Computer & Network Security

Definition: This document establishes the computer and network security policy for the California State University San Marcos. The computer and network security policy is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and network resources, while striving to maintain the free and open access to technology which is one of the campus' core values.
Authority: By the authority of the President of Cal State San Marcos.
Scope: This policy applies to faculty, staff, students and guests of Cal State San Marcos.
Responsible Division: Academic Affairs
Approval Date: 07/29/2002
Implementation Date: 04/29/2002
Originally Implemented: 04/29/2002
Signature Page/PDF: View Signatures for Computer & Network Security Policy


Procedure

I. PURPOSE

This document establishes the computer and network security policy for the California State University San Marcos. The computer and network security policy is intended to protect the integrity of campus networks and to mitigate the risks and losses associated with security threats to campus networks and network resources, while striving to maintain the free and open access to technology which is one of the campus' core values.

Attacks and security incidents constitute a risk to the University's academic mission. The loss or corruption of data or unauthorized disclosure of information on campus computers could greatly hinder the legitimate activities of University staff, faculty and students. The University also has a legal responsibility to secure its computers and networks from misuse. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through the University. This document will provide the policy required to implement and enforce responsible network security practices.

This policy is subject to revision and will be evaluated as needed. Procedures and guidelines associated with this policy will be posted on the IITS Network Security Website.

II. GOALS

The goals of this network security policy are:
  • to establish University-wide policies to protect the University's networks and computer systems from damage related to poor security practices.
  • to establish mechanisms that will aid in the identification and prevention of security-related abuse of University networks and computer systems.
  • to provide an effective mechanism for responding to external complaints and queries about real or perceived security-related abuses of University networks and computer systems.
  • to establish mechanisms that will protect the reputation of the University and will allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet.
  • to establish mechanisms that will support the goals of other existing policies, including but not limited to:
    • Computer Equipment Access Policies;
    • Student Code of Conduct.

III. POLICY

The California State University San Marcos provides network resources to its divisions, faculties and departments in support of its Academic Mission. This policy puts in place measures to prevent or at least minimize the number of security incidents on the campus. Some of these measures may impact, or make more difficult, the free exchange of information and open connectivity that was, before the onset of the many computer viruses and hacking tools, a standard practice on campus networks.

The responsibility for the security of the University's computing and network resources rests with the system administrators who manage those resources. Instructional & Information Technology Services (IITS) will carry out these responsibilities according to this policy. In the event a network device is maintained outside of the IITS department, the person responsible for that device is required to adhere to these policies.

When a security problem (or potential security problem) is identified on a system not managed by IITS, IITS will seek the co-operation of the appropriate contacts for the systems and networks involved in order to resolve such problems, but in the absence or unavailability of such individuals IITS may need to act unilaterally to contain the problem. Such action may include temporary isolation of systems or devices from the network, and notification of the responsible system administrator when this is done.

The University Computing and Telecommunications Committee (UCTC) will review and respond to formal complaints resulting from the implementation of this policy. IITS will prepare an annual report for UCTC and, when necessary, make recommendations to UCTC regarding Computer and Network Security Policy changes.

In support of this policy, IITS will:

  • monitor network traffic in real time, as necessary and appropriate, for the detection of unauthorized activity and intrusion attempts;
  • publish security alerts, vulnerability notices and patches, and other pertinent information in an effort to prevent security problems;
  • update and maintain servers with current patches in order to avoid security problems;
  • carry out and review the results of automated network-based security scans of the systems and devices on University networks in order to detect known vulnerabilities or compromised hosts;
  • maintain password standards in order to ensure that passwords are changed regularly and are of sufficient complexity to forestall discovery by sophisticated "guessing" tools;
  • maintain mechanisms such as connection authentication, intrusion detection systems and written procedures to govern the connection and proper use of state-owned and non-state equipment (such as student laptops) when such equipment is connected to a campus network;
  • prohibit the download and installation of freeware-type executables such as screen savers, instant messaging services, etc., for those versions known to be subject to attack by viruses or other malicious activities. IITS shall provide a list of such software versions to the campus community;
  • regularly scan campus computers for software applications known to be subject to attack by viruses or other malicious activities;
  • maintain a campus firewall that will prohibit access to internal campus computers from the internet except where such access is arranged;
  • maintain an email scanner that will remove infected email files and attachments and prevent delivery of infected messages; and
  • investigate any alleged computer or network security compromises, incidents and/or problems.

IV. DEFINITIONS

Network Resources: Network resources include any networks connected to the California State University San Marcos backbone, any devices attached to these networks and any services made available over these networks. Devices and services include network servers, peripheral equipment, workstations and personal computers.

System Administrator: "System Administrator" refers to the individual who is responsible for system and network support for computing devices in a local computing group. In some instances, this may be a single person, while in others the responsibility may be shared by several individuals, some of whom may be at different organizational levels.

V. CONTACT

For information about this policy or for clarification of any of the provisions of this policy, please contact the Manager of Computer Security Administration at securityadmin@csusm.edu.