Your responsibility for network and information security
If, because of your status as a member of the University’s student body, faculty or staff, whether active or on leave, or as an affiliate, departmental computer user, or authorized visitor, or as the representative of an authorized University group, the University has provided you with an account that provides access to the University’s systems, networks, voice mail services or other technological facilities, you are accountable to the University for all actions that are performed by anyone who uses that account. Therefore, you are expected to take reasonable measures to prevent your accounts from being used by others. Since passwords are a primary method of protecting University systems against unauthorized use, you, as a University-provided account holder, are expected to change any pre-assigned default password at the first possible opportunity, to select strong passwords that are difficult to guess, and to safeguard them from casual observation or capture. Thereafter, the University requires that passwords for University-provided accounts be changed at least once a year and for greater security recommends they be changed even more often.
Intentional sharing of such passwords with associates, friends, or family is prohibited, unless required by the terms of University employment or the nature of the group to which the account has been assigned. If there are alternate and practical ways to share work-related information readily and securely, these should be used rather than one University employee’s being given the password of another.
A password used for access to a Princeton University account or resource should not be the same as those used to access non-University-affiliated resources. For example, account-holders should not use any of their University passwords as the password for a social media site, or a personal banking site, or other outside resources.
An enhanced security profile (ESP) is a primary method of protecting access to some University services and data. As an account-holder, you are expected to protect the answers to your ESP security questions as you would protect your password.
There are Internet services designed to allow you to store personal information such as passwords, PIN numbers, credit card numbers and other data for ready retrieval by smart phone or other mobile device. If you elect to store your University password(s) through such a service before the University recommends a secure option, you risk exposure and subsequent misuse of your University account access and files.
Allowing access to others
If you administer a server or router or allow accounts or access for others, whether members of the University community or people outside Princeton University, on a networked device, system, server, router, or network address translator you own or control, you are responsible for protecting the University's property and good name from damage by others to whom you might provide access and for compliance by users with the University’s license agreements and any applicable terms of service. You also are responsible for assuring that no copyrighted material (including music, film or television, podcasts, computer games, and software) is published on, or distributed from, that system without permission of the copyright holder. If you cannot accept such responsibility, you ought not be providing access for others. You are responsible for assuring that a strong root or administrative password is in place; for installing and maintaining appropriate anti-virus and firewall protections; for being aware of known vulnerabilities and for ensuring that the system you own or administer is not used by outsiders to relay commercial or other unsolicited mass e-mailings (i.e., spam); and, in general, for securing the system and its services against use by viruses, worms, or outsiders for attacks on other systems within, and outside, the Princeton University domain, or for other hostile or abusive purpose.
Securing Web-based applications
If you are responsible for any web-based application presented through the University's resources, you must ensure that it cannot be used by anyone to relay unsolicited e-mail or spam to others. You also must ensure that the application cannot be used by others to compromise the application itself or the server on which the application resides.
You also must be aware of and apply security updates and security patches as they are released for the software used to create and maintain the application and/or website.
Applications provided through cPanel or similar services on a University-maintained device will be scanned for vulnerabilities before being made operational, and any vulnerability should be addressed. If serious vulnerabilities in such an application are observed after initial implementation, the website will be suspended until the vulnerabilities have been remedied.
Applications downloaded for mobile devices may also pose security risks and should be installed only when there is confidence they are secure.
Discovering gaps in security
If you encounter or observe a gap in system or network security, you must report the gap to the appropriate office or authority, which may be the OIT Help Desk, the Library Systems Office, or the appropriate system authority, either within or outside the University. (The IT Security website at www.princeton.edu/itsecurity may be of help in identifying the appropriate office.) You must refrain from exploiting any such gaps in security.