Security
of
Resources Issue
No. 6
Effective Date: 10/30/2006
Review: April 1 E3Y
01. POLICY STATEMENTS
01.01 Automated information and information resources residing at
02. GENERAL GUIDELINES
02.01 Information that is sensitive or confidential must be protected from unauthorized access or modification. Data that is essential to critical university functions must be protected from loss, contamination, or destruction.
02.02 Risks to information resources must be managed. The expense of security safeguards must be appropriate to the value of the assets being protected, considering value to both the University and potential intruder.
02.03 The integrity of data, its source, its destination, and processes applied to it are critical to its value. Changes to data must be made only in authorized and acceptable ways.
02.04 In the event a disaster or catastrophe disables information processing and related telecommunication functions, the ability to continue critical university services must be assured.
02.05 Security needs must be considered and addressed in all phases of development or acquisition of new information processing systems.
02.06 Security awareness of employees must be continually emphasized and reinforced at all levels of management. All individuals must be accountable for their actions relating to information resources.
02.07 The university information security program must be responsive and adaptable to changing vulnerabilities and technologies affecting information resources.
02.08 The University must ensure adequate separation of functions for tasks that are susceptible to fraudulent or other unauthorized activity.
03. PURPOSE
03.01 The
03.02 Texas Administrative Code (1 TAC 201.13(b)) assigns to each head of an agency of state government the responsibility of assuring an adequate level of security for all data and information technology resources within that agency. The purpose of this UPPS is to establish an Information Resources Security Program to:
a. Assign and maintain management and staff accountability for the protection of information resources;
b. Promulgate policies regarding the security of data and information technology resources;
c. Define minimum security standards for the protection of information resources, including required administrative procedures or management controls;
d. Provide procedures to assist management and staff in implementing effective security standards and practices where such controls are applicable, as determined by management;
e. Provide a compilation of information security material in support of security awareness and training programs; and
f. Ensure that security controls do not unnecessarily impede authorized access to information resources.
04. FACULTY, STAFF AND STUDENT RESPONSIBILITIES
04.01 It is against university policy for individuals to attempt to violate the security of other computer users on any system accessible via the university computer network. The violation or attempted violation of system security is grounds for revocation of computer access privileges, suspension or discharge of employees, suspension or expulsion of students, and prosecution to the full extent of the law.
04.02 Individuals are responsible for the security of any computer account issued to them and are accountable for any activity that takes place in their account. Individuals who discover or suspect that the security of their account has been compromised must immediately change their password and report the incident to their supervisor. Any suspected or attempted violation of system security should be reported immediately to the Office of the Assistant Vice President for Technology Resources at 245-2501.
04.03 The Assistant Vice President for Technology Resources will ensure that Sections 04.01 and 04.02 of this UPPS are available for posting in all centrally administered computing facilities and offices, including computer centers, staff offices and general purpose computer labs. The Assistant Vice President for Technology Resources will also ensure that Sections 04.01 and 04.02 of this UPPS are published in all appropriate University documents, such as the Staff Handbook, the Faculty Handbook, and the Student Handbook.
04.04 Each member of the Texas State faculty and staff (including student staff) having access to the University's central computer systems, any terminal or workstation device connected to the University computer network, or any printed material produced via the university computer network is responsible for using only those resources and materials required to fulfill their job functions. Moreover, such use must be appropriate and consistent with those job functions and must not violate or compromise the privacy or security of any data or systems accessible via the University computer network.
04.05 Each person having access to the administrative database is responsible for ensuring the privacy and security of any information accessible to him or her in the normal course of his or her work. Each person is responsible for the security of any terminal or workstation device accessible to him or her in the normal course of his or her work.
04.06 The responsibilities of a position with respect to security and risk management are commensurate with its authority. Descriptions of security roles and responsibilities for university personnel are contained in the Information Resources Security Manual (IRSM).
04.07 The University recognizes four generic roles with respect to the security of data, software, hardware and other information resources: 1) owners, 2) custodians, 3) agents and 4) users. Texas State University-San Marcos (and consequently the State of
04.08 Technology Resources, acting on behalf of the President and in its ISF role, defines information asset custodianship and custodianship responsibilities for all
04.09 An internal audit of the Information Security Function (ISF) shall be performed periodically, based on risk assessment, as directed by the President or the Vice President for Information Technology acting on delegated authority for risk management decisions.
05. RISK ANALYSIS PROCEDURES
05.01 Risk analysis is the vehicle for systematically identifying and evaluating the vulnerabilities of an information system and its data to the threats facing it in its environment. It's an essential part of any security and risk management program. Absolute security that assures protection against all threats is unachievable. Risk analysis provides a framework for weighing losses that may be expected to occur in the absence of an effective security control, against the costs of implementing the control. Risk management is intended to ensure that reasonable steps have been taken to prevent situations that can interfere with accomplishing the university mission.
05.02 Managers shall periodically complete or commission a comprehensive risk analysis for all information resources in their custody, including departmentally-administered computing resources used to store, process and access confidential or sensitive information. The analysis should identify reasonable, foreseeable, internal, and external risks to the security, confidentiality, and integrity of those resources that could result in unauthorized disclosure, misuse, alteration, destruction, or other compromise of information. The sufficiency of safeguards in place to control these risks must be assessed and the degree of risk acceptance (i.e., the exposure remaining after implementing appropriate protective measures, if any) must be identified and documented. This risk analysis should include consideration of employee training and management, information systems architecture and processes, and prevention, detection and response to intrusion and attack.
05.03 Technology Resources shall periodically complete or commission a risk analysis of information resources considered essential to the University's critical mission and functions, and shall implement appropriate controls and procedures to safeguard those resources. Technology Resources shall prepare and maintain a written and cost-effective Disaster Recovery Plan that provides for the prompt and effective continuation of critical university missions in the event of a disaster. Key safeguards and the Disaster Recovery Plan will be tested and updated periodically to assure that it is valid and remains current.
05.04 Administrators of servers that support critical university functions are responsible for those servers. The security controls over the backup resources will be as stringent as the protection required of the primary resources. Departments administering networks are responsible for establishing regular schedules for making backup copies of all data and software resident on their networks and for ensuring that the backups are stored in a safe location. Users are responsible for ensuring that the data and software resident on their personal computers are backed up as required by their individual circumstances.
06. PERSONNEL PRACTICES
06.01 In any organization, people represent the greatest possible assets in maintaining an active level of security. People also represent the greatest threats to information security; therefore, maintaining employee awareness and motivation is an integral part of the security program.
Managers are responsible for taking all measures necessary to ensure that departmental staff maintain the confidentiality of information retrieved from the administrative database. Examples of such information include personnel and payroll records, transcript and grade records, financial aid information, and other sensitive data. Use of this information for unauthorized purposes is prohibited, as is access to such information in any form whatsoever by unauthorized individuals.
06.02 Technology Resources has developed and maintains an Information Resources Security Manual (IRSM) that includes the University's security policies and procedures. The use of
Technology Resources shall provide literature and training at the University's new employee orientation and Professional Development sessions for continuing employees to emphasize security awareness and the importance of individual responsibility with respect to information security. This literature shall include references to all relevant university policy and procedure documents, including the IRSM. Managers must continually reinforce the value of security consciousness in all employees whose duties bring them into contact with confidential or sensitive information resources.
06.03 Managers are responsible for ensuring that access privileges are revoked or modified as appropriate for any employee in their charge who is terminating, transferring, or changing duties. Managers should provide written notification to the appropriate security administrator whenever an employee's access privileges should be revoked or changed as a result of the employee's change in status. See Appendix A of the IRSM for a list of applications and their Security Administrators.
07. PHYSICAL S
07.01 All university information processing areas must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations.
07.02 Reviews of physical security measures shall be conducted annually by managers, as well as whenever facilities or security procedures are significantly modified.
07.03 Physical access to centrally administered computer facilities is restricted to individuals having prior authorization from the Assistant Vice President for Technology Resources. Authorized visitors shall be supervised. The responsibility for securing departmentally administered computer facilities or equipment from unauthorized physical access or improper use ultimately rests with the manager responsible for the facility or equipment.
07.04 Employees and information resources shall be protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment and shall be trained in desired response in case of emergencies or equipment problems. Emergency procedures shall be developed and regularly tested as directed by the university Risk Management and Safety Office. Policy and procedures for Technology Resources’ staff will include housekeeping and environmental control procedures.
07.05 Confidential or sensitive information, when handled or processed by terminals, workstations, communication switches and network components outside the central computer room, shall receive the level of protection necessary to ensure its integrity and confidentiality. The required protection may be achieved by physical or logical controls, or a mix thereof. No “logged in” job session (i.e., a session in which user identity has been authenticated) shall be left unattended unless appropriate measures, such as password protected keyboard locking, have been taken to prevent unauthorized use. The owner of the logged-in account is responsible for any activity that occurs during a job session logged-in under that account.
08. PROCEDURES FOR MAINTAINING INFORMATION S
08.01 All information and telecommunication resources leased or owned by the University and all information technology services billed to the University shall be used only to conduct official university business except as otherwise provided by state law.
08.02 All computer software programs, applications, source code, object code and documentation are deemed to be a work made for hire and are university property and shall be protected as such if developed either:
a. by Texas State employees in the course and scope of their employment or with the use of Texas State equipment, materials or other resources, with the exception of those works covered by a separate intellectual property agreement that addresses ownership rights; or
b. by contract personnel acting under a contract with the University or the State, unless the contract under which the software or documentation is developed specifically provides otherwise; or
c. through expenditure of university funds.
08.03 All computer software programs, applications and documentation and associated licenses purchased for use by the University are university property and shall be protected as such.
08.04 Confidential information shall be accessible only to personnel who are authorized by the information custodian on a strict "need to know" basis in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as such in its entirety, consistent with university policies and procedures as identified in the IRSM and UPPS 01.04.00, Appropriate Release of Information.
08.05 When confidential or sensitive information from another university or state agency is received by
08.06 Managers shall specify and establish controls to ensure the accuracy and completeness of data and ensure that data comes from the appropriate source for the intended use.
08.07 Except for public users of systems where such access is authorized, or for situations where risk analysis demonstrates no need for individual accountability of users, each user of a multiple-user automated system shall be assigned a unique personal identifier or user identification. User identification shall be authenticated before the system may grant that user access to automated information.
08.08 A user's access authorization shall be removed from the system when the user's employment is terminated or the user transfers to a position where access to the system is no longer required. The Assistant Vice President for Technology Resources may authorize exceptions to this account revocation policy when in his or her best judgment it is clearly in the University's best interest to do so.
08.09 Systems shall incorporate authentication functions that are consistent with the level of confidentiality or sensitivity of the information they contain and process.
08.10
08.11 Appropriate audit trails shall be maintained to provide accountability for changes to confidential or sensitive information, software and automated security or access rules.
08.12 Automated systems that process confidential or sensitive information must adhere to university policies as defined or referenced in the IRSM.
08.13 Controls shall ensure that legitimate users of information resources cannot access stored software or data unless they have been authorized to do so.
08.14 Security breaches shall be promptly reported and investigated. If criminal action is suspected, the University must contact the appropriate local law enforcement and investigative authorities immediately.
08.15 Test functions shall be kept either physically or logically separate from production functions. Copies of production data shall not be used for testing unless all personnel involved in testing are authorized access to the production data.
08.16 Appropriate information security and audit controls shall be incorporated into new systems. Each phase of systems acquisition shall incorporate corresponding development or assurances of security controls.
08.17 After a new system has been placed in operation, all program changes shall be authorized and accepted by the information custodian (or custodian's designee) before implementation.
09. PROCEDURES FOR MAINTAINING INFORMATION SYSTEMS WITH PUBLIC ACCESS COMPONENTS
09.01 Information systems with public access components (e.g., self service systems) must incorporate security procedures and controls to ensure data integrity and the protection of confidential information.
09.02 Public access systems must authenticate the identity of any individual retrieving, creating, or updating sensitive or confidential information about themselves.
10. PROCEDURES FOR MAINTAINING DATA COMMUNICATION SYSTEMS
10.01 Network resources utilized to exchange confidential information shall maintain confidentiality of the information for the duration of the session. Controls shall be implemented commensurate with the highest risk.
10.02 All network components under university control must be identifiable and restricted to their intended use.
10.03 Custodians of distributed information resources served by distributed networks shall prescribe sufficient controls to ensure that access to those resources is restricted to authorized users and uses only. These controls shall selectively limit services based upon:
a. user identification and authentication (e.g., password, smart card/token), or
b. designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session, or
c. physical access controls.
10.04 Network access to an application containing confidential or sensitive data, and data sharing between applications, shall be as authorized by the application custodians and shall require authentication of any user of the application.
10.05 Each university department shall, as part of its contingency plan, provide for an alternate means of accomplishing its program objectives in case the system or its communication network becomes unavailable. Alternative procedures shall be established that enable university personnel to continue critical day-to-day operations in spite of the loss of the communication network.
10.06 For services other than those authorized for the public, users accessing
10.07 Communication system identification screens shall include the following warning statements:
a. Unauthorized Access (Use) is Prohibited;
b. Usage May be Subject to Security Testing and Monitoring;
c. Abuse is Subject to Criminal Prosecution.
11. REVIEWERS OF THIS UPPS
11.01 Reviewers of this UPPS include the following:
Position                                               Date
Assistant Vice President for Technology Resources      April 1 E3Y
Chair, Campus Information Resource Advisory Council    April 1 E3Y
12. CERTIFICATION STATEMENT
This UPPS has been approved by the following individuals in their official capacities and represents
Assistant Vice President for Technology Resources; senior reviewer of this UPPS
Vice President for Information Technology and Chair, Campus Information Resource Advisory Council; reviewer of this UPPS
President