
  • Information Technology Systems Department Policies and Procedures Manual

  • CSC ITS Department Policies and Procedures Manual

    CSC Information Technology Systems

    Overview

    This document serves as a rulebook and roadmap for successfully and properly utilizing the technology resources at Connors State College (CSC). Careful consideration should be taken to verify that one's actions fall within the authorized parameters for access, utilization, distribution, and modification of CSC's technology resources set forth within this document.

    Any misuse, misappropriation, negligence, or deliberate disobedience concerning these policies and procedures will not be tolerated. It is up to each individual employee and affiliate of CSC to familiarize him/herself with the policies and procedures set forth herein prior to signing the agreement form at the end of this document.

    It is the purpose of the CSC Information Technology Systems (ITS) Department to provide these policies and procedures in order to address potential situations and to provide steps to take during these situations. However, not all situations can ever be addressed so it is up to each individual employee and affiliate to use these policies and procedures for an example of what type of actions to take.

    The CSC ITS Department does encourage all CSC employees and associates to err on the side of caution should a difficult situation present itself that is not discussed herein. If this should occur, the employee or associate of CSC can always take advantage of the CSC ITS Department's open door policy and ask for assistance.

    Contents

    • Overview
    • Plans
      o Business Continuity Plan
      o Disaster Recovery Plan
    • Policies
      o Acceptable Use Policy (Overview, Policy)
      o Accessibility Policy (Overview, Policy)
      o Auditing Policy (Overview, Policy)
      o Backup Policy (Overview, Policy)
      o Data Retention Policy (Overview, Policy)
      o Electronic Communications Policy (Overview, Policy)
      o Emergency Notification Policy (Overview, Policy)
      o Encryption Policy (Overview, Policy)
      o Enforcement Policy (Overview, Policy)
      o Equipment Configuration Policy (Overview, Policy)
      o Guest/Visitor Access and Technology Use Policy (Overview, Policy)
      o Illegal File Sharing (Overview, Policy)
      o Information Sensitivity Policy (Overview, Policy)
      o Password Policy (Overview, Policy)
      o Physical Security Policy (Overview, Policy)
      o Personally Identifiable Information Policy (Overview, Policy)
      o Personal Technology Service Policy (Overview, Policy)
      o Remote Access Policy (Overview, Policy)
      o Student Rights and Responsibilities Policy (Overview, Policy)
      o Vendor Access Policy (Overview, Policy)
      o Wireless Communication Policy (Overview, Policy)
    • Procedures
      o Emergency Operating Procedure
      o Equipment Ordering Procedure
      o Guest/Visitor Access Procedure
      o Incident Management Procedure
      o Remote/VPN Access Procedure
      o Vendor Access Procedure
    • Terms and Definitions
    • Disclaimer
    • Forms
      o Authorization of User Access Form
      o Equipment Transfer Form
      o Incident Report Form
      o Personal Technology Service Consent Form
    • Policies and Procedures Manual Compliance
      o Policies and Procedures Agreement Form
      o Non-Disclosure Agreement Form
    • Updates

    Plans

    Business Continuity Plan

    (Please see the CSC ITS Department's dedicated BCP document.)

    Disaster Recovery Plan

    (Please see the CSC ITS Department's dedicated DRP document.)

    Policies

    Acceptable Use Policy

    Overview

    This policy establishes the acceptable usage guidelines for all CSC-owned technology resources. These resources can include, but are not limited to, the following equipment:

    • Computers
      o Desktop Computers, Mobile Devices, Servers, etc.
    • Network Equipment
      o Switches, Routers, Network and Communications Cabling, Wall Plates, Wireless Antennas, Wireless Bridge Devices, Fiber Optic Lines, Fiber Optic Equipment, VoIP Phones, etc.
    • Audio/Video Equipment
      o Video Codecs, HDTVs, Document Cameras, Projectors, Security Cameras, Miscellaneous Cabling, Digital Cameras and Camcorders, Printers, Copiers, Fax Machines, etc.
    • Software
      o Operating Systems, Application Software, etc.
    • Resources
      o Group Drive File Storage, Website File Storage, Email Accounts, Social Networking Accounts, etc.

    This policy applies to all employees, contractors, consultants, temporaries, and other workers at CSC, including any and all personnel affiliated with third parties, including vendors. This policy applies to all equipment that is owned or leased by CSC.

    Policy

    While CSC's ITS Department desires to provide a reasonable level of freedom and privacy, users should be aware that all CSC-owned equipment, network infrastructure, and software applications are the property of CSC and therefore are to be used for official use only. Also, all data residing on CSC-owned equipment is also the property of CSC and therefore should be treated as such, and protected from unauthorized access.

    The following activities provide a general roadmap to use CSC's technology resources in an acceptable manner:

    • All passwords used to access CSC systems must be kept secure and protected from unauthorized use.
    • No user account can be shared between individuals. Authorized users are responsible for the security of their own passwords and accounts.
    • Do not transfer personally identifiable information on portable equipment and storage devices.
    • Public postings by employees from a CSC email address should contain the following disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CSC, unless the posting is in the course of business duties:
      o Any views or opinions presented in this message are solely those of the author and do not necessarily represent those of Connors State College. Employees of Connors State College are expressly required not to make defamatory statements and not to infringe or authorize any infringement of copyright or any other legal right by electronic communications. Any such communication is contrary to CSC policy and outside the scope of the employment of the individual concerned. CSC will not accept any liability in respect of such communication, and the employee responsible will be personally liable for any damages or other liability arising.
    • All computers residing on the internal CSC network, whether owned by the employee or CSC, shall be continually executing approved virus-scanning software with a current, up-to-date virus database.
    • Employees must use extreme caution when opening email attachments received from unknown senders.
    • Personally identifiable information cannot be sent via electronic means and should be transferred within the internal network or through secure VPN connections.
    • Off-campus work should be completed via a secure VPN connection so that no data is transferred off-network.
    • All workstations should be kept secure. Users should lock the workstation when not attended to prevent unauthorized users from accessing secure files.

    The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).

    Under no circumstances is an employee of CSC authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing CSC-owned resources.

    The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

    The following activities are strictly prohibited, with no exceptions:

    • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by CSC.
    • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CSC or the end user does not have an active license is strictly prohibited.
    • Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
    • Introduction of malicious programs into the network or server environments (e.g., viruses, worms, Trojan horses, rootkits, etc.).
    • Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
    • Using a CSC computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
    • Making fraudulent offers of products, items, or services originating from any CSC account.
    • Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
    • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
    • Port scanning or security scanning is expressly prohibited unless prior notification to the CSC ITS Department is made.
    • Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
    • Circumventing user authentication or security of any host, network or account.
    • Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
    • Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
    • Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
    • Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
    • Unauthorized use, or forging, of email header information.
    • Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
    • Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
    • Use of unsolicited email originating from within CSC's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by CSC or connected via CSC's network.

    Accessibility Policy

    Overview

    This policy establishes the accessibility guidelines for all CSC-owned technology resources. The purpose of this policy is to ensure that every CSC student is presented with an equal opportunity to learn and that all employees can adequately use the required technology equipment for the purpose of their required occupation. These requirements must be met where any learning impairment exists for any CSC student or work limitation exists for any CSC employee. These types of accessibility requirements may include, but are not limited to, the following applications or devices:

    • Screen reading software
    • Screen magnification software
    • Stereo headsets or other sound devices

    This policy applies to all CSC-owned technology resources in labs and other learning areas for student use and in departmental or teaching areas for employee use.

    Policy

    A reasonable attempt shall be made at all times to address the needs of our students and employees, particularly when those needs are due to an accessibility issue presented by a physical impairment or learning disability of some kind. The CSC ITS Department shall make every effort to ensure that each and every student is presented with an equal or comparable learning environment regardless of the hurdle they may face.

    The CSC ITS Department will always strive to offer technology solutions that help improve the learning environments for all students but will be particularly diligent in ensuring that no student will be unable to learn within a classroom due to a physical impairment or learning disability of some kind. The same will be provided for any employee requiring accommodation due to a physical impairment or learning disability of any kind.

    Please note that advance notice of these needs is required and may change due to the request. For instance, additional software needs will take some time to produce an order and install the software so it will be unreasonable to expect a request such as this to have an immediate turnaround time.

    Casting aside the general expectations above, the CSC ITS Department cannot be held liable for issues surrounding software application issues, hardware failures, or the inability of employees or students to convey their respective needs in a reasonable amount of time to allow such software or hardware to be properly installed.

    With that said, the CSC ITS Department will continually strive to ensure that all learning environments have the necessary technology and are adequately structured in a way to provide the most conducive learning environment possible, regardless if a learning disability or physical impairment may be present for any student. The CSC ITS Department will also ensure that all employee areas are adequately designed to facilitate a productive working environment as well.

    Auditing Policy

    Overview

    This policy addresses third-party entities and their ability to conduct an internal technology audit. This type of audit is basically a stress test on our technology resources to evaluate the level of security our technology systems present as well as the level of scrutiny it can withstand.

    Vulnerabilities are a primary focus for the CSC ITS Department. Seeking these vulnerabilities out before they develop into potential problems is best for CSC, its resources, employees, associates, and students. To accomplish this, internal audits are necessary to periodically determine what vulnerabilities may exist within CSC's technology resources.

    The purpose of this agreement is to set forth a policy regarding network security scanning offered by a third-party audit group to CSC. The CSC ITS Department shall allow the utilization of various methods (both hardware and software) to perform electronic scans of our networks, firewalls, and other hardware devices located at CSC.

    Audits may be conducted to:

    • Ensure integrity, confidentiality and availability of information and resources
    • Investigate possible security incidents to ensure conformance to the established CSC ITS Department's security policies
    • Monitor user or system activity where appropriate

    Policy

    This policy covers all computers, equipment, and communication devices owned or operated by CSC. This policy also covers any computers, equipment, and communications devices that are present on CSC premises, but which may not be owned or operated by Connors State College. The third-party audit group will not perform Denial of Service activities at any time during an audit.

    When requested, and for the purpose of performing an audit, consent for the access required to perform the scan will be provided to members of the third-party audit group by the CSC ITS Department. The CSC ITS Department hereby provides its consent to allow the third-party audit group to access its networks, firewalls, and other hardware devices to the extent necessary to perform the scans authorized in this agreement. The CSC ITS Department shall provide protocols, addressing information, and network connections sufficient for the third-party audit group to perform network scanning.

    The access involved in the scan may include:

    • User-level and/or system-level access to any computing, networking equipment, and communications devices
    • Access to information (electronic, hardcopy, etc.) that may be produced, transmitted, or stored on CSC equipment and/or premises
    • Access to work areas (labs, offices, cubicles, storage areas, etc.)
    • Access to interactively monitor and log traffic on CSC networks

    Since CSC gains access to certain resources from third-party entities, cooperation from these resources may be required to perform a full network scan. For instance, OneNet provides the Internet connections to the CSC networks. Because of this, a comprehensive network scan may require the assistance of OneNet or other third-party service providers should part of the scanning activities originate outside the CSC network.

    Network performance and/or availability may be affected by the network scanning. The CSC ITS Department releases any third-party audit group of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result of the third-party audit group's gross negligence or intentional misconduct.

    The CSC ITS Department shall identify, in writing, a person to be available should the third party have questions regarding data discovered or should the third party require assistance.

    CSC and the third-party audit group shall identify, in writing, the allowable dates for the audit vulnerability scan to take place.

    Permission to conduct a vulnerability scan will be obtained from the Director of IT Systems, the President, or a designee a minimum of 48 hours prior to the test.

    Backup Policy

    Overview

    The CSC IT Systems Department maintains systems to hold and retain all essential data for each individual department. This storage area, or group drive as it is referred to, is used to securely store all data for any given department. Because of this centralized storage arrangement, the CSC ITS Department is able to offer secure backup capability ensuring all data will be accessible in the event of a disaster or other event in which the data would be destroyed.

    This policy establishes regular backup schedules for our group drive storage devices and pertains to all this data. With that said, this does not pertain to individual, departmental, or computer lab devices, mobile devices, or other portable storage medium where the data resides locally on the device or medium. The CSC ITS Department does not guarantee backup for any of these types of devices or storage medium.

    Policy

    Every effort shall be made by the individual departments and employees at CSC to store sensitive, important, and confidential data on their respective group drive. As mentioned above, the CSC ITS Department cannot be held liable for issues with data stored elsewhere.

    Regular backup schedules are in place within the group drive storage device to ensure that backups occur at regular intervals and over a time span to provide ample opportunity for the CSC ITS Department to recover a file, folder, or group of such. It should be noted that the CSC ITS Department does require immediate notification in the event a file, folder, or collection of either is found to be missing, corrupt, or otherwise damaged. Waiting to inform the CSC ITS Department decreases the probability of successful recovery.

    Specific information regarding backup restoration on an institution scale can be found in the CSC ITS Department's Disaster Recovery Plan (DRP) or the associated Backup Priority List (BPL). These deal with catastrophic recovery needs that affect multiple departments or the institution as a whole.

    The hardware that the CSC ITS Department uses consists of two Dell EqualLogic storage devices. One device is placed in the server area of the ITS Department on the Warner Campus to serve as a primary storage and backup device while the other is placed in the server area of the ITS Department on the Muskogee Port Campus to serve as an offsite backup and replication device.

    The primary device in Warner holds all data and backups and serves as the primary device for file access and immediate backup. The secondary, offsite device in Muskogee replicates all data from the Warner device to create a stable offsite copy of the data and backups present on the Warner device. For this document, considering the type of hardware described above, normal backups do not necessarily retain the same meaning as when used in conjunction with other hardware devices. Because of this, the following descriptions are provided, based on the current hardware being used, so as to better understand the overall backup process.

  • CSCITSDepartment PoliciesandProceduresManual

    CSCInformationTechnologySystems P a g e |14

    Backups: These refer to snapshots taken of the file structure and database. These snapshots are essentially pointers to changes occurring within the storage device since the last scheduled snapshot. This greatly reduces the file storage requirements necessary to hold backups while still providing the same or superior level of backup capability found in other devices.

    Replication: This refers to the copying process of all data and associated backups from the primary backup device in Warner to the secondary backup device in Muskogee. During a replication, all data and backups are replicated so that a mirror copy is retained at the Muskogee location for offsite, backup capability should a disaster or other issues occur.

    Regularly scheduled backups and replications shall be performed by the CSC ITS Department using the following schedule:

    - Hourly Backups: 7:00 a.m. - 10:00 p.m., every day, every hour as noted herein, on the hour
    - Weekly Backups: 10:30 p.m., every Friday
    - Monthly Backups: 11:59 p.m., last day of each calendar month
    - Mid-Yearly Backups: 12:30 a.m., July 1
    - Yearly Backups: 12:30 a.m., January 1
    - Daily Replication: 12:01 a.m., all data is replicated from the Warner Campus to the Muskogee Campus.

    At the beginning of each day, beginning at 7:00 a.m., backups will begin and continue each hour, on the hour, until 10:00 p.m. each evening.

    Every Friday at 10:30 p.m., after the last hourly backup for that day, a weekly backup will be completed.

    At the end of each month, on the last day of the month, a monthly backup will be completed at 11:59 p.m.

    On July 1 of each year, at 12:30 a.m., a mid-yearly backup will be completed.

    On January 1 of each year, at 12:30 a.m., a yearly backup will be completed.

    At 12:01 a.m. every morning, all backups and data will be replicated from Warner to Muskogee for offsite storage and secondary backup.

    All backups are clearly labeled so as to distinguish one from another easily. At minimum, the following information is provided for each backup file:

    - Time (CST), e.g. 12:00:00 AM or 12:34:59 PM
    - Date, e.g. 12/31/10 or 2/29/12
    - Backup Type, e.g. Hourly or End of Year

    Testing for data integrity will be performed at regularly scheduled intervals by the backup hardware but may also be performed manually at random times to verify the validity, accuracy, and authenticity of the backup. These random tests should total no less than six per year and it is recommended that these tests fall approximately two months apart, less if more than the minimum number of tests are used. We encourage that backup tests be taken within one week of the completion of the yearly and mid-yearly backups with the remaining backups spaced throughout the remaining months of the year. If six are used, it should follow this testing schedule:

    - Test 1: January 1-7
    - Test 2: March 1-7
    - Test 3: May 1-7
    - Test 4: July 1-7
    - Test 5: September 1-7
    - Test 6: November 1-7

    If more than six tests are used, then the schedule may be set at the discretion of the CSC ITS Department, however, two of the tests must occur no later than one week after the yearly and mid-yearly backups are completed. Testing shall consist of one or more of the following methods of data validation and verification of accuracy and authenticity:

    Random Dummy File Restoration: Six to twelve dummy files are inserted on the file server at random locations. Afterwards, we will intentionally delete these dummy files. Then, recovery will be tested to verify data is being restored properly. If this verifies the data is being restored properly, the test is completed and the dummy file may be removed.

    Random Actual File Restoration: Recovery of six to twelve actual random files located on the server. Comparisons will then be made with current versions of the same files to verify content and accuracy of the restoration process. If the comparisons verify that the recovery was successful, then the test is completed.

    Random File Location Verification: Movement of a single dummy file to various locations on the file server. Initially the file is inserted onto the file server and backups are tested to verify the file exists in backups at the initial location. If this is confirmed, then the file is moved on the file server to a second location and backups are tested yet again to verify that the file is in the second location. Once this is confirmed, the file is moved for a third time and backups are once again tested to verify the file exists in the new location. If this is confirmed then the test is completed and the dummy file may be removed. Backups are working correctly and file contents and locations are being updated appropriately.

    Miscellaneous: Other tests may be used at the discretion of the CSC ITS Department with only one restriction: they may not interfere with access or otherwise cause any data loss on the file server.
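The Random Dummy File Restoration test described above can be scripted so that each restored file is compared against a hash recorded before deletion. This is an added example, not part of the CSC manual; the function names are hypothetical, and a plain directory copy stands in for the storage device's snapshot and restore steps.

```python
import hashlib
import os
import random
import secrets
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    """Hash a file in chunks so large files do not need to fit in memory."""
    digest = hashlib.sha256()
    with path.open("rb") as handle:
        for chunk in iter(lambda: handle.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()


def plant_dummy_files(share_root: Path, count: int = 6) -> dict:
    """Write dummy files into randomly chosen existing directories.

    Returns a manifest {relative path: sha256} recorded before the backup runs.
    """
    if not 6 <= count <= 12:
        raise ValueError("the policy calls for six to twelve dummy files")
    directories = [Path(d) for d, _, _ in os.walk(share_root)]
    manifest = {}
    for _ in range(count):
        name = f"restore-test-{secrets.token_hex(4)}.bin"
        target = random.choice(directories) / name
        target.write_bytes(secrets.token_bytes(4096))
        manifest[str(target.relative_to(share_root))] = sha256_of(target)
    return manifest


def verify_restore(share_root: Path, manifest: dict) -> dict:
    """Classify every manifest entry as "ok", "missing" or "corrupt"."""
    results = {}
    for rel, expected in manifest.items():
        restored = share_root / rel
        if not restored.is_file():
            results[rel] = "missing"
        elif sha256_of(restored) != expected:
            results[rel] = "corrupt"
        else:
            results[rel] = "ok"
    return results


def simulated_run() -> dict:
    """Constructed demo: a directory copy stands in for the snapshot."""
    with tempfile.TemporaryDirectory() as work:
        share = Path(work) / "groupdrive"          # constructed sample tree
        for sub in ("finance", "registrar/forms", "its"):
            (share / sub).mkdir(parents=True)
        manifest = plant_dummy_files(share, count=6)
        snapshot = Path(work) / "snapshot"
        shutil.copytree(share, snapshot)           # the "backup"
        for rel in manifest:                       # intentional deletion
            (share / rel).unlink()
        names = sorted(manifest)
        for rel in names[1:]:                      # restore all but one file
            shutil.copy2(snapshot / rel, share / rel)
        (share / names[1]).write_bytes(b"bit rot")  # damage one restored file
        return verify_restore(share, manifest)


if __name__ == "__main__":
    for path, status in sorted(simulated_run().items()):
        print(f"{status:8} {path}")
```

A test passes only when every entry reports "ok"; a "missing" or "corrupt" entry is the condition the policy requires to be investigated.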

    All restoration processes will follow, at minimum, one of the following methods:

    - Rerouting primary traffic from backup and storage device in Warner to accompanying device in Muskogee or vice versa
    - Physically transporting one device to another location
    - Copying all files or a subset of files from the backup equipment to the file server
    - Via the testing process described in this document
    - Utilizing the CSC ITS Department's Disaster Recovery Plan
    - Utilizing the CSC ITS Department's Backup Priority List
    - Other methods, approved by the CSC ITS Department, that do not interfere with access or otherwise cause any data loss on the file server

    If it is found that a scheduled backup process is incomplete or missing due to a hardware or software malfunction, then the backup will be completed as soon as possible and a hardware test will be needed to verify no long-term problems exist that may affect backups in the future. Should a hardware test yield results that indicate serious issues, then a replacement for the faulty hardware should be found as soon as possible in order to prevent such issues from occurring in the future.

    If these issues prevent backups from occurring, then the offsite backup device in Muskogee will be transferred to primary backup duties and a secondary device should be purchased and then placed at Warner to regain primary functionality.

    The following is the maximum number of backups and replications that the CSC ITS Department will retain at any one time. Once these backups or replications reach the maximum count, the oldest will be recycled so that the newest may be retained.

    - Hourly Backup
        o Copies on file: 16 per day, 112 total
        o 7 days' worth of data at hourly intervals
    - Weekly Backup
        o Copies on file: 12 total
        o 12 weeks' (approx. 3 months) worth of data at weekly intervals
    - Monthly Backup
        o Copies on file: 3 per month, 36 total
        o 36 months' (approx. 3 years) worth of data at monthly intervals
    - Mid-Yearly Backup
        o Copies on file: 3 total
        o 3 years' worth of data at yearly (mid-year) intervals
    - Yearly Backup
        o Copies on file: 3 total
        o 3 years' worth of data at yearly (end of year) intervals
    - Daily Replication
        o Copies on file: 32 total
        o 32 days' worth of exact copies of existing data and backups replicated offsite in daily intervals

    Online log files are retained consisting of information for each backup or replication process, hardware/software errors, access issues, or other critical errors involving the backup hardware. These entries are also emailed to the CSC Backup email account for verification and notification.

    Data Retention Policy

    Overview

    This policy will determine how long data shall be retained under the guidelines of federal and state law and within institutional policies as dictated herein.

    Policy

    All data shall be retained, at minimum, the time frame as specified in any current, standing federal or state law. No data residing within any CSC facility or technology equipment will knowingly be destroyed prior to this time frame unless such laws are modified to reflect a new time frame. If such changes do occur, the new time frame will be susceptible to the new law and all data will be retained within the new specifications.

    Under no circumstances is data to be removed, discarded, disposed of, or otherwise destroyed that will compromise legal compliance, data integrity, or institutional needs. The CSC ITS Department shall make every effort to extend the data retention time frames of all data as long as the institution requires access without compromising any legal statutes set forth regarding storage or destruction of such data. No data will be destroyed prior to or retained longer than any legal requirement dictates.

    The CSC ITS Department will continually utilize backup equipment, secondary site storage, and regular backup schedules to ensure that critical data is retained and kept from corruption or other types of data loss. Every effort shall be made to ensure the institutional data needs are given top priority in the event of a loss of data, corruption of data, or if data recovery is necessary.

    This policy shall never decrease the retention time under any state or federal law but may only increase the retention time frame required by the institution. This increase may only be applicable as long as it does not compromise the integrity, storage capability, or otherwise degrade the overall storage capability of the system being used.

    Electronic Communications Policy

    Overview

    Electronic communication is necessary to fulfill multiple roles and activities here at CSC. Because of the varying types of electronic communication, we will focus on those used primarily here at CSC:

    - Email
    - VoIP
    - Video conferencing
    - Digital Signage

    Email is the official method of communication at CSC, both for students and employees. Business is conducted every day via email. Since email has both positive and negative connotations, it is imperative that we recognize that the positive aspects greatly outweigh the negative aspects. However, we must also realize that the negative aspects exist and ensure that this method of communication is used effectively, efficiently, and for its intended purpose.

    CSC's VoIP phone system is used to transmit and receive audio/video within the institution to facilitate direct communication amongst employees and departments. It is also used to transmit and receive audio outside the institution to facilitate direct communication with vendors, students, other institutions, and other third-party entities. Because of this capability, we must ensure that it is used for work purposes.

    Video conferencing equipment is used primarily for instructional classrooms requiring connectivity to other CSC locations and to local area high schools. Video conferencing equipment is also used to facilitate conferences and meetings with other institutions, state agencies, or other third-party entities. Since this type of communication conveys not only audio, but video as well, it is particularly important for it to be used for its intended purposes.

    Digital signage is used on campus to convey student activities, important academic dates, campus events, and other information to students, employees, and visitors. Since this is also a visual and auditory communication mechanism, it is also important to ensure it is used for its intended purpose as well.

    Policy

    Regardless of the type of technology being used, electronic communication is meant to serve the needs of the college by sharing information with students, employees, vendors, other state agencies, campus visitors, and other individuals. Because of the unique capabilities of each system it is important to realize that each type of communication method contains unique issues that must be addressed on a case-by-case basis; however, general rules can be set forth to ensure that any communication method is used wisely and according to its intended purpose.

    In general, CSC's electronic communication mechanisms are to be used to share information with students, employees, vendors, other state agencies, campus visitors, and other individuals.

    It is also important to note that the true definition of information sharing at CSC is to adequately convey the appropriate knowledge so that the College mission is not hindered but enhanced. This information is always to be distributed under the following assumptions:

    Electronic communication from a CSC resource

    - is always understood to represent an official statement from the institution.
    - shall never be used for the creation or distribution of any information that meets the following criteria:
        o Disruptive
        o Offensive
        o Derogatory
        o Specific comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
        o Any information that could be used to sabotage institutional progress
        o Any personally identifiable information
    - shall not be used for personal gain
    - shall not be used extensively for personal use
    - shall not be used to distribute malicious or harmful software or information.

    Emergency Notification Policy

    Overview

    CSC maintains an emergency notification system that is used to notify students and employees who have opted into the service via the CKey website. This system is updated daily to reflect the current student data available so that any notification message will be delivered to the required student and employee list.

    Policy

    The CSC Emergency Notification System is to be used, at all times, for emergency purposes or purposes deemed necessary by the President or designee only. The notification system is to be used to send messages via text to email addresses and mobile phones, via voice to office phones, personal phones, and mobile devices, and via applications to desktops and office phones.

    At no time shall this system be used for normal messaging, notifications, or otherwise standard contact as this would compromise the importance of these messages and may create an environment where students and employees are able to overlook these types of messages because of the frequency with which they could occur.

    With that said, tests of this system shall be conducted once a semester at minimum to ensure the system is functioning properly. Additional tests may be conducted but are not required; however, more than four tests per semester may be too many to retain the importance of such messages when an actual emergency arises requiring the system to be operational.

    Only users defined below shall be able to send emergency notification messages via this system:

    - Director of IT Systems
    - Director of College and Community Relations
    - Director of Campus Life
    - Muskogee Campus Administrators
    - Vice President for Academic Affairs
    - Other designee deemed necessary by the President

    Encryption Policy

    Overview

    The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

    While CSC employees do not typically use encryption methods to a great extent, it is wise to follow the policy below if encryption of information is necessary on any device residing on campus.

    Policy

    A proven, standard algorithm such as Advanced Encryption Standard (AES) should be used as the basis for encryption technologies. This algorithm represents the actual cipher used for an approved application.

    Additionally, the NSA mentions that AES encryption with 128-bit keys provides adequate protection for classified information up to the SECRET level so this should be the minimum level utilized by any encryption tool. Similarly, Ephemeral Unified Model and the One-Pass Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA) using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

    The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the CSC ITS Department. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

    Recent developments in the field of encryption have indicated that it is possible for an encryption key to stay resident in volatile memory long enough after shutdown for it to be stolen and used to break the encryption protecting the associated PC. Because of this, even though the use of encryption is recommended, specific rules are required in order to protect the encryption and, therefore, the data on the drive.

    - Never leave any PC unattended that contains confidential CSC data or a method to access confidential CSC data.
    - If you must leave a PC unattended that contains confidential information (i.e. in an open office or a conference room), only do so if proper encryption has been enabled and the PC has been powered off for no less than 5 minutes.
    - Never authenticate the encryption on a PC which contains confidential CSC data or a method to access confidential CSC data and leave it unattended, allow a non-CSC user to utilize the device, or permit the device to be copied in any way.
    - Never disable or bypass the encryption on a PC which contains confidential CSC data or a method to access confidential CSC data.

    If any user is unsure of the appropriate encryption standard to use or if encryption is necessary, he/she may take advantage of CSC's open door policy and request assistance and information regarding these encryption standards and how to encrypt his/her data to secure it appropriately.

    Enforcement Policy

    Overview

    This policy is to establish enforcement guidelines to ensure that all CSC ITS Department policies and procedures are adhered to and observed by all departments and individuals at CSC including students, employees, visitors, vendors, etc. Anyone using technology resources at CSC will be required to operate within the parameters described in this document or the following enforcement options may be administered.

    Policy

    All policies herein are applicable to any and all users of technology resources at CSC.

    If it is found that any individual, department, or external entity disobeys the policies and procedures set forth within this document, whether knowingly or unknowingly, then the enforcement of such policy may include, but may not be limited to:

    - Forced compliance with the policy
    - Disciplinary action including termination of employment, if an employee
    - Disciplinary action including expulsion from the College, if a student
    - Termination of vendor contract and/or service agreement
    - Prosecution to the fullest extent of the law

    Equipment Configuration Policy

    Overview

    This policy has been established to create a standard configuration for all technology resources at CSC. Because of the variances between the types, makes, models, configurations, builds, versions, and brands of technology resources available, it is necessary to standardize all technology resources to make service and maintenance easier and also to help keep costs down.

    Policy

    All employees shall order and utilize equipment that is serviceable and recommended by the CSC ITS Department. Since equipment availability changes over time, especially when referring to technology, a comprehensive list indicating appropriate hardware would be virtually impossible to create. Because of this, any individual or department wishing to purchase technology equipment should first consult a CSC ITS Department personnel member for current specifications for any given piece of equipment.

    This applies to any and all technology equipment including, but not limited to:

    - Computers (Servers, Desktop, Laptop, Tablets and Mobile Devices, etc.)
    - HDTVs
    - Printers, scanners, copiers, fax machines, or all-in-one devices
    - Projectors, screens, and SmartBoards
    - VoIP phones
    - Digital cameras and camcorders
    - Software (Application, Operating System, Network Based, etc.)
    - Other technology equipment not specifically mentioned here

    For more details on procedures required to place an order for technology equipment, please see the Equipment Ordering Procedures included in this document for detailed instructions.

    Guest/Visitor Access and Technology Use Policy

    Overview

    CSC maintains an atmosphere that is open and allows guests and visitors access to resources, as long as such access does not compromise the integrity of the systems or information contained within the campus and does not introduce malicious software or intent to the internal network.

    Policy

    Guest and visitor access shall be classified into two types as described below:

    - Standard: Access granted to internet resources and institutional resources located online.
    - Special: Access granted above plus any internal access as requested by an individual with the authority to do so:
        o Vice President for Fiscal Services, Vice President for Academic Affairs, President, or other designee deemed necessary by the President

    Internal Access may include:

    - Wireless VLANs (i.e. cscwireless, cscguest)
    - Wired VLANs (i.e. housing, guest)
    - Singular or multiple file access
    - System access such as Blackboard, ID Card System, etc.

    Under no circumstances should visitors be given special access unless permission has been obtained from the appropriate administrative personnel (i.e. a signature from one of the personnel above) along with detailed description of access.

    To obtain guest/visitor access users should contact the CSC ITS Department with their requested system access requirements using the attached Authorization of User Access form.

    For vendor access, please see the appropriate vendor access policy included herein.

    Illegal File Sharing

    Overview

    Legal compliance is a primary focus at CSC. Because of this, we have set forth this policy which addresses illegal file sharing legislation, legal alternatives to illegal file sharing, and penalties for violating state and federal copyright laws.

    This policy applies to all CSC employees, students, vendors, or visitors utilizing CSC-owned computers, equipment, or the CSC network.

    Policy

    File sharing (peer-to-peer) software programs have led to significant increases in anti-piracy efforts and legislation. Peer-to-peer software allows the sharing of files often consisting of copyrighted content such as music, movies, and software which usually occurs without the consent of the owner.

    It is the policy of CSC to respect copyright ownership and protections given to authors, owners, publishers, and creators of copyrighted work. It is against CSC policy for any employee, student, affiliate, or visitor to copy, reproduce, or distribute any copyrighted materials on CSC-owned equipment or the CSC-managed network unless expressly permitted by the owner of such work.

    CSC also discourages the use of any file sharing program as these types of programs may allow copyrighted material to be downloaded to a CSC-owned computer or device. Many of these programs automatically place downloaded files in a shared folder on your computer, which means you could be sharing files without your knowledge. This also means that you may be held responsible for illegal file sharing, whether you are aware that copyrighted files are being shared or not.

    CSC also employs the use of network appliances, equipment, and rules to limit the amount of file sharing traffic on the CSC network. Active blocking of peer-to-peer traffic is used to protect the CSC network from unwanted traffic and the presence of potentially malicious files introduced through file sharing programs.

    CSC encourages employees, students, affiliates, and visitors to utilize legal alternatives to illegal file sharing. There are a variety of free and pay-per-use options available that can be used instead of illegal file sharing programs. Several of these free and pay-per-use options are listed below; however, this is in no way an all-inclusive list. CSC leaves it to the discretion of the employee, student, affiliate, or visitor to decide which alternative to utilize. They are provided herein for reference only and CSC does not endorse or provide any guarantee or support for any of the legal alternatives located below.

    Educause Legal Sources of Online Content

    Pay-per-use services (Per Song, Per Album, Per Movie, etc.) or Subscription-based services (Per Month)

    - iTunes
    - Hulu Plus
    - Amazon: Books/Newspapers, Video, Music, Games
    - Rhapsody
    - CinemaNow
    - Netflix
    - Zune: Music, Video
    - Walmart MP3 Downloads
    - Napster
    - Blockbuster On Demand
    - MP3
    - eMusic
    - Amie Street
    - Mindawn
    - GameTap
    - GameFly
    - OnLive

    Free services

    - Shoutcast
    - Live365
    - Pandora
    - Last.fm
    - Blip.fm
    - YouTube
    - Hulu
    - Joost
    - Clicker
    - [adult swim]
    - Music Rebellion
    - Clicker
    - Slacker
    - iLike
    - ESPN360
    - ABC
    - CBS
    - NBC
    - FOX

    Information Sensitivity Policy

    Overview

    Information sensitivity is a primary focus at CSC. Since we are an educational entity, we deal with many different types of information, some for public use, some not. To make these distinctions, this document will address both types of information.

    This policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of CSC without proper authorization.

    The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as via phone and video conferencing).

    All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information (e.g. confidential information should not be left unattended in conference rooms.).

    NOTE: The impact of these guidelines on daily activity should be minimal.

    Questions about the proper classification of a specific piece of information should be addressed to your supervisor or the CSC ITS Department. Questions about these guidelines should be addressed to the CSC ITS Department.

    Policy

    By grouping information into two different categories, we can adequately address the needs of each type of information. The first type, public information, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to the institution. The second type, confidential information, contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as specific personnel information, student data, billing information, etc. Also included in confidential information is information that is less critical, such as telephone directories, personnel information, etc., which does not require as stringent a degree of protection.

    A subset of the latter is third-party confidential information. This is confidential information belonging or pertaining to another corporation which has been entrusted to CSC by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier/vendor into CSC's network to support our operations.

    CSC personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor and/or the CSC ITS Department for more information and instructions on how this information should be handled.

    The sensitivity guidelines below provide details on how to protect information at various sensitivity levels. Use these guidelines as a reference only, as CSC Confidential Information at each level may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the CSC Confidential Information in question.

    - Minimal Sensitivity
        o Description: General information, some personnel, and technical information.
        o Access: CSC employees, associates, or third parties with a business need to know.
        o Distribution internal to CSC: Approved electronic mail and approved electronic file transmission methods.
        o Distribution external to CSC: Approved electronic mail and approved electronic file transmission methods.
        o Storage: When viewing data, do not allow viewing by unauthorized individuals. Do not leave data open and/or unattended in any format. Protect data from loss, theft, or misplacement. Electronic information should have individual access controls where possible and appropriate.
        o Disposal/Destruction: Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.

    - More Sensitive
        o Description: Business, financial, technical, and most personnel information.
        o Access: CSC employees, associates, or third parties with signed non-disclosure agreements with a business need to know.
        o Distribution internal to CSC: Approved electronic file transmission methods.
        o Distribution external to CSC: Approved electronic file transmission methods via a private link to approved recipients external to CSC locations.
        o Storage: Individual access controls are highly recommended for more sensitive electronic information.
        o Disposal/Destruction: Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.

    - Most Sensitive
        o Description: Operational, personnel, financial, source code, & technical information integral to the security of the institution.
        o Access: Only those individuals (CSC employees and associates) designated with approved access and signed non-disclosure agreements.
        o Distribution internal to CSC: Approved electronic file transmission methods.
        o Distribution external to CSC: Approved electronic file transmission methods to recipients within CSC. Strong encryption is highly recommended.
        o Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored on a physically secured computer.
        o Disposal/Destruction: A necessity. Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.

    Password Policy

    Overview

    Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of CSC's entire network. As such, all CSC employees (including contractors and vendors with access to CSC systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

    The policy is applicable to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that belongs to CSC, resides at any CSC location, has access to the CSC network, or stores any CSC information.

    Policy

    All passwords will meet the following criteria:

    - All system-level passwords (e.g., root, admin, application administration accounts) must be changed at least every 180 days.
    - All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 120 days.
    - User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
    - Passwords must NOT be inserted into email messages or other forms of electronic communication.
    - Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
    - All user-level and system-level passwords must conform to the guidelines described below.

    Passwords are used for various purposes at CSC. Some of the more common uses include: user-level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Very few systems have proper support for one-time tokens (i.e., dynamic passwords that are only used once); therefore, every CSC employee should know how to select strong passwords.

    Poor, weak passwords have the following characteristics:

    - The password contains less than eight characters
    - The password or a subset of the password is a word found in a dictionary (English or foreign)
    - The password is a common usage word such as:
        o Names of family, pets, friends, co-workers, fantasy characters, etc.
        o Computer terms and names, commands, sites, companies, hardware, software
        o The words "CSC", "connors", "state", "college" or any derivation
        o Birthdays and other personal information such as addresses and phone numbers
        o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
        o Any of the above spelled backwards
        o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

    Strong passwords have the following characteristics:

    - Contain between 8 and 32 characters
    - Contain both upper and lower case characters (e.g., a-z, A-Z)
    - Contain at least one number (e.g., 0-9)
    - Contain special characters (e.g., ~, !, @, #, $, ^, (, ), _, +, =, -, ?, or ,)
    - Does not contain a dictionary word in any language, slang, dialect, jargon, etc.
    - Does not contain personal information, names of family, etc.

    Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

    NOTE: Please do not use either of these examples as passwords!

    Do not use the same password for CSC accounts as for other non-CSC access (e.g., personal ISP account, option trading, benefits, etc.). Do not share CSC passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential CSC information.

    Hereisalistof"dont's":

    Don'trevealapasswordoverthephonetoANYONE. Don'trevealapasswordinanemailmessage. Don'trevealapasswordtoasupervisor. Don'ttalkaboutapasswordinfrontofothers. Don'thintattheformatofapassword(e.g.,"myfamilyname"). Don'trevealapasswordonquestionnairesorsecurityforms. Don'tshareapasswordwithfamilymembers. Don'trevealapasswordtocoworkers. Dontrevealapasswordtovendors. Inshort,dontrevealapasswordtoANYONE. Donotusethe"RememberPassword"featureofapplications(e.g.,Eudora,OutLook,Netscape

    Messenger,InternetExplorer,Firefox,Thunderbird). Donotwritepasswordsdownandstorethemanywhereinyouroffice.

    • Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without proper encryption.

    Change passwords at least once every three months.

    Other items to remember:

    • If someone demands a password, refer them to this document or have them call the CSC ITS Department to determine the validity of their request.
    • If an account or password is suspected to have been compromised, report the incident to the CSC ITS Department immediately and change all passwords as soon as possible.
    • Password cracking or guessing may be performed on a periodic or random basis by the CSC ITS Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
    • Never give your password out to anyone. This may or may not include your supervisor, a friend or relative, a student or part-time worker, or even a coworker.

    Physical Security Policy

    Overview

    This policy will establish physical security guidelines that apply to all computing and networking equipment locations. It is important to note that incremental degrees of security will be needed for each area depending on the actual equipment configuration and critical need to the institution.

    Policy

    All areas will be classified into two categories:

    • Office
    • Restricted

    Office areas are simply that, office locations for CSC ITS Department employees. These areas contain computing equipment and other data that should be protected at all times.

    Restricted areas are those areas that belong to the CSC ITS Department and contain equipment owned and/or operated by the CSC ITS Department or a third-party vendor (i.e. OneNet) such as:

    • Switch closets
    • Server rooms
    • Telecommunications rooms
    • ITS Department storage areas

    At the time of this policy, our current physical security offerings are somewhat limited so more advanced options cannot currently be used. As upgrades occur, recommended options will be changed to required options to increase and enhance security.

    At minimum, all office and restricted locations require the following security mechanisms:

    • Solid wood or steel door
    • Either keyed handle or deadbolt lock

    All CSC ITS Department restricted and office locations should contain the following recommended security mechanisms:

    • Reinforced steel doors and frames
    • Keyed deadbolt locks
    • ID card access
    • Steel bars over windows

    Personally Identifiable Information Policy

    Overview

    This policy will establish CSC's definition of Personally Identifiable Information (PII) and indicate what information may be shared, if any, with third-party entities.

    Policy

    It is important to note that information should never be shared without cause or requirement, unless dictated by state or federal government regulations such as annual reporting guidelines and statistical reporting data, in the course of preset institutional operations or vendor agreements, or due to the request of CSC's President or designee.

    PII is the type of information that should be kept safe using the highest level of security. PII is described as information about an individual that identifies, links, relates, or is unique to, or describes him or her. This information may include:

    • Name
    • SSN
    • Address(es)
    • Phone Number(s)
    • Birthdate
    • Birthplace
    • Mother's maiden name
    • Family names
    • Other family data such as addresses, contact information, etc.
    • Financial information such as bank account information, account balances, etc.
    • Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have a personal knowledge of the relevant circumstances, to identify the student with a reasonable certainty
    • Information requested by a person who the educational agency or institution believes knows the identity of the student to whom the educational record directly relates

    Under no circumstances should PII be transported off campus. On-campus storage of PII should meet other policy requirements as dictated herein. Off-campus use of this type of data may be facilitated via the CSC ITS Department's Remote Access Policy.

    Personal Technology Service Policy

    Overview

    This policy will set forth the rules and regulations which will determine how the CSC ITS Department personnel are to perform work on personally owned employee or student technology products.

    The CSC ITS Department does not service technology equipment for individuals who are not CSC employees or students.

    Policy

    The CSC IT Systems Department always strives to ensure that CSC employees, students, affiliates, and visitors receive the best possible technology assistance available for us to provide. However, this can leave something to be desired for non-CSC, personally owned technology equipment owned by employees, students, affiliates, and visitors.

    This policy will set forth the rules, regulations, and guidelines for which the CSC IT Systems Department personnel may provide services for personally owned technology equipment and/or projects outside of normal work hours.

    NOTE: All technology requests for configuration or connectivity to the CSC network from personal technology devices will be handled at no cost. This policy applies only to technology issues related to the personal needs of the user.

    All requests for personal technology assistance will begin with a preliminary diagnosis and troubleshooting process which is provided for FREE. If additional work is authorized by the user then the accompanying Personal Technology Service Policy Consent Form must be read and signed before any work may begin.

    The CSC ITS Department offers no implied warranty or guarantee on any work performed on personal technology equipment. All work is performed "as is" as a service to our students and as a cost-saving alternative for their benefit. However, it is beneficial to note that all work is performed on the same level as comparable service on CSC-owned equipment.

    All personal technology work will be performed within the following restrictions:

    • Personal technology work may be performed during regular business hours, only if such work does not directly interfere with or delay the normal operations or job duties of the CSC ITS Department employee.
    • No on-site work. All equipment must be brought to the CSC IT Systems Department for a preliminary diagnosis and troubleshooting.
    • No parts purchases. All parts to be installed must be purchased by the user.

    • No illegal software. Only legally licensed software may be installed.
    • No work without proper authorization signature on consent form.

    All issues should be expected to take approximately 24-48 hours to complete; however, they may take longer depending upon the severity of the problem at hand. Please expect to leave any equipment for a minimum of 48 hours for proper problem resolution.

    Connors State College cannot be held responsible for any work done after hours by CSC ITS Department personnel on any personal technology equipment. All work provided is not warranted or guaranteed. By signing the Personal Technology Service Policy Consent Form, you agree to these terms and conditions and waive any damages which may occur due to any work on your personal technology equipment. All work is done and once completed is left "as is" and no standing warranty or guarantee is implied.

    Remote Access Policy

    Overview

    This policy establishes the official rules set forth to allow users to remotely access and manipulate personally identifiable information, network applications, and other data from off campus.

    Policy

    Any user who seeks to work off campus for the purpose of working from home or at another location can facilitate this through the use of the CSC or OSU VPN connection. All users needing access to SCT or other applications requiring network connectivity to the campus can facilitate this by connecting from home via a VPN connection.

    This type of connection establishes a secure, encrypted connection to the campus network to allow the user to manipulate and access the data at a distance. At no time should any PII be transferred off campus on any type of device. If a given user wishes to work while off campus, he/she should use the enclosed Remote Access Procedure to obtain a secure connection to the network and work from a distance.

    This type of connection allows the user to remotely manipulate and access the data without actually transferring any data off site, thus ensuring all PII and other data is kept safe and secure from unauthorized access.

    Student Rights and Responsibilities Policy

    Overview

    It is the understanding of all students, upon being admitted to CSC, that the technology resources and equipment provided are for the benefit of all students. This policy explains what rights students have with respect to this technology and also what responsibilities are expected of each student.

    Policy

    Every student that attends CSC shall be given an equal opportunity to learn and equal access to technology to help facilitate learning. All students, regardless of major, classification, student type, housing location, or other identifying factor shall receive the same technology access as any other student.

    Students should expect to receive access to wireless connections in classrooms, learning areas, common areas, dorms, etc. Students should also expect up-to-date computers in labs and teaching areas, multimedia equipment in most classrooms, state-of-the-art instructional television classrooms, and easily accessible online systems such as Blackboard, CSC email, CKey, etc. Students should also expect to receive reliable, free internet service while on campus at speeds unobtainable through any normal ISP.

    With all of these rights and amenities, the CSC ITS Department does place some responsibilities on, and make some assumptions of, our students. These responsibilities are as follows:

    • Students are expected to activate a CKey account thereby creating an email account.
    • Students are expected to maintain their respective CKey account through their career at CSC.
    • Students are expected to utilize their CSC email address as it is the official method of communication with CSC.
    • Students are required to safeguard login credentials and not share user accounts.
    • Students are expected to respect others' privacy and equipment.
    • Students are expected to use only permissible equipment on campus:
        o Computers such as laptops, desktops, mobile devices, etc.
    • Students are to observe prohibited devices in dorm areas:
        o Personal routers, wireless access points, bridges, or other network equipment.
    • Students are expected to observe all local, state, and federal laws concerning technology.
    • Students are required to comply with all policies included in this document.

    Vendor Access Policy

    Overview

    This policy will set forth parameters for vendors to abide by when access to our internal or external network, workstations, or servers is required. All vendors, regardless of status, frequency of visitation, work being performed, or size of entity shall abide by this policy at all times unless such work does not require access to the CSC network or computing resources.

    Policy

    All vendors shall notify their contact on campus of any work that will require access to any of the following CSC resources:

    • Internal network
    • External network
    • On-campus workstation(s)
    • On-campus server(s)
    • Network infrastructure
    • Any other computing device on campus

    Upon notification of the need for access, the CSC ITS Department shall create login credentials and access requirements necessary to facilitate the access required for the vendor to complete their job function. Access shall always be restrictive, meaning unwarranted or unneeded access will not be available until deemed necessary by the requirements of the project. All requests for access shall be evaluated on a case-by-case basis to ensure that proper access is granted and no unwarranted or unneeded access is given without cause.

    At all times, the vendor shall

    • Fulfill their primary job responsibility only;
    • Not seek to undermine or circumvent the access which has been provided;
    • Not tamper with or adjust security settings on existing network infrastructure or devices;
    • Ensure that access credentials are not shared with anyone other than those individuals approved for access;
    • Work to ensure that CSC's information is kept safe and secure from loss or theft;
    • Never disclose any information he or she may come to know from working with or on any CSC technology resource to a separate third-party entity;
    • Notify the CSC ITS Department IMMEDIATELY upon any indication that loss or theft has occurred, access has been lost or tampered with, or there is a concern that any other type of access violation has occurred;
    • Never seek to use any of CSC's information for personal or other monetary gain;
    • Not use any access or technology resource in a manner that has been prohibited for employees, students, or visitors in any of the other, enclosed policies herein.

    Wireless Communication Policy

    Overview

    Wireless implementations are a benefit to CSC as well as its faculty, staff, and students. Maintaining this equipment can be a tedious process but is a necessity.

    At present, this policy allows access to the CSC wireless network via any data communication device containing the hardware required to connect. Connecting to the CSC wireless network does not grant a user access to the internal networking infrastructure or any internal information of CSC, only external access to the internet. Utilizing CSC's wireless network for access to the internal network and/or information requires additional software that must be obtained through the CSC ITS Department.

    This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of CSC's wireless networking access points. This includes any form of wireless data communication device capable of transmitting packet data.

    Policy

    All wireless data communication devices connected with CSC's wireless network will be required to have current virus-scanning software installed with the most recent updates and perform a full system scan a minimum of once per week.

    All wireless data communication devices connected with CSC's wireless network that require access to CSC's internal network and/or information will be required to utilize specific software and/or access credentials obtained through the CSC ITS Department to do so.

    At no time shall any device connected to the CSC wireless network operate outside the parameters defined in the Acceptable Use Policy provided herein. All wirelessly connected devices may be monitored and their information, such as IP address, MAC address, general hardware profile, etc., be archived for future use. Random scans may also be performed to ensure the security of the wireless networks and connected devices and to obtain a general device survey to further enhance the accessibility and usability of CSC's wireless networks.

    Procedures

    Emergency Operating Procedure

    In the event of an emergency, normal operating procedures should be restored as quickly as possible. Due to the small size of our department, it is beneficial that all employees learn laterally to allow for greater ability to maintain operations should any individual employee be unavailable. The steps below will indicate how operations should continue in the event of an emergency directly affecting the CSC ITS Department.

    1. Assess situation and determine if any personnel impact to the CSC ITS Department exists. If so, go to step 2. If not, go to step 3.
    2. Given any personnel impact below, the following options are available to ensure ITS operations can continue in an emergency. If the ITS Department suffers the loss of any of the following employees, the available options are:
        a. Director of IT Systems
            i. Responsibilities will defer to the President or designee until a suitable appointment can be made.
        b. Network Administrator
            i. Responsibilities will defer to the Director.
            ii. Interim assistance can be performed by Chickasaw Telecom or another suitable vendor to facilitate network management.
            iii. Network management is more specialized than workstation management so vendor assistance will most likely be a necessity.
        c. Desktop Administrator
            i. Responsibilities will be shared between remaining personnel.
            ii. Emergency/Interim hiring may be required.
        d. Helpdesk Administrator
            i. Responsibilities will be shared between remaining personnel.
            ii. Emergency/Interim hiring may be required.
        e. Student Helpdesk Technicians (5)
            i. Responsibilities will defer to the Helpdesk Administrator.
            ii. Emergency/Interim hiring may be required.
        f. Distance Education Administrator
            i. Responsibilities will defer to the Director.
            ii. Emergency/Interim hiring may be required.
        g. Programmer
            i. Responsibilities will defer to the Director.
            ii. Interim assistance can be performed by OSU or another A&M institution willing to assist.
            iii. Emergency/Interim hiring may be required.
        h. Departmental catastrophe (3+ users unavailable to perform duties)

            i. Responsibilities will defer to the President or designee until emergency hiring can be finalized.
            ii. If necessary, assistance may be obtained from other institutions and/or vendors:
                1. SCT Operations: OSU A&M System Institutions
                2. Networking: Chickasaw Telecom, VIP Technology Solutions
        i. NOTE: Emergency approval for costs associated with assistance will need to be obtained under any scenario.
    3. Determine if any equipment loss has occurred. If so, proceed to step 4. If not, proceed to step 5.
    4. Determine what resources are affected and bring them back up as soon as possible:
        a. Network and connectivity equipment
        b. Mission-critical services (SCT, group drives, ID card system, etc.)
        c. Non-mission-critical services (security cameras, wireless infrastructure, dorm connectivity, etc.)
    5. Once all connectivity and resources have been restored, normal operations can now resume.

    NOTE: Please see the CSC ITS Department's detailed Disaster Recovery Plan for detailed information regarding disaster scenarios and specific planning information.

    Equipment Ordering Procedure

    This document is to serve as a set of guidelines for all CSC Faculty and Staff who choose to order computing equipment.

    1. Contact the CSC ITS Department to obtain a quote and/or information regarding the equipment you wish to purchase.
    2. For Dell computers and some other specific technology equipment, the ITS Department will create a shopping cart for you and submit the order for processing. If this is the case, skip to Step 5, otherwise go to Step 3.
    3. Obtain the quote(s) for your order from the ITS Department and create a new cart on the OK Corral website: http://okcorral.okstate.edu
    4. Submit your order.
    5. Your order will be routed through the appropriate approving channels, including the ITS Department, since it is a technology equipment purchase.
    6. Once your order has been approved, you may check the progress via OK Corral.
    7. When your equipment arrives, the Bookstore may notify you to pick up the equipment. Otherwise, the ITS Department will retrieve your equipment and configure it, if necessary, prior to delivering it to you.

    NOTE: All technology orders must be received by the ITS Department before they can be released to the purchaser. This is to ensure that the proper software is installed and all equipment is properly tagged and placed in inventory.

    Guest/Visitor Access Procedure

    This procedure will indicate how guests and visitors to campus should obtain access to CSC's technology resources.

    1. Obtain contact information from user needing access:
        a. Name
        b. Phone
        c. Email
    2. Fill out the enclosed Authorization of User Access Form.
    3. Submit the form to the CSC ITS Department.
    4. Access will be created as soon as possible. Confirmation will be sent to requesting employee once access has been created.

    Incident Management Procedure

    This procedure addresses how incidents should be handled when related to technology. This includes thefts, data corruption, etc.

    1. Determine scope of incident.
    2. Fill out attached Incident Management Form.
    3. Ensure supervisor of employee that reported or caused incident has been notified.
    4. Submit form to Director of IT Systems.
    5. Administration will be notified of incident.
    6. Resolution will be drafted given incident scope and individuals involved.

    Remote/VPN Access Procedure

    For users that require access to sensitive information at home or on the road, please use these remote access procedures:

    1. Open your browser and visit CSC's or OSU's VPN location.
        a. CSC: http://vpn.connorsstate.edu
        b. OSU: http://osuvpn.okstate.edu
    2. Log in with your CKey account credentials.
    3. Allow the client to download and install.
    4. Follow the on-screen prompts as software is requested to be installed.
    5. If the installer gets stuck, simply refresh the screen by selecting the browser's refresh button or hitting the F5 key on the keyboard.
    6. Once complete, the client will show up in your taskbar on the bottom right indicating you are connected.
    7. You may now access SCT, group drives, or your office computer as noted below:
        a. SCT: Use client on PC or follow download instructions located at: http://connorsstate.edu/SCT
        b. Group Drives: Open My Computer; if group drives do not show up by default, simply type the following in the address bar at the top to navigate to the group drive server and see your available group drives: \\10.110.2.5\CSC_Group
        c. Office Computer: Open a remote desktop connection on your computer and type in your office computer name. Log in with your CKey credentials to gain access.
            i. You must know the name of your office computer to use this method.
            ii. To obtain your office computer name, simply hold the Windows key on the keyboard and press the Pause/Break key while you are at your office computer.
            iii. The resulting dialog box will show you your computer name.

    Vendor Access Procedure

    If any vendor requires access to technology resources, please follow these steps:

    1. Submit Authorization of User Access Form to CSC ITS Department.
    2. ITS Department will evaluate request and grant access based upon need and policies.
    3. Vendor access will be created to comply with existing policies.
    4. Requesting employee will receive email once appropriate access has been created.

    Terms and Definitions

    Appropriate Measures

    Refers to the measures that the CSC ITS Department is authorized to take to secure CSC's computing resources. This may refer to measures concerning CSC-owned hardware or software, data, employees, students, associates, visitors, etc. The CSC ITS Department must maintain an appropriate measures option so that CSC is protected, concerning both equipment and information.

    Approved Electronic File Transmission Methods

    Includes supported FTP clients including, but not limited to, FileZilla, SecureFTP, and SmartFTP. This also includes supported Web browsers including, but not limited to, Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, and Opera. If you have a business need to use other mailers contact the CSC ITS Department prior to implementation.

    Approved Electronic Mail

    Includes all mail systems supported by the CSC ITS Department. This includes, but is not limited to, CSC Webmail, Outlook-configured email, and configured email on mobile devices. If you have a business need to use other mailers contact the CSC ITS Department prior to implementation.

    Approved Encrypted Email and Files

    Techniques include the use of AES and others. Please contact the CSC ITS Department for further information.

    Asymmetric Cryptosystem

    A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public-key encryption).

    Chain email or letter

    An email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck and/or money if the directions are followed.

    Information System Resources

    Information System Resources include, but are not limited to, all computers, peripherals, data, and programs residing on the CSC Campuses, networks, servers, etc. These resources also include all paper information and any information for internal use only and above.

    Information Technology Systems

    The technology department responsible for managing CSC's computing resources.

    Configuration of CSC-to-Third-Party Connections

    Connections shall be set up to allow third parties requiring access to the CSC campuses, networks, data, etc. These connections will be set up in order to allow minimum access so that third-party entities will only see what they need to see, nothing more. This involves setting up access, applications, and network configurations to allow access to only what is necessary.

    Domain Name System

    Essentially serves as the Internet phonebook by associating various domain names (i.e. http://www.connorsstate.edu, http://it.c