Security Policy Analysis Exercise

Research UNH’s Office of Information Technology Acceptable Usage Policy found at http://www.newhaven.edu/317429.pdf (a copy has also been uploaded to Blackboard) and answer the following questions.

1) Identify which of the following topics this policy addresses and how the topics are addressed within the policy:

• The scope and purpose of the policy.
• The relationship of the security objectives to the organization’s legal and regulatory obligations, and its business objectives.
• IT security requirements in terms of confidentiality, integrity, availability, accountability, authenticity, and reliability, particularly with regard to the views of the asset owners.
• The assignment of responsibilities relating to the management of IT security and the organizational infrastructure.
• The risk management approach adopted by the organization.
• How security awareness and training is to be handled.
• General personnel issues, especially for those in positions of trust.
• Any legal sanctions that may be imposed on staff, and the conditions under which such penalties apply.
• Integration of security into systems development and procurement.
• Definition of information classification scheme used across the organization.
• Contingency and business continuity planning.
• Incident detection and handling processes.
• How and when this policy should be reviewed.
• The method for controlling changes to this policy.

2) If possible, identify any legal or regulatory requirements that apply to the organization.

3) Do you believe the policy appropriately addresses all relevant issues?

4) Are there any topics the policy should address, but does not?

Note: use the readings, McBride et al.: The Information Security Program and Developing an Information Security Policy
Policy No.: 7000, Rev.: 0 (Acceptable Usage Policy)

Scope
The goals of this policy are to outline appropriate and inappropriate use of the University of New
Haven’s network resources.

Policy Statement
This policy is designed to guide students, faculty, staff and other authorized users in the
acceptable use of computers, information systems and networks provided by the University of
New Haven according to the mission of the University.

Reason for the Policy
The University of New Haven community is encouraged to make innovative and creative use of
information technologies in support of education and research. This policy is intended to respect
the rights and obligations of Academic Freedom, and recognizes that the educational mission of
the university is served in a variety of ways.
Access to a University of New Haven computer system or network is not in itself a right, but a
privilege granted with the understanding that there are responsibilities to ensure fairness to all
users. Inappropriate use may result in withdrawal of this privilege, academic discipline and/or
prosecution through the appropriate civil or criminal justice system.

Definitions
Bandwidth
Refers to how much data you can send through a network connection. It is usually measured in
bits per second.
Network
A group of two or more computer systems linked together.
Information Systems
A system for managing and processing information, usually computer-based.

University of New Haven Policy

Policy Sections
7000.1 General Policy
All computing resources must be used in an ethical and responsible manner. All
computing resources provided by the university are intended to further the mission of the
university. Equipment, supplies, bandwidth and accounts are to be used for university
related work. Downtime and equipment failures are costly to the university and do not
promote an efficient learning environment.
The computing and network facilities of the university are limited and should be used
wisely and carefully with consideration for the needs of others. Computers and network
systems offer powerful tools for communication among members of the community and
of communities outside the university. When used unlawfully or inappropriately,
however, these tools can infringe on the rights of others.
7000.2 Statement of Responsibility
General responsibilities pertaining to this policy are set forth in this section. The
following sections list additional specific responsibilities.
7000.2.1 Manager Responsibilities
Managers and supervisors must:
1. Ensure that all appropriate personnel are aware of and comply with this
policy.
2. Create appropriate performance standards, control practices, and
procedures designed to provide reasonable assurance that all employees
observe this policy.
7000.2.2 Office of Information Technology (OIT) Responsibilities
The OIT must:
1. Develop and maintain written standards and procedures necessary to
ensure implementation of and compliance with these policy directives.
2. Provide appropriate support and guidance to assist employees to fulfill
their responsibilities under this directive.
3. Supply users with appropriate computer accounts. Information pertaining
to accounts will be emailed to users with password information contained
in a separate email so as to ensure security. Users are strongly encouraged to
change passwords according to the university’s password policy.
7000.2.3 Users Responsibilities
You are responsible for adhering to the guidelines below to ensure the integrity of
the University of New Haven’s data and systems. The following precautions are
strongly recommended:
• Computer accounts, passwords and other types of authorization that are assigned to individual users SHOULD NOT be shared with others.
• All users should adhere to the university’s password policy.
• Users should never leave a terminal or computer unattended without first logging out.
• You should not give your login name and password to anyone. You are responsible for all activity occurring from your account.
• Diskettes and portable storage devices should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.
• Diskettes should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.
• Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.
• Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.
7000.2.4 Supervisor’s Responsibility
Managers and supervisors should notify OIT and Human Resources promptly
whenever an employee leaves the university or transfers to another department so
that his/her access can be revoked and/or modified. Involuntary terminations
must be reported concurrent with the termination.
7000.2.5 Human Resources Responsibility
The Human Resources department will notify OIT monthly of associate transfers
and terminations. Involuntary terminations must be reported concurrent with the
termination.
7000.3 Appropriate Use
Individuals at the University of New Haven are encouraged to use the network to further
the goals and objectives of the university. The types of activities that are encouraged
include:

Communicating with fellow employees, students, business partners, and clients of
the University of New Haven within the context of an individual’s assigned
responsibilities.

Acquiring or sharing information necessary or related to the performance of an
individual’s assigned responsibilities.

Participating in educational or professional development activities.

7000.4 Inappropriate Use
An individual’s network use is not to interfere with others’ use of the network. Users will
not violate the network policies of any network accessed through their account. Network
use at the University of New Haven will comply with all Federal and State laws, all
University of New Haven policies and all University of New Haven contracts. This
includes, but is not limited to, the following:
The network may not be used for illegal or unlawful purposes, including, but not limited
to, copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism,
harassment, intimidation, forgery, impersonation, illegal gambling, soliciting for illegal
pyramid schemes, and computer tampering (i.e., spreading computer viruses).
Individuals using the network are not permitted to copy, transfer, rename, add, or delete
information or programs belonging to others unless given express permission to do so by
the owner. Failure to observe copyright or license agreements may result in disciplinary
action by the University and/or legal action by the copyright owner. Please refer to the
Office of Information Technology Copyrights and License Agreements Policy for more
information.
Individuals should limit their personal use of the network. The University of New Haven
allows limited personal use for communication with family and friends, independent
learning, and public service. The University of New Haven prohibits use of network
resources for mass unsolicited mailings, access for non-employees to University of New
Haven resources or network facilities, commercial activity unless pre-approved by the
University of New Haven and the dissemination of chain letters.
Individuals may not view, copy, alter, or destroy data, software, documentation, or data
communications belonging to the University of New Haven or another individual without
authorized permission.
In the interest of maintaining network performance, users should limit the size of
electronic mail attachments.
The network is not to be used for downloading personal applications or files, including
but not limited to, music files, movies, games and any other file types deemed
inappropriate by the University.
As stated in the Email Usage and Retention Policy #7010, “all messages and attachments,
created, sent or retrieved over the network are the property of the university and may be
regarded as public information. The University of New Haven reserves the right to
access the contents of any messages sent over its facilities if the university believes, in its
sole judgment, that it has a business need to do so. All communications, including text
and images, can be disclosed to law enforcement or other third parties without prior
consent of the sender or the receiver.”
7000.5 Enforcement
Failure to comply with the Acceptable Usage Policy may result in disciplinary action by
the University and/or legal actions.
