Routine Measures for Intrusion Detection & Prevention
Office of Information Security (OIS) handles security issues related to Access Accounts. OIS uses a spectrum of tools to discover and prevent internal and external attacks and compromised systems on the network. Upon identification of a compromised Access Account, the Access Account is locked and the Access Account holder is contacted.
Incident Reporting Procedure
Any suspicious or questionable network activity should be reported to Office of Information Security (OIS).
For the current incident-reporting procedures, see the Reporting an Incident page on the OIS site.
Locking and Unlocking an Access Account
SOS will lock an Access Account for a policy violation.
Some examples include:
- Copyright infringement
- User ID mistaken identity (for example, a family member with same initials)
- Password violation (shared password)
- Security concern
- Access Account holder deceased
- Immediate employment termination
- Request from the University Judicial Affairs
- Request from law enforcement
SOS staff members can lock an Access Account; each lock action is recorded in the locking history in CACTUS.
The lock on the Access Account remains in effect until SOS deems it appropriate to unlock it. SOS personnel unlock the Access Account (or escalate to a system administrator, or delegate resolution to authorized personnel).
Once the lock is removed, the Access Account holder will need to visit a signature station to acquire a new password.
Password Reset and Expiration
- Password Reset at Initial Use
ITS-managed systems strongly recommend that the password for any newly activated Access Account be changed at first use. This ensures that only the person who has been assigned the Access Account knows the password. An Access Account holder is encouraged to choose a strong password for his/her Access Account and to change it periodically for security reasons. The password should be changed immediately if an Access Account owner believes that it has been compromised (for example, if there is a possibility that another person may have viewed or acquired the password). Guidelines for creating strong passwords are available at Penn State Access Account Password Policy. Users can change their respective passwords at Penn State Password Management.
- Mandatory Annual Password Reset
ITS-managed systems also force expiration of Penn State Access Account passwords once per year. Passwords will expire exactly 365 days from the date and time of last change. In addition to the University’s annual password change requirement, ITS encourages individuals to change passwords more frequently throughout the year. Users can view expiration dates via the ITS Secure Server.
- Password Reset by authorized staff via DIMC (Digital Identity Management Center)
If an Access Account owner forgets his/her password, then he/she may request a password reset. After verifying the person’s identity, an authorized ITS staff member can reset the password. The new password consists of a system-generated alphanumeric string. An authorized staff member with full privileges is able to view the password and supply the new password to the Access Account owner.
ITS-managed systems retain a history of three passwords, so the last three passwords cannot be reused: when the password is changed, the Access Account owner must create a password that is different from the last three. ITS strongly encourages Access Account owners to avoid reusing any old passwords.
A list of best practices for strong password creation is available via Penn State Access Account Password Policy.
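A compact model of the rules in this section (change at first use, expiry 365 days from the last change, three-password history, system-generated alphanumeric reset string), as an added Python example that is not Penn State's or ITS's code; the PBKDF2 hashing, the class and function names, and treating the password as expired once the 365-day mark is reached are assumptions.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import datetime, timedelta, timezone

PASSWORD_LIFETIME = timedelta(days=365)  # expires 365 days from the date and time of last change
HISTORY_DEPTH = 3                        # the last three passwords cannot be reused
RESET_ALPHABET = string.ascii_letters + string.digits  # system-generated alphanumeric reset strings


def _digest(password: str, salt: bytes) -> bytes:
    # Only salted PBKDF2 digests are kept; the history never stores passwords in the clear (assumed KDF).
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)


def generate_reset_password(length: int = 12) -> str:
    # Temporary alphanumeric password supplied by authorized staff after identity verification.
    return "".join(secrets.choice(RESET_ALPHABET) for _ in range(length))


class AccessAccountPassword:
    def __init__(self):
        self.history = []        # (salt, digest) pairs, most recent last
        self.last_change = None
        self.must_change = True  # a newly activated or staff-reset account changes the password at first use

    def is_reused(self, candidate: str) -> bool:
        # Constant-time comparison against each retained digest.
        return any(hmac.compare_digest(_digest(candidate, salt), d) for salt, d in self.history)

    def set_password(self, new_password: str, now: datetime, staff_reset: bool = False) -> str:
        # Returns "ok" or a rejection reason; history is trimmed to the last HISTORY_DEPTH entries.
        if self.is_reused(new_password):
            return "rejected: matches one of the last %d passwords" % HISTORY_DEPTH
        salt = os.urandom(16)
        self.history = (self.history + [(salt, _digest(new_password, salt))])[-HISTORY_DEPTH:]
        self.last_change = now
        self.must_change = staff_reset  # a staff-issued temporary password must be changed at first use
        return "ok"

    def is_expired(self, now: datetime) -> bool:
        # Assumption: the password counts as expired once exactly 365 days have elapsed.
        return self.last_change is None or now >= self.last_change + PASSWORD_LIFETIME
```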
Release of Identity Information
The release and retention of student, faculty, and staff directory information is based on Guru Policy AD11 (University Policy on Confidentiality of Student Records).
The adoption of Shibboleth requires Penn State to release its identity subjects' attributes. In the process, Penn State releases only the information that is necessary to obtain services from a service provider.
Privacy of User Information
Access Account user IDs are searchable via Penn State Directory Services. Information such as address, phone number, major, position title, etc. is included in the listing. The University may publicly share directory information unless the individual takes formal action to restrict its release. If the individual prefers not to be listed in Penn State's directory, then the person must request removal of the information by placing a confidentiality hold.
To request a confidentiality hold, an employee may contact the Human Resource representative designated for his/her area in order to make the change. A student needs to request the change through the Office of the University Registrar.
Information about Penn State Directory Services is found on the Directory Services page.