IT Security Policy
- To enable all ACK members to achieve their academic or administrative work objectives through the use of a secure, efficient, and reliable technology environment.
- To protect academic, administrative, and personal information from current and future threats by safeguarding its confidentiality, integrity, and availability.
- To establish appropriate policies and procedures to protect information resources from theft, abuse, misuse, or any form of significant damage while still enabling ACK members to fulfill their roles.
- To establish responsibility and accountability for information technology security within ACK.
- To encourage and support ACK members to maintain an appropriate level of awareness, knowledge, and skill to enable them to minimize the occurrence and severity of information technology security incidents.
- To ensure ACK is able to effectively respond to, contain, and address significant security incidents, while being able to continue its instructional and administrative activities.
- This policy applies to all members of ACK, including students, faculty, staff, vendors, volunteers, contractors, consultants, and any others having access to ACK institutional information or technology resources. It applies to all electronic information system resources, including technology hardware and software that is owned, leased, or licensed. This includes hardware and software used to process, store, retrieve, display, and transmit electronic representations of data, voice, and video content.
- Personally owned equipment is also covered if it is used to process ACK institutional information or is connected, directly or indirectly, to the ACK network. ACK will not access or modify software or information stored on personally owned equipment without the permission of the owner; however, access to the ACK network may be denied or limited unless these policies are complied with fully.
- ACK conducts significant portions of its operations via wired and wireless networks. The confidentiality, integrity, and availability of the information systems, applications, and data stored and transmitted over these networks are critical to ACK's reputation and success. All staff and students are responsible for ensuring that computing and communication facilities are used in an effective, efficient, ethical, and lawful manner.
- Production systems, operating systems, and externally sourced applications must have the most recently available and appropriate software security patches.
- Applications must be designed, implemented, and managed to minimize the risk from malicious or accidental misuse of the application and any associated data.
- Adequate authentication and authorization functions must be provided that follow a least-privilege model, in which privileged users of a system are granted the least amount of privilege necessary to fulfill their responsibilities.
- Controls must be in place to manage the origins, targets, and allowable connections to ACK server and desktop systems.
- System monitoring must be designed to detect configuration changes and intrusions commensurate with acceptable risk.
- System logs must be kept and examined as required to detect unusual behavior and conduct forensics for incident analysis and reporting (following a principle of least privilege necessary for such detection and analysis).
- Appropriate controls must be employed to protect physical access to resources following an identified level of acceptable risk. These may range in scope and complexity from extensive security installations to protect a room or facility, to simple measures taken to protect a staff member’s laptop from theft.
Privacy and Confidentiality
- Applications must be designed and systems must be used so as to protect the privacy and confidentiality of the various types of electronic data they process.
- ACK has no interest in abridging academic freedom or personal speech rights, nor in monitoring or tracking personal behavior for reasons unrelated to technical operations or compliance with this policy. Automated procedures are used to assess and process potentially relevant activity, thereby limiting the degree of individual staff involvement.
Network User Names and Passwords
- Logical access controls can prevent or discourage unauthorized access to information resources and help ensure individual accountability. Therefore, users must be identified and granted an appropriate level of access to network devices by means of a unique username coupled with a password or another form of secure authentication process.
- Default manufacturer passwords must be changed. Replacement passwords must be composed in accordance with the ACK Password Standard.
- In order for a device to communicate with the Internet or other devices attached to the ACK network, and to ensure that the device is not in a state that could disrupt the network or expose sensitive information and that a measure of individual accountability is established, the device must first:
  - Be associated with an authorized individual;
  - Have its identifying characteristics registered with the IT department;
  - Be automatically examined and, if necessary, modified to ensure compliance with these policies.
Assignment of Network Identifiers
- To ensure reliable network operation, all devices must be configured to accept the assigned Internet Protocol (IP) numeric address, the ACK-generated identifying name, and the other network parameters that are automatically assigned each time a network connection is established.
- When a third party is used to provide services, security requirements should be considered and made part of any contractual agreements. Such vendor agreements must include appropriate safeguards for the security of ACK information and resources, as well as audit rights.
- Vendors and independent contractors may only have access to the minimum necessary information to perform the assigned tasks. Vendors must be required to return or destroy all sensitive information, and surrender all ACK identification badges, access cards, equipment and supplies immediately after completing or terminating the agreements.
- When connecting to the ACK network from a remote location, an encrypted communication channel must be used in order to protect the confidentiality of transmitted data. This is also necessary when using the on-campus wireless network. In addition, relevant system and network activity logs must be kept and examined for possible infringements.
- Sensitive academic or administrative information is likely to be present on storage media associated with obsolete or surplus equipment intended for disposal. ACK-owned technology equipment must therefore be disposed of as defined in the IT Disposal Policy.
Secure Data Storage
- Sensitive personal information must be stored within ACK systems using an approved method of encryption to help secure the data in the event of unauthorized access. This requirement is especially important when information is stored on portable devices.
- IT resources infected with viruses or malicious code can jeopardize information security by contaminating, damaging, and destroying data. Therefore, antivirus software must be installed and operating with the most current virus definitions. The IT department must maintain campus-wide antivirus software for use by every student, faculty member, or staff member using the network.
- Software installed on any ACK computer system must be legally licensed. The IT department is responsible for ensuring that no software license usage exceeds purchased levels and arranging for additional licensed copies when needed to support instructional or administrative activities.
Software Patch Updates
- All currently available security patches for operating systems and application software must be installed.
- Software for which security patches are not routinely made available should not be used on the ACK network.
End Point Health Check
- All computers connected to the ACK network are required to undergo an automated evaluation to determine whether certain software settings and applications are correctly installed and operational. As a result, the device may be required to install new software or reconfigure existing software before unlimited network access is granted.
Incident Detection & Reporting
- Properly and efficiently detecting and responding to suspicious network activities and unauthorized system use requires that users report unusual and suspicious activity surrounding the use of information system resources. Users should report possible incidents to the IT Helpdesk email firstname.lastname@example.org or call extension 6000.
Consequences of Violations
- A violation of this policy may result in disciplinary action up to and including termination.
Terms and Definitions
- Access: The ability or means necessary to read, write, modify, or communicate data/information or otherwise use any system resource.
- Administrative Safeguards: Actions, policies, and procedures to manage the selection, development, implementation, and maintenance of security measures.
- Authentication: Corroboration that a person is who he says he is.
- Encryption: Use of an algorithmic process to transform data into a form in which there is a low probability of assigning meaning without the use of a confidential process or key.
- Information Systems: Interconnected set of information resources under the same direct management control that shares common functionality. Typically includes hardware, software, information, data, applications, communications, and people.
- Malicious Software: Software such as a virus that is designed to damage or disrupt an Information System.
- Physical Security: Physical measures, policies, and procedures designed to protect electronic information systems from natural and environmental hazards and unauthorized access.
- Risk: The likelihood that a specific threat will exploit a certain vulnerability, as well as the resulting impact of that event.
- Risk Analysis: The process of identifying, estimating, and prioritizing risks to ACK assets, individuals, and information systems.
- Security Incident: An intentional or accidental occurrence affecting information or related technology in which there is a loss of data confidentiality or integrity, or a disruption and/or denial of availability.
© Copyright 2017. ACK. All Rights Reserved.