PM 2007-02

02/05/2007                                                                                                   

President James E. Lyons, Sr.

CSUDH Information Security

1.0 Introduction

Computing resources–hardware, software, data, and the network–are vital University assets. All users of the University computing resources need to be aware of and respect the value of these resources. By using these resources, all users are part of a community responsible for ensuring that data are kept confidential, reliable, and available, and that the integrity of the campus computing resources is not jeopardized.

We recognize that local, state, and federal laws relating to copyrights, security, and other statutes regarding electronic media and intellectual property bind all members of the campus community. To ensure that all members of the University community have a clear understanding of the University’s position regarding the security policy of our computing resources, this President Memorandum (PM) was written.  It provides a framework for the implementation and enforcement of computer and network security at CSUDH. The document assists the faculty, staff, and students in understanding the need for and the means of protecting CSUDH's computing resources and the information hosted on the University’s servers and computers.

2.0 Reasons for a President Memorandum on Information Security

This PM defines the minimum standards for a common level of security that is to be implemented across all computing and network resources at CSUDH. This PM may be supplemented by additional guidelines created by the individual campus units. The supplemental guidelines will address each unit's specialized security needs with the understanding that they are consistent with the standard defined in this PM. It is the responsibility of the individual department/college manager (MPP) to inform their subset of users regarding any documents specific to their computing environment. Employees will be given copies of applicable documents and/or web links.

This PM makes an effort to explain the rationale and intent of the policies contained in this document. This document also assumes, as a condition of use, the exercise of common sense, common courtesy, and a respect for the rights or property and privacy of the University and other users. Issues concerning the "appropriate use" of computing resources, other than those dealing with security or legal issues, are not covered by this PM. (See the CSUDH policy entitled Use of Information Technology Services and Resources and Electronic Mail Systems or Services.)

3.0 Scope

This PM applies to all CSUDH computing and network resources including computers, software, data, and communication networks that are controlled, administered, or accessed directly or indirectly by users at CSUDH. Privately owned computer systems, when attached to the campus network and/or resources through wireless network or VPN, are subject to the same responsibilities and regulations as pertain to University-owned systems.

This document only covers computer security and is not a substitute for other campus policies related to campus computing.

This document addresses five key principles of security and the responsibilities that each individual has:

·   Privacy of Data

·   Data Integrity

·   Service Integrity

·   Legal Issues

·   Authorized Use

4.0 Privacy Statement

The University supports each individual's right to privacy when using CSUDH computing resources, and will take reasonable steps to ensure security of these resources. However, the University cannot guarantee absolute privacy of electronic communication and computing resources. Each user must recognize that risks exist with regard to the confidentiality of personal email, data, files and activity logs due to system limitations, software bugs, unauthorized activity, and potential system failures.

Data contained on CSUDH computer systems is accessible to authorized personnel. These individuals are responsible for conducting normal system administration activities including diagnosing or correcting problems. At the request of the President (designee), files may be examined by system personnel to determine if a user is acting in violation of the policies defined in this PM, other University policies, and state or federal statutes. For purposes of this PM, “other University policies” include, but are not limited to, Fingerprinting of Employees, Guidelines for Search Committees, Perceived Effectiveness Review, layoff procedures, etc.  Access to University computer systems and accounts is generally monitored. In addition, systems and accounts may also be more closely inspected or monitored when:

·   Activity from a specific account prevents access to computing or networking resources by others.

·   Usage patterns indicate that an account is responsible for unauthorized or illegal activity.

·   There are reports of violations of policy or law taking place.

·   It appears necessary to do so to protect University resources or data or to protect the University from liability.

·   It is required by and/or consistent with law.

As a public institution, we may have to make the data on CSUDH computer systems available to the public through public record laws. All requests for such data should be immediately forwarded to campus legal counsel.

5.0 Authorized Access and Use

Access to University information resources may be granted based on the following: relevant laws and contractual obligations, the requester's need to know, the information's sensitivity, and the risk of damage to or loss by the University. Access may be temporarily revoked by the President (designee). If the employee’s access is temporarily revoked, the employee will not be disciplined for work not performed solely for not having said access. Permanent revocation of computer access will be in accordance with the applicable provisions of the affected labor contracts. Non-represented employees may use the Campus Reconsideration Policy if their access is permanently revoked.

The University reserves the right to limit, restrict, or extend computing privileges and access to its information resources. Data owners, whether departments, auxiliary units, faculty, students, or staff, may allow individuals other than University faculty, staff, and students access to information for which they are responsible. Methods for such access should not violate any license or contractual agreement, University policy, or any federal, state, county, or local law or ordinance; nor degrade the performance of the University community. Access by non-University members is subject to approval by and at the discretion of the system administrator(s) responsible for the information resource(s) involved.

Every authorized user is responsible for the integrity of these resources. All users of computing systems must respect the rights of other computing users, respect the integrity of the physical facilities and controls, and respect all pertinent license and contractual agreements.

6.0 Responsibilities

6.1 User Responsibilities

A user is one who has authorized access to University computing resources. Everyone on or off-campus who accesses a University computing resource, through whatever authorized (or unauthorized) means, is considered a user and is bound by the user responsibilities stated in this policy.

A.     Users are ultimately responsible for the effect(s) of computing activity when using a computer.

B.     Users shall not store the personal information of students or employees on desktop or laptop computers, unless permission is granted in writing by the Associate Vice President of Information Technology.

C.     Accounts created for an individual are for the use of that individual only. Computer accounts, passwords, and other types of authorization are assigned to individual users and must not be shared with others. Users are responsible for any use of their account.

D.     Use only those computing resources for which authorization has been issued. Do not attempt to obtain system privileges to which authorization has not been granted or give unauthorized access to others.

E.      Do not violate the security policy on any computer or network facility, interfere with the authorized computer use of others, or interfere with the normal running of services on any computer system or network. This includes unauthorized modifications to software or hardware of any computer or network, propagating viruses, or excessive network traffic that interferes with the use of others.

F.      Users are responsible for the data and information that they are entrusted with and must not disclose confidential or sensitive information without authorization from the data owner. Confidential data transferred over networks should be encrypted to ensure security.

G.     Never attempt to intercept, capture, alter, or interfere in any way with the normal transmission of data on any computer or network, without prior authorization from the person or persons responsible for that resource.

H.     Observe all applicable policies of external computers or networks when using such resources.

I.        Report unauthorized use of computing resources or observed gaps in system or network security to the University Helpdesk, your project director, instructor, supervisor, system administrator, and/or other appropriate University authority immediately upon discovery. Provide system administrators with information about computing activities when a reasonable request is made.

J.       Users must protect their password so that others cannot gain access to their account.

K.    The University Technology Advisory Council approved the following password rules, which all users of the University computing resources must observe:

·    Password History = 10 passwords

·    Password Age (Max) = 200 days

·    Password Length = 8 characters

·    Password Complexity = Yes

·    Requires any combination of three of the following four:

o       Upper case (A,B,C)

o       Lower case (a,b,c)

o       Numerals (1,2,3)

o       Symbols (!,*,%)

·    Password lockout = 5 bad attempts

·    Lockout duration = 30 minutes

6.2 System/Network Administrator Responsibilities

A system/network administrator is a user who has special access to one or more University computing resources. This special access includes control over the function of said computing resource(s). Technically, one is a system/network administrator if one exercises direct control over the following on a computing resource:

·   Hardware

·   Software

·   (optionally) access level

 

System/network administrators are bound by all user responsibilities. In addition, they are bound by the responsibilities enumerated for system/network administrators. System/network administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks. A system administrator:

  1. Manages systems, networks, and servers to provide available software or hardware to users for their University computing. A system administrator, with appropriate supervision and authority from management, is responsible for the security of a system, network, or server and is responsible for enforcing this and other campus policies. Access to system administrator accounts and passwords must be limited and on a "need to know" basis.
  2. May take reasonable action as authorized by the provisions of this security policy. In addition, action may be taken based on other campus policies, management, or lawful grounds to inspect, monitor, and/or suspend access privileges determined to be necessary or appropriate in order to maintain the integrity of the computer system, network, or protection of other users.
  3. Has special access to information and other special computing privileges and will use such access only in performing official duties. Such access shall not be used to satisfy idle curiosity. Access to users' information shall be governed by relevant University policies and procedures as well as State and Federal laws.
  4. Must develop, test, maintain, and document effective computer and network security procedures and take reasonable precautions to guard against corruption of software, damage to hardware or facilities, or unauthorized access. This includes installing system patches and security software and conducting periodic security audits as appropriate for the resource being managed. They must be aware of network topology issues that affect the security of their systems and data. Systems should be configured to run only necessary system services, which limits the potential vulnerability of the system. Appropriate backup procedures and disaster recovery plans must be developed.
  5. Shall take reasonable and appropriate steps to see that all the terms of the hardware and software license agreements are fulfilled on all systems, networks, and servers for which they are responsible.

6.3 Application Developer Responsibilities

An application developer is a user who has access to a University computing resource for the purpose of developing software for use on that system or for any other system deemed appropriate and permissible. Application Developers may be employed by the University in this capacity and/or other capacities as well. For the purposes of this PM, an Application Developer is one who does any of the following:

·   Writing program code

·   Writing HTML, CGI or other World Wide Web-based content

·   Writing SQL code or other user interface-related tasks

·   Facilitating data transmission routines

·   Any user performing any like functions as part of the regular curriculum or their course of study

Application Developers are additionally bound by all the user responsibilities. They may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks. Application Developers shall:

  1. Ensure that applications are written in a method consistent with this and other applicable security policies.
  2. Apply data transfer methods that maintain the integrity and security of the data using encryption methods when applicable.
  3. Apply security patches and close security holes in applications when they are known.
  4. Test applications for common security risks.
  5. Document code so that others can maintain it.
  6. Document software installations so that others can perform maintenance.

6.4 Database Administrator (DBA) Responsibilities

A database administrator is a user who has special access to a University-owned or used dataset. Such special access includes control over access to this data, access to the software functioning to present the data and control over said software. The database administrator is bound by all user responsibilities as well as the responsibilities enumerated for database administrators. Database administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks.

  1. A Database Administrator must maintain knowledge of the data within their trust and is expected to be familiar with the functions to which the data applies, the structure and functioning of the database management systems in which the data resides, and the methods available for accessing the data.
  2. A DBA, with appropriate supervision and authority from management, is responsible for the security of the database and is responsible for enforcing this and other campus policies. Access to DBA accounts and passwords must be limited and on a "need to know" basis.
  3. Working with the data owner and/or management, a DBA must define the sensitivity of the information in the database and must develop guidelines and procedures for requesting access to the database and the information in it. A DBA has special access to information contained in the database, and a DBA's access to such information shall be governed by relevant University policies and procedures as well as State and Federal laws.
  4. A DBA must protect the database and the information contained in the database from unauthorized access or modification and must develop, test, maintain, and document effective database security procedures.

6.5 Information Systems Management Responsibilities

An Information Systems Manager/Supervisor is defined, for purposes of this PM, as an individual who oversees others in the above defined areas, namely:

·   users

·   system/network administrators

·   database administrators

·   application developers

An Information Systems Manager/Supervisor shall:

  1. Review access of their users
  2. Ensure that users comply with security policies and procedures
  3. Monitor use to identify problems
  4. Remove access when users leave the department or University
  5. Translate policies into operational procedures
  6. Provide appropriate funding and resources to implement policies and procedures
  7. Promote security awareness and training

7.0 Implementation, Enforcement and Appeals

A system administrator, network administrator, application developer or DBA shall take action to temporarily limit access to computing resources for the purpose of maintaining integrity of the resource based on the defined security standards of that resource (system) when he or she:

A.  Observes a violation of this policy

B.   Notices an unusual degradation of service or other aberrant behavior on the system, network, or server for which he or she is responsible

C.  Receives a complaint of computing abuse or degradation of service

D.  Is alerted by system-monitoring or management software that indicates a potential security intrusion

Depending on the severity of the violation, users may be subject to any or all of the following:

A.     Temporary loss of computing and network access

B.     University disciplinary actions

C.     Civil proceedings

D.     Criminal prosecution

The Associate Vice President of Information Technology or his/her delegate shall notify the user of any such action as soon as possible and the user will have an opportunity to respond before any restrictions are made permanent. If the violation is non-serious or unintentional, common sense, reason and sensitivity should be used to resolve issues in a constructive and positive manner without escalation.

If the issue cannot be resolved, or if, in the opinion of the Associate Vice President of Information Technology, the violation warrants action beyond his/her authority, the case shall be referred to other authorities, such as the University disciplinary body appropriate to the violator's status:

Students: Judicial Review or Office of the Vice President, Student Affairs

Staff: Employee's Supervisor or Human Resources

Faculty: Academic Personnel Services

All: Law Enforcement when the administrator believes the law has been broken

Such appeals should be handled by the appropriate disciplinary body expeditiously, so as to minimize the disruption of crucial teaching and research tools.

In all cases where enforcement action is taken, the Associate Vice President of Information Technology or his/her delegate must keep accurate records and logs and produce them as required by campus disciplinary bodies or law enforcement officials.

8.0 Security Resources

Security Audits

·   In an effort to assess the vulnerability of the campus computing and network environment, periodic audits may be necessary. Such audits may be particular to a specific system or the entire campus computing/network environment, and may be conducted by on-campus personnel or an outside vendor.

·   The Associate Vice President of Information Technology or his/her delegate shall conduct information security audits on the University owned computing and network facilities.

Campus Information Security Incident Response Team (CISIRT)

·   The Campus Information Security Incident Response Team is an ad hoc committee for technical security concerns, issues and problems. The Associate Vice President of Information Technology is the chair of the Campus Information Security Response Team. Members of the team are appointed or invited as needed per each information security instance. Meetings occur as needed.

·   The Chair of the Campus Information Security Incident Response Team is charged with recommending changes to this PM.

 

9.0 Legal and Policy Issues

All existing laws (Federal and State) as well as University regulations and policies apply, including not only those laws and regulations specific to computers and networks, but also those that may apply generally to personal conduct.  When there is a security breach of students’ or employees’ personal information, in accordance with California Civil Code 1798.29, the University will notify the impacted students or employees.

Misuse of computing, networking, or information resources may result in loss of computing privileges. Additionally, misuse can be prosecuted under applicable statutes. Users may be held accountable for their conduct under any applicable University or campus policies, procedures, or collective bargaining agreements. Complaints alleging misuse of CSUDH computing resources will be directed to those responsible for taking appropriate disciplinary action.

9.1 Federal Statutes

Federal Family Educational Rights and Privacy Act of 1974

Federal Privacy Act of 1974

Federal Electronic Communications Privacy Act of 1986

Federal Copyright Law

Federal Computer Fraud and Abuse Act of 1986

9.2 State of California Statutes

State of California Education Code, Section 67100 et seq.

State of California Information Practices Act of 1977 (Civil Code Section 1798 et seq.)

State of California Public Records Act (Gov. Code Section 6250 et seq.)

State of California Penal Code, Section 502

California Code of Regulations, Title 5, Section 41301, Student Discipline

9.3 CSU Policies

·    CSU System Information Security Policy (currently being developed)

Appendix A - Definitions

Computer Account

The combination of a user number, username, or user ID and a password that allows an individual access to a computer or network.

Computing Resources

In the context of these guidelines, this phrase refers to the computers, network, software and hardware that make electronic data or information available to users.

Data, Confidential

Data requiring a high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the University to accomplish its mission as well as records about individuals requiring protection.

Data, Public

Information which can be made generally available both within and beyond the University.

Data, Sensitive

Information that requires some level of protection because its unauthorized disclosure, alteration, or destruction will cause perceivable damage to the University.

Data Owner

The individual or department that can authorize access to information, data, or software and that is responsible for the integrity and accuracy of that information, data, or software. The data owner can be the author of the information, data, or software or can be the individual or department that has negotiated a license for the University's use of the information, data, or software.

Network

A group of computers and peripherals that share information electronically, typically connected with each other by either cable, modem, or wireless.

Normal Resource Limits

The amount of disk space, memory, printing, and so forth, allocated to your computer account by that computer's system administrator.

User

Any person who has been granted access to Campus computing and information systems and equipment.

 

Appendix B - Acknowledgements

This President Memorandum was drafted with references to the following documents:

1.      San Diego State University Computing Security Policy

2.      "General Catalog, 1999-2000", San Diego State University

3.      "Administrative Information Systems Information and Data Security Manual", Brown University

4.      "Electronic Mail Policy", University of California, Office of the President

5.      "Computer Use Policy", University of California, Berkeley

6.      "Guidelines for Administering Appropriate Use of Campus Computing and Network Services", University of California, Berkeley

7.      "COMPUTING & COMMUNICATIONS SERVICES SECURITY GUIDE", San Francisco State University

8.      "Computing Ethics and Security", San Francisco State University

9.      "Appropriate Use Policy", Humboldt State University

10.  "Rules for Responsible Computing", Texas A&M University

11.  "Computer Security Policy", Texas A&M University

12.  "Policy on Use of Computing and Communications Technology", California State University, Chico

13.  "Information Technology Services: Appropriate Use Policy", Yale University

14.  "Information Technology Resources and Internet Access -- Guidelines for Use", Princeton University

15.  "Policy for Responsible Computing", University of Delaware

16.  "COMPUTER AND NETWORK USE POLICY", Keene State College

17.  "Why is security important for NPACI sites and users?", San Diego Supercomputer Center

18.  "Network Security at UCSD", University of California, San Diego

19.  "ACT Security Policy", University of California, San Diego

20.  EDUCAUSE web site

21.  Electronic Frontier Foundation web site