Information Security Standard Practices
Acceptable Use Agreement —
Personal Computer & Network Security Procedures
1.0 Overview
Personal computing devices, such as PCs, laptops, PDAs and similar
devices, are vulnerable to incidents that compromise security and
cause the destruction or loss of data, including data stored on the
network, as well as damage to the equipment. The physical loss of a
personal computer is costly, but the loss of computing power and the data
stored on the computer or the network can be disastrous.
This document details procedures to protect your equipment and data. It is the
responsibility of every computer user to know these procedures and implement
them accordingly.
2.0 Purpose
A large portion of Mt. San Antonio College's business is conducted with
personal computing devices. Protection of these devices and the
stored data is of critical importance to the College. These procedures
apply whether the devices are stand-alone or connected to a network such
as a LAN (Local Area Network) or the intranet.
3.0 Choice of Passwords
The user-chosen passwords employed by access control software packages,
as well as the keys employed by encryption packages, should be at least
eight characters in length unless restricted by the software. These
passwords and keys must be difficult to guess. Words in a dictionary,
derivatives of user-IDs, and common character sequences such as '123456'
must not be employed. Likewise, personal details such as a spouse's name,
license plate, social security number, or birthday must not be used
unless accompanied by additional unrelated characters.
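The rules in section 3.0 can be enforced at the point where a password is set. The checker below is an added example, not code from the College or from IET; it encodes the section's requirements (minimum length of eight, no dictionary words, no user-ID derivatives, no common sequences, personal details only with additional unrelated characters) as a function that returns a list of violations. The word lists are constructed stand-ins for a real dictionary and a real list of common sequences, and two readings are assumptions: a "derivative" of a user-ID is taken to be the ID itself or its reverse, and "additional unrelated characters" is taken to mean at least three characters left over once the personal detail is removed.

```python
import re

# Policy parameters from section 3.0. The word lists are constructed samples;
# a production checker would load a full dictionary and breach-derived sequence list.
MIN_LENGTH = 8
COMMON_SEQUENCES = ("123456", "abcdef", "qwerty", "password", "111111")
SAMPLE_DICTIONARY = frozenset({"college", "summer", "welcome", "mountain", "antonio"})


def _derivatives(user_id):
    """Forms of the user-ID treated as 'derivatives': the ID and its reverse (assumption)."""
    uid = user_id.lower()
    return {uid, uid[::-1]} if uid else set()


def check_password(password, user_id, personal_details=(), dictionary=SAMPLE_DICTIONARY):
    """Return a list of section 3.0 violations; an empty list means the password is acceptable.

    personal_details: strings the user must not base the password on (spouse's name,
    license plate, SSN, birthday) unless extra unrelated characters accompany them.
    """
    problems = []
    pw = password.lower()

    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")

    # Dictionary words: reject the whole password, or the password with trailing
    # digits stripped (e.g. 'welcome1'), when it is a dictionary word. Heuristic (assumption).
    stem = re.sub(r"\d+$", "", pw)
    if pw in dictionary or stem in dictionary:
        problems.append("is a dictionary word")

    for form in _derivatives(user_id):
        if form in pw:
            problems.append("derived from the user-ID")
            break

    for seq in COMMON_SEQUENCES:
        if seq in pw:
            problems.append(f"contains common sequence '{seq}'")

    # Personal details are allowed only when accompanied by additional unrelated
    # characters; read here as at least 3 characters left once the detail is removed (assumption).
    for detail in personal_details:
        d = detail.lower()
        if d and d in pw:
            leftover = pw.replace(d, "")
            if len(leftover) < 3:
                problems.append(f"based on personal detail '{detail}' without extra characters")

    return problems


if __name__ == "__main__":
    # Constructed sample inputs: a user 'jsmith' whose dog is named 'Fido'.
    for candidate in ("123456", "jsmith2024", "welcome1", "fido1", "Fido2019", "Tr0ub4dor&3"):
        result = check_password(candidate, "jsmith", personal_details=("Fido",))
        print(f"{candidate!r}: {'OK' if not result else '; '.join(result)}")
```

The function reports every rule the candidate breaks rather than stopping at the first, which is what a user needs in order to fix the password in one attempt; the caller decides whether any violation is blocking.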
4.0 Periodic Back-Up
All sensitive, valuable, or critical information resident on College
computer systems must be backed up periodically.
Information and Educational Technology (IET)
provides a facility for backing up computers or departmental servers
over the campus network to a secure storage area. No special hardware is
required and the software is provided by IET. Contact the Help Desk to
schedule installation or to request additional information.
All end-users are responsible for making at least one current back-up
copy of sensitive, critical, or valuable files. These separate back-up
copies should be made each time a significant number of changes are
made. Selected files from back-ups must be restored periodically to
demonstrate the effectiveness of every back-up process. Department
managers must verify that proper back-up procedures are followed.
5.0 Viruses
All College-issued computer equipment will have anti-virus software
installed and configured by IET. If you believe that your system does
not have this software installed, contact the Help Desk for assistance.
Virus definitions will be updated via an automatic process.
Employees must not abort this download process or disable the software.
The virus definition update frequency must be at least weekly.
If employees suspect infection by a virus, they should immediately stop
using the involved computer and call the IET Help Desk.
6.0 Handling Alerts About Security
Users must report all information security alerts, warnings, and reported
vulnerabilities to abuse@mtsac.edu as soon as possible. IET is the only organizational unit authorized to
determine appropriate action in response to such notices.
Users are discouraged from forwarding these notices to other users as
many of these notices are hoaxes.
7.0 Tools That Compromise System Security
Unless specifically authorized by IET, employees must not acquire,
possess, trade, or use hardware or software tools that evaluate or
compromise information systems security. Examples of such tools include
those which defeat software copy-protection, discover secret passwords,
identify security vulnerabilities, examine or intercept network traffic
(sniffers), or decrypt encrypted files.
8.0 Configuration Control
IET has a standard list of supported software packages that users can run
on a College-owned computing device.
Documentation about the licenses for software obtained by users must be
retained to receive technical support, qualify for upgrade discounts, and
verify the legal validity of the licenses.
Documentation for software purchased and installed by IET is retained by IET.
Employees must obtain permission from a department manager or computing
facilities supervisor before installing software on a College-owned
device.
Employees must not permit automatic software installation routines,
such as internet file-sharing software, to be run on
College computers unless these routines have first been approved by IET.
Software may be removed without advance notice to the employee if it is
suspected of causing a technical problem.
9.0 Changes to Operating System Configuration
Employees must not change operating system configurations, upgrade
existing operating systems, or install new operating systems. If such
changes are required, contact the IET Help Desk.
10.0 Changes to Hardware
Computer equipment supplied by the College must not be altered or added
to in any way (e.g., upgraded processor, expanded memory, or extra
circuit boards). If such changes are required, contact the Help Desk.
11.0 Use of Encryption Programs
Employees are reminded that electronic mail is not encrypted by default.
If sensitive information must be sent by electronic mail, encryption or
similar technologies to protect the information must be employed. The IET
Help Desk is available to assist with the installation and configuration
of software to protect data transmission.
12.0 Responsibility for Equipment
Employees are responsible for any computer equipment provided to them.
If the equipment has been damaged, lost, stolen, borrowed, or
is otherwise unavailable for normal business activities, the employee
must promptly inform their department manager. With the exception of
portable machines, computer equipment must not be moved or relocated
without the approval of the involved department manager.
Portable computer users accept liability for the computer plus the
College-supplied software and its repair or replacement through their own
personal property insurance should the computer be lost, stolen, or
severely damaged. Where no insurance coverage is applicable, the user
agrees to repay the College the full amount required to replace the lost,
stolen, or damaged computer, or to pay for its repair if severely damaged
but repairable. In the event of loss, theft, or severe damage, the
computer will be replaced or repaired at the sole discretion of the
College.
13.0 Transportation of Portable Equipment
Employees in possession of portable, laptop, notebook, palmtop,
personal digital assistant, and other transportable computers containing
sensitive information must take reasonable precautions to ensure the
security of the device and the information it contains.
Likewise, if sensitive data is to be transported on computer-readable
storage media (such as magnetic tapes, floppy disks, or CD-ROMs),
reasonable precautions must be taken to ensure the security of the media
and the information it contains.
14.0 Equipment Theft
All computer equipment is marked with visible identification information
which clearly indicates it is College property. Periodic physical
inventories are used to track the movement of computers and related
equipment. Immediately report any equipment theft to Campus Security,
extension 4299.
15.0 Positioning Display Screens
The display screens for all computers used to handle sensitive or
valuable data must be positioned such that the information cannot be
readily viewed through a window, by persons walking in a hallway, or by
persons waiting in reception and related areas. Care should also be taken
to position keyboards so that unauthorized persons cannot readily see
employees enter passwords, encryption keys, and other security-related
parameters.
16.0 Locking Sensitive Information
When not being used by authorized employees, or when not clearly visible
in an area where authorized persons are working, all hardcopy sensitive
information must be locked in file cabinets, desks, safes, or other
enclosures. Likewise, when not being used, or when not in a clearly visible and
attended area, all computer storage media containing sensitive information must
be locked in similar enclosures.
17.0 Business Use Only
Mt. San Antonio College computer devices generally should be used only
for College activities. These devices can only be used by authorized
users. Incidental personal use is permissible so long as: (a) it does not
consume more than a trivial amount of system resources, (b) it does not
interfere with productivity, and (c) it does not preempt any College
activity. Mt. San Antonio College computer devices must not be used for
political advocacy efforts, private business activities, or non-College
related charitable fundraising campaigns. Employees are reminded that the
use of College computing devices should never create either the
appearance or the reality of inappropriate use. When a user's
relationship with Mt. San Antonio College comes to an end,
all privileges on College computing devices will also come to
an immediate end.
18.0 Rights to Programs & Materials Developed
Without a specific written exception, all computer programs and
documentation generated by, or provided by employees for the benefit of
the College are property of the College. All other material developed by
College employees using College computers is considered a 'work for hire'
and is accordingly the property of the College.
This material includes patents, copyrights, and trademarks.
19.0 Copyright Protection
Violations of the rights of any person or entity protected
by a copyright, patent, trademark or similar law or regulation are strictly
prohibited. Violations include, but are not limited to, the unauthorized
reproduction of any copyrighted material, including but not limited to
software, text, images, audio, and video. Also included are the installation,
distribution, or use of 'pirated' software, as well as the display or
distribution of copyrighted materials over computer networks without the
author's permission.
NOTE: The 'fair use' provisions of the copyright
law, section 107 of the U.S. Copyright Law, may permit
the reproduction of copyrighted work for purposes such as 'criticism, comment,
news reporting, teaching (including multiple copies for classroom use),
scholarship or research.'
20.0 Environmental Considerations
To reduce the damage done by electrical power problems, all computers in
College offices should use surge suppressors. Those computers running
production applications must also have uninterruptible power supplies
(UPSs) approved by IET.
21.0 Static Discharges and Electromagnetic Fields
Static discharges can be harmful to computers and storage media.
Magnetic storage media such as floppy disks and magnetic tapes must be
kept at least several inches away from electric fields, such as those
generated by magnets and a telephone when it rings.
22.0 Smoking, Eating & Drinking
Employees are strongly advised not to smoke, eat, or drink when using
desktop or laptop computers. Storage media such as floppy disks are
damaged by the particles in tobacco smoke; food and drink can also
damage electronic equipment such as keyboards.
23.0 Virtual Private Network
Mt. SAC will provide a Virtual Private Network (VPN) service as one
mechanism for authorized users to access College computing and network
resources from remote locations. All VPN users will authenticate to the
VPN server using their Mt. SAC network account user ID and password.
Any faculty or staff member may request VPN access by contacting the Help
Desk. A Mt. SAC Administrator may request VPN access for a vendor to
enable remote support of internal Mt. SAC systems.
All users of Mt. SAC's VPN service will be required to install and
maintain firewall and virus protection software. Users must apply regular
software updates and follow other standard practices to keep their VPN
client system(s) secure against unauthorized access. Users may not share
their VPN account or password with others. Mt. SAC reserves the right to
audit all VPN client systems, and all communications between VPN client
systems and Mt. SAC's network, for compliance with all applicable
security requirements.