Chapter 3337-91 Policies on University Credentials

3337-91-03 Computer and network use.

The version of this rule that includes live links to associated resources is online at https://www.ohio.edu/policy/91-003.html

(A) Overview

This policy provides guidance and establishes expectations for members of the university community as they use Ohio university's information technology resources.

Access to computer systems and networks owned or operated by Ohio university imposes certain responsibilities and obligations and is granted subject to university policies, and local, state, and federal statutes.

Access to the university's computing facilities and resources is granted solely to Ohio university faculty, staff, registered students, and individuals outside the university who are authorized to use services that have been made available through Ohio university. The university reserves the right to limit, restrict, or extend computing privileges and access to its resources.

Computers and network resources can provide access to resources both on and off campus. Such open access is a privilege, and requires that individual users act in a responsible and acceptable manner. Acceptable use always is ethical, reflects academic honesty, and shows restraint in the consumption of shared resources. Acceptable use demonstrates respect for intellectual property, truth in communication, ownership of data, system security mechanisms, and individuals' right to privacy and freedom from intimidation, harassment, and unwarranted annoyance. The university considers any violation of acceptable use principles or guidelines to be a serious offense and reserves the right to test and monitor security, and copy and examine any files or information resident on university systems allegedly related to unacceptable use.

Those who do not abide by the policies and guidelines in this policy should expect at least suspension of computer privileges and possible disciplinary action in accordance with university rules for misconduct and existing judicial, disciplinary, or personnel processes. Offenders may also be subject to criminal prosecution under federal or state laws, and should expect the university to pursue such action.

The office of information technology should be notified about violations of computer laws and policies, as well as about potential loopholes in the security of its computer systems and network. The user community is expected to cooperate with the office of information technology in their operation of computer systems and networks as well as in the investigation of misuse or abuse.

Ohio university's computers, networks, and other information resources (i.e., web pages and other information servers) may not be used in any manner prohibited by law or disallowed by licenses, contracts, or university regulations. Organizations, faculty, staff, and individuals are accountable for the information they publish across computing resources, and they must be aware of university policies regarding confidential information, harassment, use of university computers, and intellectual property.

(B) Required activities

In making acceptable use of resources, you must:

(1) Use resources only for authorized purposes.

(2) Protect your login ID and system from unauthorized use. The university is not responsible for activities on your login ID or that originate from your system.

(3) Access only files and data that are your own, which are publicly available, or to which you have been given authorized access.

(4) Be considerate in your use of shared resources. Refrain from monopolizing systems, overloading networks with excessive data, or wasting computer time, connect time, disk space, printer paper, manuals, or other resources.

(C) Forbidden activities

In making acceptable use of resources, you must not:

(1) Provide login ID codes and system access for the purpose of using resources in violation of policy, or in violation of federal, state or local statutes.

(2) Use copyrighted images, text, or software without permission or in violation of the copyright laws of the United States, or violate terms of applicable software licensing agreements.

(3) Use resources to violate the university codes of conduct or engage in any illegal activity.

(4) Use resources for private financial gain or compensation except as permitted under policy 17.900, or for partisan political purposes.

(5) Use resources to intimidate or single out individuals or groups for degradation or harassment in violation of federal or state law and other university policies.

(6) Use resources to provide materials whose nature or volume compromise the ability of the server to serve other users' documents.

(7) Use a computer account for which authorization has not been granted, use the campus network to gain unauthorized access to any computer system, attempt to circumvent data protection schemes or uncover security loopholes, or mask the identity of an account or machine.

(8) Knowingly perform an act that will interfere with the normal operation of computers, terminals, peripherals, or networks, including knowingly running or installing on any computer system or network, or giving to another user, a program intended to damage or to place excessive load on a computer system or network. This includes programs known as computer viruses, Trojan horses, and worms.

(D) Possible penalties

Misuse of computing, networking, information, or world wide web resources may result in the loss of computing privileges. Additionally, misuse can be prosecuted under applicable statutes. Offenses that are in violation of local, state, or federal laws may be reported to the appropriate university and law enforcement authorities. Users may be held accountable for their conduct under any applicable university or campus policies, procedures, or collective bargaining agreements. Complaints alleging misuse of computer resources will be directed to those responsible for taking appropriate disciplinary action. Reproduction or distribution of copyrighted works, including images, text, or software, without permission of the owner is an infringement of U.S. copyright law and is subject to civil damages and criminal penalties including fines and imprisonment. Violators will be subject to university rules and regulations.

(E) Additional use policies

Additional use policies and terms and conditions may be in place for specific electronic services offered by Ohio university, such as the world wide web, university records, and student code of conduct policies. You must familiarize yourself with any of these when you agree to use these services.

Effective: 8/6/2016
Promulgated Under: 111.15
Statutory Authority: 111.15
Rule Amplifies: 111.15

3337-91-04 University credentials.

The version of this rule that includes live links to associated resources is online at https://www.ohio.edu/policy/91-004.html

(A) Overview

Credentials issued at Ohio university are for the sole purpose of accessing university resources. They are often the first line of attack, and the last line of defense, in the protection of these resources. Because of this, they must be used with care, and adequately protected. This policy outlines those protections that must be observed by individuals, technical staff, and systems using credentials at the university and recommendations for their protection.

(B) Individuals

An individual to whom credentials have been issued has certain responsibilities in the care of those credentials. The following behaviors should be observed to reduce the risk of compromise to your credentials.

(1) Keep your credentials, secret questions, and their answers private and known only to you.

(2) Use unique credentials (username and password combination) for Ohio university that are different from any other service or website.

(3) Your credentials are for your personal authentication to university resources, and should not be used as a means to provision services to other users.

(4) If you suspect that your credentials have been compromised, change your credentials and questions immediately and inform the information security office by e-mail to security@ohio.edu.

(C) Credentials

Credentials exist to ensure that the individual gaining access to university resources through an account is the same individual to whom the access was given. The university acknowledges that not all accounts carry the same level of risk. Therefore the level of rigor and complexity requirements that are applied to ensuring the security of the credentials will be in line with the risk which a compromise of that account would present to the university or its community.

The university data stewards (see part (D) of policy 93.001) will review these complexity requirements on an annual basis. Any changes that need to take place between reviews will be identified by the university information security officer, and presented to the university data stewards for approval. Actual authentication complexity requirements will be captured in the "Authentication Credentials Complexity Standard," which strives to relate the strength of the credential with the risk that a compromise of that account would present to the university.

(D) Information system owners

It is the owner or manager of information services' responsibility to ensure that they comply with this policy and its associated complexity requirements. The recommended method is integrating with OIT authentication services and appropriately mapping individuals' accounts to the correct risk levels. Prior to integrating with OIT authentication services, permission must be obtained from the university information security officer and the chief information officer or their delegates. If a separate user credential is issued, the service owner must instruct their users to use different credentials than are used with their OhioID.

(E) Authentication servers

University authentication services are limited to those run and maintained by the office of information technology. It is the responsibility of the chief information officer or appointed delegate to ensure that the following are adhered to by all systems that perform authentication functions.

(1) Only those systems that are required and approved by the chief information officer or appointed delegate may store passwords in any form. Those that store these passwords must store them in a cryptographically secure format.

(2) Authentication systems must encrypt passwords at all times during transmission.

(3) Authentication systems must be housed in the university datacenter or another approved location. Authentication systems must be administered by OIT.

(4) Authentication systems must be hardened in accordance with NIST 800-123.

(5) Administrators accessing authentication systems must use an approved multi-factor authentication method to access them.

Effective: 6/24/2016
Promulgated Under: 111.15
Statutory Authority: 111.15
Rule Amplifies: 111.15