Breadcrumb
Network Security Regulations
University of Central Missouri Procedure
|
Procedure Name: Network Security Regulations |
Date Approved: May 1, 2003 |
|
Procedure Category: Technology |
Date Effective: May 1, 2003 |
|
Policy Authority: Board of Governors Policy 1.2.040 |
Date Last Revised: |
|
Approval Authority: University President |
Review Cycle: |
|
Responsible Member: Chief Information Officer |
|
I. Purpose
Information technology exists to support the mission and operation of the University of Central Missouri. The University of Central Missouri relies on information technology to perform daily operations vital to achieving the university’s mission. UCM ’s network must be protected and secured in a manner which strikes a balance between the functional needs of academic disciplines, functional needs of administrative units and the realistic threat of network security breaches.
II. Procedure
A. Campus-level Security Mearsures
- When the university’s network or other information technology resources come under
attack, from external or internal sources, the director of information services will
take prudent steps to secure the university’s information technology resources. This
may include immediate electronic or physical isolation of network resources, e-mail
systems, internet access, etc.
- A priority list of systems to return to normal function during/after an attack on university information technology resources will be identified as a general guideline in the Department of Information Services and posted on the web. An ad hoc committee consisting of the chairs of each of the Information Technology Policy Council (ITPC) subcommittees and the chair of the ITPC may convene whenever an attack occurs to advise the Department of Information Services. This ad hoc committee may make recommendations to modify the priority list, according to the immediate needs of the university.
B. Network-level Security Measures
- The Department of Information Services monitors the level of operating system and
security patches on university and departmental servers under its responsibility to
maintain the best possible security of network resources. All servers that are connected
to the university network but which are not under the responsibility of the Department
of Information Services must register with the Department of Information Services,
which will then communicate regularly with the operators of those servers to ensure
the best possible security. When a server that poses a security risk due to out-of-date
security patches and operating systems is detected by the Department of Information
Services, that server may be isolated from the network until the security problems
are resolved. Before a server is isolated from the network, the Department of Information
Services will attempt to contact the registered administrator of that server.
- Servers managed by the Department of Information Services maintain log files consistent
with MOREnet requirements. (See MOREnet’s web site for requirements or contact the
Department of Information Services for additional information.) Servers not under
the responsibility of the Department of Information Services are expected to maintain
log files consistent with MOREnet requirements as well. Servers which are not maintaining
adequate log files will be isolated from the network.
- File sharing and printer sharing at the workstation level is not permitted. File sharing
and printer sharing must be done via the network servers to reduce security risks.
If students residing in a residence hall wish to share a printer directly, they should
contact the Department of Information Services to request an exception to the rule.
When a workstation operating with direct sharing of files or printers is detected,
it will be isolated from the network until the sharing option is discontinued.
- The Department of Information Services will establish and implement, with the approval of the ITPC, standards for network passwords. Passwords must be adequately complex to prevent “hacking”, and must be changed at least annually. The Department of Information Services will establish a secure, user-friendly process to ensure the regular modification of passwords.
C. User-level Security Measures
- When users leave their workstations, they should log off the network or secure their
workstations to prevent unauthorized use. The Department of Information Services may
implement a network tool that automatically logs off users after a certain period
of inactivity. The length of this period of inactivity may be determined based upon
the necessary security level of the open application. Users should also close all
applications and turn off the desktop computer when they have completed computing
work and are leaving for the day, unless they are participating in a project which
requires that their computers be left on. Every effort should be made to reduce energy
usage, including turning off monitors and other peripherals that are not needed for
a project. (Note: Before an automatic log off tool is implemented, the Department
of Information Services will give users the opportunity to identify machines that
should be exempted from automatic log off processes.)
- Software installed by users may create security risks. Users should exercise caution
in downloading software from the Internet, as the software may be contaminated with
viruses or other security problems. To ensure full support from the Department of
Information Services, all software to be installed must be approved by the Department
of Information Services to ensure that the software is safe for use and will not conflict
with other programs on the user’s machine. When users install software without proper
consultation with the Department of Information Services, troubleshooting will be
limited to rebuilding the base system from a standard desktop or from a ghost image.
The Department of Information Services will obtain the user’s permission before rebuilding
a system from a standard desktop or a ghost image.
Specific computer labs may be designated as experimental labs for the purpose of downloading experimental or test software for educational purposes. Labs designated as such will implement procedures to ensure the security of the hardware used as well as the network.
- Software must not be installed on university equipment without a valid license.
- All student workstations in university Residence Halls which are connected to the
university network are required to have an up-to-date anti-virus software installed
and operating at all times. The Department of Information Services may be contacted
for information about anti-virus software available at no cost to students. When a
student workstation without an anti-virus software installed and operating in a university
Residence Hall is detected, that workstation will be isolated from the network. Student
work orders initiated as a result of improper anti-virus protection may be billable
to the student at a reasonable rate to be determined by the Department of Information
Services.
- Faculty and staff workstations must have the university-selected anti-virus application
active at all times. The automatic update option of the virus software must be activated
at all times. When a faculty or staff workstation that does not have the anti-virus
software active and up-to-date is detected because it has been disabled by the user,
it will be isolated from the network. Work orders initiated as a result of the user
disabling the ant-virus software or disabling the automatic update feature of the
software may be billable to the department at a reasonable rate to be determined by
the Department of Information Services.
- The University of Central Missouri has limited resources with which to maintain security and deliver services to students, faculty and staff. Unopened aged email messages occupy storage space on information technology equipment which could otherwise be used to provide more and better services to the university community. Unopened aged email messages can also pose a security risk. Therefore, the Department of Information Services, while not reading the email, will periodically use an automated process to detect unopened aged email in the accounts of all students, faculty and staff and delete any unopened messages which are over three months old.
