University Business Policies and Procedures Manual
2520
COMPUTER SECURITY CONTROLS AND GUIDELINES
Effective Date: July 1, 2001
1. General
The University provides computing services to the University community in accordance with "Acceptable Computer Use" Policy 2500, UBP. University management of these services must uphold the rights and responsibilities provided for in Policy 2500 while ensuring system and data availability, reliability, and integrity. Therefore, all departments operating University owned computers, including those operated by faculty, staff, and students, must develop departmental security practices which comply with the security practices listed below. In addition, departments must have environment-specific management practices for business functions such as maintenance, capacity planning, software licensing and copyright protection, training, documentation, power, and records management for computing systems under their control. This may be done either by hiring a qualified employee or by sharing resources with other departments, e.g. a LAN administrator. The Computer and Information Resources and Technology (CIRT) organization is available to assist and advise departments in planning how to comply with this and other computer technology-related policies. Departments must document and periodically review established practices.
2. Security Practices
Department heads are responsible for computer security awareness and for ensuring reasonable protection of departmental computing systems against breaches of security, through methods such as virus protection, firewalls, and password usage. Department heads should ensure users of their systems have the necessary training for appropriate use of the system. A portion of available resources is listed at http://its.unm.edu/training/. Prior to gaining access to departmental computers, all users must sign a Computer Use Access Agreement (Exhibit A.), which the department keeps on file.
2.1. Access Control
There are two types of access to University computing systems: access to systems (including network access) and access to information.
2.1.1. System Access
Access to systems must be authorized by the cognizant department head or designee. To ensure confidentiality, special attention should be paid when authorizing system access to vendors and/or contractors, including those repairing and/or maintaining departmental computers. When possible, it is advisable to have vendors and/or contractors sign a confidentiality agreement. Computer access control also includes physical security of UNM equipment and information, such as: locks on doors/windows for equipment and storage, locking paper files, and paper shredders. The department head or designee ensures proper management of computer accounts and user identification by:
- handling system user authentication securely (e.g. passwords, PINs, access codes);
- terminating an account in a timely manner when an individual's affiliation with the University is terminated or completed;
- providing guidelines for computer account locking, unlocking and appeal (e.g. CIRT's procedures are at http://its.unm.edu/accts/locking_policy.html); and
- following established policies and procedures and legal due process when violations are detected or suspected.
2.1.2. Network Access
CIRT provides guidelines for attaching to and detaching from UNM network resources at http://its.unm.edu/network/policy.html.
2.1.3. Access to University Information
Data custodians or owners grant access to information found in University applications such as the Financial Reporting System (FRS). Such access is granted or denied according to established procedures. For example, FRS maintains University accounting data and records, and produces monthly reports on each account; the University Controller is the data custodian for FRS. Data custodians for CIRT-maintained systems are listed at http://www.unm.edu/accts/bsas.html.
2.2. System Protection
Department heads are responsible for protecting the systems under their control from system intrusion, compromise, or data loss.
2.2.1. Virus Protection
Virus detection and elimination software is essential to protect University data and systems. Department heads or designees are responsible for maintaining the latest version of antivirus software, with current updates, on their computers. Systems must have active virus protection turned on, and each system must be scanned regularly. Assistance with virus protection and software is available from CIRT at http://its.unm.edu/security/virus.html.
2.2.2. Privacy and Confidentiality
Department heads or designees must take appropriate measures to ensure privacy and confidentiality of system data in accordance with applicable laws and policies such as:
- UNM Student Records Policy;
- Family Educational Rights and Privacy Act of 1974;
- Department of Health and Human Services, Health Information Privacy;
- New Mexico Inspection of Public Records Act;
- University policies found in the Regents Policy Manual, the Faculty Handbook, the Student Pathfinder, and the University Business Policies and Procedures Manual.
2.2.3. System Integrity
Department heads or designees may monitor and investigate systems or jobs under their control for appropriate use of resources, to protect or improve system performance, or in compliance with audit or legal requests. Jobs, procedures, and/or functions may be restricted or limited to ensure system integrity. Departments should maintain current versions of system software and security patches, especially when there are known security issues.
2.2.4. Data Loss Protection
Department heads or designees are responsible for developing, maintaining and executing backup, off-site storage and disaster recovery procedures for computerized University information.
2.2.5. Records Management
Department heads or designees are responsible for computerized data retention and backup procedures that comply with University Records Management requirements for classification and retention of University information.
2.3. Security Violation Handling
Department heads or designees should detect and correct any non-compliance with this and other University computer policies. If they detect serious security violations they should report their findings to UNM Police. All investigations should follow proper investigative procedures to ensure confidentiality and due process. Any employee who detects or suspects non-compliance should report such conduct to the department head. Misconduct should be reported in accordance with "Reporting Misconduct and Retaliation" Policy 2200, UBP.
3. Sanctions
Use of University computing services in violation of applicable laws or University policy may result in sanctions, including withdrawal of use privileges, such as detaching the system from the network; disciplinary action, up to and including expulsion from the University or discharge from a position; and legal prosecution under applicable federal and/or state law.
4. Attachments
Exhibit A. - CIRT Computer Use Access Agreement
Comments may be sent to UBPPM@UNM.edu
http://www.unm.edu/~ubppm