Policy # : 04-02
Effective: July 1, 2004
Revised: June 19, 2008
Subject: Computer and Network Security
To list the conditions under which computers and other networked devices are permitted to connect to the college networks and the requirements and responsibilities of the users and administrators of these devices.
POLICY APPLIES TO
All full and part-time Penn State employees who require access to the college networks.
Any computer, computer system or other networked device connected to college computer and network resources will be subject to and must comply with the University's Administrative Guideline ADG02 - "Computer Facility Security." In addition, these devices will be subject to and must comply with the conditions set forth in University Policy AD20 and in this policy.
In order to protect the security and integrity of computer and network resources against unauthorized or improper use, and to protect authorized users from the effects of such abuse or negligence, the college reserves the right, at its sole discretion, to limit, restrict, or terminate any account or use of computer and network resources, and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine authorized use. The college also reserves the right to inspect or check the configuration of computer and network resources for compliance with this policy, and to take such other actions as in its sole discretion it deems necessary to protect college computer and network resources.
The college shall not be liable for, and the user assumes the risk of, inadvertent loss of data or interference with files resulting from the college's efforts to maintain the privacy, integrity and security of the college's computer and network resources.
The college reserves the right to suspend network access or computer account(s) if user-maintained files, programs or services are believed to have been operating in violation of either law or policy.
The college reserves the right to install and maintain network firewalls to protect the college networks by restricting network communication that is deemed to be a security risk.
The college reserves the right to maintain log files for the purpose of diagnosing network and system problems. The log files generally do not contain personal information on users. University Policy governs the purposes under which these files can be used.
The college reserves the right to limit or prevent the operation of computer servers in any campus building or off-campus office location. The only approved location for a server is in the college's server room. If a staff member is exempted from this policy and allowed to administer their own server, we reserve the right to revoke their server administration privileges and relocate their equipment if events demonstrate that they are incapable of performing the duties of the system administrator's job (as described below under System Administrator Responsibilities) in a professional manner.
System User Responsibilities
(as defined in ADG01):
- Understanding, agreeing to and complying with all security policies governing college computer and network resources and with all federal, state and local laws, including laws applicable to the use of computer facilities, electronically encoded data and computer software.
- Safeguarding passwords and/or other sensitive access control information related to their own accounts or network access. Such information must not be transmitted to, shared with, or divulged to others. Similarly, system users must recognize the sensitivity of all other passwords and computer or network access information in any form, and must not use, copy, transmit, share or divulge such information, nor convert the same from encrypted or enciphered form to unencrypted form or legible text. Any attempt to conduct such actions by a system user is a violation of this policy.
- Ensuring accounts or computer and network access privileges are restricted to their own use only. Users must not share their accounts, nor grant accounts to others nor otherwise extend their own authorized computer and network access privileges to others.
- Respecting the physical hardware and network configuration of college-owned networks. System users must not extend the physical network on which their system resides. No use of mini-hubs, switches, wireless access points, routers, wire splitters, etc. is permitted. The use of these devices is permitted on private networks as long as those networks are not connected to college-owned networks in any way. In the case of wireless access points, the college reserves the right to request removal of wireless access points if they are causing interference with college-owned/operated wireless access points.
- Helping to ensure that the college has an accurate and up-to-date inventory of all computers and other networked devices that are connected to college networks. This involves not attaching new computers and other networked devices to existing network connections and not swapping or moving existing computers and other networked devices between network connections. Users may physically move the computers and other networked devices but must request that their computer deputy submit a service request for ISS to update its record of the device before connecting the devices to the new network connection. In the case of attaching new computers and networked devices to existing network connections, users must contact ISS before connecting the new device. ISS will inventory the device, affix an identification tag to the device for the purpose of recording the device in our network database and either configure the network settings or verify the correctness of the user-configured network settings. Violators of this policy will lose their network access.
- Ensuring that the one computer or other networked device per one network connection rule is not exceeded. No sharing of network connections or IP addresses between multiple computers or other networked devices is allowed unless approved by ISS. Exceptions may be allowed in the event that a user wishes to use a laptop temporarily on their desktop's network connection. In this case, the IP address from the desktop may be temporarily assigned to the laptop. Prior approval must be given by ISS in these cases.
- Treating non-college computer and network resources in accordance with this policy. College computer and network resources must not be used to attempt to breach the security or security policy of other sites (either willfully or negligently).
- Taking reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on their systems.
- Individuals aware of any breach of information or network security, or compromise of computer or network security safeguards, must report such situations to either ISS or the University's Security Operations and Services Director.
- Ensuring the content of files, programs or services that they operate, maintain, store or disseminate using college computer and network resources (to include personally-owned computers connected to such resources) is compliant with both law and college and university policy.
System Administrator Responsibilities
(as defined in ADG01)
Unless otherwise stated, system administrators have the same responsibilities as system users. However, because of their position, system administrators have additional responsibilities and privileges for specific systems or networks. For systems which they directly administer, system administrators are responsible for:
- Ensuring the secure configuration and operation of the computers and other networked devices that are connected to college computer and network resources. This includes the devices themselves and any services (e.g., web servers) they may have established. This includes good administration and configuration practices, installing security patches in a timely manner and running anti-virus software and updating the definition files, usually at a minimum of once a week, on such software.
- Ensuring user accounts and passwords meet minimum standards as defined in University Policy ADG02. In addition to the base level of security as required by university policy, the college requires that advanced account policy settings be utilized when available. This includes configuring the system to remember, at a minimum, the previous 4 passwords and configuring the system to set a minimum password age of 14 days or higher.
Exceptions and Exemptions
Exceptions to or exemptions from any provision of this policy must be approved by ISS. Users may request exceptions to the firewall rules by referring to College Policy 04-01. Similarly, any questions about the contents of this policy, or the applicability of this policy to a particular situation should be referred to the College's Computer Security Officer.