INTRODUCTION 

Access to information resources and the information technology infrastructure is a privilege and must be treated as such by all users of University of New Mexico Valencia Campus computing and network resources. The Information Security Policy recognizes that not all communities within UNMVC are the same and that data is used differently by various units within UNMVC.  Unless explicitly noted, these policies apply to all units within the UNMVC campus community. Each unit within UNMVC should apply this policy to meet their information security needs. The Policy is written to incorporate current technological advancements.  The technology installed at some units may limit immediate compliance with the Policy.  Instances of non-compliance must be reviewed and approved as indicated below. This policy serves as a supplement and covers specific areas that affect users at UNM Valencia Campus.  It augments UNM UBP 2500 Acceptable Computer Use, UNM UBP 2510 Computer Use Guidelines, and UNM UBP 2520 Computer Security Controls and Guidelines.

CSS Home

• The Director of Campus Resources is responsible for implementing this policy.
• Computer Support Services (CSS) will ensure that:
• The information security policy is reviewed and updated on a regular basis and published as appropriate.


• Supervisors provide appropriate training to assigned staff, data custodians and users.

 

• CSS is responsible for security implementation, incident response, periodic user access reviews, and notification of users of network operations including information about virus infection risks.
• UNMVC users are responsible for the safe handling, storage, and disposal of University data.
• Unit administrators are responsible for establishing procedures to implement these policies within their areas of responsibility and compliance monitoring. Administrators also have the responsibility to arrange for the appropriate level of training for subordinates.

• Violation of the Information Security Policy may result in disciplinary actions authorized by the University.

GENERAL POLICY

While UNMVC does not routinely monitor individual usage of its computing resources, the normal operation and maintenance of the University's computing resources require the backup and storage of data and communications, the logging of activity, the monitoring of general usage patterns, and other such activities that are necessary for the rendering of services.

UNM or UNMVC may also specifically access and examine the account of an individual user if necessary to comply with federal or state law or if there is reasonable suspicion that a law or policy has been violated and examination of the account is needed to investigate the apparent violation as allowed in UBP 2500.  When an employee separates from the UNMVC, work-related files remain the property of the University.

Communications and other documents made by means of University computing resources are generally subject to New Mexico's Inspection of Public Records Act to the same extent as they would be if made on paper. Information stored electronically may also be made available in administrative or judicial proceedings; therefore, all employees are urged to use the same discretion and good judgment in creating electronic documents as they would use in creating written paper documents. The University will disclose illegal or unauthorized activities to appropriate University personnel and/or law enforcement agencies.

    
• UNMVC will use a layered approach of overlapping controls, monitoring and authentication to ensure overall security of University data, network and system resources.
• Vulnerability and risk assessment tests of external network connections should be conducted by CSS on a regular basis.  At a minimum, testing should be performed annually.
• Security reviews of servers, firewall(s), router(s) and monitoring platforms for breaches of security will be conducted by CSS on a regular basis. These reviews will include monitoring access logs and results of intrusion detection software, where used.

USE OF INFORMATION RESOURCES

• The use of computing resources at UNM Valencia Campus is a privilege and should not be taken for granted.  The misuse or intentional destruction of computing resources is not acceptable use.  If a computer or network resource in not functioning properly the user or supervisor should contact CSS Help Desk for assistance. 

DATA CLASSIFICATION

• It is essential that the University’s critical data be protected.  All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance.  We have specified two classes below:
• Secured - Information assets that would cause severe damage to the University or its customers if disclosed or modified.  Data covered by federal and state legislation, such as FERPA, are in this class.  Payroll, personnel, and financial information is also in this class because of privacy requirements. This also includes data such as source code, data, logs, etc. that would not expose University to loss if disclosed, but should be protected to prevent unauthorized disclosure.
• Unsecured - Information that may be freely disseminated.   This may include instructional data files that instructors make available, web data, or other non-sensitive information.

• CSS and the Director of Campus Resources will establish an appropriate level of security (protection) for each data classification.
• All information resources should be categorized and protected according to the requirements set for each classification, and the data classification and its corresponding level of protection should be consistent when the data is replicated and as it flows through the University system.
• CSS has the responsibility for the backup of VMIS data.  The individuals entrusted with the data are responsible for protecting the data consistent with the security requirements defined by the data custodian.
• Users may not store information classified as secured from the Valencia MIS System on their local machines.
• Backups of secure data will be handled by CSS and the Database Administrator.  Data backed up on removable media must be handled with the same security precautions as the data itself. When systems are disposed of or reallocated, data should be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.
• Secured data must be encrypted during transmission.
• No UNMVC system may have a connection to the Internet without the means to protect the information consistent with its confidentiality classification. 

ACCESS CONTROL

• Data security policies are designed to allow the appropriate authorized user the appropriate system access.  UNMVC recognizes that there is a delicate balance between protecting the data and permitting access to those who need to use the data for authorized purposes.
• Access to the network and servers and systems will be achieved by individual and unique logins which will require authentication.
• Users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. All users shall secure their username or account name, password, and system from unauthorized use.
• All users of systems with access to networked resources will comply with the Information Security Policy.  Users of the Valencia Management Information System (VMIS) must follow VMIS procedures for system access in addition to the following.
• Logins and passwords will not be coded into programs or queries. 
• Passwords will not be placed in emails unless they have been encrypted.  If this is not possible, then another secure means must be used to communicate the password to the user.
• Passwords will be complex and at least 6 characters in length. Passwords will not be shared.  Unless approved by the Valencia Campus Associate Director of Business and Finance, users will be granted only 1 concurrent login.
• Passwords will expire every 180 days.
• Accounts of part-time faculty/employees, student employees/work-studies who have met access criteria, will be terminated after each semester unless arrangements have been made with CSS or the Associate Director of Business and Finance.
•  Default passwords on all systems are prohibited.  All administrator accounts will be given a password that conforms to the CSS password selection criteria when a system is installed, rebuilt, or reconfigured.
• Systems logging into secured data must have a password protected screen saver set at no longer than 10 minutes.
• Intruder detection must be implemented on all servers and workstations containing data classified as “secured” by UNMVC. Accounts will be locked after a pre-specified number of invalid attempts and will remain locked until reset consistent with this policy.
• Upon employee transfer notification must be made to CSS by the manager of the transferring unit so that access may be reviewed and adjusted as necessary.
• Security policies must be implemented on all sensitive systems (that support monitoring) to record items such as logon attempts, failures, and successful logons (date and time of logon and logoff).
• Terminated employees should have their accounts disabled upon transfer or termination.  Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by CSS personnel in coordination with Human Resources.

 

VIRUS PREVENTION

All UNMVC servers and workstations will be protected with a CSS approved and properly licensed anti-virus software product that will be updated to the current CSS recommended level.

       
• All incoming data including electronic mail will be scanned for viruses where such products exist and are financially feasible to implement. Outgoing electronic mail will be scanned where such capabilities exist.  

UNMVC considers all unauthorized file sharing using University resources to be virus-like activity     

Intentionally accessing web sites that are known to contain virus-like activity without prior authorization is prohibited.      

System or network administrators will inform users when a virus has been detected if the software does not.      

Virus scanning logs will be maintained by

CSS.     

The willful introduction of computer viruses or disruptive/destructive programs into the University environment is a crime, and violators are subject to prosecution.

ACCEPTABLE USE

• University computer resources will be used in a manner that is compliant with University of New Mexico policies (University Business Policies and Procedures 2500, 2510, 2520) as well as State and Federal laws and regulations. It is against university policy to install or run software requiring a license on any university computer without a valid license.
• Uses that interfere with the proper functioning or the ability of others to make use of the University's networks, computer systems, applications and data resources are not permitted.
• Decryption of passwords is not permitted, except by authorized staff performing security reviews or investigations.  Use of network “sniffers” shall be restricted to system administrators who have prior authorization from CSS who must use such tools to solve network problems.  Auditors or security officers in the performance of their duties may also use them.
• Copyright for acceptable software use and software copyright infringements are thoroughly covered in UNM UBP 2510.  The office of University Council has published numerous policies (http://www.unm.edu/~counsel/research/copyinfo.html) and information regarding copyrights on intellectual rights but the area that most affects us in the illegal downloading of music and videos.  To make things clear please refer to http://www.unm.edu/~counsel/research/copyinfo/cyberspace.html for Copyright in Cyberspace information on Peer-to-Peer File Sharing and The Digital Millennium Copyright Act (DMCA).
• Student, faculty and staff demographic, personal or identifying data will not be stored on campus laptops or portable flash memory devices.

WIRELESS NETWORK SECURITY 

• UNM Valencia Campus Wireless Access Policy is posted at http://www.unm.edu/~vchelp/wireless.htm which covers access to the campus wireless architecture.

• All connections to an approved wireless access point or the campus physical network will go through a properly secured connection point to ensure the network is protected regardless of the data classification level.

EMAIL

• UNM Valencia Campus does not host public email services.  However all users must ensure that they are aware of possible threats that could compromise University systems.  Some of these could include viruses, phishing attempts, and social engineering.  Supervisors should make every effort to keep assigned staff and students up to date on new emerging threats.

INTRUSION DETECTION     

• Operating system and application software logging processes must be enabled on all host and server systems.  Where possible, alarm and alert functions, as well as logging and monitoring systems must be enabled. 
• System integrity checks of host and server systems housing critical data should be performed on a regular basis
.
• Intrusion tools should be installed where appropriate and checked on a regular basis.       
• CSS must monitor appropriate sources for security related information, relevant threats, vulnerabilities, incidents and relevant service patches, upgrades, or updates.

COMMERCIAL USE

• The University systems should not be used to host or generate data whose sole purpose is for commercial use.  University hosted web sites fall under this same category and should not host commercial endeavors. 

ACCEPTABLE INTERNET USE

• Due to limited bandwidth and computing resources at UNM Valencia Campus users should be considerate of others using the campus resources.  There have been numerous network slowdowns for Wide Area Network connections in the past and the Administrative Council has decided to block some internet sites.  As new resources are made available it could be possible to allow access to these sites in the future.  Please refer to the copyright section on the acceptable use of music, video and any file sharing that could fall under the intellectual property area. 

POLICY VIOLATION

Noncompliance or violation of the UNMVC Information Security Policy will result in revocation of the privilege to access information resources and may also include other disciplinary action, pursuant to all Policies of the University of New Mexico. Violations of Information Security Policy may include, but is not limited to, the following:        

• Any act that compromises information resource security.     
• Intentional unauthorized access, use, destruction, alteration, dismantling, disfiguring, or disabling of any University information resource, including but not limited to intentional introduction of a virus.     
• Disclosure of confidential information. This includes the sharing of passwords or leaving a terminal unattended while logged on in such a way that unauthorized transactions could be submitted.    
• Disclosure of confidential or secured information in violation of FERPA or other state or federal rules or regulation. 
• The use of data or other information resources for illicit purposes.       
• Unauthorized copying, storage or use of any software on any University computer in violation of the software licensing agreement.

APPEAL PROCESS FOR NON-COMPLIANCE

      Individual appeals of any of the above for administrators, academic personnel, staff, and students must be made by the following steps:

• A written memo from the user’s department head must be provided to the Associate Director of Business and Finance detailing the circumstances and the remedy to the policy violation.
     
• The Associate Director of Business and Finance will obtain a written memo from the CSS department or VMIS database administrator detailing the policy violation and recommendations for remedy.
       
• The Associate Director of Business and Finance will make the decision to reinstate the user’s access privileges

EXCEPTIONS

In certain cases, compliance with specific policy requirements may not be immediately possible.  Reasons include, but are not limited to, the following:       

• Required commercial or other software in use is not currently able to support the required features;
  
• Legacy systems are in use which do not comply, but near-term future systems will, and are planned for;
• The cost for reasonable compliance is prohibitive.

VC Home

  University Of New Mexico Valencia Campus   280 La Entrada Rd   Los Lunas, NM   87031   (505) 925-8500