Policy on Accounts (NetIDs, Special-purpose NetIDs, Privileged Access Accounts) and Access (MFA, Passwords)
Policy
New York University, in order to provide a reliable and secure technological environment, has requirements for obtaining accounts, accessing network resources, and ensuring proper usage of those resources by authorized users. It also has controls to restrict unauthorized or unauthenticated use of its technology systems, services, and data.
Scope of this Policy
I. Authorized Use of NYU accounts
Authorized users are faculty, students, administrators, staff, researchers, alumni, and those engaging with the NYU community who have a legitimate need to access and use NYU technology resources, including guests, tenants, contractors, consultants, and visitors. Depending upon service eligibility, NYU technology resources may be used only by authorized users.
Authorized users may be assigned one or more accounts with appropriate access restrictions, and may use only the technology resources to which they have been given access.
II. Types of Accounts
Several types of accounts exist at NYU, some managed centrally (Standard NetID, Special-purpose NetID) and some managed both centrally and locally (Local Accounts, Privileged Access Accounts). The security of NYU systems and data must be safeguarded by members of the community according to NYU Policies and Guidelines with review from the NYU IT Global Office of Information Security (GOIS).
- Individual Accounts (NetIDs) - an account with a NetID assigned to one individual; NYU MFA is required.
- Special-purpose Accounts (NetIDs)
- Test Accounts - used for application, system, and service development and testing, mimicking users' credentials and access. These may be individual or machine test accounts used for development. Best practices:
  - Test accounts should be used in DEV and QA environments.
  - Test accounts should NOT be used in production systems.
  - Test accounts require MFA by default; an exemption can be requested for machine-to-machine testing.
- Admin Accounts - Privileged Access Accounts (i.e., administrator accounts) across systems, which separate administrative duties from individual accounts. MFA is required for these accounts.
- Non-Standard Entitlement Admin Account - a second account for an individual that carries non-standard entitlements and requires approval. MFA is required for these accounts.
- Machine Accounts - an account for automated integrations between systems or applications.
A. Individual Accounts (NetIDs) (for all community members)
1. Overview
The NetID is the key identifier used for accessing a wide range of online University services, including University networks, data, and systems. An individual NYU NetID is assigned to members of the NYU community in order to enable personal access to University online services.
Once activated, the NetID with password serves as the credential used for access to authorized NYU technology resources via desktop computers, laptops, and mobile devices. The NetID is also the basis of the default NYU Email address.
2. Eligibility
Members of the NYU community are assigned an individual NetID upon joining the community. Timing and procedures for the NetID creation and assignment are different for different community roles.
3. Responsibilities
Users are responsible for any and all activity conducted with their login credentials (NetID, or other NYU-provided login ID, and password). Any instances of lost or stolen login credentials must be immediately reported to security@nyu.edu. All NetID holders are responsible for safeguarding login credentials.
B. Special-purpose Accounts (for System Administrators or Sponsors/approvers of Special-purpose NetIDs)
1. Overview
In special circumstances, a special-purpose NetID may be assigned to a member of the NYU community for purposes other than sole individual use.
Examples of where special-purpose NetIDs are allowed: 1) system integrations, where an application or system requires a NetID-based account for a system-to-system integration, or 2) wireless network access for kiosks, where a department wishes to configure special computers (e.g., kiosks or classroom podium computers) for automatic access to the NYU wireless network which requires NetID and password authentication.
Special-purpose NetIDs are not available for shared accounts, where a department or group desires an account to manage a University business process, for example intake and processing of email to an administrative department from diverse sources. In a case such as this, use of a scalable issue tracking system such as NYU ServiceLink is the type of tool recommended by NYU IT.
Typical alternatives to be considered include:
- NYU Email account delegation
- NYU Groups
- Issue-tracking system, such as NYU ServiceLink
2. Eligibility
Full-time NYU faculty and staff are eligible to request a special-purpose NYU NetID by sponsorship, provided it fits with allowed use. When an individual or sponsor leaves NYU, moves into an unrelated position at the University, or has another significant change in role, any special-purpose NetIDs assigned to the individual will be deactivated (unless previously transferred to another eligible member of the community).
3. Responsibilities
All responsibilities associated with the use of an individual NetID (most notably those described in the Policy on Responsible Use of NYU Computers and Data) are associated with the use of a special-purpose NetID, and the sponsor is responsible for the uses to which the special-purpose NetID is put.
In addition, the restriction against shared use of the NetID (and its associated password) may be different in certain use cases for special-purpose NetIDs. Since, however, shared use of a NetID is inherently less secure than individual use, in cases where shared use is planned, other sharing mechanisms, where available, should be used instead of assignment of a special-purpose NetID.
4. Approval and Review
Approval for a special-purpose NetID is requested via the IAM service form and reviewed by the NYU IT service director for Identity and Access Management. Once approved, the system access privileges pertaining to the specific request are assigned to the NetID.
5. Expiration and Notification
When a special-purpose NetID is assigned, an end-date is associated with it. NetIDs to be used for automated system-to-system integrations (not an individual), will possess an end-date set very far into the future so as to prevent expiration of the NetID and resultant loss of system functionality.
When an end-date approaches, the sponsor of the special-purpose NetID will be notified in advance that an extension is necessary and of the procedure for requesting the extension. A special-purpose NetID that is not renewed will be deactivated and its password expired automatically, along with any computer accounts that have been created under that NetID.
In addition, NYU IT will perform a certification process to validate sponsorship of these accounts. Sponsors are required to respond to the certification within the dates set in the certification to allow NYU IT to properly update existing accounts with new sponsors and disable accounts no longer needed.
C. Privileged Access Accounts (for Staff Managing IT Resources)
This policy applies to all service or system administrator accounts used with University information system servers. Privileged Access Accounts include those verified with passwords, keys, or other means of authentication. Privileged Access Accounts may be local, network (domain), or shared accounts.
This policy applies to all services managed by NYU or cloud infrastructure and platform services licensed by NYU. This policy also should be used as a guide when evaluating vendor-provided services.
This Privileged Access Account policy is best practice and is recommended but not required for faculty-managed research servers.
1. Overview
a) Privileged Access Accounts enable an authorized individual to take actions which may affect computing systems, network communication, or the accounts of other users. Privileged Access is typically granted to system administrators, network administrators, database administrators, account administrators, or other individuals whose job duties require special privileges over a computing system or network.
b) Privileged Access Accounts may be "administrator" or "root" accounts with full access rights or accounts that possess limited elevation of system rights. Privileged Access Account holders have the ability to fundamentally change the functionality or security of an application, system, and service, or create new accounts with those abilities.
c) Privileged Access Accounts must be set to the lowest level of access needed to accomplish a job function, supporting the principle of least privilege.
2. Responsibilities
a) Individuals with privileged access must respect the rights of the system users and the integrity of the systems and related physical resources and must comply with applicable policies, laws, regulations, and procedures, while pursuing appropriate actions required to provide high-quality, timely, and reliable computing services.
b) Privileged Access Account holders must be aware that these privileges place them in a position of heightened trust. They must not breach that trust by misusing privileges or failing to maintain a high professional standard.
c) Every Privileged Access Account holder must change their password every 90 days.
d) Privileged Access Accounts must not be shared.
e) Root, super administrator, or any account that would be considered a "master" service account, must be escrowed in an approved service to be available for emergency access from authorized personnel. Privileged Access Account passwords must be stored in a department-approved password storage service. Passwords must not be stored in unapproved systems or unencrypted.
f) When a Privileged Access Account holder leaves the University, their privileged access must be disabled immediately upon their departure. When a Privileged Access Account holder no longer requires privileged access, that access must be disabled immediately.
g) Privileged Access Account activity must be logged. Logs must be retained for a minimum of 90 days.
h) Managers should review Privileged Access Accounts for misassigned, unused, or unauthorized accounts at least every 90 days. Accounts identified as such should be disabled or removed.
i) Privileged Access Account holders may not use their privileged access for unauthorized viewing, modifying, copying, or destroying system or user data.
j) Privileged Access Account holders have a responsibility to protect the confidentiality of any information they encounter while performing their duties. If, during the performance of their duties, individuals with privileged access inadvertently see information indicating serious misuse, they are advised to consult with their manager. If the situation is an emergency, intervening action may be appropriate.
k) Privileged Access Account holders are responsible for complying with all applicable laws, regulations, policies, and procedures.
3. Approval and Review
a) Privileged Access is granted only to authorized individuals.
b) Units managing their resources with their own Privileged Access Accounts need to provide a similar request and approval process. Appropriate University leadership must approve all Privileged Access Accounts and account holders at least annually (or more often as regulations require) to determine if Privileged Access is still needed and to review what level of access is appropriate.
c) The NYU IT Global University Chief Information Security Officer (Global CISO) is responsible for the governance, oversight, and monitoring of the Privileged Account Management process.
III. Access
A. Multi-Factor Authentication (MFA)
Multi-Factor Authentication (MFA) refers to a method of computer access control that helps safeguard data by requiring more than one method of authentication from independent categories of credentials to verify the user’s identity for login or other transactions.
MFA reduces the risk that compromised NetID credentials are used to gain unauthorized access to sensitive information, and increases the level of certainty that the individual is who they claim to be. The added level of security through use of MFA helps NYU safeguard its users' personal information from cybersecurity threats and ensures uninterrupted access to University technical resources.
1. Users and Responsibilities
a) The use of NYU MFA is mandatory for community members to access most NYU services, including but not limited to NYUHome, PeopleSync, NYU Brightspace, NYU Email, and many others that are accessed using an NYU NetID and password. This includes NYU Virtual Private Network (VPN) services.
b) Applications at NYU are required to use MFA to enhance the security of user access. The level of MFA security is dependent upon the application’s data classification based on the Electronic Data and System Risk Classification Policy.
c) MFA is required to protect Privileged Access to NYU technology resources. Where any NYU-managed system supports elevation to a second factor of authentication, MFA is required for Privileged Access.
d) MFA is available on applications and systems across NYU using NYU IT-provided Single Sign-On (SSO), both Shibboleth (SAML2) and OpenID Connect (OAuth2). NYU applications should utilize SSO as part of their user authentication.
e) Although the vendor-provided NYU MFA system offers multiple ways of obtaining an MFA passcode for authorization of credentials to NYU services, applications, and systems, NYU recommends that NYU users configure MFA and their device(s) via the NYU Start Page and utilize the mobile application provided to obtain a passcode. To learn more, visit the NYU MFA website.
2. MFA Requirement for NYU Community Members:
- Employees - As of employment start date at the University
- Affiliates - As of start date at the University
- Degree Students - As of semester Census Capture date
- Alumni - Once a student graduates and transitions to alumni status, the individual is no longer required to use MFA. MFA is available for alumni who wish to have added security to protect their accounts and data.
3. Restrictions
The MFA passcode obtained through the mobile application, tokens, and other means must not be shared with others. Disciplinary measures may be undertaken by NYU against those sharing a passcode, particularly if it results in a security breach.
4. Accommodations for Individuals with Disabilities
If an individual with a disability needs a reasonable accommodation in order to participate in the NYU MFA process, or is seeking an exception to the MFA process, they may submit a request to:
- Employees/Affiliates: Office of Equal Opportunity, equal.opportunity@nyu.edu
- Students: The Moses Center for Student Accessibility, mosescsa@nyu.edu
After approval, the above units will contact NYU IT via email at AskIT@nyu.edu to process the change.
5. Exceptions
An MFA exception can be requested for a specific computer (i.e., kiosk or classroom computer). Please note that these exceptions are for automated device-to-device specific integrations and are NOT user-based. Based on the request, the NYU IT Global University Chief Information Security Officer (Global CISO) will assess the risk to information security, computing system security, and compliance requirements NYU must meet under law, contract or policy; other individuals within the user’s department or the University may be consulted concerning the business or academic need for the exception the user is requesting. The Global CISO will determine, at a minimum, if the following base requirements can be met or have been met before approving an exception:
- The computer, device, or workstation must not be used for processing High Risk data (e.g., ePHI, SSNs, credit cards)
- The exception must not place individuals, NYU, NYU systems, or NYU-NET at risk
There may be compensating controls placed on the specific piece of equipment to reduce risk to the NYU community.
B. Passwords
- Secure all computer and mobile accounts with passwords, and use passwords to protect all file sharing.
- Refer to password requirements and security tips for details.
- Privileged Access Account passwords must be changed every 90 days; individual standard NetID passwords must be changed once a year.
C. Anonymous Network Access
NYU IT prohibits "anonymous" access from NYU-NET to the internet. This means that persons using NYU-NET resources to access the internet must either:
- gain access only after providing a uniquely-identifying username and password, or
- use a networked machine registered for their individual use in the Domain Name System (DNS).
It is the responsibility of local IT managers to implement this policy. Changes in assigned users of individual networked machines, e.g., through new staff hiring, should be reported to the NYU-NET Network Operations Center (NOC) in order that the DNS may be updated. Any sign of NYU-NET or internet abuse must be communicated immediately to the NOC.
Violators of this policy may find their network access disabled, with no prior warning, until sufficient safeguards have been put into place to ensure that no further violations take place. NYU IT reserves the right to disconnect individual machines or sub-networks of NYU-NET in order to preserve the smooth functioning and security of the network as a whole.
All network users are responsible for the use of their accounts and machines, and must preserve their sole individual use of their accounts by not sharing them with other individuals, by keeping passwords secret, by changing passwords frequently, and by selecting passwords which are difficult to guess or crack.
Notes
- Dates of official enactment and amendments: Dec 1, 2019
- History: Last Review: February 8, 2023. Last Revision: February 8, 2023.
- Cross References: N/A
About This Policy
- Effective Date:
- Supersedes: N/A
- Issuing Authority: Executive Vice President
- Responsible Officer: Vice President for Information Technology and Global University Chief Information Officer