security

FDU-Secure uses current encryption standards to connect to the FDU wireless network via secure wireless traffic. This is an evolving technology and occasionally, one of the changes made by FDU IT requires us to issue a new certificate. When this occurs, you will need to accept the certificate using the process below.

Note

Your process may vary slightly based on the version of the Operating System that your device is using. Please contact the University Technical Assistance Center at (973)-443-8822 if you require further assistance.

How to Accept the New Certificate for FDU-Secure Wireless

Windows
  1. Login to your Windows 10 computer
  2. Go to the bottom right taskbar > Click on the “Networks” icon:
    • From the Networks list, select: “FDU-Secure
    • Click “Connect
  3. At the “Continue connection?” prompt, click “Connect
  1. Open your browser and test your Internet connection
close
macOS
  1. Login to your Mac computer
  2. Go to top right menu bar > Click “Wi-Fi” icon:
    • From the Wi-Fi list, select: “FDU-Secure
    • Click “Join
  3. At the “Authenticating to network FDU-Secure” prompt, click “Continue
  1. Click “OK
  2. Open your browser and test your Internet connection
close
iOS
  1. Login your iOS device (eg. iPhone)
  2. Go to your device’s Settings App > Select “Wi-Fi” > Select “FDU-Secure” > Click “Forget This Network
  3. Tap the “Back” button and select “Wi-Fi “once again to reload the available Wi-Fi networks:
    • From the Wi-Fi list, select: “FDU-Secure
    • Enter your complete FDU NetID as in the examples below: “username@fdu.edu, username@student.fdu.edu, username@alumni.fdu.edu”
    • Enter your FDU NetID Password
    • Click Join
  1. At the “Certificate” prompt, tap “Trust
  1. Open your browser and test your Internet connection
close
Android
  1. Login to your Android Device
  2. Open the “Settings” Application > Select “Wi-Fi” > Select the Gear icon next to FDU-Secure
  1. Select “Forget This Network
  1. Select FDU-Secure from the Wi-Fi menu
  1. Select “EAP method” and select “PEAP” from the dropdown menu
  2. Enter your complete FDU NetID and password
  3. In the “CA Certificate” field, select “Use System Certificates
  4. In the Domain field, enter fdu.edu
  5. Enable “Auto Reconnect
  6. Tap “Connect
  1. Open your browser and test your Internet connection
close
Last Modified: icon icon Copy Link

Backup Alert Email Notifications

Code42 will send users an email alert notifying of any incomplete backups of their devices.

  • The Code42 email alert will be sent from Code42 for Enterprise <noreply@code42.com>
  • The Subject line of the email will be labeled with: Critical: [Name of Device] not backed up

Backup Alert

You will receive an alert when your computer hasn’t backed up to Code42 for 5 calendar days. The email will look like the example below:

Code42 Backup Alert Email Notification

What to do if you get a backup alert

After receiving a Code42 backup alert email, you should locate the device the email specifies in need of backup. The Code42 device name will be listed in the Subject: line and Computer Name: line of the Code42 backup alert email. To locate the name of a Code42 device, left-click the Code42 “C” symbol icon in the Windows System Tray, also referred to as the notification area.

Tip

The Windows System Tray or notification area is usually located on the bottom right of the Windows taskbar, next to the displayed digital clock.

For macOS users left-click Code42 “C” symbol icon on the macOS icon menu bar. The Code42 device name will be displayed in the console. Ensure the Code42 application displays the same name as the Code42 backup alert email you received.

This image has an empty alt attribute; its file name is Code-42-Tray-Icon.svg

Code42 “C” symbol icon

Code42 Device Name

After locating the correct specified device stated in the Code42 backup alert email, force a backup of the device by performing the following:

  1. Left-click the “Code42” System Tray or macOS menu bar Icon
This image has an empty alt attribute; its file name is Code-42-Tray-Icon.svg

Code42 Icon

  1. Left-click “Run backup now

Note

The backup may take some time to complete. This depends on the length of time since Code42’s last complete backup and the amount of new data needed to be backed up.

Last Modified: icon icon Copy Link

Confidentiality Agreement and Security Policy

Resources for: Faculty Staff
icon Close

Select employees of Fairleigh Dickinson University may be required to engage with confidential University data.

The FDU Confidentiality Agreement and Security Policy defines your obligations under Federal and State guidelines to preserve the security and confidentiality of this information.

Confidentiality Agreement and Security Policy

Fairleigh Dickinson University regards security and confidentiality of data and information to be of utmost importance. Each individual granted access to electronic and/or hard copy data holds a position of trust and must preserve the security and confidentiality of the information to which he/she is granted access to. Therefore, it is the intent of this policy to ensure that University data, in any format, is not divulged outside of Fairleigh Dickinson University without explicit approval to do so by an Associate Vice-President of the University or higher who has responsibility for the data in question. As such, the University requires all users of data to follow the procedures outlined below:

Policy on Confidential Information

Users of University data are required to abide by all applicable Federal and State guidelines and University policies regarding confidentiality of data, including the Family Education Rights and Privacy Act (“FERPA”) and, as applicable, The Health Insurance Portability and Accountability Act of 1996 (“HIPAA”). For more information, see FERPA and HIPAA).

Confidential Information shall be defined as:

  • regarding student, faculty or staff: any personally-identifiable records, financial records (including social security and credit card numbers), health records; contracts, research data; alumni and donor records; personnel records other than an individual’s own personnel record;
  • regarding the University: University financial data; computer and system passwords, University issued PINS, University proprietary information/data; and
  • any other information for which access, use, or disclosure is not authorized by: 1) federal, state, or local law; or 2) University policy.

The individual receiving the Confidential Information shall have no obligation under this Policy with respect to Confidential Information which:

  • is or becomes publicly available without breach of this Policy by the recipient;
  • is rightfully received by the recipient without obligations of confidentiality; or
  • is developed by the recipient without breach of this Policy; provided, however, such Confidential Information shall not be disclosed until thirty (30) days after written notice of intent to disclose is given to the University officer who has responsibility for the data in question, along with the asserted grounds for disclosure;
  • is disclosed in accordance with any “whistle blower” action as provided in the U.S. False Claims Act, the New Jersey Conscientious Employee Protection Act (“NJCEPA”), or similar legislation. (Brief overview of the NJCEPA is available at here.

Any individual with authorized access to the Confidential Information is given access solely for the business of the University and must not divulge the Confidential Information outside of the University except for University business requirements approved by the President of the University or the division head responsible for the data in question. Specifically, with respect to Confidential Information, individuals must:

  1. Access Confidential Information solely in order to perform his/her job responsibilities.
  2. Not seek personal benefit or permit others to benefit personally from any Confidential Information that has come to them throughout their work assignments.
  3. Not make or permit unauthorized use of any Confidential Information in the University’s information system or other records.
  4. Not enter, change, delete or add data to any information system or files outside of the scope of their job responsibilities.
  5. Not include or cause to be included in any record or report, a false, inaccurate or misleading entry known to the user as such.
  6. Not alter or delete or cause to be altered or deleted from any records, report or information system, a true and correct entry.
  7. Not release Confidential Information other than what is required in completion of job responsibilities which is consistent with this Policy.
  8. Not exhibit or divulge the contents of any record, file or information system to any person unless it is necessary for the completion of their job responsibilities.

It is the individual’s responsibility to immediately report, as outlined under “Information Security Breech and Violation Reporting” at the end of this Policy, if the individual has violated this Policy. Additionally, given the potential harm that the University may suffer with the release of any Confidential Information, all employees are strongly encouraged to report any suspected violation of this policy or any other action, which violates confidentiality of data, as outlined at the end of this policy.

Security Measures and Procedures

All users of University information systems, including Datatel, MS File shares and FDU Office 365 email accounts, are supplied with an individual user account to access the data or systems necessary for the completion of their job responsibilities. Users of the University information systems are required to follow the procedures outlined below:

  1. All transactions, processed by a user ID and password, or PIN, are the responsibility of the person to whom the user ID was assigned. The user’s ID, password, and PIN must remain confidential and must not be shared with anyone.

• Using someone else’s user ID, password or PIN is a violation of policy, no matter how it was obtained.

• Your user ID, password or PIN provides access to information that has been granted specifically to you. To reduce the risk of shared passwords – remember not to post your password or PIN on or near your workstation or share your password or PIN with anyone.

• It is your responsibility to change your password immediately if you believe someone else has obtained it.

Note: If you need your Password or PIN changed, please contact the University Technical Assistance Center (UTAC) 973-443-8822 immediately.

  1. Access to any student or employee information (in any format) is to be determined based on specific job requirements. The appropriate Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President is responsible for ensuring that access is granted only to authorized individuals, based on their job responsibilities. Written authorization must be received by the Computer Center prior to granting system access.

You are prohibited from viewing or accessing additional information (in any format) unless you have been authorized to do so. Any access obtained without written authorization is considered unauthorized access.

In order to prevent unauthorized use, the user shall log off of all applications that provide access to confidential information, or lock their computer when leaving their workstation. This is especially important during breaks and lunch. Unless there is a specific business need, all workstations should be shut down at the end of the workday.

Note: If you require assistance in establishing your workstation password, please access the screensaver documentation or contact the University Technical Assistance Center (UTAC) at 973-443-8822.

  1. If you have any reason to believe your password or PIN has been compromised or revealed inadvertently, you should change your password and immediately notify one of the individuals as outlined under “Information Security Breech and Violation Reporting” at the end of this policy.

Note: All University’s computer system will periodically prompt you to change your password.

  1. Upon termination or transfer of an employee, Human Resources will notify University Systems and Security, who in turn will notify the appropriate areas in the Computer Center.
  1. Generally, students, temporary employees and consultants should not have access to the University record system. Written approval by the Department Chair, School Director, Department Director/Manager, Dean, Provost, and/or Vice President in charge of the respective area is required if it is determined that access is required. The student, temporary employee or consultant is to be held to the same standards as all University employees, and must be made aware of their responsibilities to protect student and employee privacy rights and data integrity. Written authorization must be received by the Computer Center prior to granting system access.
  1. You agree to properly secure and dispose of any outputs or files you create in a manner that fully protects the Confidential Information.

Additionally, I understand that if granted access to process transactions via Datatel data entry screens, any information I enter or change will be effective immediately. Accordingly, I understand that I am responsible for any changes made using my ID.

I understand that my access to University data is for the sole purpose of carrying out my job responsibilities and Confidential Information is not to be divulged outside of The University, except as previously stated.  Breach of confidentiality, including aiding, abetting, or acting in conspiracy with any other person to violate any part of this policy, may result in sanctions, civil or criminal prosecution and penalties, employment and/or University disciplinary action, and could lead to dismissal, suspension or revocation of all access privileges. I understand that misuse of University data and any violation of this policy or the FERPA, HIPAA or GLB policies are grounds for disciplinary action, up to and including dismissal.  This Agreement shall not abridge nor supersede any rights afforded faculty members under the Faculty Handbook.

Information Security Breech and/or Policy Violation Reporting

If you suspect an Information Security Data Breech or a violation of this policy, report such an event to your department chair or staff supervisor and send an immediate email to violation@fdu.edu. If you do not have immediate access to email, contact the University Technical Assistance Center (UTAC) at 973-443-8822; do not provide details but request a ticket be opened with University Systems & Security due to a information security data breech or policy violation requesting an immediate callback. When practical, also send an email to violation@fdu.edu.


Last Modified: icon icon Copy Link

Virtru email encryption is the preferred method to send and view encrypted emails and files with your FDU email address. Available for FDU Faculty and Staff upon request. Click the link below to request access to Virtru Email Encryption.

The Virtru Email Encryption Tutorial will help users navigate installation, basic use, different usage scenarios, and common technical questions.

Alternative Approved Methods for Encryption

If you are not approved for Virtru email encryption, the articles below are alternative, FDU OIRT and DSIRT approved methods for encrypting Microsoft Office and Adobe PDF files and comply with the University WISP.

Warning Warning

According to FDU’s Written Information Security Program (WISP), in no case should they be sending or storing WISP protected information without the explicit authorization of the Chief Information Security Officer (CISO). If approved, these instructions will provide you with guidance on the methodology.

For more information, visit the link at the bottom of the page.

Last Modified: icon icon Copy Link

Virtru email encryption is a security enhancement to FDU’s Office 365 and Microsoft Outlook email environment, which provides Faculty and Staff the option of sending and receiving encrypted emails using their FDU email account.

index

Index

What is Virtru Email Encryption

Virtru email encryption is a security enhancement to FDU’s Microsoft Office 365 and Microsoft Outlook email environment, which provides Faculty and Staff the option of sending and receiving encrypted emails using their FDU email account. Virtru for the Microsoft Outlook desktop email client is available for installation for approved FDU Faculty and Staff via the FDU Self Service Portal for Software on Windows 10 desktops and laptops owned by the University.

Virtru Email Client

The Virtru client provides a seamless experience when using the Microsoft Outlook desktop client. The Virtru Outlook plugin is only available on university laptops or desktops running Microsoft Windows.

Virtru for Office365

All Apple macOS users and users who access their FDU email through Office 365 can use Virtru email encryption to send sensitive information electronically.

Tip

Microsoft Office 365 is accessed by visiting office365.fdu.edu from any web browser.

What is Virtru Secure Reader?

Virtru’s Secure Reader is a platform that can be accessed within FDU’s Outlook on the Web (office365.fdu.edu) and right on your web browser by clicking the “Unlock Message” button in your Virtru secured email. From there, all you have to do is quickly validate you are an authorized recipient of that email or file. Once complete, you can read and reply to the secure email directly in your browser.

A secure message encrypted by Virtru will have a few key components, including a short unencrypted message from the sender, and a button that says “Unlock Message”.

Note

The Secure Reader is used when viewing encrypted emails from Microsoft Office on the web and any email client on mobile devices (AndroidOS and iOS)

Request Form

To obtain access to virtru in order to send encrypted emails, you must fill out the request from below:

Installing Virtru onto a University PC

  1. Open the FDU Self Service Portal for Software application. Locate and left-click Virtru Email Encryption and then click “Install

For additional information on the FDU Self Service Portal for Software, please click the following link:

  1. A message box will appear notifying that Microsoft Outlook needs to be closed. Click “OK” and the installation will continue

Note

This window will only appear if the Microsoft Outlook Client is running.

  1. A message will appear when Virtru is finished installing. Click “OK” to finalize the process

Virtru is now ready to be activated.

Activating Virtru on a University PC

  1. When you open Microsoft Outlook after the Virtru has been installed, you will be prompted to activate your Virtru plugin. Click “Activate to begin. You may choose “Laterif you do not wish to activate at this time

Note

Check “Don’t show me again” before you click “Activate” or “Later” to prevent a pop-up window from re-appearing to prompt activation of un-activated account(s) whenever you start Outlook.

  1. You will be presented with a list of FDU email accounts configured to use in Microsoft Outlook. If your Microsoft Outlook application is associated with multiple email accounts, click on only those you will need to use Virtru email encryption. Then click “Continue
  1. After selecting the proper accounts, you will have the choice of signing in with FDU’s email provider (Microsoft Office 365) or choosing to receive an activation email. Choose “Sign in with Office 365

Activating Virtru through Office 365 Sign in

  1. Enter your FDU NetID credentials when prompted and proceed through the FDU Single Sign-on webpage, including completing Duo Multi-Factor authentication. If you experience issues, choose to “Send me an activation email” and follow the directions given below in item

Note

If you cannot activate your account(s) using “Sign in with Office 365”, choose to “Send me an activation email.”

Activating Virtru through Activation Email

  1. If you are unable to activate your account(s) using “Sign in with Office 365,” choose to “Send me an activation email.” The process will take a few moments to complete in the background
  1. During this process, Virtru will send a unique email from noreply-activation@virtru.com to your mailbox. The Virtru plugin will search for this email in your inbox. When the activation email is found, Virtru will automatically delete the email from your email inbox, and the Virtru plugin will complete the activation

Tip

Click “Take a tour” for a brief walkthrough of your new Virtru features.

If your activation does not automatically complete in a few minutes, please contact the University Technical Assistance Center at (973)-443-8822.

Activating from the Virtru Menu

If you have disabled automatic activations, you can still activate Virtru on your account(s) at any time.

  1. Select the ‘Virtru‘ menu tab from the top bar of the main Microsoft Outlook window
  1. Choose “Authorize Accounts” or “Options
  1. If you select “Options,” go to the ‘Account Activation‘ menu tab, select your FDU email account, and click on “Activate Selected
  1. You will then follow the activation process already illustrated above in “Activating Virtru through Office 365 Sign-on or “Activating Virtru through activation email” described above

Re-enabling a Virtru Account

FDU Virtru users will occasionally be required to reactivate their Virtru add-in due to the following:

  • You’ve cleared your registry
  • Your Virtru activation status has expired. For security purposes, Virtru will invalidate your activation status every
    • 120 days for users accessing their own mailboxes
    • 10 days for users accessing shared or delegated mailboxes
  • You are using Virtru on a new machine

You are automatically prompted when you need to re-activate. You can also proactively reactivate at any time via the ‘Virtru’ menu tab. This process was described above in “Activating from the Virtru Menu.”

Reset Activations

If you wish to fully deactivate all accounts in Microsoft Outlook, you can do so from the ‘Virtru’ menu tab:

  1. Click on the ‘Virtru‘ menu tab at the top of your Microsoft Outlook window and select “Debug Log
  1. Click on the ‘Debug Commandsmenu tab option and select the “Reset Activations (clears registry only)” option
  1. Click “Yes” and then “OK” to confirm the changes
  1. From the ‘Virtrumenu tab, you can reauthorize by clicking on “Authorize Accounts

Virtru Walkthrough Video

Send a Virtru-encrypted Email in Outlook

With Virtru, you can easily protect your emails by encrypting messages and attachments in a few simple clicks.

  1. Left-click “New Email” from the main Outlook window
  1. Open the ‘Message menu tab and left-click the “Virtru button” to turn “Virtru ON.” The button should turn blue and read “Virtru ON
  1. Add recipients, a subject, the body of the email, and any relevant attachments

Tip

Additional security options for the message, including Disable Forwarding, setting an Expiration Date, and applying Watermarking and/or Persistent File Protection (PFP) to attachments are available to select for your Virtru-encrypted email. More details on these additional features can be on the “FDU Virtru Email Encryption Tutorial” under “Additional Resources.”

  1. When your message is ready, click “Send.” You should see a brief animation letting you know that the message is “Encrypting” before it is fully sent

FDU Virtru-encrypted Email Introduction for Recipients

FDU includes a standardized introduction to inform the recipient that they are viewing a Virtru-encrypted email. Below is an example of what the recipient will see. If you have updated the introduction, it will be reflected accordingly

Personal Virtru-encrypted Email Introduction for Recipients

You can also set a one-time, unencrypted personal introduction for the message to either clarify the introduction of Virtru to the recipient or provide some context about the email. Left-click the “Personal Introduction” menu button in your email draft window.

Note

The Personal Introduction only supports plain text and line breaks. Special formatting is not supported.

Send a Virtru-encrypted Email on Microsoft Office 365

With Virtru, you can easily protect your emails by encrypting messages and attachments in a few simple clicks. To send Virtru encrypted emails from your Microsoft Office 365 email acount, simply prepend the subject line of your email as follows:

#secure#

Virtru-encrypted Email Recipient Experience

The recipient will receive an email that looks like this:

Read a Virtru Encrypted Email on Microsoft Office 365

In this article, we’ll show you how to quickly access and read your Virtru-secured message or attachment within Microsoft Office 365 using Virtru’s Secure Reader.

How to Access and Read your Message

  1. Login to FDU’s Microsoft Office 365 web portal using any web browser. Enter your FDU NetID credentials
  1. Open the Virtru-secured email in your inbox and left-click “Unlock Message.” A new tab will open
  1. When prompted, select your FDU email address

Tip

If you don’t see yours listed, left-click “Use another email address” and enter your email address.

Note

Please be sure to verify using the exact email address to which the secure message was sent. If the email was sent to an alias, group address, or distribution list address, you will need to select or enter that exact email address rather than your personal address.

  1. Choose how you’d like to verify your identity
    • Microsoft Office 365 users can use their FDU NetID credentials to log into the Secure Reader using “Sign In with Microsoft.” If you choose this route, you can skip step #5 below.
    • Alternatively, users may choose “Or sign-in with a one-time verification link.”

Warning Warning

For emails sent to an alias, group address, or distribution list address, you will need to select the Or sign-in with a one-time verification link option. For group addresses and distribution list addresses, this action will send the verification email to all users on that group or distribution list.

  1. If you selected “Or sign-in with a one-time verification link,” check your inbox for your verification email. It will come from verify+xxxxxxxx@virtru.com (with each “x” being a digit). Open the verification email and left-click “View Message” to open your message

Note

Both the “Unlock Message” and “View Message” links need to be opened in the same browser on the same device in order to confirm your identity.

Please also note, Virtru offers a “cookie-less” verification pathway if we detect that tracking or cookies and local storage have been disabled in the browser. In these cases, we send a verification code via email. This code, once received, simply needs to be pasted into the proper field in your browser in order to grant access.

If you do not receive the verification email, contact the UTAC at (973)-443-8822 for assistance.

  1. Your message will open the Virtru Secure Reader in a new tab in the browser. You will also be able to view and access attachments at this time

Note

For a variety of reasons, some recipients may occasionally receive an error message when trying to open a secure email or attachment. If you are having problems accessing your secure email and/or files, please contact the UTAC at (973)-443-8822 for assistance.

Reply to a Virtru Encrypted Email on Microsoft Office 365

In this article, we’ll show you how to quickly reply to your Virtru-secured message or attachment within Microsoft Office 365 using Virtru’s Secure Reader.

How to Reply to a Secure Message

  1. Login to FDU’s Microsoft Office 365 web portal using any web browser. Enter your FDU NetID credentials
  1. After successfully opening the Virtru-secured message, to send a “Secure Reply,” scroll down the page below the main message, or click the icon in the top right with the arrow pointing to the left. You may also click on the arrow next to it to reveal additional options such as “Secure Reply All
  1. Attachments can be added by clicking “Add Attachment.” These attachments will be sent securely as well
  1. When you are ready to send your email, hit the “Secure Send” button. Both you and all applicable recipients will receive a copy of your reply. Please note that your secure reply will be sent from secure-reply@virtru.com

Viewing a Secure File or Attachment on Microsoft Office 365

This article covers the different options you have for viewing and downloading secure attachments and files within Microsoft Office 365 using Virtru’s Secure Reader. Depending on the type of attachment you’ve received, you can view your file directly in the Virtru Secure Reader or download the file to your computer. The Virtru Secure Reader can preview various file types, including PDF, Word documents, most image files, and plain text files.

Viewing Directly in the Secure Reader

  1. Login to FDU’s Microsoft Office 365 web portal using any web browser. Enter your FDU NetID credentials
  1. If you’ve received an attachment in a Virtru secured email or an encrypted file that was shared directly with you, you can hover over the file name and choose “View” or “View Protected file” to view the attachment right in your web browser

Downloading Unsupported File Types

If you’ve received a file that cannot be previewed in the Virtru Secure Reader, you will be prompted to download that file directly. There will be no “View” option.

Printing Attachments in the Secure Reader

You can print a document from the Secure Reader by selecting the menu under the “Downloadbutton and then selecting “Print.” You may also choose to download it first, then open and print via a preferred program on your computer.

Note

Note that printing via your web browser’s File>Print option will not print the document as expected.

Using the Virtru Dashboard for Microsoft Office 365 Users

Users who access their FDU email through the Microsoft Office 365 web portal and all Apple macOS users will need to use the Virtru Dashboard to manage all of Virtru’s security options.

  1. To use the Virtru Dashboard, click the link below:

Tip

We will refer to the “Virtru Dashboard” many times, as this dashboard is used to change settings after an encrypted email has been sent. It is suggested that you bookmark this site for easy access.

  1. Choose “Sign in with Office365“, and skip to Step 5. If you choose to request a one-time verification link, enter your FDU email address and click on “Submit
  1. If you request the one-time verification link, you will receive an email from Verify for Virtru, as shown below. If you are using different web browsers, such as Google Chrome or Mozilla Firefox, it will be reflected in the email message accordingly
  1. Click “Verify me” and choose “Copy Link Location.” Open a new browser tab and paste the link location into the URL space. Hit the “Enter” or “Return” key on your keyboard
  1. When you log in to the Virtru Dashboard for the first time, you will see the message below. Left-click “OK, GOT IT!
  1. You will now be able to view Virtru encrypted emails or files you have sent, as well as open the ‘Settings‘ menu tab to set behaviors for your Virtru account

Manage Virtru’s Expiration Date Security Option in Outlook

In addition to encrypting messages and files, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply an “Expiration Date” to an encrypted email or file.

Typically, if a Virtru email recipient receives an encrypted message or file, they can indefinitely access that content. However, as the owner of that content, you can restrict access after a particular point in time. If a recipient tries to access the content after expiration, they will receive a prompt indicating their access is expired.

Manage Virtru’s Expiration Date Security Option in the Virtru Dashboard

In addition to encrypting messages and files, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply an “Expiration Date” to an encrypted email or file.

Typically, if a Virtru email recipient receives an encrypted message or file, they can indefinitely access that content. However, as the owner of that content, you can restrict access after a particular point in time. If a recipient tries to access the content after expiration, they will receive a prompt indicating their access is expired.

Manage Virtru’s Disable Forwarding Security Option in Outlook

In addition to encrypting messages and attachments, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply “Disable Forwarding” to a Virtru-encrypted email.

Typically, if a Virtru plugin for Microsoft Outlook user receives an encrypted message, they can use Virtru to forward the email to a new party. This will add the new recipient as an authorized user and allow them to unlock the message. “Disable Forwarding,” however, ensures that your recipients can access the encrypted content but will stop any additional users from gaining access to the message. If the original recipient passes the email to a new party, then the new user will not be added as an authorized user and will not be able to unlock the message.

Manage Virtru’s Disable Forwarding Security Option in the Virtru Dashboard

In addition to encrypting messages and attachments, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply “Disable Forwarding” to an encrypted email.

Manage Virtru’s Watermarking Security Option in Outlook

In addition to encrypting messages and attachments, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply “Watermarking” to an encrypted file.

Typically, if a Virtru recipient receives an encrypted file, they can preview the file in the Virtru Secure Reader and download a decrypted copy locally. When “Watermarking” is applied to a secure file, recipients will only have access in the Secure Reader and will see their email address watermarked across the document.

The addition of the watermark is visible but transparent enough not to obscure the contents of the file when viewed. A recipient will not be able to download a local decrypted copy of the file.

This feature can be applied using the Virtru plugin for Microsoft Outlook or the Virtru Dashboard. It supports the following common file types:

  • Microsoft Office documents: .docx, .pptx, .xlsx
  • Common image file formats: .jpeg, .png
  • PDF documents

Note

Although newer Microsoft Office file types are supported, older versions (.doc, .ppt, .xls) are not compatible. Additionally, these other common file types are NOT supported: .msg, .zip, .md.

Mange Virtru’s Watermarking Security Option in the Virtru Dashboard

In addition to encrypting messages and attachments, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply “Watermarking” to an encrypted file.

Typically, if a Virtru recipient receives an encrypted file, they can preview the file in the Virtru Secure Reader and download a decrypted copy locally. When “Watermarking” is applied to a secure file, recipients will only have access in the Secure Reader and will see their email address watermarked across the document.

The addition of the watermark is visible but transparent enough not to obscure the contents of the file when viewed. A recipient will not be able to download a local decrypted copy of the file.

This feature can be applied using the Virtru plugin for Microsoft Outlook or the Virtru Dashboard. It supports the following common file types:

  • Microsoft Office documents: .docx, .pptx, .xlsx
  • Common image file formats: .jpeg, .png
  • PDF documents

Note

Although newer Microsoft Office file types are supported, older versions (.doc, .ppt, .xls) are not compatible. Additionally, these other common file types are NOT supported: .msg, .zip, .md.

Revoke Virtru Encrypted Content in Outlook

When a Virtru user sends encrypted content, they have full control over access to the message(s) and/or file(s). Even if a recipient receives encrypted content, the sender has the ability to revoke (or reauthorize) access at any time. Virtru even allows the sender to revoke access to specific recipients.

Note

Virtru can only revoke emails that were sent securely with Virtru. Any messages sent prior to having Virtru installed or messages sent unsecured after Virtru has been installed cannot be revoked.

Revoke Virtru Encrypted Content in the Virtru Dashboard

When a Virtru user sends encrypted content, they have full control over access to the message(s) and/or file(s). Even if a recipient receives encrypted content, the sender has the ability to revoke (or reauthorize) access at any time. Virtru even allows the sender to revoke access to specific recipients.

Note

Virtru can only revoke emails that were sent securely with Virtru. Any messages sent prior to having Virtru installed or messages sent unsecured after Virtru has been installed cannot be revoked.

Using Virtru’s Persistent File Protection (PFP) Security Option

Note

Please note that Persistent File Protection (PFP) Security Option is only available from the Virtru add-on to the Microsoft Outlook Desktop Application. It is not available when using Outlook on the Web (office365.fdu.edu) or the Virtru Dashboard.

In addition to encrypting messages and attachments, Virtru users have the ability to apply additional security settings to protected content. Among these settings is the option to apply “Persistent File Protection (PFP)” to an encrypted file.

PFP provides a secure file container that is portable, universally accessible, and built on top of open standards. Regardless of where files are stored, PFP allows you to select, protect, and share a file with anyone while maintaining full visibility into how it is being used and retaining the ability to revoke access at any time. Any file protected with PFP will convert into the .tdf.html file format. This ensures that the contents are only accessible in Virtru’s Secure Reader, and only authorized parties can view it.

This feature can be applied using the Virtru plugin for Microsoft Outlook on Windows Operating Systems only. It supports the following common file types:

  • Microsoft Office documents: .docx, .pptx, .xlsx
  • Common image file formats: .jpeg, .png
  • PDF documents

Note

Although newer Microsoft Office file types are supported, older versions (.doc, .ppt, .xls) are not compatible. Additionally, these other common file types are NOT supported: .msg, .zip, .md.

Last Modified: icon icon Copy Link

FDU-Secure Wi-Fi Connection for FDU Owned Equipment

Resources for: Faculty Staff
icon Close

When using FDU Owned equipment, FDU-Secure should be your default method for connecting to the on-campus wireless network. FDU-Secure uses current encryption standards to connect to the FDU wireless network via secure wireless traffic. Although it requires a modicum of configuration upon initial setup, your device will automatically reconnect going forward. Follow the procedure below and contact our University Technical Assistance Center at (973)-443-8822 if you encounter any issues.

Configuration Procedures

Start your laptop computer

Click on the Wi-Fi bar located at the right hand side of the taskbar

Click Network Settings > Wi-Fi > Network and Sharing Center

Select: Set up a new connection or network

  • Choose a connection option: Manually connect to a wireless network
  • Network name: FDU-Secure
  • Security type: WPA2-Enterprise
  • Encryption type: AES
  • Security Key: [BLANK]

Check Start this connection automatically

Title: domain1
  • Check Start this connection automatically
    • Click Next
Title: domain2

Click Change connection settings

Go to Security tab > Click Settings

  • Check Verify the server’s identity by validating the certificate
    • Check Connect to these servers: radius.fdu.edu
    • Trusted Root Certification Authorities: AddTrust External CA Root
    • Notifications before connecting: Tell user if the server’s identity can’t be verified
    • Select Authentication Method: Secured password (EAP-MSCHAP v2)
    • Check: Enable Fast Reconnect
Title: domain3

Configure Windows Login Name and Password.

  • Click Configure
  • Check automatically use my Windows logon name and password (and domain if any).
Title: domain5
  • Click OK.

Apply settings below, by clicking OK.

Click: Advanced settings

  • Go to 802.1X settings tab
  • Check Specify authentication mode: User or computer authentication
Title: domain6

OK > OK > Close

Last Modified: icon icon Copy Link

FDU-Secure Wi-Fi Connection for Non FDU Owned Equipment

icon Close

FDU-Secure uses current encryption standards to connect to the FDU wireless network via secure wireless traffic. As a result, FDU-Secure is the preferred method of accessing the on-campus Wireless network. Please follow the procedure below and feel free to contact our University Technical Assistance Center at (973)-443-88222 if you encounter any issues.

Configuration Procedures

Start your laptop computer

Click on the Wi-Fi bar located at the right hand side of the taskbar

Click Network Settings > Wi-Fi > Network and Sharing Center

Select: Set up a new connection or network

  • Choose a connection option: Manually connect to a wireless network
    • Network name: FDU-Secure
    • Security type: WPA2-Enterprise
    • Encryption type: AES
    • Security Key: [BLANK]
    • Check Start this connection automatically
    • Click Next
Title: non-domain2

Click Change connection settings

Go to Security tab > Click Settings

  • Check Verify the server’s identity by validating the certificate
    • Check Connect to these servers: radius.fdu.edu
    • Trusted Root Certification Authorities: AddTrust External CA Root
    • Notifications before connecting: Tell user if the server’s identity can’t be verified
    • Select Authentication Method: Secured password (EAP-MSCHAP v2)
    • Check: Enable Fast Reconnect
Title: non-domain3

Configure Windows Login Name and Password.

  • Click Configure
  • Uncheck Automatically use my Windows logon name and password (and domain if any).
Title: non-domain5
  • Click OK.

Apply settings below, by clicking OK

Click: Advanced settings

  • Go to 802.1X settings tab
  • Check Specify authentication mode: User or computer authentication
  • OK > OK > Close

When prompted for credentials enter your FDU NetId info: Examples: “username@fdu.edu or username@student.fdu.edu”

Last Modified: icon icon Copy Link

Legacy Authentication is a term Microsoft sometimes uses to describe basic authentication when used with its cloud-based services. This is in contrast with the term “modern authentication” which provides more security and capabilities.

ALERT ALERT

FDU will block legacy authentication for users on September 19, 2022.

Legacy Authentication Topics

Background

Legacy (or basic) authentication is characterized by:

  • A client or network protocol that is incapable or not configured to do modern authentication
  • A client which sends both the username and password to the application
  • An application using the username and password to get a logon token on behalf of the user

Modern authentication is characterized by:

  • a client and service capable and configured to use OpenID Connect, SAML, and/or OAuth 2.0 for authentication AND
  • a client and service which can accept redirects to the identity provider for all authentication interactions and can work with authentication tokens of the protocols above

All Microsoft cloud services are modern authentication capable.

Whether legacy or modern authentication is used is dependent on the client capabilities. To use modern authentication, you can, in many cases, update your client application or change to an alternative client application.

A list of known clients using legacy authentication is available. Transitioning from legacy authentication usually requires the individual user to change the client software they are using, which may require assistance from the Fairleigh Dickinson University Technical Assistance Center (UTAC).

Protection with two-factor authentication (2FA)

Legacy authentication can not be protected by 2FA. Because the password is known to the application accessed via legacy authentication, it is less secure than modern authentication. If legacy authentication is not blocked for your account, 3rd party applications can ask for your credentials and have your password without you being aware they do.

Transition from legacy authentication

For the typical user, the complexity of determining whether you are using legacy authentication is significant. If you are using one of the client applications that does not use modern authentication protocols (see section below for a list of known clients using legacy authentication), you should replace them. If you don’t have one of these client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.

close
How Do I Address My Use of Legacy Authentication

In most cases, users will need to do one or more of the following:

  • Update their application to a version that supports modern authentication protocols
  • Upgrade to the latest version of their phone operating system
  • Remove and re-add their FDU account in the configuration of their iOS or macOS application so it will use modern authentication protocols

All three of these actions are informed by the list of known insecure client apps. FDU IT doesn’t know your devices like you do, nor do we manage which client applications you use, so only you can identify where action needs to be taken.

If you don’t seem to have one of the insecure client applications but still suspect you have legacy authentication, For the typical user, the complexity of determining whether you are using legacy authentication is significant. If you are using one of the client applications that does not use modern authentication protocols (see section below for a list of known clients using legacy authentication), you should replace them. If you don’t have one of these client applications but still suspect you have legacy authentication, contact the Fairleigh Dickinson University Technical Assistance Center (UTAC) for assistance.

close
To Remove your FDU Account on iOS
  1. Open “Settings
  2. Choose “Calendar” or “Mail
  3. Choose “Accounts
  4. Choose “Exchange” or “Google” – make sure you are choosing an account in the format fdunetid@fdu.edu
  1. Choose “Delete account
  1. Confirm the deletion by choosing “Delete from my iPhone
close
To Remove your FDU Account on Android
  1. Open the “Gmail App
  1. Tap the Account icon in the top right to view all existing accounts
  1. Tap “Manage Accounts on this device
  1. Select your @fdu.edu mail account from the list
  1. Tap “Remove account
close
To Re-add your FDU Exchange Account on iOS and Android

To add your FDU Email account to an iOS device’s native “Mail” app follow the instructions on the link below:

close
List of Known Clients Using Legacy Authentication

This list is not intended to be comprehensive; it is only a list of known client applications. If you have one which should be added, please let us know.

Client AppFDU IT RecommendationNotes
Outlook 2010 or earlierReplace with one of the supported email clients
Outlook 2013 without special settings enabledReplace with one of the supported email clientsAlternate resolution (not supported by FDU-IT): Enable Modern authentication for Office 2013 on Windows devices – Microsoft 365 admin | Microsoft Docs
Mail or Calendar on iOS11 or newerReplace with one of the supported email clientsAlternate resolution (not supported by FDU-IT): Remove FDU account on device, then re-add FDU account.

These apps now support modern authentication, but that support was only recently added and any account setup previously is “stuck” in legacy authentication. You’ll need to delete the account and set it back up fresh to get modern authentication. Apple plans to release an update which automatically fixes this.
Mail or Calendar on iOS 10 or lowerReplace with one of the supported email clientsAlternate resolution: upgrade to iOS 11 or newer, then follow resolutions for that scenario
Any client application on iPhone 5 and lowerUse OWA or replace this device
Any client application on iPad 4th generation and lowerUse OWA or replace this device
EudoraReplace with one of the supported email clients
PineReplace with one of the supported email clients
ThunderbirdReplace with one of the supported email clients
Mac Mail on Mac OS 10.13 or earlierReplace with one of the supported email clientsAlternate resolution (not supported by FDU-IT): Upgrade macOS, remove FDU account on device, then re-add FDU account
Any client application on ChromebooksUse OWA or replace this device
Sharepoint Designer 2013Retire use of this discontinued tool.Contact FDU IT for more information
close
Known Problem: Your Email Access Has Been Blocked

You may see an email in your FDU inbox like this:

While the email message says it was sent by your IT department, it was not. This email message wasn’t actually sent–it only exists on your mobile device and was created to alert you to the fact that your client application can’t sign into your account. Your email access has not been blocked–it is only that this client application is broken. You can verify for yourself that your email access was not blocked by going to Outlook on the Web. And the reason the client application is broken is because it can only do legacy authentication OR it only has cached credentials which are based on legacy authentication.

close
How Do You Know if You Will Be Impacted?

There are several ways to determine if you’re using Basic authentication or Modern authentication. If you’re using Basic authentication, you can determine where it’s coming from and what to do about it.

Authentication dialog

A simple way to tell if a client app (for example, Outlook) is using Basic authentication or Modern authentication is to observe the dialog that’s presented when the user logs in.

Modern authentication displays a web-based login page:

Basic authentication presents a dialog credential modal box:

On a mobile device, you’ll see a similar web-based page when you authenticate if the device is trying to connect using Modern authentication.

You can also check the connection status dialog box, by “CTRL + right-clicking” the Outlook icon in the system tray, and choosing Connection Status.

When using Basic authentication, the “Authn” column in the “Outlook Connection Status” dialog shows the value of “Clear“.

Once you switch to Modern authentication, the “Authn” column in the Outlook Connection Status dialog shows the value of “Bearer“.

close
Last Modified: icon icon Copy Link

Revision Date: 10/1/2016
Original Date: 03/1/2016

With so many threats to your online data, it has never been more important to have a thorough understanding of password security protocols. Towards this end, FDU IT strongly recommends that you familiarize yourself with the information outlined in our Password Policy. You will not only gain an understanding of your responsibilities as a member of our community, but you will also learn helpful tips for password selection and insight into our password construction rules and password change frequency.

I. Overview

1.1 Purpose of Policy

Passwords are an important part of Fairleigh Dickinson University’s [herein after referred to as FDU’s] efforts to protect its technology systems and information assets by ensuring that only approved individuals can access these systems and assets.

FDU recognizes that passwords have serious weaknesses as an access control. For some higher-risk systems, other approved authentication methods that provide higher levels of trust and accountability may be used.

Since most of FDU’s systems continue to rely on passwords alone, this policy is designed to address their weaknesses by establishing best practices for the composition, lifetime and general usage of passwords.

1.2 People Affected

All members of FDU’s student, faculty and staff population as well as all contractors and temporary staff who are approved to access the University’s network and systems.

1.3 People Responsible

The Chief Information Security Officer in consultation with the Data Security Incident Response Team shall be responsible for implementing, changing, enforcing and communicating this policy.

1.4 Structure of Policy

  • Policy schema
  • End users’ responsibilities
  • Help desk operators’ responsibilities
  • System developers’ and administrators’ responsibilities

1.5 Enforcement

This policy will be enforced by technical controls wherever feasible; otherwise, this policy will be enforced by line management.

All members of FDU’s faculty and staff have a responsibility to promptly report any known instances of noncompliance to the CISO.

1.6 Consequences of Noncompliance

Failure to comply with this policy can result in disciplinary action as set out in FDU’s Written Information Security Policy [herein after referred to as WISP].

1.7 Language

In the Responsibilities sections of this policy (3, 4 and 5), the keywords “must,” “must not,” “should,” “should not” and “may” are to be interpreted as follows:

  • “Must” and “must not” mean that compliance with the policy statement is mandatory.
  • “Should” and “should not” mean that compliance with the policy statement is strongly recommended. While these recommendations are not required if technical, operational or business issues make them infeasible, supporting rationale may be requested when audit or compliance review findings cite those responsible for noncompliance.
  • “May” means that compliance with the policy statement is recommended but optional.

II. Policy Schema

2.1 Password Confidentiality

A password can provide effective authentication if and only if it is known only to the individual user. End users will ensure the confidentiality of their passwords at all times. System developers and administrators will ensure that whenever technically possible, systems do not store passwords in clear text.

Administrative processes may necessitate temporary exceptions to this principle, but these will be kept to an absolute minimum.

2.2 Password Construction

Password length and complexity requirements provide resistance to common kinds of attacks. Because of technology constraints, password construction rules may vary from one system to another, but they will meet (or exceed) these requirements wherever possible.

FDU recognizes that long and complex passwords may be difficult for users to remember, and thus, this policy provides guidance to end users on how to construct a memorable password that meets (or exceeds) these requirements.

2.2.1 Password Construction Rules

A password will be made up of:

  • Eight (8) or more characters
  • At least one uppercase letter
  • At least one lowercase letter
  • At least one digit (0 through 9)
  • At least one special character ($, @, # and so on)

A password will not include a single instance of a dictionary word.

Note: The above rule is enforceable only on some systems.

A password will not include:

  • The user’s user ID or email address
  • The name of a group the user account belongs to

A password should not contain anything that is meaningful to the user, such as a name (either real or fictional), a date (such as family birthdays and anniversaries), telephone numbers, postal codes and car registration numbers.

Note: The above is not enforceable on any system.

Additionally, the University is utilizing modeling software that prohibits the use of passwords that are commonly used or appear on compromised lists. If a password meets the construction rules it may be rejected requiring the user to modify the password until it is accepted.

2.3 Password Change and Reuse

Users will be forced to change their passwords periodically in order to minimize the window of opportunity for an attacker who has discovered a user’s password.

A user’s new password will be completely different from any recently used password.

A user will be free to choose a new password at any time. However, performing multiple changes in quick succession to enable continued use of a recently used password will be prohibited.

2.3.1 Password Change and Reuse Rules

A user will change his or her password every 84-90 days depending on the system.

  • Datatel/Ellucian password life is set at 84 days
  • Alpha password life is set at 84 days
  • Windows Desktop/Office365/NetID password life is set at 90 days
  • Others not specifically identified shall be 90 days

Note: The above rule may not be enforceable on all systems.

A user’s password will be different from his or her previous (X) passwords as follows:

  • Datatel/Ellucian: 5
  • Alpha: 5
  • Windows Desktop/Office 365 and NetID: 10
  • Others not specifically identified shall be 10

Note: The above rule is only enforceable on some systems.

2.4 Password Entry

Whenever technically possible, the password field in a login panel will be configured to mask the password entered by a user to minimize the risk of opportunistic observation by another.

A system will allow multiple successive login attempts (“grace logins”). If the password is not correct on the last allowed attempt, the user’s account will be suspended, and the user will have to contact the University Technical Assistance Center (UTAC) and open a ticket to resume the account and, if necessary, reset the password.

2.4.1 Password Entry Rules

A system will allow between 5 and 10 failed login attempts as noted below:

  • Datale/Ellucian: 5
  • Alpha: 5
  • Windows Desktop/Office 365/NetID: 10
  • Others not specifically identified shall be 10

Note: This rule is enforceable on only some systems.

2.5 Password Storage

Whenever technically possible, a system will not hold passwords in clear text; it will use an approved irreversible cryptographic transform to protect its users’ passwords.

A system that stores users’ passwords for other systems, and brokers those passwords to those systems on behalf of the user, will use an approved (reversible) encryption algorithm.

III. End Users’ Responsibilities

If you are an end user of FDU’s systems, you have the following responsibilities regarding the password you use on any of FDU’s systems. (See 1.7 Language section for the meanings of the terms in bold type.)

These responsibilities apply even if the system does not enforce any specified rules:

a)  You must keep your password confidential at all times.

b)  You must not disclose your password to anyone, including FDU’s management and technical support staff, even if they demand it.

c)  If this happens, you must escalate to the CISO immediately. You should not use any password that you use on any FDU systems on any external system (including Internet banking and social networking services).

d)  You should not write down your password.

e)  You should not use the “remember password” feature in any Web browser.

f)  You must only use a “password keeper” or “password wallet” software or service that has been approved by policy or otherwise in writing by the CISO.

g)  You must choose a password that meets or exceeds the length and complexity requirements set out in 2.2.1 Password Construction Rules section.This is your responsibility even if these rules are not enforced by a particular system. Sometimes, technical restrictions on a system do not allow you to choose a password that meets these requirements. Such systems are enumerated in Schedule [X], along with the password construction rules that apply.

h)  You should choose a password that meets or exceeds the other requirements set out in 2.2.1 Password Construction Rules section.A help desk operator, system administrator or other user should never ask you to choose a password that doesn’t meet requirements (g) and (h). If this happens, you must escalate to the CISO immediately.Further, if any help desk operator asks you to change your password on a portal that does not use an HTTPS website with an SSL lock, you should escalate to the CISO immediately.

The following rules, (i) to (l), are enforced on most systems. If the rules are not enforced by the system, you are still expected to comply.

i)  You must change your password at least every 90 days.There is no need to access a rarely used system just to change an old password. Most systems will automatically expire the password after 90 days, and you will be prompted to change the password when you next log in.

j)  You should not use any of your previous six (5) passwords.

k)  You should choose a new password that has no more than four (4) characters in a row in common with your current password.For example, if your password is “anTelope1,” a new password of “anTelope2” is not acceptable, but “anTecede1” is.

l)  You should not change your password more than twice in any three (3) days.

Tips for Choosing a Good Password (Advisory)

The length and complexity requirements may appear to make it hard to choose a password that is easy to remember, but it can be pretty straightforward to do so.

A password that meets the minimum length requirement must be rather complex. You can readily construct such a password from the initial letters of a favorite quotation, song lyric, poem and so on, capitalizing some letters, and substituting a number or special character in an appropriate place.

For example:

  • Ww1dwysm — What would I do without your smart mouth?
  • Itwbtd2A — In the week before their departure to Arrakis.

A “very long” password can be relatively simpler. Choose three simple words, capitalizing some letters, and link them with a number or special character.

For example:

  • gorilla8banana@SanDiego

IV. Help Desk Operators’ Responsibilities

If you are an FDU IT technician or a system administrator providing support normally done by the help desk, you have the following responsibilities regarding users’ passwords on any of FDU’s systems that you support. (See 1.7 Language section for the meanings of the terms in bold type.)

a)  When a user asks you to reset his or her password, you must corroborate the user’s claimed identity in line with approved procedures in Appendix A.

b)  You must not disclose a user’s new password to anyone other than the user himself or herself.

c)  You must not write down a user’s new password.

d)  You must not send any new password to a user electronically.

e)  You must not ask any user to tell you his or her password.

V. System Developers’ and Administrators’ Responsibilities

If you are a system developer or system administrator, you have the following responsibilities regarding the passwords used on any of FDU’s systems that you own, develop or maintain. (See 1.7 Language section for the meanings of the terms in bold type.)

If compliance with (a), (c), (g), (h), (i), (j) or (k) is not technically feasible because of system constraints, contact the CISO to agree on and document the exception.

a)  You must configure each system to require that any user’s password meets the length and complexity requirements set out in 2.2.1 Password Construction Rules section.

b)  You should configure each system to require that any user’s password meets as many of the other requirements set out in 2.2.1 Password Construction Rules section as are technically feasible.

c)  You must configure each system to force a user to change his or her password every 90 days.

d)  You should configure each system to prohibit a user from using any of his or her previous five (5) passwords.

e)  You should configure each system to prohibit a user from choosing a new password that has more than four (4) characters in a row in common with his or her current password.

f)  You should configure each system to prohibit a user from changing his or her password more than twice in any three (3) days.

g)  You must configure the password field in a login panel to mask the password entered by a user to minimize the risk of opportunistic observation by another.

h)  You must configure each system to allow 5 successive login attempts (“grace logins”). If the password is not correct on the 5th attempt, the system must suspend the user’s account such that the user will have to contact an administrator to resume the account and, if necessary, reset the password.

i)  Passwords must be implemented in the strongest form the system supports and supports the intended business function. You should implement a cryptographic transform to protect the passwords of the users on each system

5.1 Requirements for Third-Party Systems

All mandatory requirements noted in this section (that is, those denoted by “must” or “must not”) constitute part of the minimum security specification for third-party system software that FDU acquires and implements. That is, it is essential that system software enables system developers and administrators to fulfill these responsibilities.

If a third-party system cannot meet the minimum security specification, contact the CISO to agree on and document the exception.

All optional requirements noted in this section (that is, those denoted by “should” or “should not”) constitute desirable features of third-party system software.


Last Modified: icon icon Copy Link

As a member of our community, your FDU NetID is your passport to accessing many of Fairleigh Dickinson University’s IT services. Most important is your student, employee, or alumni FDU Email account. When using FDU Email, you are an ambassador for our institution and our expectation is that you will conduct yourself in an efficient, effective, ethical and lawful manner. Please review our Policy for Acceptable Use of Email to ensure that you are adhering to all security and decorum requirements.

Effective Date: 01/01/2018

1.0 Introduction

The purpose of this policy is to ensure the proper use of e-mail by all those assigned a Fairleigh Dickinson University (FDU) e-mail account. This policy applies to any e-mail system that FDU has or may install in the future. It also applies to employee use of personal e-mail accounts via browsers, as directed below. All users of FDU e-mail systems have the responsibility to use their e-mail in an efficient, effective, ethical and lawful manner. E-mail users must follow the same code of conduct expected in any other form of written or face-to-face business communication. FDU may supplement or modify this policy for specific employees in certain roles. This policy complements similar FDU policies such as the Acceptable Use Policy and the Written Information Security Program (WISP). Please read and follow those policies as well.

The University subscribes to the 1940 Statement of Principles on Academic Freedom and Tenure and the 1940 and 1970 Interpretive Comments issued thereon, formulated jointly by the Association of American Colleges and the American Association of University Professors. Nothing in this policy is intended to supersede those statements and principles.

2.0 Ownership of Email Data

The University owns all University email accounts in the fdu.edu domain, or any subsequent domains it may create (University Email Accounts). Subject to underlying copyright and other intellectual property rights under applicable laws and University policies , the University also owns data transmitted or stored using the University Email Accounts.

3.0 Employee Responsibilities

FDU only supports the installation and usage of approved e-mail clients.

Usernames will be assigned as part of the University’s e-mail registration process and reflect internally mandated e-mail naming conventions.

3.1 Acceptable Uses

  • Communicating in a professional manner with other FDU associates about work-related matters.
  • Communicating in a professional manner with parties outside FDU for business purposes.
  • Personal communications that are brief and do not interfere with work responsibilities.
  • Users are allowed to access personal e-mail accounts on a limited basis, without disrupting business responsibilities. Access can be gained only by using a browser. Use of e-mail-specific protocols, such as POP3 and IMAP4, is prohibited, since they require specific firewall ports to be open.
  • Electronic messages are frequently inadequate in conveying mood and context. Users should carefully consider how the recipient might interpret a message before composing or sending the message.

3.2 Unacceptable Uses

  • Creating and exchanging messages that can be interpreted as harassing, obscene, racist, sexist, ageist, pornographic or threatening, as defined by University policies.
  • Creating and exchanging information that is in violation of copyright or any other law. FDU is not responsible for an associate’s use of e-mail that breaks laws.
  • Personal communication that interferes with work responsibilities.
  • Opening file attachments from an unknown or untrustworthy source, or with a suspicious or unexpected subject line.
  • Sending unprotected healthcare data and personally identifiable consumer data or other confidential information to unauthorized people or in violation of FDU’s Acceptable Use Policy, or the Written Information Security Program (WISP). , Health Insurance Portability and Accountability Act and/or Gramm-Leach-Bliley Act regulations. Exceptions may be authorized by the University Chief Information Security Officer working with the employee’s supervisor. Communications that strain FDU’s network or other systems unduly, such as sending large files to large distribution lists.
  • Communications to distribution lists of only marginal interest to members, and replying to the entire distribution list when a personal reply is effective.
  • Communications with non-specific subject lines, inarticulate language, and without clear purpose.
  • Auto-forwarding e-mail messages from your University e-mail account.
  • Using any e-mail system, other than FDU’s e-mail system, for FDU-related communications.
  • Circulating chain letters and/or commercial offerings.
  • Circulating unprotected healthcare data and personally identifiable consumer data that would violate U.S. Federal HIPAA and GLB regulations. Exceptions may be authorized by the employee’s supervisor and in conjunction with use of a University-approved e-mail encryption service.
  • Altering or forging the “From” line or any other attribution of origin contained in electronic mail or postings.
  • Using any of the University systems for sending what is commonly referred to as “SPAM” mail (unsolicited bulk email)

4.0 Privacy Guidelines

The University typically does not review the content of electronic messages or other data, files, or records generated, stored, or maintained on its electronic information resources; however, it retains the right to inspect, review, or retain the content of such messages, data, files, and records at any time without prior notification. Any such action will be taken for reasons the University, within its discretion, deems to be legitimate. These legitimate reasons may include, but are not limited to,

  • responding to lawful subpoenas or court orders;
  • investigating misconduct (including research misconduct);
  • determining compliance with University policies and the law; and
  • locating electronic messages, data, files, or other records related to these purposes.

FDU maintains the right to monitor and review e-mail activity to ensure compliance with this policy, as well as to fulfill FDU’s responsibilities under the laws and regulations of the jurisdictions in which it operates. Users should have no expectation of privacy.

  • Except as otherwise stipulated in this policy, on termination or separation from FDU, FDU will immediately deny access to e-mail, including the ability to download, forward, print or retrieve any message stored in the system, regardless of sender or recipient.
  • Except as otherwise stipulated in this policy, employees who leave FDU will have their mailbox deleted within six months of their termination date. The employee’s manager may request that access be given to another employee who may remove any needed information within the same six month time frame.
  • FDU reserves the right to intercept, monitor, review and/or disclose any and all messages composed, sent or received on the University e-mail system. Intercepting, monitoring and reviewing of messages may be performed with the assistance of content filtering software, or by designated FDU employees and/or designated external entities. Employees designated to review messages may include, but are not limited to, an employee’s supervisor or manager and/or representatives from the HR, legal or compliance departments.
  • FDU reserves the right to alter, modify, re-route or block the delivery of messages as appropriate. This includes but is not limited to:
    • Rejecting, quarantining or removing attachments and/or malicious code from messages that may pose a threat to FDU resources.
    • Rejecting or quarantining messages with suspicious content.
    • Rejecting or quarantining messages containing offensive language or topics.
    • Re-routing messages with suspicious content to designated FDU employees for manual review.
    • Appending legal disclaimers to messages.
  • Electronic messages are legally discoverable and permissible as evidence in a court of law.
  • Users of the University’s computing and electronic communications resources must understand that electronic messages, data, files, and other records generated, stored, or maintained on University electronic information resources may be electronically accessed, reconstructed, or retrieved by the University even after they have been deleted.

5.0 Security

As with any other type of software that runs over a network, e-mail users have the responsibility to follow sound security practices.

  • Users should not use the e-mail system to transfer sensitive data, except in accordance with FDU data protection policies. Refer to the Written Information Security Program (WISP). Sensitive data passed via e-mail over the Internet could be read by parties other than the intended recipients, particularly if it is clear text. Malicious third parties could potentially intercept and manipulate e-mail traffic.
  • In an effort to combat propagation of e-mail viruses, certain attachment types may be stripped at the University e-mail gateway. Recipients will be notified via e-mail when this occurs. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).
  • Attachments can contain viruses and other malware. User should only open attachments from known and trusted correspondents. Suspicious attachments should be reported to the University Technical Assistance Center (UTAC).
  • Spam is automatically filtered at the University gateway in a highly efficient manner. Errors, whereby legitimate e-mail can be filtered as spam, while rare, can occur. If business-related mail messages are not delivered, users should check their local spam folder or the daily spam digest. If the message is not there, users should contact University Technical Assistance Center (UTAC).
  • Users will not be asked by OIRT or any other FDU group by e-mail for personal information such as usernames or passwords. Any such requests should not be responded to and should be referred to the University Technical Assistance Center (UTAC). Such approaches – known as phishing – are fraudulent approaches carried out for purpose of unlawful exploitation.

6.0 Operational Guidelines

FDU employs certain practices and procedures in order to maintain the health and efficiency of electronic messaging resources, to achieve FDU objectives and/or to meet various regulations. These practices and procedures are subject to change, as appropriate or required under the circumstances.

  • For ongoing operations, audits, legal actions, or any other known purpose, FDU saves a copy of every e-mail message and attachment(s) to a secure location, where it can be protected and stored for three years. Recovery of messages from this store is prohibited for all but legal reasons.
  • To deliver mail in a timely and efficient manner, message size must be less than 25MB. Messages larger than 25MB will be automatically blocked and users will be notified of non-delivery. Should this create a business hardship, users should contact the University Technical Assistance Center (UTAC).

Access to the content of electronic mail, data, files, or other records generated, stored, or maintained by any user may be requested from the University’s Associate Vice President of Technology Infrastructure for the reasons set forth below and shall be authorized as follows:

  1. by the Associate Vice President of Human Resources for all University employees;
  2. by either Dean of Students for students; or
  3. by the General Counsel for the purposes of complying with legal process and requirements or to preserve user electronic information for possible subsequent access in accordance with this policy.

In all cases, the Office of the General Counsel must be consulted prior to making a decision on whether to grant access. In the case of a time-critical matter, if the authorizing official is unavailable for a timely response, the General Counsel may authorize access.

All full-time faculty who retire from the University may keep their email address for life if they request to do so.

All full-time faculty who leave the University for reasons other than termination for cause, may request email forwarding for up to six months.

7.0 Governance and Enforcement

This policy was created with input from the University’s Data Security Incidence Response Team (DSIRT). At the request of the University’s Chief Information Security Officer (CISO), the DSIRT will review this policy annually to ensure that FDU is in compliance with internal or external requirements. FDU faces liability if users violate the terms of this policy. Therefore, willful or repeated violations of this Acceptable Use Policy for E-mail can result in informal or formal warnings, the loss of e-mail privileges, and other sanctions including termination. Any such discipline shall be in accordance with processes and procedures of Human Resources and subject to any protections afforded under the University’s agreement with “Office & Professional Employees International Union”, the “Faculty Handbook”, and similar documents. Third parties who violate this Policy may have their relationship with the University terminated and their access to campus restricted.

For assistance with this policy, please contact the University’s Chief Information Security Officer (CISO).

Exceptions to this policy may be authorized by the University Chief Information Security Officer working with the employee’s supervisor.

Policy violations should be reported immediately to the University’s Associate Vice President of Technology Infrastructure

The University reserves the right to suspend an e-mail account while investigating a complaint or troubleshooting a system or network problem.

This document will be reviewed semi-annually and is available both electronically and in printed form at each of the Campus Computing Centers.

It is the user’s responsibility to remain informed about the contents of this document.

Other Related and Applicable Policies


Last Modified: icon icon Copy Link