Division of Student Affairs
Information Security Policy
- Purpose
- Scope
- Specific Information Security Measures
- Security Incident Reporting
- Changes to this Policy
I. PURPOSE
The primary mission of the Division of Student Affairs is to provide services to students that support and enhance their educational experience at San Diego State University. To an increasing extent, the Division relies on computer networks and electronic information resources to manage the large amount of information necessary to help students. Both computer hardware and the information maintained by the Division are at continual risk due to various threats including, but not limited to, criminal and malicious conduct, natural disasters, accidents, and employee error.
This Policy has been designed to address the various threats facing the Division with regards to information security and to provide general guidance for "risk mitigation". Realistically, no security policies or practices can completely eliminate the risks inherent in maintaining computer systems with large amounts of sensitive data. However, the Division recognizes its responsibility to secure its systems, establish preventive measures, and protect student data to the greatest extent possible. The Division Office of Technology Services will, as the need arises, release standards and guidelines necessary to implement this divisional information security policy.
II. SCOPE
This Information Security Policy applies to all departments and employees (permanent, temporary, and student) within the Division of Student Affairs. This policy is not intended to supersede or contradict any existing San Diego State University information security policy or guideline. In the event that the terms of this information security policy are inconsistent with another campus security policy, this policy shall be amended as appropriate.
While some departments in the Division have dedicated IT staff to assist with the implementation of a security policy, most departments do not have such resources. Departments without IT support shall consult with Technology Services to implement the procedures outlined herein.
III. SPECIFIC INFORMATION SECURITY MEASURES
In general, there are two types of information security strategies: 1) modifying personnel and business practices to improve security and 2) configuring computers and networks and utilizing new technology to harden systems against threats. Technology alone cannot secure the Division's computer and information assets to an acceptable degree. An increasing number of threats exploit employees' lack of knowledge regarding basic security principles and take advantage of human nature, e.g. curiosity, desire for financial gain, etc., to "trick" employees into taking inappropriate action. The success of the Division in protecting its information technology resources depends on the commitment of all Divisional employees to understand fundamental security issues and to modify their behavior to protect the Division as much as possible.
A. Security Measures Related to Business Practices and Personnel Procedures
- Designation of Department IT Support and Security Contact
In order to respond quickly to emerging security threats and to efficiently disseminate information related to information technology throughout the Division, each department shall designate an IT Support and Security contact and provide this person's phone number and email address to Technology Services. In the event a department chooses to, or needs to, designate an alternate IT Support and Security contact, the department shall promptly notify Technology Services.
- Classification of Information
The type of safeguards and security measures used to protect information depend on the sensitivity of the data in question. Each Department shall inventory and classify the information that it maintains in the normal course of business to determine the risks involved in maintaining the data and the proper level of security measures necessary to adequately protect the information.
When reviewing information, departments shall classify it as one of the following types:
- Restricted - the information contains sensitive, personal student or staff data protected by law. Compromise of such data could jeopardize a student or staff member's identity, reputation, or privacy. Examples of such data include Social Security Numbers (SSNs) in conjunction with names and/or birthdays, medical records (including psychological records), financial records of students and/or parents, records regarding assistance to students with disabilities, information regarding university disciplinary action, etc. Restricted information must be protected to the utmost extent possible by each department.
- Limited - information for internal use by a department that while not restricted is not intended for the public at large. Examples of limited data include budget information, department policies, internal memoranda, email messages, etc.
- Unrestricted - information that may be openly shared with the campus and/or public at large. Examples of unrestricted information include student publications, publicity materials, frequently asked questions (FAQs), etc.
- Files containing restricted or limited information should be stored on departmental file servers that are protected by firewalls and managed by properly trained technical staff. The practice of storing restricted or limited information on desktop PCs should be discouraged.
- Access to servers containing restricted or limited information must be strictly controlled. Limiting access to such systems decreases the risk of unauthorized access. The IT support and security contact from each department shall work with Technology Services to ensure that access to sensitive data is effectively managed.
- Departments should harden servers containing restricted and limited data against intrusion attempts through the use of IP filtering, closing unused ports, and stopping unnecessary services. Open ports and services running on a server provide hackers with additional means of intrusion and should be limited.
- Develop and implement procedures for archiving data that is not essential for daily operations of the department. If it is not absolutely necessary to maintain the data on a department computer or server, it should be archived to CD, DVD, tape, or disk and physically secured. By archiving data and removing it from a networked computer, the chances of data compromise are greatly reduced.
- If keeping a copy of the data on a department computer or server is necessary, the data should be encrypted to minimize the risks associated with unauthorized access to the computer. It is important to note that under State law, if a system that contains encrypted data is compromised, notice need not be given to the person(s) whose data was stored on the computer system. Encryption serves a dual purpose. It protects data stored on a system while at the same time minimizing the legal obligations of a department in the event of a security breach. The Windows operating systems include basic file encryption options, and there are numerous other encryption programs available on the market.
- Social Security Numbers should not be stored except where required by law. While many departments in the Division are required to use SSNs for Federal and state reporting purposes, these departments should use SDSU Red IDs for internal reporting to minimize security risks. SDSU Red IDs are not considered restricted information.
- Transfer of restricted information across the campus network and the Internet should only be initiated using a secure connection utilizing encryption to protect the data as it passes across the network. Restricted information should never be transmitted via email.
- Control of Staff Access to Information and Data
Each department shall assess the work requirements of its staff, including student employees, and determine the level of access necessary for the employee to perform his/her job duties. Only those employees who legitimately need to have access to restricted and/or limited information should be given access. By limiting the number of employees with such access, the chance that sensitive information is inadvertently disclosed or compromised is reduced.
ALL employees, regardless of whether they are classified or student employees, must agree to the terms of and execute an SDSU Confidentiality Agreement in accordance with the existing Center for Human Resources policy. Departments shall maintain a copy of confidentiality agreements for each employee for internal records and forward the original to the Center for Human Resources for permanent retention.
- Physical Security Measures
Departments shall take measures to reasonably protect their computer hardware from theft, vandalism, and tampering. Department offices should be locked when not in use. Ideally, computer hardware should be secured to workstations to prevent theft.
Computers and servers containing restricted and/or limited data should be physically separated from other equipment if at all possible. Access to room(s) containing such computers and/or servers should be limited to essential department staff with door(s) remaining closed and locked as much as possible.
To prevent unauthorized access to department computers, password-protected screen savers should be enabled to lock systems that have not been used for over 15 minutes.
- Acceptable Use of Student Affairs Computer Assets
The success of the Division depends on an established culture of openness, trust, and integrity between various departments and offices within the Division. Creating an ideal and secure work environment is a team effort and is the responsibility of every staff member of the Division. Computer equipment, software, operating systems, storage media, and network accounts providing e-mail, Internet browsing, and file transfer are the property of SDSU and the Division. Misuse of these information technology assets by staff creates significant security risks and also has the potential of damaging the professional reputation of the Division.
While the Division desires to provide a reasonable level of privacy, users should be aware that the data they create on Division systems remains the property of SDSU. Because of the need to protect SDSU's network, the Division cannot guarantee the confidentiality of information stored on any network device. For security and network maintenance purposes, authorized individuals may monitor equipment, systems and network traffic at any time.
Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of computer systems. If a staff member in the Division has any uncertainty about the propriety of his or her intended use of a Division information technology asset, he or she should consult a supervisor or manager.
Under no circumstances is an employee of the Division authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing SDSU information technology resources.
The following activities are strictly prohibited, with no exceptions (the list below is not exhaustive, but merely an attempt to provide a framework for activities which fall into the category of unacceptable use. Division employees are also bound by SDSU acceptable use policies in effect. In the event the Division's acceptable use policy contradicts an SDSU policy, the campus policy shall take precedence.):
- Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by SDSU.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which SDSU or the end user does not have an active license.
- Introduction of malicious programs onto any desktop computer, server or the network (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Launching a Denial of Service attack or running any program that denies access to a system's services from legitimate users.
- Revealing an account password to others or allowing use of an account by others.
- Using a Division computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws.
- Viewing pornography or other material that can be objectively classified as obscene.
- Sending unsolicited e-mail messages, including the sending of "junk mail" or other material to individuals who did not specifically request such material (e-mail spam).
- Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
- Authentication and Passwords
User authentication through the use of passwords is a cornerstone of computer security. Poorly chosen passwords unnecessarily expose the Division to compromise of restricted data and exploitation of its resources. Hackers have numerous "password cracking" tools at their disposal to gain easy access to systems whose users have chosen weak passwords. Division employees are responsible for selecting strong passwords and securely maintaining them.
Departments must ensure that system-level passwords (NT admin, application administration accounts, root, etc.) are changed on a quarterly basis. User-level passwords must be changed every six months.
Division staff should NOT select passwords that have the following characteristics:
- The password is less than ten characters
- The password is a word found in a dictionary (English or foreign)
- The password is a common usage word such as:
– Names of family, pets, friends, co-workers, fantasy characters, etc.
– Computer terms and names, commands, sites, companies, hardware, software.
– Birthdays and other personal information such as addresses and phone numbers.
– Word or number patterns like aaabbb, qwerty, zyxwvuts, 123321, etc.
– Any of the above spelled backwards.
– Any of the above preceded or followed by a digit (e.g., secret1, 1secret)
Division staff should select strong passwords that:
- Contain both upper and lower case characters (e.g., a-z, A-Z)
- Have digits and punctuation characters as well as letters (e.g., 0-9, !@#$%^&*()_+|~-=\`{}[]:";'<>?,./)
- Are at least ten alphanumeric characters long.
- Are not words in any language, slang, dialect, jargon, etc.
- Are not based on personal information, names of family, etc.
- Can be easily remembered. One way to do this is create a password based on a song title, affirmation, or other phrase. For example, the phrase might be: "This May Be One Way To Remember" and the password could be: "TmB1w2R!" or "Tmb1W>r~" or some other variation.
Some applications, e-mail programs, and Internet browsers have a "Remember Password" option that allows the user to circumvent the usual login process. These options should never be used as they may possibly compromise the user's password.
If a Division employee has any reason to suspect that his or her password has been compromised, the employee shall immediately notify his or her supervisor and departmental IT Support and Security contact for investigation and prompt password change.
- Hardening Against "Social Engineering"
As technological options make systems more and more secure, hackers rely increasingly on "social engineering" to gain illegal access to computer resources and to inject malicious code into otherwise secure systems. By appealing to an employee's desire to help, curiosity, or greed, hackers are able to elicit sensitive information and to install malware on computer systems.
Social engineering is not a technological issue. The simplest and most straightforward way to defeat hackers using social engineering is to educate staff regarding common-sense security practices. Each department is responsible for training staff on how to detect and defeat attempts at social engineering.
Two of the most common social engineering attacks involve the impersonation of help desk personnel and the impersonation of legitimate company personnel via email.
As a general practice, Division staff should:
- Be extremely wary of any unsolicited request for information by an unknown person
- Refer the person requesting information to a manager or other supervisor for clearance before volunteering information
- Never provide password information, username, account, or other technical information regarding Divisional computer assets to an unknown person
- Never open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately and then "empty the trash" on your e-mail application
- Delete spam, chain, and other junk email without forwarding
- Never download files from unknown or suspicious sources
- Never install unauthorized software / freeware
- Never follow a hyperlink in a document or e-mail message from an untrusted source
- Never disable malware scanning and other security software as it is the best line of defense against malicious code being loaded to a Division system
- Prompt Deactivation of Accounts Upon an Employee's Separation from the Division
Network and system accounts of retired or former Division employees, if left active, become "backdoors" for hackers seeking unauthorized access to computer assets. It is the directors' responsibility to notify division and campus offices so that former employees' accounts can be deactivated upon separation from the university through retirement or otherwise. In addition, for those employees who had access to Federal, State, or other systems, the department shall notify the owner(s) of the other system(s) that the employee is no longer in the service of the Division and request deactivation of the account(s).
- Disaster Recovery and Regular Backup of Critical Data
While beyond the scope of this Divisional Security Policy, it is critical that each department plan for various contingencies, both natural and man-made, that may have an adverse effect on the department's operations. Each department will work with Technology Services to ensure that adequate backup measures are in place to facilitate recovery of mission critical data in the event of a disaster or security breach.
- Regular Security Assessments Regarding Policy Compliance
Each department will ensure that employees have read and understand applicable SDSU and Division information security policies and acceptable use policies. In addition, authorized individuals may monitor equipment, systems and network traffic at any time.
B. System and Network Management Security Measures
- Connection and Port Control
In general, academic computing assets at SDSU and other universities have remained easily accessible to facilitate exchange of large amounts of information. Due to the current security climate and the sensitive nature of information maintained by the Division, this is no longer a viable option.
Only trusted persons or entities, whether on or off campus, with an operational requirement to access Divisional systems will be allowed to connect. The IT support and security contact from each department will work closely with Technology Services to integrate systems into the Division network architecture and provide rules governing access to data. Successful control depends on a careful balance between operational requirements (access for other departments on campus and outside entities) and security concerns.
- Active Directory and Windows Group Policies
Group Policies in a Windows network environment enable configuration management of all users and computers within a department's domain. Administrators can specify settings for registry-based policies, security, software installation, and remote installation services. Departments should work with Technology Services to implement group policies that enforce security to the maximum extent possible.
- Vulnerability Management (Malware Protection and Operating System Updates)
Malware is an ever-increasing security threat to users of networked computers. Infections may result in loss of data, clogged network resources, and a variety of other problems that consume limited IT staff time and resources. While staff education goes a long way in defeating common malware, writers of malicious code have attained a level of sophistication that allows the infection of a machine without any user intervention. Worms, as they are known in the IT community, can infect a vulnerable machine that is simply connected to a network with Internet access. Anti-malware software is the frontline defense against machine infection and therefore should never be disabled. However, the software is only effective if it has been updated with the latest malware definition files (DATs) and scanning engine. New malicious code is released with increasing frequency, sometimes requiring updates multiple times a day.
In addition to malware and other malicious code, operating systems, especially Windows, present significant security risks. Windows is designed and marketed as an easy-to-use, convenient operating system for both home and business users and is by far the most prevalent operating system on the market. Because Windows offers numerous user features, the operating system starts a host of services and opens many ports on the systems running it. This makes Windows a challenge to secure in an open environment and prone to intrusion. Microsoft frequently releases patches and service packs to resolve security issues, which must be installed to shore up vulnerable systems.
Emerging malware threats and operating system vulnerabilities place a constant strain on Division IT staff. While both malware DATs and Windows updates can be partially automated, users can inadvertently prevent the updates from being successfully installed leaving the machine vulnerable. This has required IT staff to manually check each computer or server to verify the malware protection and patch level.
Departments will work with Technology Services to ensure that malware protection and patch management software is installed and running on all divisional computing systems, that updates are installed daily, and that all unnecessary services and ports are disabled.
- Spyware
Spyware has become a major security and system maintenance issue. The term spyware is used to generally describe any program that monitors a user's actions without his or her knowledge. Spyware is often hidden in free software that users download from the Internet and installed without the user's knowledge; thus the term spyware. At its worst, spyware can be used by hackers to compromise a system. In most cases the software is used surreptitiously by businesses to obtain data about Internet users and customers. By its very nature, spyware creates security vulnerabilities regardless of the author's intent in writing the code.
As necessary, Technology Services will assist departments in detecting and deleting spyware.
- Operating System Security Settings
Operating systems, including Windows, offer a variety of security settings and group policies to harden a domain. These include password complexity requirements, account locking, storage of passwords using reversible encryption, limiting network access by day and time, etc.
Technology Services shall establish guidelines and best practices for utilizing various security options in operating systems in use in the Division.
- New Project/Hardware Acquisition Clearance from Technology Services
As the Division works to automate existing manual tasks and realize increased levels of efficiency, new technological solutions are explored. While a department may only be considering the benefits of new software or hardware, a security and compatibility analysis must also be done to protect the Division from potential security threats and to ensure that the proposed action does not cause unforeseen maintenance issues.
In deciding whether to acquire a new hardware or software component, develop a new database, or create a new Web application, the IT security and support contact on behalf of his or her department shall notify Technology Services in writing and provide sufficient details on the proposed project to enable Technology Services to make a determination as to the project security and feasibility. If there is any doubt as to whether to consult Technology Services, departments are strongly encouraged to do so. Departments implementing new technology solutions that fail to consult with Technology Services do so at their own risk.
- Logon Banners
The Division shall develop, and all departments shall display, a logon banner containing the following information:
- The system is a restricted system only for use by the SDSU Division of Student Affairs.
- Unauthorized use will be punished to the full extent of the law.
- A summary of the Division's acceptable use policy as contained in this document.
- A statement that the network is subject to monitoring for security purposes.
- Accountability and Auditing
Departments shall develop internal procedures to ensure that all applicable Divisional information security standards are adopted and followed.
IV. SECURITY INCIDENT REPORTING
In the event that a Division staff member has reason to believe that a Division computer resource has been compromised, tampered with, or accessed without authorization, he or she shall immediately notify the Department IT Security and Support Contact. The IT Security and Support Contact shall in turn take immediate steps to remove the affected system(s) from the network to prevent further compromise, restrict staff access to the machine to preserve evidence for forensic examination by SDSU IT staff and possibly State and Federal law enforcement agencies and notify Technology Services. Technology Services will notify the office of the Vice President for Student Affairs and the SDSU Information Technology Security Office for further action and instructions.
V. CHANGES TO THIS POLICY
This information security policy may be amended by Technology Services as necessary to address new security threats and take advantage of new countermeasures as needed. Amendment of the policy will require the approval of the Director, Technology Services and the Vice President of Student Affairs Office.