Password Policy
The purpose of this policy is to establish a standard for the creation of strong passwords and the protection of those passwords across Franklin & Marshall (F&M). This policy also defines multifactor authentication requirements for accessing the College’s information resources. At their discretion, the College Infrastructure Committee reserves the right to modify this policy at any point in time.
Information security requires the participation and support from all members of the F&M community with access to information assets. It is the responsibility of every member of the F&M community to help ensure that all information assets are kept secure and available. Information about how to change the password associated with your F&M NetID is found on the account management page at password.fandm.edu. Log in and follow the directions.
This policy applies to all members of the F&M community, which includes, but is not limited to employees, students, visitors, volunteers, third parties, contractors, consultants, clients, temporaries, and others (collectively known as "users"), who have access to, support, administer, manage, or maintain F&M information assets.
The College Infrastructure Committee periodically reviews and revises this policy based upon emerging best practices.
“Multifactor authentication” is an additional layer of security used during a logon process. A user will enter their account name, such as NetID or email address, followed by the account password. At this point, if the particular system has multifactor authentication enabled, the user will be challenged for an additional piece of information that is generated in real time from a registered device or available from an alternative method of authentication.
“Registered device” is commonly:
- A cell phone capable of receiving SMS/text messages.
- A smartphone or mobile device with an authenticator application installed that produces a code that changes every 30-60 seconds.
- A smartphone or mobile device with an authenticator application installed that prompts to approve or deny a logon request at the time of authentication.
“Alternative method of authentication” refers to:
- A telephone number capable of receiving voice calls that will be available at the time of authentication. These are commonly home or office phones.
- A USB key made specifically for this use.
- A list of printed backup codes.
Passwords are a critical aspect of information security; they are the front line of protection for user accounts. A poorly chosen password may result in the compromise of F&M's entire campus network. Therefore, all F&M users are responsible for taking the appropriate precautions while selecting and securing their passwords.
You must never share your login and password with anyone.
All access to systems must be controlled by an authentication method involving a minimum of a Username/Password combination. The Username/Password combination must provide verification of the user's identity.
New users receive an alert indicating they can go to the password change system and create a password. They will need to have a mobile phone number on record. If they do not have a mobile phone number on record, they will need to contact the Help Desk. In the event a user requires assistance from Help Desk staff in resetting their password, upon verifying the user’s identity, the temporary password the Help Desk provides can only be conveyed to the user in person or on the phone. It will not be sent through email. This temporary password will also require the user to immediately change the password upon first use.
Automatic password aging/expiration after a period of time has been removed as a requirement for user accounts as of July 2020. This is considered a best practice based on research published by the National Institute of Standards and Technology (NIST).
Where technologically feasible, systems must use password history techniques to maintain a password history of users. The history file must contain the last 24 passwords of users and store them in encrypted form.
Users must create initial passwords that are a minimum of fourteen (14) characters in length. Where technically feasible, computer system administrators must enforce password length requirements.
Users may create passwords that contain characters from any of the following categories, but using more than one category is not required:
- One or more numbers
- Non-alphanumeric characters, for example: ~!@#$%^&*
Passwords must never be stored in clear text. Users must not ‘hard code’ any username/passwords in scripts or clear text files such as system shell scripts, batch jobs, or word processing documents.
For all employees, passwords should not be stored in plain text in word processing documents or elsewhere. For assistance managing passwords, contact the Help Desk for advice on best practices and tools available.
Users should never use their F&M username and password on other systems not managed by the College or not used exclusively for College business. In the event an F&M username is discovered in a security breach on the Internet or has been compromised, the account may be immediately locked and require a password change to regain access.
After five (5) consecutive authentication failures, users are locked out of the resource to which they are attempting to gain access and will have to reset their password using the College’s self-service password change service. In the event a user requires assistance from Help Desk staff in resetting their password, upon verifying the user’s identity, the temporary password the Help Desk provides can only be conveyed to the user in person or on the phone. It will not be sent through email. This temporary password will also require the user to immediately change the password upon first use.
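The length, history and lockout requirements stated above (minimum fourteen characters, the last 24 passwords retained, lockout after five consecutive failures, and a temporary password that must be changed on first use) are the kind of rules an account system enforces in code. The following Python module is an added example, not part of the College's policy or of any F&M system: it assumes a per-account salt so that history entries can be compared, stores the history as PBKDF2 hashes (one-way, rather than the reversible "encrypted form" the policy wording allows), and uses a hypothetical `Account` record and status strings of its own.

```python
from __future__ import annotations

import hashlib
import hmac
import os
from dataclasses import dataclass, field

# Policy constants taken from the text: 14-character minimum, last 24
# passwords retained, lockout after 5 consecutive failures.
MIN_LENGTH = 14
HISTORY_DEPTH = 24
MAX_FAILURES = 5
PBKDF2_ROUNDS = 50_000  # demonstration value; production would use more


def _hash(password: str, salt: bytes) -> bytes:
    """One-way PBKDF2-HMAC-SHA256 so stored history never reveals a password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


@dataclass
class Account:
    """Hypothetical account record (assumption of this example)."""
    salt: bytes = field(default_factory=lambda: os.urandom(16))
    # history[0] is the current password hash; at most HISTORY_DEPTH entries.
    history: list[bytes] = field(default_factory=list)
    failures: int = 0
    locked: bool = False
    must_change: bool = False  # set when a temporary password is issued


def validate_new_password(account: Account, candidate: str) -> str | None:
    """Return an error string if the candidate violates the policy, else None."""
    if len(candidate) < MIN_LENGTH:
        return f"password must be at least {MIN_LENGTH} characters"
    digest = _hash(candidate, account.salt)
    # Constant-time comparison against every retained hash.
    if any(hmac.compare_digest(digest, old) for old in account.history):
        return f"password matches one of the last {HISTORY_DEPTH} passwords"
    return None


def set_password(account: Account, new_password: str, temporary: bool = False) -> None:
    """Install a new password, rotate history, and clear any lockout."""
    error = validate_new_password(account, new_password)
    if error:
        raise ValueError(error)
    account.history.insert(0, _hash(new_password, account.salt))
    del account.history[HISTORY_DEPTH:]  # keep only the last 24
    account.must_change = temporary      # temporary passwords expire on first use
    account.failures = 0
    account.locked = False


def authenticate(account: Account, password: str) -> str:
    """Return 'ok', 'change_required', 'locked' or 'denied'."""
    if account.locked:
        # A locked account stays locked even for the correct password;
        # the user must reset through the self-service password service.
        return "locked"
    if account.history and hmac.compare_digest(_hash(password, account.salt), account.history[0]):
        account.failures = 0
        return "change_required" if account.must_change else "ok"
    account.failures += 1
    if account.failures >= MAX_FAILURES:
        account.locked = True
        return "locked"
    return "denied"


if __name__ == "__main__":
    acct = Account()
    set_password(acct, "correct horse battery staple")
    print(authenticate(acct, "correct horse battery staple"))   # ok
    print(validate_new_password(acct, "correct horse battery staple"))  # reuse rejected
```

The lock is checked before the hash is computed, so once the fifth failure has locked the account the correct password no longer grants access and the self-service reset is the only way back in, which is the behaviour the paragraph above describes.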
Multifactor User Responsibility
Users must register a supported device or alternative method of authentication to provide an additional factor for authentication. This additional factor may or may not be required at every login regardless of time, location, or circumstance. Failure to register a device or alternative method of authentication will prevent access to the systems protected by multifactor authentication.
Users must promptly report the theft, loss, or unauthorized use of their registered device or alternative method of authentication to the Help Desk.
Authorized personnel may monitor transmissions from the registered device or alternative method of authentication in the course of performing routine maintenance or troubleshooting problems.
The CIO or CISO may approve, in advance, exception requests to this policy based on the perceived threat to the College’s information assets. Any exemptions granted will be reviewed periodically and may be revoked at any time.
Policy Maintained by: Information Technology Services, Vice President and Chief Information Officer
Last Reviewed: 04 September 2021