Computer and Network Security Policy
University of Arkansas
Draft: April 20, 2001, 1:23 a.m.
Text "Computing Services" changed to "University IT Services" 10-22-07
Purpose:
To establish conditions for use of, and requirements for appropriate security for University Computer and Network Resources (as defined in the "Glossary of Computer Data and System Terminology").
Scope:
This policy is effective at all University locations and applies to all system users at any location, including those using privately owned computers or systems to access University Computer and Network Resources. This policy represents the minimum requirements that must be in place. This policy is not intended to inhibit access to information services that University employees and students have made accessible for public inquiry (e.g., World Wide Web, or anonymous ftp). However, use of such services to access or attempt to access information not intended for public display or use, or to circumvent or violate the responsibilities of system users or system administrators as defined in this policy, is prohibited.
Policy:
I. General:
Appropriate security shall include, but is not limited to: protection of the privacy of information, protection of information against unauthorized modification or disclosure, protection of systems against denial of service, and protection of systems against unauthorized access.
University Computer and Network Resources may be accessed or used only by individuals authorized by the University. Issuance of an account to a system user must be approved by an authorized University representative, as designated in the "Code of Computing Practice". Any question with regard to whether a specific use is authorized must be referred to the Information Technology Security Group (ITSG).
In order to protect the security and integrity of Computer and Network Resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the University reserves the rights, at its sole discretion, to limit, restrict, or terminate any account or use of Computer and Network Resources, and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine authorized use. The University also reserves the right to inspect or check the configuration of Computer and Network Resources for compliance with this policy, and to take such other actions as in its sole discretion it deems necessary to protect University Computer and Network Resources. The University further reserves the right to enforce these provisions without prior notice to the user.
The University shall not be liable for, and the user assumes the risk of, inadvertent loss of data or interference with files or processes resulting from the University's efforts to maintain the privacy, integrity and security of the University's Computer and Network Resources.
II. Responsibilities Related To Access To And Use Of Computer And Network Resources:
The Information Technology Security Group - is responsible for:
- Implementing University-wide security policies to protect the University's Computer and Network Resources from intentional or inadvertent modification, disclosure or destruction.
- Monitoring user adherence to these policies.
- Authorizing security audits or security scans affecting Computer and Network Resources (except for those responsibilities specifically accorded to system administrators in this policy).
- Coordinating response to computer and network security incidents to include, but not be limited to, notification of incidents to University Police, internal auditors, and other University offices as appropriate, and contact with Incident Response teams external to the University.
- Educating the user community in the ethical use of Computer and Network Resources and on best common practices and standards for implementing and improving security of Computer and Network Resources.
- Maintaining methods of reporting incidents (i.e., Web forms, email addresses, emergency contact methods).
- Maintaining a list of Emergency Departmental Contacts. The contact list should allow University individuals to locate their local security contact person, and provide Information Technology Security Group members with emergency contact methods for each local security person.
- Require regular updates of all University Computer and Network Resource software, especially those for which demonstrated security exposures are repaired.
- Require strong encryption and secure authentication techniques throughout all University Computer and Network Resources where possible.
- Providing services (i.e., Web pages, FAQs, patches, virus software updates, instruction, organization for volunteers, security alerts, etc.) to assist departments and individuals to maintain security on their Computer and Network Resources.
Network and Computer Security Subcommittee of the Computing Activities Council - are responsible for:
- Developing additional security policies specific to their Colleges or administrative units in coordination with the Information Technology Security Group, and in consonance with this policy.
- These policies will guide System Administrators within the Colleges and administrative units in the formulation of detailed security procedures, and are considered to be a part of this policy statement.
Departments and Organizations - are responsible for:
- Providing security contact information for users. This information will be maintained on the ITSG website.
- Providing emergency contact information for the ITSG. This information will be maintained on the ITSG website.
- Updating their University Computer and Network Resource software on a regular basis.
University IT Services - are responsible for:
- Authorizing access to computer systems, including the purpose of the account, and issuance of passwords, or designating in writing the individual(s) who will exercise this responsibility for the various systems and networks within the College or administrative unit. Responsibility for authorizing Group Accounts (as defined in the "Glossary of Computer Data and System Terminology") cannot be delegated lower than the academic department head, or equivalent managerial level within an administrative unit. For centrally managed Computer and Network Resources, only the applicable Senior Director within University IT Services may approve a Group Account.
- Ensuring mechanisms are in place to obtain acknowledgment from System Users that they understand, and agree to comply with University and College/Unit security policies. Such acknowledgment must be written unless an exception is approved in accordance with the Exceptions and Exemptions section of this policy.
- Ensuring technical or procedural means are in place to facilitate determining the User ID responsible for unauthorized activity in the event of a security incident.
System Users (as defined in the "Glossary of Computer Data and System Terminology") - are responsible for:
- Understanding, agreeing to and complying with all security policies governing University Computer and Network Resources and with all federal state and local laws, including laws applicable to the use of computer facilities, electronically encoded data and computer software.
- Safeguarding passwords and/or other sensitive access control information related to their own accounts or network access. Such information must not be transmitted to, shared with, or divulged to others. Similarly, system users must recognize the sensitivity of all other passwords and computer or network access information in any form, and must not use, copy, transmit, share or divulge such information, nor convert the same from encrypted or enciphered form to unencrypted form or legible text. Any attempt to conduct such actions by a system user is a violation of this policy.
- Taking reasonable precautions, including personal password maintenance and file protection measures, to prevent unauthorized use of their accounts, programs or data by others.
- Ensuring accounts or computer and network access privileges are restricted to their own use only. System users must not share their accounts, nor grant accounts to others nor otherwise extend their own authorized computer and network access privileges to others.
- Ensuring the secure configuration and operation of network services (e.g., World Wide Web, anonymous ftp, shared directories, files, and printers) they may establish on machines connected to University Computer and Network Resources.
- Conducting or attempting to conduct security experiments or security probes or scans involving or using University Computer and Network Resources without the specific authorization of the Information Technology Security Group is prohibited. The intentional or negligent deletion or alteration of information or data of others, intentional or negligent misuse of system resources, intentionally or negligently introducing or spreading computer viruses, and permitting misuse of system resources by others are prohibited.
- Respecting the privacy of electronic communication. System users must not obtain nor attempt to obtain any electronic communication or information not intended for them. In particular, system users must not attempt to intercept or inspect information (e.g., packets) en route through University Computer and Network Resources, nor use University Computer and Network Resources to attempt to intercept or inspect information en route through networks elsewhere.
- Respecting the physical hardware and network configuration of University-owned networks. System users must not extend the physical network on which their system resides (e.g., wiring, jacks, wireless connection) without proper authorization.
- Abiding by all security measures implemented on University Computer and Network Resources. System users must not attempt to defeat or subvert security measures. System users must not use any other network address (e.g., IP address) for a Computer or Network Resource than has been properly assigned by an authorized system or network administrator.
- Treating non-University Computer and Network Resources in accordance with this policy. University Computer and Network Resources must not be used to attempt to breach the security or security policy of other sites (either willfully or negligently). An action or attempted action affecting non-University Computer and Network Resources that would violate this policy if performed on University of Arkansas Computer and Network Resources is prohibited.
System administrators (as defined in the "Glossary of Computer Data and System Terminology") - are responsible for:
(Unless otherwise stated, system administrators have the same responsibilities as system users. However, because of their position, system administrators have additional responsibilities and privileges for specific systems or networks.)
- Preparing and maintaining security procedures that implement University and College/Unit security policies in their local environment and that address such details as access control, backup and disaster recovery mechanisms and continuous operation in case of power outages.
- Taking reasonable precautions to guard against corruption, compromise or destruction of Computer and Network Resources. Reasonable precautions for system administrators exceed those authorized for system users. Specifically, system administrators may conduct security scans of systems which they directly administer. However, they may not conduct security scans for any other system or network. Similarly, system administrators may conduct dictionary comparisons or otherwise check password information related to system users on the systems for which they have administrative responsibility. They may not do so on other systems. Such password scans shall be conducted only for the purpose of improving security by identifying owners of weak or easily guessed passwords. System administrators may also intercept or inspect information en route through a network, but only information originating from or destined for systems for which they have direct administrative responsibility and only for purposes of diagnosing system or network problems. Exceptions must be authorized by the Information Technology Security Group in accordance with this policy.
- Treating the files of system users as private. It is recognized that a system administrator may have incidental contact with system user files, including electronic mail, in the course of his or her duties. The contents of such files must be kept private. Deliberate access to system user files is authorized only in the event of a suspected security breach, if essential to maintain the system(s) or network(s) for which the system administrator has direct administrative responsibility, or if requested by or coordinated with the system user. Law enforcement access to system and/or user files must be by properly filed subpoena or search warrant only.
- Taking reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on all systems, networks, and servers.
- Ensuring that University of Arkansas network addresses are assigned to those entities or organizations that are part of University of Arkansas only. System administrators must not assign network addresses to non-University of Arkansas entities or organizations. System administrators may in some cases provide Domain Name Service for non-University of Arkansas Computer and Network Resources, but only with the approval of University IT Services.
- Limiting access to root or privileged supervisory accounts. In general, only system administrators should have access to such accounts. System users should generally not be given unrestricted access to root or privileged supervisory accounts. As with all accounts, authorization for root or privileged supervisory accounts must be approved in accordance with this policy.
III. Copyright And Intellectual Property:
Because electronic information is volatile and easily reproduced, respect for the work and personal expression of others is especially critical in computer environments. Violations of authorial integrity, including plagiarism, invasion of privacy, unauthorized access, and trade secret and copyright violation using University Computer and Network Resources are prohibited. Computer software protected by copyright is not to be copied from, into, or by using University Computer and Network Resources, except as permitted by law or by the license or contract with the owner of the copyright.
IV. Reporting Security Incidents Or System Vulnerabilities:
Individuals aware of any breach of information or network security, or compromise of computer or network security safeguards, must report such situations to the appropriate system administrator and to the Information Technology Security Group within 48 hours of discovery. The University Information Technology Security Group, in coordination with appropriate University offices, will determine if financial loss has occurred and if control or procedures require modification. When warranted by such preliminary review, University Police Services, internal Audit, and other University departments or law enforcement authorities will be contacted as appropriate.
Sanctions For Policy Violations:
Violation of any provision of this policy may result in:
- restriction or termination of a system user's access to University Computer and Network Resources, including the summary suspension of such access, and/or rights pending further disciplinary and/or judicial action;
- the initiation of legal action by the University and/or respective federal, state or local law enforcement officials, including but not limited to, criminal prosecution under appropriate federal, state or local laws;
- the requirement of the violator to provide restitution for any improper use of service; and
- disciplinary sanctions, which may include dismissal or expulsion.
Course And Work-Related Access To Computers And Computer Networks:
Many academic course and work-related activities require the use of computers, networks and systems of the University. In the event of an imposed restriction or termination of access to some or all University computers and systems, a user enrolled in such courses or involved in computer-related work activities may be required to use alternative facilities, if any, to satisfy the obligation of such courses or work activity. However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible to complete requirements for course work or work responsibility. The University views misuse of computers as a serious matter, and may restrict access to its facilities even if the user is unable to complete course requirements or work responsibilities as a result.
Exceptions And Exemptions
Exception to or exemptions from any provision of this policy must be approved by the Information Technology Security Group. Similarly, any questions about the contents of this policy, or the applicability of this policy to a particular situation should be referred to the Information Technology Security Group.