SECTION: INFORMATION TECHNOLOGY
INDEX: G-1

SUBJECT:  COMPUTER AND INFORMATION SECURITY

POLICY

Information resources, including data, computers, networks, telephone systems, and related infrastructure, are vital assets of the university that require protection and security from intruders, malicious acts, and situations and circumstances that may affect availability of use.  The Information Technology (IT) department is responsible for developing and maintaining procedures to provide the following security measures to protect those resources:

PROCEDURES

Log-on IDs and passwords

IT provides controlled, legitimate access to resources through the issuance of user IDs and passwords as specified in the Application Servers section of policy G-3, Campus IT Services. Changes in employment status, such as hires, department transfers, and terminations, must be reported to IT promptly so that access to campus technology resources can be given, modified, or disabled, as appropriate.

Protection of Software, Equipment, and Infrastructure

Information Technology is responsible for protecting software, equipment and infrastructure.

Software: Software control is specified in Policy G4, Software Management. Before adding new software to university computers and networks, system defaults should be carefully reviewed for potential security holes, and passwords shipped with the software should be changed. Downloading software, particularly software that is not job-related or supported by IT or university administration, may introduce security risks and may be controlled or removed if problems arise from its presence.

Equipment:  The university’s technology assets are to be housed in appropriately secure physical environments. Technology assets include personal computers, laptops, printers, modems, servers, network equipment and components, interactive video systems, and telephone equipment.  All of these items should be located in areas that can be secured for general protection, but the servers and network equipment and components should be located in secure areas with access limited to authorized personnel only.

Infrastructure: Network configuration is installed and maintained in accordance with the Texas Department of Information Resources security policy for network configuration.

Protection of Data

Information Technology will provide and maintain recommended practices (Recommended Practices) for efficient and effective use of technological resources.  Access to data is controlled through user IDs and the permissions granted to those user IDs.

Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, disk drive failures, intrusion, malicious acts, espionage, data entry errors, or system operations errors.  Data is backed up as described in the Application Servers section of policy G-3, Campus IT Services.

Security Monitoring

Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of

IT will maintain audit logs on controlled systems to track usage information to a level appropriate for that system, including user sessions and failed connection attempts. IT has the discretion to implement any additional logging as necessary.

Disaster Recovery/Business Continuity

IT is responsible for ensuring business continuity as specified in the University Business Contingency Plan.

Employee Training and Notification of Security Issues

Information Technology is responsible for providing training regarding required security practices and notifying university personnel of security incidents of which they should be aware. IT will also occasionally send emails reminding university employees of best security practices and confirming their agreement to abide by the Acceptable Usage Policy.

Approved:

Signature obtained           06/03/05
Tim Hudson, Ph.D.          Date
President

Next review date:   February 2007
Origination:   Director of Information Technology