University-Wide EIT Information Technology Security Policies and Procedures


EIT Information Technology Security Policies and Procedures Revisions

This section of the document records all reviews, changes and modifications to the FAMU Information Technology Security Policies and Procedures. This is a living document which can change on a daily, weekly or monthly basis depending on law, administration, auditing, or past or present issues that require changes to security at Florida A&M University.

Section Reviewed or Changed | Description of Modifications | Date Change Occurred | Reviewed or Changed by
All Sections | Created & First Review; Second Review | 08/14// /04/2006 | Tim Pace, Robert Seniors, Daniel Andrew Sharif Morrison
All Sections | Third Review | 08/17/2006 | Other EIT Staff Members
All Titles & TOC, All Sections | Comply with Board of Trustees (BOT) utilizing the 17F.000 subsection headings; Final Review and Document Adjustments | 09/02/ /02/2006 | Robert Seniors, Tim Pace, Larry Henderson, Charles Ghini, Rufus Little
All Sections | Submitted to Audit Compliance | 09/05/2006 | Internal/External Review
All Sections | Submitted to FAMU President and Executive Committee (Board of Trustee); Final Review and Approval | 09/06/2006 | Castell Bryant, Larry Henderson
All Sections | Submitted to FAMU Board of Trustee; Final Review and Approval | 09/07/2006 |

Table of Contents

17F.010 INTRODUCTION
  PURPOSE
  SCOPE
  OBJECTIVE
  MISSION STATEMENT
  DEFINITION OF INFORMATION SECURITY
  STATEMENT FROM MANAGEMENT
17F.020 EIT ACCEPTABLE USE OF INFORMATION TECHNOLOGY RESOURCES
  UNIVERSITY DATA SECURITY AND PRIVACY
  ETHICAL USE OF COMPUTERS AND INFORMATION TECHNOLOGY RESOURCES
  PROPER USE OF INFORMATION RESOURCES, TECHNOLOGY RESOURCES AND NETWORKS
  POLICY ON ETHICAL USE OF SOFTWARE AND OTHER COMPUTING RESOURCES
17F.030 ROLES AND RESPONSIBILITIES
  ORGANIZATIONS ROLES & RESPONSIBILITIES
    Senior Vice President & Chief Information Officer (CIO)
    Information Technologies & Services Vice Presidents / Directors
    Information Security Manager (ISM)
    Department or Unit Managers and Supervisors
    Security Organization and Personnel
    Data Owners
    Information System Users (Employees, Consultants, Students)
    Information Technology Security Committee
  INFORMATION TECHNOLOGY STEERING COMMITTEE
  POLICIES AND PROCEDURES DEVELOPMENT TEAM
  USER ACCOUNTABILITY AND COMPLIANCE
  CONDITIONS OF USE FOR INFORMATION SYSTEM
  REPORTING OF SECURITY VIOLATIONS
17F.040 PERSONNEL SECURITY
  PRIOR TO EMPLOYMENT
  DURING EMPLOYMENT
  TRANSFER OR TERMINATION OF EMPLOYMENT
  INFORMATION ACCESS SECURITY
  CONFIDENTIALITY AGREEMENT FOR EMPLOYEES
17F.050 INFORMATION SYSTEM USER ACCESS AND AUTHENTICATION
  ACCESS TO COMPUTER RESOURCES
  USER LOGON IDs & USER IDENTIFICATION
  INFORMATION TECHNOLOGY PASSWORD MANAGEMENT
  INFORMATION TECHNOLOGY PASSWORD GUIDELINES
  INFORMATION TECHNOLOGY PASSWORD SYNTAX STANDARDS
  INFORMATION TECHNOLOGY "BATCH" PASSWORD GUIDELINES
  INFORMATION TECHNOLOGY SUPER PASSWORD POLICY
  RE-CERTIFICATION
17F.060 EIT INFORMATION TECHNOLOGY SYSTEMS, APPLICATIONS & DATABASES POLICY AND PROCEDURES
  EIT INFORMATION TECHNOLOGY SECURITY POLICY
  EIT INFORMATION TECHNOLOGY RESOURCES
  EIT ENVIRONMENT RESOURCES POLICIES
  EIT NETWORK POLICIES & STANDARDS
    Network Standards
    EIT Network Backbone
    6.4.3 Providing Separate Networks
    Network Services
  EIT MAINFRAME ADMINISTRATIVE SYSTEMS PROCESS (NWRDC)
  PEOPLESOFT APPLICATION
    PeopleSoft IT Resources
    PeopleSoft Best Practices
    PeopleSoft Confidentiality
  ACCESS TO DATABASE POLICIES
    Storage of Database User Names and Passwords
    Retrieval of Database User Names and Passwords
    Access to Database User Names and Passwords
  LAPTOP/PORTABLE COMPUTER SECURITY GUIDELINES
    Physical Security
    Information Security
  PERSONAL HOME COMPUTERS
17F.070 COMMUNICATIONS SECURITY
  PROTECTING HIGHLY SENSITIVE AND CRITICAL UNIVERSITY COMMUNICATIONS
  VIRTUAL PRIVATE NETWORK (VPN) POLICY
  ROUTER SECURITY POLICY
  EIT TELECOMMUNICATION ROOMS (CLOSETS)
  DIAL-UP MODEMS
  WIDE-AREA NETWORKS SECURITY
  ENCRYPTION
  ELECTRONIC COMMERCE (E-COMMERCE)
  INTERNET SECURITY
  ELECTRONIC MAIL SECURITY
    Communication Policy
    Electronic Mail Requirements and the Public Records Act
    Legal Custodian of an E-mail Message
    Types of Messages
    Procedures for Compliance with the Records Retention Requirement of the Public Record Law
  ANTI-SPAM POLICY
  REMOTE ACCESS SECURITY
  VIRUS POLICY & PREVENTION
    Additional Precautions Users Should Take
    Virus Scanners and/or Detection Program
17F.080 PHYSICAL SECURITY
  COMPUTER ROOM ACCESS/SERVER ACCESS
  COMPUTER ROOM SAFETY
  AIR CONDITIONING AND ELECTRICAL
  DATA STORAGE
17F.090 HARDWARE AND SOFTWARE SECURITY
  COMPUTING FOR FAMU APPROVED PURPOSES
  HARDWARE AND SOFTWARE ACQUISITION, INSTALLATION AND MAINTENANCE
  DESKTOP STANDARDS AND POLICY
  OTHER INFORMATION TECHNOLOGY ORDERS FROM DEPARTMENTS
  CELLULAR PHONE USE POLICY
  OWNERSHIP OF SOFTWARE POLICY
  PHYSICAL SECURITY OF UNIVERSITY'S PROPERTY
  DOWNLOADING DATA AND REQUESTERS RESPONSIBILITIES
17F.100 SYSTEM MONITORING
  10.1 SECURITY AUDIT LOGS
  LOGGING OF SECURITY VIOLATIONS
    Logging and Audit Trails Reporting
    Network Security
    Internet / Intranet
    Dial-Up Access Security
  LOGGING AND AUDIT TRAILS REQUIREMENTS
    Reconstruction of Events
    Information to be Recorded
    Tracing Transactions
    Support Information
    Retention Period
    Documentation / Audit Trail Data
  JOB RELATED DATA LOGS
    Program Related Logs
    Operating Systems File Logs
    Application System Logs
    Transaction Batch Logs
    Online Transaction Logs
    Message Related Logs
    Database Related Logs
  SATISFACTORY COMPLIANCE
  REPORTING SECURITY VIOLATIONS
  SECURITY VIOLATIONS DISCIPLINARY ACTIONS
    Enforcement
  RISK ASSESSMENTS AND ANALYSIS
    Risk Assessments & Analysis
    Effectively Safeguard Against Vulnerabilities
    Unauthorized Disclosure of Sensitive Information
    Denial of Service or Use
    Unauthorized Manipulation of Information
    Unauthorized Use
    Roles and Responsibilities within Risk Management
    Program Requirements
    Frequency
    Relationship to Effective Security Design
    Selection of Safeguards
    Request of Waiver
  RISK ANALYST PROGRAM BASIC ELEMENTS
    Threat and Vulnerability Analysis
    Exposure Analysis
    Calculation of Annual Loss Expectancy
    Countermeasure Evaluation and Selection
    Cost/Benefit Analysis
    Selection of a Countermeasure
    Management Decision
    Control Implementation
    Effectiveness Review
17F.110 THIRD-PARTY AND OUTSOURCING SERVICES
  SERVICE CONTRACTS
  OUTSIDE CONTRACTORS AND NON-DISCLOSURE AGREEMENTS
  SERVICE AGREEMENTS
  APPLICATION SERVICE PROVIDERS (ASP) POLICY
    Outsourced must be Evaluated
    Requirements of the Application Service Provider
  11.5 VENDOR SELECTION
  CONSULTANTS AND CONTRACTORS
17F.120 INFORMATION CLASSIFICATION POLICY
  INFORMATION CLASSIFICATION RESPONSIBILITIES
  CATEGORIES OF INFORMATION
  SENSITIVITY / CRITICALITY OF DATA AND INFORMATION
  HANDLING AND CONTROLS OF DATA AND INFORMATION
    Disposing of Computer Generated Documents Containing Confidential Information
  COMPUTER DISPOSAL POLICY AND GUIDELINES
    Security Processing for University Redistribution or Salvage
  SECURITY PROCESSING FOR MAGNETIC TAPE AND MEMORY DEVICES
  DATA ELIMINATION GUIDELINES
  SOFTWARE SCRUBBING
  DISSEMINATION OF FAMU DATA AND INFORMATION
  CLASSIFICATION OF APPLICATIONS AND PLATFORMS
17F.130 BACKUP AND STORAGE POLICY
  TARGET ENVIRONMENT
  POLICIES AND PROCEDURES
  END-USER DATA (INFORMATION CLASSIFICATION LEVEL 0)
  NORMAL DATA (INFORMATION CLASSIFICATION LEVEL 1)
  CRITICAL DATA (INFORMATION CLASSIFICATION LEVEL 2)
  ESSENTIAL DATA (INFORMATION CLASSIFICATION LEVEL 3)
  OFFSITE STORAGE AND BACKUP RESTORES
17F.140 COMPUTER LAWS
  THE PRIVACY PROTECTION ACT OF
  THE COMPUTER FRAUD AND ABUSE ACT
  THE COMPUTER VIRUS ERADICATION ACT OF
  THE ELECTRONIC COMMUNICATION PRIVACY ACT
  CDA COMMUNICATION DECENCY ACT
  WEB COPYRIGHT LAW
  COPA CHILD ONLINE PROTECTION ACT
  DIGITAL MILLENNIUM COPYRIGHT ACT OCT 28,
17F.150 SECURITY AWARENESS CREDENTIALING
  OBJECTIVES
  AUDIENCE CATEGORIES
    INFORMATION SECURITY ORGANIZATION AND SYSTEM ADMINISTRATORS
    INFORMATION SYSTEM USERS
  CREDENTIALING LEVELS
  CREDENTIALING TOPICS
    Information Security Basics
    What is Information Security?
    How are you involved with Information Security?
    Threats and Vulnerabilities of Information Systems
  SECURITY AWARENESS PRACTICES
  INFORMATION SECURITY POLICIES, STANDARDS, PROCEDURES AND GUIDELINES
17F.160 BUSINESS CONTINUITY PLANNING (Secondary Doc TBA)
17F.170 DISASTER RECOVERY DOCUMENT (Secondary Doc TBA)
17F.180 FORMS AND PROCEDURES (TBA)
17F.190 GLOSSARY OF TERMS

17F.010 INTRODUCTION

1.1 PURPOSE

Information is a valuable university asset. The purpose of the Information Security Policies and Procedures is to establish responsibilities and minimum requirements for the protection of Florida A&M University information assets, computer systems and facilities. These policies were created in order to prevent misuse and loss of assets, establish the basis for audits and self-certifications, and preserve management's perspectives and legal remedies in the event of information asset loss or misuse. The cost of these safeguards must be appropriate to the value of the assets so protected.

1.2 SCOPE

This document conveys mid-level policies, standards, and procedures. It is intended to be the basis for the development of specific procedures and guidelines which encompass particular information security for system platforms and applications.

This document applies to the integrity, confidentiality and availability of information obtained, created or maintained by Florida A&M University employees. For the purpose of this document, information shall include data or unprocessed information which may become information when processed by computer applications. The definition of information includes paper documents and all computer-related processing activities involving mainframes, micro and mini computers.

The Information Technology Security Policies and Procedures shall apply to all Florida A&M University employees, contractors and consultants acting as authorized agents of Florida A&M University in all locations. They shall also apply as appropriate to employees and agents of other corporations or organizations who may be directly or indirectly granted access to information associated with Florida A&M University business operations.

The following definitions will apply when used in this manual:

Policy: A policy is a broad statement of principle that presents management's position for each defined control area. Policies are interpreted and supported by standards, guidelines and procedures. Policies are intended to be long-term and guide the development of rules to address specific situations.

Standard: A standard is a rule that specifies a particular course of action or response to a given situation. Standards are mandatory directives to carry out management's policies and are used to measure compliance with policies.

Guideline: A guideline is a statement that recommends or suggests conduct in a specific situation. Guidelines are essentially recommendations to consider when assessing the particular level of security needed for each information system. They are to be followed unless there is a documented and approved reason to exclude them.

Procedure: A procedure documents a plan of action for how a standard or guideline will be implemented in a given part of the organization. Procedures may be developed by division, at the local level or by specific system, under the direction of the system owner. The Florida A&M University Local Information Security Officers (Information Security Officers) are responsible for reviewing and approving procedures to ensure that they fully support the Florida A&M University Information Security Policies, Standards, Procedures, and Guidelines.

Information Systems: The computers, communications facilities, networks, data and information that may be stored, processed, retrieved or transmitted by them, including programs, specifications and procedures for their operation, use and maintenance.

Availability: The characteristic of data, information and information systems being accessible and usable on a timely basis in the required manner.

Confidentiality: The characteristic of data and information being disclosed only to authorized persons, entities and processes with a right to know at authorized times and in an authorized manner.

Integrity: The characteristic of data and information being accurate and complete, and the preservation of that accuracy and completeness.

1.3 OBJECTIVE

The objectives of the Information Security Policies and Procedures are as follows:

- To ensure that Florida A&M University information assets are protected adequately on a cost-effective basis and to a level that allows Florida A&M University to fulfill its mission and operate within acceptable levels of risk to information assets
- To provide a mandate to all individuals employed by Florida A&M University to properly handle and protect the information that they have access to, in order for Florida A&M University to be able to properly conduct its business and provide services to its staff and students
- To provide written documentation of the statutory provisions that should be adhered to by all employees and students at the university
- To establish policy for the means by which information exchanged between the university, its employees and students, and other parties will be controlled and safeguarded
- To create and implement an appropriate level of information security awareness within the university.

1.4 MISSION STATEMENT

Florida A&M University recognizes its dependency on data, information, and computer systems used to facilitate effective operation of our business in serving the needs of our customers, which include students, employees, consultants, temporary staff, vendors and agencies. We also recognize the value of the information we maintain and provide to our students, employees, agencies and others. It is, therefore, essential that this data and information, and the manual and technical infrastructure that supports it, are secure from destruction, corruption, unauthorized access and breach of confidentiality, whether accidental or deliberate.

1.5 DEFINITION OF INFORMATION SECURITY

Florida A&M University holds and manages information which by its nature is proprietary to the successful operation of the university and therefore represents valuable assets of the university which need to be protected. Additionally, others share information with Florida A&M University which is of a confidential nature, and for which there may be a legal obligation to maintain that confidentiality. The Information Security Policies and Procedures provide a basis for how Florida A&M University will establish controls and manage this information, and for the responsibilities of individuals handling that information. The policy defines a set of standards, procedures and controls to be used as common practice within Florida A&M University to protect university information from unauthorized access, disclosure, accidental or deliberate modification, and loss of availability or use.

1.6 STATEMENT FROM MANAGEMENT

The letter attached below was written by Larry W. Henderson, Vice President of Enterprise Information Technology / CIO, to the Florida A&M University Campus Community. It addresses all individuals who utilize information technology on the FAMU campus, from employees to students, and gives full notice of the creation of written security policies, procedures, standards and guidelines to be utilized by all FAMU College students, employees and consultants who utilize Enterprise Information Technology (EIT) resources.

Florida Agricultural and Mechanical University
Tallahassee, Florida

TO: The Florida A&M University Campus Community
FROM: Larry W. Henderson, Vice President, Enterprise Information Technology/CIO
SUBJECT: Information Technology Policies and Procedures
DATE: July 17, 2006

The Florida A&M University Enterprise Information Division has developed written guidelines regarding the Security Policies and Procedures in support of Information Technology related services and practices. The purpose of the policies and procedures is to serve as oversight and governance for the handling of issues, policies and guidelines that have an impact on, relate to, or are part of the University Computing Technology Environment and Infrastructure.

The EIT Division manages the University's computer networks and accessibility to the Internet and Web services; our FAMU Student Information System; Video and Web Conferencing; and Telephony Services. The Enterprise Information Technology Division is responsible for the acquisition, installation, configuration, maintenance, management and administration of all data, networking and infrastructure components serving the FAMU campuses and remote FAMU users. Consequently, all network additions and modifications of any type, including minor renovations, must receive written approval from the EIT Network Director.

The Enterprise Information Technology (EIT) Division's mission is to provide effective, efficient and reliable access to emerging technology resources for students, faculty, and staff in the quest for knowledge, applying the power of such technology to unite people and content anytime, anyplace.

The security and integrity of the University's computer systems, campus networks, and telephone services is our collective responsibility. As we increasingly rely on electronic means of communication and electronic access to important data and information, we must ensure their reliability and protect our environment against ever more sophisticated security threats.

The Information Technology related Policies and Procedures are developed by the EIT staff based on their functional area of responsibility within the Division. Once the draft documents are developed, the University's Enterprise Information Security Committee reviews, edits, and recommends the policies and procedures for the review and approval of the Enterprise Information Technology Steering Committee. Once the policies are approved by the EIT Steering Committee, the policies are submitted to the Board of Trustees for adoption and University-wide dissemination.

The establishment of the EIT related policies and procedures affords the University the opportunity to maintain the highest level of awareness, guidance, compliance and governance for use of FAMU technology resources and services.

17F.020 EIT Acceptable Use of Information Technology Resources

2.1 University Data Security and Privacy

This policy establishes data security standards and practices for the protection of University administrative, financial and student data from unauthorized disclosure. Protecting the security of university information and information systems is the responsibility of every member of the university community. Each faculty member, staff member, and student is responsible for knowing and complying with published Information Technology (IT) policies and procedures. Such policies and procedures include the Ethical Use of Computers and IT Resources, Proper Use of Information Resources, Technology Resources and Networks, and the Information Security Policy. In addition, individuals are required to know and comply with additional security practices established by colleges, departments or other units. Failure to comply with these policies and practices may result in loss of computing privileges and/or disciplinary action.

Florida A&M University provides access to information systems within the University that contain data necessary to conduct the business of the institution. These data are institutional resources and must be protected from unauthorized modification, destruction, or disclosure, whether accidental or intentional. The Information Technology Division is responsible for the development of policies regarding the security of collecting, accessing, maintaining, using, or disseminating University data.

It is the responsibility of all levels of management to ensure that all University administrative data users within their area of accountability are aware of their responsibilities as established by this policy, and for guaranteeing a secure office environment and computer equipment with regard to University data.

- Adhering to applicable federal and state laws and University policies and procedures concerning storage, retention, usage, release, transportation, and destruction of data
- Adhering to administrative University data security and access standards as described in University to fulfill the performance of their job functions and responsibility
- Exercising due care to protect University computing equipment that stores data from unauthorized use, disclosure, alteration, or destruction
- Data custodians and users are responsible for all transactions occurring during the use of their User ID and/or password when accessing computing equipment
- A workstation that is logged into the network must not be left unattended
- The sharing of passwords and/or use of a computer account that is used to access data is prohibited.

Any violations of this policy will result in the appropriate disciplinary action, which may include loss of computing privileges, suspension, termination, or expulsion from the University, and legal action. In addition, any violations of any federal, state, or local law concerning the unauthorized access or use of University computers and computing services will result in the appropriate disciplinary action up to, and including, termination from the University.

2.2 Ethical Use of Computers and Information Technology Resources

A focus on the issues related to ethics in the use of computing resources, especially software, has existed within the FAMU community for several years. In addition, there has been intense national interest and concern, stimulated in part by legal cases involving unauthorized use of copyrighted materials, both hardware and software, by large corporations competing in the marketing of information technology in higher education. The concern for ethical use of computing resources remains very high. Much of the focus on ethical use of computing by colleges and universities results from the self-assumed trusteeship for standards of intellectual honesty, and the vanguard role these institutions have chosen to play in the protection of the privacy of faculty, students, and alumni.

Computer software is essential to the effective operation of many programs and services of the University. Such software is intellectual property, and the copyright and terms of license for use of this type of property must be strictly adhered to by all university employees as they engage in work for the University. Students are often required to utilize software licensed to the University as well as other computing resources. Many uses of university software by students are of a voluntary nature, i.e., use by students to enhance the learning experience. During any use of software and other computing resources of the University, students are required to adhere to the conditions specified in the licensing agreement by which the University has acquired use of the computer software or other computing resource.

To guide students and employees in their use of software licensed to the University (or otherwise brought into the programs and operations of the institution), a Florida A&M University policy statement on the ethical use of software and other computing resources has been developed and adopted. It is set forth below.

2.3 Proper Use of Information Resources, Technology Resources and Networks

It is the policy of Florida A&M University to maintain access for its faculty, staff and students to local, national and international sources of information and to provide a framework environment that encourages access to knowledge and information. It is the policy of the University that information resources will be used by members of the University with respect for the public trust through which they have been provided and in accordance with policy and regulations established from time to time by the University and its operating units.

As a member of the University, you may not assume another person's identity or role through deception or without proper authorization. You may not communicate or act under the guise, name, identification, address, signature, or indicia of another person without proper authorization, nor may you communicate under the rubric of an organization, entity, or unit that you do not have the authority to represent.

Access to the information resource infrastructure both within the University and beyond the campus, sharing of information, and security of the intellectual products all require that each and every user accept responsibility to protect the rights of the University. Any member of the University who, without authorization, accesses, uses, destroys, alters, dismantles or disfigures the University information technologies, properties or facilities, including those owned by third parties, thereby threatens the atmosphere of increased access and sharing of information, threatens the security within which members of the community may create intellectual products and maintain records, and, in light of the University's policy in this area, has engaged in unethical and unacceptable conduct.

Access to the networks and to the information technology environment at Florida A&M University is a privilege and must be treated as such by all users of these systems. To ensure the existence of this information resource environment, members of the University will take actions, in concert with State of Florida and Federal agencies and other interested parties, to identify and to set up technical and procedural mechanisms to make the information technology environment at Florida A&M University and its internal and external networks resistant to disruption.

University Regulations and Guidelines

This policy is applicable to any member of the University, whether at the University or elsewhere, and refers to all information resources whether individually controlled or shared, stand-alone or networked. Individual units within the University may define conditions of use for facilities under their control. These statements must be consistent with this overall policy but may provide additional detail, guidelines and/or restrictions. Where such conditions of use exist, the enforcement mechanisms defined therein shall apply.

The University characterizes as unethical and unacceptable, and just cause for taking disciplinary action up to and including non-reappointment, discharge, dismissal, and/or legal action, any activity through which an individual:

- Violates such matters as University or third party copyright or patent protection and authorizations, as well as license agreements and other contracts;
- Interferes with the intended use of the information resources;
- Seeks to gain or gains unauthorized access to information resources;
- Without authorization, destroys, alters, dismantles, disfigures, prevents rightful access to or otherwise interferes with the integrity of computer-based information and/or information resources;
- Without authorization, invades the privacy of individuals or entities that are creators, authors, users, or subjects of the information resources.

2.3.2 Downloading and Viewing of Obscene Materials

Viewing and/or printing obscene material in University offices, public labs or on University equipment is specifically prohibited unless being conducted for official university business. Using a computer, computer system, computer network, or any other University property for the creation, design, manufacture, preparation, display, or distribution of any written or graphic obscene material is prohibited. Unauthorized or fraudulent use of any University Information Technology Resources can result in a felony prosecution as provided for in Florida Statutes, Chapter 775 of the Florida Criminal Code.

2.4 Policy on Ethical Use of Software and Other Computing Resources

Computing resources at Florida A&M University are allocated for the use of students, faculty, and employees in the instruction and research programs at the institution, and in performing the duties and responsibilities of employment so as to effectively support the operations of the University. Other use of computing resources shall occur only upon appropriate authorization by the VP of Information Technology or designee. The University does not condone unauthorized use of any of its computing resources, inclusive of: use for personal profit; attempts to gain access to files for which permission to enter has not been granted; copying of proprietary software without licensed approval; attempts to impair performance of computing resources; and use for purposes of harassment.

As an institution of higher learning, the University is especially cognizant of its responsibility as a trustee for integrity and honesty in academic discourse. Given a mission to foster intellectual activity and scholarship, coupled with an awareness of the ease with which electronic works can be reproduced, the University has a particular responsibility to convey that it does not condone the duplication or distribution of software in violation of copyright or license agreement. The University reserves the right to sanction its students, employees, and others to whom it may have granted access to computing resources, for such violations.

Florida A&M University recognizes that respect for creativity, intellectual labor, and discovery arising from scholarly undertaking is fundamental to its mission. The University further recognizes that only through strongly adhering to principles of academic honesty will it achieve the goals it has set for excellence in higher education. Careful consideration has been given to issues that involve ethics in computing and ethics in the utilization of computing resources. Therefore, employees and students are expressly advised that the above policy gives the university great latitude in the sanctions it can impose on employees and students. Such sanctions can range from warning or reprimand to termination in the case of violations by employees. Violations of the policy by students can result in a broad range of sanctions, including denial of access to computer resources or expulsion from the University.

The above University statement was developed for consideration as University policy by a subcommittee of the University administrative users group. The statement was reviewed by the appropriate campus groups and adopted as a policy statement by the University. The formally adopted form of the above policy statement has been disseminated broadly on campus. In addition, the student handbook, faculty manual, and other pertinent documents will carry the policy statement. Other more specific notices will appear in the computing newsletter and in the student newspaper.

Violations of Computer Ethics

Descriptions of acts that violate the FAMU ethics in computing policy are regularly and broadly distributed to students and employees. The following list identifies only some of the acts that are a clear violation of the policy. Students, faculty and staff are encouraged to avoid the following:

- Copying of software in violation of the terms of the license held by the University;
- Installation of software on university owned computers in violation of the license held on the software;
- Unauthorized access to files on university computers;
- Destruction of university computing resources (this includes hardware and software);
- Use of university computing resources to harass employees or students;
- Use of university computing resources to commit any computer crime;
- Unauthorized use of university computers and software;
- Unauthorized relocation of computer software or computer hardware; and
- The intentional use or operation of computing resources in a way that will impair the performance of a university computing resource, inclusive of computer networks.

The university will further develop and strengthen policies and procedures to assure an environment of ethical practices, implemented through adequate dissemination of those rules, regulations and procedures.

17F.030 Roles and Responsibilities

This section identifies the various roles and responsibilities within Florida A&M University related to the protection of information system resources.

3.1 Organizations Roles & Responsibilities

3.1.1 Senior Vice President & Chief Information Officer (CIO)

The Senior Vice President & Chief Information Officer is responsible for all matters related to the management and control of the university's computing and telecommunication resources and will institute university-wide policies and procedures in connection with this responsibility. The Senior Vice President & Chief Information Officer is responsible for the following general functions:
- Meeting the University's information service needs through the use and development of the necessary computing and telecommunication systems, as determined by business need and enabled by technology advancements (both hardware and software)
- Maintaining a secure, reliable and economic operation of the University's computing and telecommunication system environments
- Planning, budgeting, and implementing the various computing and telecommunication system enhancements as required and determined by business need and enabled by technology advancement
- Developing, providing and enforcing the policies and procedures governing the use of the computing and telecommunication systems

3.1.2 Information Technologies & Services Vice Presidents / Directors

The Information Technologies & Services Vice Presidents and/or Directors provide primary support for computer and communications hardware and software for product determination, acquisition, installation, configuration, maintenance, upgrading and training. The primary responsibilities of the VPs of EIT include:
- Providing on-going expert technical support and advice by establishing support teams
- Maintaining a help desk to serve as a single point of contact for all computer and communications support requirements
- Providing centralized, physically and logically secure platforms for information asset storage and transport
- Designing, implementing, integrating and maintaining all computer applications
- Providing and maintaining effective information asset control facilities
- Providing an information-asset backup service
- Maintaining up-to-date equipment and software inventories
- Advising staff on information-asset security practices

3.1.3 Information Security Manager (ISM)

The Information Security Manager reports to the CIO. The ISM has primary responsibility for the oversight of the state of information security at the University and is charged with the definition of security strategy and scope. The ISM develops, recommends, and monitors Florida A&M University's Information Security Policies, Standards, Procedures, and Guidelines. Duties include:
- Directing the activities of the corporate information security function with regard to researching and evaluating security for mainframe computer systems, end user/personal computing systems, departmental computers and communications facilities
- Drafting of information security policies and procedures
- Reporting on the state of information security
- Performing oversight of the security efforts of area managers, security engineers and other security-related specialists as appropriate; ensuring adherence to operations-related security policies and procedures
- Serving as primary point of contact for auditors during formal audit processes
- Preparing formal responses and action plans pursuant to internal audits
- Identifying the individuals responsible for outsourced security engineering functions
- Reviewing operations related to security
- Performing an annual risk assessment based on CobiT 3 standards, which are included by reference and will be complied with except where superseded by University-approved procedures
- Evaluating and adjusting the University information security program in light of its annual risk assessment
- Providing Security Awareness Training for University employees and students

3.1.4 Department or Unit Managers and Supervisors

Each Florida A&M University Manager and Supervisor is responsible for security as it relates to the following items:
- Distributing information regarding the Ethical Use of Computer and IT Resources
- Identifying and protecting information assets within each assigned area of management control
- Ensuring that these assets are used for management- and University-approved purposes only
- Ensuring that all employees understand their obligation to protect these assets
- Periodically monitoring use of computers and IT resources for potential violations
- Ensuring effective use of access control facilities
- Ensuring that all employees are aware of and comply with the information security policies and procedures
- Authorizing access on a need-to-know basis for management-approved purposes
- Implementing division- and department-specific security practices and procedures which are consistent with the information security policies and procedures
- Noting variances from established security practice and initiating corrective action
- Conducting self, student and staff assessments for compliance
- Ensuring that employees who encrypt documents provide the necessary decryption keys to the appropriate people (e.g. ISM, Information Security staff team member)

Violations of this policy should be reported immediately to the Division of Information Technology, Information Security Manager. The University will make every effort to maintain confidentiality to the extent possible consistent with other obligations.

3.1.5 Security Organization and Personnel

The security organization consists of appointed individuals whose primary responsibilities are related to security and supporting the ISM, including the following tasks:
- Establish and maintain information security policies, standards, procedures, and guidelines
- Perform certification checks for user access privileges
- Administer access control software
- Perform certification checks to ensure that systems, telecommunications, servers and networks all meet security and control standards
- Provide support and knowledge to the university as it pertains to Information Security
- Identify owners of data entities to ensure maintenance of their integrity
- Assist the Information Security Manager in ensuring that compliance is met
- Monitor security and investigate security violation attempts
- Review data security of the existing data structures
- Review logs, audits and other outputs to ensure proper action is taken for any security violations against established security policies and procedures

3.1.6 Data Owners

All Florida A&M University data processed by computer systems shall have a designated owner. The owner of the data has the responsibility to:
- Ensure that users are aware of the organization's information security policies, standards, procedures, and guidelines associated with the data
- Maintain the data they own with proper backups and governance of the data
- Maintain the list of users who are granted access to their data
- Verify that systems meet user requirements
- Ensure that system users are trained, and that the specific controls for the information's use and the control requirements for the data's use are communicated
- Ensure that an annual risk assessment of each system is completed and that the data processing system has been assigned a classification sensitivity level in accordance with the levels described in this document
- Authorize users to access their data
- Ensure that business continuity plans are in place and can recover information systems on a timely basis in the event of a disaster

3.1.7 Information System Users (Employees, Consultants, Students)

Employees of Florida A&M University who have received permission from data owners to access the owner's data are considered users of information systems. All users must demonstrate a business need to access the desired information in order for access to be granted. It is the responsibility of information system users to:
- Use information systems for authorized business purposes only
- Comply with university security policies, standards and guidelines, as well as any procedures specified by the data owner
- Participate in the testing of the business continuity plans as necessary
- Prevent unauthorized disclosure of data
- Report security exposures, misuse or non-compliance situations to management
- Protect the confidentiality of their user IDs and passwords

Violations of this policy should be reported immediately to the Division of Information Technology, Information Security Manager. The University will make every effort to maintain confidentiality to the extent possible consistent with other obligations.

3.2 Information Technology Security Committee

The IT Security Committee supports the IT Security Manager and his staff in the performance of their tasks by coordinating measures which impact the entire organization, compiling information and performing supervisory tasks. The precise shape of the team will depend on the size of the organization concerned, the aspired-to level of IT security and the available resources. In extreme cases the IT Security Committee may consist of only one person, the CIO, who in this case is responsible for all the tasks in the IT security process. In order to be able to carry out its tasks effectively, the IT Security Committee members should have knowledge of IT security, technical knowledge of IT systems and experience in organization and administration. In addition, the IT Security Committee should reflect the different operational areas within the organization. Its tasks are:
3.2.1 Specifying IT security objectives and strategies and developing the Information Security Policy,
3.2.2 Reviewing implementation of the Information Security Policy,
3.2.3 Initiating, directing and monitoring the IT security process,
3.2.4 Helping to draw up the IT security concept,
3.2.5 Examining whether the IT security measures planned in the Information Security Policy function as intended and are appropriate and effective,
3.2.6 Approving the IT security measure implementation plan and making available the necessary resources,
3.2.7 Preparing the program of IT security and IT security awareness promotion training courses, and advising the IT Coordination Committee and Management on IT security issues.

The IT Security Committee should include an IT staff member, the IT Security Manager (ISM) and an IT user representative. If a similar body already exists in the organization, its tasks could be extended accordingly. However, to underline the importance of IT security it is advisable to set up an IT Security Committee and to place at its disposal the resources it needs.

3.3 Information Technology Steering Committee

The EIT Steering Committee is a group of individuals responsible for general IT operating policy, procedures, and related matters affecting the FAMU enterprise as a whole. It is the committee's responsibility to make recommendations for program initiatives and funding. The statutes also charge the Steering Committee with establishing guidelines and policies for IT operation and management, to include: databases, hardware and software, setting of standards, education, and general coordination of IT development.

3.4 Policies and Procedures Development Team

The Security Development Team provides a uniform set of information security policies, standards and general guidelines for Florida A&M University. All, unless specifically exempted, are required to abide by the policies hereby established. All users (employees, students, contractors, vendors, and other parties) are expected to understand and abide by them.
3.5 User Accountability and Compliance

All employees, contractors, students and consultants are required to become familiar with and acknowledge compliance with the security policies in this document. Security violations will result in corrective action by management. Disciplinary action will be consistent with the severity of the incident, as determined by an investigation. Disciplinary actions may include, but are not limited to:
- Loss of access privileges to data processing resources
- Dismissal of consultants
- Cancellation of contracts
- Termination or suspension of employment
- Civil and/or criminal prosecution, or other actions as deemed appropriate by management, if the security violation:
  - Exposes the company to actual or potential monetary loss through the compromise of data security or damage and loss of computer equipment
  - Involves the access and/or use of Florida A&M University information system resources for functions unrelated to business activities, unauthorized removal of data from the company (e.g., removal of tapes or diskettes), unauthorized access to programs, files and data, or any other event that would compromise the security of Florida A&M University information systems
  - Involves the disclosure of trade secrets, intellectual property, confidential information or the unauthorized use of corporate data
  - Involves the use of data for illicit purposes, which may include violation of any law, regulation or reporting requirement of any law enforcement or government body

3.6 Conditions of Use for Information System

Users may not provide their own information systems or computers. Enterprise Information Technologies and Services is responsible for hardware and software product determination and selection, including budgeting and cost/benefit analysis. EIT will team with system users to determine the appropriate information-processing system required for each user. ITS will also install, configure, maintain and upgrade all computer and communications hardware and software. Employees, temporaries and consultants who must use computer equipment to do work off site will be provided the necessary equipment to meet their needs. It is the responsibility of each system user to use information systems provided by the university for valid business use only.
Users should be aware that systems are periodically backed up and retained. In addition, Florida A&M University Management and Internal Audit reserve the right to review, audit and observe all data files stored on any university computer systems and data processing resources used to support business activity.

3.7 Reporting of Security Violations

All employees, consultants, students and temporary staff members of Florida A&M University are responsible for maintaining a familiarity with the information security policies and procedures, and are responsible for reporting any suspected security breaches or violations. Employees who suspect a security breach or violation will communicate their concerns to their direct supervisor. If this is not possible, employees must report the alleged violation to their business manager or Human Resource Department Representative. These parties must then evaluate the allegations and refer severe violations to the Information Security Officer. The Information Security Officer is responsible for establishing periodic security monitoring review schedules to detect unauthorized attempts to access university computers. The Information Security Officer will determine when the reviews will occur and who will perform them.

17F.040 Personnel Security

This section addresses how data security controls are integrated into the hiring, transfer and termination of employees. This area of data security is critical since employees are ultimately responsible for controlling the dissemination of Florida A&M University-maintained information.

4.1 Prior to Employment

The Human Resources Department shall subject all employees of Florida A&M University to pre-employment screening, which may include background investigations. In addition, the Human Resource Department will facilitate secure and confidential information handling policies when introducing new individuals to the company.
All new employees will receive a copy of the information security policies, procedures and guidelines and/or security awareness materials appropriate for their position and role within the university, and will acknowledge in writing that they understand their responsibilities as stated in the policies.

4.2 During Employment

- The University will consider an employee's chronic problems adhering to security policies and procedures during the performance evaluation process.
- Assign a liaison for each consultant who is responsible for ensuring that they comply with all University security policies and procedures.
- Provide training to employees upon changes in security policies or procedures.

4.3 Transfer or Termination of Employment

The Human Resource Department shall immediately notify the Information Security Manager upon the resignation or termination of employees, consultants, contractors and students. Upon notification of transfer or termination, the EIT Information Security Organization shall ensure that:
- The user ID access is revoked or modified immediately
- All PCs, keys, ID cards, software, data, documentation, manuals etc. are returned to the employee's direct Manager or Supervisor, or, in the case of a student, to a Departmental or Unit Manager at the University
- Upon termination of employees, consultants, temporaries or students, all materials are inspected if they are to be removed from the campus premises
- A proper procedure is established and documented for the removal of an employee, consultant, temporary or student who has been terminated for cause. Depending on the nature of the termination, the former employee, consultant, student or other person will be subject to varying levels of observation and escort from the University premises
- For situations where users with access to highly sensitive or critical information are terminated, the employee's supervisor is responsible for directly coordinating with the Information Security Manager to ensure proper removal of the user's access rights

4.4 Information Access Security

The Human Resource Department shall be responsible for initiating access requests for new or transferred employees, consultants or vendors. The employee's manager must report changes in employee status immediately to the Human Resource Department. For situations where users with access to highly sensitive information are terminated, the employee's manager is responsible for directly coordinating with the Information Security Officer and Human Resource Department to remove the user's logical and physical access rights.

4.5 Confidentiality Agreement for Employees

For situations where users with access to highly sensitive information are terminated, the employee's manager is responsible for directly coordinating with the Information Security Officer and Human Resource Department to remove the user's logical and physical access rights.

Florida A&M University PSII Information Service & System Confidentiality Agreement for Consultant/Vendor/Employee

I understand that FAMU student, employee, employer, and financial information from any source and in any form is confidential and is available to me solely for the performance of my official duties as a Florida A&M University employee. I shall protect the privacy and confidentiality of student, employee, and financial information to which I have access and shall use it solely for the performance of my official duties. I agree not to access student, employee, or financial information unless such access is required for the performance of my official duties.

FURTHERMORE:
- I agree that I will be a responsible user of data. Data I obtain from this system will be stored under secure conditions.
- I will make every reasonable effort to maintain the privacy of the data.
- I will make every reasonable effort to interpret the data accurately and in a professional manner.
- Prior to sharing data with others, electronically or otherwise, I will ensure that the recipient is authorized, has a need to access the data and understands their responsibilities as a user.
- I will sign off the system when not using it, or enable the system to have a screen saver with password.
- I will not disclose my password to other individuals. I will not use another person's password.
- If I have reason to believe that my password, or that of another individual, has been compromised or is being used by a person other than the individual to whom it was issued, I will immediately report that information to the FAMU EIT Security Manager.
- I will safeguard all of the University's confidential and sensitive information at all times, such as reports, spreadsheets and documents, in the University's prescribed manner according to written security policies and procedures.
- I am responsible for protecting the security of the records and the confidentiality of the information to which I have access.

Specifically:
- I will not use the information I have access to in an unauthorized manner.
- I will neither knowingly include nor cause to be included a false or misleading entry in any record.
- I will not change or delete any entry in any record unless it is done in accordance with University policies and procedures.
- I will not copy, reproduce, electronically print, or forward any record, except in the performance of my defined duties and in accordance with University policies and procedures.
- I will not divulge, in any way, knowledge of any confidential information that I have learned.
- I will dispose of confidential reports in an appropriate manner when done with them.

Note: At the end of the consultant/vendor contract, access and password will expire by date, unless otherwise agreed.

My signature indicates that I have read, understand, and agree to abide by the terms and conditions of this agreement.

Consultant/Vendor Name (Please Print)
Consultant/Vendor Signature
Date
Company (Please Print)


More information

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO

PROCEDURE POLICY DEFINITIONS AD DATA GOVERNANCE PROCEDURE. Administration (AD) APPROVED: President and CEO Section: Subject: Administration (AD) Data Governance AD.3.3.1 DATA GOVERNANCE PROCEDURE Legislation: Alberta Evidence Act (RSA 2000 ca-18); Copyright Act, R.S.C., 1985, c.c-42; Electronic Transactions

More information

01.0 Policy Responsibilities and Oversight

01.0 Policy Responsibilities and Oversight Number 1.0 Policy Owner Information Security and Technology Policy Policy Responsibility & Oversight Effective 01/01/2014 Last Revision 12/30/2013 Department of Innovation and Technology 1. Policy Responsibilities

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable

More information

Information Security for Mail Processing/Mail Handling Equipment

Information Security for Mail Processing/Mail Handling Equipment Information Security for Mail Processing/Mail Handling Equipment Handbook AS-805-G March 2004 Transmittal Letter Explanation Increasing security across all forms of technology is an integral part of the

More information

Cleveland State University General Policy for University Information and Technology Resources

Cleveland State University General Policy for University Information and Technology Resources Cleveland State University General Policy for University Information and Technology Resources 08/13/2007 1 Introduction As an institution of higher learning, Cleveland State University both uses information

More information

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security HISPOL 003.0 The United States House of Representatives Internet/ Intranet Security Policy CATEGORY: Telecommunications Security ISSUE DATE: February 4, 1998 REVISION DATE: August 23, 2000 The United States

More information

Southern Adventist University Information Security Policy. Version 1 Revised Apr

Southern Adventist University Information Security Policy. Version 1 Revised Apr Southern Adventist University Information Security Policy Version 1 Revised Apr 27 2015 Summary The purpose of this policy statement is to establish the requirements necessary to prevent or minimize accidental

More information

Acceptable Use Policy (AUP)

Acceptable Use Policy (AUP) Acceptable Use Policy (AUP) Questions regarding this policy and complaints of violations of this policy by PLAINS INTERNET users can be directed to support@plainsinternet.com. Introduction Plains Internet

More information

I. PURPOSE III. PROCEDURE

I. PURPOSE III. PROCEDURE A.R. Number: 2.11 Effective Date: 2/1/2009 Page: 1 of 5 I. PURPOSE This policy outlines the procedures that third party organizations must follow when connecting to the City of Richmond (COR) networks

More information

REGULATION BOARD OF EDUCATION FRANKLIN BOROUGH

REGULATION BOARD OF EDUCATION FRANKLIN BOROUGH R 3321/Page 1 of 6 The school district provides computer equipment, computer services, and Internet access to its pupils and staff for educational purposes only. The purpose of providing technology resources

More information

ADIENT VENDOR SECURITY STANDARD

ADIENT VENDOR SECURITY STANDARD Contents 1. Scope and General Considerations... 1 2. Definitions... 1 3. Governance... 2 3.1 Personnel... 2 3.2 Sub-Contractors... 2 3.3. Development of Applications... 2 4. Technical and Organizational

More information

The Common Controls Framework BY ADOBE

The Common Controls Framework BY ADOBE The Controls Framework BY ADOBE The following table contains the baseline security subset of control activities (derived from the Controls Framework by Adobe) that apply to Adobe s enterprise offerings.

More information

Red Flags/Identity Theft Prevention Policy: Purpose

Red Flags/Identity Theft Prevention Policy: Purpose Red Flags/Identity Theft Prevention Policy: 200.3 Purpose Employees and students depend on Morehouse College ( Morehouse ) to properly protect their personal non-public information, which is gathered and

More information

Information Security Policy

Information Security Policy Information Security Policy Author: Responsible Lead Executive Director: Endorsing Body: Governance or Assurance Committee Alan Ashforth Colin Sloey Implementation Date: September 2010 Version Number:

More information

13. Acceptable Use Policy

13. Acceptable Use Policy 13. Acceptable Use Policy Purpose Indian River State College s intention for publishing an Acceptable Use Policy is to outline the acceptable use of computer equipment and services at Indian River State

More information

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager. London School of Economics & Political Science IT Services Policy Remote Access Policy Jethro Perkins Information Security Manager Summary This document outlines the controls from ISO27002 that relate

More information

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes

Document Title: Electronic Data Protection and Encryption Policy. Revision Date Authors Description of Changes Effective Date: 01/01/2014 Page 1 of 7 REVISION HISTORY Revision No. Revision Date Authors Description of Changes 1.0 11/04/2013 CISO Populate Into Standard Template APPROVED BY This Policy is established

More information

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES ACCESS MANAGEMENT Policy UT Health San Antonio shall adopt access management processes to ensure that access to Information Resources is restricted to authorized users with minimal access rights necessary

More information

Cellular Site Simulator Usage and Privacy

Cellular Site Simulator Usage and Privacy Policy 609 Cellular Site Simulator Usage and Privacy 609.1 PURPOSE AND SCOPE The purpose of this policy is to set guidelines and requirements pertaining to cellular site simulator technology usage and

More information

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud Introduction The Criminal Justice Information Security (CJIS) Policy is a publically accessible document that contains

More information

region16.net Acceptable Use Policy ( AUP )

region16.net Acceptable Use Policy ( AUP ) region16.net Acceptable Use Policy ( AUP ) Introduction By using service(s) provided by region16.net (including, but not necessarily limited to, Internet Services and videoconferencing), you agree to comply

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview The Information Technology (IT) department s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Quincy College s established

More information

HPE DATA PRIVACY AND SECURITY

HPE DATA PRIVACY AND SECURITY ARUBA, a Hewlett Packard Enterprise company, product services ( Services ) This Data Privacy and Security Agreement ("DPSA") Schedule governs the privacy and security of Personal Data by HPE in connection

More information

Records Management and Retention

Records Management and Retention Records Management and Retention Category: Governance Number: Audience: University employees and Board members Last Revised: January 29, 2017 Owner: Secretary to the Board Approved by: Board of Governors

More information

Lakeshore Technical College Official Policy

Lakeshore Technical College Official Policy Policy Title Original Adoption Date Policy Number Information Security 05/12/2015 IT-720 Responsible College Division/Department Responsible College Manager Title Information Technology Services Director

More information

DETAILED POLICY STATEMENT

DETAILED POLICY STATEMENT Applies To: HSC Responsible Office: HSC Information Security Office Revised: New 12/2010 Title: HSC-200 Security and Management of HSC IT Resources Policy POLICY STATEMENT The University of New Mexico

More information

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems.

Effective security is a team effort involving the participation and support of everyone who handles Company information and information systems. BACKED BY REFERENCE GUIDE Acceptable Use Policy GENERAL GUIDANCE NOTE: This sample policy is not legal advice or a substitute for consultation with qualified legal counsel. Laws vary from country to country.

More information

Electronic Network Acceptable Use Policy

Electronic Network Acceptable Use Policy Electronic Network Acceptable Use Policy 2016-2017 www.timothychristian.com ELECTRONIC NETWORK ACCEPTABLE USE POLICY Electronic Network This Policy is intended to serve as a guide to the scope of TCS s

More information

Number: USF System Emergency Management Responsible Office: Administrative Services

Number: USF System Emergency Management Responsible Office: Administrative Services POLICY USF System USF USFSP USFSM Number: 6-010 Title: USF System Emergency Management Responsible Office: Administrative Services Date of Origin: 2-7-12 Date Last Amended: 8-24-16 (technical) Date Last

More information

Acceptable Use Policy

Acceptable Use Policy IT and Operations Section 100 Policy # Organizational Functional Area: Policy For: Date Originated: Date Revised: Date Board Approved: Department/Individual Responsible for Maintaining Policy: IT and Operations

More information

HIPAA Compliance Checklist

HIPAA Compliance Checklist HIPAA Compliance Checklist Hospitals, clinics, and any other health care providers that manage private health information today must adhere to strict policies for ensuring that data is secure at all times.

More information

ISSP Network Security Plan

ISSP Network Security Plan ISSP-000 - Network Security Plan 1 CONTENTS 2 INTRODUCTION (Purpose and Intent)... 1 3 SCOPE... 2 4 STANDARD PROVISIONS... 2 5 STATEMENT OF PROCEDURES... 3 5.1 Network Control... 3 5.2 DHCP Services...

More information

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope

Jacksonville State University Acceptable Use Policy 1. Overview 2. Purpose 3. Scope Jacksonville State University Acceptable Use Policy 1. Overview Information Technology s (IT) intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to Jacksonville

More information

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents

POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND. October Table of Contents POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND October 2005 Table of Contents Introduction... 1 Purpose Of This Policy... 1 Responsibility... 1 General Policy... 2 Data Classification Policy...

More information

University of Pittsburgh Security Assessment Questionnaire (v1.7)

University of Pittsburgh Security Assessment Questionnaire (v1.7) Technology Help Desk 412 624-HELP [4357] technology.pitt.edu University of Pittsburgh Security Assessment Questionnaire (v1.7) Directions and Instructions for completing this assessment The answers provided

More information

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I Standards Sections Checklist Section Security Management Process 164.308(a)(1) Information Security Program Risk Analysis (R) Assigned Security Responsibility 164.308(a)(2) Information Security Program

More information

Information Technology Cyber Security Policy. Convergint Technologies, LLC

Information Technology Cyber Security Policy. Convergint Technologies, LLC Information Technology Cyber Security Policy Convergint Technologies, LLC September 2015 Convergint Technologies, LLC POLICY MANUAL Subject: CYBER SECURITY POLICY Approved: Tom Schmitt Effective Date:

More information

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to:

B. To ensure compliance with federal and state laws, rules, and regulations, including, but not limited to: Executive Policy, EP 2.215 Institutional Data Governance Page 1 of 14 Executive Policy Chapter 2, Administration Executive Policy EP 2.215, Institutional Data Governance Effective Date: xxxx 2017 Prior

More information

Corporate Information Security Policy

Corporate Information Security Policy Overview Sets out the high-level controls that the BBC will put in place to protect BBC staff, audiences and information. Audience Anyone who has access to BBC Information Systems however they are employed

More information

Acceptable Use Policy

Acceptable Use Policy Acceptable Use Policy 1. Overview ONS IT s intentions for publishing an Acceptable Use Policy are not to impose restrictions that are contrary to ONS established culture of openness, trust and integrity.

More information

EXHIBIT A. - HIPAA Security Assessment Template -

EXHIBIT A. - HIPAA Security Assessment Template - Department/Unit: Date: Person(s) Conducting Assessment: Title: 1. Administrative Safeguards: The HIPAA Security Rule defines administrative safeguards as, administrative actions, and policies and procedures,

More information

Policy and Procedure: SDM Guidance for HIPAA Business Associates

Policy and Procedure: SDM Guidance for HIPAA Business Associates Policy and Procedure: SDM Guidance for HIPAA Business (Adapted from UPMC s Guidance for Business at http://www.upmc.com/aboutupmc/supplychainmanagement/documents/guidanceforbusinessassociates.pdf) Effective:

More information

POLICY 8200 NETWORK SECURITY

POLICY 8200 NETWORK SECURITY POLICY 8200 NETWORK SECURITY Policy Category: Information Technology Area of Administrative Responsibility: Information Technology Services Board of Trustees Approval Date: April 17, 2018 Effective Date:

More information

Legal, Ethical, and Professional Issues in Information Security

Legal, Ethical, and Professional Issues in Information Security Legal, Ethical, and Professional Issues in Information Security Downloaded from http://www.utc.edu/center-information-securityassurance/course-listing/cpsc3600.php Minor Changes from Dr. Enis KARAARSLAN

More information

HIPAA Security and Privacy Policies & Procedures

HIPAA Security and Privacy Policies & Procedures Component of HIPAA Security Policy and Procedures Templates (Updated for HITECH) Total Cost: $495 Our HIPAA Security policy and procedures template suite have 71 policies and will save you at least 400

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information

Table of Contents. PCI Information Security Policy

Table of Contents. PCI Information Security Policy PCI Information Security Policy Policy Number: ECOMM-P-002 Effective Date: December, 14, 2016 Version Number: 1.0 Date Last Reviewed: December, 14, 2016 Classification: Business, Finance, and Technology

More information

Trust Services Principles and Criteria

Trust Services Principles and Criteria Trust Services Principles and Criteria Security Principle and Criteria The security principle refers to the protection of the system from unauthorized access, both logical and physical. Limiting access

More information

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy.

USER CORPORATE RULES. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. These User Corporate Rules are available to Users at any time via a link accessible in the applicable Service Privacy Policy. I. OBJECTIVE ebay s goal is to apply uniform, adequate and global data protection

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY

DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY DONE FOR YOU SAMPLE INTERNET ACCEPTABLE USE POLICY Published By: Fusion Factor Corporation 2647 Gateway Road Ste 105-303 Carlsbad, CA 92009 USA 1.0 Overview Fusion Factor s intentions for publishing an

More information

Information Security Management Criteria for Our Business Partners

Information Security Management Criteria for Our Business Partners Information Security Management Criteria for Our Business Partners Ver. 2.1 April 1, 2016 Global Procurement Company Information Security Enhancement Department Panasonic Corporation 1 Table of Contents

More information

Seven Requirements for Successfully Implementing Information Security Policies and Standards

Seven Requirements for Successfully Implementing Information Security Policies and Standards Seven Requirements for Successfully Implementing and Standards A guide for executives Stan Stahl, Ph.D., President, Citadel Information Group Kimberly A. Pease, CISSP, Vice President, Citadel Information

More information

The University of Tennessee. Information Technology Policy (ITP) Preamble

The University of Tennessee. Information Technology Policy (ITP) Preamble Preamble The policy for Use of Information Technology Resources at the University of Tennessee (UT) (Section 135, Part 01, of UT s Fiscal Policy Manual) regulates use of the University's information technology

More information

Security Policies and Procedures Principles and Practices

Security Policies and Procedures Principles and Practices Security Policies and Procedures Principles and Practices by Sari Stern Greene Chapter 3: Information Security Framework Objectives Plan the protection of the confidentiality, integrity and availability

More information

University of Liverpool

University of Liverpool University of Liverpool Information Security Policy Reference Number Title CSD-003 Information Security Policy Version Number 3.0 Document Status Document Classification Active Open Effective Date 01 October

More information

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Policy Title: Binder Association: Author: Review Date: Pomeroy Security Principles PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy Joseph Shreve September of each year or as required Purpose:...

More information

Information technology Security techniques Information security controls for the energy utility industry

Information technology Security techniques Information security controls for the energy utility industry INTERNATIONAL STANDARD ISO/IEC 27019 First edition 2017-10 Information technology Security techniques Information security controls for the energy utility industry Technologies de l'information Techniques

More information

Ohio Supercomputer Center

Ohio Supercomputer Center Ohio Supercomputer Center Security Notifications No: Effective: OSC-10 06/02/2009 Issued By: Kevin Wohlever Director of Supercomputer Operations Published By: Ohio Supercomputer Center Original Publication

More information

Security Standards for Electric Market Participants

Security Standards for Electric Market Participants Security Standards for Electric Market Participants PURPOSE Wholesale electric grid operations are highly interdependent, and a failure of one part of the generation, transmission or grid management system

More information

Privacy Policy on the Responsibilities of Third Party Service Providers

Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Policy on the Responsibilities of Third Party Service Providers Privacy Office Document ID: 2489 Version: 3.2 Owner: Chief Privacy Officer Sensitivity Level: Low Copyright Notice Copyright 2016,

More information

Information Security Incident Response Plan

Information Security Incident Response Plan Information Security Incident Response Plan Purpose It is the objective of the university to maintain secure systems and data. In order to comply with federal, state, and local law and contractual obligations,

More information

WHITE PAPER- Managed Services Security Practices

WHITE PAPER- Managed Services Security Practices WHITE PAPER- Managed Services Security Practices The information security practices outlined below provide standards expected of each staff member, consultant, or customer staff member granted access to

More information

Standard CIP Cyber Security Critical Cyber Asset Identification

Standard CIP Cyber Security Critical Cyber Asset Identification Standard CIP 002 1 Cyber Security Critical Cyber Asset Identification Standard Development Roadmap This section is maintained by the drafting team during the development of the standard and will be removed

More information