Franciscan University of Steubenville Information Security Policy

Transcription

1 Franciscan University of Steubenville Information Security Policy Scope This policy is intended for use by all personnel, contractors, and third parties assisting in the direct implementation, support, and servicing of information security measures at Franciscan University of Steubenville (FUS). There are certain sections within this policy that specifically apply to students, such as the end user awareness policy. The Office of Information Technology (OIT) reserves the right to change or supplement this policy at any time. Responsibility Information Security is the ultimate responsibility of the Director of OIT. Day to day and operational responsibility falls on the Director of OIT. The Director of OIT reports directly to the Executive Vice President of FUS. The Director of OIT is responsible for the overall ownership of this document and for communicating this policy, in full or in portion, to all pertinent employees on a regular basis. Maintenance This policy is reviewed at least on an annual basis for appropriateness and effectiveness as it relates to generally accepted information technology guidance. This review is performed by the Office of information Technology that is led by the Director of OIT. These policies are communicated to the President s Cabinet for approval on an annual basis, or as changes are made. The end user awareness portion of this document shall be reviewed by every new hire as part on their orientation. In addition, the section that pertains to students will be shared with the students via the student handbook. At least annually end users (student/faculty/staff) shall be notified of any changes in the program along with any tips or reminders to maintain a strong information security environment. Faculty and staff will reaffirm the policy annually. Enforcement Violations of this Policy may result in the suspension or loss of the violator s use privileges, and/or discipline up to and including termination of employment. At the university s sole discretion, additional civil, criminal and equitable remedies may be pursued. Any exceptions to this policy must be documented, reported to the Director of OIT, and brought to the attention of the Office of Information Technology and President s Cabinet for appropriate action as necessary.

2 Faculty/Staff Policy The usage of University computers and network facilities is a privilege, not a right, and improper use can result in suspension or revocation of those privileges, and/or further disciplinary measures as warranted. The Franciscan University of Steubenville (FUS) urges all faculty/staff to follow these policies and to conduct themselves within the framework of the University s Mission Statement Internet and Safety Faculty/Staff shall take full responsibility for every message they transmit through the University s computers and network facilities. No one shall use the University s network to transmit fraudulent, defamatory, harassing, obscene, indecent, or threatening messages, or any communications prohibited by law or which violates University practice, policy or the spirit of its mission Faculty/Staff are to exercise caution when forwarding or sending to a non-fus account. Sending to non-fus accounts is the same as storing that on a non-fus computer. Please carefully consider the contents of your prior to sending Faculty/staff are prohibited from using the University s computing resources for political campaigns, fundraising, commercial enterprises, mass mailings, or other outside activities that have not been granted the use of the University s facilities Faculty/Staff shall not automatically forward their FUS outside of the University. The OIT cannot control or enforce proper security policies on messages that are no longer stored on their network Faculty/Staff shall ensure that they maintain confidentiality between the University and student information with the utmost care and never share this information with any outside party unless explicitly authorized by management or the student (where applicable) Viewing, accessing, printing, or distributing indecent, obscene, or pornographic materials using University equipment, network, or internet access is strictly prohibited Faculty/Staff of the Franciscan University of Steubenville are to practice safe internet browsing and behavior that will lower the risk associated with viruses, worms, spyware, copyright infringement, etc. Internet browsing and

3 behavior may be regulated and is monitored to ensure compliance Quick tips for safe browsing include never clicking on suspicious links or offers that seem too good to be true, never sharing personal information without verifying the identity of the party requesting it, and the use of common sense Faculty/Staff shall not attempt to read, alter, or delete anyone s other than their own unless given the proper authority from staff (ie; proxy access) Faculty/Staff shall never open up attached items that appear to be related to SPAM. Faculty/Staff should alert the Office of Information Technology (OIT) in the event they receive a suspicious that appears to be SPAM SPAM messages are generally from address that you would not recognize SPAM messages also typically offer something to get your attention that is too good to be true. If something sounds too good to be true, it generally is If you believe a message is SPAM never respond to it Occasionally you may receive s from outside companies or other universities that request information about your account. Often they ask for the following: 1. First Name & Last: 2. Full Login 3. Username: 4 Password: 5. Current Password: Although the may appear to be official and appear to come from a legitimate site, in most circumstances it is fraudulent. This kind of spam is known as "phishing". It's a method used to gain access to your account(s) to acquire personal and financial information about you. Never give out this kind of information to anyone. This not only applies to your Franciscan account, but also to any personal accounts you use. If you do receive an such as this, delete it. Do not reply or forward it to anyone. Do not click on any link that it directs you to.

4 If you have provided this kind of information from your Franciscan account, please contact the Help Desk Faculty/Staff shall not share (verbally, electronically, or by any other means) personally identifiable information (including grades) about students or other faculty/staff unless authorized explicitly by the owner of that information or the OIT Faculty/Staff shall not use file sharing or peer to peer programs to illegally download to retrieve or share files. Please review the addendum to the Higher Education Opportunity Act of 2008 (HEOA) as part of Appendix A Faculty/Staff shall not copy or install software that is in violation of any copyright laws. If there is any question all faculty/staff are urged to call the OIT PC Security and Safety Faculty/Staff should ensure that their computers are configured with the hardware and software specifications recommended by the OIT. Any updates and services to the resources given to Faculty/Staff are to be applied by the OIT Faculty/Staff shall never use FUS network/computer resources without proper authorization. Faculty/Staff shall not misrepresent his or her identity or relationship to the University for the purpose of obtaining or using computer, server or network privileges and/or services Faculty/Staff shall never knowingly endanger, or attempt to endanger, the security of any University computer, server or network facility, nor willfully interfere with others authorized computer usage Faculty/Staff shall never use the University s communication facilities to attempt unauthorized use, nor to interfere with others legitimate use, of any computer, server or network facility anywhere Permission to physically connect or attempt to connect a computer or device not provided by the university to any of the University s networks must be done in the conjunction with the University s Office of Information Technology Faculty/Staff shall place confidential information onto University systems at their own risk. The University cannot guarantee the privacy of computer files, electronic mail or

5 other information by computer, whose confidentiality is not otherwise mandated by law Faculty/Staff shall not use shared university computers for unauthorized games, chat rooms, or other recreational sites for personal interest. Faculty assigned games and chat rooms to teach particular concepts can be used with prior coordinated authorization from the Coordinator of Academic Computing Faculty/Staff shall never share their passwords with another individual inside or outside of the University. In addition, faculty/staff shall never write their passwords down Faculty/Staff are required to lock their computers (password must be entered again upon return) prior to leaving their work areas All mobile devices (laptops, smart phones, PDAs, ipads, etc.) used by faculty/staff must be protected outside of the office. Faculty/Staff need to have security set up on any mobile device that integrates with the university s network or accesses any of the university s resources. At a minimum there must be a screen lock and remote wipe capabilities setup on the phone Faculty/Staff should read and understand and abide by the university s Laptop Leasing Policy (See Appendix B) Faculty/Staff shall select passwords that are strong in nature. Strong passwords have the following characteristics: Is at least eight characters long Does not contain your user name, real name, or school name Does not contain a complete dictionary word Is significantly different from previous passwords. Passwords that increment (Password1, Password2, Password3...) are not strong Contains characters from each of the following four groups (uppercase letters, lowercase letters, numerals, symbols) Changed at least every 90 days Faculty/Staff shall never attempt to modify or disrupt the configuration or operation of University software or hardware. This includes automatic system updates, anti-virus scans, personal firewall settings, or any other process initiated by the OIT.

6 Faculty/Staff are responsible for archiving their own s. The OIT will give guidance and instruction on how to do this but faculty/staff are ultimately responsible for ensuring that any important s don t get purged from the FUS systems Faculty/Staff are responsible for all data stored locally on their laptop or desktop. Users should take care to ensure that all FUS related materials are stored on the user s corresponding network drive as this drive is archived and backed up regularly. Faculty/Staff are responsible for backing up any data on their laptop or PC s local drive. FUS is not responsible for any data stored on laptops Any material that is stored on an FUS network drive that is not work or academically related to FUS is subject to removal upon the Office of Information Technology s discretion Faculty/Staff are to have anti-malware (anti-spyware and antivirus) application systems installed on their systems The anti-malware application system is to receive updated virus and malware definitions and application updates on a regular basis or as soon as they come available from the vendor The anti-malware application system is to be configured to fully scan the faculty/staff computer on a regular basis for known malware Network Security and Safety Faculty/Staff may not modify or tamper with any university owned network wiring, wall faceplates, or network devices. Faculty/Staff who do not follow this policy will be assessed a fee based on time and materials for the repair of any damage to University resources Faculty/Staff are prohibited from setting up their computers to be used as DHCP, DNS, File Sharing, WEB or FTP servers. Computers cannot be set up to act as a bridge, a router, or a gateway Faculty/Staff are prohibited from setting up an additional network by attaching a wireless access point, a hub, router or a switch to the network Under no circumstances will any member of faculty/staff be permitted to use their network connection or computing privileges for non-university or commercial purposes. Faculty/Staff may not advertise any commercial products. Any member of faculty/staff found to be using their connection for

7 commercial use will be disconnected from the network and subject to discipline under appropriate University policies Faculty/Staff requiring remote access to FUS information technology resources must review and acknowledge understanding of the Remote Usage Policy which can be found as Appendix B of the Franciscan Information Security Program Faculty/Staff are prohibited from installing any software on PC s or laptops provided by the university without authorization from OIT Remote access to/from a university computer must adhere to the University s Remote Access Policy and must be approved by the Department Head/Vice President and OIT.