3359-11-10.3 Information technology security and system integrity policy.



Similar documents
IT1. Acceptable Use of Information Technology Resources. Policies and Procedures

Network Security Policy

COMPUTER AND NETWORK USAGE POLICY

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

Marist College. Information Security Policy

Computer Use Policy Approved by the Ohio Wesleyan University Faculty: March 24, 2014

City of Boston Department of Innovation and Technology Policy Title: Information Technology Resource Use Policy Effective Date: April 1, 2011

EMPLOYEE ACCESS RELEASE AND AUTHORIZATION FORM MCS warehouse form No

2.5.1 Policy on Responsible Use of University Computing Resources Introduction This policy governs the proper use and management of all University of

LINCOLN UNIVERSITY. Approved by President and Active. 1. Purpose of Policy

Johnson Creek School District Parent/Student Information Packet

COMPUTER USE POLICY. 1.0 Purpose and Summary

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Information Technology Cyber Security Policy

Information Resources Security Guidelines

Responsible Administrative Unit: Computing, Communications & Information Technologies. Information Technology Appropriate Use Policy

UNIVERSITY GUIDEBOOK. Title of Policy: Acceptable Use of University Technology Resources

Document Title: System Administrator Policy

2. Prohibit and prevent unauthorized online disclosure, use, or dissemination of personally identifiable information of students.

USE OF INFORMATION TECHNOLOGY FACILITIES

Department of Homeland Security Management Directives System MD Number: Issue Date: 03/01/2003 DHS USAGE

Bates Technical College. Information Technology Acceptable Use Policy

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

Network & Information Security Policy

Company Co. Inc. LLC. LAN Domain Network Security Best Practices. An integrated approach to securing Company Co. Inc.

New Mexico Highlands University (NMHU) Information Technology Services (ITS) Information Technology Resources Policy: Internet, Intranet, ,

Electronic Communication

Contact: Henry Torres, (870)

Franciscan University of Steubenville Information Security Policy

Odessa College Use of Computer Resources Policy Policy Date: November 2010

Information Security Policy

BLOOMFIELD COLLEGE ACCEPTABLE USE POLICY

How To Audit The Mint'S Information Technology

Information Technology Acceptable Use Policy

STOWE COMMUNICATIONS ACCEPTABLE USE POLICY FOR BUSINESS SERVICES HIGH SPEED INTERNET

Network Security Policy

Riverside Community College District Policy No General Institution

Data Security Incident Response Plan. [Insert Organization Name]

Page 1 of 10. TITLE: Network Usage Policy STATEMENT OF PURPOSE: Policy Number: AM-RM-010

APPROPRIATE USE OF INFORMATION POLICY 3511 TECHNOLOGY RESOURCES ADOPTED: 06/17/08 PAGE 1 of 5

Student Network Acceptable Use Policy Lone Jack C-6 School District

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

AASTMT Acceptable Use Policy

Cablelynx Acceptable Use Policy

MARIN COUNTY OFFICE OF EDUCATION. EDUCATIONAL INTERNET ACCOUNT Acceptable Use Agreement TERMS AND CONDITIONS

Acceptable Use Policy

Network Security Policy: Best Practices White Paper

TABLE OF CONTENTS Information Systems Security Handbook Information Systems Security program elements. 7

Hyde School Student Computer Systems Acceptable Use Policy

H. R SEC DIRECTORATE FOR INFORMATION ANALYSIS AND INFRA STRUCTURE PROTECTION.

OLYMPIC COLLEGE POLICY

Bossier Parish Community College

Wright State University Information Security

How To Protect Decd Information From Harm

NETWORK AND AIS AUDIT, LOGGING, AND MONITORING POLICY OCIO TABLE OF CONTENTS

Technology Department 1350 Main Street Cambria, CA 93428

STAR TELEPHONE MEMBERSHIP CORPORATION ACCEPTABLE USE POLICY FOR BROADBAND INTERNET SERVICES

Delaware State University Policy

AP 417 Information and Communication Services

Peace Corps Office of the OCIO Information and Information Technology Governance and Compliance Rules of Behavior for General Users

AVON OLD FARMS SCHOOL COMPUTER AND NETWORK ACCEPTABLE USE POLICY

State HIPAA Security Policy State of Connecticut

Sample Employee Network and Internet Usage and Monitoring Policy

<COMPANY> PR11 - Log Review Procedure. Document Reference Date 30th September 2014 Document Status. Final Version 3.

INFORMATION TECHNOLOGY Policy 8400 (Regulation 8400) Data Security

ST. CLOUD STATE UNIVERSITY INSTALLATION AND USE OF VIDEO SURVEILLANCE EQUIPMENT PROCEDURE. Purpose

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Transcription:

Information technology security and system integrity policy. (A) Need for security and integrity. The university abides by and honors its long history of supporting the diverse academic values and perspectives engendered in its academic culture, and the university deeply respects the freedom of expression and thought of its users. Although the university does not censor its users' work, exceptional situations may arise where it becomes necessary to protect the integrity and security of university information systems and to provide for effective operation of these systems. The university must, therefore, reserve the right to limit use and access to certain of its computing systems where the university becomes aware of serious violations with respect to its rules and policies, or with respect to applicable federal, state, or local laws and regulations. This rule provides for information technology system security and integrity. For purposes of this rule, information technology includes computing networks at the university of Akron, which enable communication amongst computing devices as provided by or supported by the university. The security and integrity of information technology shall be protected through a set of priorities with which the university seeks to: (1) Protect human life and people's safety. (2) Protect information systems and prevent the unauthorized exploitation of classified or sensitive data, systems, networks or sites. (3) Protect information systems and prevent the unauthorized exploitation of other data, including proprietary, scientific, managerial and research data. (4) Prevent any damage to or alteration of information technology hardware or software. (5) Minimize any disruption of computing resources and processes. (B) Information technology security officer. The president shall appoint an information technology security officer ("ITSO") to implement the information technology security program at the university of Akron. The "ITSO" shall seek to assure that information technology is secure at the university and shall be responsible for the following duties: (1) Providing for network security by seeking to preclude misuse of the university's network to gain or attempt to gain unauthorized access to any

system; 2 (2) Providing for and implementing, in cooperation with the information technology security policy committee, a written system to investigate any violations or potential violations of this policy or any policy regarding system security and integrity, individually or in cooperation with any appropriate university, law enforcement, or investigative official; (3) Enforcing the provisions of this rule; (4) Keeping a record of system integrity problems and incidences; (5) Taking such emergency action as is reasonably necessary to provide system control where security is deemed to have been lost or jeopardized; (6) Performing periodic security surveys; (7) Performing checks of network systems to assess system security and integrity, as well as to determine the use or placement of illegal or improper software or equipment; (8) Disposing of software or equipment, through appropriate methods, that university officials deem to be legal or proper where such equipment is not attached to or accessing university network systems; (9) Ensuring processes are in place to remove all data before equipment is disposed or redeployed; (10) Training personnel who work with university network systems; (11) Keeping copies of all records and reports necessary to implement this rule; (12) Coordinating and consulting with the office of general counsel, the office of the VPCIO and the information technology security policy committee; (13) Implementing decisions of the university concerning security; and (14) Providing reports directly to the vice president of information and instructional technology (CIO) and the respective vice president in any area where any security violation or potential challenge to security occurs. (C) Information technology security policy committee. (1) The president shall appoint an information technology security policy

3 committee ("ITSPC") consisting of at least one member from each of the divisions represented by a vice president at the university. (2) The "ITSPC" shall, in coordination with the "ITSO," recommend written policies and procedures necessary for assuring the security and integrity of information technology at the university of Akron. Additionally, the "ITSPC" shall coordinate with the "ITSO" in creating and implementing a written system to investigate any violations or potential violations of this policy or any policy regarding system security and integrity. (3) Review actions taken by the "ITSO." (4) The "ITSO" shall be a permanent member of the "ITSPC." (D) Compliance with system security and integrity; noncompliance and enforcement; reservation of authority and rights. (1) All university personnel shall cooperate fully with the university "ITSO" and the "ITSPC." (2) The university reserves the right to take all necessary actions to prevent its network and computing infrastructure from being used to attack, damage, harm or improperly exploit any internal or external systems or networks. (3) The university reserves the right to take all necessary actions to protect the integrity of its network, the systems attached to it, and the data contained therein. (4) Violations of federal, state, or university regulations, or any laws respecting information technology will be considered serious matters that may warrant loss of applicable privileges, fines, or more serious action as necessary, including but not limited to appropriate disciplinary action. (E) Network security and implementation guidelines. (1) Use of the university's network to gain or attempt to gain unauthorized access to any system or information is prohibited. (2) Unauthorized network devices may not be attached to the university's network. (a) An unauthorized network device is any device which, when attached to a packet switched network, enables or facilitates the flow of data for which the device is neither the authorized originator or authorized destination.

4 (b) Interference with network devices or their functionality is prohibited. (3) Devices that provide routing service or functionality, or that generate any type of routing protocol traffic, may not be attached to the university's network without justification and the director of network and communications services' prior approval. (4) Users may not modify the topology of the university's network without prior approval. (a) The installation of network cables, access points, switches, routers or other communications equipment by department staff and students is prohibited, without the prior approval of the director of network and communication services. (b) Telecommunications is the only authorized manager of cable installation. (5) Network servers. (a) All network servers and server services must be registered with the server systems group. (b) The server systems group in the ITS Division will have administrative access to all servers connected to the network to maintain operating system patches and anti-virus software required to protect the university. (c) Unless arrangements have been made with the server systems group, all network connections are considered to be client connections. Client connections are connections that offer no services, computing resources or data resources to the public internet. (6) Network applications and protocols that are not essential to carrying out the mission of the university or to the conduct of university business are neither specifically permitted nor specifically prohibited. Should such an ancillary application or protocol become a risk to the security of the university's computing infrastructure, its use may be restricted or blocked as deemed appropriate or necessary, without prior notice. (7) The use of anonymous or generic "IDs" to provide general login access to university network services is prohibited. This prohibition may not apply when access is otherwise strictly controlled and limited to specific services.

5 (8) Attempts to bypass or circumvent the university's policies on network security or their implementation are prohibited. (9) By connecting to the university's network, users consent to the university's use of both active and passive systems to assess the security of the university's network and all devices connected to it. (a) Systems that appear to be compromised or that present an immediate risk to the security of the university's computing infrastructure may be disconnected as deemed necessary without prior notice. (b) Those systems not deemed to be high risk will be given ample time to correct the problems. (10) The university of Akron will make a good faith effort to protect the integrity of all data which traverses its network but does not guarantee its privacy. Replaces: 3359-11-10.3 Effective: 01/31/2015 Certification: Ted A. Mallo Secretary Board of Trustees Promulgated Under: 111.15 Statutory Authority: 3359.01 Rule Amplifies: 3359.01 Prior Effective Dates: 06/09/03, 06/25/07

2026 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information