Princeton University Information Technology Policy

If, because of your status as a member of the University’s student body, faculty or staff, whether active or on leave, or as an affiliate, departmental computer user, or authorized visitor, or as a representative of an authorized University group, the University has provided you with a computer account that provides access to the University’s computer systems, networks, voice mail services or other technological facilities, you are accountable to the University for all actions that are performed by anyone who uses that account. Therefore, you are expected to take reasonable measures to prevent your accounts from being used by others. Since passwords are a primary method of protecting University systems against unauthorized use, you, as a University-provided account holder, are expected to change any pre-assigned default password at the first possible opportunity, to select strong passwords that are difficult to guess, and to safeguard them from casual observation or capture. Thereafter, it is strongly recommended that passwords be changed at least once a year (ideally more often). Intentional sharing of such passwords with associates, friends, or family is prohibited, unless required by the terms of University employment or the nature of the group to which the account has been assigned. If there are alternate and practical ways to share work-related information readily and securely, these should be used rather than one University employee’s being given the password of another.

An enhanced security profile (ESP) is a primary method of protecting access to some University services and data. As an account-holder, you are expected to protect the answers to your ESP security questions as you would protect your password.

There are Internet services designed to allow you to store personal information such as passwords, PIN numbers, credit card numbers and other data for ready retrieval by smart phone or other mobile device. If you elect to store your University password(s) through such a service, you risk exposure and subsequent misuse of your University account access and files.

If you administer a server or allow accounts or access for others, whether members of the University community or people outside Princeton University on a system you own or control, you are responsible for protecting the University's property, license agreements, and good name from damage by others to whom you might provide access. You also are responsible for assuring that no copyrighted material (including music, film or television, podcasts, computer games, and software) is published on, or distributed from, that system without permission of the copyright holder. If you cannot accept such responsibility, you ought not be providing access for others. You are responsible for assuring that a strong root or administrative password is in place; for installing and maintaining appropriate anti-virus and firewall protections; for being aware of known vulnerabilities and for ensuring that the system you own or administer is not used by outsiders to relay commercial or other unsolicited mass e-mailings (“spam”); and, in general, for securing the system and its services against use by viruses, worms, or outsiders for attacks on other systems within, and outside, the Princeton University domain, or for other hostile or abusive purpose.

If you are responsible for any web-based application presented through the University's resources, you must ensure that it cannot be used by anyone to relay unsolicited e-mail or spam to others. You also must ensure that the application cannot be used by others to compromise the application itself or the server on which the application resides.

Applications provided through cPanel or similar services on a University-maintained device will be scanned for vulnerabilities before being made operational, and any vulnerabilities should be addressed. If serious vulnerabilities in such an application are observed after initial implementation, the application must be removed until the vulnerabilities have been remedied.

Applications downloaded for mobile devices may also pose security risks and should be installed only when there is confidence they are secure.

If you encounter or observe a gap in system or network security, you must report the gap to the appropriate office or authority, which may be the OIT Help Desk, the Library Systems Office, or the appropriate system authority, either within or outside the University. (The IT Security website at: www.princeton.edu/itsecurity may be of help identifying the appropriate office.) You must refrain from exploiting any such gaps in security.