Executive Summary

IT Appropriate Use Policy Document

Table of Contents

I. Executive Summary
II. Overview
III. Purpose
IV. Appropriate Use of IT Systems
    A. Interference with Normal Network Operation
    B. Harassing or Threatening Use
    C. Unauthorized Access
    D. Disguised Use
    E. Modifying the Network Infrastructure
V. Security of Physical Equipment
VI. Data Security
    A. Local Data
        1. Local Data Destruction
        2. Local Data Storage
        3. Local Data Backup and Recovery
    B. Network Data
        1. Provision of Network Data Storage
        2. Network Data Storage Backup and Recovery Policy
    C. Administrative Data Security
VII. E-mail Security
    A. Data Security (Backup)
        1. PC
        2. Macintosh
    B. Virus Protection
        1. Server Protection
        2. Workstation Protection (Attachments)
    C. E-mail Signature
VIII. Virus Protection
IX. Remote Access
    A. Dial-in to Network
    B. Dial-in to Workstation
    C. Virtual Private Network (VPN)
X. Network Security
    A. Servers
    B. Web Pages
    C. Attaching Personal Computers/Laptops
    D. Undocumented ports
    E. Password Security
    F. Sharing of IDs
    G. Generic Accounts
    H. Multiple Logins
XI. Workstation Security
    A. Microsoft Operating System and Browser Updates
    B. Netscape Updates
    C. Network Client Updates
    D. Software Updates
    E. Unattended Workstations
XII. Reporting Security Breaches
XIII. Violations
XIV. Acknowledgements

I. Executive Summary

SDSU Information Technology Security Policy

In order to provide the SDSU community the type of connectivity and support it expects, and in light of recent events, security has become one of the top priorities of this institution. In the following statements the SDSU Security Committee conveys the basic tenets that need to be followed by all in our community.

1. Passwords to access technology assets are a very necessary part of security. Please take this seriously. Hackers have published booklets on common types of passwords that are used such as “password”, “family member’s names”, “telephone, street address, birth dates, Social Security number”. The other thing users often do is tape their passwords to their monitor, slide out drawer in the desk, under the keyboard or on a check sheet on the wall. Please avoid these mistakes and take the use of a password seriously.

2. Each network user on campus is required to have a unique network ID in order to access the network. Generic accounts will not be allowed access to the network. Generic accounts are a security hole and a liability for every user associated with that account. If malicious activity occurs from a generic account, everyone with access to that account is responsible.

3. Leaving your office unlocked and your computer logged in creates an insecure environment. When you leave your office, log out of your computer, have a security screen saver engage if the keyboard is not touched for five minutes, or block access by locking your computer using the “Ctrl-Alt-Delete” keys and selecting “Lock Computer”. Locking the physical door to the room also is a great help to security.

4. E-mail security is a significant concern. Contrary to popular thought, E-mail is a public communication tool. Please do not put sensitive information in E-mail that you do not want the public to possibly know. Remember also that this is a public institution and therefore E-mail messages belong to the University.

5. Anti-virus protection is required. It is a fact of modern computing that there are people writing very destructive or at least very time-impacting programs to disrupt everyone’s day. Please make sure you have SDSU’s approved Anti-Virus program installed and running on your computer with the latest update.

6. Data security for desktop data must be considered. This data could be grades, account information, budgets, course materials, or web pages. Having this information secure is important. If the data is very sensitive, investigate file encryption and password protection. A rule of thumb is if you can’t afford to lose data, back it up three times. Once to your machine, once to the network and once to storage that you can secure off site. In all cases make sure you secure your data.

Last Updated 6/21/2010

The full SDSU User Security Policy document is available at http://www.sdstate.edu/fillinaddr/ or in paper copy upon request from Computing Services, 688-6136. It further explains these tenets in greater detail, and other security issues including:

• Network security
• Remote Access
• Equipment Security
• Workstation Software and Hardware Security
• Misuse of Computer Resources
• Reporting Security Breaches
• Penalty for Violation of Security Policy.

Remember technology security is an individual’s responsibility as a contributing member of the SDSU community. If you have a question about the policy contact the CITO. If the question is about security needs or concerns contact the SDSU CTS Help Desk at 688-6776.

II. Overview

The security of your computer equipment, data files, e-mail and other information and accounts is only as secure as you make it. No matter how many policies and procedures are implemented, if you, the user, don’t follow those policies and procedures, both your system and the university network system are at risk of data loss, as well as attack by hackers both inside SDSU and outside our institution.

Do you share your account IDs and passwords with other people? Do you know if they’re using those accounts properly? Are they disabling their accounts if they leave their work area? Do you always know who comes into your work area? What about after-hours access? Do you post your passwords in highly visible areas where anyone can read them? If someone asks for your account name or password over the phone or by e-mail, should you give it to him or her?

Do you bring data disks from home to work and vice-versa? Do you open attachments from strangers in e-mail? If you do either of these and don’t keep your anti-virus software updated you may unleash a virus on everyone listed in your personal address book and contact list. You may also suffer severe data loss on your own workstation.

Have you installed all the available security patches for your operating system, browser and application software for all the computers you use? Do you dial-in to your work computer from home? If you are not keeping your security patches updated your computer may be remotely accessed and used by a hacker to damage your own data and that of any other computers to which your computer has access on the SDSU network and beyond.

It may seem to be a nuisance to follow all these recommendations, but if you don’t, you may very well become another victim of a hacker. Even if you don’t suffer any data loss, your computer may be used to damage someone else’s system. And you may face disciplinary action because your account or workstation was used to cause the damage. In the end, you are responsible for your accounts and any activities initiated by those accounts.

III. Purpose

The purpose of this policy document is to ensure an information technology infrastructure that promotes the basic missions of SDSU in teaching, learning, research, and administration. In particular, this Policy aims to promote the following goals:

• To ensure the integrity, reliability, availability, and superior performance of IT Systems;
• To ensure that use of IT Systems is consistent with the principles and values that govern use of other BOR facilities and services;
• To ensure that IT Systems are used for their intended purposes; and
• To establish processes for addressing policy violations and sanctions for violators.

This document supersedes the existing SDSU IT Appropriate Use Policy.

IV. Appropriate Use of IT Systems

This document supplements the official Information Technology Appropriate Use Policy Manual published by the South Dakota Board of Regents by providing more detailed statements on permitted use and the extent of use that is considered appropriate. In the event of a conflict between IT policies, the BOR Appropriate Use Policy will prevail.

IT Systems may be used only for their authorized purposes -- that is, to support the research, education, administrative, and other functions of SDSU. The particular purposes of any IT System as well as the nature and scope of authorized, incidental personal use may vary according to the duties and responsibilities of the User.

Sometimes it is easier to define appropriate use by defining what is considered inappropriate use. Following is a list of activities that are expressly prohibited.

A. Interference with Normal Network Operation

Performing an act that will interfere with the normal operation of computers, terminals, peripherals, or networks.

Running or installing on any computer system or network, or giving to another user, a program intended to damage or to place excessive load on a computer system or network. This includes but is not limited to programs known as computer viruses, Trojan horses, and worms.

Attempting to circumvent data protection schemes or uncover security loopholes.

Activities will not be considered misuse when authorized by SDSU Information Technology Services for security or performance testing.

B. Harassing or Threatening Use

Using electronic mail, IRC, Chat, or other computer-mediated communication systems to intimidate or harass others in violation of University or Board policy, or state or federal laws.

C. Unauthorized Access

Using a computer account for which you do not have authorization.

Using the campus network to gain unauthorized access to any computer systems.

Attempting to monitor or tamper with another user’s electronic communications, or reading, copying, changing, or deleting another user’s files or software without the explicit agreement of the owner.

D. Disguised Use

Masking the identity of an account or machine.

E. Modifying the Network Infrastructure

Installing and/or running any type of server services on a workstation or attaching a dedicated server to the SDSU network without authorization from the Chief Information Technology Officer (CITO).

V. Security of Physical Equipment

The general University policy regarding equipment is to take ordinary care to protect University owned or managed equipment or data against unauthorized use or removal.

All employees have a responsibility to refrain from entering restricted areas for which they have no authorization, to refrain from using equipment for which they are not authorized, and to refrain from accessing or removing data or equipment that has not been authorized for access or removal.

Equipment is not defined merely as a “computer” (whether desktop, laptop or server). Network infrastructure equipment, such as switches and routers, as well as digital cameras, wireless access points, video recording equipment, and so on, should all be protected from damage, theft or misuse.

Specific procedures are outlined in Security of Physical Equipment.doc

VI. Data Security

When most people think of computer or information security, they focus on protecting equipment and data from damage, theft or misuse. Another aspect of data security is protecting data from degradation or accidental deletion, and protecting data from falling into the wrong hands when the media is being discarded or surplused.

The following sections outline policies regarding protecting data media via proper storage techniques, destroying data on media scheduled for surplus, and protecting data via proper backup and recovery routines.

A. Local Data

1. Local Data Destruction

The state of South Dakota implements and enforces property management procedures. State surplus procedures require that all data be permanently deleted from computer hard drives, diskettes, tapes and CD-ROMs prior to surplus or discarding. The Property Management Office at SDSU issues policy and procedure statements regarding data destruction. This document may be viewed by linking to Data Destruction via Fdisk.doc

Media (diskettes, CD-ROMs, tapes) scheduled for surplus should be erased prior to being turned over to Property Management or discarded. If you cannot erase the media and it contains sensitive or confidential information, destroy the media.

2. Local Data Storage

As users we assume that our data will always be available from whatever media it’s stored on as long as there is no physical damage to the media. We forget that all data is stored in an electro-magnetic format on floppy disks, hard drives, CDs and tapes.

SDSU recommends that each department should provide each user with equipment for storing data media (e.g., a diskette or CD case) so that data is protected from damaging electro-magnetic fields (e.g., on top of your monitor, near your printer, speakers or CPU, next to your phone, etc.), direct sunlight and heat, or moisture (e.g., that accidental coffee spill).

Furthermore, users must be informed that all data storage media are subject to physical degradation from magnetic fields, oxidation, and material decay over time. The chances that the electro-magnetic field of the media will have degraded, resulting in data loss, are high. CD-Rs have an estimated life of 50-100 years IF they are handled and stored properly, compared to 10-20 years for properly handled and stored digital magnetic tape. However, most users do not store their data under optimum conditions – a cool (65 degree F), dry environment shielded from magnetic fields, heat, radiation, and sunlight.

Given the temporal nature of data storage devices it is the recommendation of SDSU IT staff that users keep multiple backups of critical data. Furthermore, if data is stored on a floppy disk, it is recommended that the data should be transferred to new media every 3-5 years.

3. Local Data Backup and Recovery

Each user is responsible for managing and maintaining the data stored locally on the computer(s) assigned them. This does not mean you have to perform the backup yourself. It does mean you are responsible for ensuring it is done, whether or not you do it or have an IT professional do it for you.

The only exception to user responsibility for backup is in the case where a hard drive must be replaced or reformatted, or the operating system reinstalled. It is then the responsibility of the technician to notify the user in advance of the repair so that they have an opportunity to back up their data. If advance notice (minimum of 24 hours) is not given, it is the responsibility of the technician to backup critical data and registry information for the user.

Computing Services provides access to a backup utility that stores data on the mainframe via the network (the program is called ADSM). If you utilize a service such as ADSM, be aware that Computing Services is not responsible for the integrity of the data being backed up. If the data is already corrupt, the backup will also be corrupt. Check your data for corruption prior to backing it up.

Some departments also provide disk-imaging services. Contact your Computer Support Specialist (CSS) for information about the availability of this service, and/or assistance in backing up or restoring your data.

If you backup your data yourself, test the restore function to verify the backup worked properly. If you need assistance in backing up your data, please contact your CSS, IT group or the Help Desk at 6776.

For information on a recommended backup routine, please follow this link to Recommended backup routine.doc

B. Network Data

1. Provision of Network Data Storage

It is the policy of ITS to provide 1 megabyte of free data storage space in the home directory for each valid user account (staff, faculty, student employees) on the SDSU1 server. Other IT divisions or departments that own or manage a server may have different policies in place. Contact your support representative for information.

2. Network Data Storage Backup and Recovery Policy

Users choosing to store data on a network volume or Home directory will have their data backed up regularly by the IT department hosting the storage server.

There may be a charge for storing data on a server (network) volume. Refer to the following link for information about requesting network storage space and pricing policies. Network storage space rental.doc

C. Administrative Data Security

Faculty, staff and students have a legal right to the protection of both personnel and personal information. Employees are charged with safeguarding the integrity, accuracy, and confidentiality of information as part of the condition of employment. Furthermore, former employees are expected to maintain the confidentiality of any administrative data after termination of employment with the institution.

Printers used to print sensitive and confidential information should be located either in a well-monitored area or locally attached to the workstation. Shred or destroy paper copies of sensitive information when no longer needed. Refer to Records Retention and Destruction.doc for information on these procedures.

Additional detail on procedures for handling administrative data is available at the following links: Student Records.doc and SDSU Privacy Act and Procedures.doc

VII. E-mail Security

A. Data Security (Backup)

1. PC

Outlook is the supported e-mail client for PC users at SDSU. Information Technology Services (ITS) routinely backs up e-mail stored on the Exchange server. Mail on the Exchange server is backed up incrementally on both a daily and weekly basis. A full backup of all e-mail accounts on the server is performed monthly.

Users automatically downloading messages to the Inbox under “Personal Folders” are responsible for backing up their own e-mail.

2. Macintosh

The currently supported e-mail client for Macintosh users at SDSU is Eudora Pro, but a migration is underway to move users to Outlook 2001. Once the migration is complete Outlook will be the supported e-mail client for Macintosh users, due to its support for Exchange, backup capability, and calendaring/scheduling features.

Eudora Pro users cannot directly store mail data on the Exchange server so it cannot be automatically backed up by ITS. Eudora Pro users are encouraged to install and use a backup program, such as ADSM, to backup e-mail folders.

B. Virus Protection

1. Server Protection

ITS installs, manages and maintains anti-virus software on the Exchange server and routinely scans all messages for viruses. However, users must also install and run anti-virus software on their workstations whether university owned, or personally owned and used for remote access. Contact your CSS or the CTS Help Desk at 6776 for assistance.

2. Workstation Protection (Attachments)

As a general security policy, it is recommended that e-mail attachments never be opened directly from e-mail. However, given human nature, SDSU IT staff recognizes that opening work documents sent as e-mail attachments is a timesaving convenience people are loath to give up. Recognizing this, please refer to the following rules when dealing with attachments:

When sending attachments, include information about the attachment in either the subject line or body text. Example: “This file, mydocument.doc, is a Word 2000 document. It contains information about blah, blah, and blah.” You might even send e-mail to the recipient prior to sending the attachment notifying them that you are sending a file.

Always exercise caution when opening e-mail messages that contain attachments.

Do not open attachments while in e-mail from people you know where the message contains a subject line or grammar foreign to that particular sender. If you feel you must open the attachment, save it to your hard drive and scan it for viruses first.

Never open attachments from strangers in e-mail. It’s safest to just delete the message. If you feel you must open the attachment, save the attachment to your hard drive first and scan it for viruses before you open it.

For assistance in saving attachments and scanning them, please contact your CSS or the CTS Help Desk at 6776.

C. E-mail Signature

In light of all the recent and on-going events concerning security awareness it is recommended that you identify yourself in all e-mail messages.

Be sure to "sign" the message with your name, title, and some contact information (phone number or building location). This helps new faculty and staff on campus recognize the message is from a "trusted" source. It also helps identify you to off-campus recipients as well.

In order to save time, use the "Tools/Options/Mail Format/Signature" option found at the top tool bar on your Outlook window. You can set up a signature block that appears on every message automatically.

VIII. Virus Protection

Computer viruses are spreading. Virus protection software saves time, money, and valuable data.

Anyone responsible for University owned computer equipment (including Personal Digital Assistants (PDAs)), or users sharing data and files from a home computer with a computer owned by SDSU, must install the virus protection software package supported by the University on each computer used for e-mail, internet browsing, or file sharing.

SDSU has licensed and registered Norton Antivirus software from Symantec for PCs and Macintosh computers for all SDSU staff and faculty. The Symantec license agreement provides for installation on home computers used for work purposes. Specifically the licensing agreement reads, "If a single person uses the computer on which the Software is installed at least 80% of the time, then after returning the completed product registration card which accompanies the Software, that person may also use the Software on a single home computer."

The University recognizes that no virus protection software will catch or stop all viruses. However, this software will detect most viruses, worms and Trojan horses, assuming the software is updated on a regular basis. Anti-virus vendors update virus definitions as needed, sometimes daily. SDSU recommends that each user, or the departmental CSS, update the anti-virus program virus definition files no less than twice a month, or immediately after the campus security officer sends official notification of a virus attack. Please contact your CSS or the CTS Help Desk at 6776 for assistance in updating anti-virus software.

Any individual who has reason to believe that a virus is present in his/her computer should notify their CSS or the CTS Help Desk immediately (688-6776). The CSS or ITS staff will provide assistance in identifying and removing the virus and reconstructing the files, if necessary and possible. Failure to notify IT staff may result in disciplinary action if the virus spreads beyond your computer.

SDSU reserves the right to withhold network and Internet service from any faculty or staff who do not conform to this policy. Individuals who knowingly transport and disseminate viral programs will be held responsible under the appropriate civil or university conduct code.

Contact your CSS or the CTS Help Desk at 6776 for assistance in obtaining anti-virus software.

  • IX.Remote Access A.Dial-in to Network Users must authenticate through a secure system approved by the SDSU Chief Information Technology Officer (CITO). Most users will authenticate through a Novell account. AIT users authenticate through a secured (Cisco) access server. For more information about using this service contact the Help Desk at 6776 or AIT, as appropriate. B.Dial-in to Workstation Direct remote access to a workstation poses a high security risk to the institution due to the lack of direct control of the remote workstation. If security measures are ignored or executed poorly there is a strong possibility that either the user’s remote workstation or another workstation operated by a hacker may be used to illegally access, remove, or disrupt information and data at SDSU and other sites. Virus infections are also more easily transmitted by poorly maintained remote (personal) computers. Consequently, SDSU IT staff has developed a set of procedures that must be strictly adhered to by all SDSU staff and faculty who dial-in directly to a workstation from either home or work, using software such as RAS and pcAnywhere. Click on the following link to obtain a listing of these procedures. Remote dialin procedures.doc Failure to follow these procedures will result in either a loss or restriction of this privilege and/or appropriate disciplinary action as outlined in the appropriate code of conduct. C.Virtual Private Network (VPN) Virtual Private Network availability is in the beta-testing stage. X.Network Security A.Servers Servers of any kind (web, ftp, Novell, Microsoft, etc.) may not be installed, configured, or otherwise managed without express written permission from the CITO. The request may be placed with any member of the DOIT committee (the directors of AIT, Computing Services, ITC, ITS and the Dean of the Library). B.Web Pages Only authorized web pages at SDSU will be accessible from the Internet. 
Contact the Web Administrator in either ITS or University Relations for more information. C.Attaching Personal Computers/Laptops Faculty, staff and students may connect privately owned computers to the SDSU network with the understanding that those computers must comply with all SDSU IT, Security and Desktop Standards policies and procedures. Failure to comply with these policies and procedures will Last Updated 6/21/2010 10
  • result in immediate loss of network access for the offending computer and possible disciplinary action against the owner of the computer. D.Undocumented ports ITS maintains a master list of all network switch ports that have been requested for use. Any ports not documented as being in use will be disabled to discourage misuse (e.g., hacking or theft) of resources. E.Password Security One of the easiest ways for others to access your computer is to guess the password. The shorter the password, the easier it is to guess. For this reason all network and e-mail accounts have a minimum password length requirement that will be provided to you by your system administrator at the time the account is created. Additional passwords, with different character length requirements, naming conventions and expiration periods will be assigned to programs that access sensitive or confidential information (such as wIntegrate). Procedural documents for accessing these types of programs are given to users when they are granted access to the program by the department managing the system. SDSU IT staff recommends that you deter hacking by internal users by making it difficult to access the password. Do not write down your passwords and leave them attached to the monitor, workstation, CPU, desk, wall, under a keyboard or any easily accessible area. Also avoid creating a "hot" key that can be used to gain access to other computing resources. Passwords should be chosen by and known only to the individual user responsible for the ID or their designated representative (e.g., your departmental CSS). In other words, do not share your passwords with anyone else, unless absolutely necessary (for example, sharing with the technician repairing your computer). Never give out your password over the phone. The only time a password might be given over the phone is to perform a password reset. In this case the Network Administrator or Help Desk staff will call you to tell you the new password. 
The Network Administrator or Help Desk staff will also make a reasonable effort to validate the identity of any person requesting a password reset. Proof of your identity may be required before passwords are reset to systems accessing sensitive or confidential information.

SDSU IT staff recommends you deter password hacking by making it difficult to guess the password. After the first successful login, users must reset the password. It is recommended that the password be alphanumeric. Make the password something easy to remember so you don’t have to write it down (e.g. DrS3uss, Mel0d1e).

F. Sharing of IDs

Sharing of network/workstation account IDs and passwords is strongly discouraged due to the potential for misuse or abuse of the account. If you share your ID for any account and it is misused, you will be subject to appropriate disciplinary procedures, as you are the party responsible for that account.
If properly configured, e-mail and calendars can be shared without logging in to another user’s account. If you need to share your e-mail inbox or calendar (for example, with your secretary) please contact your CSS or the CTS Help Desk for information about this e-mail feature.

G. Generic Accounts

Each network user on campus is required to have a unique network ID in order to access the network. Generic accounts will not be allowed access to the network. Generic accounts are defined as accounts that do not identify a single user or workstation – for example, an account named “workstation”, or “student”. Generic accounts are a security hole and a liability for every user associated with that account. If malicious activity occurs from a generic account, everyone with access to that account will be held responsible for that activity.

H. Multiple Logins

Users will be allowed 2 concurrent connections to eliminate login problems when the connection is not cleared properly. Users who desire additional concurrent connections must call the Help Desk at 6776 with the request. The need must be clearly documented in the HEAT ticket. Unless a clear need for multiple logins is demonstrated, all requests for multiple logins will be denied.

Users with multiple login rights are responsible for the activities of the workstations to which they are connected. It is important to log out of workstations that will be unattended. If this is not possible, access to the workstation should be limited (for example, lock the door to the room (best), or lock the workstation (Ctrl-Alt-Del, then Lock Workstation)).

XI. Workstation Security

Each department needs to make a commitment to promoting a secure computing environment. If a CSS is available, they should make sure that all published security patches for the operating system, browsers, network client and software are installed on each workstation they manage.
Departments without a CSS should contact ITS for assistance or training for users so they are able to maintain their own workstations. ITS publishes security patches at http://sdsu1.sdstate.edu.

Following are the recommendations of SDSU IT Staff regarding workstation security. Please check with your CSS or other IT professionals before performing product upgrades, in case there are compatibility issues with other programs or other pertinent information.

A. Microsoft Operating System and Browser Updates

It is recommended that all users check the following URL at least once a month to download and install the most recent security updates and patches for their operating system and the Internet Explorer browser.

http://windowsupdate.microsoft.com/

Windows 2000 users may also use the Windows Update feature under the Start menu.
Contact your CSS or the Help Desk for assistance, or information on compatibility issues (for example, IE 6 blocks the execution of some script types and plug-ins, disabling some web pages).

B. Netscape Updates

It is recommended that the Netscape browser be updated at least once a month so that the most recent security patches are applied to the workstation. Check for patches at http://browsers.netscape.com/browsers/main.tmpl

Contact your CSS or the Help Desk for information prior to upgrading to new versions of Netscape to check for compatibility issues (for example, Netscape 6.x is incompatible with some features of WebCT).

C. Network Client Updates

It is recommended that the CSS or other designated departmental computer support personnel keep the Novell client updated on each of their users’ computers.

D. Software Updates

It is recommended that the CSS or other designated departmental computer support personnel install software security updates and patches as they become available (e.g. Microsoft Office products, including Outlook; Eudora Pro).

E. Unattended Workstations

Workstations should be locked (press Ctrl-Alt-Del, then choose Lock Workstation; to unlock the workstation, follow the instructions on your screen and use your Novell login/logon password) or logged off to a point that requires a new log-on whenever employees leave their work area, to prevent unauthorized access of an account or unauthorized access to confidential information. You may be subject to disciplinary action if your workstation is misused or damaged in your absence, as you are the party responsible for the workstation and any open accounts.

XII. Reporting Security Breaches

If you suspect your computer security has been compromised, contact the CTS Help Desk immediately at 688-6776. The Help Desk staff will put you in contact with the SDSU Security Officer, who will begin working with you to document and correct the problem.
It may be necessary to deactivate your network connection while the problem is being investigated.

If the security breach occurs after 8pm, Monday-Thursday, after 5pm Friday, or during a weekend, turn your computer off immediately and leave it off until an ITS staff person contacts you. Leave a voicemail message with the CTS Help Desk informing them of the nature of the problem.

XIII. Violations

Violations of any of these policies and procedures may result in either a loss or restriction of network/Internet access. Failure to observe these guidelines may also result in disciplinary action as outlined in the appropriate SDSU code of conduct. The severity of the disciplinary action will depend upon the type and severity of the violation, whether it causes any liability or loss to the institution, and/or the presence of any repeated violation(s).
XIV. Acknowledgements

These policy statements were formulated using information gained from policy statements prepared by the following universities and organizations:

Baylor University University of Colorado University of Nebraska Michigan State University Northern Illinois University Harvard University Arts and Science Computer Services Iowa State University Office for Academic Information Technologies University of Nebraska Brown University.

http://www.qualitymag.com/articles/1999/may99/0599qc.html, Jim Hunt, “Fend Off Data Degradation”.

SDSU acknowledges the contribution of those institutions in concept development and specific policy language incorporated into this policy.
Developed by:                                Date:
Del Johnson, Director, Computing Services    June 21, 2010
Melodie Lichty, ITS
Jim Kepford, ITS/Briggs Library
Rick Anderson, AIT
Jim Lurvey, ITC
Andy Conley, ITS
Jeff Mahlum, ITS

Approved by: Officer or Group    Date

Date Revised by:

Last printed 8/8/2002 03:17:00 PM