technology systems department procedures manualconnorsstate.edu/ppf/its handbook.pdf · csc its...
Information Technology Systems Department
Policies and Procedures Manual

CSC ITS Department Policies and Procedures Manual
CSC Information Technology Systems Page | 2

Overview
This document serves as a rulebook and roadmap for successfully and properly utilizing the technology resources at Connors State College (CSC). Careful consideration should be taken to verify that one's actions fall within the authorized parameters for access, utilization, distribution, and modification of CSC's technology resources set forth within this document.
Any misuse, misappropriation, negligence, or deliberate disobedience concerning these policies and procedures will not be tolerated. It is up to each individual employee and affiliate of CSC to familiarize him/herself with the policies and procedures set forth herein prior to signing the agreement form at the end of this document.
It is the purpose of the CSC Information Technology Systems (ITS) Department to provide these policies and procedures in order to address potential situations and to provide steps to take during these situations. However, not all situations can ever be addressed so it is up to each individual employee and affiliate to use these policies and procedures for an example of what type of actions to take.
The CSC ITS Department does encourage all CSC employees and associates to err on the side of caution should a difficult situation present itself that is not discussed herein. If this should occur, the employee or associate of CSC can always take advantage of the CSC ITS Department's open door policy and ask for assistance.

Contents
Overview
Plans
  Business Continuity Plan
  Disaster Recovery Plan
Policies
  Acceptable Use Policy
    Overview
    Policy
  Accessibility Policy
    Overview
    Policy
  Auditing Policy
    Overview
    Policy
  Backup Policy
    Overview
    Policy
  Data Retention Policy
    Overview
    Policy
  Electronic Communications Policy
    Overview
    Policy
  Emergency Notification Policy
    Overview
    Policy
  Encryption Policy
    Overview
    Policy
  Enforcement Policy
    Overview
    Policy
  Equipment Configuration Policy
    Overview
    Policy
  Guest/Visitor Access and Technology Use Policy
    Overview
    Policy
  Illegal File Sharing
    Overview
    Policy
  Information Sensitivity Policy
    Overview
    Policy
  Password Policy
    Overview
    Policy
  Physical Security Policy
    Overview
    Policy
  Personally Identifiable Information Policy
    Overview
    Policy
  Personal Technology Service Policy
    Overview
    Policy
  Remote Access Policy
    Overview
    Policy
  Student Rights and Responsibilities Policy
    Overview
    Policy
  Vendor Access Policy
    Overview
    Policy
  Wireless Communication Policy
    Overview
    Policy
Procedures
  Emergency Operating Procedure
  Equipment Ordering Procedure
  Guest/Visitor Access Procedure
  Incident Management Procedure
  Remote/VPN Access Procedure
  Vendor Access Procedure
Terms and Definitions
Disclaimer
Forms
  Authorization of User Access Form
  Equipment Transfer Form
  Incident Report Form
  Personal Technology Service Consent Form
Policies and Procedures Manual Compliance
  Policies and Procedures Agreement Form
  Non-Disclosure Agreement Form
Updates

Plans
Business Continuity Plan (Please see the CSC ITS Department's dedicated BCP document.)
Disaster Recovery Plan (Please see the CSC ITS Department's dedicated DRP document.)

Policies

Acceptable Use Policy

Overview
This policy establishes the acceptable usage guidelines for all CSC-owned technology resources. These resources can include, but are not limited to, the following equipment:
• Computers
  o Desktop Computers, Mobile Devices, Servers, etc.
• Network Equipment
  o Switches, Routers, Network and Communications Cabling, Wall Plates, Wireless Antennas, Wireless Bridge Devices, Fiber Optic Lines, Fiber Optic Equipment, VoIP Phones, etc.
• Audio/Video Equipment
  o Video Codecs, HDTVs, Document Cameras, Projectors, Security Cameras, Miscellaneous Cabling, Digital Cameras and Camcorders, Printers, Copiers, Fax Machines, etc.
• Software
  o Operating Systems, Application Software, etc.
• Resources
  o Group Drive File Storage, Website File Storage, Email Accounts, Social Networking Accounts, etc.
This policy applies to all employees, contractors, consultants, temporaries, and other workers at CSC, including any and all personnel affiliated with third parties, including vendors. This policy applies to all equipment that is owned or leased by CSC.

Policy
While CSC's ITS Department desires to provide a reasonable level of freedom and privacy, users should be aware that all CSC-owned equipment, network infrastructure, and software applications are the property of CSC and therefore are to be used for official use only. Also, all data residing on CSC-owned equipment is the property of CSC and therefore should be treated as such and protected from unauthorized access.
The following activities provide a general roadmap to use CSC's technology resources in an acceptable manner:
• All passwords used to access CSC systems must be kept secure and protected from unauthorized use.
• No user account can be shared between individuals. Authorized users are responsible for the security of their own passwords and accounts.
• Do not transfer personally identifiable information on portable equipment and storage devices.
• Public postings by employees from a CSC email address should contain the following disclaimer stating that the opinions expressed are strictly their own and not necessarily those of CSC, unless the posting is in the course of business duties:
  o Any views or opinions presented in this message are solely those of the author and do not necessarily represent those of Connors State College. Employees of Connors State College are expressly required not to make defamatory statements and not to infringe or authorize any infringement of copyright or any other legal right by electronic communications. Any such communication is contrary to CSC policy and outside the scope of the employment of the individual concerned. CSC will not accept any liability in respect of such communication, and the employee responsible will be personally liable for any damages or other liability arising.
• All computers residing on the internal CSC network, whether owned by the employee or CSC, shall be continually executing approved virus-scanning software with a current, up-to-date virus database.
• Employees must use extreme caution when opening email attachments received from unknown senders.
• Personally identifiable information cannot be sent via electronic means and should be transferred within the internal network or through secure VPN connections.
• Off-campus work should be completed via a secure VPN connection so that no data is transferred off-network.
• All workstations should be kept secure. Users should lock the workstation when not attended to prevent unauthorized users from accessing secure files.
The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of CSC authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing CSC-owned resources.
The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
The following activities are strictly prohibited, with no exceptions:
• Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by CSC.
• Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which CSC or the end user does not have an active license is strictly prohibited.
• Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.
• Introduction of malicious programs into the network or server environments (e.g., viruses, worms, Trojan horses, rootkits, etc.).
• Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
• Using a CSC computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
• Making fraudulent offers of products, items, or services originating from any CSC account.
• Making statements about warranty, expressly or implied, unless it is a part of normal job duties.
• Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, pinged floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
• Port scanning or security scanning is expressly prohibited unless prior notification to the CSC ITS Department is made.
• Executing any form of network monitoring which will intercept data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
• Circumventing user authentication or security of any host, network or account.
• Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
• Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
• Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
• Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
• Unauthorized use, or forging, of email header information.
• Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
• Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
• Use of unsolicited email originating from within CSC's networks of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by CSC or connected via CSC's network.

Accessibility Policy

Overview
This policy establishes the accessibility guidelines for all CSC-owned technology resources. The purpose of this policy is to ensure that every CSC student is presented with an equal opportunity to learn and that all employees can adequately use the required technology equipment for the purpose of their required occupation. These requirements must be met where any learning impairment exists for any CSC student or work limitation exists for any CSC employee. These types of accessibility requirements may include, but are not limited to, the following applications or devices:
• Screen reading software
• Screen magnification software
• Stereo headsets or other sound devices
This policy applies to all CSC-owned technology resources in labs and other learning areas for student use and in departmental or teaching areas for employee use.

Policy
A reasonable attempt shall be made at all times to address the needs of our students and employees, particularly when those needs are due to an accessibility issue presented by a physical impairment or learning disability of some kind. The CSC ITS Department shall make every effort to ensure that each and every student is presented with an equal or comparable learning environment regardless of the hurdle they may face.
The CSC ITS Department will always strive to offer technology solutions that help improve the learning environments for all students but will be particularly diligent in ensuring that no student will be unable to learn within a classroom due to a physical impairment or learning disability of some kind. The same will be provided for any employee requiring accommodation due to a physical impairment or learning disability of any kind.
Please note that advance notice of these needs is required and may change due to the request. For instance, additional software needs will take some time to produce an order and install the software so it will be unreasonable to expect a request such as this to have an immediate turnaround time.
Casting aside the general expectations above, the CSC ITS Department cannot be held liable for issues surrounding software application issues, hardware failures, or the inability of employees or students to convey their respective needs in a reasonable amount of time to allow such software or hardware to be properly installed.
With that said, the CSC ITS Department will continually strive to ensure that all learning environments have the necessary technology and are adequately structured in a way to provide the most conducive learning environment possible, regardless if a learning disability or physical impairment may be present for any student. The CSC ITS Department will also ensure that all employee areas are adequately designed to facilitate a productive working environment as well.

Auditing Policy

Overview
This policy addresses third-party entities and their ability to conduct an internal technology audit. This type of audit is basically a stress test on our technology resources to evaluate the level of security our technology systems present as well as the level of scrutiny it can withstand.
Vulnerabilities are a primary focus for the CSC ITS Department. Seeking these vulnerabilities out before they develop into potential problems is best for CSC, its resources, employees, associates, and students. To accomplish this, internal audits are necessary to periodically determine what vulnerabilities may exist within CSC's technology resources.
The purpose of this agreement is to set forth a policy regarding network security scanning offered by a third-party audit group to CSC. The CSC ITS Department shall allow the utilization of various methods (both hardware and software) to perform electronic scans of our networks, firewalls, and other hardware devices located at CSC.
Audits may be conducted to:
• Ensure integrity, confidentiality and availability of information and resources
• Investigate possible security incidents to ensure conformance to the established CSC ITS Department's security policies
• Monitor user or system activity where appropriate

Policy
This policy covers all computers, equipment, and communication devices owned or operated by CSC. This policy also covers any computers, equipment, and communications devices that are present on CSC premises, but which may not be owned or operated by Connors State College. The third-party audit group will not perform Denial of Service activities at any time during an audit.
When requested, and for the purpose of performing an audit, consent for the access required to perform the scan will be provided to members of the third-party audit group by the CSC ITS Department. The CSC ITS Department hereby provides its consent to allow the third-party audit group to access its networks, firewalls, and other hardware devices to the extent necessary to perform the scans authorized in this agreement. The CSC ITS Department shall provide protocols, addressing information, and network connections sufficient for the third-party audit group to perform network scanning.
The access involved in the scan may include:
• User-level and/or system-level access to any computing, networking equipment, and communications devices
• Access to information (electronic, hard copy, etc.) that may be produced, transmitted, or stored on CSC equipment and/or premises
• Access to work areas (labs, offices, cubicles, storage areas, etc.)
• Access to interactively monitor and log traffic on CSC networks
Since CSC gains access to certain resources from third-party entities, cooperation from these resources may be required to perform a full network scan. For instance, OneNet provides the Internet connections to the CSC networks. Because of this, a comprehensive network scan may require the assistance of OneNet or other third-party service providers should part of the scanning activities originate outside the CSC network.
Network performance and/or availability may be affected by the network scanning. The CSC ITS Department releases any third-party audit group of any and all liability for damages that may arise from network availability restrictions caused by the network scanning, unless such damages are the result of the third-party audit group's gross negligence or intentional misconduct.
The CSC ITS Department shall identify, in writing, a person to be available should the third party have questions regarding data discovered or should the third party require assistance.
CSC and the third-party audit group shall identify, in writing, the allowable dates for the audit vulnerability scan to take place.
Permission to conduct a vulnerability scan will be obtained from the Director of IT Systems, the President, or a designee a minimum of 48 hours prior to the test.

Backup Policy

Overview
The CSC IT Systems Department maintains systems to hold and retain all essential data for each individual department. This storage area, or group drive as it is referred to, is used to securely store all data for any given department. Because of this centralized storage arrangement, the CSC ITS Department is able to offer secure backup capability ensuring all data will be accessible in the event of a disaster or other event in which the data would be destroyed.
This policy establishes regular backup schedules for our group drive storage devices and pertains to all this data. With that said, this does not pertain to individual, departmental, or computer lab devices, mobile devices, or other portable storage medium where the data resides locally on the device or medium. The CSC ITS Department does not guarantee backup for any of these types of devices or storage medium.

Policy
Every effort shall be made by the individual departments and employees at CSC to store sensitive, important, and confidential data on their respective group drive. As mentioned above, the CSC ITS Department cannot be held liable for issues with data stored elsewhere.
Regular backup schedules are in place within the group drive storage device to ensure that backups occur at regular intervals and over a time span to provide ample opportunity for the CSC ITS Department to recover a file, folder, or group of such. It should be noted that the CSC ITS Department does require immediate notification in the event a file, folder, or collection of either is found to be missing, corrupt, or otherwise damaged. Waiting to inform the CSC ITS Department decreases the probability of successful recovery.
Specific information regarding backup restoration on an institution scale can be found in the CSC ITS Department's Disaster Recovery Plan (DRP) or the associated Backup Priority List (BPL). These deal with catastrophic recovery needs that affect multiple departments or the institution as a whole.
The hardware that the CSC ITS Department uses consists of two Dell EqualLogic storage devices. One device is placed in the server area of the ITS Department on the Warner Campus to serve as a primary storage and backup device while the other is placed in the server area of the ITS Department on the Muskogee Port Campus to serve as an offsite backup and replication device.
The primary device in Warner holds all data and backups and serves as the primary device for file access and immediate backup. The secondary, offsite device in Muskogee replicates all data from the Warner device to create a stable offsite copy of the data and backups present on the Warner device. For this document, considering the type of hardware described above, normal backups do not necessarily retain the same meaning as when used in conjunction with other hardware devices. Because of this, the following descriptions are provided, based on the current hardware being used, so as to better understand the overall backup process.
Backups: These refer to snapshots taken of the file structure and database. These snapshots are essentially pointers to changes occurring within the storage device since the last scheduled snapshot. This greatly reduces the file storage requirements necessary to hold backups while still providing the same or superior level of backup capability found in other devices.
Replication: This refers to the copying process of all data and associated backups from the primary backup device in Warner to the secondary backup device in Muskogee. During a replication, all data and backups are replicated so that a mirror copy is retained at the Muskogee location for offsite backup capability should a disaster or other issues occur.
Regularly scheduled backups and replications shall be performed by the CSC ITS Department using the following schedule:
• Hourly Backups
  o 7:00 a.m. - 10:00 p.m.
  o Every day, every hour as noted herein, on the hour
• Weekly Backups
  o 10:30 p.m.
  o Every Friday
• Monthly Backups
  o 11:59 p.m.
  o Last day of each calendar month
• Mid-Yearly Backups
  o 12:30 a.m.
  o July 1
• Yearly Backups
  o 12:30 a.m.
  o January 1
• Daily Replication
  o 12:01 a.m.
  o All data is replicated from the Warner Campus to the Muskogee Campus.
At the beginning of each day, beginning at 7:00 a.m., backups will begin and continue each hour, on the hour, until 10:00 p.m. each evening.
Every Friday at 10:30 p.m., after the last hourly backup for that day, a weekly backup will be completed.
At the end of each month, on the last day of the month, a monthly backup will be completed at 11:59 p.m.
On July 1 of each year, at 12:30 a.m., a mid-yearly backup will be completed.
On January 1 of each year, at 12:30 a.m., a yearly backup will be completed.

At 12:01 a.m. every morning, all backups and data will be replicated from Warner to Muskogee for offsite storage and secondary backup.

All backups are clearly labeled so as to distinguish one from another easily. At minimum, the following information is provided for each backup file:

- Time (CST), e.g. 12:00:00 AM or 12:34:59 PM
- Date, e.g. 12/31/10 or 2/29/12
- Backup Type, e.g. Hourly or End of Year

Testing for data integrity will be performed at regularly scheduled intervals by the backup hardware but may also be performed manually at random times to verify the validity, accuracy, and authenticity of the backup. These random tests should total no less than six per year and it is recommended that these tests fall approximately two months apart, less if more than the minimum number of tests are used. We encourage that backup tests be taken within one week of the completion of the yearly and mid-yearly backups with the remaining backups spaced throughout the remaining months of the year. If six are used, it should follow this testing schedule:

- Test 1: January 17
- Test 2: March 17
- Test 3: May 17
- Test 4: July 17
- Test 5: September 17
- Test 6: November 17

If more than six tests are used, then the schedule may be set at the discretion of the CSC ITS Department, however, two of the tests must occur no later than one week after the yearly and mid-yearly backups are completed.

Testing shall consist of one or more of the following methods of data validation and verification of accuracy and authenticity:
- Random Dummy File Restoration: Six to twelve dummy files are inserted on the file server at random locations. Afterwards, we will intentionally delete these dummy files. Then, recovery will be tested to verify data is being restored properly. If this verifies the data is being restored properly, the test is completed and the dummy file may be removed.
- Random Actual File Restoration: Recovery of six to twelve actual random files located on the server. Comparisons will then be made with current versions of the same files to verify content and accuracy of restoration process. If the comparisons verify that the recovery was successful, then the test is completed.
- Random File Location Verification: Movement of a single dummy file to various locations on the file server. Initially the file is inserted onto the file server and backups are tested to verify the file exists in backups at the initial location. If this is confirmed, then the file is moved on the file server to a second location and backups are tested yet again to verify that the file is in the second location. Once this is confirmed, the file is moved for a third time and backups are once again tested to verify the file exists in the new location. If this is confirmed then the test is completed and the dummy file may be removed. Backups are working correctly and file contents and locations are being updated appropriately.
- Miscellaneous: Other tests may be used at the discretion of the CSC ITS Department with only one restriction: they may not interfere with access or otherwise cause any data loss on the file server.
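The Random Dummy File Restoration test described above, written out as an added Python example that is not part of the CSC manual. The `take_backup` and `restore` callables stand in for the backup hardware's own snapshot and recovery functions, which the manual does not specify, and `simulate` is a constructed stand-in that uses a plain directory copy as the "backup".

```python
import hashlib
import os
import random
import secrets
import shutil
import tempfile
from pathlib import Path


def sha256_of(path: Path) -> str:
    return hashlib.sha256(path.read_bytes()).hexdigest()


def plant_dummy_files(root: Path, count: int = 6) -> dict:
    """Insert `count` dummy files in randomly chosen directories under `root`."""
    if not 6 <= count <= 12:
        raise ValueError("the policy calls for six to twelve dummy files")
    directories = [Path(d) for d, _subdirs, _files in os.walk(root)]
    planted = {}
    for _ in range(count):
        path = random.choice(directories) / f"restore-test-{secrets.token_hex(4)}.bin"
        path.write_bytes(secrets.token_bytes(2048))
        planted[path] = sha256_of(path)      # remember what the content must be
    return planted


def dummy_file_restore_test(root, take_backup, restore, count=6):
    """Run the test; return the dummy files that were NOT restored correctly."""
    planted = plant_dummy_files(Path(root), count)
    try:
        take_backup()                        # 1. the files must be captured by a backup
        for path in planted:                 # 2. intentionally delete them
            path.unlink()
        restore(list(planted))               # 3. recover them from the backup
        # 4. verify content by hash, not just that a file with that name came back
        return [p for p, digest in planted.items()
                if not p.is_file() or sha256_of(p) != digest]
    finally:
        for path in planted:                 # 5. remove the dummy files afterwards
            path.unlink(missing_ok=True)


def simulate(corrupt_one=False):
    """Constructed demo: a directory copy plays the role of the backup device."""
    with tempfile.TemporaryDirectory() as work:
        root, snapshot = Path(work, "fileserver"), Path(work, "snapshot")
        (root / "dept" / "shared").mkdir(parents=True)
        (root / "home").mkdir()

        def take_backup():
            shutil.copytree(root, snapshot)

        def restore(paths):
            for path in paths:
                shutil.copy2(snapshot / path.relative_to(root), path)
            if corrupt_one:                  # model a restore that returns bad data
                paths[0].write_bytes(b"damaged in transit")

        return dummy_file_restore_test(root, take_backup, restore)


if __name__ == "__main__":
    print("failed restores (healthy backup):", simulate())
    print("failed restores (one corrupted): ", simulate(corrupt_one=True))
```

An empty result means every dummy file came back byte-for-byte; any path in the result is a restore that returned missing or altered data.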
All restoration processes will follow, at minimum, one of the following methods:

- Rerouting primary traffic from backup and storage device in Warner to accompanying device in Muskogee or vice versa
- Physically transporting one device to another location
- Copying all files or a subset of files from the backup equipment to the file server
- Via the testing process described in this document
- Utilizing the CSC ITS Department's Disaster Recovery Plan
- Utilizing the CSC ITS Department's Backup Priority List
- Other methods, approved by the CSC ITS Department, that do not interfere with access or otherwise cause any data loss on the file server

If it is found that a scheduled backup process is incomplete or missing due to a hardware or software malfunction, then the backup will be completed as soon as possible and a hardware test will be needed to verify no long-term problems exist that may affect backups in the future. Should a hardware test yield results that indicate serious issues, then a replacement for the faulty hardware should be found as soon as possible in order to prevent such issues from occurring in the future.

If these issues prevent backups from occurring, then the offsite backup device in Muskogee will be transferred to primary backup duties and a secondary device should be purchased and then placed at Warner to regain primary functionality.

The following is the maximum number of backups and replications that the CSC ITS Department will retain at any one time. Once these backups or replications reach the maximum count, the oldest will be recycled so that the newest may be retained.
- Hourly Backup
  o Copies on file: 16 per day, 112 total
  o 7 days worth of data at hourly intervals
- Weekly Backup
  o Copies on file: 12 total
  o 12 weeks (approx. 3 months) worth of data at weekly intervals
- Monthly Backup
  o Copies on file: 3 per month, 36 total
  o 36 months (approx. 3 years) worth of data at monthly intervals
- Mid-Yearly Backup
  o Copies on file: 3 total
  o 3 years worth of data at yearly (mid-year) intervals
- Yearly Backup
  o Copies on file: 3 total
  o 3 years worth of data at yearly (end of year) intervals
- Daily Replication
  o Copies on file: 32 total
  o 32 days worth of exact copies of existing data and backups replicated offsite in daily intervals

Online log files are retained consisting of information for each backup or replication process, hardware/software errors, access issues, or other critical errors involving the backup hardware. These entries are also emailed to the CSC Backup email account for verification and notification.
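The schedule, the three label fields and the retention counts above can be checked mechanically. The following is an added Python example, not code from the CSC manual: it lists the jobs the schedule calls for on each day, reports any that have no matching backup label, and applies the maximum copy counts. The `|`-separated label layout and the type names other than "Hourly" and "End of Year" are assumptions, and the sample labels are constructed.

```python
import calendar
from datetime import date, datetime, time, timedelta

# Maximum copies retained per backup type, as listed in the policy above.
# "Hourly" and "End of Year" are the policy's own type names; the rest are assumed.
MAX_COPIES = {"Hourly": 112, "Weekly": 12, "Monthly": 36,
              "Mid-Year": 3, "End of Year": 3, "Replication": 32}


def expected_jobs(day: date) -> list:
    """Every backup and replication the schedule calls for on `day`."""
    def at(hour, minute):
        return datetime.combine(day, time(hour, minute))

    jobs = [(at(0, 1), "Replication")]                      # 12:01 a.m. daily
    if (day.month, day.day) == (1, 1):
        jobs.append((at(0, 30), "End of Year"))             # 12:30 a.m. January 1
    if (day.month, day.day) == (7, 1):
        jobs.append((at(0, 30), "Mid-Year"))                # 12:30 a.m. July 1
    jobs += [(at(h, 0), "Hourly") for h in range(7, 23)]    # 7:00 a.m. to 10:00 p.m.
    if day.weekday() == 4:
        jobs.append((at(22, 30), "Weekly"))                 # 10:30 p.m. Friday
    if day.day == calendar.monthrange(day.year, day.month)[1]:
        jobs.append((at(23, 59), "Monthly"))                # 11:59 p.m. last day of month
    return jobs


def make_label(when: datetime, kind: str) -> str:
    """Label carrying time, date and backup type (layout is an assumption)."""
    return f"{when.strftime('%I:%M:%S %p')}|{when.month}/{when.day}/{when.strftime('%y')}|{kind}"


def parse_label(label: str):
    clock, day, kind = (field.strip() for field in label.split("|"))
    return datetime.strptime(f"{day} {clock}", "%m/%d/%y %I:%M:%S %p"), kind


def missing_jobs(labels, first_day: date, last_day: date) -> list:
    """Scheduled jobs between the two days (inclusive) that have no label."""
    seen = set()
    for label in labels:
        when, kind = parse_label(label)
        seen.add((when.replace(second=0), kind))   # match on the scheduled minute
    missing, day = [], first_day
    while day <= last_day:
        missing += [job for job in expected_jobs(day) if job not in seen]
        day += timedelta(days=1)
    return missing


def recycle(labels):
    """Apply the maximum copy counts: return (kept, recycled), oldest recycled first."""
    by_kind = {}
    for label in labels:
        when, kind = parse_label(label)
        by_kind.setdefault(kind, []).append((when, label))
    kept, recycled = [], []
    for kind, items in by_kind.items():
        items.sort()
        limit = MAX_COPIES[kind]
        recycled += [label for _, label in items[:-limit]]
        kept += [label for _, label in items[-limit:]]
    return kept, recycled


def sample_labels():
    """Constructed labels for 12/31/10 and 1/1/11 with two jobs left out on purpose."""
    jobs = expected_jobs(date(2010, 12, 31)) + expected_jobs(date(2011, 1, 1))
    dropped = {(datetime(2010, 12, 31, 15, 0), "Hourly"),
               (datetime(2011, 1, 1, 0, 30), "End of Year")}
    return [make_label(w, k) for w, k in jobs if (w, k) not in dropped]


if __name__ == "__main__":
    for when, kind in missing_jobs(sample_labels(), date(2010, 12, 31), date(2011, 1, 1)):
        print("MISSING", make_label(when, kind))
```

Each reported job is one that, under the policy, must be completed as soon as possible and followed by a hardware test.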
Data Retention Policy

Overview
This policy will determine how long data shall be retained under the guidelines of federal and state law and within institutional policies as dictated herein.

Policy
All data shall be retained, at minimum, the timeframe as specified in any current, standing federal or state law. No data residing within any CSC facility or technology equipment will knowingly be destroyed prior to this timeframe unless such laws are modified to reflect a new timeframe. If such changes do occur, the new timeframe will be susceptible to the new law and all data will be retained within the new specifications.

Under no circumstances is data to be removed, discarded, disposed of, or otherwise destroyed that will compromise legal compliance, data integrity, or institutional needs. The CSC ITS Department shall make every effort to extend the data retention timeframes of all data as long as the institution requires access without compromising any legal statutes set forth regarding storage or destruction of such data. No data will be destroyed prior to or retained longer than any legal requirement dictates.

The CSC ITS Department will continually utilize backup equipment, secondary site storage, and regular backup schedules to ensure that critical data is retained and kept from corruption or other types of data loss. Every effort shall be made to ensure the institutional data needs are given top priority in the event of a loss of data, corruption of data, or if data recovery is necessary.

This policy shall never decrease the retention time under any state or federal law but may only increase the retention timeframe required by the institution. This increase may only be applicable as long as it does not compromise the integrity, storage capability, or otherwise degrade the overall storage capability of the system being used.
Electronic Communications Policy

Overview
Electronic communication is necessary to fulfill multiple roles and activities here at CSC. Because of the varying types of electronic communication, we will focus on those used primarily here at CSC:

- Email
- VoIP
- Video conferencing
- Digital Signage

Email is the official method of communication at CSC, both for students and employees. Business is conducted every day via email. Since email has both positive and negative connotations, it is imperative that we recognize that the positive aspects greatly outweigh the negative aspects. However, we must also realize that the negative aspects exist and ensure that this method of communication is used effectively, efficiently, and for its intended purpose.

CSC's VoIP phone system is used to transmit and receive audio/video within the institution to facilitate direct communication amongst employees and departments. It is also used to transmit and receive audio outside the institution to facilitate direct communication with vendors, students, other institutions, and other third-party entities. Because of this capability, we must ensure that it is used for work purposes.

Video conferencing equipment is used primarily for instructional classrooms requiring connectivity to other CSC locations and to local area high schools. Video conferencing equipment is also used to facilitate conferences and meetings with other institutions, state agencies, or other third-party entities. Since this type of communication conveys not only audio, but video as well, it is particularly important for it to be used for its intended purposes.

Digital signage is used on campus to convey student activities, important academic dates, campus events, and other information to students, employees, and visitors. Since this is also a visual and auditory communication mechanism, it is also important to ensure it is used for its intended purpose as well.

Policy
Regardless of the type of technology being used, electronic communication is meant to serve the needs of the college by sharing information with students, employees, vendors, other state agencies, campus visitors, and other individuals. Because of the unique capabilities of each system it is important to realize that each type of communication method contains unique issues that must be addressed on a case-by-case basis; however, general rules can be set forth to ensure that any communication method is used wisely and according to its intended purpose.

In general, CSC's electronic communication mechanisms are to be used to share information with students, employees, vendors, other state agencies, campus visitors, and other individuals.
It is also important to note that the true definition of information sharing at CSC is to adequately convey the appropriate knowledge so that the College mission is not hindered but enhanced. This information is always to be distributed under the following assumptions:

Electronic communication from a CSC resource

- is always understood to represent an official statement from the institution.
- shall never be used for the creation or distribution of any information that meets the following criteria:
  o Disruptive
  o Offensive
  o Derogatory
  o Specific comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin.
  o Any information that could be used to sabotage institutional progress
  o Any personally identifiable information
- shall not be used for personal gain
- shall not be used extensively for personal use
- shall not be used to distribute malicious or harmful software or information.
Emergency Notification Policy

Overview
CSC maintains an emergency notification system that is used to notify students and employees who have opted into the service via the CKey website. This system is updated daily to reflect the current student data available so that any notification message will be delivered to the required student and employee list.

Policy
The CSC Emergency Notification System is to be used, at all times, for emergency purposes or purposes deemed necessary by the President or designee only. The notification system is to be used to send messages via text to email addresses and mobile phones, via voice to office phones, personal phones, and mobile devices, and via applications to desktops and office phones.

At no time shall this system be used for normal messaging, notifications, or otherwise standard contact as this would compromise the importance of these messages and may create an environment where students and employees are able to overlook these types of messages because of the frequency with which they could occur.

With that said, tests of this system shall be conducted once a semester at minimum to ensure the system is functioning properly. Additional tests may be conducted but are not required; however, more than four tests per semester may be too many to retain the importance of such messages when an actual emergency arises requiring the system to be operational.

Only users defined below shall be able to send emergency notification messages via this system:

- Director of IT Systems
- Director of College and Community Relations
- Director of Campus Life
- Muskogee Campus Administrators
- Vice President for Academic Affairs
- Other designee deemed necessary by the President
Encryption Policy

Overview
The purpose of this policy is to provide guidance that limits the use of encryption to those algorithms that have received substantial public review and have been proven to work effectively. Additionally, this policy provides direction to ensure that Federal regulations are followed, and legal authority is granted for the dissemination and use of encryption technologies outside of the United States.

While CSC employees do not typically use encryption methods to a great extent, it is wise to follow the policy below if encryption of information is necessary on any device residing on campus.

Policy
A proven, standard algorithm such as Advanced Encryption Standard (AES) should be used as the basis for encryption technologies. This algorithm represents the actual cipher used for an approved application.

Additionally, the NSA mentions that AES encryption with 128-bit keys provides adequate protection for classified information up to the SECRET level so this should be the minimum level utilized by any encryption tool. Similarly, Ephemeral Unified Model and the One-Pass Diffie-Hellman (ECDH) and the Elliptic Curve Digital Signature Algorithm (ECDSA) using the 256-bit prime modulus elliptic curve as specified in FIPS PUB 186-3 and SHA-256 provide adequate protection for classified information up to the SECRET level. During the transition to the use of elliptic curve cryptography in ECDH and ECDSA, DH, DSA and RSA can be used with a 2048-bit modulus to protect classified information up to the SECRET level.

The use of proprietary encryption algorithms is not allowed for any purpose, unless reviewed by qualified experts outside of the vendor in question and approved by the CSC ITS Department. Be aware that the export of encryption technologies is restricted by the U.S. Government. Residents of countries other than the United States should make themselves aware of the encryption technology laws of the country in which they reside.

Recent developments in the field of encryption have indicated that it is possible for an encryption key to stay resident in volatile memory long enough after shutdown for it to be stolen and used to break the encryption protecting the associated PC. Because of this, even though the use of encryption is recommended, specific rules are required in order to protect the encryption and, therefore, the data on the drive.

- Never leave any PC unattended that contains confidential CSC data or a method to access confidential CSC data.
- If you must leave a PC unattended that contains confidential information (i.e. in an open office or a conference room), only do so if proper encryption has been enabled and the PC has been powered off for no less than 5 minutes.
- Never authenticate the encryption on a PC which contains confidential CSC data or a method to access confidential CSC data and leave it unattended, allow a non-CSC user to utilize the device, or permit the device to be copied in any way.
- Never disable or bypass the encryption on a PC which contains confidential CSC data or a method to access confidential CSC data.

If any user is unsure of the appropriate encryption standard to use or if encryption is necessary, he/she may take advantage of CSC's open door policy and request assistance and information regarding these encryption standards and how to encrypt his/her data to secure it appropriately.
Enforcement Policy

Overview
This policy is to establish enforcement guidelines to ensure that all CSC ITS Department policies and procedures are adhered to and observed by all departments and individuals at CSC including students, employees, visitors, vendors, etc. Anyone using technology resources at CSC will be required to operate within the parameters described in this document or the following enforcement options may be administered.

Policy
All policies herein are applicable to any and all users of technology resources at CSC.

If it is found that any individual, department, or external entity disobeys the policies and procedures set forth within this document, whether knowingly or unknowingly, then the enforcement of such policy may include, but may not be limited to:

- Forced compliance with the policy
- Disciplinary action including termination of employment, if an employee
- Disciplinary action including expulsion from the College, if a student
- Termination of vendor contract and/or service agreement
- Prosecution to the fullest extent of the law
Equipment Configuration Policy

Overview
This policy has been established to create a standard configuration for all technology resources at CSC. Because of the variances between the types, makes, models, configurations, builds, versions, and brands of technology resources available, it is necessary to standardize all technology resources to make service and maintenance easier and also to help keep costs down.

Policy
All employees shall order and utilize equipment that is serviceable and recommended by the CSC ITS Department. Since equipment availability changes over time, especially when referring to technology, a comprehensive list indicating appropriate hardware would be virtually impossible to create. Because of this, any individual or department wishing to purchase technology equipment should first consult a CSC ITS Department personnel member for current specifications for any given piece of equipment.

This applies to any and all technology equipment including, but not limited to:

- Computers (Servers, Desktop, Laptop, Tablets and Mobile Devices, etc.)
- HDTVs
- Printers, scanners, copiers, fax machines, or all-in-one devices
- Projectors, screens, and SmartBoards
- VoIP phones
- Digital cameras and camcorders
- Software (Application, Operating System, Network Based, etc.)
- Other technology equipment not specifically mentioned here

For more details on procedures required to place an order for technology equipment, please see the Equipment Ordering Procedures included in this document for detailed instructions.
Guest/Visitor Access and Technology Use Policy

Overview
CSC maintains an atmosphere that is open and allows guests and visitors access to resources, as long as such access does not compromise the integrity of the systems or information contained within the campus and does not introduce malicious software or intent to the internal network.

Policy
Guest and visitor access shall be classified into two types as described below:

- Standard - Access granted to internet resources and institutional resources located online.
- Special - Access granted above plus any internal access as requested by an individual with the authority to do so:
  o Vice President for Fiscal Services, Vice President for Academic Affairs, President, or other designee deemed necessary by the President

Internal Access may include:

- Wireless VLANs (i.e. cscwireless, cscguest)
- Wired VLANs (i.e. housing, guest)
- Singular or multiple file access
- System access such as Blackboard, ID Card System, etc.

Under no circumstances should visitors be given special access unless permission has been obtained from the appropriate administrative personnel (i.e. a signature from one of the personnel above) along with detailed description of access.

To obtain guest/visitor access users should contact the CSC ITS Department with their requested system access requirements using the attached Authorization of User Access form.

For vendor access, please see the appropriate vendor access policy included herein.
Illegal File Sharing

Overview
Legal compliance is a primary focus at CSC. Because of this, we have set forth this policy which addresses illegal file sharing legislation, legal alternatives to illegal file sharing, and penalties for violating state and federal copyright laws.

This policy applies to all CSC employees, students, vendors, or visitors utilizing CSC-owned computers, equipment, or the CSC network.

Policy
File sharing (peer-to-peer) software programs have led to significant increases in anti-piracy efforts and legislation. Peer-to-peer software allows the sharing of files often consisting of copyrighted content such as music, movies, and software which usually occurs without the consent of the owner.

It is the policy of CSC to respect copyright ownership and protections given to authors, owners, publishers, and creators of copyrighted work. It is against CSC policy for any employee, student, affiliate, or visitor to copy, reproduce, or distribute any copyrighted materials on CSC-owned equipment or the CSC-managed network unless expressly permitted by the owner of such work.

CSC also discourages the use of any file sharing program as these types of programs may allow copyrighted material to be downloaded to a CSC-owned computer or device. Many of these programs automatically place downloaded files in a shared folder on your computer, which means you could be sharing files without your knowledge. This also means that you may be held responsible for illegal file sharing, whether you are aware that copyrighted files are being shared or not.

CSC also employs the use of network appliances, equipment, and rules to limit the amount of file sharing traffic on the CSC network. Active blocking of peer-to-peer traffic is used to protect the CSC network from unwanted traffic and the presence of potentially malicious files introduced through file sharing programs.

CSC encourages employees, students, affiliates, and visitors to utilize legal alternatives to illegal file sharing. There are a variety of free and pay-per-use options available that can be used instead of illegal file sharing programs. Several of these free and pay-per-use options are listed below; however, this is in no way an all-inclusive list. CSC leaves it to the discretion of the employee, student, affiliate, or visitor to decide which alternative to utilize. They are provided herein for reference only and CSC does not endorse or provide any guarantee or support for any of the legal alternatives located below.
Educause Legal Sources of Online Content

Pay-per-use services (Per Song, Per Album, Per Movie, etc.) or Subscription-based services (Per Month)

- iTunes
- Hulu Plus
- Amazon: Books/Newspapers, Video, Music, Games
- Rhapsody
- CinemaNow
- Netflix
- Zune: Music, Video
- Walmart MP3 Downloads
- Napster
- Blockbuster On Demand
- MP3
- eMusic
- Amie Street
- Mindawn
- GameTap
- GameFly
- OnLive

Free services

- Shoutcast
- Live365
- Pandora
- Last.fm
- Blip.fm
- YouTube
- Hulu
- Joost
- Clicker
- [adult swim]
- Music Rebellion
- Clicker
- Slacker
- iLike
- ESPN360
- ABC
- CBS
- NBC
- FOX
Information Sensitivity Policy

Overview
Information sensitivity is a primary focus at CSC. Since we are an educational entity, we deal with many different types of information, some for public use, some not. To make these distinctions, this document will address both types of information.

This policy is intended to help employees determine what information can be disclosed to non-employees, as well as the relative sensitivity of information that should not be disclosed outside of CSC without proper authorization.

The information covered in these guidelines includes, but is not limited to, information that is either stored or shared via any means. This includes: electronic information, information on paper, and information shared orally or visually (such as via phone and video conferencing).

All employees should familiarize themselves with the information labeling and handling guidelines that follow this introduction. It should be noted that the sensitivity level definitions were created as guidelines and to emphasize common sense steps that you can take to protect confidential information (e.g. confidential information should not be left unattended in conference rooms.).

NOTE: The impact of these guidelines on daily activity should be minimal.

Questions about the proper classification of a specific piece of information should be addressed to your supervisor or the CSC ITS Department. Questions about these guidelines should be addressed to the CSC ITS Department.

Policy
By grouping information into two different categories, we can adequately address the needs of each type of information. The first type, public information, is information that has been declared public knowledge by someone with the authority to do so, and can freely be given to anyone without any possible damage to the institution. The second type, confidential information, contains all other information. It is a continuum, in that it is understood that some information is more sensitive than other information, and should be protected in a more secure manner. Included is information that should be protected very closely, such as specific personnel information, student data, billing information, etc. Also included in confidential information is information that is less critical, such as telephone directories, personnel information, etc., which does not require as stringent a degree of protection.

A subset of the latter is third-party confidential information. This is confidential information belonging or pertaining to another corporation which has been entrusted to CSC by that company under non-disclosure agreements and other contracts. Examples of this type of information include everything from joint development efforts to vendor lists, customer orders, and supplier information. Information in this category ranges from extremely sensitive to information about the fact that we've connected a supplier/vendor into CSC's network to support our operations.
CSC personnel are encouraged to use common sense judgment in securing confidential information to the proper extent. If an employee is uncertain of the sensitivity of a particular piece of information, he/she should contact their supervisor and/or the CSC ITS Department for more information and instructions on how this information should be handled.

The sensitivity guidelines below provide details on how to protect information at various sensitivity levels. Use these guidelines as a reference only, as CSC Confidential Information at each level may necessitate more or less stringent measures of protection depending upon the circumstances and the nature of the CSC Confidential Information in question.

- Minimal Sensitivity
  o Description: General information, some personnel, and technical information.
  o Access: CSC employees, associates, or third parties with a business need to know.
  o Distribution internal to CSC: Approved electronic mail and approved electronic file transmission methods.
  o Distribution external to CSC: Approved electronic mail and approved electronic file transmission methods.
  o Storage: When viewing data, do not allow viewing by unauthorized individuals. Do not leave data open and/or unattended in any format. Protect data from loss, theft, or misplacement. Electronic information should have individual access controls where possible and appropriate.
  o Disposal/Destruction: Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.
- More Sensitive
  o Description: Business, financial, technical, and most personnel information.
  o Access: CSC employees, associates, or third parties with signed non-disclosure agreements with a business need to know.
  o Distribution internal to CSC: Approved electronic file transmission methods.
  o Distribution external to CSC: Approved electronic file transmission methods via a private link to approved recipients external to CSC locations.
  o Storage: Individual access controls are highly recommended for more sensitive electronic information.
  o Disposal/Destruction: Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.
- Most Sensitive
  o Description: Operational, personnel, financial, source code, & technical information integral to the security of the institution.
  o Access: Only those individuals (CSC employees and associates) designated with approved access and signed non-disclosure agreements.
  o Distribution internal to CSC: Approved electronic file transmission methods.
  o Distribution external to CSC: Approved electronic file transmission methods to recipients within CSC. Strong encryption is highly recommended.
  o Storage: Individual access controls are very highly recommended for electronic information. Physical security is generally used, and information should be stored on a physically secured computer.
  o Disposal/Destruction: A necessity. Electronic data should be permanently expunged or cleared. Reliably erase or physically destroy media. Data retention policy and federal and state retention guidelines should be observed for original copies.
Password Policy

Overview
Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of CSC's entire network. As such, all CSC employees (including contractors and vendors with access to CSC systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

The policy is applicable to all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that belongs to CSC, resides at any CSC location, has access to the CSC network, or stores any CSC information.

Policy
All passwords will meet the following criteria:

- All system-level passwords (e.g., root, admin, application administration accounts) must be changed at least every 180 days.
- All user-level passwords (e.g., email, web, desktop computer, etc.) must be changed at least every 120 days.
- User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
- Passwords must NOT be inserted into email messages or other forms of electronic communication.
- Where SNMP is used, the community strings must be defined as something other than the standard defaults of "public," "private" and "system" and must be different from the passwords used to log in interactively. A keyed hash must be used where available (e.g., SNMPv2).
- All user-level and system-level passwords must conform to the guidelines described below.

Passwords are used for various purposes at CSC. Some of the more common uses include: user-level accounts, web accounts, email accounts, screen saver protection, voicemail password, and local router logins. Very few systems have proper support for one-time tokens (i.e., dynamic passwords that are only used once); therefore, every CSC employee should know how to select strong passwords.
Poor, weak passwords have the following characteristics:

- The password contains less than eight characters
- The password or a subset of the password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
  o Names of family, pets, friends, coworkers, fantasy characters, etc.
  o Computer terms and names, commands, sites, companies, hardware, software
  o The words "CSC", "connors", "state", "college" or any derivation
  o Birthdays and other personal information such as addresses and phone numbers
  o Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
  o Any of the above spelled backwards
  o Any of the above preceded or followed by a digit (e.g., secret1, 1secret)

Strong passwords have the following characteristics:

- Contain between 8 and 32 characters
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Contain at least one number (e.g., 0-9)
- Contain special characters (e.g., ~, !, @, #, $, ^, (, ), _, +, =, -, ?, or ,)
- Does not contain a dictionary word in any language, slang, dialect, jargon, etc.
- Does not contain personal information, names of family, etc.
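The weak and strong characteristics listed above translate directly into a checker that can be run when a password is set. This is an added Python example, not part of the CSC manual: `SAMPLE_DICTIONARY` is a constructed stand-in for a real word list, and the `MIN_WORD` and `RUN` thresholds are assumptions the policy does not state.

```python
import string

# Words the policy names explicitly: "CSC", "connors", "state", "college".
INSTITUTION_WORDS = ("csc", "connors", "state", "college")
# Constructed stand-in for a real dictionary; pass a full word list via `dictionary=`.
SAMPLE_DICTIONARY = ("secret", "password", "welcome", "dragon", "football")
# Character runs used to spot patterns such as qwerty, zyxwvuts or 123321.
SEQUENCES = ("abcdefghijklmnopqrstuvwxyz", "0123456789",
             "qwertyuiop", "asdfghjkl", "zxcvbnm")
MIN_WORD = 4   # assumption: ignore dictionary words shorter than this
RUN = 3        # assumption: three characters in a row count as a pattern


def _contains_word(candidate: str, words, min_len: int = MIN_WORD) -> bool:
    """True if any word is a subset of the password, forwards or spelled backwards.

    A substring match also covers a word preceded or followed by a digit
    (secret1, 1secret)."""
    backwards = candidate[::-1]
    return any(w.lower() in candidate or w.lower() in backwards
               for w in words if len(w) >= min_len)


def _has_pattern(candidate: str) -> bool:
    """Repeated characters (aaa) or keyboard/alphabet/number runs in either direction."""
    for i in range(len(candidate) - RUN + 1):
        chunk = candidate[i:i + RUN]
        if len(set(chunk)) == 1:
            return True
        if any(chunk in seq or chunk in seq[::-1] for seq in SEQUENCES):
            return True
    return False


def check_password(password: str, dictionary=SAMPLE_DICTIONARY, personal=()) -> list:
    """Return the policy rules the password breaks (empty list = meets the criteria).

    `personal` holds names, birthdays, phone numbers and similar items for the
    account owner."""
    lowered = password.lower()
    problems = []
    if not 8 <= len(password) <= 32:
        problems.append("length")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        problems.append("case")
    if not any(c.isdigit() for c in password):
        problems.append("digit")
    if not any(c in string.punctuation for c in password):
        problems.append("special")
    if _contains_word(lowered, dictionary):
        problems.append("dictionary")
    if _contains_word(lowered, INSTITUTION_WORDS, min_len=1):
        problems.append("institution")
    if _contains_word(lowered, personal, min_len=3):
        problems.append("personal")
    if _has_pattern(lowered):
        problems.append("pattern")
    return problems


if __name__ == "__main__":
    # Constructed sample inputs; none of these should ever be used as a password.
    for sample in ("secret1", "Connors2024!", "Terces#9Zx", "Qwerty!2345x", "gT7#pLw9Vz"):
        print(f"{sample!r:16} -> {check_password(sample) or 'meets the criteria'}")
```

The checker only enforces composition; it does not replace the periodic cracking and guessing scans the policy reserves to the CSC ITS Department.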
Passwords should never be written down or stored online. Try to create passwords that can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.

NOTE: Please do not use either of these examples as passwords!

Do not use the same password for CSC accounts as for other non-CSC access (e.g., personal ISP account, option trading, benefits, etc.). Do not share CSC passwords with anyone, including administrative assistants or secretaries. All passwords are to be treated as sensitive, confidential CSC information.

Here is a list of "don'ts":

- Don't reveal a password over the phone to ANYONE.
- Don't reveal a password in an email message.
- Don't reveal a password to a supervisor.
- Don't talk about a password in front of others.
- Don't hint at the format of a password (e.g., "my family name").
- Don't reveal a password on questionnaires or security forms.
- Don't share a password with family members.
- Don't reveal a password to coworkers.
- Don't reveal a password to vendors.
- In short, don't reveal a password to ANYONE.
- Do not use the "Remember Password" feature of applications (e.g., Eudora, OutLook, Netscape Messenger, Internet Explorer, Firefox, Thunderbird).
- Do not write passwords down and store them anywhere in your office.
- Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without proper encryption.
- Change passwords at least once every three months.
Other items to remember:

- If someone demands a password, refer them to this document or have them call the CSC ITS Department to determine the validity of their request.
- If an account or password is suspected to have been compromised, report the incident to the CSC ITS Department immediately and change all passwords as soon as possible.
- Password cracking or guessing may be performed on a periodic or random basis by the CSC ITS Department or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it.
- Never give your password out to anyone. This may or may not include your supervisor, a friend or relative, a student or part-time worker, or even a coworker.
Physical Security Policy

Overview
This policy will establish physical security guidelines that apply to all computing and networking equipment locations. It is important to note that incremental degrees of security will be needed for each area depending on the actual equipment configuration and critical need to the institution.

Policy
All areas will be classified into two categories:

- Office
- Restricted

Office areas are simply that, office locations for CSC ITS Department employees. These areas contain computing equipment and other data that should be protected at all times.

Restricted areas are those areas that belong to the CSC ITS Department and contain equipment owned and/or operated by the CSC ITS Department or a third-party vendor (i.e. OneNet) such as:

- Switch closets
- Server rooms
- Telecommunications rooms
- ITS Department storage areas

At the time of this policy, our current physical security offerings are somewhat limited so more advanced options cannot currently be used. As upgrades occur, recommended options will be changed to required options to increase and enhance security.

At minimum, all office and restricted locations require the following security mechanisms:

- Solid wood or steel door
- Either keyed handle or deadbolt lock

All CSC ITS Department restricted and office locations should contain the following recommended security mechanisms:

- Reinforced steel doors and frames
- Keyed deadbolt locks
- ID card access
- Steel bars over windows
Personally Identifiable Information Policy

Overview
This policy will establish CSC's definition of Personally Identifiable Information (PII) and indicate what information may be shared, if any, with third party entities.

Policy
It is important to note that information should never be shared without cause or requirement, unless dictated by state or federal government regulations such as annual reporting guidelines and statistical reporting data, in the course of preset institutional operations or vendor agreements, or due to the request of CSC's President or designee.
PII is the type of information that should be kept safe using the highest level of security. PII is described as information about an individual that identifies, links, relates, or is unique to, or describes him or her. This information may include:
- Name
- SSN
- Address(es)
- Phone Number(s)
- SSN
- Birthdate
- Birthplace
- Mother's maiden name
- Family names
- Other family data such as addresses, contact information, etc.
- Financial information such as bank account information, account balances, etc.
- Other information that, alone or in combination, is linked or linkable to a specific student that would allow a reasonable person in the school community, who does not have a personal knowledge of the relevant circumstances, to identify the student with a reasonable certainty
- Information requested by a person who the educational agency or institution believes knows the identity of the student to whom the educational record directly relates
Under no circumstances should PII be transported off campus. On campus storage of PII should meet other policy requirements as dictated herein. Off campus use of this type of data may be facilitated via the CSC ITS Department's Remote Access Policy.
Personal Technology Service Policy

Overview
This policy will set forth the rules and regulations which will determine how the CSC ITS Department personnel are to perform work on personally owned employee or student technology products.
The CSC ITS Department does not service technology equipment for individuals who are not CSC employees or students.

Policy
The CSC IT Systems Department always strives to ensure that CSC employees, students, affiliates, and visitors receive the best possible technology assistance available for us to provide. However, this can leave something to be desired for non-CSC, personally owned technology equipment owned by employees, students, affiliates, and visitors.
This policy will set forth the rules, regulations, and guidelines for which the CSC IT Systems Department personnel may provide services for personally owned technology equipment and/or projects outside of normal work hours.
NOTE: All technology requests for configuration or connectivity to the CSC network from personal technology devices will be handled at no cost. This policy applies only to technology issues related to the personal needs of the user.
All requests for personal technology assistance will begin with a preliminary diagnosis and troubleshooting process which is provided for FREE. If additional work is authorized by the user then the accompanying Personal Technology Service Policy Consent Form must be read and signed before any work may begin.
The CSC ITS Department offers no implied warranty or guarantee on any work performed on personal technology equipment. All work is performed as is as a service to our students and as a cost-saving alternative for their benefit. However, it is beneficial to note that all work is performed on the same level as comparable service on CSC owned equipment.
All personal technology work will be performed within the following restrictions:
- Personal technology work may be performed during regular business hours, only if such work does not directly interfere or delay the normal operations or job duties of the CSC ITS Department employee.
- No onsite work. All equipment must be brought to the CSC IT Systems Department for a preliminary diagnosis and troubleshooting.
- No parts purchases. All parts to be installed must be purchased by the user.
- No illegal software. Only legally licensed software may be installed.
- No work without proper authorization signature on consent form.
All issues should be expected to take approximately 24-48 hours to complete; however, they may take longer depending upon the severity of the problem at hand. Please expect to leave any equipment for a minimum of 48 hours for proper problem resolution.
Connors State College cannot be held responsible for any work done after hours by CSC ITS Department personnel on any personal technology equipment. All work provided is not warranted or guaranteed. By signing the Personal Technology Service Policy Consent Form, you agree to these terms and conditions and waive any damages which may occur due to any work on your personal technology equipment. All work is done and once completed is left as is and no standing warranty or guarantee is implied.
Remote Access Policy

Overview
This policy establishes the official rules set forth to allow users to remotely access and manipulate personally identifiable information, network applications, and other data from off campus.

Policy
Any user who seeks to work off campus for the purpose of working from home or at another location can facilitate this through the use of the CSC or OSU VPN connection. All users needing access to SCT or other applications requiring network connectivity to the campus can facilitate this by connecting from home via a VPN connection.
This type of connection establishes a secure, encrypted connection to the campus network to allow the user to manipulate and access the data at a distance. At no time should any PII be transferred off campus on any type of device. If a given user wishes to work while off campus, he/she should use the enclosed Remote Access Procedure to obtain a secure connection to the network and work from a distance.
This type of connection allows the user to remotely manipulate and access the data without actually transferring any data off site, thus ensuring all PII and other data is kept safe and secure from unauthorized access.
Student Rights and Responsibilities Policy

Overview
It is the understanding of all students, upon being admitted to CSC, that the technology resources and equipment provided are for the benefit of all students. This policy explains what rights students have with respect to this technology and also what responsibilities are expected of each student.

Policy
Every student that attends CSC shall be given an equal opportunity to learn and equal access to technology to help facilitate learning. All students, regardless of major, classification, student type, housing location, or other identifying factor shall receive the same technology access as any other student.
Students should expect to receive access to wireless connections in classrooms, learning areas, common areas, dorms, etc. Students should also expect up-to-date computers in labs and teaching areas, multimedia equipment in most classrooms, state-of-the-art instructional television classrooms, and easily accessible online systems such as Blackboard, CSC email, CKey, etc. Students should also expect to receive reliable, free internet service while on campus at speeds unobtainable through any normal ISP.
With all of these rights and amenities, the CSC ITS Department does make some responsibilities and assumptions of our students. These responsibilities are as follows:
- Students are expected to activate a CKey account thereby creating an email account.
- Students are expected to maintain their respective CKey account through their career at CSC.
- Students are expected to utilize their CSC email address as it is the official method of communication with CSC.
- Students are required to safeguard login credentials and not share user accounts.
- Students are expected to respect others' privacy and equipment.
- Students are expected to use only permissible equipment on campus:
  o Computers such as laptops, desktops, mobile devices, etc.
- Students are to observe prohibited devices in dorm areas:
  o Personal routers, wireless access points, bridges, or other network equipment.
- Students are expected to observe all local, state, and federal laws concerning technology.
- Students are required to comply with all policies included in this document.
Vendor Access Policy

Overview
This policy will set forth parameters for vendors to abide by when access to our internal or external network, workstations, or servers is required. All vendors, regardless of status, frequency of visitation, work being performed, or size of entity shall abide by this policy at all times unless such work does not require access to the CSC network or computing resources.

Policy
All vendors shall notify their contact on campus of any work that will require access to any of the following CSC resources:
- Internal network
- External network
- On campus workstation(s)
- On campus server(s)
- Network infrastructure
- Any other computing device on campus
Upon notification of the need for access, the CSC ITS Department shall create login credentials and access requirements necessary to facilitate the access required for the vendor to complete their job function. Access shall always be restrictive, meaning unwarranted or unneeded access will not be available until deemed necessary by the requirements of the project. All requests for access shall be evaluated on a case-by-case basis to ensure that proper access is granted and no unwarranted or unneeded access is given without cause.
At all times, the vendor shall
- Fulfill their primary job responsibility only;
- Not seek to undermine or circumvent the access which has been provided;
- Not tamper with or adjust security settings on existing network infrastructure or devices;
- Ensure that access credentials are not shared with anyone other than those individuals approved for access;
- Work to ensure that CSC's information is kept safe and secure from loss or theft;
- Never disclose any information he or she may come to know from working with or on any CSC technology resource with a separate third party entity;
- Notify the CSC ITS Department IMMEDIATELY upon any indication that loss or theft has occurred, access has been lost or tampered with, or there is a concern that any other type of access violation has occurred;
- Never seek to use any of CSC's information for personal or other monetary gain;
- Not use any access or technology resource in a manner that has been prohibited for employees, students, or visitors in any of the other, enclosed policies herein.
Wireless Communication Policy

Overview
Wireless implementations are a benefit to CSC as well as its faculty, staff, and students. Maintaining this equipment can be a tedious process but is a necessity.
At present, this policy allows access to the CSC wireless network via any data communication device containing the hardware required to connect. Connecting to the CSC wireless network does not grant a user access to the internal networking infrastructure or any internal information of CSC, only external access to the internet. Utilizing CSC's wireless network for access to the internal network and/or information requires additional software that must be obtained through the CSC ITS Department.
This policy covers all wireless data communication devices (e.g., personal computers, cellular phones, PDAs, etc.) connected to any of CSC's wireless networking access points. This includes any form of wireless data communication device capable of transmitting packet data.

Policy
All wireless data communication devices connected with CSC's wireless network will be required to have current virus scanning software installed with the most recent updates and perform a full system scan a minimum of once per week.
All wireless data communication devices connected with CSC's wireless network that require access to CSC's internal network and/or information will be required to utilize specific software and/or access credentials obtained through the CSC ITS Department to do so.
At no time shall any device connected to the CSC wireless network operate outside the parameters defined in the Acceptable Use Policy provided herein. All wirelessly connected devices may be monitored and their information such as IP address, MAC address, general hardware profile, etc. be archived for future use. Random scans may also be performed to ensure the security of the wireless networks and connected devices and to obtain a general device survey to further enhance the accessibility and usability of CSC's wireless networks.
Procedures

Emergency Operating Procedure
In the event of an emergency, normal operating procedures should be restored as quickly as possible. Due to the small size of our department, it is beneficial that all employees learn laterally to allow for greater ability to maintain operations should any individual employee be unavailable. The steps below will indicate how operations should continue in the event of an emergency directly affecting the CSC ITS Department.
1. Assess situation and determine if any personnel impact to the CSC ITS Department exists. If so, go to step 2. If not, go to step 3.
2. Given any personnel impact below, the following options are available to ensure ITS operations can continue in an emergency. If the ITS Department suffers the loss of any of the following employees, the available options are:
   a. Director of IT Systems
      i. Responsibilities will defer to the President or designee until a suitable appointment can be made.
   b. Network Administrator
      i. Responsibilities will defer to the Director.
      ii. Interim assistance can be performed by Chickasaw Telecom or another suitable vendor to facilitate network management.
      iii. Network management is more specialized than workstation management so vendor assistance will most likely be a necessity.
   c. Desktop Administrator
      i. Responsibilities will be shared between remaining personnel.
      ii. Emergency/Interim hiring may be required.
   d. Helpdesk Administrator
      i. Responsibilities will be shared between remaining personnel.
      ii. Emergency/Interim hiring may be required.
   e. Student Helpdesk Technicians (5)
      i. Responsibilities will defer to the Helpdesk Administrator.
      ii. Emergency/Interim hiring may be required.
   f. Distance Education Administrator
      i. Responsibilities will defer to the Director.
      ii. Emergency/Interim hiring may be required.
   g. Programmer
      i. Responsibilities will defer to the Director.
      ii. Interim assistance can be performed by OSU or another A&M institution willing to assist.
      iii. Emergency/Interim hiring may be required.
   h. Departmental catastrophe (3+ users unavailable to perform duties)
      i. Responsibilities will defer to the President or designee until emergency hiring can be finalized.
      ii. If necessary, assistance may be obtained from other institutions and/or vendors:
         1. SCT Operations: OSU A&M System Institutions
         2. Networking: Chickasaw Telecom, VIP Technology Solutions
   i. NOTE: Emergency approval for costs associated with assistance will need to be obtained under any scenario.
3. Determine if any equipment loss has occurred. If so, proceed to step 4. If not, proceed to step 5.
4. Determine what resources are affected and bring them back up as soon as possible:
   a. Network and connectivity equipment
   b. Mission critical services (SCT, group drives, ID card system, etc.)
   c. Non-mission critical services (security cameras, wireless infrastructure, dorm connectivity, etc.)
5. Once all connectivity and resources have been restored, normal operations can now resume.
NOTE: Please see the CSC ITS Department's detailed Disaster Recovery Plan for detailed information regarding disaster scenarios and specific planning information.
Equipment Ordering Procedure
This document is to serve as a set of guidelines for all CSC Faculty and Staff who choose to order computing equipment.
1. Contact the CSC ITS Department to obtain a quote and/or information regarding the equipment you wish to purchase.
2. For Dell computers and some other specific technology equipment, the ITS Department will create a shopping cart for you and submit the order for processing. If this is the case, skip to Step 5, otherwise go to Step 3.
3. Obtain the quote(s) for your order from the ITS Department and create a new cart on the OK Corral website: http://okcorral.okstate.edu
4. Submit your order.
5. Your order will be routed through the appropriate approving channels, including the ITS Department, since it is a technology equipment purchase.
6. Once your order has been approved, you may check the progress via OK Corral.
7. When your equipment arrives, the Bookstore may notify you to pick up the equipment. Otherwise, the ITS Department will retrieve your equipment and configure it, if necessary, prior to delivering it to you.
NOTE: All technology orders must be received by the ITS Department before they can be released to the purchaser. This is to ensure that the proper software is installed and all equipment is properly tagged and placed in inventory.
Guest/Visitor Access Procedure
This procedure will indicate how guests and visitors to campus should obtain access to CSC's technology resources.
1. Obtain contact information from user needing access:
   a. Name
   b. Phone
   c. Email
2. Fill out the enclosed Authorization of User Access Form.
3. Submit the form to the CSC ITS Department.
4. Access will be created as soon as possible. Confirmation will be sent to requesting employee once access has been created.
Incident Management Procedure
This procedure addresses how incidents should be handled when related to technology. This includes thefts, data corruption, etc.
1. Determine scope of incident.
2. Fill out attached Incident Management Form.
3. Ensure supervisor of employee that reported or caused incident has been notified.
4. Submit form to Director of IT Systems.
5. Administration will be notified of incident.
6. Resolution will be drafted given incident scope and individuals involved.
Remote/VPN Access Procedure
For users that require access to sensitive information at home or on the road, please use these remote access procedures:
1. Open your browser and visit CSC's or OSU's VPN location.
   a. CSC: http://vpn.connorsstate.edu
   b. OSU: http://osuvpn.okstate.edu
2. Log in with your CKey account credentials.
3. Allow the client to download and install.
4. Follow the onscreen prompts as software is requested to be installed.
5. If the installer gets stuck, simply refresh screen by selecting browser's refresh button or hitting the F5 key on the keyboard.
6. Once complete, the client will show up in your taskbar on the bottom right indicating you are connected.
7. You may now access SCT, group drives, or your office computer as noted below:
   a. SCT: Use client on PC or follow download instructions located at: http://connorsstate.edu/SCT
   b. Group Drives: Open My Computer, if group drives do not show up by default, simply type the following in the address bar at the top to navigate to the group drive server and see your available group drives: \\10.110.2.5\CSC_Group
   c. Office Computer: Open a remote desktop connection on your computer and type in your office computer name. Log in with your CKey credentials to gain access.
      i. You must know the name of your office computer to use this method.
      ii. To obtain your office computer name, simply hold the Windows key on the keyboard and press the Pause/Break key while you are at your office computer.
      iii. The resulting dialog box will show you your computer name.
Vendor Access Procedure
If any vendor requires access to technology resources, please follow these steps:
1. Submit Authorization of User Access Form to CSC ITS Department.
2. ITS Department will evaluate request and grant access based upon need and policies.
3. Vendor access will be created to comply with existing policies.
4. Requesting employee will receive email once appropriate access has been created.
Terms and Definitions

Appropriate Measures
Refers to the measures that the CSC ITS Department is authorized to take to secure CSC's computing resources. This may refer to measures concerning CSC owned hardware or software, data, employees, students, associates, visitors, etc. The CSC ITS Department must maintain an appropriate measures option so that CSC is protected, concerning both equipment and information.

Approved Electronic File Transmission Methods
Includes supported FTP clients including, but not limited to, FileZilla, SecureFTP, and SmartFTP. This also includes supported Web browsers including, but not limited to, Microsoft Internet Explorer, Mozilla Firefox, Netscape Navigator, and Opera. If you have a business need to use other mailers contact the CSC ITS Department prior to implementation.

Approved Electronic Mail
Includes all mail systems supported by the CSC ITS Department. This includes, but is not limited to, CSC Webmail, Outlook configured email, and configured email on mobile devices. If you have a business need to use other mailers contact the CSC ITS Department prior to implementation.

Approved Encrypted Email and Files
Techniques include the use of AES and others. Please contact the CSC ITS Department for further information.

Asymmetric Cryptosystem
A method of encryption in which two different keys are used: one for encrypting and one for decrypting the data (e.g., public key encryption).

Chain email or letter
An email sent to successive people. Typically the body of the note has direction to send out multiple copies of the note and promises good luck and/or money if the directions are followed.

Information System Resources
Information System Resources include, but are not limited to, all computers, peripherals, data, and programs residing on the CSC Campuses, networks, servers, etc. These resources also include all paper information and any information for internal use only and above.

Information Technology Systems
The technology department responsible for managing CSC's computing resources.

Configuration of CSC to Third Party Connections
Connections shall be set up to allow third parties requiring access to the CSC campuses, networks, data, etc. These connections will be set up in order to allow minimum access so that third party entities will only see what they need to see, nothing more. This involves setting up access, applications, and network configurations to allow access to only what is necessary.

Domain Name System
Essentially serves as the Internet phonebook by associating various domain names (i.e. http://www.connorsstate.edu, http://it.c