Policy on Information Technology System Security

Policy Number: 709

University Records and Information Systems

The permanent link for this policy is: https://policies.northeastern.edu/policy709/

I. Purpose and Scope

Northeastern University is committed to maintaining the security of the information it collects, stores, shares, uses, and otherwise handles in the course of university business. Given the widespread deployment and diverse functions of Information Technology (IT) Systems used within the university, it is paramount that all System Owners and System Administrators understand and apply the requirements of this IT System security policy to protect University Records and Confidential Information.

This policy applies to all students, faculty, and staff considered a System Owner or System Administrator of a Northeastern IT System. IT Systems are included in the scope of this policy if they utilize or connect to any of the following: Northeastern’s Network, ITS troubleshooting or administration, OIS incident response or investigation, or a Northeastern Microsoft account (e.g., @northeastern.edu).

II. Definitions

Confidential Information: any proprietary or non-public information the unauthorized disclosure, use, alteration, or loss of which could result in a violation of Northeastern’s legal obligations or policies, or could adversely affect the university’s reputation, programs and services, safety, operations, finances, or community members. Examples of Confidential Information include, without limitation, any Personal Information of employees, students (including their educational records), applicants, and parents; financial information (including credit card numbers, bank account numbers, and university financial data); health information; non-public contracts, awards, and grants; Restricted Research Data; alumni and donor records; personnel records; system passwords; and future operational and strategic plans.

ITS: Information Technology Services (ITS) is the department within Northeastern University that manages IT Systems.

IT System: A discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of University Records and Confidential Information. These can be either university-owned systems or vendor systems.

LDAP: Lightweight Directory Access Protocol is a directory service protocol used to access and manage directory services. These services store information about users, computers, and other network resources, allowing applications to communicate and retrieve this information.

Media: Physical devices or writing surfaces including, but not limited to, magnetic tapes, optical disks, magnetic disks, Large-Scale Integration (LSI) memory chips, and printouts (not including display media) onto which information is recorded, stored, or printed.

NIST: National Institute of Standards and Technology is a U.S. government agency under the Department of Commerce. Its primary mission is to promote innovation and industrial competitiveness by advancing measurement science, standards, and technology.

OIS: The Office of Information Security, a sub-department within ITS that manages the information security of Northeastern’s IT Systems.

POAM: Plan of Action and Milestones is a document used to identify and track the remediation of security vulnerabilities or unmet requirements set forth in this policy or any security standards or specification implementing this policy. It outlines specific tasks, responsibilities, timelines, and resources needed to address identified vulnerabilities or gaps.

Process: Set of interrelated or interacting activities that transforms inputs into outputs.

Single Sign-On (SSO): Accounts that synchronize with the LDAP or Active Directory to pass authentication through several applications.

System Accounts: Privileged accounts on the in-scope IT system that are granted permissions that allow them to execute actions standard users cannot.

System Administrator: An organization or individual responsible for building and maintaining an IT System, appliance, or specific system elements. This role revolves around hands-on management of the system, usually more technical in nature than the System Owner. The administrator is also responsible for implementing approved secure baseline configurations, incorporating secure configuration settings for IT products, and conducting/assisting with configuration monitoring activities as needed.

Depending on the size of the IT System, the System Administrator responsibilities can be split across multiple skill-based subjects listed below. These subjects can be managed by separate teams across Northeastern depending on the skills necessary to carry out the following responsibilities:

    • Infrastructure: manages any servers not aligned to a specific skill-based subject listed below.
    • Network: designs, implements, and maintains the interconnected communication pathways that allow computers, servers, and other devices to exchange data across organizations.
    • Security: manages all IT Systems that require and confirm security of the environment (Sentinel, Defender, Tenable, Azure, Intune, Windows Cloud PC, etc.).
    • Desktop: manages the physical workstations and the software installed on them.
    • Identity: manages IT Systems that control identity-based access, like Entra ID.

System Owner: An individual or organization responsible for the development, procurement, integration, modification, operation, maintenance, and/or final disposition of an IT System.

University Record: any document, data, or other recorded information created or received by Northeastern in the course of university business. These records can exist in hard copy (such as paper, photographs, microfiche, or phonographs) or digital form (such as e-mail, Teams or Zoom messages, texts, chats, and other data stored in IT tools, applications, and databases). Some examples of University Records include, without limitation: employee files, student records, research proposals and related documentation, contracts, meeting minutes, correspondence, memoranda, financial records, policies and similar standards, marketing materials, drawings, and maps.

User: Individual, or an IT System process acting on behalf of an individual, authorized to access an IT System for performing a legitimate purpose. A User’s permissions are considered general with no elevated permissions on the IT System, application, or appliance they have access to within the environment. A User is authorized to create, store, use, share, archive, and delete data in accordance with defined handling requirements.

Vendor: An external (non-Northeastern) organization contractually engaged by the university to provide it with one or more services.

III. Policy

The System Owner for every in-scope IT System is responsible for confirming the completion of all requirements and procedures listed in this policy and all supporting university standards. This includes staffing the appropriate number of employees or contractors necessary to meet these requirements.

The NIST security control subjects listed in Sections A-N below each contain references to university practices and procedures that must fully meet the requirements of this policy. These practices and procedures are outlined in greater detail in the respective Northeastern standard.

A. Access Control

Access Control (AC) seeks to establish Northeastern’s IT System access requirements, manage access to its IT Systems, and implement mechanisms to limit access to University Records and Confidential Information.

AC covers:

    1. Establishing IT System Access Requirements.
    2. Controlling Internal IT System Access.
    3. Controlling Remote IT System Access.
    4. Limiting Data Access to Authorized Users and Processes.
    5. Restricting Unauthorized Access, Requiring Users to Use Only Northeastern-assigned Accounts.
    6. Establishing Authorization Levels for Accessing University Records and Confidential Information.

For more details around the implementation requirements of the AC subject, please refer to the Access Control standard here: Northeastern University Access Control Standard – Office of Information Security

B. Awareness and Training

The Awareness and Training (AT) subject focuses on assigning security awareness training to all Users on a regular basis. This training seeks to reduce security risks to Northeastern by requiring that individuals be aware of potential threats and the means for reporting and mitigating them. AT requires appropriate role-based training during the onboarding process and annual training for existing employees before accessing Northeastern’s IT Systems.

For more details around the implementation requirements of the AT subject, please refer to the Awareness and Training standard here: Northeastern University Awareness and Training Standard – Office of Information Security.

C. Audit and Accountability

The Audit and Accountability (AU) subject focuses on requiring certain audit logs to be captured by IT Systems within the Northeastern environment. To balance monitoring and auditing requirements with other IT System needs, a measured approach is used to identify the appropriate subset of event types to be captured and logged. Accountability requires that audit logs are appropriately protected and reviewed to identify indicators of IT Systems issues or suspicious User activity.

AU includes:

    1. Defining Audit Requirements.
    2. Performing Auditing.
    3. Identifying and Protecting Audit Information.
    4. Reviewing and Managing Audit Logs.
    5. Defining the University’s Right to Monitor User Activity and Access Logs.
    6. Requiring Regular Access Log Reviews of Institutional Data.

For more details about the implementation requirements of the AU subject, please refer to the Audit and Accountability standard here: Northeastern University Audit and Accountability Standard – Office of Information Security.

D. Configuration Management

The Configuration Management (CM) subject focuses on establishing configuration baselines for Northeastern IT Systems and assets and requires that configuration and change management procedures are in place to protect IT Systems.

CM includes:

    1. Establishing Configuration Baselines.
    2. Performing Configuration and Change Management.

For more details around the implementation requirements of the CM subject, please refer to the Configuration Management standard here: Northeastern University Configuration Management Standard – Office of Information Security.

E. Identification and Authentication

The Identification and Authentication (IA) subject focuses on establishing the identity of an entity (e.g., individual, IT System, process, application, appliance) interacting with another entity prior to granting access to an IT System. Identification is achieved by requiring that all entities within the organization are unique and traceable to the owner of the identity. Authentication is the act of proving the assertion that an entity using an identity truly is the authorized entity. IA establishes the foundation on which many of the cybersecurity capabilities within the university environment operate, such as AC and AU. University Records and Confidential Information are among the most valued assets of the university, and access carries with it the responsibility to safeguard and protect this information from loss of confidentiality, integrity, and availability.

IA covers:

    1. Granting Access to Authenticated Entities.
    2. Defining Password Security Requirements for IT Systems.

Password Requirements for IT System Accounts

Passwords to all Northeastern University IT System accounts (including Vendor systems) must meet the defined University Password Standards.

Password Requirements for Vendor IT Systems

To achieve an appropriate strength of password complexity and adherence to the University Password Standards, access to University Records and Confidential Information, when provided through a Vendor’s application, should have established ACs using credentials and passwords synchronized through the university’s LDAP or Active Directory (AD) systems.

Where access to Vendor applications cannot be established through the use of LDAP or AD systems, the Vendor is required to establish password controls that meet the University Password Standards, except where technically infeasible.

Password Requirements for IT Systems that Cannot Meet University Password Standards

For systems not technologically able to reach the minimum password requirements as stated in this Section E, passwords must be at least 10 characters in length, if possible, and systems must incorporate industry standard security procedures to protect User accounts. The System Owner is required to file a POAM with ITS explaining why it is not technically feasible and what mitigating controls will be implemented.

For more details around the implementation requirements of the IA subject, including password requirements, please refer to the Identification and Authentication standard here: Northeastern University Identification and Authentication Standard – Office of Information Security.

F. Incident Response

The security Incident Response (IR) subject focuses on preparing, detecting, containing, eradicating, and recovering from security incidents. IR focuses on mitigating the risks from security incidents by responding to them effectively and efficiently and restoring systems to normal operations.

IR covers:

    1. Planning Incident Response.
    2. Detecting and Reporting Events.
    3. Developing and Implementing a Response to a Declared Incident.
    4. Testing Incident Response.
    5. Reporting Security Breaches Involving Northeastern Data When Required by Applicable Law.
    6. Defining the University’s Rights to Take Action in the Case of Policy Violations.

For more details around the implementation requirements of the IR subject, please refer to the Incident Response standard here: Northeastern University Incident Response Standard – Office of Information Security.

G. Maintenance

The Maintenance (MA) subject establishes the methods for Northeastern IT Systems’ upkeep, preserving good working order, and minimizing the risk of software and hardware failure.

MA covers:

    1. Managing Maintenance.

For more details around the implementation requirements of the MA subject, please refer to the Maintenance standard here: Northeastern University Maintenance Standard – Office of Information Security.

H. Media Protection

The Media Protection (MP) subject focuses on managing the risks of accessing, storing, transporting, and protecting Media containing University Records and Confidential Information. MP also directs the proper sanitization and destruction of Media containing Confidential Information.

MP covers:

    1. Protecting and Controlling Media.
    2. Sanitizing Media.
    3. Protecting Media During Transport.
    4. Defining University Record Retention Timelines (including Retention Rules for Student Health Records).
    5. Requiring All University Records and Confidential Information to Be Used Only for University-approved Purposes and Defining Restrictions for Accessing High-risk/Critical Confidential Information.
    6. Requiring Users to Follow Local, State, Provincial, National, and Federal Laws.
    7. Enforcing Control Laws When Handling Certain Types of Confidential Information.

For more details around the implementation requirements of the MP subject, please refer to the Media Protection standard here: Northeastern University Media Protection Standard – Office of Information Security.

I. Personnel Security

The Personnel Security (PS) subject seeks to minimize the associated risks to Confidential Information in IT Systems accessed by Northeastern employees (e.g., staff and faculty) and Vendor personnel utilizing screening and protection capabilities.

PS includes:

    1. Screening Personnel.
    2. Protecting the University During Personnel Actions.

For more details around the implementation requirements of the PS subject, please refer to the Personnel Security standard here: Northeastern University Personnel Security Standard – Office of Information Security.

J. Physical Protection

The Physical Protection (PE) subject uses multiple security measures in a layered defense to limit physical access to IT Systems, equipment, and operating environments that contain University Records and Confidential Information.

PE includes:

    1. Limiting Physical Access.
    2. Escorting and Tracking Visitors.

For more details around the implementation requirements of the PE subject, please refer to the Physical Protection standard here: Northeastern University Physical Protection Standard – Office of Information Security.

K. Risk Assessment

The Risk Assessment (RA) subject seeks to establish methods and processes by which the university will identify and manage risks associated with all IT Systems.

RA includes:

    1. Identifying and Evaluating Risk.
    2. Managing Risk.

For more details around the implementation requirements of the RA subject, please refer to the Risk Assessment standard here: Northeastern University Risk Assessment Standard – Office of Information Security.

L. Security Assessment

The Security Assessment (CA) subject focuses on the testing and/or evaluation of the security controls implemented for IT Systems to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the IT Systems. This subject also focuses on the continuous monitoring of security controls to maintain ongoing awareness of security vulnerabilities and threats to support organizational risk management decisions.

CA includes:

    1. Developing and Managing an IT System Security Plan.
    2. Defining and Managing Controls.
    3. Creating and Maintaining a POAM for any Security Control Gaps.
    4. Requiring Compliance Assessments for Handling Northeastern Data.

For more details around the implementation requirements of the CA subject, please refer to the Security Assessment standard here: Northeastern University Security Assessment Standard – Office of Information Security.

M. IT System and Communications Protection

The System and Communications Protection (SC) subject focuses on controlling, protecting, and monitoring communications at key IT system and network boundaries. Architectural designs, software development lifecycles, and secure IT Systems engineering principles are leveraged to promote IT System and communications security.

SC includes:

    1. Defining Security Requirements for IT System and Communications.
    2. Controlling Communications at IT System Boundaries.

For more details around the implementation requirements of the IT SC subject, please refer to the IT System and Communications Protection standard here: Northeastern University System and Communications Protection Standard – Office of Information Security.

N. IT System and Information Integrity

The System and Information Integrity (SI) subject focuses on requiring that systems are free from flaws and that data integrity is maintained. SI is achieved by identifying and remediating flaws and preventing malicious content from entering IT Systems.

SI covers:

    1. Identifying and Managing IT System Flaws.
    2. Identifying Malicious Content.
    3. Performing Network and IT System Monitoring.

For more details around the implementation requirements of the IT SI subject, please refer to the IT System and Information Integrity standard here: Northeastern University System and Information Integrity Standard – Office of Information Security.

The OIS is responsible for reviewing this policy and its supporting standards annually, at minimum, and making updates based on changes to Northeastern’s operational environment. OIS is responsible for disseminating and/or communicating all related updates to the relevant stakeholders in a timely manner.

Northeastern recognizes that, on rare occasions, there might be one or more compelling reasons to consider allowing an organization to operate outside of the criteria defined in this policy. To facilitate this process, the System Owner must petition OIS for a risk-based exception by completing and submitting a POAM. All approved policy exceptions must be formally documented by the Northeastern Chief Information Security Officer (CISO) and indicate the anticipated exception duration (temporary, long-term, etc.). All risk-based exceptions must be reviewed by the CISO, at minimum, during each review period for this policy, with the goal of rescinding the exceptions by moving the systems into compliance with this policy.

Failure to comply with this policy may result in disciplinary action, up to and including termination (in Canada, termination for cause). Under export control and other laws relating to data protection, violations might also subject the violator to criminal or civil prosecution.

IV. Additional Information

N/A

V. Contact Information

Northeastern University CISO, Office of Information Security, OIS@northeastern.edu, 617-373-4357

To report risk to, or loss/unauthorized disclosure of, sensitive or personal data, click here: Office of Information Security

For questions about this policy: Office of Information Security

For privacy-related questions: privacy@northeastern.edu

Version History

Last Revision Date: November 17, 2025
Issued: September 23, 2025