 Password requirements are being updated to better protect us in today’s environment Longer password – 16 characters minimum (30 maximum) Complexity  No single dictionary words  Characters limited to: a-z, A-Z, 0-9 and [ ] & + ! % ? = ~ #  Must contain at least one lowercase letter, one uppercase letter, and one number  Must contain at least 5 unique characters  No more than four characters can be in a “sequence”

Complexity continued  No embedded personal information:  Netid  Name (first, middle, or last)  Birth year (YYYY) Passwords that have been used in the last 18 months cannot be re-used Successive passwords must differ by at least 3 characters The Good News  Required to change ONCE PER YEAR (every days)

 University Administrative Information Confidential Information Restricted Information Official Use Only Information Public Information

 Confidential Information is sensitive information that must be safeguarded in order to protect the privacy of individuals and the security and integrity of systems and to guard against fraud. Confidential Information includes, but is not limited to:

 Social Security numbers  Credit and debit card numbers  Bank account or other financial account numbers  University ID number  Medical or counseling records or information  Passwords, passphrases, PIN numbers, security codes and access codes  Tax returns  Credit histories or reports  Background check reports

Restricted Information includes all data, records, documents or files that contain information that is: (a) required to be maintained confidentially under any applicable law, regulation or University policy; (b) subject to a contractual obligation to maintain confidentially; (c) subject to any applicable legal privilege or protection, such as the attorney-client privilege; and/or (d) deemed by the University to be a trade secret, confidential or proprietary

 Education records (see the University’s definition at: efinitions.html efinitions.html  Employment records  Financial aid records  Business plans  Public relations strategies  Information security protocols or systems  Financial records (other than audited financial statements published on the University website)  Prospective and existing contracts

 Official Use Only Information is information about individuals that can be shared within the University Community for official purposes but will not be routinely made available to the public except by the Office of Communications.

 Name  Addresses: permanent, campus, local (off-campus), and campus computer network (IP) address, net id  Associated telephone numbers  Place of birth  School or college  Major and/or minor fields of study  Degree sought  Expected date of completion of degree requirements and graduation  Degrees conferred  Awards and Honors (e.g. Dean’s list)  Full or part time enrollment status  Dates of attendance  Previous institutions attended  Participation in officially recognized activities and sports  Weight and height of members of athletic team members  Photograph

Information that the University has made available or published for the explicit use of the general public.

 Confidential Information must not be stored on any mobile computing or storage device such as a laptop, PDA, USB drive, flash drive or any mobile device or media, regardless of whether such device is owned by the University or is personally owned.  Confidential information may be safely stored on the University’s centrally managed storage system referred to as “netfiles.”

 Confidential or Restricted Information should never be stored on a computing device or electronic storage media that is personally owned  Exception: The University acknowledges that faculty may wish to do their work using personally owned computing devices or electronic storage media therefore education records managed or created by faculty when teaching their classes are exempt from this restriction. However, faculty are advised to delete education records from personally owned computing devices and electronic media as soon as it is practical to do so.

 Paper or hardcopy documents, records and media containing Confidential or Restricted Information must be maintained in secure, locked locations when not in use. Electronic and hard copies of Confidential and Restricted Information should be stored only in University offices or facilities.  Exception: The University acknowledges that faculty may need to do their work at an off-campus location therefore education records managed or created by faculty when teaching their classes are exempt from this restriction. However, faculty are advised to carefully secure these documents, records and media when they are not in use.

 Confidential or Restricted Information should never be stored with a software or service vendor such as Google Apps, Dropbox or Mozy unless the University has a contractual agreement with the vendor or service.

 Information Services employs secure data destruction technologies when disposing of equipment. If University employees have control of a University owned computing device or storage media (e.g. computer, laptop, CD, DVD, thumb drive, etc.) that has stored University Administrative Information they should not dispose of it themselves but must turn it in to Information Services for secure disposal.

 If a University faculty member, staff member, student or contractor loses a computing device that held or contains University Administrative Information or becomes aware of the theft of such a device they must report that loss immediately to their supervisor and the Information Services Security Administrator.

 University faculty, staff, students and contractors must follow the University Record Retention Policy regarding appropriate retention of University Administrative Information

 When asked to write letters of recommendation for students or former students, faculty and staff should not share information from student Education Records, including grades or grade point averages, with others outside the institution without written permission from the student.  To release information relating to Education Records (non-directory information), faculty and staff must obtain written consent from the student for such disclosure.

 Upon request, access to a deceased person’s and electronic files will be granted to the appropriate University Official. After proper review that Official may, where appropriate, distribute information contained therein to the executor or administrator of a deceased person’s estate.  For deceased faculty and staff the appropriate University Official is the Associate Vice President of Human Resources, for deceased students the appropriate University official is the Vice President for Student Development. The responsible University Official will consult University Counsel, the Registrar, and the Provost as appropriate.

 In the event that an employee is terminated, resigns from or abandons their position at the University the appropriate University official may authorize access to that employee’s account or electronic files if needed to conduct University business.  For faculty accounts the appropriate University official is the Provost; for staff accounts the appropriate University official is the Associate Vice President of Human Resources.

 When the University is involved or anticipates involvement in litigation or a government investigation or when University officials have reason to believe that there has been a violation of applicable law or policy, it may become necessary to preserve certain documents and records, including s and electronic files. In such event, the University General Counsel will send a document preservation memo to all members of the faculty and staff who may be in possession of relevant documents and records. All recipients of the document preservation memorandum must take all reasonable precautions to ensure that the documents and records described in the memorandum are preserved, without modification, until further notice.

 FERPA Training Sessions—A chance for faculty and staff to update their knowledge of the Family Education Right to Privacy Act, the federal law that outlines rules and guidelines for schools to release information on students. Thursday, October 10 from 2-3p.m., International Center Commons Tuesday, October 22 from 9:30 -10:30a.m., International Center Commons Wednesday, October 30 from 2-3p.m., International Center Commons  Open Sessions on Data Security—Time for faculty and staff to hear from Information Services on the new Data Security Policy and guidelines for safely storing and handling electronic information. Thursday, October 24 from 9-10a.m., Jepson 118 Monday, October 28 from 11 to 12noon, Jepson 120  No sign-up required. Get your questions answered!