COMPUTER SECURITY POLICY
Topics: Introduction, Definitions, Purpose and Scope, Physical Security, Use of Computer Resources
Introduction
Academic and administrative information processing, digital telecommunication and related technology are critical academic and business tools of The Victoria College. Inappropriate exposure of confidential and/or sensitive information, loss of data, inappropriate use of computer networks, and risks of physical damage can be minimized by compliance with reasonable standards, attention to the proper design and control of information systems, and sanctions for violation of security policy. To safeguard the College's resources, and to protect the confidentiality of data, adequate security measures must be taken. This security policy attempts to establish a balance between the risk of loss of information resources, including data misuse, and the inconvenience and cost of the security measures. These security measures are designed to conform to the Texas Department of Information Resources rule 1 TAC 201.13, Information Security Standards, and take into account local, state, and federal reporting and auditing requirements, as well as provisions to eliminate, as far as feasible, the incidence of theft, fraud, destruction, or other misuses of the College's resources. These security measures are designed to supplement other College policies regarding the use of computer systems.

Computer security is the responsibility of all employees. Each supervisor is responsible for administering the provisions of this policy. In addition, it is the responsibility of the instructional departments to inform students of this policy and the importance of adhering to the policy in using College computers, networks, and information resources. Computers owned by the College shall be used only for official College business, including academic pursuits.
Definitions
CONFIDENTIAL INFORMATION is information maintained by the College that is exempt from disclosure under the provisions of the Texas Open Records Act or other state or federal law.
SENSITIVE INFORMATION is administrative information maintained by the College that requires special precautions to assure its accuracy and integrity by utilizing error checking, verification procedures and/or access control to protect it from unauthorized modification or deletion.
An APPLICATION is an automated system used by an office/department for processing confidential and/or sensitive information for administrative purposes.
THE COLLEGE COMPUTER SYSTEM is the set of computer systems and applications provided and operated centrally by Technology Services.
A DEPARTMENTAL COMPUTER SYSTEM is: (1) any computer system capable of operating independently of the college computer system and which processes confidential and/or sensitive information, or (2) any computer system which is physically connected to either the college computer network or to a computer network maintained by Technology Services.
A SHARED COMPUTER SYSTEM is one that is capable of serving more than one logged-on user at a time.
A TERMINAL is any device capable of supporting a login/logon session by receiving data from or transmitting data to a shared computer system.
A SUPERVISOR is the person in the organizational chart to whom an employee reports.
An ELECTRONIC IDENTIFIER (ID) is a unique identification assigned to each user of a computer installation or information system, used to gain access to the installation and/or system and provide accountability for all actions taken by the user.
A SECURITY ADMINISTRATOR is a person authorized to assign electronic IDs, and/or assign ownership of information in the college computer. Ownership may involve (a) a file, (b) an application (i.e., a set of programs used to accomplish a specific function), or (c) specific data items in a file.
USERS are individuals who have been authorized to gain access to computer systems and computer information.
REMOVABLE MEDIA are data storage media, such as magnetic tape, floppy disks, and CD-ROMs, that can be removed from a computer system and be easily carried from place to place.
A NETWORK is a series of points, including computers or other devices, interconnected by communication paths. Networks include interconnections with other networks, may contain subnetworks, and may carry voice, data, or other types of signals.
An INFORMATION RESOURCE is any information, not limited to information stored in electronic format, and/or the tools used to access and make use of that information (including but not limited to computer programs and applications, databases, computer systems and networks).
Purpose and Scope
- The primary purpose of this policy is to establish rules to ensure the protection of confidential and/or sensitive information stored electronically.
- This policy applies to all network services operated by the College.
- This policy assigns general responsibility and provides guidelines for security to protect the computer systems and data against misuse and/or loss.
- This policy applies to any and all users of the College's computer systems including all locations on the College's wide-area network.
- This policy applies to all aspects of security including, but not limited to, accidental or unauthorized destruction, disclosure, or modification of hardware, programs, and data.
Physical Security
Security of Computer Systems
- Technology Services will take action to provide necessary protection against natural disasters, and will provide disaster recovery plans and procedures to restore core functions.
- The College will provide an environment that provides appropriate physical access for the authorized users of the computer systems. Appropriate access may range from open access by students on networked computers to severely restricted access in offices responsible for creating, modifying, or deleting confidential and/or sensitive information.
- Technology Services will conduct and document a risk analysis of anticipated threats to physical security, and responses. This analysis will be maintained and updated as conditions change.
- Technology Services is responsible for installation and configuration of virus detection software for protection of computer systems and software. It is the responsibility of the user to make sure that the virus detection software is running and is current.
- Technology Services will provide and implement security measures to protect the information stored in the computer systems. Procedures for data backup and recovery on the servers are the responsibility of Technology Services.
Data/Data Bases
- Technology Services will provide the mechanisms to identify the owner(s) of all confidential and/or sensitive information stored on the computer system.
- Classification of information as confidential and/or sensitive is the responsibility of the owner of the data.
- Owners of confidential and/or sensitive information will identify those users authorized to access or update that information.
- Owners of confidential and/or sensitive information will conduct and document a risk analysis of anticipated threats, and responses. This analysis will be maintained and updated as conditions change.
Programs and Applications
- Technology Services will maintain a mechanism to restrict access to programs and applications which process confidential and/or sensitive information. This mechanism will be based on user electronic identifiers (IDs).
- Technology Services will maintain a mechanism that allows the owner of a program or application which processes confidential and/or sensitive information to designate the set of users who can execute or modify the program or application.
- Owners of confidential and/or sensitive information will provide associated test data for all such information. Owners of programs or applications that are used to generate, modify, or delete confidential and/or sensitive information will maintain a regular schedule of testing of programs and applications against the test data.
- The owner of confidential and/or sensitive information is responsible for monitoring access to that information and applications that update that information.
Document Retention and Audit
- Departments will inform Technology Services of each new administrative application installed on their computer systems.
Use of Computer Resources
Employee Information
- The College will inform all persons who use the computer systems provided by the College of the Computer Security Policy.
- All users will be required to sign an acknowledgment of understanding and acceptance of this and other policies, rules and laws related to the use of College computing resources.
Access Control (Login/Logon)
- Technology Services will assign a unique electronic identifier (ID) to each user of the computer system.
- Each user of an electronic ID will establish a password, known only to the user. The individual user will be responsible for the confidentiality of the password and for any breaches of security committed via access gained by the electronic ID.
- Technology Services will develop mechanisms that assure that each user of an electronic ID which provides access to confidential and/or sensitive information changes the password regularly. The procedure for changing passwords will be published by Technology Services.
- Each supervisor is responsible for revoking access for persons no longer requiring access.
- Technology Services will provide a mechanism that locks an electronic ID after multiple unsuccessful attempts to logon to the computer system.
Sanctions
- Each supervisor will take corrective action on security violations within the department and report serious violations to the Chair of the Technology Committee for review and advice.
- Employees of the College who violate the provisions of this policy may be subject to prosecution under applicable criminal or civil laws and to discipline and/or dismissal under applicable College policies.
- Students who violate the provisions of this policy may be subject to prosecution under applicable criminal or civil laws and to discipline under applicable College policies.
- Other persons who violate the provisions of this policy will be subject to prosecution under applicable criminal or civil laws, and to restriction of access to the College and/or its resources.