President James E. Lyons, Sr.
Computing resources (hardware, software, data, and the network) are vital University assets. All users of the University computing resources need to be aware of and respect the value of these resources. By using these resources, all users are part of a community responsible for ensuring that data are kept confidential, reliable, and available, and that the integrity of the campus computing resources is not jeopardized.
We recognize that local, state, and federal laws relating to copyrights, security, and other statutes regarding electronic media and intellectual property bind all members of the campus community. This President Memorandum (PM) was written to ensure that all members of the University community have a clear understanding of the University’s position regarding the security of its computing resources. It provides a framework for the implementation and enforcement of computer and network security at CSUDH. The document assists the faculty, staff, and students in understanding the need for and the means of protecting CSUDH's computing resources and the information hosted on the University’s servers and computers.
This PM defines the minimum standards for a common level of security that is to be implemented across all computing and network resources at CSUDH. This PM may be supplemented by additional guidelines created by the individual campus units. The supplemental guidelines will address each unit's specialized security needs with the understanding that they are consistent with the standard defined in this PM. It is the responsibility of the individual department/college manager (MPP) to inform their subset of users regarding any documents specific to their computing environment. Employees will be given copies of applicable documents and/or web links.
This PM makes an effort to explain the rationale and intent of the policies contained in this document. This document also assumes, as a condition of use, the exercise of common sense, common courtesy, and a respect for the rights, property, and privacy of the University and other users. Issues concerning the "appropriate use" of computing resources, other than those dealing with security or legal issues, are not covered by this PM. (See the CSUDH policy entitled Use of Information Technology Services and Resources and Electronic Mail Systems or Services.)
This PM applies to all CSUDH computing and network resources including computers, software, data, and communication networks that are controlled, administered, or accessed directly or indirectly by users at CSUDH. Privately owned computer systems, when attached to the campus network and/or resources through wireless network or VPN, are subject to the same responsibilities and regulations as pertain to University-owned systems.
This document only covers computer security and is not a substitute for other campus policies related to campus computing.
This document addresses five key principles of security and the responsibilities that each individual has:
· Privacy of Data
· Data Integrity
· Service Integrity
· Legal Issues
· Authorized Use
The University supports each individual's right to privacy when using CSUDH computing resources, and will take reasonable steps to ensure security of these resources. However, the University cannot guarantee absolute privacy of electronic communication and computing resources. Each user must recognize that risks exist with regard to the confidentiality of personal email, data, files and activity logs due to system limitations, software bugs, unauthorized activity, and potential system failures.
Data contained on CSUDH computer systems is accessible to authorized personnel. These individuals are responsible for conducting normal system administration activities including diagnosing or correcting problems. At the request of the President (designee), files may be examined by system personnel to determine if a user is acting in violation of the policies defined in this PM, other University policies, and state or federal statutes. For purposes of this PM, “other University policies” include, but are not limited to, Fingerprinting of Employees, Guidelines for Search Committees, Perceived Effectiveness Review, layoff procedures, etc. Access to University computer systems and accounts is generally monitored. In addition, systems and accounts may also be more closely inspected or monitored when:
· Activity from a specific account prevents access to computing or networking resources by others.
· Usage patterns indicate that an account is responsible for unauthorized or illegal activity.
· There are reports of violations of policy or law taking place.
· It appears necessary to do so to protect University resources or data or to protect the University from liability.
· It is required by and/or consistent with law.
As a public institution, we may have to make the data on CSUDH computer systems available to the public through public record laws. All requests for such data should be immediately forwarded to campus legal counsel.
Access to University information resources may be granted based on the following: relevant laws and contractual obligations, the requester's need to know, the information's sensitivity, and the risk of damage to or loss by the University. Access may be temporarily revoked by the President (designee). If the employee’s access is temporarily revoked, the employee will not be disciplined for work not performed solely for not having said access. Permanent revocation of computer access will be in accordance with the applicable provisions of the affected labor contracts. Non-represented employees may use the Campus Reconsideration Policy if their access is permanently revoked.
The University reserves the right to limit, restrict, or extend computing privileges and access to its information resources. Data owners, whether departments, auxiliary units, faculty, students, or staff, may allow individuals other than University faculty, staff, and students access to information for which they are responsible. Methods for such access should not violate any license or contractual agreement, University policy, or any federal, state, county, or local law or ordinance; nor degrade the performance of the University community. Access by non-University members is subject to approval by and at the discretion of the system administrator(s) responsible for the information resource(s) involved.
Every authorized user is responsible for the integrity of these resources. All users of computing systems must respect the rights of other computing users, respect the integrity of the physical facilities and controls, and respect all pertinent license and contractual agreements.
A user is one who has authorized access to University computing resources. Everyone on or off-campus who accesses a University computing resource, through whatever authorized (or unauthorized) means, is considered a user and is bound by the user responsibilities stated in this policy.
A. Users are ultimately responsible for the effect(s) of computing activity when using a computer.
B. Users shall not store the personal information of students or employees on desktop or laptop computers, unless permission is granted in writing by the Associate Vice President of Information Technology.
C. Accounts created for an individual are for the use of that individual only. Computer accounts, passwords, and other types of authorization are assigned to individual users and must not be shared with others. Users are responsible for any use of their account.
D. Use only those computing resources for which authorization has been issued. Do not attempt to obtain system privileges to which authorization has not been granted or give unauthorized access to others.
E. Do not violate the security policy on any computer or network facility, interfere with the authorized computer use of others, or interfere with the normal running of services on any computer system or network. This includes unauthorized modifications to software or hardware of any computer or network, propagating viruses, or excessive network traffic that interferes with the use of others.
F. Users are responsible for the data and information that they are entrusted with and must not disclose confidential or sensitive information without authorization from the data owner. Confidential data transferred over networks should be encrypted to ensure security.
G. Never attempt to intercept, capture, alter, or interfere in any way with the normal transmission of data on any computer or network, without prior authorization from the person or persons responsible for that resource.
H. Observe all applicable policies of external computers or networks when using such resources.
I. Report unauthorized use of computing resources or observed gaps in system or network security to the University Helpdesk, your project director, instructor, supervisor, system administrator, and/or other appropriate University authority immediately upon discovery. Provide system administrators with information about computing activities when a reasonable request is made.
J. Users must protect their password so that others cannot gain access to their account.
K. The University Technology Advisory Council approved the following password rules, which all users of the University computing resources must observe:
· Password History = 10 passwords
· Password Age (Max) = 200 days
· Password Length = 8 characters
· Password Complexity = Yes
· Requires any combination of three of the following four:
o Upper case (A,B,C)
o Lower case (a,b,c)
o Numerals (1,2,3)
o Symbols (!,*,%)
· Password lockout = 5 bad attempts
· Lockout duration = 30 minutes
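As an added example (not part of the memorandum), a Python checker that encodes the rules listed above: the numeric limits are taken from the PM's list, while the function and class names, the plaintext history list and the epoch-second clock are this example's own assumptions.

```python
import re

# Numeric limits quoted from the memorandum's password rules.
MIN_LENGTH = 8             # Password Length = 8 characters
HISTORY_DEPTH = 10         # Password History = 10 passwords
MAX_AGE_DAYS = 200         # Password Age (Max) = 200 days
CLASSES_REQUIRED = 3       # Password Complexity: any three of the four classes
LOCKOUT_ATTEMPTS = 5       # Password lockout = 5 bad attempts
LOCKOUT_SECONDS = 30 * 60  # Lockout duration = 30 minutes

CHARACTER_CLASSES = {  # the four classes the PM names
    "upper": re.compile(r"[A-Z]"),
    "lower": re.compile(r"[a-z]"),
    "numeral": re.compile(r"[0-9]"),
    "symbol": re.compile(r"[^A-Za-z0-9]"),
}

def complexity_violations(password, history=()):
    """Return the PM rules a candidate password breaks (empty list = compliant).
    `history` is the account's previous passwords, newest last; a real system
    would compare salted hashes rather than the plaintext used in this example."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    classes = sum(1 for rx in CHARACTER_CLASSES.values() if rx.search(password))
    if classes < CLASSES_REQUIRED:
        problems.append(f"only {classes} of 4 character classes (need {CLASSES_REQUIRED})")
    if password in tuple(history)[-HISTORY_DEPTH:]:
        problems.append(f"reused within the last {HISTORY_DEPTH} passwords")
    return problems

def password_expired(age_days):
    """True once a password is older than the 200-day maximum."""
    return age_days > MAX_AGE_DAYS

class LockoutTracker:
    """Per-account consecutive-failure counter for the 5-attempt / 30-minute rule.
    Times are epoch seconds so the logic can be replayed deterministically."""

    def __init__(self):
        self._failures = {}      # account -> consecutive bad attempts
        self._locked_until = {}  # account -> epoch second when the lock expires

    def is_locked(self, account, now):
        return now < self._locked_until.get(account, 0)

    def record_failure(self, account, now):
        """Count a bad attempt; return True if the account is locked afterwards."""
        if self.is_locked(account, now):
            return True  # attempts during a lock are rejected, not counted
        self._failures[account] = self._failures.get(account, 0) + 1
        if self._failures[account] >= LOCKOUT_ATTEMPTS:
            self._locked_until[account] = now + LOCKOUT_SECONDS
            self._failures[account] = 0  # the streak restarts once the lock expires
            return True
        return False

    def record_success(self, account):
        self._failures.pop(account, None)  # a good login clears the streak
```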
System/network administrator is a user who has special access to one or more University computing resources. This special access includes control over the function of said computing resource(s). Technically, one is a system/network administrator if one exercises direct control over the following on a computing resource:
· (optionally) access level
System/network administrators are bound by all user responsibilities. In addition, they are bound by the responsibilities enumerated for system/network administrators. System/network administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks. A system administrator:
An application developer is a user who has access to a University computing resource for the purpose of developing software for use on that system or for any other system deemed appropriate and permissible. Application Developers may be employed by the University in this capacity and/or other capacities as well. For the purposes of this PM, an Application Developer is one who does any of the following:
· Writing program code
· Writing HTML, CGI or other World Wide Web-based content
· Writing SQL code or other user interface-related tasks
· Facilitating data transmission routines
· Any user performing any like functions as part of the regular curriculum or their course of study
Application Developers are additionally bound by all the user responsibilities. They may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks. Application Developers shall:
A database administrator is a user who has special access to a University-owned or used dataset. Such special access includes control over access to this data, access to the software functioning to present the data and control over said software. The database administrator is bound by all user responsibilities as well as the responsibilities enumerated for database administrators. Database administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks.
An Information Systems Manager/Supervisor is defined, for purposes of this PM, as an individual who oversees others in the above defined areas, namely:
· system/network administrators
· database administrators
· application developers
An Information Systems Manager/Supervisor shall:
A system administrator, network administrator, application developer or DBA shall take action to temporarily limit access to computing resources for the purpose of maintaining integrity of the resource based on the defined security standards of that resource (system) when he or she:
A. Observes a violation of this policy
B. Notices an unusual degradation of service or other aberrant behavior on the system, network, or server for which he or she is responsible
C. Receives a complaint of computing abuse or degradation of service
D. Is alerted by system-monitoring or management software that indicates a potential security intrusion
Depending on the severity of the violation, users may be subject to any or all of the following:
A. Temporary loss of computing and network access
B. University disciplinary actions
C. Civil proceedings
D. Criminal prosecution
The Associate Vice President of Information Technology or his/her delegate shall notify the user of any such action as soon as possible and the user will have an opportunity to respond before any restrictions are made permanent. If the violation is non-serious or unintentional, common sense, reason and sensitivity should be used to resolve issues in a constructive and positive manner without escalation.
If the issue cannot be resolved, or if, in the opinion of the Associate Vice President of Information Technology, the violation warrants action beyond his/her authority, the case shall be referred to other authorities, such as the University disciplinary body appropriate to the violator's status:
Students: Judicial Review or Office of the Vice President, Student Affairs
Staff: Employee's Supervisor or Human Resources
Faculty: Academic Personnel Services
All: Law Enforcement when the administrator believes the law has been broken
Such appeals should be handled by the appropriate disciplinary body expeditiously, so as to minimize the disruption of crucial teaching and research tools.
In all cases where enforcement action is taken, the Associate Vice President of Information Technology or his/her delegate, must keep accurate records and logs and produce them as required by campus disciplinary bodies or law enforcement officials.
· In an effort to assess the vulnerability of the campus computing and network environment, periodic audits may be necessary. Such audits may be particular to a specific system or the entire campus computing/network environment, and may be conducted by on-campus personnel or an outside vendor.
· The Associate Vice President of Information Technology or his/her delegate shall conduct information security audits on the University owned computing and network facilities.
· The Campus Information Security Incident Response Team is an ad hoc committee for technical security concerns, issues and problems. The Associate Vice President of Information Technology is the chair of the Campus Information Security Incident Response Team. Members of the team are appointed or invited as needed for each information security incident. Meetings occur as needed.
· The Chair of the Campus Information Security Incident Response Team is charged with recommending changes to this PM.
All existing laws (Federal and State) as well as University regulations and policies apply, including not only those laws and regulations specific to computers and networks, but also those that may apply generally to personal conduct. When there is a security breach of students’ or employees’ personal information, in accordance with California Civil Code 1798.29, the University will notify the impacted students or employees.
Misuse of computing, networking, or information resources may result in loss of computing privileges. Additionally, misuse can be prosecuted under applicable statutes. Users may be held accountable for their conduct under any applicable University or campus policies, procedures, or collective bargaining agreements. Complaints alleging misuse of CSUDH computing resources will be directed to those responsible for taking appropriate disciplinary action.
Federal Family Educational Rights and Privacy Act of 1974
Federal Privacy Act of 1974
Federal Electronic Communications Privacy Act of 1986
Federal Copyright Law
Federal Computer Fraud and Abuse Act of 1986
State of California Education Code, Section 67100 et seq.
State of California Information Practices Act of 1977 (Civil Code Section 1798 et seq.)
State of California Public Records Act (Gov. Code Section 6250 et seq.)
State of California Penal Code, Section 502
California Code of Regulations, Title 5, Section 41301, Student Discipline
CSU System Information Security Policy (currently being developed)
The combination of a user number, username, or user ID and a password that allows an individual access to a computer or network.
In the context of these guidelines, this phrase refers to the computers, network, software and hardware that makes electronic data or information available to users.
Data requiring high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the University to accomplish its mission as well as records about individuals requiring protection.
Information which can be made generally available both within and beyond the University.
Information that requires some level of protection because its unauthorized disclosure, alteration, or destruction will cause perceivable damage to the University.
The individual or department that can authorize accesses to information, data, or software and that is responsible for the integrity and accuracy of that information, data, or software. The data owner can be the author of the information, data, or software or can be the individual or department that has negotiated a license for the University's use of the information, data, or software.
A group of computers and peripherals that share information electronically, typically connected with each other by either cable, modem, or wireless.
Normal Resource Limits
The amount of disk space, memory, printing, and so forth, allocated to your computer account by that computer's system administrator.
Any person who has been granted access to Campus computing and information systems and equipment.
This President Memorandum was drafted with references to the following documents:
1. San Diego State University Computing Security Policy
2. "General Catalog, 1999-2000", San Diego State University
3. "Administrative Information Systems Information and Data Security Manual", Brown University
4. "Electronic Mail Policy", University of California, Office of the President
5. "Computer Use Policy", University of California, Berkeley
6. "Guidelines for Administering Appropriate Use of Campus Computing and Network Services", University of California, Berkeley
7. "Computing & Communications Services Security Guide", San Francisco State University
8. "Computing Ethics and Security", San Francisco State University
9. "Appropriate Use Policy", Humboldt State University
10. "Rules for Responsible Computing", Texas A&M University
11. "Computer Security Policy", Texas A&M University
12. "Policy on Use of Computing and Communications Technology", California State University, Chico
13. "Information Technology Services: Appropriate Use Policy", Yale University
14. "Information Technology Resources and Internet Access: Guidelines for Use", Princeton University
15. "Policy for Responsible Computing", University of Delaware
16. "Computer and Network Use Policy", Keene State College
17. "Why is security important for NPACI sites and users?", San Diego Supercomputer Center
18. "Network Security at UCSD", University of California, San Diego
19. "ACT Security Policy", University of California, San Diego
20. EDUCAUSE web site
21. Electronic Frontier Foundation web site