Official University Policy Manual

File code: ADM.COMPSEC.POL
Approval Date: 3/3/05
Approved By: President

Policy on Computer Security

Introduction

Continuing availability of information is essential to the operation of WIU programs. Expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to administration, faculty, and staff than ever before. WIU has realized increased productivity, in terms of improved delivery of services, enhanced administrative capabilities, and lower operating costs, as a direct result of the growing commitment to use information technology.

Information technology has also brought new administrative concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies and practices must be established to ensure that hazards are eliminated or their effects minimized.

The focus of information security is on ensuring protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the surrounding investment is the impetus for establishing an information security program.

Protecting information assets includes:

Many program operations that traditionally were manual or partially automated are today fully dependent upon the availability of automated information services to perform and support their daily functions. The interruptions, disruption, or loss of information support services may adversely affect WIU's ability to administer programs and provide services. The effects of such risks must be eliminated or minimized.

Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside WIU. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of WIU programs, violating individual rights to privacy, violating copyrights, or facing administrative, civil or criminal penalties.

An effective and efficient security management program requires active support and ongoing participation from multiple disciplines and all levels of administration. Responsibilities include identifying vulnerabilities that may affect information assets and implementing cost-effective security practices to minimize or eliminate the effects of the vulnerabilities.

Policy Administration

The Computer Security Policy is administered by the Associate Vice President for Technological Services (Vice President for Administrative Services) and the Cyber-Security group. Policy violations are reported to the Internal Auditing office.

Administrative Data Ownership

The administrative data "owner" is the department having primary responsibility for creation and maintenance of the data content.

Data Owner Responsibilities

The data owner is responsible for determining how the data may be used within existing policies, and authorizing who may access the data.

Data User Responsibilities

The data user is the person who has been granted explicit authorization to access the data by the owner. This authorization must be granted according to established procedures. The user must use the data only for purposes specified by the owner, comply with security measures specified by the owner or custodian, and not disclose information in the data nor the access controls over the data unless specifically authorized in writing by the owner.

Security Policy

Policy Purpose

The purpose of the WIU Computer Security Policy is to address security issues related to the safety and integrity of information maintained on WIU computerized information systems. This policy is not intended to address the proprietary interests of intellectual property and/or copyright issues.

Policy Applicability

The Computer Security Policy applies to all WIU faculty, staff, students, and others (e.g. vendors, grant or independent contractors, etc.) accessing or attaching to computers operated by WIU.

It is the policy of WIU that:

  1. Persons using or attaching to WIU computer resources will acknowledge compliance with the Computer Security Policy when userids and passwords are assigned, and in some cases, when an application is accessed.
  2. Computer resources are valuable assets and unauthorized use, alteration, destruction, or disclosure of these assets is a computer-related crime, punishable under Illinois statutes and federal laws, as well as through administrative and/or civil sanctions.
  3. Computer software purchased using university or state funds is WIU property and shall be protected as such.
  4. Unauthorized/unlicensed use of software (software piracy) will not be tolerated and such software will be removed by the appropriate administrators.
  5. Use of WIU systems to attack other computer systems, internal or external to WIU, is a violation of this policy subject to administrative, civil, and/or criminal sanctions.
  6. Attempting to circumvent security or administrative access controls for computer resources is a violation of this policy, as is assisting someone else or requesting someone else to circumvent security or administrative access controls. Persons violating the Computer Security Policy will be subject to appropriate administrative, civil, and/or criminal sanctions.
  7. Violations of the Computer Security Policy will be reported to the WIU Internal Auditing office. All computer incidents involving WIU computer systems must be reported to the WIU Internal Auditing office, whether or not damage, unauthorized review and/or unauthorized use of information contained on the system occurred.
  8. Willful violations of the Computer Security Policy that may be violations of state and federal laws will be reported to the Office of Public Safety.
  9. Userids and passwords must control access to all computer resources except for those specific resources identified as having public access. All servers must require passwords of 6 or more characters which include at least one numeric and one alpha character.
  10. Passwords must be changed periodically by the user. All computer resources will require passwords to be changed at least every 90 days and be unique up to or exceeding eight previous passwords.
  11. Users are responsible for managing their passwords and for all actions and functions performed by their userids, according to the guidelines specified in Appendix B, Password Management.
  12. All computer resources must provide a notice before logon stating that the computer system is protected by a computer security system; that unauthorized access is not permitted; and that usage may be monitored. The message text for the notice is contained in Appendix A, Security Access Warning Message.
  13. Information, which by law is confidential, must be protected from unauthorized access or modification. Data, which is essential to critical functions must be protected from loss, contamination, or destruction.
  14. Confidential information shall be accessible only by personnel who are authorized by the owner on a basis of strict "need to know" in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as confidential in its entirety.
  15. An auditable, continuous chain of custody shall record the transfer of confidential information. When confidential information from a department is received by another department in the connection with the transaction of WIU business, the receiving department shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing department.
  16. All employees accessing an administrative application must receive appropriate training for using the application and must acknowledge the security and privacy requirements for the data contained in the application. Employees will be trained by the WIU Internal Auditing office (or an office designated by the Internal Audit Director) on security over WIU information systems.
  17. When an employee terminates employment and a future contract has not been issued, their access to Computer resources will be terminated. Retired employees may be permitted access to electronic mail systems. Similarly, students who are not enrolled for two consecutive semesters will have their access to computer resources terminated.
  18. All computer resources used for mission critical applications shall have a cost effective, written contingency plan that will provide for prompt and effective continuation of critical missions in the event of a disaster. Appendix C, Disaster Recovery contains additional information. The office of the Vice President for Administrative Services and the Internal Auditing office will maintain a list of computer resources that have been designated as used for mission critical applications.
  19. Microcomputer end-user workstations used in sensitive or critical tasks must have adequate controls to provide continued confidentiality, integrity, and availability of data stored on the system. Adequate controls are department specific and will be defined by the Director of Internal Auditing, in accordance with the standards issued by appropriate regulatory bodies.
  20. All microcomputer end-user workstations should have virus protection software installed or other, appropriate security measures.
  21. All information processing areas used to house computer resources supporting mission critical applications must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations. Physical access to these areas shall be restricted to authorized personnel.
  22. Individuals who believe they have experienced computer generated harassment or discrimination should contact the Internal Auditing office to file a complaint.
  23. Individuals who have reason to believe that their personal information or computer intrusion/tampering have occurred with respect to their accounts should contact their system administrator and/or the WIU Internal Auditing office immediately.
  24. Internet access to the WIU Network will be controlled as appropriate under guidelines established by the Cyber-Security group.
  25. Guest access to servers is permitted only in the WIU Library. Server Administrators who find the need to permit others to attach to a server as a guest must identify such servers to the Director of Internal Auditing and must employ suitable compensating controls.
  26. Students may not set up servers in their residence hall rooms. Exceptions to this policy must be approved by the Directors of Computer Support Services and Internal Auditing (e.g. computer science majors may be required to do this as part of their academic requirements). Exceptions will be approved on a case-by-case basis.
  27. Employees may not use WIU computer resources to set up services or accounts the purpose of which is not in accordance with the non-profit, educational mission of the university. Individuals with questions concerning the appropriate use of a university computer should contact the WIU Internal Auditing office.
  28. Electronic mail is provided to faculty, staff, and students as part of the computer resources of WIU to conduct the business of WIU. Electronic mail is intended to be a convenient way for the faculty, staff, and students to communicate with one another and colleagues at other locations. It is not the practice of WIU to monitor the contents of electronic mail messages. However, the information in electronic mail files may be subject to disclosure under certain circumstances; for example, during audit or legal investigations. WIU does not routinely monitor (e.g. via cookies) the Internet browsing habits of its students and employees.

Sanctions for Non-Compliance

Sanctions for non-compliance with the WIU Computer Security Policy will be as provided for in the appropriate student, faculty, or staff rules and regulations.

Appendix A - Security Access Warning Message

Successful prosecution of unauthorized access to WIU computerized systems requires that users are notified prior to their entry into the systems that the data is owned by WIU and that activities on the system are subject to monitoring. All multi-user computer systems will display the following warning message when a user attempts to access the system and prior to actually logging into a system:

This system is to be used only by authorized personnel, and all others will be prosecuted. Activities on this system are automatically logged and subject to review. All data on this system is the property of Western Illinois University, which reserves the right to intercept, record, read or disclose it at the sole discretion of authorized personnel. Specifically, system administrators may disclose any information on or about this system to law enforcement or other appropriate individuals. Users should not expect privacy from system review for any data, whether business or personal, even if encrypted or password-protected. WIU abides by the Family Educational Rights Act of 1974, and takes precautions to prevent the disclosure of confidential information. Use of this system constitutes consent to these terms.

Each system must require an active response from the user to move past this screen at the time of sign-on (i.e. user must press the Enter/Return key to continue).

Appendix B - Password Management

Information stored on WIU computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Effective controls for logical access to computer resources minimizes inadvertent employee error and negligence, and reduces opportunities for computer crime.

Each user of an automated system is assigned a unique personal identifier for user identification. User identification is authenticated before the system may grant access to automated information.

Password Selection

Passwords are used to authenticate a user's identity and to establish accountability. A password that is easily guessed is a bad password which compromises security and accountability of actions taken by the userids which represents the user's identity.

Today, computer crackers are extremely sophisticated. Instead of typing each password by hand, crackers use personal computers to make phone calls to try the passwords, automatically re-dialing when they become disconnected. Instead of trying every combination of letters, starting with AAAAAA (or whatever), crackers use hit lists of common passwords such as WIZARD or DEMO. Even a modest home computer with a good password guessing program can try thousands of passwords in less than a day's time. Some hit lists used by crackers contain several hundred thousand words. Therefore, any password that anybody might guess to be a password is a bad choice.

What are popular passwords? Your name, your spouse's name, or your parents' names. Other bad passwords are these names spelled backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them; they are more easily guessed. Especially bad are "magic words" from computer games, such a XYZZY. Other bad choices include phone numbers, characters from favorite movies or books, local landmark names, favorite drinks, or famous people.

Some rules for choosing a good password are:

Password Handling

A standard admonishment is "never write down a password." You should not write your password on your desk calendar, on a Post-It label attached to your computer terminal, on the pull-out drawer of your desk or any other area accessible to anyone else. If you must write your password down, then keep it in a secure area (e.g. your wallet) that only you have access to and do not indicate the system in which the password is used.

A password you memorize is more secure than the same password written down, simply because there is less opportunity for other people to learn a memorized password. But a password that must be written down in order to be remembered is quite likely a password that is not going to be guessed easily.

Never record a password on-line and never send a password to another person via electronic mail.

**This information on passwords was adapted from the book Practical UNIX Security by Simson Garfinkel and Gene Spafford.

Appendix C - Disaster Recovery

It is prudent and required by the Western Illinois University Internal Auditing department to anticipate and prepare for the loss of information processing capabilities. The plans and actions to recover from losses range from routine backup of data and software in the event of minor losses or temporary outages, to comprehensive disaster recovery planning in the preparation for catastrophic losses of computer resources.

Data Backup

On-site backup is employed to have current data readily available in machine-readable form in the production area in the event operating data is lost, damaged, or corrupted; and to avoid having to reenter the data from source material. Off-site backup or storage embodies the same principle but is designed for longer term protection in a more sterile environment, requires less frequent updating, and provides an additional protection against threats potentially damaging to the primary site and data.

Data and software essential to the continued operation of critical department functions must be backed up. The security controls over the backup resources must be as stringent as the protection required of the primary resources.

Alternate Data Backup

The backup procedures on the multi-user computer systems and departmental servers are designed to protect against data losses caused by hardware failures and other disasters. The frequency and timing of these backups may not provide sufficient protection to meet end-user requirements for data backup. Therefore, it is strongly recommended that end-users include a data backup step in their information processing procedures, and not to depend on single backup procedure to provide all protection.

Contingency Planning

Contingency plans, or disaster control plans, specify actions management have approved in advanced to achieve each of three objectives: to identify and respond to disasters; to protect personnel and systems; and to limit damage. The backup plan specifies how to accomplish critical portions of the mission in the absence of a critical resource such as computers. The recovery plan directs recovery of full mission capability.

Appendix D - Personnel Security and Security Awareness

In any organization, people are the greatest asset in maintaining an effective level of security. At the same time, people represent the greatest threats to information security. No security program can be effective without maintaining employee awareness and motivation.

Employee Requirements

Every employee is responsible for systems security to the degree that the job requires the use of information and associated systems. Fulfillment of security responsibilities is mandatory and violations of security requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, and criminal penalties.

Positions in Sensitive Locations or of Special Trust or Responsibility

Individual positions must be analyzed to determine the potential vulnerabilities associated with work in those positions. The WIU Internal Auditing office, working in cooperation with the various electronic services administrators, has designated specific computer positions (both Civil Service and Administrative/Professional) as requiring background checks prior to employment, due to the sensitive and/or extensive access personnel in these positions have to our computerized information systems. It may also be appropriate for certain divisions to designate locations as sensitive and to require appropriate procedures and safeguards for all employees whose duties include access to those areas (e.g. the Morgan Mainframe Center).

Security Awareness and Training

An effective level of awareness and training is essential to a viable information security program. Employees who are not informed of risks or of management's policies and interest in security are not likely to take steps to prevent the occurrence of violations. As of January 1, 2001, all new employees at WIU must have computer security awareness training provided by the Vice President for Administrative Services office. Employees are informed of this when they finish with their initial benefit training and are then sent to Administrative Services to schedule this training.

The University shall also provide an ongoing awareness and training program in information security and in the protection of computer resources for all personnel whose duties bring them into contact with critical or sensitive university computer resources.

Upon termination of a person who occupies a position of special trust or responsibility, or is working in a sensitive area, management shall immediately revoke all access authorizations to Computer resources.