Policy AD20 COMPUTER AND NETWORK SECURITY

Contents

  • Purpose
  • Scope
  • Policy
      • I. General
      • II. Responsibilities
      • III. Reporting Security Incidents / System Vulnerabilities
  • Sanctions for Policy Violations
  • Course and Work-Related Access to Computers and Computer Networks
  • Exceptions and Exemptions
  • Copyright Infringement
  • Cross References

    PURPOSE:

    To establish conditions for use of, and requirements for appropriate security for University Computer and Network Resources (as defined in the Glossary of Computer Data and System Terminology, ADG01).

    SCOPE:

    This policy is effective at all University locations and applies to all system users at any location, including those using privately owned computers or systems that connect to University Computer and Network Resources.

    This policy represents the minimum requirements that must be in place. In general, this policy is not intended to inhibit access to information services that University employees and students have made accessible for public inquiry (e.g., WWW) via University Computer and Network Resources. However, use of such services to access or attempt to access information not intended for public display or use, or to circumvent or violate the responsibilities of system users or system administrators as defined in this policy, is prohibited. Additionally, servers are not allowed on campus residence hall network connections except on the basis of a written request of a faculty member for a specific academic purpose and the explicit concurrence of the Vice Provost for Information Technology or designee.

    POLICY:

    I. GENERAL:

    Appropriate security shall include protection of the privacy of information, protection of information against unauthorized modification, protection of systems against denial of service, and protection of systems against unauthorized access.

    University Computer and Network Resources may be accessed or used only by individuals authorized by the University. Issuance of an account to a system user must be approved by an authorized University representative, as designated in this policy, AD23, and Administrative Guidelines ADG01 and ADG02. Any computer, computer system, network or device connected to University Computer and Network Resources will be subject to and must comply with the University's Administrative Guideline ADG02 - "Computer Facility Security." Any question with regard to whether a specific use is authorized must be referred to the Security Operations and Services Director.

    In order to protect the security and integrity of Computer and Network Resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the University reserves the rights, at its sole discretion, to limit, restrict, or terminate any account or use of Computer and Network Resources, and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine authorized use. The University also reserves the right to inspect or check the configuration of Computer and Network Resources for compliance with this policy, and to take such other actions as in its sole discretion it deems necessary to protect University Computer and Network Resources. The University also reserves the right to control and/or manage use of the frequency spectrum within the boundaries of all University locations. System users and units of the University are required to report transmitting devices and their characteristics to University officials, if so requested. The University reserves the right to require those units or individuals found to have such devices which interfere or are suspected to interfere with operation of centrally managed University systems, to discontinue use of such devices, and, if necessary, to remove them from University property.

    The University shall not be liable for, and the user assumes the risk of, inadvertent loss of data or interference with files resulting from the University's efforts to maintain the privacy, integrity and security of the University's Computer and Network Resources.

    The University is not responsible for the content of users' personal web spaces, nor the content of servers, programs or files that users maintain either in their personally allocated file areas on University-owned computer resources or on personally-owned computers connected to the University's Computer and Network Resources. (Note: Servers are not allowed on campus residence hall networks except on the basis of a written request of a faculty member for a specific academic purpose and the explicit concurrence of the Vice Provost for Information Technology or designee. Server is defined as a computer or computer program that provides or “serves” data, files or processing power to other computers/computer programs on a network. Examples of servers may include (but are not limited to) Web servers, mail servers, print servers or file servers.)

    The University reserves the right to suspend network access or computer account(s), or to impose sanctions as defined in this policy if user-maintained files, programs or services are believed to have been operating in violation of either law or policy. Additionally, the University retains the right subject to applicable law and policy to search and/or seize, for investigative purposes, any personal hardware or systems connected to University Computer and Network Resources if there is cause to suspect that such hardware or systems were used either in violation of federal, state or local law, or in violation of the terms and conditions set forth in University policies governing computer and network usage. Restoration will be at the sole discretion of the University. The University shall, to the full extent required under law, cooperate with all legal requests for information, including, but not limited to, disclosure of system user account information when made by any law enforcement officer or legal representatives pursuant to court order, subpoena or other legal process.

    The University can enforce the provisions of this policy and the rights reserved to the University without prior notice to the user.

    II. RESPONSIBILITIES RELATED TO ACCESS TO AND USE OF COMPUTER AND NETWORK RESOURCES:

    The Security Operations and Services Director - is responsible for:

    1. Developing and assisting units in the implementation of University-wide policies, controls and procedures to protect the University's Computer and Network Resources from intentional or inadvertent modification, disclosure or destruction.

    2. Monitoring user adherence to these policies.

    3. Authorizing security experiments or security scans affecting Computer and Network Resources (except for those responsibilities specifically accorded to system administrators in this policy).

    4. Coordinating response to computer and network security incidents to include, but not be limited to, notification of incidents to University Police Services, Internal Audit, Risk Management and Privacy Office and other University offices as appropriate, and contact with Incident Response teams external to the University.

    5. Educating the user community in the ethical use of Computer and Network Resources.

    6. Conducting periodic scans of the University's Computer and Network Resources (to include personally-owned computers connected to the University's Computer and Network Resources) for common security vulnerabilities, violations of policy or law, and/or malicious code. Reporting the results of such scans to the applicable University contacts for resolution of possible problems.

    Deans and Administrative Officers - are responsible for:

    1. Developing and implementing additional security policies specific to their Colleges or administrative units in coordination with the Security Operations and Services Director, and in consonance with this policy. These policies will guide System Administrators within the Colleges and administrative units in the formulation of detailed security procedures, and are considered to be a part of this policy statement.

    2. Authorizing access to computer systems, including the purpose of the account, and issuance of passwords, or designating in writing the individual(s) who will exercise this responsibility for the various systems and networks within the College or administrative unit. Responsibility for authorizing Group Accounts (as defined in the Glossary of Computer Data and System Terminology, ADG01) cannot be delegated lower than the academic department head, or equivalent managerial level within an administrative unit. For centrally managed Computer and Network Resources, only the applicable Senior Director within Information Technology Services may approve a Group Account.

    3. Ensuring mechanisms are in place to obtain acknowledgment from System Users that they understand, and agree to comply with University and College/Unit security policies. Such acknowledgment must be written unless an exception is approved in accordance with the Exceptions and Exemptions section of this policy.

    4. Ensuring technical or procedural means are in place to facilitate determining the User ID responsible for unauthorized activity in the event of a security incident.

    System Users (as defined in the Glossary of Computer Data and System Terminology, ADG01) - are responsible for:

    1. Understanding, agreeing to and complying with all security policies governing University Computer and Network Resources and with all federal, state and local laws, including laws applicable to the use of computer facilities, electronically encoded data and computer software.

    2. Safeguarding passwords and/or other sensitive access control information related to their own accounts or network access. Such information must not be transmitted to, shared with, or divulged to others. Similarly, system users must recognize the sensitivity of all other passwords and computer or network access information in any form, and must not use, copy, transmit, share or divulge such information, nor convert the same from encrypted or enciphered form to unencrypted form or legible text. Any attempt to conduct such actions by a system user is a violation of this policy.

    3. Taking reasonable precautions, including personal password maintenance and file protection measures, to prevent unauthorized use of their accounts, programs or data by others.

    4. Ensuring accounts or computer and network access privileges are restricted to their own use only. System users must not share their accounts, nor grant accounts to others nor otherwise extend their own authorized computer and network access privileges to others. System users must not implant, execute or use software that allows them unauthorized remote control of Computer and Network Resources, or of accounts belonging to others.

    5. Ensuring the secure configuration and operation of Internet services (e.g., WWW) they may establish on machines connected to University Computer and Network Resources. Also, system users are solely responsible for ensuring the content of files, programs or services that they operate, maintain, store or disseminate using University Computer and Network Resources (to include personally-owned computers connected to such resources) are compliant with both law and University Policy. Note: servers are not allowed on campus residence hall networks except on the basis of a written request of a faculty member for a specific academic purpose and the explicit concurrence of the Vice Provost for Information Technology or designee.

    6. Using accounts or network access only for the purposes for which they were authorized and only for University-related activities. Use of accounts or network access to conduct a commercial enterprise, or to promote or advertise a commercial enterprise is prohibited. Transmitting or making accessible offensive, obscene or harassing materials, and transmitting or making accessible chain letters, etc., are prohibited. Unauthorized mass electronic mailings and newsposts are prohibited. Conducting or attempting to conduct security experiments or security scans involving or using University Computer and Network Resources without the specific authorization of the Security Operations and Services Director is prohibited. The intentional or negligent deletion or alteration of information or data of others, intentional or negligent misuse of system resources, intentionally or negligently introducing or spreading computer viruses, and permitting misuse of system resources by others are prohibited.

    7. Representing themselves truthfully in all forms of electronic communication. System users must not misrepresent themselves as others in electronic communications. Similarly, system users must not cause a system to assume the network identity or source address of another Computer or Network Resource for purposes of masquerading as that resource. System users must not register Computer and Network Resources that have Internet addresses within the Penn State Internet domain under any non-Penn State domain name. System users must not provide Domain Name Service for any non-Penn State Computer and Network Resource.

    8. Respecting the privacy of electronic communication. System users must not obtain nor attempt to obtain any electronic communication or information not intended for them. In particular, system users must not attempt to intercept or inspect information (e.g., packets) en route through University Computer and Network Resources, nor use University Computer and Network Resources to attempt to intercept or inspect information en route through networks elsewhere. Similarly, system users must not implant, execute or use software that captures passwords or other information while the data are being entered at the keyboard or other data entry device.

    9. Respecting the physical hardware and network configuration of University-owned networks. System users must not extend the physical network on which their system resides (e.g., wiring, jacks, wireless connection).

    10. Treating non-University Computer and Network Resources in accordance with this policy. University Computer and Network Resources must not be used to attempt to breach the security or security policy of other sites (either willfully or negligently). An action or attempted action affecting non-University Computer and Network Resources that would violate this policy if performed on Penn State Computer and Network Resources is prohibited.

    System administrators (as defined in the Glossary of Computer Data and System Terminology, ADG01). Unless otherwise stated, system administrators have the same responsibilities as system users. However, because of their position, system administrators have additional responsibilities and privileges for specific systems or networks. For systems which they directly administer, system administrators are responsible for:

    1. Preparing and maintaining security procedures that implement University and College/Unit security policies in their local environment and that address such details as access control, backup and disaster recovery mechanisms and continuous operation in case of power outages.

    2. Taking reasonable precautions to guard against corruption, compromise or destruction of Computer and Network Resources. Reasonable precautions for system administrators exceed those authorized for system users. Specifically, system administrators may conduct security scans of systems which they directly administer. However, they may not conduct security scans for any other system or network. Similarly, system administrators may conduct dictionary comparisons or otherwise check password information related to system users on the systems for which they have administrative responsibility. They may not do so on other systems. System administrators may also intercept or inspect information en route through a network, but only information originating from or destined for systems for which they have direct administrative responsibility and only for purposes of diagnosing system or network problems. Exceptions must be authorized by the Security Operations and Services Director in accordance with this policy.

    3. Treating the files of system users as private. It is recognized that a system administrator may have incidental contact with system user files, including electronic mail, in the course of his or her duties. The contents of such files must be kept private. Deliberate access to system user files is authorized only in the event of a suspected security breach, if essential to maintain the system(s) or network(s) for which the system administrator has direct administrative responsibility, or if requested by or coordinated with the system user.

    4. Taking reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on all systems, networks, and servers.

    5. Ensuring that Penn State network addresses are assigned to those entities or organizations that are part of Penn State only. System administrators must not assign network addresses to non-Penn State entities or organizations.

    6. Limiting access to root or privileged supervisory accounts. In general, only system administrators should have access to such accounts. System users should generally not be given unrestricted access to root or privileged supervisory accounts. As with all accounts, authorization for root or privileged supervisory accounts must be approved in accordance with this policy.

    III. REPORTING SECURITY INCIDENTS OR SYSTEM VULNERABILITIES:

    Individuals aware of any breach of information or network security, or compromise of computer or network security safeguards, must report such situations to the appropriate system administrator and to the Security Operations and Services Director. The Security Operations and Services Director, in coordination with appropriate University offices, will determine if financial loss has occurred and if control or procedures require modification. When warranted by such preliminary review, University Police Services, Internal Audit, Risk Management and Privacy Office, and other University departments or law enforcement authorities will be contacted as appropriate.

    SANCTIONS FOR POLICY VIOLATIONS:

    Violation of any provision of this policy may result in:

    1. restriction or termination of a system user's access to University Computer and Network Resources, including the summary suspension of such access, and/or rights pending further disciplinary and/or judicial action;

    2. the initiation of legal action by the University and/or respective federal, state or local law enforcement officials, including but not limited to, criminal prosecution under appropriate federal, state or local laws;

    3. the requirement of the violator to provide restitution for any improper use of service; and

    4. disciplinary sanctions, which may include dismissal or expulsion for students, or termination of employment for employees.

    COURSE AND WORK-RELATED ACCESS TO COMPUTERS AND COMPUTER NETWORKS:

    Many academic course and work-related activities require the use of computers, networks and systems of the University. In the event of an imposed restriction or termination of access to some or all University computers and systems, a user enrolled in such courses or involved in computer-related work activities may be required to use alternative facilities, if any, to satisfy the obligation of such courses or work activity. However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible to complete requirements for course work or work responsibility. The University views misuse of computers as a serious matter, and may restrict access to its facilities even if the user is unable to complete course requirements or work responsibilities as a result.

    EXCEPTIONS AND EXEMPTIONS:

    Exception to or exemptions from any provision of this policy must be approved by the Vice Provost for Information Technology or designee, which will normally be the Security Operations and Services Director. Similarly, any questions about the contents of this policy, or the applicability of this policy to a particular situation should be referred to the Security Operations and Services Director.

    COPYRIGHT INFRINGEMENT:

    The senior position for computer and network security reporting to the Vice Provost for Information Technology is designated to receive notices of possible copyright infringements occurring online at Penn State University.

    CROSS REFERENCES:

    Other Policies in this Manual should also be referenced, especially the following:

    AD08 - Purchase of Advertising,

    AD11 - University Policy on Confidentiality of Student Records,

    AD23 - Use of Institutional Data,

    AD27 - Commercial Sales Activities at University Locations,

    AD53 - Privacy Statement,

    AD56 - Use of Group Communication Tools to Communicate University Business to Employees and Students,

    AD35 - University Archives and Records Management,

    ADG01 - Glossary of Computerized Data and System Terminology,

    ADG02 - Computer Facility Security Guideline,

    FN14 - Use of Tangible Assets, Equipment, Supplies, and Services, and

    HR60 - Access to Personnel Files.


    Effective Date: April 2, 2013
    Date Approved: April 1, 2013
    Date Published: April 2, 2013

    Most recent changes:

    Revision History (and effective dates):
