4.1.080 Acceptable Use Policy

This policy provides for a framework for the acceptable use of Information Technology resources at the University of Central Missouri.  These rules are in place to protect the University of Central Missouri, as well as all staff, students, and visitors, from risks due to inappropriate use of University information systems and technology resources.

The scope of this policy includes all University information systems and technology resources managed by the University, including third party systems used to store, process, or transmit University data. It also applies to all employees (faculty, staff, student employees), students, and other individuals (affiliates, vendors, guests, etc.) provided with credentials to utilize the University’s information system and technology resources whether accessing University information systems remotely or from on campus. 

Access –

1. Ability to make use of any information system (IS) resource.
   2. To make contact with one or more discrete functions of an online, digital service.

Antivirus Software –

1. A program specifically designed to detect many forms of malware and prevent them from infecting computers, as well as cleaning computers that have already been infected.
   2. A program that monitors a computer or network to identify all major types of malware and prevent or contain malware incidents. Users should be prevented from modifying audit information.

Authentication –

1. The corroboration that a person is the one claimed.
   2. A security measure designed to protect a communications system against acceptance of fraudulent transmission or simulation by establishing the validity of a transmission, message, originator, or a means of verifying an individual's eligibility to receive specific categories of information.
   3. Security measures designed to establish the validity of a transmission, message, or originator, or a means of verifying an individual’s authorization to receive specific categories of information.
2. Verifying the identity of a user, process, or device, often as a prerequisite to allowing access to resources in an information system.

Authorization –  

1. The right or a permission that is granted to a system entity to access a system resource.
   2. Access privileges granted to a user, program, or process or the act of granting those privileges.

Data –

1. Information in a specific representation, usually as a sequence of symbols that have meaning.
2. Distinct pieces of digital information that have been formatted in a specific way.
3. Pieces of information from which “understandable information” is derived.

Encryption –

1. The cryptographic transformation of data to produce ciphertext.
2. Cryptographic transformation of data (called “plaintext”) into a form (called “ciphertext”) that conceals the data’s original meaning to prevent it from being known or used. If the transformation is reversible, the corresponding reversal process is called “decryption,” which is a transformation that restores encrypted data to its original state.
3. The process of changing plaintext into ciphertext using a cryptographic algorithm and key.

Export Controls –

Federal laws which apply to the transfer or transmission of classified or restricted technologies and information to foreign nationals, both inside and outside of the United States, or into foreign countries as it relates to foreign policy and national security.

Firewall –

1. An inter-network connection device that restricts data communication traffic between two connected networks. A firewall may be either an application installed on a general-purpose computer or a dedicated platform (appliance), which forwards or rejects/drops packets on a network. Typically, firewalls are used to define zone borders. Firewalls generally have rules restricting which ports are open.
2. A gateway that limits access between networks in accordance with local security policy.

Flooding –

1. An attack that attempts to cause a failure in a system by providing more input than the system can process properly.
2. An attack in which an attacker sends large numbers of wireless messages at a high rate to prevent the wireless network from processing legitimate traffic.

Incident –

An occurrence that actually or potentially jeopardizes the confidentiality, integrity, or availability of an information system or the information the system processes, stores, or transmits or that constitutes a violation or imminent threat of violation of security procedures or this policy.

Information Technology –

Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information. The term information technology includes computers, phones, ancillary equipment, software, firmware and similar procedures, services (including support services), and related resources.

Internet –

The single, interconnected, worldwide system of commercial, governmental, educational, and other computer networks that share (a) the protocol suite specified by the Internet Architecture Board (IAB) and (b) the name and address spaces managed by the Internet Corporation for Assigned Names and Numbers (ICANN).

Malicious cyber activity -

Activities, other than those authorized by or in accordance with U.S. law, that seek to compromise or impair the confidentiality, integrity, or availability of computers, information or communications systems, networks, physical or virtual infrastructure controlled by computers or information systems, or information resident thereon.

Malware –

1. Hardware, firmware, or software that is intentionally included or inserted in a system for a harmful purpose.
2. Software or firmware intended to perform an unauthorized process that will have adverse impact on the confidentiality, integrity, or availability of an information system. A virus, worm, Trojan horse, or other code-based entity that infects a host. Spyware and some forms of adware are also examples of malicious code.
3. A program that is inserted into a system, usually covertly, with the intent of compromising the confidentiality, integrity, or availability of the victim’s data, applications, or operating system or of otherwise annoying or disrupting the victim.

Network –

Information system(s) implemented with a collection of interconnected components. Such components may include routers, hubs, cabling, telecommunications controllers, key distribution centers, and technical control devices.

Network Sniffing –

A passive technique that monitors network communication, decodes protocols, and examines headers and payloads for information of interest. It is both a review technique and a target identification and analysis technique.

Password –

A string of characters (letters, numbers, and other symbols) used to authenticate an identity or to verify access authorization.

Patch –

A software component that, when installed, directly modifies files or device settings related to a different software component without changing the version number or release details for the related software component.

Port Scanning –

Using a program to remotely determine which ports on a system are open (e.g., whether systems allow connections through those ports).

Security Control Assessment –

The testing and/or evaluation of the management, operational, and technical security controls in a system to determine the extent to which the controls are implemented correctly, operating as intended, and producing the desired outcome with respect to meeting the security requirements for the system.

Spoofing –

1. Faking the sending address of a transmission to gain unauthorized entry into a secure system.
2. The deliberate inducement of a user or resource to take incorrect action. Note: Impersonating, masquerading, piggybacking, and mimicking are forms of spoofing.

Trojan Horse –

A computer program that appears to have a useful function, but also has a hidden and potentially malicious function that evades security mechanisms, sometimes by exploiting legitimate authorizations of a system entity that invokes the program.

Technology Transfer –

The University’s patenting of research discoveries and then making them available through licensing to businesses or other researchers who want to build upon them.

Worm –

1.  A computer program that can run independently, can propagate a complete working version of itself onto other hosts on a network, and may consume computer resources destructively.
2. A self-replicating program that propagates itself through a network onto other computer systems without requiring a host program or any user intervention to replicate.

Virus –

1. A computer program that can copy itself and infect a computer without permission or knowledge of the user. A virus might corrupt or delete data on a computer, use e-mail programs to spread itself to other computers, or even erase everything on a hard disk.
2. A computer program containing a malicious segment that attaches itself to an application program or other executable component.
3. A program that replicates itself by attaching to other programs or files, where it hides until activated.

 

A.    Measurement

The Office of Technology will verify compliance to this policy through various methods, including but not limited to, business tool reports, internal and external audits, and feedback to the policy owner, as authorized and documented by the Associate Vice President of Technology or his/her designee.

B.     Exceptions

Any exception to this policy must be approved by the Associate Vice President for Information Systems/ CIO or appointed designee.

C.    Enforcement

Any user found to have violated this policy may be subject to discipline, including loss of network access privileges and referral to law enforcement.

Any device found in violation of this policy may be disconnected from the university network until the device is brought into compliance.

An employee found to have violated this policy and may be subject to disciplinary action, up to and including termination of employment.

A student found to have violated this policy may be subject to disciplinary sanctions, which may include suspension or expulsion from the University.