Office of the Vice President for
Administration and Finance
SECTION: TECHNOLOGY SERVICES INDEX: G-1
SUBJECT: COMPUTER AND INFORMATION SECURITY
Information resources, including data, computers, networks, telephone systems, video conferencing, and related infrastructure, are vital university assets that require protection from intruders, malicious acts, and any event or circumstance that may affect their availability. The Technology Services (TS) department is responsible for developing and maintaining procedures that provide the following security measures to protect those resources:
- Log-on IDs and passwords to provide controlled, legitimate access
- Protection of software, equipment, and infrastructure
- Protection of data, including identification of confidential information
- Security monitoring
- Disaster recovery/business continuity
- Employee training and notification of security issues
All of the following procedures will be implemented in compliance with Texas Administrative Code 202 (TAC 202), the Gramm-Leach-Bliley (GLB) Act, the Family Educational Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPAA).
Log-on IDs and passwords
TS provides controlled, legitimate access to resources through the issuance of user IDs and passwords as specified in the Application Servers section of policy G-3, Campus TS Services. Changes in employment status, such as hires, department transfers, and terminations, must be reported to the Sr. Systems Administrator and/or Systems Specialist in TS immediately so that access to campus technology resources can be granted, modified, or disabled, as appropriate.
Users must not share their accounts or passwords with anyone. An account may be used only by the person to whom it was assigned. Under specific circumstances, the supervisor of an employee or former employee may be granted access to that person's files and/or email to ensure business continuity.
Protection of Software, Equipment, and Infrastructure
Technology Services is responsible for protecting software, equipment and infrastructure.
Software: Software control is specified in Policy G-4, Software Management. Before new software is added to university computers and networks, its default settings should be carefully reviewed for potential security holes, and any default or vendor-supplied passwords shipped with the software must be changed. Downloading software, particularly software that is not job-related or not supported by TS or university administration, may introduce security risks; such software may be controlled or removed if problems arise from its presence.
Equipment: Responsibility for University-owned technology assets rests with the property manager for each school and department and, as appropriate, with the immediate user of the equipment.
- Faculty and staff are responsible to their school/department property manager for all technology assets assigned to them including, but not limited to, desktops and accessories, laptops and accessories, companion printers, tablets, office telephones and remote communication devices such as cell phones and hotspots.
- Network Services is responsible for the physical security and management of UHV servers, network appliances, switches, voice communication hardware, all supporting infrastructure, and the rooms and/or cabinets housing this equipment. All core and/or vital server and network resources will be housed in a secure area with access limited to authorized personnel only.
- Technology not purchased or approved by TS is the sole responsibility of the purchasing school or department and, if not approved by TS, may not be granted the same access to University resources as a similar device provided by TS.
Infrastructure: The network configuration is installed and maintained in accordance with TAC 202. The university provides students, faculty and staff a wireless environment with Internet access as well as limited access to university resources. Guest access can be granted with prior approval; account creation is requested through System Services.
Protection of Data
Technology Services will provide and maintain Recommended Practices for the efficient and effective use of technological resources. Access to data is controlled through user IDs and the permissions granted to those user IDs.
Users are responsible for following all University, System, State, and Federal policies regarding the protection of confidential or sensitive data that is stored or transmitted electronically. Such data must be adequately protected and encrypted, both in storage and in transit, using applications or processes available from TS. Contact the Information Security Officer for more information regarding these processes.
Electronic backups are a business requirement that enable the recovery of data and applications after events such as natural disasters, disk drive failures, intrusions, malicious acts, espionage, data entry errors, or system operations errors. Data is backed up as described in the Application Servers section of policy G-3, Campus TS Services.
As obsolete or unneeded equipment is disposed of, the university will assess the data stored on it and remove the appropriate data files or sanitize the device. Hard drives will be erased using methods that meet or exceed DoD 5220.22-M for the deletion and overwriting of data. If erasure is not possible, the drive will be removed from the computer, server or appliance and physically destroyed. A record of that process and of the systems affected will be maintained.
No data classified at UH Data Classification Sensitivity/Criticality Level 2 or higher (UH Data Classification Levels) shall be stored on a mobile device such as a tablet or smart phone. Any mobile device configured to access University resources (e.g. email) must be protected by a password or similar security measure to prevent unauthorized use, and the device may not be shared with anyone. If a mobile device on which University data is stored is lost or stolen, it is the owner's responsibility to inform the Information Security Officer immediately so that security measures can be implemented to prevent further unauthorized access.
Security Monitoring
Security monitoring is the means by which TS confirms that the security practices and controls in place are being followed and are effective. Monitoring consists of activities such as the review of:
- Automated intrusion detection and prevention system logs (reviewed continually)
- Firewall logs
- User account logs
- Network scanning logs
- Application logs
- Data backup recovery logs
- Help desk logs
- Other log and error files
TS will maintain audit logs on controlled systems to track usage information to a level appropriate for each system, including user sessions and failed connection attempts. TS may implement additional logging at its discretion as necessary. TS will also perform vulnerability testing of university networks annually.
As required by System policy, the CIO will appoint the University's Information Security Officer, who is the point of contact for questions or concerns regarding information security and for reporting violations of security policies or procedures.
TS will follow System Policy SAM 01.C.14 (Identity Theft) and will support and enforce the Red Flags Rule as needed by the University.
Disaster Recovery/Business Continuity
TS is responsible for ensuring business continuity as specified in the University Business Contingency Plan.
Employee Training and Notification of Security Issues
The University of Houston System provides training regarding required security practices. UHV TS will notify university personnel of security incidents they should be aware of, and will periodically send emails reminding university employees of best security practices and confirming their agreement to abide by the Acceptable Usage Policy.
Philip Castille, Ph.D.
Next Review Date: August, 2016
Originating Department: Technology Services