Polytechnic University Department of Computer and Information Science Security Policy

Table of Contents

• 1. Introduction
  • 1.1 Policy Goals
  • 1.2 Appropriate Use
• 2. Computer Security Policy
  • 2.1 Authorized Users
  • 2.2 Policy Applicability
  • 2.3 Policy Statements
  • 2.4 Policy Administration
  • 2.5 Electronic Mail Privacy
  • 2.6 Auditor Access
    • 2.6.1 Internal Auditors from the University
    • 2.6.2 State and Federal Auditors
• A. Password Management
  • A.1 Password Selection
  • A.2 Password Handling
• B. Disaster Recovery
  • B.1 Data Backup
    • B.1.1 Personal Data Backup
  • B.2 Contingency Planning
• C. Personnel Security
  • C.1 Employee Requirements
  • C.2 Security Awareness and Training
  • C.3 Employee Accountability
  • C.4 Hiring and Termination Procedures
• D. Contact Information and Roles

Polytechnic University Department of Computer and Information Science Security Policy

$Revision: 1.4 $ Last modification $Date: 2001/12/08 15:34:29 $

1. Introduction

This document constitutes the security policy of the Computer and Information Science (CIS) Department at Polytechnic University. The policy is intended to allow for the proper use of all computing equipment and network infrastructure owned by and/or administered by the CIS department. This policy is intended to supplement, not replace, all existing laws, regulations, agreements, and contracts that currently apply to computing and networking services. This policy is further intended to supplement -- not relax or weaken -- the University-wide computing and security policies. (1).

1.1 Policy Goals

The department's security policy is intended to protect the department's computing resources and infrastructure from natural and human hazards. The policy is designed to:

• Protect the physical security of the department's computers.
• Maintain the integrity of information stored on the department's computers.
• Assure the continued operation and availability of the department's computers.

1.2 Appropriate Use

Access to computer systems is a privilege, not a right. Appropriate use should always be legal and ethical. Users should reflect academic honesty, mirror community standards, and show consideration and restraint in the consumption of shared resources. Users should also demonstrate respect for intellectual property; ownership of data; system security mechanisms; and individual rights to privacy and to freedom from intimidation, harassment, and annoyance.

2. Computer Security Policy

2.1 Authorized Users

Authorized users are current faculty, staff, and graduate students of the CIS department. Undergraduate students may be granted access to certain computing facilities if enrolled in a course which uses these facilities, or if granted access by a faculty member.

2.2 Policy Applicability

The computer security policy applies to all users of the department's computing facilities.

2.3 Policy Statements

It is the policy of the CIS department that:

1. Computing resources are valuable assets; unauthorized use, alteration, or destruction of computing resources is forbidden.
2. Attempting, or assisting someone else, to circumvent, bypass, or disable security access controls on any department computer is a violation of this policy.
3. Intentionally conducting any activity which denies computer service to others or which interferes with another's ability to use the computing facilities is forbidden.
4. Accessing or copying, or attempting to access or copy, another user's files or electronic mail without explicit permission is forbidden.
5. Users must inform system administrators or the security officer if they believe the security of a computer system has been compromised, or if they are aware of any situation which would allow a computer system's security to be compromised.
6. In electronic communications users must identify themselves properly. It is a violation of this policy to mis-identify oneself as another person in any electronic communication such as e-mail.
7. Computer logon ids may be used only by the person to whom they are assigned. Users are expected keep their passwords private. Permitting others to use their login ids is a violation of this policy.
8. User and system passwords should be changed frequently. Password guidelines are provided below.
9. Use of the department's computing facilities to harass another is explicitly prohibited. Examples of harassment include, but are not limited to,
   • Sending chain letters or other unsolicited e-mail.
   • Sending obscene, intimidating, insulting, or threatening e-mail.
   • Altering another user's files with out their explicit consent.
   • Changing or making public another user's password.
   • Sending e-mail purporting to be from another person.
10. The department respects the privacy of all users; however the department retains the right to inspect files suspected of causing: disruption of, or damage to, computing resources; violations of the University's or the department's behavior guidelines; or State or Federal law. Information that staff obtain through such inspection or through any other privileged access is to be treated as confidential.
11. All end-user personal computers and workstations should have virus protection software installed, and should be routinely scanned for viruses.
12. All departmental computers should have appropriate security patches and safeguards installed.
13. All departmental computers which are accessible on the public Internet should have all non-essential services disabled, to minimize the possibility of security compromises. Access lists should be used where practical to restrict access and further reduce the possibility of break-in.
14. All departmental computers which provide shared services, such as file and mail servers, will be physically protected by appropriate doors and locks.
15. System administrators may routinely monitor usage or network traffic for the purposes of detecting unauthorized computer use or security violations (break-ins).
16. Violations of this computer security policy will be reported to the departmental security officer, or to the University security officer.
17. The department or its system administrators may restrict or refuse the use of computing resources to anyone who violates its policies or to anyone whose usage interferes with or damages the work of others.
18. Persons violating the computer security policy are subject to loss of computing privileges and academic discipline by the department.
19. Persons violating the computer security policy may be reported, at the department's discretion, to applicable University disciplinary authorities or to the appropriate legal authorities.

2.4 Policy Administration

The computer security policy is administered by the computer security officer. The policy is maintained by the computer security officer and the department's faculty liaison. The policy will be reviewed annually and updated as appropriate.

2.5 Electronic Mail Privacy

Users should not expect total privacy of electronic e-mail. Administrators may see the contents of e-mail when it is mis-addressed, or in the normal course of maintaining the e-mail system. When an administrator does see the contents of electronic e-mail they are required to keep the contents confidential.

2.6 Auditor Access

2.6.1 Internal Auditors from the University

• Internal Auditors have access to all University activities, records, property, and employees in the performance of their duties.
• For non-investigative audits, access requests for Information Resources and data files will be made to the data owner and the administrative management of the organization operating the computers and information resources, as appropriate.
• For investigative audits, access requests for information resources and data files will be made to the appropriate administrative management level of the organization operating the computers and information resources.
• Internal Audit access to data files will be provided as specifically requested by Internal Audit; however, whenever practical, Internal Audit will utilize hard copy output or data file copies.
• Read only access will be granted, unless specific instructions are provided, to ensure proper safeguards for continued integrity and availability of data files.

2.6.2 State and Federal Auditors

• State and Federal auditors will be granted access to Information Resources and data files on an as needed basis after coordination with the Internal Auditors and data owners, and after proper training requirements are met.

A. Password Management

Passwords are used to ensure that a user's computer login is used only by that person. Having a password which is easily guessed or discovered not only allows access to that user's files, but may allow the department's computers to be used to steal other user's computer login or to launch attacks against other computers.

For this reason passwords should be chosen and protected using the following guidelines.

A.1 Password Selection

Passwords should never be words (in any language!) or proper names. Some rules to follow:

• Use both uppercase and lowercase letters if the computer system considers an uppercase letter to be different from a lowercase letter when the password is entered.
• Include digits and punctuation characters as well as letters.
• Choose something easily remembered so it doesn't have to be written down.
• Use at least 8 characters. Password security is improved slightly by having long passwords.
• A password should be easy to type quickly so someone cannot follow what was typed by watching the keyboard.
• Use two or more short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON.
• Put together an acronym that has special meaning to you, like NOTFSW (None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat Green Cheese At Night).

A.2 Password Handling

• A standard admonishment is "never write down a password." You should not write your password on your desk calendar, on a Post-It label attached to your computer terminal, or on the pull-out drawer of your desk.
• A password you memorize is more secure than the same password written down, simply because there is less opportunity for other people to learn a memorized password. But a password that must be written down in order to be remembered is quite likely a password that is not going to be guessed easily. If you write a password in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote. If you must write down a password, follow a few precautions:
  • Do not identify the password as being a password.
  • Do not include the name of the account or the phone number of the computer on the same piece of paper. Do not attach the password to a terminal, keyboard, or any part of a computer.
  • Mix in some "noise" characters or scramble the written version of the password in a way that you remember, but make the written version different from the real password.
  • Never record a password on-line and never send a password to another person via electronic mail.

This information on passwords was adapted from the book Practical UNIX Security by Simson Garfinkel and Gene Spafford.

B. Disaster Recovery

B.1 Data Backup

Shared departmental computers are backed up regularly on-site to provide protection against hardware failures and other disasters. Backups are also rotated off-site regularly.

B.1.1 Personal Data Backup

Personal computers are not backed up centrally. Furthermore, backups for shared departmental computers may not be frequent enough to satisfy all user's requirements. It is strongly recommended that users make personal backups of critical data.

B.2 Contingency Planning

Contingency plans specify procedures designed to:

• identify and respond to disasters
• protect personnel, systems, and datq
• to provide critical services with all or portions of the computing facility unavailable
• to recover full service capability

A contingency plan is currently under review.

C. Personnel Security

C.1 Employee Requirements

Every employee is responsible for systems security. Security responsibility is part of each administrator's job description; violations of security policy may be cause for disciplinary action.

C.2 Security Awareness and Training

Regular meetings are held at which current and pending security issues such as CERT incident reports are discussed and reviewed, and new potential risks are identified and planned for.

Employees are required to follow security publications and to make use of all security resources (such as mailing list subscriptions and notification services) in order to keep abreast of pertinent security issues in their areas of expertise.

C.3 Employee Accountability

Employees with administrator access to computing systems acknowledge:

• The security requirements of the systems they administer and their responsibility to maintain the security of these systems.
• Each individual user's right to privacy.
• The department's policy that any information that staff obtain through any privileged access is to be treated as confidential.

C.4 Hiring and Termination Procedures

Upon termination of a person who occupies a position of special trust or responsibility, or is working in a sensitive area, management should revoke all access authorizations and logons. Furthermore, all passwords allowing privileged access, and all physical locks and combinations should be changed upon that person's departure.

D. Contact Information and Roles

Footnotes

(1)

We gratefully acknowledge the contributions of the informative and thorough security policies at Texas A&M University and at the University of California, Davis, upon which portions portions of this policy are based

This document was generated on 8 December 2001 using texi2html 1.56k.