SDSU Computing Security Policy

Approved by the San Diego State University Senate on November 7, 2000

http://security.sdsu.edu/policy/security-policy.html

1.0 Introduction

The mission of San Diego State University (SDSU) is to provide high-quality education for undergraduate and graduate students, and to contribute to the solution of problems through excellence and distinction in teaching, research, and service. Computers and network resources, including the World Wide Web, play an important and essential role in fulfilling the educational mission of the University. In keeping with this mission, the University endeavors to provide a safe and secure computing environment.

Computing resources (hardware, software, and data) are vital University assets. All users of SDSU computing resources need to be aware of and respect the value of these resources. By using these resources all users are part of a community responsible for ensuring that data is kept confidential, reliable, and available, and that the integrity of SDSU computing resources is not jeopardized.

San Diego State University recognizes that local, state, and federal laws relating to copyrights, security, and other statutes regarding electronic media and intellectual property bind all members of the University. It also recognizes the responsibility of faculty, management, and system administrators to take a leadership role in implementing existing policies.

To ensure that all members of the SDSU community have a clear understanding of the University's policies regarding computing resources, this document, the SDSU Computing Security Policy, was written and its guidelines implemented. It provides a framework for the implementation and enforcement of computer and network security policies at SDSU. The document assists the faculty, staff, and students in understanding the need for and the means of protecting SDSU's computing resources.

Faculty who require or recommend the use of University technology resources in their courses are encouraged to notify students in their course syllabus of this policy and its possible effect on their academic activities.

2.0 Reasons for a Security Policy

The SDSU Computing Security Policy defines the minimum standards for a common level of security that is to be implemented across all computing and network resources at SDSU. This policy may be supplemented by additional policies and guidelines created by the individual campus units. The supplemental policies will address each unit's specialized security needs with the understanding that they are consistent with the standard defined in the SDSU Computing Security Policy. It is the responsibility of the individual campus units to inform their subset of users regarding any documents specific to their processing environment.

This policy makes an effort to explain the rationale and intent of the policies contained in this document, and where appropriate, provide common examples of forbidden or unauthorized activity. Where examples are provided, they are not intended to be a complete list of authorized or unauthorized activities and are provided only to clarify the intent of the policy. This document also assumes as a condition of use the exercise of common sense, common courtesy, and a respect for the rights or property and privacy of the University and other users.

Issues concerning the "appropriate use" of computing resources, other than those dealing with security or legal issues, are not covered by the SDSU Computing Security Policy.

3.0 Scope

The SDSU Computing Security Policy applies to all SDSU computing and network resources including computers, software, data, and communication networks controlled, administered, or accessed directly or indirectly by users at SDSU. Privately owned computer systems, when attached to the campus network and/or resources, are subject to the same responsibilities and regulations as pertain to University-owned systems.

The SDSU Computing Security Policy only covers computer security and is not a substitute for other campus policies related to campus computing.

This document addresses five key principles of security and the responsibilities that each individual has:

  • Privacy of Data
  • Data Integrity
  • Service Integrity
  • Legal Issues
  • Authorized Use

4.0 Privacy Statement

The University supports each individual's right to privacy when using SDSU computing resources, and will take reasonable steps to ensure security of these resources. However, the University cannot guarantee absolute privacy of electronic communication and computing resources. Each user must recognize that risks exist with regard to the confidentiality of personal email, data, files and activity logs due to system limitations, software bugs, unauthorized activity, and potential system failures.

Data contained on SDSU computer systems is accessible to authorized personnel. These individuals are responsible for conducting normal system administration activities including diagnosing or correcting problems. Additionally, should suspicious activity become evident and at the request of the appropriate administrative authority, files may be examined by system personnel to determine if a user is acting in violation of the policies defined in the SDSU Computing Security Policy, other University policies, and state or federal statutes. Access to University computer systems and accounts is generally monitored. In addition, systems and accounts may also be more closely inspected or monitored when:

As a public institution, data on SDSU computer systems may also be made available to the public through public record laws. All requests for such data should be immediately forwarded to campus legal counsel.

5.0 Authorized Access and Use

Access to University information resources may be granted based on the following: relevant laws and contractual obligations, the requester's need to know, the information's sensitivity, and the risk of damage to or loss by the University. Access may be temporarily or permanently revoked for violation of security policy, other campus policies and CSU policies.

The University reserves the right to limit, restrict, or extend computing privileges and access to its information resources. Data owners, whether departments, auxiliary units, faculty, students, or staff, may allow individuals other than University faculty, staff, and students access to information for which they are responsible. Methods for such access should not violate any license or contractual agreement, University policy, or any federal, state, county, or local law or ordinance; nor degrade the performance of the University community. Access by non-University members is subject to approval by and at the discretion of the system administrator(s) responsible for the information resource(s) involved.

Every authorized user is responsible for the integrity of these resources. All users of computing systems must respect the rights of other computing users, respect the integrity of the physical facilities and controls, and respect all pertinent license and contractual agreements.

6.0 Responsibilities

6.1 User Responsibilities

A user is one who has authorized access to University computing resources. Everyone on or off-campus who accesses a University computing resource, through whatever authorized (or unauthorized) means, is considered a user and is bound by the user responsibilities stated in this policy.

    1. Users are ultimately responsible for the effect(s) of computing activity when using a computer.
    2. Accounts created for an individual are for the use of that individual only. Computer accounts, passwords, and other types of authorization are assigned to individual users and must not be shared with others. Users are responsible for any use of their account.
    3. Use only those computing resources for which authorization has been issued. Do not attempt to obtain system privileges to which authorization has not been granted or give unauthorized access to others.
    4. Do not violate the security policy on any computer or network facility, interfere with the authorized computer use of others, or interfere with the normal running of services on any computer system or network. This includes unauthorized modifications to software or hardware of any computer or network, propagating viruses, or excessive network traffic that interferes with the use of others.
    5. Users are responsible for the data and information that they are entrusted with and must not disclose confidential or sensitive information without authorization from the data owner. Confidential data transferred over networks should be encrypted to ensure security.
    6. Never attempt to intercept, capture, alter, or interfere in any way with the normal transmission of data on any computer or network, without prior authorization from the person or persons responsible for that resource.
    7. Observe all applicable policies of external computers or networks when using such resources.
    8. Report unauthorized use of computing resources or observed gaps in system or network security to your project director, instructor, supervisor, system administrator, or other appropriate University authority immediately upon discovery. Provide system administrators with information about computing activities when a reasonable request is made.
    9. Protect their password so that others cannot gain access to their account. Guidelines for good passwords can be found in Appendix C.

6.2 System/Network Administrator Responsibilities

A system/network administrator is a user who has special access to one or more University computing resources. This special access includes control over the function of said computing resource(s). Technically, one is a system/network administrator if one exercises direct control over the following on a computing resource:

  • hardware
  • software
  • (optionally) access level

System/network administrators are bound by all user responsibilities. In addition, they are bound by the responsibilities enumerated for system/network administrators. System/network administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks.

    1. A system administrator manages systems, networks, and servers to provide available software or hardware to users for their University computing. A system administrator, with appropriate supervision and authority from management, is responsible for the security of a system, network, or server and is responsible for enforcing this and other campus policies. Access to system administrator accounts and passwords must be limited and on a "need to know" basis.
    2. May take reasonable action as authorized by the provisions of this security policy. In addition, action may be taken based on other campus policies, management, or lawful grounds to inspect, monitor, and/or suspend access privileges determined to be necessary or appropriate in order to maintain the integrity of the computer system, network, or protection of other users.
    3. Has special access to information and other special computing privileges and will use such access only in performing official duties. Such access shall not be used to satisfy idle curiosity. Access to users' information shall be governed by relevant University policies and procedures as well as State and Federal laws.
    4. Must develop, test, maintain, and document effective computer and network security procedures and take reasonable precautions to guard against corruption of software, damage to hardware or facilities, or unauthorized access. This includes installing system patches, security software, and conducting periodic security audits as appropriate for the resource being managed. They must be aware of network topology issues that affect the security of their systems and data. Systems should be configured to run only necessary system services, which limits the potential vulnerability of the system. Appropriate backup procedures and disaster recovery plans must be developed.
    5. Shall take reasonable and appropriate steps to see that all the terms of the hardware and software license agreements are faithfully fulfilled on all systems, networks, and servers for which they are responsible.

6.3 Application Developer Responsibilities

An application developer is a user who has access to a University computing resource for the purpose of developing software for use on that system or for any other system deemed appropriate and permissible. Application Developers may be employed by the University in this capacity and/or other capacities as well. For the purposes of this security policy, an Application Developer is one who does any of the following:

  • Writing program code
  • Writing HTML, CGI or other World Wide Web-based content
  • Writing SQL code or other user interface-related tasks
  • Facilitating data transmission routines
  • Any user performing any like functions as part of the regular curriculum or their course of study

Application Developers are additionally bound by all the user responsibilities. They may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks. Application Developers shall:

    1. Ensure that applications are written in a method consistent with this and other applicable security policies.
    2. Apply data transfer methods that maintain the integrity and security of the data using encryption methods when applicable.
    3. Apply security patches and close security holes in applications when they are known.
    4. Test applications for common security risks.
    5. Document code so that others can maintain it.
    6. Document software installations so that others can perform maintenance.

6.4 Database Administrator Responsibilities

A database administrator is a user who has special access to a University-owned or used dataset. Such special access includes control over access to this data, access to the software functioning to present the data and control over said software. The database administrator is bound by all user responsibilities as well as the responsibilities enumerated for database administrators. Database administrators may also be bound by other responsibilities and definitions herein as appropriate to their designated tasks.

    1. A Database Administrator must maintain knowledge of the data within their trust and is expected to be familiar with the functions to which the data applies, the structure and functioning of the database management systems in which the data resides, and the methods available for accessing the data.
    2. A DBA, with appropriate supervision and authority from management, is responsible for the security of the database and is responsible for enforcing this and other campus policies. Access to DBA accounts and passwords must be limited and on a "need to know" basis.
    3. Working with the data owner and/or management, a DBA must define the sensitivity of the information in the database and must develop guidelines and procedures for requesting access to the database and the information in it. A DBA has special access to information contained in the database and a DBA's access to such information shall be governed by relevant University policies and procedures as well as State and Federal laws.
    4. A DBA must protect the database and the information contained in the database from unauthorized access or modification and must develop, test, maintain, and document effective database security procedures.

6.5 Management Responsibilities

A Manager/Supervisor is defined, for purposes of this document, as an individual who oversees others in the above defined areas, to wit:

  • users
  • system/network administrators
  • database administrators
  • application developers

    1. Review access of their users
    2. Ensure that users comply with security policies and procedures
    3. Monitor use to identify problems
    4. Remove access when users leave the department or University
    5. Translate policies into operational procedures
    6. Provide appropriate funding and resources to implement policies and procedures
    7. Promote security awareness and training

7.0 Implementation, Enforcement and Appeals

A system administrator, network administrator, application developer or DBA shall take action to temporarily limit access to computing resources for the purpose of maintaining integrity of the resource based on the defined security standards of that resource (system) when he or she:

    1. Observes a violation of this policy
    2. Notices an unusual degradation of service or other aberrant behavior on the system, network, or server for which he or she is responsible
    3. Receives a complaint of computing abuse or degradation of service
    4. Is alerted by system-monitoring or management software that indicates a potential security intrusion

Depending on the severity of the violation, users may be subject to any or all of the following:

    1. Temporary loss of computing and network access
    2. Permanent loss of computing and network access
    3. University disciplinary actions
    4. Civil proceedings
    5. Criminal prosecution

The system administrator shall notify the user of any such action as soon as possible and the user will have an opportunity to respond before any restrictions are made permanent. If the violation is non-serious or unintentional, common sense, reason and sensitivity should be used to resolve issues in a constructive and positive manner without escalation.

If the issue cannot be resolved informally, or if, in the opinion of the system administrator or the user, the violation warrants action beyond a system administrator's authority, the case shall be referred to other authorities, such as the University disciplinary body appropriate to the violator's status:

  • Students: Judicial Review
  • Staff: Employee's Supervisor or Human Resources
  • Faculty: Faculty Affairs
  • All: Law Enforcement when the administrator believes the law has been broken

Such appeals should be handled by the appropriate disciplinary body expeditiously, so as to minimize the disruption of crucial teaching and research tools.

In all cases where enforcement action is taken, the system administrator must keep accurate records and logs and produce them as required by campus disciplinary bodies or law enforcement officials.

8.0 Security Resources

Security Audits

NAC Security subcommittee

Security Related Web Pages

9.0 Legal and Policy Issues

All existing laws (Federal and State) as well as University regulations and policies apply, including not only those laws and regulations specific to computers and networks, but also those that may apply generally to personal conduct.

Misuse of computing, networking, or information resources may result in loss of computing privileges. Additionally, misuse can be prosecuted under applicable statutes. Users may be held accountable for their conduct under any applicable University or campus policies, procedures, or collective bargaining agreements. Complaints alleging misuse of SDSU computing resources will be directed to those responsible for taking appropriate disciplinary action.

(Briefly describe and provide links to these....)

9.1 Federal Statutes

9.2 State of California Statutes

9.4 CSU Policies

9.5 SDSU Policies

Appendix A - Definitions

Computer Account: The combination of a user number, username, or user ID and a password that allows an individual access to a computer or network.

Computing Resources: In the context of these guidelines, this phrase refers to the computers, network, software and hardware that makes electronic data or information available to users.

Data, Confidential: Data requiring high level of protection due to the risk and magnitude of loss or harm that could result from disclosure, alteration or destruction of the data. This includes information whose improper use or disclosure could adversely affect the ability of the University to accomplish its mission as well as records about individuals requiring protection.

Data, Public: Information which can be made generally available both within and beyond the University.

Data, Sensitive: Information that requires some level of protection because its unauthorized disclosure, alteration, or destruction will cause perceivable damage to the University.

Data Owner: The individual or department that can authorize accesses to information, data, or software and that is responsible for the integrity and accuracy of that information, data, or software. The data owner can be the author of the information, data, or software or can be the individual or department that has negotiated a license for the University's use of the information, data, or software.

Network: A group of computers and peripherals that share information electronically, typically connected with each other by either cable, modem, or wireless.

Normal Resource Limits: The amount of disk space, memory, printing, and so forth, allocated to your computer account by that computer's system administrator.

Appendix B - Acknowledgements

The SDSU Computing Security Policy was influenced by the following documents:

    1. "General Catalog, 1999-2000", San Diego State University
    2. "Administrative Information Systems Information and Data Security Manual", Brown University
    3. "Electronic Mail Policy", University of California, Office of the President
    4. "Computer Use Policy", University of California, Berkeley
    5. "Guidelines for Administering Appropriate Use of Campus Computing and Network Services", University of California, Berkeley
    6. "COMPUTING & COMMUNICATIONS SERVICES SECURITY GUIDE", San Francisco State University
    7. "Computing Ethics and Security", San Francisco State University
    8. "Appropriate Use Policy", Humboldt State University
    9. "Rules for Responsible Computing", Texas A&M University
    10. "Computer Security Policy", Texas A&M University
    11. "Policy on Use of Computing and Communications Technology", California State University, Chico
    12. "Information Technology Services: Appropriate Use Policy", Yale University
    13. "Information Technology Resources and Internet Access -- Guidelines for Use", Princeton University
    14. "Policy for Responsible Computing", University of Delaware
    15. "COMPUTER AND NETWORK USE POLICY", Keene State College
    16. "Why is security important for NPACI sites and users?", San Diego Supercomputer Center
    17. "Network Security at UCSD", University of California, San Diego
    18. "ACT Security Policy", University of California, San Diego
    19. EDUCAUSE web site
    20. Electronic Frontier Foundation web site

Appendix C - Good Passwords

Guidelines for choosing a good password can be found on the SDSU Security web page at: