Information Resources Security Procedures

The UA Fort Smith Information Resources Security Procedures were developed to educate authorized users about the need for, and the means of, protecting the University's information resources. The following topic areas of cyber security have been identified, and procedures established, to administer the Electronic Communications and Web Site Policy. Copies of this policy can be found in the UA Fort Smith Employee Handbook or on the UA Fort Smith Web site.

I. Introduction

Information technology has brought new administrative concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Practices must be established to ensure that hazards are eliminated or their effects minimized.

The focus of Information Resources Security is on ensuring protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the surrounding investment is the impetus for establishing an Information Resources Security program.

Protecting information assets requires the physical protection of information processing facilities and equipment, together with:

  1. Maintenance of application and data integrity.
  2. Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls.
  3. Protection against unauthorized disclosure of information.
  4. Assurance of the continued availability of reliable and critical information.

Many program operations that traditionally were manual or partially automated are today fully dependent upon the availability of automated information services to perform and support their daily functions. The disruption or loss of information support services may adversely affect the University's ability to administer programs and provide services. The effects of such risks must be eliminated or minimized.

Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside of UA Fort Smith. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of UA Fort Smith programs, violating individual rights to privacy, violating copyrights, and/or facing criminal penalties.

An effective and efficient security management program requires active support and ongoing participation from all areas of the University.

Responsibilities include:

  1. Identifying vulnerabilities that may affect information assets.
  2. Implementing cost-effective security practices to minimize or eliminate the effects of the vulnerabilities.

The procedures in this document apply to all applications and resources operated by UA Fort Smith. All authorized users are required to adhere to the standards in this document. University data can be better protected if all areas work together. In the remainder of this document, Information Resources will refer to:

  1. Network Resources - the University computer network.
  2. Hardware Resources - all computing resources operated by the University.
  3. Software Resources - all applications owned by or licensed to the University.

II. Information Resources Security Procedures

A. Procedure Applicability

The Information Resources Security Procedures apply to all University personnel, students, and guests accessing applications or computer systems within the University. They also apply to contract personnel when they access applications in use for the University or computer systems operated within the University.

The procedures in this document are intended to allow for the proper use of all University computing and network resources, effective protection of individual users, equitable access, and proper management of those resources. The procedures presented are intended to supplement, not replace, all existing laws, regulations, agreements, and contracts which currently apply to these services.

B. Procedure Statements

It is the policy of UA Fort Smith that...

B. 1. Use of Information Resources

  1. Appropriate use of Information Resources includes independent and supervised study, authorized research, independent research, communications, and official work of the University and recognized student campus organizations. (See Electronic Communications and Web Site Policy)
  2. Intellectual property rights will be upheld.
  3. Rights to the use of software purchased by, owned by, or licensed to the University are the property of the University and shall be protected as such.
  4. Individuals who believe they have experienced computer generated harassment or illegal discrimination are encouraged to contact the appropriate administrative office to file a complaint. (See Electronic Communications Policy)

B. 2. Violation of the Electronic Communications Policy and Security Procedures

  1. Violations of these policies and procedures will be reported to the appropriate senior staff.
  2. Violations of these policies and procedures that may be violations of state and federal laws will be reported to the proper authorities.
  3. Persons violating these policies and procedures will be subject to appropriate administrative and criminal sanctions.
  4. Information Resources are valuable assets and unauthorized use, alteration, destruction, or disclosure of these assets is a computer-related crime, punishable under Arkansas statutes and federal laws.
  5. Attempting to circumvent security or administrative access controls for Information Resources is a violation of these policies and procedures. Assisting someone else or requesting someone else to circumvent security or administrative access controls is a violation of these policies and procedures.
  6. See Electronic Communications Policy

B. 3. Notification of the Electronic Communications Policy and Security Procedures

  1. The University Electronic Communications Policy and Security Procedures will be included in the University Employee Handbook and a hardcopy provided to all employees. Reference will be made to the Electronic Communications Policy and Security Procedures in the student handbook, and students will be directed to the University Web site.
  2. Employees and contractors will be notified of any modifications made to these policies and procedures.
  3. All employees accessing a mission critical administrative application must receive appropriate training for using the application and must acknowledge the security and privacy requirements for the data contained in the application.
  4. Appendix C - Personnel Security and Security Awareness contains additional information.

B. 4. Logon IDs and Passwords

  1. Logon IDs and passwords must control access to all Information Resources except for those specific resources identified as having public access such as the University's Internet Web Site.
  2. See Appendix B - Password Management, for password and password management requirements.

B. 5. Confidential Information and Privacy Expectations

  1. Information that is confidential by law must be protected from unauthorized access or modification. Confidential information shall be accessible only by personnel who are authorized by the owner on a basis of strict "need to know" in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as confidential in its entirety.
  2. An auditable, continuous chain of custody shall record the transfer of confidential information. When confidential information from a department is received by another department in connection with the transaction of University business, the receiving department shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing department.
  3. UA Fort Smith is a public institution subject to the requirements of the Arkansas Freedom of Information Act (FOIA). The FOIA provides that all records maintained in public offices or by public employees within the scope of their employment shall be presumed to be public records, which shall be open to inspection and copying, by any citizen of the State of Arkansas. Therefore, University employees should have no expectation of privacy in any of their written or electronic correspondence conducted within the scope of their employment with the University.
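
One way to make the transfer record in B.5.2 "auditable and continuous" is a hash-chained ledger in which every transfer entry commits to the previous one, so that an altered or deleted entry breaks the chain. The following is an added example and not part of the UA Fort Smith procedures; the entry fields, the SHA-256 chaining, and the rule that a receiving department may only add to (never drop) the conditions it inherited are assumptions of this example, and the record identifiers and unit names are constructed.

```python
"""Hash-chained chain-of-custody ledger for transfers of confidential records.

Added example, not part of the UA Fort Smith procedures. Field names, the
SHA-256 chaining and the condition-inheritance rule are assumptions here.
"""
import hashlib
import json
from dataclasses import asdict, dataclass
from typing import Optional

GENESIS = "0" * 64  # prev_hash of the first entry


@dataclass(frozen=True)
class Transfer:
    seq: int
    record_id: str
    from_unit: str
    to_unit: str
    conditions: tuple  # confidentiality conditions imposed by the providing unit
    timestamp: str     # ISO 8601 string supplied by the caller
    prev_hash: str     # digest of the previous entry (GENESIS for the first)

    def digest(self) -> str:
        # Canonical JSON so the same entry always hashes to the same value.
        canonical = json.dumps(asdict(self), sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class CustodyLedger:
    def __init__(self) -> None:
        self.entries: list[Transfer] = []

    def latest_for(self, record_id: str) -> Optional[Transfer]:
        """Most recent transfer of a record, or None if it has never moved."""
        for entry in reversed(self.entries):
            if entry.record_id == record_id:
                return entry
        return None

    def record(self, record_id: str, from_unit: str, to_unit: str,
               conditions: tuple, timestamp: str) -> Transfer:
        """Append a transfer, enforcing continuity of custody and of conditions."""
        last = self.latest_for(record_id)
        if last is not None:
            if last.to_unit != from_unit:
                raise ValueError(f"{from_unit} is not the current custodian of {record_id}")
            # The receiving unit must keep the providing unit's conditions; it may
            # add restrictions but not remove any.
            if not set(last.conditions) <= set(conditions):
                raise ValueError(f"transfer of {record_id} drops inherited conditions")
        prev_hash = self.entries[-1].digest() if self.entries else GENESIS
        entry = Transfer(len(self.entries), record_id, from_unit, to_unit,
                         tuple(conditions), timestamp, prev_hash)
        self.entries.append(entry)
        return entry

    def verify(self) -> Optional[int]:
        """Return None if the chain is intact, else the index of the first bad entry."""
        expected_prev = GENESIS
        for i, entry in enumerate(self.entries):
            if entry.seq != i or entry.prev_hash != expected_prev:
                return i
            expected_prev = entry.digest()
        return None


if __name__ == "__main__":
    ledger = CustodyLedger()
    ledger.record("record-42", "Registrar", "Financial Aid",
                  ("confidential",), "2024-03-01T09:00:00Z")
    ledger.record("record-42", "Financial Aid", "Internal Audit",
                  ("confidential", "audit-only"), "2024-03-02T10:00:00Z")
    print("chain intact" if ledger.verify() is None else "chain broken")
```

Each entry's digest covers its own prev_hash, so editing any entry except the last is detected by the entry that follows it. Tampering with the most recent entry is only detectable if the head digest is also recorded somewhere the ledger's operator cannot change, for example reported to the data owner at each transfer.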

B. 6. Physical Security

  1. All information processing hardware that contains, or can be used to access, confidential information must be located in areas that are secured from unauthorized access. This includes printers.
  2. Physical access to these areas shall be restricted to authorized personnel.

B. 7. Workstations Security

  1. Workstations used for sensitive or critical tasks must have adequate physical and electronic controls to provide continued confidentiality, integrity, and availability of data stored on the system.
  2. All workstations must have updated virus protection software installed and enabled.
  3. Users with workstations running Windows NT/2000/XP must execute the "Lock Workstation" function anytime they leave their immediate work area unless the workstation is running a password protected screen saver or is in a "locked-down" environment.
  4. Users with workstations running Windows 95/98 must execute the "Shutdown - Log on as another user" function anytime they leave their immediate work area unless the workstation is running a password protected screen saver or is in a "locked-down" environment.
  5. All other workstations will employ similar security procedures.

B. 8. Application Development Controls

  1. All information technology services and systems developed by or acquired by the University must be approved by the Associate Vice Chancellor for MIS or his designee. This will allow an appropriate analysis of security risks and the ability to recommend controls (including access control systems and contingency plans).
  2. Should the system be developed in house, the developer should first try to use the current University-wide security system. (Example: if the system is PC based, it should use the Network security; if the system is to work in conjunction with Banner, its security should come from Banner.) Should the current security system not be viable, the developer should work with the security team to develop and implement a security system comparable to the Network security and/or Banner security. (The design, testing, and implementation of systems should follow the general guidelines of System Analysis and Design.)
  3. All software installed on University equipment must be approved by the Associate Vice Chancellor for MIS or his designee to ensure the required hardware is available and the software is acceptable to current computing standards and security policies. Once the software has been received, a member of the MIS staff must install it and ensure security controls are in place.

B. 9. Internet / Intranet / Extranet Access

  1. System vulnerabilities must be identified, and security solutions that effectively balance risk exposure, expense, functionality, and usability must be sought. (See Electronic Communications Policy)
  2. People and processes that are granted access will be given the minimum access sufficient to perform their job tasks.
  3. All services, protocols, and ports that are not required must be disabled.
  4. All entry points must be hardened.
  5. Any capability for inbound modem traffic must be documented and granted by the Associate Vice Chancellor for MIS, or his designee.
  6. Any use of remote control software (such as PCAnywhere and VNC) must be documented and granted by the Associate Vice Chancellor for MIS, or his designee.
  7. All physical access points into the network, either wired or wireless, must adhere to all security requirements and must be authorized by the Associate Vice Chancellor for MIS or his designee.
  8. All personnel must be educated on the nature, purpose, and importance of security measures.
  9. Periodic checks must be performed on University information technology resources to detect intrusions.
  10. All confidential information traveling over an insecure medium must be encrypted.
  11. Password/access and identifications for former users must be revoked. Access permissions for employees who change roles must be reviewed.
  12. System security measures must be audited periodically by the Associate Vice Chancellor for MIS, or his designee. Audits can be internal, peer-to-peer, or professional.
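
Items 3, 6 and 12 above (unneeded services, protocols and ports disabled; remote control software only where granted; periodic audit) can be checked on a host by comparing what is actually listening against a written allow-list. The following is an added example, not part of the UA Fort Smith procedures: it parses text in the shape of `ss -lntup` output and reports every listener that is not on the list, or that is bound more widely than the list permits. The sample output and the "web server" allow-list are constructed for the example and are not taken from any University system.

```python
"""Audit listening sockets against an approved-service list.

Added example, not part of the UA Fort Smith procedures. The allow-list and
the sample socket listing below are constructed, not captured from a real host.
"""
import re
from dataclasses import dataclass
from typing import Optional

# Constructed sample in the shape of `ss -lntup` output (Linux); not from any real host.
SAMPLE_SS_OUTPUT = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=812,fd=3))
tcp   LISTEN 0      511    0.0.0.0:443        0.0.0.0:*         users:(("nginx",pid=1043,fd=6))
tcp   LISTEN 0      128    127.0.0.1:3306     0.0.0.0:*         users:(("mysqld",pid=1201,fd=21))
tcp   LISTEN 0      5      0.0.0.0:23         0.0.0.0:*         users:(("inetd",pid=640,fd=5))
udp   UNCONN 0      0      0.0.0.0:161        0.0.0.0:*         users:(("snmpd",pid=955,fd=8))
tcp   LISTEN 0      128    0.0.0.0:5900       0.0.0.0:*         users:(("x11vnc",pid=2210,fd=4))
"""


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


@dataclass(frozen=True)
class Approval:
    reason: str
    bind_only: Optional[str] = None  # if set, the service may listen only on this address


# Hypothetical allow-list for a "web server" role; an assumption of this example.
APPROVED = {
    ("tcp", 22): Approval("SSH administration"),
    ("tcp", 443): Approval("public web service"),
    ("tcp", 3306): Approval("database for the local web application", bind_only="127.0.0.1"),
}

# One socket line: protocol, state, two queue counters, local addr:port, peer, optional process.
LINE_RE = re.compile(
    r"^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+"
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntup`-style text into Listener records; the header does not match."""
    listeners = []
    for line in output.splitlines():
        m = LINE_RE.match(line)
        if m:
            listeners.append(Listener(m["proto"], m["addr"], int(m["port"]),
                                      m["proc"] or "unknown"))
    return listeners


def audit(listeners: list[Listener], approved: dict) -> list[str]:
    """Return one finding per listener that is unapproved or bound too widely."""
    findings = []
    for lst in listeners:
        rule = approved.get((lst.proto, lst.port))
        if rule is None:
            findings.append(f"{lst.proto}/{lst.port} ({lst.process}) is not approved: "
                            f"disable it or document a granted exception")
        elif rule.bind_only and lst.addr != rule.bind_only:
            findings.append(f"{lst.proto}/{lst.port} ({lst.process}) must bind to "
                            f"{rule.bind_only}, found {lst.addr}")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_ss(SAMPLE_SS_OUTPUT), APPROVED):
        print(finding)
```

On the constructed sample this flags telnet (tcp/23), SNMP (udp/161) and VNC (tcp/5900); the VNC finding is exactly the case item 6 requires to be documented and granted before it is allowed to stay. Running the check on a schedule and diffing its output against the previous run gives the periodic audit of item 12 a concrete, repeatable form.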

B.10. Virus Scanning

  1. All workstations and servers attached to the University network must have updated virus protection software installed and enabled.
  2. At a minimum, virus definitions must be updated weekly.
  3. Incoming mail and attachments must be filtered with virus scanning software different from that used on desktops, so that a detection gap in one product is not shared by both.

C. Policy Administration

The Associate Vice Chancellor for MIS, or his designee, has the responsibility to:
  1. Monitor Information Resources Security issues;
  2. Receive and research all reported security trouble tickets;
  3. Coordinate all security measures which could be used to protect resources (such as a firewall);
  4. Keep users aware of Information Resources Security issues through briefings and other mechanisms;
  5. Monitor compliance with this policy by performing assessments of users;
  6. Research and recommend the best practices and procedures in the IT security area.

D. Management Responsibility

UA Fort Smith Responsibilities

UA Fort Smith may allocate resources in ways it deems fit to achieve its overall mission. It may control access to its information and the devices on which it is stored, manipulated, and transmitted in accordance with the laws of Arkansas, the United States, and the policies of the University and the UA System Board of Trustees. UA Fort Smith may impose sanctions and punishments on anyone who violates the policies of the University regarding computer and network usage. Students violating these policies can expect to be reprimanded, have restrictions imposed, or be denied the right to continue as a student. Employees violating these policies can expect to be reprimanded, have restrictions imposed, be required to compensate the University for monetary damages, or be subject to dismissal. Guests of the University who violate these policies can expect to have privileges revoked and be subject to state and federal laws. (See Electronic Communications Policy)

  1. System Administration Access — A system administrator may access other users' files for the maintenance of networks and computer systems. However, all individuals' privileges and rights of privacy are to be preserved to the greatest extent possible.
  2. Monitoring of Usage and Inspection of Files — The Associate Vice Chancellor for MIS or his designee may routinely monitor and log usage data such as session connection times and end-points, CPU and disk utilization for each user, security audit trails, network loading, etc., for each UA Fort Smith computer and network. The Associate Vice Chancellor for MIS or his designee may review these data for evidence of violation of law or policy. When necessary, the Associate Vice Chancellor for MIS or his designee may monitor all the activities of and inspect the files of specific users on their computers and networks. In all cases, all individuals' privileges and right of privacy are to be preserved to the greatest extent possible.
  3. Suspension of Individual Privileges — The Associate Vice Chancellor for MIS may suspend computer and network privileges of individuals for reasons relating to their physical or emotional safety and well-being or for reasons relating to the safety and well-being of other individuals or of property. Access may be promptly restored when safety and well-being can be reasonably assured, unless it is to remain suspended as a result of disciplinary action imposed by the Office of Student and Academic Support Services (for students) or the employee's supervisor in consultation with the Office of Human Resources (for employees).
  4. Security Procedures — UA Fort Smith has the responsibility to develop, implement, maintain, and enforce appropriate security procedures to ensure the integrity of individual and institutional information, however stored, and to impose appropriate penalties when security is purposefully abridged or attacked.
  5. Anti-Harassment Procedures — The University has the responsibility to develop, implement, maintain, and enforce appropriate procedures to discourage harassment by use of its computer networks and to impose appropriate penalties when such harassment takes place.
  6. Upholding Copyrights and License Provisions — The University has the responsibility to uphold all copyright laws governing access and use of information and rules of organizations supplying information resources to members of the community (see Electronic Communications Policy).

E. Data Ownership

Data is owned by the unit(s) having primary responsibility for creation and maintenance of the data content. The Arkansas Freedom of Information Act (Arkansas Code 25-19-103) defines "custodian" as the person having administrative control of that record.

F. Data Custodian Responsibilities

The data custodian is responsible for:

  1. Maintaining the information in the data file.
  2. Determining how the data may be used within existing policies.
  3. Authorizing who may access the data.

G. Data Service Providers Responsibilities

The data service provider is the unit assigned to supply services associated with the data. The data service provider is the administrator of a computer system, server, workstation, or network of workstations.

The data service provider provides services in accordance with the directions from the owner and is responsible for:

  1. Implementing owner specified controls over the data.
  2. Providing a general security access system.
  3. Ensuring compliance of its employees with security procedures.

H. Data User Responsibilities

The data user is the person who has been granted explicit authorization to access the data by the owner. This authorization must be granted according to established procedures. The user must:

  1. Use the data only for purposes specified by the owner.
  2. Comply with security measures specified by the owner or custodian.
  3. Not disclose the information in the data, or the access controls over the data, unless specifically authorized in writing by the owner.

I. Auditor Access

There will be occasions when auditors require access to Information Resources and data files. State and Federal auditors will be granted access to Information Resources and data files on an as needed basis after coordination with the Internal Auditors and data owners, and after proper training requirements are met.

J. Disclosure of Security Information

University employees, contractors and vendors must not discuss organizational operating systems, servers, policies, procedures and/or other security programs with those without a "need to know" or written permission. Such permission may be requested from the Associate Vice Chancellor for MIS or his designee.


Appendix A - Terms and Definitions

  1. Hardened: Application — An application in which all configuration options have been reviewed and understood in relation to security, within reason.
  2. Hardened: Operating System — An operating system in which all configuration options have been reviewed and understood in relation to security, within reason, and on which only needed, hardened applications are running.
  3. Authorized Use — Use of UA Fort Smith owned or operated computing and network resources that is consistent with the education, research, and service mission of the University and with these policies and procedures.
  4. Authorized Users — Authorized users are: a. current faculty, staff, and students of the University; b. anyone connecting to a public information service; c. others whose access furthers the mission of the University and whose usage does not interfere with other users' access to resources. In addition, a user must be specifically authorized to use a particular computing or network resource by the campus unit responsible for operating the resource.

Appendix B - Password Management

Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Effective controls for logical access to information resources minimize inadvertent employee error and negligence, and reduce opportunities for computer crime. Each user of a mission critical automated system is assigned a unique personal identifier for user identification. User identification is authenticated before the system may grant access to automated information.

Password Changing

At a minimum, passwords must be changed every 90 days and should not be reused within six password changes.

Password Selection

At a minimum, the user password should be eight characters in length and be a mixture of alpha and non-alpha characters.

Some rules for choosing a good password are:

  1. Use both uppercase and lowercase letters.
  2. Include digits and special characters as well as letters.
  3. Choose something easily remembered so it does not have to be written down.
  4. Passwords must be at least eight characters in length.
  5. Use two short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON.
  6. Put together an acronym that has special meaning to you.

Password Handling

  1. Do not write down your password.
  2. Do not type in your password while someone is watching.
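
The minimums in this appendix (eight characters, a mix of alphabetic and non-alphabetic characters, change every 90 days, no reuse within six changes) are easy to state and easy to enforce inconsistently. The following is an added example, not part of the UA Fort Smith procedures, showing the checks as a system would apply them at password change time: composition errors for the stated minimums, warnings for the advice in the "good password" list, an expiry check, and a reuse check against salted hashes of the six most recent passwords. Keeping the history as salted PBKDF2 hashes rather than plaintext, the iteration count, and the record layout are assumptions of this example; the dates and passwords used are constructed.

```python
"""Password lifecycle checks implementing the Appendix B minimums.

Added example, not part of the UA Fort Smith procedures. Storing the history
as salted PBKDF2-SHA256 hashes and the record layout are assumptions here.
"""
import hashlib
import hmac
import secrets
import string
from dataclasses import dataclass, field
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 8               # "at least eight characters in length"
MAX_AGE_DAYS = 90            # "changed every 90 days"
HISTORY_DEPTH = 6            # "not be reused within six password changes"
PBKDF2_ITERATIONS = 100_000  # assumption; tune upward for a production deployment
SPECIALS = set(string.punctuation)


def check_composition(password: str) -> tuple:
    """Return (errors, warnings): errors are the stated minimums, warnings the advice."""
    errors, warnings = [], []
    if len(password) < MIN_LENGTH:
        errors.append(f"shorter than {MIN_LENGTH} characters")
    has_alpha = any(c.isalpha() for c in password)
    has_non_alpha = any(not c.isalpha() for c in password)
    if not (has_alpha and has_non_alpha):
        errors.append("must mix alphabetic and non-alphabetic characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        warnings.append("use both uppercase and lowercase letters")
    if not any(c.isdigit() or c in SPECIALS for c in password):
        warnings.append("include digits and special characters")
    return errors, warnings


def hash_password(password: str, salt: Optional[bytes] = None) -> tuple:
    """Salted PBKDF2-SHA256 digest; a fresh salt is drawn when none is given."""
    salt = salt or secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ITERATIONS)
    return salt, digest


@dataclass
class PasswordRecord:
    changed_on: date
    history: list = field(default_factory=list)  # (salt, digest) pairs, newest first


def create_record(password: str, today: date) -> PasswordRecord:
    return PasswordRecord(changed_on=today, history=[hash_password(password)])


def is_reused(password: str, history: list) -> bool:
    """True if the candidate matches any retained hash (each under its own salt)."""
    return any(hmac.compare_digest(hash_password(password, salt)[1], digest)
               for salt, digest in history)


def is_expired(record: PasswordRecord, today: date) -> bool:
    return today - record.changed_on > timedelta(days=MAX_AGE_DAYS)


def change_password(record: PasswordRecord, new_password: str, today: date) -> list:
    """Apply all rules; on success update the record in place and return no errors."""
    errors, _warnings = check_composition(new_password)
    if is_reused(new_password, record.history):
        errors.append(f"reused within the last {HISTORY_DEPTH} passwords")
    if errors:
        return errors
    record.history.insert(0, hash_password(new_password))
    del record.history[HISTORY_DEPTH:]   # keep only the six most recent
    record.changed_on = today
    return []


if __name__ == "__main__":
    for candidate in ("ROBOT4ME", "EYE-CON"):   # the two examples given in this appendix
        print(candidate, check_composition(candidate))
```

Note what the checker says about this appendix's own examples: ROBOT4ME meets the stated minimums but draws a warning for having no lowercase letters, and EYE-CON fails outright because it is seven characters long. The reuse window is counted in changes, not days, so the history is trimmed on every successful change rather than by age.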

Appendix C - Personnel Security and Security Awareness

Employee Requirements

Every employee is responsible for systems security to the degree that the job requires the use of information and associated systems. Fulfillment of security responsibilities is mandatory and violations of security requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, and criminal penalties.

Security Awareness and Training

An effective level of awareness and training is essential to a viable Information Resources Security program. Employees who are not informed of risks or of management's policies and interest in security are not likely to take steps to prevent the occurrence of violations.

All personnel must complete Security Awareness Training in accordance with their access privileges.

Acknowledgment of Rights and Responsibilities

Employees with access to mission critical application systems acknowledge the security requirements of the systems and their responsibility to maintain the security of the systems before access to the system is granted. This acknowledgment occurs by signing the application statement of security responsibility during mandatory training sessions, and by presentation of an online statement when the application is accessed.