1.1 Board of Trustees policy (BOT VI.F.2) delegates to the Chancellor the authority to establish University System policy on the operations and maintenance of property and delegate, in turn, to the component institutions the authority to establish correspondent institutional policies.
2. Delegation of Authority
2.1 The Chancellor delegates to the chief executive officers of each component institution the responsibility and authority to establish and administer an operations and maintenance program for all property owned, occupied, or managed by their respective institutions.
2.2 The component institutions' operations and maintenance programs shall include procedures establishing prudent property management practices and ensuring compliance with applicable Board of Trustees and University System policies and state and federal laws. Those programs shall designate specific institutional officials to be responsible for ensuring institutional compliance with program requirements.
3. Policy on Environmental Health and Safety
3.1.1 It is the policy of the University System of New Hampshire (USNH) to maintain a reasonably safe environment for its students, faculty and other academic appointees, staff, and visitors.
3.1.2 Operations at each component institution shall be conducted in compliance with applicable regulations, and when appropriate, with accepted health and safety standards.
3.1.3 A Council on Environmental Health and Safety is responsible for overall coordination and assessment of System-wide environmental health and safety efforts. The Council is chaired by the UNH Director of Environmental Health and Safety and includes representation from each component institution. The President or Chancellor of each component institution (GSC, KSC, PSU, UNH, USNH) appoints members to the Council. The Council shall meet quarterly to share current information, and shall provide to the Presidents and then to the Chancellor an annual report describing the state of the University System's environmental health and safety.
3.2.1 The Chancellor and Presidents are responsible for the implementation of the Environmental Health and Safety policy at their respective component institutions.
3.2.2 Vice Presidents, Deans, Directors, Department Chairs, principal investigators, supervisors, and all other employees are responsible for compliance with this policy as it relates to operations under their control.
3.3 Campus Program Elements and Objectives
3.3.1 The Chancellor, Presidents and Vice Presidents shall enact programs for environmental health and safety and such programs will be in compliance with applicable health and safety standards promulgated by federal, state and local agencies. In the absence of appropriate statutes and governmental regulations, the published standards of nationally recognized professional health and safety organizations would serve as guides. Appropriate working relationships with official regulatory agencies pertinent to environmental health and safety are recommended and encouraged.
3.3.2 Each component institution shall establish a written mission statement to outline operating policies, procedures and guidelines, as well as training for compliance with applicable environmental health and safety objectives listed below.
3.3.3 The written statement and programs for health and safety and environmental compliance shall include, but not be limited to the following program elements and objectives.
220.127.116.11 Injury and Illness Prevention
18.104.22.168.1 Objectives: The objectives are (1) to provide the means by which workplace hazards are identified and corrected in a timely manner; employees are to be informed of the specific hazards associated with their jobs and are to be trained in the appropriate safe work practices; employees can communicate, without fear of reprisal, their concerns about work area safety, and (2) to integrate existing and future compliance programs and environmental health and safety technical disciplines in a manner to ensure statutory and regulatory compliance in an efficient and logical approach. These programs and disciplines are discussed below.
22.214.171.124.2 Compliance Programs/Technical Disciplines
126.96.36.199.2.1 Industrial Hygiene: The practice of recognition, evaluation and control of potentially harmful substances and physical agents in the work area. The scope of this program shall include, but not be limited to, toxic materials, air quality in controlled environments, elements of physical exposure such as lighting, noise and temperature, and asbestos abatement.
188.8.131.52.2.2 General Safety: Identification and correction of factors which contribute to the incidence of accidental injury shall be maintained. The scope of these efforts shall include environmental conditions, engineering and design, maintenance of facilities and equipment, and the human factor.
184.108.40.206.2.3 Radiation and Laser Safety: Applicable regulations and appropriate standards shall be observed in the use of radioactive materials and radiation-producing machines. Appropriate guidelines shall be followed relating to the proper use, storage, and disposal of radioactive materials.
220.127.116.11.2.4 Occupational Health and Medicine: Appropriate resources and technology shall be applied to the recognition and response to occupational diseases and injury. Preventive health measures and surveillance techniques shall be utilized in a manner consistent with regulatory guidelines, accepted industry standards, and campus policy. The purpose of this program is the maintenance of reasonable standards for the health and safety of campus personnel and students.
18.104.22.168.2.5 Integrated Contingency Planning: Contingency planning shall facilitate appropriate mechanisms for accident prevention, mitigation and response to unplanned releases of oil or non-radioactive hazardous material to air, soil, surface water or groundwater. Appropriate contingency plans shall be maintained for each campus and steps taken to ensure adequate familiarity with the plan on the part of campus personnel.
22.214.171.124.2.6 Biological Safety: Applicable regulations and accepted standards governing the use, storage, and disposal of hazardous biological substances shall be observed. Conscientious surveillance shall be maintained and resources and technology applied to the handling of bio-hazardous substances consistent with regulatory controls and/or recognized health and safety standards.
126.96.36.199.2.7 Diving Safety: Diving operations under the auspices of the University of New Hampshire shall be conduced in compliance with appropriate regulations, safety standards, and campus policy.
188.8.131.52 Hazardous Materials and Environmental Management
184.108.40.206.1 Objectives: The objectives are: (1) to comply with statutory and regulatory requirements for hazardous materials inventory and emissions reporting; and (2) to collect, classify, and pack for shipment all hazardous waste for proper disposition.
220.127.116.11.2 Compliance Programs
18.104.22.168.1 Hazardous Waste Management: Procedures and facilities shall be maintained to allow for the preparation and ultimate disposal of hazardous waste produced by the campus. All applicable laws and regulations shall be used to establish standards for compliance.
22.214.171.124.2 Hazardous Materials Inventory and Reporting: This program develops and maintains campus hazardous materials inventories for the purpose of complying with regulations related to hazard communication, community right-to-know, air emissions, building/fire codes, and emergency preparedness.
4. Policy on Use of Technological Resources
4.1 Purpose. This policy delegates to the institutions within USNH the authority to adopt policies governing access to and use of institutional technological resources, subject to certain general rules for which System wide conformity is essential.
4.2 Definitions. For purposes of this policy the following terms shall have the indicated meanings:
4.2.1 "Technological resources" shall include, but not be limited to, telephones, voice mail applications, desktop computers, computer networks and electronic mail applications.
4.2.2 "Institutional technological resources" means those technological resources owned or operated by the University System or one of its component institutions.
4.2.3 "Non-institutional technological resources" means those technological resources that are neither owned nor operated by the University System or one of its component institutions.
4.3 Scope. This policy applies to access and use of technological resources by faculty, staff, administrators, students, and any other person whether inside or outside the academic community. This policy also applies to the access and use of non-institutional technological resources used in the performance of official duties by faculty, staff, or administrators, but only to the extent of such use.
4.4 Delegation of Authority. The institutions within the University System shall adopt policies governing access to and use of institutional technological resources. Institutional policies shall be consistent with applicable BOT and USY policies, and shall:
4.4.1 Establish standards of conduct which users are expected to meet, including the extent to which technological resources may be used for non-institutional purposes;
4.4.2 Notify users of privacy and security issues related to their use of the institution's technological resources;
4.4.3 Provide (an) effective mechanism(s) to inform users of the relevant institutional policies and train them in the proper use of technological resources;
4.4.4 Establish a policy on the retention, archiving, and deletion of information resident on technological resources owned or operated by the institution;
4.4.5 Establish a process whereby appropriate institutional officials may access, copy, and/or delete information resident in any technological resource owned or operated by the institution, such process to permit said actions only when justified by legitimate institutional interests;
4.4.6 Establish appropriate security mechanisms to protect the information resident in any technological resource against unauthorized access;
4.4.7 Establish a mechanism for receiving reports of violations of the institutional policies on the access to and use of technological resources and for appropriately responding to such reports.
4.5 General rules. The following general rules apply to the use of and access to technological resources anywhere within the University System and its component institutions:
4.5.1 The University System and its component institutions shall retain ownership over the records resident on the technological resources covered by this policy. In the case of faculty, staff, or administrators using non-institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes. The institution's ownership of the record shall have no effect on the ownership of the copyright or other intellectual property rights related to information contained in the record, which rights may or may not reside with the institution.
4.5.2 The University System and its component institutions shall retain the right to access, copy, and delete, in accordance with policies established under subsection 4.4.5, above, information resident in technological resources covered by this policy. In the case of faculty, staff, or administrators using non institutional technological resources for institutional purposes, this policy applies only to records created for those institutional purposes.
5. Information Technology Security Policy
5.1 The institutions and individuals of the University System of New Hampshire (USNH), including ITEC and the USNH Information Security Committee (ISC), shall provide appropriate security to protect the privacy of information, safeguard electronic and derivative information against unauthorized use and modification, protect systems against unauthorized access, protect systems and related operations against disruptions, and prevent the loss of or damage to IT resources.
5.2 Information Technology Security Organization
USNH will establish and maintain an organizational structure with clearly assigned responsibilities for oversight and enforcement of USNH IT resources security, and a process for maintaining accountability for activities and system configurations that are inconsistent with the policy.
5.3 Physical and Environmental Security
USNH and each USNH institution, manager, provider and user of USNH IT resources is responsible for protecting, to the best of its ability, USNH IT resources. USNH and all USNH institutions, providers and users of USNH IT resources will institute and follow procedures, within their level of responsibility and authority, to protect those IT resources from loss, damage, compromise and unauthorized access, by creating a safe environment for the housing and use of those assets.
5.4 Computer, Network and Telecommunications Management
5.4.1 Network Management. USNH and providers and managers of USNH IT resources must manage the secure operation of the network environment and must do so in a manner that is consistent with a commitment to privacy and applicable USNH privacy policies.
5.4.2 Successful Operation of USNH Network Resources. USNH institutions will create appropriate policies and procedures to ensure and safeguard its IT resources from interference, threats, or other undesirable effects. In addition to IT resources, these policies and procedures shall include consideration for non-IT resources as well as consideration for devices not owned by the USNH either attached or unattached to the network.
5.4.3 Prevention of Loss, Modification or Misuse of Information Exchanged Between Organizations. All USNH institutions, providers and users of USNH IT resources will institute measures to safeguard the flow of data and information into and out of the networks.
5.4.4 Protection of Wireless Air Space. USNH institutions will manage the wireless spectrum to minimize interference between wireless networks and other devices using radio frequencies.
5.5 System Development & Maintenance
5.5.1 Security in Operational Systems and Prevention of Loss, Modification or Misuse of User Data in Application Systems
The appropriate level of protection must be incorporated into operational systems throughout the development process. Especially in cases where the data is sensitive or requires protection because of the risk and magnitude of loss or harm that could result from improper operation, manipulation or disclosure.
5.5.2 Protection of Confidentiality, Authenticity and Integrity of Information
USNH will protect the confidentiality, authenticity and integrity of information.
5.5.3 Conducting IT Projects and Support Activities in a Secure Manner
Changes and updates to systems and data must be traceable to accountable individuals and source documents under a defined management process.
5.5.4 Maintaining Security of Application System Software and Data
All USNH institutions and providers of USNH IT resources will provide and implement reasonable and adequate security measures to protect the information stored in IT resources.
5.6 Disaster Recovery and Business Continuity Management Planning
5.6.1 Disaster Recovery and Response Management Plan. USNH and each USNH institution will develop, keep current, and publish adequate disaster recovery plans to minimize the effects of a disaster and support restoration of USNH critical operations following a disastrous event.
5.6.2 Business Continuity Plan. A "Business Continuity Plan" shall be developed and implemented at all USNH institutions to facilitate the re-establishment and continuance of critical business functions after a disaster occurs.
5.7 System Access Control
5.7.1 Control Access to Information. Computer systems and resources used for the transaction of USNH business shall be protected from theft, malicious destruction, unauthorized alteration or exposure, or other potential compromise resulting from inappropriate or negligent acts or omissions.
126.96.36.199 Computer systems shall require utilization of employee-specific passwords for access. Passwords for access to USNH systems shall comply with industry standards as established by the institutional Chief Information Officers within the technological capabilities of each system.
188.8.131.52 Password change schedules will be established and communicated to password holders at timely intervals.
184.108.40.206 Employee-specific passwords shall be treated as sensitive, confidential information and shall not be shared. Employee-specific passwords also shall not be stored on-line or written down unless adequately secured from unauthorized viewing.
220.127.116.11 Authorized users of computer systems will take reasonable and appropriate measures to prevent access to systems by unauthorized persons.
18.104.22.168 All data on computers or electronic storage devices (including but not limited to desktop, laptop, server, or handheld devices) shall be wiped clean of files and data prior to transfer or surplus.
22.214.171.124 Social Security Number (SSN) is a particularly sensitive data item for all constituents. Whenever the SSN is utilized and/or displayed, the following shall apply to mitigate its exposure to unauthorized access.
126.96.36.199.1 A SSN shall not be sent via e-mail unless encrypted or masked for all but the last four (or fewer) digits of the number.
188.8.131.52.2 Shared electronic and paper reports shall have all but the last four (or fewer) digits of the SSN masked. In the limited cases where SSN is required for regulatory compliance related to employment, payroll processing, provision of benefits, and tax reporting, access to the information shall be limited to those with need to know.
184.108.40.206.3 Paper and electronic documents containing a SSN shall be disposed of in a secure fashion.
220.127.116.11.4 Personal information which links a SSN with a person shall not be publicly displayed.
18.104.22.168 Access to systems and sensitive data from outside the USNH managed environment (for example, from employee homes or during travel) will meet the same level of secure access as is provided in the USNH-managed environment.
22.214.171.124 The Chief Information Officer at each USNH institution will establish standards and interpret this policy to assure that it is implemented in a manner consistent with the technologies at each institution.
5.7.2 Control Access to Systems. Access to systems will be limited to staff who have a need to access them as determined by job responsibilities.
5.8 User Awareness & Training
5.8.1 Reducing Risks of User Error, Theft, Fraud or Misuse of Facilities. USNH institutions and providers of USNH IT resources will institute measures to reduce risks of user error, theft, fraud or misuse of IT resources, by providing appropriate user information and training.
5.8.2 Educating Users about Information Technology Security Threats and Concerns. USNH and its member institutions will communicate to all constituents their responsibility for protecting the technology environment, and provide the information necessary to help them protect IT resources against threats.
5.9.1 Compliance with federal, state and local laws, USNH and institutional policies, and contractual obligations. The use and operation of USNH IT resources will comply with federal, state and local laws, USNH and institutional policies, and contractual obligations. USNH GLBA Information Security Program
126.96.36.199 The USNH Information Security Committee (ISC) oversees and coordinates the USNH Gramm-Leach-Bliley Act Information Security Program to ensure the protection of customers’ nonpublic financial information, including information obtained by USNH in connection with a financial service provided to a student, employee or other third party.
188.8.131.52 The USNH Information Security Committee (ISC) is responsible for developing, implementing and updating the USNH Identity Theft Prevention Program, adopted by the USNH Board of Trustees pursuant to the Federal Trade Commission's (FTC) Red Flags Rule. The ISC’s responsibilities include promoting policies for protecting personally identifiable information; ensuring appropriate training of USNH staff on the Program and related policies; reviewing any staff reports regarding the detection of Red Flags and the steps for preventing and mitigating identity theft; determining which steps of prevention and mitigation should be taken in particular circumstances; and considering periodic changes to the Program.
5.9.2 Providing information concerning laws, policies and contractual obligations. All USNH institutions, providers and managers of USNH IT resources will institute procedures to inform users and administrators of IT resources about applicable laws, policies and contractual obligations. USNH GLBA Information Security Program
5.9.3 Procedures for adjudicating security violations. Violations of this security policy constitute unacceptable use of IT resources and may violate other USNH policies and/or state and federal law. Suspected or known violations should be reported to the IT Security Officer at USNH or member institutions.
5.9.4 Performing a Security Audit Process. All USNH institutions, providers and managers of USNH IT resources will periodically conduct an audit of security of IT resources.
5.10 Asset Classification & Control
5.10.1 Maintaining Appropriate Information Technology Inventory Controls. All USNH institutions, providers, managers and users of USNH IT resources will develop and maintain a comprehensive inventory of critical information assets.
5.10.2 Inventories of assets help ensure that effective asset protection takes place, and may also be required for other business purposes, such as health and safety, insurance, or financial (asset management) reasons. The process of compiling an inventory of assets is an important aspect of risk management. An organization needs to be able to identify its assets and the relative value and importance of these assets. Based on the information an organization can then provide levels of protection commensurate with the value and importance of the assets. An inventory should be drawn up and maintained of the important assets associated with each information system. Each asset should be clearly identified and its ownership and security classification agreed [upon] and documented together with its current location.
5.10.3 Safeguarding Information Sensitivity. All USNH institutions, providers, managers and users of USNH IT resources will establish methods to identify, classify, and where necessary, restrict access to institutional data so as to recognize sensitivity, protect confidentiality or safeguard privacy as required by law, institutional policy or ethical considerations.
6.1 Purpose. To have appropriate protection for information, it is important to first understand what it is that needs to be protected. The purpose of the Data Classification Model is to define data categories, provide examples of each category, and provide a model that can be used by USNH institutions for classifying and protecting information. As such, this model is a foundation for policies pertaining to the protection of information.
6.2 Scope. This model applies to every student, faculty, and staff member at USNH, as well as any members of the general community working with or for USNH.
6.3 Delegation of Authority. The institutions within the University System shall use this policy as a model when adopting policies regarding the minimum level of protection required for each category of data. USNH Institutions may combine one or more of the USNH data categories to meet their local needs. Institutional policies shall be consistent with applicable BOT and USY policies.
6.4 Restricted Data
6.4.1 Definition: Data is Restricted if protection is legally defined and/or it is required by federal and/or state law.
184.108.40.206 SSNs and other personally identifiable information as defined by state of NH reporting requirements
220.127.116.11 Information protected by FERPA, HIPAA, FMLA and GLB
18.104.22.168 Research information that requires protection by law
22.214.171.124 Information protected through "Affirmative Action" and/or "disability regulation"
6.5 Sensitive Data
6.5.1 Definition: Data is Sensitive if controlled access is required by institutional policy, by the data proprietor/steward, by contract, for ethical reasons, and/or if it is at high risk of damage or inappropriate access. It includes data which if compromised, would result in high institutional cost, harm to clients, harm to institutional reputation or unacceptable disruption of the institution to be able to meet its mission. It includes other data explicitly identified as requiring controlled access, but it does not include restricted data as defined above.
126.96.36.199 Directory information as defined by the institution
188.8.131.52 Information that is not restricted, and is not public
184.108.40.206 Intellectual property
220.127.116.11 Information technology infrastructure, design, security, authentication stores
6.6 Public Data
6.6.1 Definition: Data is Public if it is not restricted or sensitive and it is explicitly identified as public. It includes data that may be provided to anyone without any further oversight.
18.104.22.168 Contact information of employees that is approved for publication in the public directory
22.214.171.124 Campus map that has been explicitly approved for public display
7.1 Our Commitment To Privacy
7.2 International Visitors
USNH is located in the United States (State of New Hampshire). By providing information to USNH, you are transferring your personal data to the United States. If you are providing personal information and are not a resident of the United States, your country’s laws governing data collection and use may differ from those in the United States.
7.3 The Information We Collect:
7.3.1 Personal Information
USNH collects personal information about you through our websites and mobile applications only when you voluntarily submit your information to us.
"Personal information" is any information that can be used to identify you or that may be linked to you. This information is commonly limited to the information found in a public directory, such as first name, last name, postal address, email address, and phone number.
7.3.2 Certain USNH websites allow individuals to create and maintain individualized accounts. Where these sites are concerned, users have the responsibility of maintaining the confidentiality of their accounts and passwords, and for restricting access to their computers. Users agree to accept responsibility and repercussions for all activities that originate from their accounts.
7.3.3 Log Files
USNH and our third-party vendors may automatically collect certain information regarding your use of our websites and mobile applications, but you will remain anonymous. Information collected includes:
- Your session and the pages you visit;
- Date and time of access;
- Operating system of the device through which you access USNH websites;
- Browser type and version, the monitor screen size and color depth and other plugin and program information as sent by your browser;
- Similar data and information that may be used in the event of attacks on our information technology (IT) systems.
The generic information we collect is based on IP address, which is the location of a computer or network. We may use or disclose your IP address, and data connection-specific information, to help us diagnose problems with our servers and network, and to administer our websites by identifying (1) which parts of our sites are most heavily used, and (2) where our audience comes from, from both within and outside the USNH data networks. USNH will not associate your IP address and web usage data with your specific email address or any other personal information that can specifically identify you unless required to do so by law.
7.3.4 Mobile Applications
When you install mobile applications with the publisher name “University of New Hampshire,” “Keene State College,” “Plymouth State University” or “Granite State College” from the Google Play store or Apple’s App Store, the application may ask for permission to use or access:
- GPS services
- Push notifications
The general information described above may be aggregated with the general information of all site visitors to identify and improve how our websites or applications are used. In turn, we may share this aggregate information about our site with partners or the general public. Aggregate data does not contain any information that could be used to contact or identify you.
7.3.5 Web Analytics
Some USNH websites and mobile applications (“apps”) use Google Analytics, a service provided by Google, Inc. Google Analytics places a cookie on your computer or a code embedded in the mobile application to analyze how you use the site or app. The information generated by the cookie is transmitted to and stored by Google on its servers. Google uses this information to compile reports on website and mobile activity, and then the university site and application owners use that information to improve their sites and apps. Google may also transfer this information to third parties where required to do so by law, or where such third parties process the information on Google's behalf. Google does not associate your IP address with any other data held by Google.
7.4 How We Use Collected Information:
USNH may use the information we collect:
To respond to your inquiries;
To provide services or materials you request;
To operate and understand how services are utilized;
To maintain our contact list(s);
To provide business services for which the information is intended;
To assess the effectiveness of our events, campaigns, and publications;
For information processing that is reasonably appropriate or necessary within our legal obligations.
On some pages, you can request information, make requests, and register to receive materials or make recommendations about other people. We use the personal information you provide when placing a request to complete that request to the best of our ability. We use return email addresses to answer the email we receive. Such addresses may be used to communicate further with you. You are always provided an opportunity to opt out or otherwise prohibit such uses.
We process your Personal Information for the purposes described above to facilitate transactions requested by you and to meet our contractual obligations (for example, registering you for events); on the basis of our legitimate interests (for example, website analytics); or on the basis of your consent, where applicable.
7.5 How We Share Collected Information
We do not share this information with outside parties except for the following limited purposes:
- When we have your consent to share the information;
- To the extent necessary to complete your request;
- With USNH school officials and administration;
- In response to subpoenas, court orders, or legal processes;
- As we deem necessary to protect the rights, safety or property of the University System of New Hampshire and its component institutions.
Finally, we never use or share the personally identifiable information provided to us online in ways unrelated to the ones described above without also providing you an opportunity to opt out or otherwise prohibit such unrelated uses.
If we are required to disclose information by law or court order, we will make reasonable efforts to notify any affected parties in advance.
7.6 Internet-Based Advertisements
7.7 Our Commitment To Data Security
To prevent unauthorized access, maintain data accuracy, and ensure the correct use of information, we have put in place appropriate physical, electronic, and managerial procedures to safeguard and secure the information we collect online.
7.8 Our Commitment To Children's Privacy
7.8.1 Children's Privacy
7.8.2 Information We May Collect
We may collect the following information about a child who will participate in a USNH-administered youth activity:
Date of birth (to ensure enrollment in age-appropriate activities)
Depending upon the activities in which your child chooses to participate, your child may be asked or choose to provide additional information. We do not require a person to disclose more information than is reasonably necessary to participate in an activity.
7.8.3 How We Use the Information
We use the information about your child to register your child for a USNH event and to insure appropriate content and safety for participants. USNH and its institutions will not disclose a child's information to any third party without parental authorization, except as may otherwise be required by law.
7.8.4 Parent/Guardian Consent
We will not collect or store online information from or about a child under age 13 until we have received a parent's or guardian's verified consent.
Parents or Guardians may review their child's personal information in our online databases; correct factual inaccuracies in the information collected about their child; refuse to permit us to collect further personal information from their child; and ask that information be deleted from our online records. Appropriate contact information for parents will be provided on every webpage promoting or permitting activities by children under age 13.
7.8.5 COPPA Notice Template
A Children's Online Privacy and Protection Act ("COPPA") notice template is provided for use by the institutions of USNH.
7.9 How You Can Access Or Correct Your Information
You can access all your personally identifiable information that we collect online and maintain by contacting each school directly via phone or e-mail. We use this procedure to better safeguard your information.
- Granite State College: email@example.com or 1-888-372-4270
- Keene State College: firstname.lastname@example.org or 1-603-358-2532
- Plymouth State University: email@example.com or 1-603-535-2929
- University of New Hampshire: IT.Security@unh.edu
- University System of NH (USNH): USNH.firstname.lastname@example.org
You can correct factual errors in your personally identifiable information by sending us a request that credibly shows error.
To protect your privacy and security, we will also take reasonable steps to verify your identity before granting access or making corrections.
7.10 External Links
Some USNH websites may contain links to external websites not owned by, or officially affiliated with, USNH in any way. USNH is not responsible for the privacy practices or the content of such websites.
7.11 Changes to this Policy
We reserve the right to change, modify, add or remove portions of our privacy statements at any time. Any such amendments will be noted on this page, so please visit periodically to view current statements.
8. USNH Password Policy
The purpose of this policy is to establish the standards for the proper construction, usage, handling and maintenance of passwords at all USNH institutions. This policy applies to applicant, student, prior student/alumni, employee, sponsored user, and contract/vendor level passwords.
8.2 Policy Statement
8.2.1 Password Change Frequency
126.96.36.199 All passwords associated with USNH accounts must be changed annually with the following exceptions:
- System Administrator Accounts (every six months)
- All non-primary identity accounts accessed by employees with privileged access must have passwords changed upon departure of employee.
188.8.131.52 Users will be notified of the need to change their password via formal email prior to the password’s expiration date in order to remain compliant with this policy.
184.108.40.206 Users with expired passwords shall be restricted from accessing USNH resources.
8.2.2 Password Construction
220.127.116.11 Passwords shall:
- be between 14 and 64 characters in length
- be sufficiently different from previous passwords
- contain a minimum of 5 unique characters
18.104.22.168 Passwords shall not:
- include the user’s first, last, or preferred name, the user’s USNH username, or the user’s USNH ID
- be re-used
- contain number or character sequences of 4 or more. Examples: abcd, 6789, sTuV
- contain characters repeated 4 or more times. Examples: bbbb, 8888, TttT, &&&&
22.214.171.124 Known compromised or commonly used weak passwords are disallowed.
8.2.3 Password Usage
126.96.36.199 Passwords used for USNH purposes shall not be used for purposes outside of USNH including but not limited to personal banking, Amazon, Netflix, Gmail, etc.
188.8.131.52 Passwords used for accessing USNH information technology resources that require local application accounts for authentication shall not be the same as the user’s USNH password.
- Local application accounts are accounts for official university applications that do not use USNH username and password to log in
- Examples: Salesforce, USNH Benefits
8.2.4 Password Handling
184.108.40.206 Passwords shall be treated as sensitive, confidential information.
220.127.116.11 Passwords shall not be shared with anyone, including administrative assistants or supervisors.
18.104.22.168 Passwords shall not be written down or stored on-line in clear text.
22.214.171.124 Passwords shall not be shared in email, chat, electronic forms, or other electronic communication.
126.96.36.199 Passwords shall not be spoken in front of others.
188.8.131.52 Users shall not use the "Remember Password" feature of web browsers to store USNH passwords.
184.108.40.206 Forgotten passwords shall be reset using USNH approved automated mechanisms.
220.127.116.11 Users with forgotten passwords who are unable to reset their password using automated mechanisms must provide verification of identity via the approved university process.
18.104.22.168 Members of USNH IT organizations will never ask users to provide their password for any USNH account.
8.2.5 Compromised Passwords
22.214.171.124 Users who believe their password has been compromised must notify the Service Desk/Help Desk at their institution immediately.
126.96.36.199 If USNH has reason to believe a user’s password has been compromised, the user’s access may be revoked until the password can be reset without notification to the user.
188.8.131.52 Users with potentially compromised passwords shall provide verification of their identity and must set a new password to regain access to USNH information technology resources.
This policy applies to all passwords used to authenticate to USNH information technology resources or any information technology resource that stores non-public USNH data. It does not apply to the following types of passwords, the requirements for each are defined elsewhere:
- Service Account Passwords - defined as passwords used by an information technology resource to contact or interface another information technology resource
- UNH Parent Portal Account Passwords
All USNH employees, students, applicants, sponsored users, contractors, vendors, former employees, and prior students/alumni with access to USNH systems.
Failure to comply with this policy puts USNH information at risk and may result in disciplinary action in accordance with the appropriate institutional disciplinary procedures for students, faculty, and staff, as outlined in the relevant student regulations (e.g., Student Rights, Rules, and Responsibilities), faculty handbooks, or staff handbooks. USNH Faculty or staff who are members of a University-recognized bargaining unit are covered by disciplinary provisions set forth in the agreement for their bargaining units. Contractors or vendors that fail to comply with this policy may be in violation of their contract with USNH and risk penalties up to contract termination.
Requests for exceptions to this policy must be submitted in writing to the USNH Information Security Officer and may be granted on a case by case basis based on business need and other factors.
8.7 Roles & Responsibilities
- Comply with all restrictions and requirements outlined in this policy
- Maintain the confidentiality of USNH passwords
- Report all information security events or incidents to UNH Information Security Services
8.7.2 Information Technology - Institutional
- Notification to users of expiring passwords
- Disabling of accounts with out-of-policy passwords
Authentication: Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.
Compromised Account: An account that is or has been accessed by an unauthorized party, prior to the password being changed by the authorized user.
Identity: The set of physical and behavioral characteristics by which an individual is uniquely recognizable.
Non-Primary Identity: An identity established for a USNH employee or student that is separate from their primary identity. Examples of non-primary identities are Pool, Secondary, Service, Privileged/Admin. Non-primary identities are used to provide different access than an individual’s primary identity.
Password: A trusted secret used for authentication.
Primary Identity: The identity associated with a user’s USNH username, each individual person has only one primary identity across the entire University System of New Hampshire and its institutions.
Service Account: An account used by an information technology resource to contact or interface another information technology resource.
System Administrator Account: Account associated with a non-primary identity used by members of the USNH community to administer information technology resources.
User-level Password: Passwords associated with primary and non-primary identity accounts that are used by an individual user to authenticate. Passwords used by information technology resources to authenticate to other information technology resources, without human intervention, are not user-level passwords.