Computing Policy

Purpose:  Procedures for departmental computing are designed to provide accountability for computer usage in accordance with accepted standards of internal controls.
References:  SAM 07.A.02, SAM 07.A.03, MAPP 10.03.01, MAPP 10.03.02, IT Reference Guide, IT Support Center Standards, Information Technology General Computing Policies, Information Technology Network Safety, Appropriate Use of Computing Resources, IT Security Handbook - Fall 2009, NSM-IT Security Policies
Procedures: 
PT. I: General Statement
PT. II: Policy Provisions
PT. III: Password Control
PT. IV: Violations
PT. V: Risk Assessment Policy
Review and Responsibility: 
  • Responsible Party: Director, NSM Business Operations
  • Review: Every two years, on or before August 31
Approval: 
  • Director, NSM Business Operations - Fred McGhee
  • Dean, NSM - John Bear
  • Date of Dean's Approval: 09/01/2008

I: General Statement

Procedures for departmental computing are designed to provide accountability for computer usage in accordance with accepted standards of internal controls. All employees of the College of Natural Sciences and Mathematics are responsible for complying with the policies and procedures described below. Failure to adhere to these policies and procedures may result in disciplinary action being taken against the employee. Compliance with these procedures will protect employees when questions arise and protect the University from criticism by auditors and other reviewing officials.

All employees have an obligation to report any suspected misuse, abuse, or security violations related to computer use. Employees who are aware of criminal activity and fail to report it may be subject to disciplinary action. Employees are required to cooperate with any police or audit investigation, and they may be requested to keep their knowledge of the investigation confidential.

II: Policy Provisions

  • All computer systems requiring log-on and password shall have an initial screen banner reinforcing security requirements and reminding users of their need to use computing resources responsibly.
  • Users shall not seek or reveal information on, obtain copies of, or modify files, tapes, or passwords belonging to other users, nor may the user misrepresent others.   Each computer account will be assigned to a single individual who is accountable for the activity on that account.
  • Users must abide by the laws protecting copyright and licensing of programs and data. In no case will copies be made of a licensed computer program to avoid paying additional license fees or to share with other users.
  • System Administrators and other custodians of computers are responsible for the physical security of university hardware, software, and data entrusted to their use.  This security includes the following provisions:
    • Ensuring doors to areas with computer equipment are locked and/or that computer security devices to secure computers to desks are installed
    • Ensuring that computer equipment is protected from weather, chalk dust, and other foreign materials
    • Securing floppy disks and floppy drives
    • Backing up all critical data files and storing back-up data in a secure, separate area
    • Ensuring that data storage/disk space on computers is adequate for departmental usage
    • Ensuring that the latest version of anti-virus software is installed on computers and is being used
    • Using surge protectors or an uninterruptible power supply (UPS) to protect and save data in case of electrical failure
    • Taking all possible precautions to protect the programs and operating systems under their care against security violations by network intruders

III: Password Control

  • Passwords are to be assigned to the individual employee or issued on an individual employee basis if computerized records are being accessed as part of their responsibility.
  • Distribution of passwords should be handled with the strictest confidentiality.
  • Passwords shall be changed on a regular basis (at least once every 90 days).
  • Passwords that are obvious, such as nicknames and dates of birth, should not be allowed.
  • Passwords should never be shared with another user. Employees are formally notified as to their role in protecting the security of the user ID and password. Counter accounts, for view only, are an exception to this rule.
  • Passwords should have a minimum length of five characters.
  • Passwords stored on a computer should be encrypted in storage.
  • System software should enforce the changing of passwords and the minimum length and format.
  • The non-printing, password-suppression feature should be used on all terminals to prevent the display of a user ID or password at log-on.
  • System software should disable the user identification code if more than three consecutive invalid passwords are given.
  • System software should maintain a history of at least two previous passwords and prevent their reuse.
  • Procedures for forgotten passwords should require that Support Services personally identify the user.

IV: Violations

Threats to computing, network, or telecommunications security, whether actual or potential, and illegal activities involving the use of university equipment shall be reported to NSM IT Security (or designee) or, in his absence, to the Information Technology security officer or the Chief Information Officer. Illegal activities may also be reported directly to a law enforcement agency. See MAPP 10.03.03 - Security Violations Reporting.

V: Risk Assessment Policy

System administrators should conduct a risk assessment program consisting of the following:

  • Identification of assets
  • Estimation of asset values
  • Identification of threats
  • Identification of vulnerabilities
  • Calculation of risk

The Risk Assessment policy will be updated based on changes that have occurred since the previous review.