Guideline ADG02 COMPUTER SECURITY (Formerly Computer Facility Security)

Policy Steward:  Vice President for Administration

Contents

  • Purpose
  • Responsibilities
  • Baseline Security
  • Further Information
  • Cross References

  • PURPOSE:

    To set up minimum criteria for computer access, controls and security for University Computer and Network Resources, and to provide more detailed guidance with regard to concepts embodied in Policies AD20, AD23 and AD71.

    RESPONSIBILITIES:

    Security Operations and Services Director is responsible for:

    1. Establishing permanent Committees as appropriate to advise him/her of appropriate security concerns, enhancements and technological progress in the field.
    2. Disconnecting any Computer and Network Resource if that resource fails to meet physical or access security standards, or otherwise poses an unacceptable risk to the University's Computer and Network Resources. In particular, if a computer's security is compromised by faulty or compromised hardware or software, the Senior Director for Security Operations and Services or his/her designee will inform the security and/or technical contacts for the network of the problem. Those responsible for the computer must repair the faults as soon as possible or the computer will be disconnected until it can be verified that the faults have been repaired.
    3. Requesting the removal of Account privileges for any system user on any University Computer and Network Resource if the individual is found to pose a substantial risk to the University's Computer and Network Resources. If the Account is not removed upon such a request, the computer or network resource upon which the Account resides may be disconnected.
    4. Requesting termination of other services or uses of University Computer and Network Resources if such services or uses violate University computer and network security policies. If the services or uses are not terminated upon such a request, the computer or network resource(s) involved may be disconnected.
    5. Establishing and directing the Penn State Computer Security Incident Response Team (Penn State CSIRT). Membership in the Penn State CSIRT will include experts in telecommunications and various operating systems that are in common use within the University. The Penn State CSIRT will aggressively investigate all attempts at system abuse and actively pursue abusers in order to protect the integrity of University Computer and Network Resources. The Senior Director of Security Operations and Services will ensure that an alternate is available from within the Penn State CSIRT membership to exercise the responsibilities of the Senior Director in the event a computer security emergency occurs in his/her absence.

    Unit Liasons:

    In conjunction with the Security Operations and Services Director, the Unit Liaisons will establish and monitor:

    Unit compliance with the University’s Minimum Security Baseline, which can be found at http://sos.its.psu.edu/minimum-security-baseline.html. The Unit Liaison may request to the Security Operations and Services Senior Director the immediate removal of account privileges on networks that contain internal/controlled or restricted data as defined in Policy AD71, Data Categorization, for system users or information associates who have violated University computer and network security policies.

    Deans and Administrative Officers:

    In order to comply with Policies AD20 and AD71, Deans and Administrative Officers, in conjunction with Unit Liaisons, must ensure that Colleges and Administrative Units have established and implemented security policies specific to their areas. They are similarly responsible for ensuring that the Minimum Security Baseline is implemented in the areas for which they are responsible. Moreover, system administrators within the Colleges and Administrative Units must develop security procedures implementing these policies to include the Minimum Security Baseline. Other specifics may be included as long as they do not counter elements included in this guideline, in Policies AD20, AD23 and AD71, or other University policies.

    BASELINE SECURITY:

    1. Minimum requirements regarding an "Account" (See ADG01 for a definition of account, Captive Account, and Group Account) are:

    a. There should not be any guest accounts unless the account is a captive account.

    b. There should be no Group Accounts, unless specifically requested in writing and authorized in writing by both the account owner and the University representative officially designated by the Dean and Administrative Officer in accordance with Policy AD20. For Computer and Network Resources operated by Information Technology Services, only the applicable Director may approve a Group Account.

    c. The registered user of an account is responsible and liable for all processes initiated from the account. In those rare instances where Group accounts are authorized, all users of the account are jointly responsible and liable.

    2. System Administrators and managers of networks containing restricted data as defined by Policy AD71, Data Categorization, will provide connectivity for secondary distribution to other networks only after assuring the networks and devices comply with the Minimum Security Baseline.

    3. The appropriate safeguards for institutional or personal computers or other devices that contain the categories of internal/controlled or restricted information as listed in Policy AD71, Data Categorization, which are listed in the Minimum Security Baseline.

    FURTHER INFORMATION:

    For questions, additional detail, or to request changes to this policy, please contact Security Operations and Services.

    CROSS REFERENCES:

    Other Policies in this Manual should also be referenced, especially :

    AD20 - Computer and Network Security,

    AD23 - Use of Institutional Data,

    AD71 - Data Categorization,

    ADG01 - Glossary of Computer Data and System Terminology, and

    ADG07 - Data Categorization Examples.


    Effective Date: April 22, 2014
    Date Approved: April 21, 2014
    Date Published: April 22, 2014

    Most recent changes:

    Revision History (and effective dates):

    | top of this policy | GURU policy menu | GURU policy search | GURU home | GURU Tech Support | Penn State website |