University Policy Office
NETWORK SECURITY REGULATIONS
Approval: Approved by the President on May 1, 2003
Authority: Board of Governors Policy 1.2.040
Responsibility: University Director of Information Services
IF YOU HAVE SPECIFIC QUESTIONS REGARDING THESE REGULATIONS, PLEASE CONTACT THE DEPARTMENT OF INFORMATION SERVICES.
Information technology exists to support the mission and operation of the University of Central Missouri. The University of Central Missouri relies on information technology to perform daily operations vital to achieving the university’s mission. UCM ’s network must be protected and secured in a manner which strikes a balance between the functional needs of academic disciplines, functional needs of administrative units and the realistic threat of network security breaches.
A. Campus-level Security Mearsures
- When the university’s network or other information technology resources come under attack, from external or internal sources, the director of information services will take prudent steps to secure the university’s information technology resources. This may include immediate electronic or physical isolation of network resources, e-mail systems, internet access, etc.
- A priority list of systems to return to normal function during/after an attack on university information technology resources will be identified as a general guideline in the Department of Information Services and posted on the web. An ad hoc committee consisting of the chairs of each of the Information Technology Policy Council (ITPC) subcommittees and the chair of the ITPC may convene whenever an attack occurs to advise the Department of Information Services. This ad hoc committee may make recommendations to modify the priority list, according to the immediate needs of the university.
B. Network-level Security Measures
- The Department of Information Services monitors the level of operating system and security patches on university and departmental servers under its responsibility to maintain the best possible security of network resources. All servers that are connected to the university network but which are not under the responsibility of the Department of Information Services must register with the Department of Information Services, which will then communicate regularly with the operators of those servers to ensure the best possible security. When a server that poses a security risk due to out-of-date security patches and operating systems is detected by the Department of Information Services, that server may be isolated from the network until the security problems are resolved. Before a server is isolated from the network, the Department of Information Services will attempt to contact the registered administrator of that server.
- Servers managed by the Department of Information Services maintain log files consistent with MOREnet requirements. (See MOREnet’s web site for requirements or contact the Department of Information Services for additional information.) Servers not under the responsibility of the Department of Information Services are expected to maintain log files consistent with MOREnet requirements as well. Servers which are not maintaining adequate log files will be isolated from the network.
- File sharing and printer sharing at the workstation level is not permitted. File sharing and printer sharing must be done via the network servers to reduce security risks. If students residing in a residence hall wish to share a printer directly, they should contact the Department of Information Services to request an exception to the rule. When a workstation operating with direct sharing of files or printers is detected, it will be isolated from the network until the sharing option is discontinued.
- The Department of Information Services will establish and implement, with the approval of the ITPC, standards for network passwords. Passwords must be adequately complex to prevent “hacking”, and must be changed at least annually. The Department of Information Services will establish a secure, user-friendly process to ensure the regular modification of passwords.
C. User-level Security Measures
- When users leave their workstations, they should log off the network or secure their workstations to prevent unauthorized use. The Department of Information Services may implement a network tool that automatically logs off users after a certain period of inactivity. The length of this period of inactivity may be determined based upon the necessary security level of the open application. Users should also close all applications and turn off the desktop computer when they have completed computing work and are leaving for the day, unless they are participating in a project which requires that their computers be left on. Every effort should be made to reduce energy usage, including turning off monitors and other peripherals that are not needed for a project. (Note: Before an automatic log off tool is implemented, the Department of Information Services will give users the opportunity to identify machines that should be exempted from automatic log off processes.)
- Software installed by users may create security risks. Users should exercise caution in downloading software from the Internet, as the software may be contaminated with viruses or other security problems. To ensure full support from the Department of Information Services, all software to be installed must be approved by the Department of Information Services to ensure that the software is safe for use and will not conflict with other programs on the user’s machine. When users install software without proper consultation with the Department of Information Services, troubleshooting will be limited to rebuilding the base system from a standard desktop or from a ghost image. The Department of Information Services will obtain the user’s permission before rebuilding a system from a standard desktop or a ghost image.
Specific computer labs may be designated as experimental labs for the purpose of downloading experimental or test software for educational purposes. Labs designated as such will implement procedures to ensure the security of the hardware used as well as the network.
- Software must not be installed on university equipment without a valid license.
- All student workstations in university Residence Halls which are connected to the university network are required to have an up-to-date anti-virus software installed and operating at all times. The Department of Information Services may be contacted for information about anti-virus software available at no cost to students. When a student workstation without an anti-virus software installed and operating in a university Residence Hall is detected, that workstation will be isolated from the network. Student work orders initiated as a result of improper anti-virus protection may be billable to the student at a reasonable rate to be determined by the Department of Information Services.
- Faculty and staff workstations must have the university-selected anti-virus application active at all times. The automatic update option of the virus software must be activated at all times. When a faculty or staff workstation that does not have the anti-virus software active and up-to-date is detected because it has been disabled by the user, it will be isolated from the network. Work orders initiated as a result of the user disabling the ant-virus software or disabling the automatic update feature of the software may be billable to the department at a reasonable rate to be determined by the Department of Information Services.
- The University of Central Missouri has limited resources with which to maintain security and deliver services to students, faculty and staff. Unopened aged email messages occupy storage space on information technology equipment which could otherwise be used to provide more and better services to the university community. Unopened aged email messages can also pose a security risk. Therefore, the Department of Information Services, while not reading the email, will periodically use an automated process to detect unopened aged email in the accounts of all students, faculty and staff and delete any unopened messages which are over three months old.
III. Implementation Procedures
The Department of Information Services will develop and maintain implementation procedures for each item contained in the procedure above.