Minimum Information Security Environment Policy
Policy
Rationale
Standards & Procedures
Revisions
Approval Dates
(Summary of Changes/Additions/Deletions)
Policy
The university has both the right and the obligation to manage, protect, secure and control the electronic information resources of the university.
Rationale
The Associate Provost for Information Systems and Technology, as Chief Information Officer, is responsible for ensuring that Georgia State University has adequate information security so that systems and data are available for appropriate purposes. The basic standards and guidelines described in this policy define the minimum acceptable environment for operating and accessing information systems.
Standards & Procedures
Standards
Authorized Access to Information Systems (Accounts). Authorized access to the university’s information systems is the granting of authority to approach, enter, make use of, and exit the university’s information systems. Access is accomplished via an account, which is a record kept by operating systems for each authorized user of information systems for the purpose of identification, administration and security. Users are required to obtain proper authorization prior to accessing the university’s information systems.
Guidelines establishing eligibility to receive authorized access:
- Every university employee or student eligible to register may be granted access to university information systems
- Users shall not be granted access in excess of the level required to perform their job responsibilities
- Individuals providing services to the university may with appropriate authorization be granted access to university information systems
- Users shall not misrepresent their identity or relationship to the university when accessing the information systems
- Users shall not access information systems that they are not authorized to access
Configuration for Network Connection. Configuration refers to the version of the operating system installed on a workstation, desktop or laptop computer. Because each operating system version may handle other applications differently, users must consult the current procedure for securing each device to determine the correct accompanying versions of Novell NetWare, GroupWise, AntiVirus and VPN client needed for access to the Georgia State Network. Users should be aware that a local decision to continue using an unsupported operating system version could result in denial of network connection, because newly discovered vulnerabilities in that version will not be patched by the software vendor.
Passwords and Userids (Authentication Methods). A userid combined with a password is one method of authentication (and the one most commonly recognized by the average user). A userid is the name by which a person is known and addressed on the University’s information systems. The password, used in conjunction with the userid, is a secret string of characters that the user enters to prove that they are the holder of that userid. Users must follow the standards for creating passwords defined in the "Create or Change a Password" document (see link in Procedures section). Other recognized forms of authentication include, but are not limited to, smart cards, swipe cards, one-time passwords, digital signatures, digital keys and biometrics. Users must have a valid method of authentication before they will be authorized to access the information systems.
Guidelines regarding the use of userids and passwords:
- Users must not use accounts or passwords that they have not been authorized to use, or have not been assigned to them
- Users shall not give passwords to unauthorized users
- Users shall not share userids and passwords
- Users must effectively control the creation, use and maintenance of passwords in order to prevent unauthorized access to, and the destruction, modification or deletion of, sensitive data
- Users are responsible for securing their passwords from inadvertent disclosure
- Users are responsible for any activity carried out under their account identification
Secure Disposal or Re-use of Information Systems Equipment. Prior to disposal or re-use, the storage media in equipment should be sanitized so that previously stored data cannot be recovered and exposed to unauthorized parties. Disposal of equipment shall be done in accordance with all applicable state or federal surplus property and environmental disposal laws, regulations or policies.
Software Licensing. Valid licenses are required for each end user for all commercially developed software operating on systems used by that user. Responsibility for centrally managed and distributed software lies with IS&T. Colleges and operating departments are responsible for approving and retaining documentation on software (other than centrally managed software) installed on devices within their areas of responsibility. At a minimum, colleges and operating departments should be able to show the original licensing materials (packaging, hologram software seal, authorization codes, etc.), the date of installation, and the serial number (or Georgia State University inventory number) of the equipment on which the software was installed. Colleges and operating departments are responsible for developing and managing their own procedures for collecting and maintaining licensing records.
Physical Security. Physical security refers to protecting the equipment that makes up an information system environment or personal computing device from harm or loss. Information systems must be safeguarded in a way that minimizes the risk of abuse, theft and destruction.
Guidelines regarding physical security:
- Users must implement appropriate protection measures including physical barriers, environmental detection and protection, insurance and/or other risk management techniques
- Users must not leave mobile computer systems unattended for extended periods of time and shall utilize locking devices responsibly
- Users shall protect information systems by utilizing protective measures such as locked screens and password-protected screen savers
Securing University Information Systems. Securing systems refers to the protection of a computer system and its data from harm or loss, particularly the prevention of access by unauthorized individuals. Users are responsible for properly securing their information systems.
Guidelines for securing systems:
- Users shall not knowingly defeat or attempt to defeat the security of information systems
- Users must take reasonable precautions in ensuring that they do not disseminate viruses and malicious programs to other users
- Users must configure University mail servers so that they cannot be used as open (third-party) mail relays
- Users are responsible for monitoring the security of their own information systems
- Users who are permitted to provide network or computer-based services are required to take reasonable precautions to ensure that information systems being used for this purpose are not compromised or used by unauthorized users; see the Sensitive Information Protection Policy for guidelines
University Information Security Officer (ISO). The Information Security Officer (ISO), as designated by the Associate Provost for Information Systems and Technology, has responsibility for developing and publicizing university information security policies as well as monitoring compliance with those policies and all applicable laws, rules and regulations. The ISO coordinates the standards, procedures and guidelines necessary to administer access to university information resources. The ISO works in conjunction with information resource owners, the university data administrators and functional users to develop this material.
Procedures
Create or Change a Password
Erase Data Prior to Equipment Surplus or Re-Purposing
Request Access to University Information Systems
Secure Your Workstation
Note: To view a list of university supported user devices and operating systems, link to the Version Matrix for Supported User Device Operating Systems.
Revisions
Revised for compliance with ISAT Senate Committee recommended formatting
(January 2003)
Approval Date(s)
Reviewed by IST:
Reviewed by Information Security Subcommittee:
Reviewed by ISAT Senate Committee:
Approved by: Administrative Approval
Approved on: January 6, 2004
Version number: 2.0.0
Effective Date: January 6, 2004
Summary of Changes/Additions/Deletions
This policy was originally approved by the University Administrative Council on March 3, 1999. This revision re-validates the intent of the policy. This revision places the original policy into the ISAT Senate Committee recommended format for clarity and ease of reference and update. As a result of this reformatting, sections on Purpose, Scope, Policy Awareness, Violations, and Revisions have been deleted as those areas are covered by the University Information Systems Use Policies document. Section on Access to Data has been incorporated into the Data Stewardship and Access to University Information policy. The revision also incorporates specific standards relating to the configuration of network devices and for the management of software licenses.
Secure Disposal or Re-use of Information Systems Equipment standard and procedures added January 3, 2005.