The processes listed on this page have not been approved by the General Counsel but are recommended by Information Technology Services (ITS) for keeping the university successfully functioning. It is highly preferred that university employees follow these processes. Instances in which users do not follow said standards are subject to review on a case-by-case basis and may be subject to consequences as deemed necessary.
With the implementation of PeopleSoft Enterprise systems, functional areas took on the responsibility of scheduling their own processes within the systems. Each process must be run under a specific user account. On occasion, the person associated with a scheduled process either leaves the University without transferring or cancelling those scheduled processes, or the person may be on leave for an extended period of time, either expectedly or unexpectedly. On such occasions, issues with scheduled processes cannot be easily addressed by others in that functional area or within the technical support area. This policy governs the creation and administration of departmental scheduling accounts within the PeopleSoft Enterprise systems at BGSU that will enable a process whereby those scheduling responsibilities can be transferred to others without or with minimal disruption in service.
Department scheduling accounts for CSS, HCM and FMS are permitted only when they can be tied to an individual. That individual is responsible for protecting and maintaining the password associated with that account, and for using the account in accordance with the BGSU Information Technology Policy. No password sharing is permitted for any reason. When an account holder leaves the University, for any reason, the account holder's supervisor may authorize a transfer of that scheduling account to another staff member immediately or to an appointed person in Information Technology Services (ITS) until a permanent staff member is identified. The account password must be changed and the associated BGSU Id number transferred to the new account holder. If the original account holder returns to campus, the supervisor can then authorize a reversal of the process to assign the account back to the original account holder. In any case of an account transfer for any reason, a new password will be created for the account.
BGSU ITS Procedures Associated with Departmental Scheduling Accounts (found below).
|Applicability:||All University Units|
|Policy Administrator:||Office of the CIO|
||March 19, 2018
PROCEDURE OVERVIEW / GENERAL DESCRIPTION
This document outlines the procedures for obtaining, transferring and decommissioning a departmental scheduling account. Departmental scheduling accounts are governed by the Departmental Scheduling Account Policy, which explains when it is appropriate to request such an account and how the account must be handled when it is being transferred from one individual in a campus department to another.
Associated Policy: BGSU ITS Departmental Scheduling Account Policy
AREAS OF RESPONSIBILITY
Departmental Scheduling Account Owner: Will request a departmental scheduling account for scheduling processes within CSS, HCM or FMS. This account will be separate from the individual’s personal account and will be used for scheduling and managing output from a scheduled process. If the account owner is going to be out of the office for an extended period of time, it is the account owner and his/her supervisor’s responsibility to transfer the account ownership to another employee within the account owner’s department. The account owner must never share the password associated with the account with anyone else inside or outside of his/her office. If the account owner leaves the department or University under good terms, he/she should transfer the account to another individual in the office who can then take over the processes associated with the account without disruption in the scheduling of those processes.
ITS Security Team: Will set up departmental scheduling accounts in CSS, HCM and FMS and manage passwords associated with those accounts. Will reassign BGSU emplids associated with the accounts as requested and approved by departmental supervisors and/or ITS management.
ITS Application Area: In the event that a departmental scheduling account owner leaves unexpectedly, an appointed person in the ITS area may need to temporarily be assigned the departmental scheduling account access until the account can be transferred to another account holder or the account can be decommissioned and all processes running under that account can be terminated.
Obtaining a Departmental Scheduling Account
To obtain a departmental scheduling account, submit the appropriate Security Request for the area involved via the online request form. The form is accessible through the “Security Request” link within the myBGSU portal under Misc Services. After selecting the appropriate environment, complete the form for the account holder as follows:
- Name, title, BGSU username and BGSU Id, phone number of person who will own the departmental scheduling account
- Department name
- Role/Roles that need to be assigned to this account
- Indicate within the Comment box that this is a departmental scheduling account. Include other information like:
- What department the account is for (if different than what was listed at the top of the form)
- What email address should be associated with the account
- What should appear in the account description
- Include any row level security that would be appropriate for this account
Transferring a Departmental Scheduling Account
To transfer ownership of a departmental scheduling account from one staff member to another, complete the appropriate Security Request form for the area involved. The request should include:
- Name, title, BGSU username and BGSU Id, phone number of the person to whom the account is being transferred (under “This Request is for:”)
- Department name (of transferee)
- Within the Comment box, indicate that this is request to transfer the following departmental scheduling account:
- Name of the departmental scheduling account being transferred
- Name and BGSU Id of person who currently owns the account
- Name and phone number of department contact person
- Date when account transfer is needed
Decommissioning a Department Scheduling Account
To inactivate or remove a departmental scheduling account, complete the online Security Request form for the area involved. The request should include:
- Name, Title, BGSU username and BGSU Id, phone number of Person Who Owns the Departmental Scheduling Account
- Department Name
- Within the Comment box, indicate that this is request to remove the following Departmental Scheduling Account:
- Name of the Departmental Scheduling Account Being Removed
- Name and Phone Number of Department Contact Person
- Date when Account Should be Removed
- Name and email Address of the Supervisor Authorizing/Requesting the Removal of this Account
Before removing or inactivating the account, the security administrator will contact the appropriate lead or manager in the applications area to verify that there are no active scheduled processes associated with account. If there are active processes, the lead or manager will need to work the department contact or supervisor to make sure that those processes are cancelled or that they are handled appropriately. The applications area will need to make sure that no process is abandoned without an owner before the account is inactivated (or locked).
|Applicability:||All University Units|
|Policy Administrator:||Office of the CIO|
||March 19, 2018|
These guidelines are put in place to help mitigate the occurrence and/or impact of phishing attacks in the form of links in email messages on the BGSU community. Since 2016, BGSU has experienced an average of over 1000 compromised accounts per year. Phishing attacks are aimed at accessing personal information or other University resources for financial gain. Information obtained could be used to:
- Leverage access the user has to steal sensitive information that can be sold or used in more advanced attacks.
- Leverage access the user has to steal money directly from the user or the University.
- Leverage the account in more advanced phishing attacks against higher value targets moving forward.
Many phishing attacks are disguised in the form of a clickable link/URL in an email. The link looks like it will take you to a specific or familiar destination, but in reality, it does not. Typically, these links are configured to do one of the following:
- Take the user to a malicious webpage that attempts to install malware on the user's computer. The malware can do anything from retrieve the user's password to encrypting or stealing data from the user's device.
- Redirect the user to a fraudulent login page where the user enters their username and password under the impression that they are logging in to a legitimate BGSU website. From this page, hackers can access the user's password which can then be used to log in and access protected BGSU services.
Thus, Information Technology Services (ITS) recommends that URLs and clickable links be eliminated from email messages wherever possible in order to prevent the BGSU community from becoming conditioned to automatically clicking on email URLs without consideration.
These guidelines apply to all University emails sent out regularly, on a large scale or from a department/college email account; including but not limited to: marketing/promotional emails, mass emails, and emails from BGSU applications, etc. Any time an email is sent to a user with a request to click and follow a link, the user becomes more desensitized to the inclusion of links in messages and is more likely to follow a link without considering or investigating its origination or actual destination. Excluding links from messages whenever possible will help our users stay vigilant and to think twice before clicking on a URL. URLs to avoid in particular are any that require the user to enter their BGSU username and password.
These guidelines apply to all departments, colleges or entities operating on behalf of the University.
The BGSU Information Security Office considers exclusions on a case-by-case bases. To submit an exclusion for review, please email firstname.lastname@example.org
In lieu of including URLs in messages, ITS recommends including navigation instructions in their place. Please see the below example.
Rather than including a direct link to the Class Search page in MyBGSU, provide the following instructions:
From the BGSU homepage select MyBGSU in the top right corner of the screen. Log in with your BGSU username and password and then select Student Center. Select the Classes & Registration tile and then select Class Search from the left navigation menu.
|Applicability:||All University Units
|Guideline Administrator:||Office of the CIO|
||May 21, 2020|