwise stipulated in this policy, employees who leave FDU will have their mailbox deleted within six months of their termination date. The employee’s manager may request that access be given to another employee who may remove any needed information within the same six month time frame.
• FDU reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received on the University e-mail system. Intercepting, monitoring and reviewing of messages may be performed with the assistance of content filtering software, or by designated FDU employees and/or designated external entities. Employees designated to review messages may include, but are not limited to, an employee’s supervisor or manager and/or representatives from the HR, legal or compliance departments.
• FDU reserves the right to alter, modify, re-route or block the delivery of messages as appropriate. This includes but is not limited to:
  • Rejecting, quarantining or removing attachments and/or malicious code from messages that may pose a threat to FDU resources.
  • Rejecting or quarantining messages with suspicious content.
  • Rejecting or quarantining messages containing offensive language or topics.
  • Re-routing messages with suspicious content to designated FDU employees for manual review.
  • Appending legal disclaimers to messages.
• Electronic messages are legally discoverable and permissible as evidence in a court of law.
• Users of the University’s computing and electronic communications resources must understand that electronic messages, data, files, and other records generated, stored, or maintained on University electronic information resources may be electronically accessed, reconstructed, or retrieved by the University even after they have been deleted.

5.0 Security

As with any other type of software that runs over a network, e-mail users have the responsibility to follow sound security practices.

• Users should not use the e-mail system to transfer sensitive data, except in accordance with FDU data protection policies. Refer to the Written Information Security Program (WISP). Sensitive data passed via e-mail over the Internet could be read by parties other than the intended recipients, particularly if it is clear text. Malicious third parties could potentially intercept and manipulate e-mail traffic.
• In an effort to combat propagation of e-mail viruses, certain attachment types may be stripped at the University e-mail gateway. Recipients will be notified via e-mail when this occurs. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).
• Attachments can contain viruses and other malware. User should only open attachments from known and trusted correspondents. Suspicious attachments should be reported to the University Technical Assistance Center (UTAC).
• Spam is automatically filtered at the University gateway in a highly efficient manner. Errors, whereby legitimate e-mail can be filtered as spam, while rare, can occur. If business-related mail messages are not delivered, users should check their local spam folder or the daily spam digest. If the message is not there, users should contact University Technical Assistance Center (UTAC).
• Users will not be asked by OIRT or any other FDU group by e-mail for personal information such as usernames or passwords. Any such requests should not be responded to and should be referred to the University Technical Assistance Center (UTAC). Such approaches – known as phishing – are fraudulent approaches carried out for the purpose of unlawful exploitation.

6.0 Operational Guidelines

FDU employs certain practices and procedures in order to maintain the health and efficiency of electronic messaging resources, to achieve FDU objectives and/or to meet various regulations. These practices and procedures are subject to change, as appropriate or required under the circumstances.

• For ongoing operations, audits, legal actions, or any other known purpose, FDU saves a copy of every e-mail message and attachment(s) to a secure location, where it can be protected and stored for three years. Recovery of messages from this store is prohibited for all but legal reasons.
• To deliver mail in a timely and efficient manner, message size must be less than 25MB. Messages larger than 25MB will be automatically blocked and users will be notified of non-delivery. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).

Access to the content of electronic mail, data, files, or other records generated, stored, or maintained by any user may be requested from the University’s Associate Vice President of Technology Infrastructure for the reasons set forth below and shall be authorized as follows:

1. by the Associate Vice President of Human Resources for all University employees;
2. by either Dean of Students for students; or
3. by the General Counsel for the purposes of complying with legal process and requirements or to preserve user electronic information for possible subsequent access in accordance with this policy.

In all cases, the Office of the General Counsel must be consulted prior to making a decision on whether to grant access. In the case of a time-critical matter, if the authorizing official is unavailable for a timely response, the General Counsel may authorize access.

All full-time faculty who retire from the University may keep their email address for life if they request to do so.

All full-time faculty who leave the University for reasons other than termination for cause, may request email forwarding for up to six months.

7.0 Governance and Enforcement

This policy was created with input from the University’s Data Security Incidence Response Team (DSIRT). At the request of the University’s Chief Information Security Officer (CISO), the DSIRT will review this policy annually to ensure that FDU is in compliance with internal or external requirements. FDU faces liability if users violate the terms of this policy. Therefore, willful or repeated violations of this Acceptable Use Policy for E-mail can result in informal or formal warnings, the loss of e-mail privileges, and other sanctions including termination. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

For assistance with this policy, please contact the University’s Chief Information Security Officer (CISO).

Exceptions to this policy may be authorized by the University Chief Information Security Officer working with the employee’s supervisor.

Policy violations should be reported immediately to the University’s Associate Vice President of Technology Infrastructure

The University reserves the right to suspend an e-mail account while investigating a complaint or troubleshooting a system or network problem.

This document will be reviewed semi-annually and is available both electronically and in printed form at each of the Campus Computing Centers.

It is the user’s responsibility to remain informed about the contents of this document.

Other Related and Applicable Policies

---

The SAMI Support portal requires a valid NetID and password, along with DUO multi-factor authentication, for access. Upon entry, users can create new tickets, review open or closed requests, and explore the IT Knowledgebase for solutions to common issues. Access the support portal using the button below:

SAMI Support Portal

If you need to open a request and cannot access SAMI Support for any of the reasons below, please complete this request form to contact the Fairleigh Dickinson University Technical Assistance Center (UTAC). A member of the IT support team will assist you via phone call or email.

• I do not have a valid University issued NetID
• I am not able to authenticate through DUO
• I have not set up my DUO account
• I am a vendor without a University issued NetID
• I am an admitted student
• I am a newly hired employee or adjunct
• My FDU account is locked
• I need my Net ID password reset and have already attempted to do that through identity.fdu.edu

SAMI Support Public Request

What is a phishing scam?

Phishing refers to the act of using a fraudulent identity and scenario to extract personal information or something else of value. Although phishing scams can occur over various mediums including text messages, phone calls, and social media, they are most frequently carried out via email.

Scammers have many means of acquiring bulk email addresses. Receiving a phishing attempt does not mean that your account has been singled out or has been compromised in any way.

Fairleigh Dickinson University’s email accounts employ Microsoft’s Advanced Threat Protection (ATP) which, in addition to traditional spam filtering, removes malware infected attachments and utilizes Safelinks to scan messages for malicious links. Additionally, we have appended the subject line of messages coming from outside of the FDU domain with the “[External]” tag. Although phishing can occasionally come from inside of our domain, messages with the external tag demand extra scrutiny.

Despite all of these efforts, keeping up with the latest scams is always a cat and mouse game. It is best practice to have a solid foundational knowledge of how these scams work.

Detecting a Phishing Scam

Although each phishing scam is unique, there are certain common traits which can serve as red flags. The most common “tell” is a sense of urgency. Generally, phishers would like for you to act promptly and without careful consideration. As a result, they will pepper their email with phrases such as “immediate action required” and “to avoid the immediate suspension of your account”.

Although an urgent tone is likely to be your first clue, there are plenty of other red flags that you will begin to notice over time. Many phishing attempts are poorly constructed emails. Incorrect spelling and grammatical errors are common. The message could contain a blank subject line and the sender’s signature may only list their title instead of their name. Be wary of messages in which the quality of writing does not meet your expectations for the purported institution.

The goal of many scams is to make a request for your personal information. This can take the form of bluntly asking for your social security number. However, it may also take a subtler approach. Many phishing attempts will create a mock version of a University, banking institution, or commerce website and ask you to log in. Once you enter your account information, the scammers have acquired your password.

Although most phishing scams cast a wide net, some recent attacks have specifically targeted individual members of the University. If someone is claiming to be your colleague or supervisor, check to confirm that the message is coming from their FDU account. Do not trust messages claiming to be from FDU employees which originate from external accounts such as Gmail and Yahoo.

Many of these personalized scams also have a very specific common thread. After a bit of conversation, the scammer will request that you purchase gift cards for common services such as iTunes, Google Play, or Amazon. No, your boss does not urgently require you to purchase gift cards out of pocket.

Also, beware of solicitations coming to your FDU email address from businesses offering deals or asking you to click on a banner to receive a promotion. Make sure that the email is coming from the domain of the company offering the sale or promotion.

What does a phishing scam look like?

Now that you know what to look for, let’s look at a sample phishing attempt:

Reporting a Phishing Scam

You can use your newfound expertise to assist the FDU community. When you see a message that you believe to be a phishing scam, please report it to us. Via Outlook this can be accomplished via our reporting tool. Please see Reporting Phishing or Junk Emails for more information. If you are using an alternative mail client such as Apple Mail, you can forward the suspected scam to phishing@fdu.edu.

How should I proceed if I have already replied to a Phishing Scam?

Please change any passwords that you have provided to the scammer. Once this is completed, please contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for further instructions.

Fairleigh Dickinson University provides an extensive array of technological resources and services tailored for our students. This guide is designed to assist students in navigating and utilizing these tools effectively, ensuring they can easily set up, access, and manage their accounts, while also offering comprehensive information on each service.

ID and Email

Academic Systems

Webcampus is a course content management system. FDU’s Webcampus is also known as the Blackboard System. On-line courses are taught through this system which also allows for interaction between the student and faculty member as well as on-line class discussions.

To learn more about how to access Webcampus, review the guide below:

Self-Service is an interactive web application that enables students to view their individual information contained in FDU’s Student Information System. Students can use Self-Service to do things like view their financial aid, pay their bills, and register for classes.

Review the Tutorial below to learn how to use Self Service:

Connectivity

Using your FDU NETID, you can connect to the FDU Wireless Network. For instructions view the links below:

Security

Understanding and implementing cybersecurity measures is crucial for protecting your personal and institutional information. This section provides essential resources to help you navigate the landscape of cyber threats.

Stay safe online by reviewing the articles below:

Software

Fairleigh Dickinson University has both licensed and open-source software, that is offered for academic and/or personal use for students. The links below point out to commonly used software, both licensed and open source, that are offered for academic and/or personal use to all Fairleigh Dickinson University faculty, staff and students.

In our digital learning environment, mastering online tools is essential for academic success. These resources are designed to guide you through the process of engaging in classes virtually via Zoom and accessing your files on OneDrive.

Printing and Labs

Computing Services has multiple computer labs available on both New Jersey Campuses for classroom instruction and student use.

FDU also provides remote access to many of the software applications typically found in university computer labs through our platform FDU Anywhere. You can access it using your FDU NetID credentials using the link below:

FDU Anywhere

Review the FDU Anywhere Tutorial below to learn how to use our virtual labs:

For any IT related questions and support, contact our Fairleigh Dickinson University Technical Assistance Center (UTAC):

SAMI Support

Fairleigh Dickinson University regularly hosts on-campus visitors requiring access to our wireless network. As a security measure, in order to provide access to our Network, an FDU faculty member, staff member, or student must sponsor the guest(s) that they are providing access to. The sponsor takes responsibility for the Internet usage of their guests and ensures that they adhere to FDU’s Acceptable Use Policy for Computer Usage.

Choosing the Correct Account Type

• Accounts can be created for up to 8 days
• The sponsor can manage accounts (extend time, delete, suspend or reset password)
• Account creation requires a valid FDU NetID to create
• A single Guest Account (Known Guest) can be created or generic accounts (5 devices per account with the ability to create 10 generic accounts at once) can be created through this function

For events that will have a large audience, a Group Account may be needed. If you are a faculty or staff member and you require this account type, please create a sponsored guest account and then create a UTAC ticket. This can be accomplished by contacting the Fairleigh Dickinson University Technical Assistance Center (UTAC). 

Please provide UTAC with the following information:

• Guest account name
• The name that you would like to use for your Group account
• Faculty/staff sponsor name, contact number and e-mail address
• Location for the event (Building, Room, Classroom, etc.)
• Time and date of the event

Once the ticket is created, OIRT (Office of Information Resource Technology) will contact you within 3 business days to complete the Group account activation.

EduRoam

Fairleigh Dickinson is a member of Eduroam (education roaming) which provides secure, world-wide roaming access service for the international research and education community. If your guest is coming from another Higher Education institution that is also a member of Eduroam, they will not require an FDU guest account. Instead, they can gain access to our Network simply by logging into the eduroam network with their regular credentials.

(Available on Metro and Florham Campus Only)

Creating and Managing an FDU Wireless Guest Account

1. Log into access.net.fdu.edu using your NetID and password

2. Click the “Generic” or “Known Guest” button

• Generic – This option allows you to create up to 10 accounts concurrently without entering your guest’s information

• Known Guest – This option allows you to create an account with guest information. You need to input the guest’s “First name”, “Last name”, “Email address”, and “Phone number”. You also need to enter your own FDU email address

3. If you have selected “Generic”, enter the number of accounts that you would like to create (maximum of 10)

4. The remaining instructions are for both known guests and generic accounts. Choose how long you want the guest account to be active

• First Option – Click the box next to “End of business day” if your guest only requires access through the end of the day

• Second Option – Type the number of days required in the “Duration” box (maximum of 8). The “From Date” and “To Date” will automatically change based on the requested duration

• Optional – If needed, you can select an exact date and time for the guest account access to begin and end (24:00 format)

5. Click the “Create” button

1. Log into access.net.fdu.edu using your NetID and password

2. Click the “Manage Accounts” tab

3. Check the box next the account that you would like to update. You can now use the following administrative functions

• Edit: Modify any information entered during account creation
  
• Resend: Print or email the account username and password
  
• Extend: Add additional time to the account. The maximum total duration of 8 days will still apply
  
• Delete: Immediately delete the account
  
• Reset Password: This will reset the password and either print or email the new password

Support

For additional support, please contact the University Technical Assistance Center (UTAC)