Computer & Network Security Policy
Procedure Status: Active

Definition: This document establishes the computer and network security policy
for the California State University San Marcos. The computer and network
security policy is intended to protect the integrity of campus networks
and to mitigate the risks and losses associated with security threats to
campus networks and network resources, while striving to maintain the
free and open access to technology which is one of the campus' core
values.

Scope: This policy applies to faculty, staff, students and guests of Cal
State San Marcos.

Exclusions:
Procedure Number: 44558064.1
Related Policy:
Generating Unit: Academic Affairs
Approval Date:
Implementation Date: 4/29/2002
Expiration Date:
Revised:
Procedures Superseded by this Procedure:
Procedures Superseding this Procedure:
Regulatory Authority: By the authority of the President of Cal State San Marcos
Enforcement Authority:
Procedure Location: Office of the President
Notes:

1. PURPOSE
1.1. This document establishes the computer and network security policy for
the California State University San Marcos. The computer and network security
policy is intended to protect the integrity of campus networks and to mitigate
the risks and losses associated with security threats to campus networks and
network resources, while striving to maintain the free and open access to technology
which is one of the campus' core values.
1.2. Attacks and security incidents constitute a risk to the University's academic
mission. The loss or corruption of data or unauthorized disclosure of information
on campus computers could greatly hinder the legitimate activities of University
staff, faculty and students. The University also has a legal responsibility
to secure its computers and networks from misuse. Failure to exercise due diligence
may lead to financial liability for damage done by persons accessing the network
from or through the University. This document will provide the policy required
to implement and enforce responsible network security practices.
1.3. This policy is subject to revision and will be evaluated as needed. Procedures
and guidelines associated with this policy will be posted on the IITS Network
Security Website.
2. GOALS
2.1. The goals of this network security policy are:
2.1.1. to establish University-wide policies to protect the University's networks
and computer systems from damage related to poor security practices.
2.1.2. to establish mechanisms that will aid in the identification and prevention
of security-related abuse of University networks and computer systems.
2.1.3. to provide an effective mechanism for responding to external complaints
and queries about real or perceived security-related abuses of University networks
and computer systems.
2.1.4. to establish mechanisms that will protect the reputation of the University
and will allow the University to satisfy its legal and ethical responsibilities
with regard to its networks' and computer systems' connectivity to the worldwide
Internet.
2.1.5. to establish mechanisms that will support the goals of other existing
policies, including but not limited to:
2.1.5.1.1. Computer Equipment Access Policies;
2.1.5.1.2. Student Code of Conduct.
3. POLICY
3.1. The California State University San Marcos provides network resources
to its divisions, faculties and departments in support of its Academic Mission.
This policy puts in place measures to prevent or at least minimize the number
of security incidents on the campus. Some of these measures may impact, or make
more difficult, the free exchange of information and open connectivity that
was, before the onset of the many computer viruses and hacking tools, a standard
practice on campus networks.
3.2. The responsibility for the security of the University's computing and
network resources rests with the system administrators who manage those resources.
Instructional & Information Technology Services (IITS) will carry out these
responsibilities according to this policy. In the event a network device is
maintained outside of the IITS department, the person responsible for that device
is required to adhere to these policies.
3.3. When a security problem (or potential security problem) is identified
on a system not managed by IITS, IITS will seek the co-operation of the appropriate
contacts for the systems and networks involved in order to resolve such problems,
but in the absence or unavailability of such individuals IITS may need to act
unilaterally to contain the problem. Such action may include temporary isolation
of systems or devices from the network, and notification of the responsible
system administrator when this is done.
3.4. The University Computing and Telecommunications Committee (UCTC) will
review and respond to formal complaints resulting from the implementation of
this policy. IITS will prepare an annual report for UCTC and, when necessary,
make recommendations to UCTC regarding Computer and Network Security Policy
changes.
3.5. In support of this policy, IITS will:
3.5.1. monitor network traffic in real time, as necessary and appropriate,
for the detection of unauthorized activity and intrusion attempts;
3.5.2. publish security alerts, vulnerability notices and patches, and other
pertinent information in an effort to prevent security problems;
3.5.3. update and maintain servers with current patches in order to avoid security
problems;
3.5.4. carry out and review the results of automated network-based security
scans of the systems and devices on University networks in order to detect known
vulnerabilities or compromised hosts;
3.5.5. maintain password standards in order to ensure that passwords are changed
regularly and are of sufficient complexity to forestall discovery by sophisticated
"guessing" tools;
3.5.6. maintain mechanisms such as connection authentication, intrusion detection
systems and written procedures to govern the connection and proper use of state-owned
and non-state equipment (such as student laptops) when such equipment is connected
to a campus network;
3.5.7. prohibit the download and installation of freeware-type executables
such as screen savers, instant messaging services, etc., for those versions known
to be subject to attack by viruses or other malicious activities. IITS shall
provide a list of such software versions to the campus community;
3.5.8. regularly scan campus computers for software applications known to be
subject to attack by viruses or other malicious activities;
3.5.9. maintain a campus firewall that will prohibit access to internal campus
computers from the Internet except where such access is arranged;
3.5.10. maintain an email scanner that will remove infected email files and
attachments and prevent delivery of infected messages; and
3.5.11. investigate any alleged computer or network security compromises, incidents
and/or problems.
4. DEFINITIONS
4.1. Network Resources: Network resources include any networks connected to
the California State University San Marcos backbone, any devices attached to
these networks and any services made available over these networks. Devices
and services include network servers, peripheral equipment, workstations and
personal computers.
4.2. System Administrator: "System Administrator" refers to the
individual who is responsible for system and network support for computing devices
in a local computing group. In some instances, this may be a single person,
while in others the responsibility may be shared by several individuals, some
of whom may be at different organizational levels.
5. CONTACT
5.1. For information about this policy or for clarification of any of the
provisions of this policy, please contact the Manager of Computer Security Administration
at securityadmin@csusm.edu.