UT System Administration Policy Library -- Policy INT124
Information Resources Acceptable Use and Security Policy
Responsible Officer: Director of Technology and Information Services
Sponsoring Office: Office of Technology and Information Services
Effective Date: February 1, 2006
Last Reviewed: November 28, 2007
Next Scheduled Review: November 1, 2009
Errors or changes to: policyoffice@utsystem.edu
CONTENTS
Policy Statement
Rationale
Scope
Website Address For This Policy
Related Statutes, Policies, Requirements Or Standards
Contacts
Definitions
Responsibilities
Procedures
Forms and Tools/Online Processes
Appendix
POLICY STATEMENT
The subsections of this document comprise the UT System Administration Information Resources Acceptable Use and Security Policy. This policy is established to achieve the following:
- To establish prudent and acceptable practices regarding the use and safeguarding of Information Resources;
- To protect the privacy of individuals for whom we hold personally identifiable information including protected health information and education records;
- To educate individuals who may use Information Resources with respect to their responsibilities associated with such use;
- To ensure compliance with applicable statutes, regulations, and mandates regarding the management of Information Resources; and
- To gain a signed annual acknowledgement of this policy from every individual granted access to UT System Administration Information Resources.
NOTE: A companion document to this policy, the UT System Administration Information Resources Security Operations Manual (see Appendix), details the security practices and requirements relating to each policy topic and is incorporated by reference into this policy.
These two documents comprise the policy and procedures foundation for the UT System Administration computer security program.
RATIONALE
The assets of the University of Texas System Administration must be available and protected commensurate with their value and must be administered in conformance with federal and state law and the Board of Regents’ Rules and Regulations. Measures shall be taken to protect these assets against accidental or unauthorized access, disclosure, modification or destruction, as well as to assure the availability, integrity, utility, authenticity and confidentiality of information. As stated in Title 1 Texas Administrative Code 202.2 (1), it is the policy of the state of Texas that Information Resources residing in the various agencies of State government are strategic and vital assets belonging to the people of Texas. The formal acknowledgment of the Acceptable Use and Security Policy serves as a compliance and enforcement tool.
SCOPE
All Offices of UT System Administration.
WEBSITE ADDRESS FOR THIS POLICY
http://www.utsystem.edu/policy/policies/int124.html
RELATED STATUTES, POLICIES, REQUIREMENTS OR STANDARDS
UT System Administration Policies & Standards
Other Statutes, Policies & Standards
CONTACTS
If you have any questions about UT System Administration policy INT 124, Information Resources Acceptable Use and Security Policy, contact the following office(s):
Office Name: OTIS
Telephone Number: 512-499-4592
Email/URL: oir@utsystem.edu
DEFINITIONS
Backup:
Copy of files and applications made to avoid loss of data and facilitate recovery in the event of a system crash.
Custodian:
Guardian or caretaker; the holder of data, the agent charged with implementing the controls specified by the owner. The custodian is responsible for the processing and storage of information. The Office of Technology and Information Services (OTIS) acts as custodian of network resources at UT System Administration.
Change Management:
The process of controlling modifications to hardware, software, firmware, and documentation to ensure that Information Resources are protected against improper modification before, during, and after system implementation.
Change:
- Any implementation of new functionality
- Any interruption of service
- Any repair of existing functionality
- Any removal of existing functionality
Confidential:
The classification of data whose unauthorized disclosure or use could cause serious damage to an organization or individual.
Confidential Information:
Information maintained by state agencies and universities that is exempt from disclosure under the provisions of the Public Records Act or other applicable state and federal laws. The controlling factor for confidential information is dissemination.
Electronic mail (email):
Any message, image, form, attachment, data, or other communication sent, received, or stored within an electronic mail system.
Electronic mail system:
Any computer software application that allows electronic mail to be communicated from one computing system to another.
Email:
Abbreviation for electronic mail.
Information Resources (IR):
Any and all computer printouts, online display devices, mass storage media, and all computer-related activities involving any device capable of receiving email, browsing Web sites, or otherwise capable of receiving, storing, managing, or transmitting data including, but not limited to, mainframes, servers, personal computers, notebook computers, hand-held computers, personal digital assistant (PDA), pagers, distributed processing systems, network attached and computer controlled medical and laboratory equipment (i.e. embedded technology), telecommunication resources, network environments, telephones, fax machines, printers and service bureaus. Additionally, it is the procedures, equipment, facilities, software, and data that are designed, built, operated, and maintained to create, collect, record, process, store, retrieve, display, and transmit information.
Information Resources facilities:
Any location that houses Information Resource equipment (includes servers, hubs, switches, and routers). Facilities are usually dedicated rooms or mechanical/wiring closets in the buildings.
Integrity:
The accuracy and completeness of information and assets and the authenticity of transactions.
Internet:
A global system interconnecting computers and computer networks. The computers and networks are owned separately by a host of organizations, government agencies, companies, and colleges.
Local Area Network (LAN):
A data communications network spanning a limited geographical area, a few miles at most. It provides communication between computers and peripherals at relatively high data rates and relatively low error rates.
Office of Technology and Information Services (OTIS):
The name of the UT System Administration department responsible for computers, networking and data management.
Owner:
The manager or agent responsible for the function that is supported by the resource or the individual upon whom responsibility rests for carrying out the program that uses the resources. The owner is responsible for establishing the controls that provide the security. The owner of a collection of information is the person responsible for the business results of that system or the business use of the information. Where appropriate, ownership may be shared by managers of different departments.
Password:
A string of characters used to verify or "authenticate" a person's identity.
Portable Computing Devices:
Any easily portable device that is capable of receiving and/or transmitting data. These include, but are not limited to, notebook computers, handheld computers, PDAs (personal digital assistants), pagers, and cell phones.
Strong Passwords:
A strong password is constructed so that another User or a "hacker" program cannot easily guess it. It is typically a minimum number of positions in length and contains a combination of alphabetic, numeric, or special characters.
Scheduled Change:
Formal notification received, reviewed, and approved through the review process in advance of a change being made.
Sensitive Information:
Information maintained by state agencies that requires special precautions to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is that of integrity.
Server:
A computer program that provides services to other computer programs in the same, or another, computer. A computer running a server program is frequently referred to as a server, though it may also be running other client (and server) programs.
Trojan Horse:
Destructive programs, usually viruses or worms, that are hidden in an attractive or innocent-looking piece of software, such as a game or graphics program. Victims may receive a Trojan horse program by email or on a diskette or CD, often from another unknowing victim, or may be urged to download a file from a Web Site or bulletin board.
User:
An individual, automated application or process that is authorized by the owner to access the resource, in accordance with the owner's procedures and rules. User includes employees, faculty, contractors, and others.
Has the responsibility to (1) use the resource only for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information. The user is any person who has been authorized by the owner of the information to read, enter, or update that information. The user is the single most effective control for providing adequate security.
Vendor:
Someone outside of UT System Administration who exchanges goods or services for money.
Virus:
Virus: A program that attaches itself to an executable file or vulnerable application and delivers a payload that ranges from annoying to extremely destructive. A file virus executes when an infected file is accessed. A macro virus infects the executable code embedded in Microsoft Office programs that allows users to generate macros.
Web page:
A document on the World Wide Web. Every Web page is identified by a unique URL (Uniform Resource Locator).
Web server:
A location on the World Wide Web, accessed by typing its address (URL) into a Web browser. A Web site always includes a home page and may contain additional documents or pages.
World Wide Web:
Also referred to as the Web, a system of Internet hosts that supports documents formatted in HTML (Hypertext Markup Language), which contain links to other documents (hyperlinks) and to audio, video, and graphic images. Users can access the Web with special applications called browsers, such as Netscape Navigator and Microsoft Internet Explorer.
Worm:
A program that makes copies of itself elsewhere in a computing system. These copies may be created on the same computer or may be sent over networks to other computers. The first use of the term described a program that copied itself benignly around a network, using otherwise-unused resources on networked machines to perform distributed computation. Some worms are security threats, using networks to spread themselves against the wishes of the system owners and disrupting networks by overloading them. A worm is similar to a virus in that it makes copies of itself, but different in that it need not attach to particular files or sectors at all.
RESPONSIBILITIES
Responsibilities for security shall align with UTS165. UT System Administration designees for roles identified in that document but not specifically titled are:
- The Information Resource Manager for UT System Administration shall be the Director of the Office of Technology and Information Services.
- The Information Security Officer for UT System Administration shall be the chief security analyst in the Office of Technology and Information Services.
- The Information Security Administrators shall be the chief information technology staff member in each technology team embedded in a business unit.
Information Resource Manager
- Responsible for compliance of UT System Administration with tenets of UTS165 directing:
- Account Management
- Administration of Special Access
- Backup Recovery of Network Servers and Data
- Administration and oversight of Change Management
- Management of Sensitive Digital Data
- Network Access (Application access is the responsibility of the Data Owner)
- Network Configuration
- Server and Network Device Hardening Standards
- Software Licensing Management
- System Development and Deployment Process Management
- Vendor Access control
- Creation and maintenance of an Acceptable Use Policy Acknowledgement form for UT System Administration.
- Approval of purchases of information technology hardware, software, and systems development services; participation in the specification, design, development and deployment of technology initiatives.
- Backup of all UT System Administration servers connected to the UT System Administration network in accordance with a risk assessment as determined by the data owner, and is required to have a backup and recovery plan.
- Establishment of standards for individuals who create or manage information systems or applications, including security assessment.
- Advise and assist Department Heads in compliance with this policy.
Information Security Officer
- Responsible for compliance of UT System Administration with tenets of UTS165 directing:
- Security Monitoring
- Security Training
- Password Management
- Reduction of Use and Collection of Social Security Numbers
- Incident Management including reports to leadership, DIR and CISO
- Information Services (IS) Privacy Oversight
- Secure portable Computing and Remote Access controls and oversight
- Computer Virus Prevention Management
- Evaluate security strategy effectiveness of all security initiatives
- Conduct a security compliance program, including training and coordination of risk assessments of mission critical Information Resources
Information Security Administrator
- Implement and comply with all information technology policies and procedures relating to assigned systems
- Perform an annual information security risk assessment for mission critical Information Resources
- Report general computing and security incidents to the Information Security Officer
- Assist, as a member of the ISA Work Group, the Information Security Officer in developing, implementing and monitoring the Information Security Program
- Establish reporting guidance, metrics and timelines for Information Security Officer to monitor effectiveness of security strategies in both the centralized and decentralized operations.
- Reports at least annually to the Information Security Officer about the status and effectiveness of Information Resources security controls.
Data Owners / Department Heads
- Responsible for compliance of UT System Administration with tenets of UTS165 for resources and resource usage under their control directing:
- Classification of Sensitive Digital Data
- Electronic Mail
- Internet Use
- Risk Assessment and Management of their Information Resources
- Access control to department Information Resources
UT System Administration Employee/ Users
- Read, acknowledge and abide by the Information Resources Acceptable Use Policy Acknowledgement Form
- Do their best to safeguard the privacy and security of customer account data, protected health information, and education record data.
- Adhere to prudent and responsible internet use practices as outlined in the Information Resources Acceptable Use Policy Acknowledgement Form.
Users of administrative/special access accounts
- Must be aware of special responsibilities associated with the use of special access privileges and follow the Administrative/Special Access section of the Information Resources Security Operations Manual.
Internal auditors
- Participate in evaluating the effectiveness of security controls and in assuring their auditability during the acquisition and system development process.
- Provide high level monitoring of Information Security Compliance program through inspections and verifications of reported information and periodic audits.
UT System Administration Police Department
- Responsible for compliance with tenets of UTS165 directing:
Vendors and Contract Employees
- Comply with all applicable UT System Administration rules associated with this policy, practice standards and agreements, and will adhere to Federal and State laws to which UT System Administration must adhere.
UT System Administration
- Responsible for compliance with tenets of UTS165 directing:
- Resource Monitoring
- Disciplinary Action
- Adequate funding of security activities
- Approval of security plans and initiatives
PROCEDURES
Information Resources Acceptable and Secure Use
All individuals granted access to technology resources of UT System Administration must acknowledge the rules of use of these resources annually. Each individual is responsible for exercising good judgment regarding the reasonableness and security of their behaviors and their use of Information Resources.
As a convenience to individuals, limited incidental personal use of Information Resources is permitted. Incidental use of Information Resources must not result in direct cost to the UT System Administration or expose UT System Administration to unnecessary risks.
Disciplinary Actions
Pursuant to Title 1 Texas Administrative Code Section 202 and to ensure compliance with this Policy and state laws and regulations related to the use and security of Information Resources, UT System Administration has the authority and responsibility to monitor Information Resources. If there is a reasonable basis to believe that this policy or state laws or regulations regarding the use and security of Information Resources have been violated, the contents of User files may be accessed for purposes of investigation with the written approval of a UT System Administration executive officer.
Violation of this policy may result in disciplinary action for employees, including but not limited to termination. For contractors and consultants this may include a termination of the work engagement. For interns and volunteers, this may include dismissal. Any student who violates this policy will be referred to student judicial services at the student’s home campus. Additionally, individuals are subject to possible civil and criminal prosecution.
All Other Procedures
For all other procedures and mechanisms outlined in this policy and UTS165, consult the Information Resources Security Operations Manual referenced in the Appendix. Compliance with these procedures will be enforced as described in the Disciplinary Actions section of this policy.
FORMS AND TOOLS/ONLINE PROCESSES
Information Resources Acceptable Use Policy Agreement Form
APPENDIX
Information Resources Security Operations Manual: http://www.utsystem.edu/policy/forms/int124/infosecurityoperationsmanual.pdf