Policies

Computer and Information Security

SECTION: Index G - Information Technology
SUBJECT: G-01 Computer and Information Security>

POLICY

Information resources, including data, computers, networks, telephone systems, video conferencing, and related infrastructure, are vital assets to the university which require protection and security from intruders, malicious acts, and situations and circumstances that may affect availability of use. The Information Technology (IT) department is responsible for developing and maintaining procedures to provide the following security measures to protect those resources:

• Log-on ID's and passwords to provide controlled, legitimate access
• Protection of software, equipment, and infrastructure
• Protection of data, including identification of Level 1, 2 and 3 data
• Security Monitoring
• Disaster recovery/business continuity
• Employee training and notification of security issues

All of the following procedures will be implemented in compliance with UHS Policy, Texas Administrative Code 202 (TAC 202), the Gramm-Leach-Bliley (GLB) Act, the Family Education Rights and Privacy Act (FERPA) and the Health Insurance Portability and Accountability Act (HIPPA).

In compliance with Texas Administrative Code 202.71, UHV will have an Information Security Officer (ISO) who is given the authority for information security for the entire institution. The ISO can be reached at security@uhv.edu.

PROCEDURE

LOG-ON ID’s AND PASSWORDS

IT provides controlled, legitimate access to resources through the combination of user ID’s, passwords cards and multi-factor authentication as specified in the Application Servers section of policy G-03, Campus IT Services. Changes in employment status, such as hires, department transfers, and terminations, must be reported to IT Application Services immediately so that access to campus technology resources can be given, modified, or disabled, as appropriate. Application Services can be reached at AppSrv@uhv.edu.

Users shall not share their accounts or passwords with anyone.

Every UHV employee and student shall have their own account for accessing university resources and for performing their assigned duties or class work. Employee’s files, network shares and emails may be made available to their supervisor under extraordinary circumstances in order to maintain business continuity. This process is defined by IT posted policies and based on UHS policies covering the protection of email and data including SAM 07.A.06 E-Mail Retention and SAM 07.A.07 Use of Electronic Messaging Services by Employees.

PROTECTION OF SOFTWARE, EQUIPMENT, AND INFRASTRUCTURE

All university employees have some level of responsibility for protecting UHV owned software, equipment, infrastructure and data, regardless of where the data is stored.

Software: Software control is specified in Policy G-04, Software Management. Only supported software shall be installed on university computers, servers and network devices. During installation, system defaults should be carefully reviewed for potential security holes, and default passwords shall be changed. Unsupported software may be uninstalled automatically at the discretion of the IT Help Desk or IT Security if it is known to have vulnerabilities or poses an unnecessary risk to, or disruption of, university business. Request for unsupported software shall be made to the IT Help Desk.

Equipment: Responsibility for University owned technology assets rest with the individual property owners for each school and department and, as appropriate, the immediate user of the equipment.

• Faculty and staff are responsible to their school/department property custodians for all technology assets assigned to them including, but not limited to, desktops and accessories, laptops and accessories, companion printers, tablets, office telephones and remote communication devices such as cell phones and hotspots.

• Network Operations (Net Ops) is responsible for the physical security and management of UHV Servers, network appliances, switches, voice communication hardware (excluding individual’s desktop phones) and all supporting infrastructure and the rooms and/or cabinets housing this equipment. All core and/or vital server and network resources shall be housed in a secure area with access limited to Net Ops, Security and emergency personnel only.

• Technology not purchased or approved by IT will be the sole responsibility of the purchasing school or department and may not have the same access to University resources as a similar device provided by IT.

Infrastructure: The University’s network and server infrastructure is installed and maintained based on industry best practices and in accordance with TAC 202, and system policies. As maintenance and upgrades are a necessary part of a university supporting and maintaining an advanced network environment, planned downtime will be scheduled during times of historically low utilization. Significant maintenance will be performed during the LEARN maintenance window of 00:00 to 06:00 with a two-week prior notice. Server and individual device upgrades may be scheduled on Friday’s from 18:00 – 23:59 with notice posted by 17:00 the proceeding Wednesday with a reminder by 09:00 on the Friday of the maintenance. Emergency maintenance may be performed at any time. Net Ops will notify users as possible via email, voicemail or social media.

While the UHV network is intended for use in support of university business, Guests may access Internet resources via the UHV wireless network. Because this environment is property of the State of Texas, Net Ops and/or IT Security may, at their discretion, temporarily restrict or block access to the Guest wireless in the event of an abuse of this resource.

PROTECTION OF DATA

IT will provide and maintain recommended practices for efficient and effective use of technological resources. Access to data is controlled through locally administered, centrally managed accounts using some combination of user ID's, passwords, and, depending on the environment, other multi-factor authentication methods.

Users are responsible for following all University, System, State, and Federal policies regarding the protection of Level 1 data as defined by SAM 07.A.08 Data Classification and Protection. The storage and sharing of said data must be adequately protected and encrypted using applications or processes available in IT or approved by the ISO. Contact the ISO at Security@uhv.edu for more information regarding these processes.

Electronic backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, disk drive failures, intrusion, malicious acts, espionage, data entry errors, or system operations errors. Data is backed up as described in the Application Servers section of policy G-03, Campus IT Services. Backups are not maintained for archival or incidental recovery purposes. Per SAM 07.A.06 E-Mail Retention, no email is recoverable after twelve weeks. It is the responsibility of Data Owners to ensure data that must be preserved is stored in IT provided network storage and labeled appropriately.

As obsolete or unneeded equipment is disposed of, the university will assess the data stored therein and remove the appropriate data files or sanitize the device. Hard drives will be erased via methods exceeding DOD 5220.22-M for the deletion and overwriting of data. In the event a deletion is not possible the drive will be removed from the computer, server or appliance and physically destroyed. A record of that process and the systems affected will be maintained.

No data classified as Level 1 per SAM 07.A.08 shall be stored on a non-University owned device or mobile device such as a tablet or smart phone. Accessing Level 1 data on these devices shall be through the IT provided JagSpace portal or Office 365. Any mobile device configured to access University resources (i.e. JagSpace, Office 365, and/or email) must be protected by a password or similar security measure to prevent unauthorized use and this device may not be shared with anyone. If a mobile device on which University data is lost or stolen, it is the owner’s responsibility to inform the Information Security Officer immediately in order to implement security measures to prevent further unauthorized access.

Level 1 data may not be stored on mobile or portable devices without prior authorization by IT Security and shall meet the following requirements:

• Device is configured to receive all critical and security updates of the operating system
• All data stored on the device must be encrypted at rest.

In addition, if the device is a laptop, tablet or computer:

• Full Hard Disk encryption shall be configured
• Primary user account shall not be a local admin

SECURITY MONITORING

Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of

• Continual automated intrusion detection and prevention logs
• Firewall logs
• User account logs
• Network scanning logs
• Application logs
• Data backup recovery logs
• Help desk logs
• Other log and error files

IT will maintain audit logs on controlled systems to track usage information to a level appropriate for that system, including user sessions and failed connection attempts. IT has the discretion to implement any additional logging as necessary. IT will also perform vulnerability testing of university networks monthly.

IDENTITY THEFT

IT will follow the System Policy (SAM 01.C.14 Identity Theft) and will support and enforce the Red Flag rules as needed by the University.

BUSINESS CONTINUITY / DISASTER RECOVERY

IT is responsible for insuring business continuity as specified in the University Business Contingency Plan.

IT Security is responsible for documenting and maintaining the Information Technology Security Response and Disaster Recovery Plan

EMPLOYEE TRAINING AND NOTIFICATION OF SECURITY ISSUES

The University of Houston System and IT Security provides training regarding required security practices, and UHV IT will notify university personnel of security incidents of which to be aware and will occasionally send emails reminding university employees of best security practices and confirming their agreement to abide by the Acceptable Usage Policy.

Approved by:

Signature Obtained 01/03/2022
Robert K. Glenn, Jr., Ph.D.
President

Next Review Date: January 2027 (5 years)
Origination: Information Technology

COMMENTS/QUESTIONS

If there are any comments and/or questions regarding this policy, please contact the Sr. Director of Information Technology.