Information Technology Services
ITS Security Policy
Date Issued: 04/05/2011
Policy No.: ITS-020
The purpose of this policy is to help secure the private and sensitive electronic related information of the faculty, staff, students, and others affiliated with the University and to prevent the loss of electronic information that is critical to the operation of the University.
Compliance procedures for this policy are specified in the Information Technology Acceptable Use Policy.
Business Owner – Individuals responsible for managing the data on enterprise applications. These individuals generally determine the rights and access privileges for those users.
Enterprise Systems – Software systems designed to integrate many aspects of an organization's operations and processes (e.g., Banner, Resource 25, Raiser's Edge, PeopleSoft, Blackboard Transact, etc.).
System Administrators – Technology individuals responsible for administering the configuration and security for enterprise applications.
Network Administrators – Technology individuals responsible for administering the configuration and security for network related equipment.
Awareness and Education
This policy shall be reviewed annually on or before July 1. ITS will notify all campus users of any changes to this policy on or before September 1.
ITS may also distribute quarterly email security awareness updates for all campus end users.
Each year, ITS will perform a risk assessment before July 1 to identify information technology threats and vulnerabilities. This annual risk assessment will result in a formal risk assessment report. The results of this risk assessment will be presented to the President's Cabinet.
ITS will maintain information technology security awareness material for all new employees. This material will be made available to Human Resources for all new employees. Human Resources will verify that employees are presented with the material upon hire.
Users who have valid reasons for accessing enterprise systems (as determined by the user's manager and the appropriate business owner) are granted access privileges to these systems, which will be assigned as appropriate by business owners. Access will be granted by means of a computer account, which also serves to identify the user's activity within the system.
User accounts are intended for individual use only. The sharing of these accounts with other University and non-University personnel is strictly prohibited. If users believe that their account has been compromised, they should contact the ITS help desk immediately.
An authorization form is required for all enterprise system accounts. This authorization form specifies the privileges and the usage for individual users. All authorization forms must be approved by the business owner, the user's direct manager, and the Chief Information Officer. The access rights for privileged users must be restricted to the least privileges necessary to perform job responsibilities. Privileges must only be assigned based on job classifications and functions.
If a user account is inactive for 6 months, ITS will recommend to the business owner, the user, and the user's direct manager that the account be disabled.
From time to time general users may be assigned remote access to electronic resources. Once their access is no longer required, those services must be removed immediately. If remote access to those services becomes inactive for 6 months the accounts associated with remote access will be disabled.
From time to time contractors may be assigned (remote or onsite) access to electronic resources. Once their access is no longer needed or when their contract has expired, access to those services must be removed immediately.
All business owners for identified enterprise applications must review yearly the business classifications with ITS. These classifications are based on user type and permitted access. The business owners must also review the summary of end users with access to enterprise applications with ITS.
All system administrators for identified enterprise applications must review user accounts and associated privileges twice per year and produce a report showing who is authorized to use the system and their level of authorization for all enterprise systems. This report is due to the Chief Information Officer on or before January 15th and July 15th of every year.
When employees terminate employment or change positions within the University, Human Resources should immediately contact ITS to ensure that the proper changes to user accounts have been made. All system administrators will monitor security-related updates for all core systems and networking components. These updates will be applied to the core systems regularly. All system administrators must review and document the major systems quarterly and produce a report to the Chief Information Officer showing all system security upgrades and patches. This report is due on or before the following dates:
- January 15
- April 15
- July 15
- October 15
All network administrators must review and document the network diagram (both wired and wireless) and the rules of the associated major components (routers, firewalls, packet shaper, etc.) twice per year and produce a report showing all connections to systems that store or handle sensitive data. This report is due to the Chief Information Officer on January 15th and July 15th of every year.
All network administrators will monitor security-related updates for all core networking components. These updates will be applied to the core networking components at least once per month. All network administrators must review and document the network equipment (both wired and wireless) quarterly and produce a report showing all network security upgrades and patches for the major components (routers, firewalls, packet shaper, etc.). This report is due on or before the following dates:
- January 15
- April 15
- July 15
- October 15
Information Technology Code of Ethics
All ITS professionals as well as other university employees responsible for administering information systems are responsible for maintaining and protecting the confidentiality of data. These individuals must adhere to the Information Technology Services Code of Ethics.
Custom Application Software
All custom application code for web applications that access enterprise applications must be reviewed by qualified ITS employees. If developed by ITS, the code changes must be reviewed by individuals other than the originating code author. Reviews must ensure that code is developed according to secure coding guidelines. All code reviews must then be approved by the Director of Enterprise Applications prior to release.
All public facing web applications that access enterprise applications must be reviewed annually and after changes. A report of this review will be provided to the Chief Information Officer on January 15 of every year.
The Chief Information Security Officer will compile a list annually (on or before July 15) of the service providers that have access to cardholder (credit card) data. This list will include verification of the following:
- A written agreement, acknowledged by the service providers, of their responsibility for securing cardholder data.
- Verification of policies and procedures and verification that they were followed including proper due diligence prior to engaging any service provider.
- Verification that the entity maintains a program to monitor its PCI DSS compliance status.
Reporting Security Incidents
University employees aware of any breach of information or network security, or any compromise of computer or network security safeguards, are expected to report such situations to ITS immediately following discovery of the incident. When warranted by preliminary review, University Police, Internal Audit, and other University departments or external law enforcement authorities may be contacted as appropriate.
Technical Logs
All security logs should be reviewed daily. If exceptions are discovered, those exceptions should be brought immediately to the attention of the Chief Information Officer. All security logs should be retained for two years. All logs for the past three months must be available for immediate analysis.