Security Policy Analysis Exercise

Research UNH’s Office of Information Technology Acceptable Usage Policy found at http://www.newhaven.edu/317429.pdf (a copy has also been uploaded to Blackboard) and answer the following questions:

1) Identify which of the following topics this policy addresses and how the topics are addressed within the policy:

• The scope and purpose of the policy.
• The relationship of the security objectives to the organization’s legal and regulatory obligations, and its business objectives.
• IT security requirements in terms of confidentiality, integrity, availability, accountability, authenticity, and reliability, particularly with regard to the views of the asset owners.
• The assignment of responsibilities relating to the management of IT security and the organizational infrastructure.
• The risk management approach adopted by the organization.
• How security awareness and training is to be handled.
• General personnel issues, especially for those in positions of trust.
• Any legal sanctions that may be imposed on staff, and the conditions under which such penalties apply.
• Integration of security into systems development and procurement.
• Definition of the information classification scheme used across the organization.
• Contingency and business continuity planning.
• Incident detection and handling processes.
• How and when this policy should be reviewed.
• The method for controlling changes to this policy.

2) If possible, identify any legal or regulatory requirements that apply to the organization.

3) Do you believe the policy appropriately addresses all relevant issues?

4) Are there any topics the policy should address, but does not?

Note: use the readings, McBride et al.: The Information Security Program and Developing an Information Security Policy

Policy No.: 7000, Rev.: 0 (Acceptable Usage Policy)

Scope

The goals of this policy are to outline appropriate and inappropriate use of the University of New Haven’s network resources.
Policy Statement

This policy is designed to guide students, faculty, staff and other authorized users in the acceptable use of computers, information systems and networks provided by the University of New Haven according to the mission of the University.

Reason for the Policy

The University of New Haven community is encouraged to make innovative and creative use of information technologies in support of education and research. This policy is intended to respect the rights and obligations of Academic Freedom, and recognizes that the educational mission of the university is served in a variety of ways.

Access to a University of New Haven computer system or network is not in itself a right, but a privilege granted with the understanding that there are responsibilities to ensure fairness to all users. Inappropriate use may result in withdrawal of this privilege, academic discipline and/or prosecution through the appropriate civil or criminal justice system.

Definitions

Bandwidth: Refers to how much data you can send through a network connection. It is usually measured in bits per second.

Network: A group of two or more computer systems linked together.

Information Systems: A system for managing and processing information, usually computer-based.

Policy Sections

7000.1 General Policy

All computing resources must be used in an ethical and responsible manner. All computing resources provided by the university are intended to further the mission of the university. Equipment, supplies, bandwidth and accounts are to be used for university related work. Downtime and equipment failures are costly to the university and do not promote an efficient learning environment. The computing and network facilities of the university are limited and should be used wisely and carefully with consideration for the needs of others.
Computers and network systems offer powerful tools for communication among members of the community and of communities outside the university. When used unlawfully or inappropriately, however, these tools can infringe on the rights of others.

7000.2 Statement of Responsibility

General responsibilities pertaining to this policy are set forth in this section. The following sections list additional specific responsibilities.

7000.2.1 Manager Responsibilities

Managers and supervisors must:

1. Ensure that all appropriate personnel are aware of and comply with this policy.
2. Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe this policy.

7000.2.2 Office of Information Technology (OIT) Responsibilities

The OIT must:

1. Develop and maintain written standards and procedures necessary to ensure implementation of and compliance with these policy directives.
2. Provide appropriate support and guidance to assist employees to fulfill their responsibilities under this directive.
3. Supply users with appropriate computer accounts. Information pertaining to accounts will be emailed to users with password information contained in a separate email so as to ensure security. Users are strongly encouraged to change passwords according to the university’s password policy.

7000.2.3 Users Responsibilities

You are responsible for adhering to the guidelines below to ensure the integrity of the University of New Haven’s data and systems. The following precautions are strongly recommended:

• Computer accounts, passwords and other types of authorization that are assigned to individual users SHOULD NOT be shared with others.
• All users should adhere to the university’s password policy.
• Users should never leave a terminal or computer unattended without first logging out.
• You should not give your login name and password to anyone.
• You are responsible for all activity occurring from your account.
• Diskettes and portable storage devices should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.
• Diskettes should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.
• Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.
• Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.

7000.2.4 Supervisor’s Responsibility

Managers and supervisors should notify OIT and Human Resources promptly whenever an employee leaves the university or transfers to another department so that his/her access can be revoked and/or modified. Involuntary terminations must be reported concurrent with the termination.

7000.2.5 Human Resources Responsibility

The Human Resources department will notify OIT monthly of associate transfers and terminations. Involuntary terminations must be reported concurrent with the termination.

7000.3 Appropriate Use

Individuals at the University of New Haven are encouraged to use the network to further the goals and objectives of the university. The types of activities that are encouraged include:

• Communicating with fellow employees, students, business partners, and clients of the University of New Haven within the context of an individual’s assigned responsibilities.
• Acquiring or sharing information necessary or related to the performance of an individual’s assigned responsibilities.
• Participating in educational or professional development activities.
7000.4 Inappropriate Use

Individual’s network use is not to interfere with others’ use of the network. Users will not violate the network policies of any network accessed through their account. Network use at the University of New Haven will comply with all Federal and State laws, all University of New Haven policies and all University of New Haven contracts. This includes, but is not limited to, the following:

• The network may not be used for illegal or unlawful purposes, including, but not limited to, copyright infringement, obscenity, libel, slander, fraud, defamation, plagiarism, harassment, intimidation, forgery, impersonation, illegal gambling, soliciting for illegal pyramid schemes, and computer tampering (i.e., spreading computer viruses).
• Individuals using the network are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by the University and/or legal action by the copyright owner. Please refer to the Office of Information Technology Copyrights and License Agreements Policy for more information.
• Individuals should limit their personal use of the network. The University of New Haven allows limited personal use for communication with family and friends, independent learning, and public service. The University of New Haven prohibits use of network resources for mass unsolicited mailings, access for non-employees to University of New Haven resources or network facilities, commercial activity unless pre-approved by the University of New Haven and the dissemination of chain letters.
• Individuals may not view, copy, alter, or destroy data, software, documentation, or data communications belonging to the University of New Haven or another individual without authorized permission.
• In the interest of maintaining network performance, users should limit the size of electronic mail attachments.
• The network is not to be used for downloading personal applications or files, including but not limited to, music files, movies, games and any other file types deemed inappropriate by the University.

As stated in the Email Usage and Retention Policy #7010, “all messages and attachments, created, sent or retrieved over the network are the property of the university and may be regarded as public information. The University of New Haven reserves the right to access the contents of any messages sent over its facilities if the university believes, in its sole judgment, that it has a business need to do so. All communications, including text and images, can be disclosed to law enforcement or other third parties without prior consent of the sender or the receiver.”

7000.5 Enforcement

Failure to comply with the Acceptable Usage Policy may result in disciplinary action by the University and/or legal actions.
