ABRAHAM BALDWIN AGRICULTURAL COLLEGE

OITS Policies and Procedures

CONTENTS

PHILOSOPHY

TYPES OF COMPUTER SECURITY RISKS

RESPONSIBILITY AND ETHICS IN COMPUTER ACTIVITIES

APPLICABILITY

RESPONSIBILITY

OWNER, CUSTODIAN AND USER RESPONSIBILITIES

SECURITY ASSESSMENT

CONTROL OF COMPUTERS AND INFORMATION RESOURCES

PHYSICAL SECURITY AND ACCESS TO DATA PROCESSING FACILITIES

LOGICAL AND PHYSICAL ACCESS CONTROL

DATA AND SYSTEM INTEGRITY

NETWORK SECURITY

BACKUP AND RECOVERY

PERSONNEL SECURITY AND SECURITY AWARENESS

SYSTEMS ACQUISITION

AUDITS

INCIDENT REPORTING

COMPLIANCE AND CERTIFICATION

PHILOSOPHY

The intent of this document is to recognise and implement the stated goals and philosophy of the Board of Regents with regard to information resources security standards.  The purpose of this institutional security policy is to ensure that the security of the information and communication processing resources of the institution is sufficient to reduce the risk of loss, modification or disclosure of those assets to a level that is acceptable to institutional management.  This document shall include written policies and procedures for the protection of information resources; shall be an instrument implementing the Board of Regents security policies and standards; and shall be applicable to all elements of the institution.

 

Institutional security programs shall include the following objectives:

(1)        To identify sensitive data and take steps to protect such data from disclosure or unauthorized modification.

(2)        To identify which information resources are essential to the continued operation of critical state or institution functions and take steps to ensure their controlled availability.

(3)        To apply security safeguards which can be cost justified, considering the exposure.

(4)        To ensure the accuracy and integrity of data and automated processes.

(5)        To educate employees, faculty, students and contractor personnel concerning their responsibilities for maintaining the security of information resources.

 

 

In keeping with these objectives, it is the philosophy of Abraham Baldwin Agricultural College that:

 

(1)        All computer and computer-related resources are valuable state assets and require some degree of protection.  The degree of protection needed is based on the nature of the resource and its intended use.

(2)        Information which, by law, is sensitive or confidential must be protected from unauthorized access or modification.  Data which is essential to critical functions must be protected from loss, contamination or destruction.

(3)        Custodial responsibilities for information resources must be clearly defined.

(4)        The lack of appropriate security in one area of the computer environment must not compromise and/or place under increased risk other data and/or resource areas.

(5)        Systems security activities must be subject to audit.

(6)        Risks to information resources must be managed.  The expense of security safeguards must be appropriate to the value of the assets being protected, considering both the value to the state and a potential intruder.

(7)        The integrity of data, its source, its destination, and processes applied to it must be assured.  Data must change only in authorized, predictable and acceptable ways.

(8)        In the event a disaster or catastrophe disables information processing and related telecommunications functions, the ability to continue critical services must be assured.  Information resources must be available when needed.  Systems must be maintained so that they are reasonably recoverable from the worst possible security violations.

(9)        Unauthorized access to a computer is equivalent to physical breaking and entering and must be treated with the same degree of seriousness.

(10)      Security must reflect a hierarchical design that provides access/protection matched to risk or need for confidentiality.

(11)      Security needs must be considered and addressed in all phases of development or acquisition of new information processing systems.

 

 

 

(12)      User education is a vital part of security.  Information regarding the applicable laws, regulations and policies must be distributed and be readily available to computer users.  The college must have a formal plan for distributing the security information.  Each individual must be accountable for his/her actions relating to information resources.

(13)      Disciplinary actions for violations of computer security must be consistent with those established elsewhere in the University System.  Procedures must be in place to provide for this discipline in accordance with Regents Policy.

(14)      There must be clear, documented and widely distributed procedures for reporting and handling security violations.

(15)      The college’s information security program must be responsive and adaptable to changing vulnerabilities and technologies affecting institutional information resources.

(16)      The college must support and uphold the legitimate proprietary interests of intellectual property holders.

 

TYPES OF COMPUTER SECURITY RISKS

 

Some common types of computer security risks are:

(1)        ACTS OF GOD- Such things as tornadoes, earthquakes, fire, lightning, floods, etc., can carry a high price.  A well-designed and tested contingency recovery program can reduce the recovery time and effort, as well as reduce the final cost.

(2)        SABOTAGE BY EMPLOYEES- Damage done by an employee with access to the system can be extensive, since there may be few warning bells once a person has gotten into an actual program.

(3)        DELIBERATE SABOTAGE BY OUTSIDERS- This could include vandalism, manipulation of data or programs, destruction of data, programs or hardware.

(4)        LOSS OF CONFIDENTIALITY- The loss of confidentiality due to an unauthorized person’s access to sensitive information.  This could take the form of a person looking at confidential personnel records or classified government information.

(5)        VIRUSES- The damage done by viruses could include destruction of software or hardware, destruction or alteration of data, or simply the tying up of resources for a period of time resulting in costs to the institution.

(6)        THEFT OF HARDWARE- Theft of hardware includes the theft of any computer or computer-related equipment, including connecting lines.  Access security is important to prevent this type of security risk.

(7)        UNAUTHORIZED USE OF HARDWARE OR SOFTWARE RESOURCES- Any unauthorized use of hardware or software, whether it be for personal or business reasons.

(8)        CARELESSNESS- Running the wrong program, hitting the wrong key, putting in incorrect information, running a program out of order, and other acts of carelessness can have a very small to catastrophic impact on data and software programs.

(9)        COMPUTER CRIME- This might include embezzlement, disclosing secret information, selling of data, fraud, willful destruction of data, unauthorized use of state resources, etc.

(10)      DAMAGE FROM ENVIRONMENTAL CONDITIONS- Damage can occur from failure to control temperature or humidity, particulate and chemical contaminants, magnetic field radiation, smoking, etc., in the computing area.

 

 

 

RESPONSIBILITY AND ETHICS IN COMPUTER ACTIVITIES

            At the most general level, the principles of responsible and ethical behaviour in regard to computing are no different from those related to other aspects of work.  However, with computing being relatively new in many areas of endeavour, and with the changes in procedures, practices, risks, etc., often brought on by the introduction of computing, some statements specialized to computing activities may enhance the development of perspective and understanding in this area.  Users should be aware of computing practices that are considered unethical.  Examples of irresponsible, unethical or illegal activities include:

 

(1)        Misappropriation of computer time and computer programs.

(2)        Compromising integrity by falsifying records, documents, etc.

(3)        Unauthorized modification of programs and files.

(4)        Accessing, changing or copying information belonging to others without authorization.

(5)        Unauthorized use of facilities, accounts, software and data.

(6)        Divulging confidential and sensitive information.

(7)        Unauthorized use of state resources for personal use, e.g., private consulting, personal business.

(8)        Sending unsolicited obscene or vulgar personal messages or data to other users.

(9)        Violating licensing agreements.

(10)      Maliciously or irresponsibly interfering with normal operations of day-to-day computing.

(11)      Failing to maintain courteous and professional relations with other users.

(12)      Concealing violations of conduct or security rules.

(13)      Subverting the restrictions associated with computer accounts.

 

APPLICABILITY

            Information security policies and standards apply to all automated information systems which access, process or have custody of data.  They apply to mainframe, minicomputer, microcomputer, distributed processing and networking environments.  They apply equally to all levels of management and to the personnel they supervise.

 

RESPONSIBILITY

             The information security program shall be administered by the Director of Technology in cooperation with the Coordinator of Administrative Computing, the Coordinator of Academic Computing and the Coordinator of Instructional Technology.   These individuals shall:

(1)        Keep the administration informed of legal and regulatory changes affecting information privacy and computer crime.

(2)        Develop institutional security policies and standards and an institutional security awareness and training program.

(3)        Serve as Abraham Baldwin Agricultural College’s internal and external point of contact on information security matters.

(4)        Ensure the college’s critical and sensitive information resources are identified, that all information resources are assigned ownership, and that the duties of owners are prescribed.

(5)        Ensure that authorized user lists are current and subject to audit.

(6)        Develop, implement and maintain the institution security assessment program.

(7)        Manage the development, implementation and testing of security controls and methods for their evaluation; direct efforts for including security safeguards in the development of acquisition stages of new automated information systems.

 

(8)        In conjunction with other staff, schedule and conduct periodic audits to assure that institution security policies and standards are being complied with.

(9)        With assistance of appropriate staff, develop and monitor procedures for detecting, reporting and investigating breaches of security.

(10)      Oversee procedures for institution password control.

(11)      Report to the administration periodically on institutional security posture and progress, including problem areas with recommended enhancements.

 

OWNER, CUSTODIAN AND USER RESPONSIBILITIES

            The major objective of computer and information security is to provide cost-effective controls to ensure that information is not subject to unauthorized modification, disclosure or destruction.  To achieve this objective, procedures which govern access to each collection of information must be in place.  The effectiveness of access rules depends to a large extent on the correct identification of the owners, custodians and users of the information.  All data and software shall be assigned to an owner.  Where data or software is aggregated for purposes of ownership, the aggregation shall be at a level which assures individual accountability.  The following distinctions among owner, custodian and user responsibilities shall guide determination of these roles.

 

(1)        Owner Responsibilities: The owner of information resources is the designated individual upon whom responsibility rests for carrying out the program that uses the resources.  The owner is responsible and authorized to:

            (a)        Approve access to, and formally assign custody of, the asset;

            (b)        Judge the asset’s value;

            (c)        Specify data control requirements and convey them to users and custodians;

            (d)        Ensure compliance with applicable controls.

(2)        Custodian Responsibilities: The custodian of information resources is the individual assigned the responsibility to:

            (a)        Implement the controls specified by the owner;

            (b)        Provide physical and procedural safeguards for the information in his/her possession or in the facility;

            (c)        Administer access to the information resources;

            (d)        Make provisions for the timely detection, reporting and analysis of unauthorized attempts to gain access to information resources;

            (e)        Assist owners in evaluating the cost-effectiveness of controls.

(3)        User Responsibilities: The users of information resources have the responsibility to:

            (a)        Use the resource only for the purposes specified by the owner;

            (b)        Comply with controls established by the owner;

            (c)        Prevent disclosure of sensitive information.

 

SECURITY ASSESSMENT

            Absolute security which assures protection against all threats is unachievable.  Therefore, a means of weighing losses against the costs of implementing the control is required.  Security assessment is a systematic process of evaluating vulnerabilities of a processing system and its data to the threats facing it in its environment.  Security assessment provides the basis for security management; i.e., for managers to assume risks and the potential losses or to select cost effective controls and safeguards to reduce risks to an acceptable level.  The Coordinators within the areas of Technology shall perform a comprehensive security assessment of all critical and sensitive information processing systems at least annually.  Security assessment results shall be presented to the owner of the information resource for security management.  Management shall implement security controls determined through security assessment to be cost effective.  Management may deviate from those controls and accept an identified risk only when it has been clearly demonstrated that available options for reducing exposure have been identified and evaluated, and that implementation of the control will have a significant and unacceptable impact.

 

CONTROL OF COMPUTER AND INFORMATION RESOURCES

Information resources are valuable assets.  The willful and knowing unauthorized use, alteration or destruction of these assets is a computer-related crime, punishable under O.C.G.A. Section 16-9-90 (Open Records Act).  All information and telecommunications resources owned by Abraham Baldwin Agricultural College shall be used only to conduct the institution’s business.  Access to data files and programs shall be limited to those individuals authorized to view, process or maintain particular systems.  The principles of least access, separation of functions and need to know should be applied in the determination of user authorizations.

More specifically:

 

(1)        A user shall be allowed to maintain data only in constrained ways which are designed to preserve or ensure the integrity of the data and the process.

(2)        Functions involving sensitive or financial information shall be under dual control.  For example, the clerk who enters payment instructions must not be permitted to verify his/her own work.

(3)        Evidence, such as signatures, must be required to show individual accountability for transaction origin, authorization and approval.  All transactions must be auditable.

 

 

Access To And Handling Of Sensitive Information

Sensitive information shall be accessible only to personnel who are authorized by the owner on the basis of strict ‘need to know’ in the performance of their duties.  Data containing any sensitive information shall be readily identifiable and treated as sensitive in its entirety.  An auditable, continuous chain of custody shall record the transfer of sensitive information.

 

Guidelines:

(1)        The principles of least access, separation of functions and need to know shall guide the determination of user authorizations.

(2)        Sensitive data, files and software shall be marked or flagged as ‘Confidential’, or other designation which clearly distinguishes it from non-sensitive material.

(3)        Sensitive hardcopy data shall have markings on each page.  Physical markings shall also be applied to the exterior of all input/output media such as diskettes, tapes and volumes which contain sensitive information.

(4)        Magnetic media and hardcopy data which has contained sensitive information must not be disposed of or removed from state security controls without assurance that sensitive information has been deleted and cannot be recovered.  Processes to delete information from magnetic media include degaussing, electronic over-writing and physical destruction.

 

Audit Trails

Audit trails shall be maintained to provide accountability for all accesses to sensitive and critical information and to sensitive software, for all modifications to records which control movement of funds, assets and other financial transactions, and for all changes to automated security or access rules.  The trail or path, which usually includes the transaction image itself and exists at some point because of such transactions, shall be recorded and retained until it is no longer needed.  In this context, the audit trail implies the existence of data and/or information at selected stages of the process cycle that can be used to define, verify, reconstruct and, very importantly, to establish easy accountability for the operations carried out.

 

Ownership Of Software

            Computer software developed by institution employees on behalf of the institution belongs to the institution.  Contracts for programming work by outside personnel must spell out the ownership of all rights to the software and associated documentation.

 

PHYSICAL SECURITY AND ACCESS TO DATA PROCESSING FACILITIES

            All institution information processing areas must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operating at these locations.

 

Central Computer Room

            The computer center, as well as other areas containing sizeable collections of information resources, such as minicomputers, microcomputers, and/or terminals, must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operating therein.

 

            Guidelines:

(1)        Access to the computer center shall be restricted to authorized personnel.  Presence of users and vendor service personnel must be closely monitored.  Casual visitors are to be discouraged.

(2)        Facilities shall be securely locked outside of normal working hours and whenever an area will be unattended for a significant period of time.

(3)        Access to tape storage areas and archived documents shall be restricted to designated individuals.

(4)        The computer center director shall be notified immediately when a person is no longer allowed access to the computer facility or when such an action is impending.

(5)        Controls similar to those in effect for the computer center shall be implemented for all areas containing sizable concentrations of computer resources.

 

Outside Central Computer Room

            While handled or processed by terminals, communications switches and network components outside the computer center, critical or sensitive information shall receive the level of protection necessary to ensure its integrity and confidentiality.  The required protection may be achieved by physical or logical controls, or a mix thereof.

 

Guidelines:

(1)        Insufficient physical controls for remote system components may be compensated for by strengthened logical controls for gaining access to the information handled by the remote components.  Extreme vulnerability may require logical isolation and special handling by the system administrator.

(2)        Terminals, while unattended, must be protected from unauthorized use.  Terminal devices must never be left logged-on while unattended.

(3)        Terminals should be installed where they are not readily accessible to personnel not authorized to use them and should be positioned in such a manner that minimizes unauthorized use of the screen.

 

Hardware Maintenance and Service

Experience has shown that the most well-meaning and otherwise knowledgeable users will create more problems than they solve when attempting to service their own computer equipment or to help another user with a hardware problem.  Several such instances in the past have tied up computer center personnel for hours and left the user with no computer access while corrections are made to what should have been a simple modification.  As networking and strategic planning continue to shape the campus computing community into a cohesive, cooperative entity, it becomes ever more vital that equipment is configured and maintained to a single standard by an office which can be responsible for the well-being of the user community and responsive to any unmet needs.  All service, maintenance and installation orders must be processed by written request through the computer center.  All such service will either be performed or monitored by computer center personnel, or the computer center will assist in obtaining outside service.  Individual users must not be allowed to modify any computer or network hardware or system-related batch files without the presence and explicit consent of the computer center.

 

Environmental Controls

            One of the major causes of computer down time is the failure to maintain proper controls over the temperature, humidity, air movement, cleanliness and power.  Environmental controls must also provide for safety of personnel.

 

Guidelines:

(1)        Temperature and humidity within the computer center shall be monitored and controlled to ensure that the operational environment conforms to the manufacturer’s specifications.

(2)        Air handler filters shall be changed or cleaned on a regular basis.

(3)        Personal computer equipment shall be protected as specified by the system manufacturer to the extent practical.

(4)        All equipment directly connected to the main computer system must be protected by surge protection devices.  All other computers and computer-related equipment will be so protected to the extent practical.

(5)        The main computer system, campus network hardware, and any critical components thereof must be maintained on an uninterruptible power supply with sufficient power to allow an orderly shutdown of affected systems.

 

Fire Prevention and Protection

National Fire Protection Association Standard 75 (NFPA75), “Standard for the Protection of Electronic Computer/Data Processing Equipment” (reference section 20(1)(j)), adopted by State Fire Marshal’s Rule 4A-3012, Georgia Administrative Code, sets forth minimum requirements for the protection of electronic computer/data processing equipment from damage by fire or its associated effects, i.e., smoke, corrosion, heat, water.  The standard covers the requirements for installations of electronic computer/data processing equipment where either:

 

(1)        Special building construction, rooms, areas or operating environment are required, or

(2)        Fire protection for the equipment is required.

(a)  Pursuant to State Fire Marshal’s Rule 4A-3012, Georgia Administrative Code, for purposes of the rules in Title 4A, all appendices to the NFPA Standards adopted in this rule which prescribe recommended operating procedures and sound practices are mandatory.  Although NFPA75 does not cover installations of electronic computer/data processing equipment that do not require special construction or protection, it will be useful as a management guide for the protection of other information resources.

 

 

Water Damage Prevention and Protection

            Controls to prevent or minimize water damage to information resources in the event of a water leak or rising water shall be established and enforced.

 

            Guidelines:

(1)        As noted in the section above, NFPA75 sets forth minimum requirements for the protection of electronic computer/data processing equipment from damage by fire or its associated effects, i.e., smoke, corrosion, heat, water.  Measures instituted for the protection against fire-associated effects of water will satisfy many protection needs against leaks or flooding unrelated to fire protection.

(2)        Water cutoff valves, where available, should be clearly marked and easily accessible.

(3)        The risk of falling water can be compensated for, in part, by having plastic sheeting material readily available.

 

LOGICAL AND DATA ACCESS CONTROLS

Information handled by processing systems and associated telecommunications networks must be adequately protected against unauthorized modification, disclosure or destruction.  Effective controls for logical access to information resources minimize inadvertent employee error and negligence, and reduce opportunities for computer crime.

 

Personal Identification, Authentication and Access

            Properly implemented and managed, access control systems will improve the likelihood that users are who they purport to be and that a user’s access can be controlled effectively.  Access control systems are an important deterrent to intrusion.  Except for public users of systems where such access is authorized, or situations where risk analysis demonstrates no need for individual accountability of users, which likely will rarely be the case, each user of a multiple-user automated system shall be assigned a unique user identification.  User identification shall be authorized before the system may grant the user access to automated information.  A user’s access authorization shall be removed from the system when the user’s employment is terminated or the user transfers to a position where access to the system is no longer required.

 

            Guidelines:

(1)        User’s access rights shall be established on the basis of validated identification.  The user identification code should be traceable to the user for the lifetime of the records and reports in which they appear.

(2)        Each user will be required to have a unique USER-ID, generated from an application form specifying any privileges or restrictions to accompany the userid.  ‘Generic’, general-use USER-IDs will not be permitted.

(3)        The user will be required to provide unique authentication, e.g., a password, with something that is known or possessed only by the user.

(4)        Each user shall agree in writing to only use the identification code for the purpose for which it was intended, to not disclose a password to any other person, and to change the password promptly if he suspects that it has been disclosed to anyone else.  A copy of the agreement will be retained by the system administrator.

 

(5)        Periodic change of passwords will be required by the system.  Password selection will be at the discretion of the user, within certain bounds, but must be changed significantly.

(6)        An automatic terminal time-out shall occur after a certain period of inactivity.  The user will be forced to authenticate his/her identity before resuming activity.

(7)        Users must be trained to log-off or secure terminals when not in use.

(8)        Inadequate physical controls for remote system components may be compensated for by strengthened logical access controls.  Extreme vulnerability may require logical isolation and special handling by the system administrator.

(9)        Consultants and contractors shall have their access rights carefully controlled.  Automatic expiration of access authorization is one effective technique.

(10)      The computer center director must be notified immediately when a person is no longer allowed logical access to the computer facility or when such an action is impending.  In situations where an employee’s system access is terminated under adverse conditions (such as forced termination of employment or forced reassignment), it is particularly important that the employee be denied any further opportunity for unsupervised access to the system once he/she is so notified.

 

Password Controls

            Personal passwords are used to authenticate a user’s identity and to establish accountability.

 

            Guidelines:

(1)        Passwords generally need to have the shortest practical lifetime, selected by the security officer, that provides the desired level of protection at a reasonable cost.  The maximum password life shall be 9 months, with individual lifetimes to be set by the computer center director.

(2)        System operators shall not have unlimited access to ‘super passwords’.  Such passwords must be carefully controlled by user management.  Monitoring the use of privileged passwords is critical.

(3)        Consideration should be given to use of one-time passwords when there is a high threat of password compromise or for very sensitive applications.

 

Access Software and Controls

            Controls shall ensure that legitimate users of the computer can not access stored software or system control data unless they have been authorized to do so.

 

            Guidelines:

(1)        If software is inadequate to control access to segregated parts of information within the computer, access to the entire computer system must be restricted to those with permission to access all the information.

(2)        Violations of access controls shall be reviewed by both the owner and the user’s manager.

(3)        If access control software is incapable of preventing or detecting programmed attacks on the information, all program compilers or assemblers and all general-purpose utilities capable of reading or updating files should be partitioned or removed from the system.

 

 

DATA AND SYSTEM INTEGRITY

            A major goal of data processing is to ensure the integrity of the process to prevent fraud and errors.  No user of a system, even if authorized, may be permitted to modify data items in such a way that assets or accounting records are lost or corrupted.

 

Data Integrity

            In terms of volume, the problem of errors and omissions is the greatest cause of incorrect information processing.  Controls shall be established to ensure the accuracy and completeness of data.  User management shall ensure that data comes from the appropriate source for the intended use.

 

            Guidelines:

(1)        Redundant data, parity checks, control totals, etc., should be used to guard against errors in entry and transmission.

(2)        Selected fields should be verified.  Programmed edit checks, feedback, confirmations and reconciliations should be employed as indicated.

(3)        Once it has been processed, each collection of source material shall be cancelled or specially marked to prevent duplications or omissions.

(4)        User management shall reconcile data submitted against data processed and returned.
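
The control totals and parity checks of guideline (1) and the reconciliation of guideline (4), as an added Python example that is not part of this policy document. The batch records, student identifiers and amounts are constructed sample data, and the longitudinal parity byte stands in for whatever transmission check the institution's equipment actually provides; the point it shows is that each class of error the guidelines name (dropped, duplicated, altered or corrupted records) disturbs a different combination of totals.

```python
"""Batch control totals, parity and reconciliation (added example, not part of the policy).

The submitting office attaches control totals to a batch; each record travels
with a parity byte; the processing side recomputes the totals from the records
it accepted; user management reconciles the two sets. All records below are
constructed sample data.
"""
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Record:
    student_id: int     # constructed identifier
    amount_cents: int   # integer cents so totals are exact


def parity_byte(data: bytes) -> int:
    """Longitudinal parity: XOR of every byte; appended so single-bit transmission errors show up."""
    p = 0
    for b in data:
        p ^= b
    return p


def encode(rec: Record) -> bytes:
    """Wire form of one record: comma-separated fields plus a trailing parity byte."""
    body = f"{rec.student_id},{rec.amount_cents}".encode()
    return body + bytes([parity_byte(body)])


def decode(frame: bytes) -> Record:
    """Reverse of encode(); rejects a frame whose parity no longer matches its body."""
    body, parity = frame[:-1], frame[-1]
    if parity_byte(body) != parity:
        raise ValueError("parity mismatch: record corrupted in transmission")
    sid, amt = body.decode().split(",")
    return Record(int(sid), int(amt))


def control_totals(records: List[Record]) -> Dict[str, int]:
    """The three totals carried in the batch header."""
    return {
        "record_count": len(records),
        "hash_total": sum(r.student_id for r in records),   # sum of identifiers: meaningless except as a check
        "amount_total": sum(r.amount_cents for r in records),
    }


def process_batch(frames: List[bytes]) -> Dict[str, int]:
    """Processing side: decode frames, set corrupted ones aside, retotal what was accepted."""
    accepted = []
    for f in frames:
        try:
            accepted.append(decode(f))
        except ValueError:
            pass   # rejected record is left out; the totals will expose the gap
    return control_totals(accepted)


def reconcile(submitted: Dict[str, int], processed: Dict[str, int]) -> List[str]:
    """Names of the totals that disagree; an empty list means the batch balances."""
    return [k for k in submitted if submitted[k] != processed.get(k)]


BATCH = [Record(1001, 12500), Record(1002, 3075), Record(1003, 9900)]   # constructed


def demo() -> Dict[str, List[str]]:
    """Reconcile a clean batch and four damaged copies of it."""
    header = control_totals(BATCH)
    frames = [encode(r) for r in BATCH]

    dropped = frames[:-1]                                    # last record lost
    duplicated = frames + [frames[0]]                        # first record keyed twice
    altered = [encode(Record(1001, 21500))] + frames[1:]     # transposed digits in one amount
    corrupted = list(frames)                                 # one bit flipped in transit
    corrupted[1] = bytes([corrupted[1][0] ^ 0x01]) + corrupted[1][1:]

    return {
        "clean": reconcile(header, process_batch(frames)),
        "dropped": reconcile(header, process_batch(dropped)),
        "duplicated": reconcile(header, process_batch(duplicated)),
        "altered": reconcile(header, process_batch(altered)),
        "corrupted": reconcile(header, process_batch(corrupted)),
    }


if __name__ == "__main__":
    for case, mismatches in demo().items():
        state = "balances" if not mismatches else "out of balance: " + ", ".join(mismatches)
        print(f"{case:10s} {state}")
```

A transposed amount leaves the record count and hash total intact and is caught only by the amount total, which is why all three totals are carried rather than one; a parity failure removes the record from processing, so it surfaces at reconciliation exactly like a dropped record.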

 

Separation of Functions

            Segregation of duties is a fundamental element of internal control and an effective risk reduction technique.  For tasks that are susceptible to fraudulent or other unauthorized activity, the likelihood of such activity successfully occurring is reduced when it requires collusion between employees.  The purpose of separation of functions is to minimize the opportunity for any one person to subvert or damage the system.

 

            Guidelines:

(1)        Tasks related to the design, implementation, operation, maintenance and use of information systems shall be structured such that each acts as a check upon the others.

(2)        Access rights to data and programs must be based on specific job requirements.

(3)        Personnel duties should not overlap and must be separated in a way such that a single individual cannot independently perform all of the steps necessary to violate the protection mechanisms of the system.

(4)        Information processing personnel may record and process data, but they must not originate or authenticate transactions, perform final reconciliation of input and output, correct reconciliation differences, or have unchecked access to assets.

(5)        Responsibilities for day-to-day production processing shall be separate from system development, testing and maintenance.

(6)        Those who can authorize and approve must not be able to originate and record.

(7)        No individual will be allowed to have exclusive control of any automated system.
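
Guidelines (3), (4), (6) and (7) can be checked mechanically against a role-to-rights table, as in this added Python example, which is not the college's own code. The transaction steps, the roles and the conflicting pairs are constructed to mirror the guidelines: whoever can authorize must not originate or record, processing staff who record must not reconcile, correct differences or hold custody, and nobody may accumulate every step.

```python
"""Separation-of-duties check (added example, not part of the policy).

Declares the steps of a sensitive transaction, the pairs of steps that must
never rest with one person, and each role's rights; then tests role
assignments for conflicting pairs and for exclusive control. All names are
constructed for illustration.
"""
from itertools import combinations
from typing import Dict, FrozenSet, List, Set, Tuple

# Steps of a disbursement transaction (constructed).
STEPS = ["originate", "authorize", "record", "reconcile", "correct_differences", "custody"]

# Guideline (6): authorize vs originate/record.  Guideline (4): record vs
# reconcile/correct/custody.  Originate vs custody added as a common control.
CONFLICTS: Set[FrozenSet[str]] = {
    frozenset({"authorize", "originate"}),
    frozenset({"authorize", "record"}),
    frozenset({"record", "reconcile"}),
    frozenset({"record", "correct_differences"}),
    frozenset({"record", "custody"}),
    frozenset({"originate", "custody"}),
}

ROLES: Dict[str, Set[str]] = {          # constructed role table
    "clerk": {"originate"},
    "data_entry": {"record"},
    "supervisor": {"authorize"},
    "controller": {"reconcile", "correct_differences"},
    "treasury": {"custody"},
}


def rights_of(user_roles: List[str], roles: Dict[str, Set[str]] = ROLES) -> Set[str]:
    """Union of the steps a user can perform across all assigned roles."""
    return set().union(*(roles[r] for r in user_roles))


def conflicts_for(user_roles: List[str],
                  roles: Dict[str, Set[str]] = ROLES,
                  conflicts: Set[FrozenSet[str]] = CONFLICTS) -> List[Tuple[str, str]]:
    """Conflicting step pairs a user would hold, sorted for stable reporting."""
    rights = rights_of(user_roles, roles)
    return sorted(tuple(sorted(pair)) for pair in conflicts if pair <= rights)


def role_pairs_in_conflict(roles: Dict[str, Set[str]] = ROLES,
                           conflicts: Set[FrozenSet[str]] = CONFLICTS) -> List[Tuple[str, str]]:
    """Role pairs that must never be assigned to the same person (guideline 3)."""
    return sorted((a, b) for a, b in combinations(sorted(roles), 2)
                  if conflicts_for([a, b], roles, conflicts))


def exclusive_control(user_roles: List[str],
                      roles: Dict[str, Set[str]] = ROLES,
                      steps: List[str] = STEPS) -> bool:
    """True when one person could walk the whole transaction alone (guideline 7)."""
    return rights_of(user_roles, roles) >= set(steps)


def review_assignments(assignments: Dict[str, List[str]]) -> Dict[str, List[Tuple[str, str]]]:
    """Return only the users whose accumulated roles produce a conflict."""
    flagged = {}
    for user, user_roles in assignments.items():
        found = conflicts_for(user_roles)
        if found:
            flagged[user] = found
    return flagged


if __name__ == "__main__":
    # Constructed assignments: the second user has picked up a conflicting second role.
    print(review_assignments({"user_a": ["clerk"], "user_b": ["data_entry", "controller"]}))
    print(role_pairs_in_conflict())
```

Running the review over the real assignment list is the periodic check; the role-pair list is what a manager consults before granting an additional role, so that a conflict is refused at assignment time rather than discovered at audit.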

 

Testing Controls and Program Maintenance

            The test functions shall be kept either physically or logically separate from the production functions.  Copies of production data should not be used for testing unless the data has been desensitized or unless all personnel involved in testing are otherwise authorized access to the data.  After a new system has been placed in operation, all program changes shall be approved before implementation to determine whether they have been authorized, tested and documented.

            Guidelines:

(1)        Requested program changes shall be documented and signed by both the initiator of the request and the system owner.  Changes will also be approved by the programming manager.

(2)        Independent peer review (whereby programmers examine each other’s program code) will reduce program maintenance exposure.

(3)        System testing should be a joint effort of users and information processing personnel.

(4)        Software generally referred to as ‘public domain’ software (such as might be acquired through software exchanges or electronic bulletin boards) or software not acquired under license or contract must never be used for processing sensitive or critical information unless specifically approved by the computer center director.

(5)        For all applications including non-sensitive or non-critical applications, public domain software shall not be used unless it has been thoroughly tested in a non-operational, isolated environment and validated to be free of contaminants or malicious code such as so-called software ‘viruses’ or ‘trojan horses’.

(6)        It shall be the responsibility of the owner of a file system to notify the computer center director in writing of any problems encountered with his/her data or with the software provided for his/her use with this data.  Any desired enhancements must likewise be reported.  No changes of any type are to be made to data files, source programs, procedure files, documentation or documented procedures without an appropriate request form approved by the computer center director and the Director of Admissions and Records.

 

Transaction History

            Automated chronological or systematic records of changes to data are important in the reconstruction of previous versions of data in the event of corruption.  Such records, sometimes referred to as journals, are useful in establishing normal activity, in identifying unusual activity and in the assignment of responsibility for corrupted data.  A sufficiently complete history of transactions shall be maintained for each session involving access to critical and sensitive information to permit an audit of the system by tracing the activities of individuals through the system and by tracing transactions through the system.

 

            Guidelines:

(1)        In addition to system start-up and shutdown times, transaction histories shall log the following information at a minimum:

(a)  Update transactions

(b)  Date, time of activity

(c)  User identification

(d)  Sign-on and sign-off activity

(e)  Sensitive display transactions

(2)        An analysis of transaction histories for the purpose of detecting variances from the norm shall be conducted regularly.  In addition to checks against authorizations, particular attention must be paid to unusual items, frequency and length of accesses, as well as anomalies which could indicate potential violations.
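
A journal of the shape guideline (1) requires, together with the two uses the section names for it (reconstructing an earlier version of a data item, and analysing sessions for variances from the norm and against authorizations), as an added Python example that is not part of this document. The journal lines, user names, timestamps and authorization table are constructed; the anomaly rules are illustrative thresholds, not values the policy prescribes.

```python
"""Transaction-history (journal) analysis (added example, not part of the policy).

Parses a constructed journal holding sign-on/sign-off, update and sensitive
display records; reconstructs the value a field held at an earlier time from
the update records; and flags sessions that vary from the norm or exceed
the user's authorizations.  All data below is made up for illustration.
"""
from dataclasses import dataclass
from datetime import datetime
from statistics import median
from typing import Dict, List, Set, Tuple

JOURNAL = """\
2024-03-04T08:01:10 jdoe SIGNON
2024-03-04T08:05:33 jdoe UPDATE student=1001 field=gpa old=3.10 new=3.40
2024-03-04T08:06:02 jdoe DISPLAY student=1001 field=ssn
2024-03-04T08:30:00 jdoe SIGNOFF
2024-03-04T09:00:00 bwong SIGNON
2024-03-04T09:02:00 bwong DISPLAY student=1003 field=ssn
2024-03-04T09:03:00 bwong DISPLAY student=1004 field=ssn
2024-03-04T09:10:00 bwong SIGNOFF
2024-03-04T22:14:05 asmith SIGNON
2024-03-04T22:15:11 asmith UPDATE student=1001 field=gpa old=3.40 new=3.90
2024-03-04T22:16:00 asmith DISPLAY student=1002 field=ssn
2024-03-04T22:16:10 asmith DISPLAY student=1003 field=ssn
2024-03-04T22:16:20 asmith DISPLAY student=1004 field=ssn
2024-03-04T22:16:30 asmith DISPLAY student=1005 field=ssn
2024-03-04T22:16:40 asmith DISPLAY student=1006 field=ssn
2024-03-04T22:16:50 asmith DISPLAY student=1007 field=ssn
2024-03-04T22:17:00 asmith DISPLAY student=1008 field=ssn
2024-03-04T22:17:10 asmith DISPLAY student=1009 field=ssn
"""   # constructed; asmith's session never signs off

AUTHORIZED: Dict[str, Set[str]] = {      # constructed authorization table
    "jdoe": {"UPDATE", "DISPLAY"},
    "bwong": {"DISPLAY"},
    "asmith": {"DISPLAY"},
}
BUSINESS_HOURS = range(8, 18)            # illustrative threshold


@dataclass
class Event:
    ts: datetime
    user: str
    kind: str
    attrs: Dict[str, str]


@dataclass
class Session:
    user: str
    events: List[Event]
    closed: bool = False


def parse_journal(text: str) -> List[Event]:
    """One Event per line: timestamp, user, kind, then key=value attributes."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, user, kind, *rest = line.split()
        attrs = dict(kv.split("=", 1) for kv in rest)
        events.append(Event(datetime.fromisoformat(ts), user, kind, attrs))
    return sorted(events, key=lambda e: e.ts)


def split_sessions(events: List[Event]) -> List[Session]:
    """Group each user's events from SIGNON to SIGNOFF; unclosed sessions stay open."""
    open_by_user: Dict[str, Session] = {}
    done: List[Session] = []
    for e in events:
        if e.kind == "SIGNON":
            open_by_user[e.user] = Session(e.user, [e])
            continue
        s = open_by_user.setdefault(e.user, Session(e.user, []))   # activity without sign-on
        s.events.append(e)
        if e.kind == "SIGNOFF":
            s.closed = True
            done.append(open_by_user.pop(e.user))
    return done + list(open_by_user.values())


def value_as_of(events: List[Event], student: str, fld: str, as_of_iso: str):
    """Reconstruct a field's value at a point in time by replaying its update records."""
    as_of = datetime.fromisoformat(as_of_iso)
    updates = [e for e in events if e.kind == "UPDATE"
               and e.attrs.get("student") == student and e.attrs.get("field") == fld]
    if not updates:
        return None
    value = updates[0].attrs["old"]      # state before the first journaled change
    for u in updates:
        if u.ts <= as_of:
            value = u.attrs["new"]
    return value


def analyze(events: List[Event], authorized: Dict[str, Set[str]]) -> List[Tuple[str, str]]:
    """(rule, user) findings: authorization checks plus variance from the batch norm."""
    findings = []
    sessions = split_sessions(events)
    counts = [sum(e.kind == "DISPLAY" for e in s.events) for s in sessions]
    baseline = median(counts) if counts else 0   # norm = median sensitive displays per session
    for s, n_display in zip(sessions, counts):
        allowed = authorized.get(s.user, set())
        if any(e.kind in ("UPDATE", "DISPLAY") and e.kind not in allowed for e in s.events):
            findings.append(("unauthorized_transaction", s.user))
        if any(e.ts.hour not in BUSINESS_HOURS for e in s.events):
            findings.append(("after_hours", s.user))
        if n_display >= 5 and n_display > 3 * baseline:
            findings.append(("excessive_sensitive_display", s.user))
        if not s.closed:
            findings.append(("no_signoff", s.user))
    return findings


if __name__ == "__main__":
    evs = parse_journal(JOURNAL)
    print("gpa of 1001 at noon:", value_as_of(evs, "1001", "gpa", "2024-03-04T12:00:00"))
    for rule, user in analyze(evs, AUTHORIZED):
        print(f"{rule:28s} {user}")
```

The reconstruction works because each update record carries both the old and the new value, which is what makes the journal usable for restoring a prior version rather than only for blame; the variance rule compares each session to the median of its peers so that a single busy session stands out without a fixed number having to be tuned per application.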

 

 

NETWORK SECURITY

            Networking, including distributed processing, concerns the transfer of data among users, hosts, applications and intermediate facilities.  During transfer, data is particularly vulnerable to unintended access or alteration.  Network resources participating in the access of sensitive information shall assume the sensitivity level of that information for the duration of the session.  Controls shall be implemented commensurate with the highest risk.  All network components under state control must be identifiable and restricted to their intended use.

 

 

Network Controls, General

 

            Guidelines:

(1)        All line junction points (cable and line facilities) shall be located in secure areas or under lock and key.

(2)        Control units, concentrators, multiplexors or front-end processors shall be protected from unauthorized physical access.  The sophistication and extent of this control will depend on the sensitivity of the systems involved.

(3)        Procedures shall be implemented which ensure that institutional access to data or information is not dependent on any individual.  There must be more than one person with authorized access.

(4)        All repairs or upgrades to the campus LAN must be approved in advance and monitored by the appropriate coordinator.

(5)        Eliminating removable-media capability (e.g., diskette drives) from LAN workstations reduces the vulnerability of LANs to unauthorized copying.  This approach requires that workstations be equipped without diskette drives and that all data and programs be stored on the network.

(6)        Manual controls external to the computer system shall be used where necessary to provide additional controls.

(7)        As separate user LANs are developed within office and lab areas, LAN managers shall be designated having primary responsibility for their routine functioning.  The computer center will assist in bridging these LANs to the campus network and in making all benefits of the campus network and Peachnet available to these LAN users.  However, the computer center does not have sufficient resources to oversee the day-to-day maintenance of each LAN.

 

Security at Network Entry and Host Entry

            University System owned network facilities and host systems are University System assets.  Their use must be restricted to authorized users and purposes.  Where public users are authorized access to networks or host systems, these public users as a class must be clearly identifiable and restricted to only services approved for public functions.  University System employees who have not been assigned a user identification code and means of authenticating their identity to the system are not distinguishable from public users and must not be afforded broader access.  Owners of information resources served by networks shall prescribe sufficient controls to ensure that access to network services and host services and subsystems is restricted to authorized users and uses only.  These controls shall selectively limit services based upon user identification and authentication (e.g., password), or designation of other users, including the public where authorized, as a class (e.g., public access through dial-up or public switched networks), for the duration of a session.

 

            Guidelines:

(1)        Authorization at network entry on the basis of valid user identification code and authentication (e.g., password) shall be provided under the framework of network services and controlled by the network management program.

(2)        Connections between users on a network must be authorized by the host or the network node security manager program, as appropriate.

(3)        The designated manager of a host-independent network serves the dual role of owner of the network system and custodian of data under another’s ownership while that data is being transported by the network.

(4)        The host security management program should maintain current user-application-activity authorizations through which each request must pass before a connection is made or a session is initiated.

 

Security at the Application

            Network access to an application containing critical or sensitive data, and data sharing between applications, shall be authorized by the application owners and shall require authentication.

 

            Guidelines:

(1)        The owner of applications containing non-critical or non-sensitive data must likewise establish criteria for access and user validation, particularly on systems authorized for public use.

(2)        Additional protection, such as might be applicable to especially sensitive data, is afforded by a two-person password procedure; each person’s password validates user authorization for either host or application access, exclusively.  Neither person alone can gain combined host-application access.

Dial-Up Access

            Systems accessible from dial-up terminals are particularly vulnerable to unauthorized access, since the call can be initiated from virtually any telephone instrument.  Official users of dial-up facilities must be distinguishable from public users if they are to be given access rights greater than those given public users.  For services other than those authorized for the public, users of dial-up terminals shall be positively and uniquely identifiable and their identity authenticated (e.g., by password) to the systems being accessed.

Guidelines: For dial-up services other than those authorized for public use.

(1)        Dial-up numbers should be unlisted and changed periodically.

(2)        At a minimum, dial-up facilities should be provided automatic hangup and call-back features, with call-back only to pre-authorized numbers.

(3)        A port protection device (PPD) connected to communication ports of a host computer is typically capable of providing:

(a)  authentication and access control decisions

(b)  automatic hangup and call-back to originator

(c)  attack signalling and event logging

(4)        Security may be enhanced by instituting a two person password procedure.  One person’s password gains access to the host and the other person’s password gains access to the application.  Under this procedure, neither acting alone can gain access to the application through dial-up.

 

Guidelines