Rule 24.99.99.T1 (Effective 5/4/2006)
(Supplements System Regulation 21.99.10)
Security of Electronic Information Resources
RULE:
1. GENERAL
1.1 Tarleton State University’s electronic information resources are vital academic and administrative assets which require appropriate safeguards. Computer systems, networks, and data are vulnerable to a variety of threats. These threats have the potential to compromise the integrity, availability, and confidentiality of the information.
1.2 Effective security management programs must be employed to appropriately eliminate or mitigate the risks posed by potential threats to the University’s information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification or destruction whether accidental or deliberate.
1.3 Tarleton State University, as a state university, is required to comply with the Texas Administrative Code (TAC) on “Information Security Standards”. The Texas Administrative Code assigns responsibility for protection of informational resources to the President. For the purposes of this rule, the authority and responsibility regarding the University’s compliance with the Texas Administrative Code on Information Security Standards has been delegated by the President to the Executive Director of Information Resources (EDIR).
2. DEFINITIONS
2.1 Confidential Information - Information that is excepted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal laws. Most student records as well as employee records are considered confidential information.
2.2 Mission Critical Information - Information that is defined by Tarleton State University or any division thereof (department, etc.), to be essential to its function(s) and would cause severe detrimental impact if the data/system were lost and unable to be restored in a timely fashion.
2.3 Owner - A person responsible for a University function and for determining controls and access to electronic information resources supporting that University function.
2.4 Custodian - A person (or department) providing operational support for an information system and having responsibility for implementing owner-defined controls and access privileges.
2.5 User - The user of the data or record has the responsibility to use the resource only for the purpose specified by the owner; comply with controls established by the owner; and prevent disclosure of confidential or sensitive information.
3. RESPONSIBILITIES
3.1 The Information Security Officer has been designated as the individual responsible for administering the provisions of this rule and the TAC Information Security Standards.
3.2 The head or director of a department shall be responsible for ensuring that an appropriate security program is in effect and that compliance with this rule and TAC Standards is maintained for information systems owned and operationally supported by the department.
3.3 The head or director of a department which provides operational support (custodian) for information systems owned by another Tarleton State University department shall have the responsibility for ensuring that an appropriate security program is in effect and that compliance with TAC Standards is maintained for the supported information systems.
3.4 Operational responsibility for compliance with TAC Standards may be delegated by the department head or director to the appropriate information system support personnel (e.g. System Administrators) within the department.
3.5 Mission Critical or Confidential Information maintained on an individual workstation or personal computer must be afforded the appropriate safeguards stated in the TAC Standards. It is the responsibility of the operator, or owner, and/or departmental Systems Administrator of that workstation or personal computer to ensure that adequate security measures are in place.
4. PROCEDURES
4.1 The procedures determining the electronic security of University information resources are addressed in the following University Rules/SAPs:
SAP - Acceptable Use.doc
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
REFERENCES: TAC 202 as amended or supplemented
Procedure 24.99.99.T1.01 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
PROCEDURE: Information Resources – Acceptable Use
GENERAL
Under the provisions of the Information Resources Management Act, information resources are strategic assets of the State of Texas that must be managed as valuable state resources. Tarleton State University has developed rules and procedures that address acceptable use of information resources. The purpose of this Standard Administrative Procedure (SAP) is to identify those relevant policies and procedures.
APPLICABILITY
This SAP applies to all University information resources.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with acceptable use of University information resources. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures will be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
The intended audience for this SAP includes, but is not limited to, all information resources management personnel, owners, system administrators, and users of University information resources.
DEFINITIONS
Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
RULES and PROCEDURES
The rules and procedures for determining acceptable use of University information resources are addressed as follows:
Rule 21.99.10.T1 - Licensed Commercial Software Rule
21.99.10.T1.01 - Licensed Commercial Software Procedures
Rule 24.99.99.T1 - Security of Electronic Information Resources
24.99.99.T1.01 - Acceptable Use
24.99.99.T1.02 - Account Management
24.99.99.T1.03 - Administrator/Special Access
24.99.99.T1.04 - Backup Recovery
24.99.99.T1.05 - Email Use
24.99.99.T1.06 - Intrusion Detection
24.99.99.T1.07 - Malicious Code
24.99.99.T1.08 - Network/Wireless Access
24.99.99.T1.09 - Network Configuration
24.99.99.T1.10 - Password Authentication
24.99.99.T1.11 - Physical Access
24.99.99.T1.12 - Privacy
24.99.99.T1.13 - Security Awareness and Training
24.99.99.T1.14 - Security Monitoring
24.99.99.T1.15 - Server Hardening
24.99.99.T1.16 - Vendor Access
Rule 24.99.99.T2 - Incidental Computer Use
Rule 24.99.99.T3 - Complaint Procedures for Electronic Information
Rule 25.99.08.T1 - Use of Telecommunication Service
25.99.08.T1.01 - Communication Allowances
27.99.01.T1.01 - Procedure for Purchase of Information Technology
27.99.99.T1.01 - Computer Use
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.02 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Account Management
- GENERAL
University information resources are strategic assets which, being property of the State of Texas, must be managed as valuable state resources. Access to University information resources is normally controlled by a logon ID associated with an authorized account. Proper administration of these logon IDs is very important to ensure the security of confidential information and the normal business operation of University managed and administered information resources.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to University information resources that store or process mission critical and/or confidential information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with account management. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
The intended audience for this standard administrative procedure includes, but is not limited to, all information resources data/owners, management personnel, and system administrators.
- DEFINITIONS
Account: information resource users are typically assigned logon credentials which include, at the minimum, a unique user name and password.
Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
Logon ID: a user name that is required as the first step in logging into a secure system. Generally, a logon ID must be associated with a password to be of any use.
Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
Owner of an Information Resource: an entity responsible for a business function and for determining controls and access to information resources supporting that business function.
- PROCEDURES
An approval process is required prior to granting access authorization for an information resource. The approval process shall document the acknowledgement of the account holder to follow all terms of use and the granting of authorization by the resource owner or their designee.
Each person is to have a unique logon ID and associated account for accountability purposes. Role accounts (e.g., guest or visitor) are to be used in very limited situations, and must provide individual accountability when used to access mission critical and/or confidential information.
- Account creation processes are required to ensure that only authorized individuals receive access to information resources.
- Processes are required to disable logon IDs that are associated with individuals that are no longer employed by, or associated with, the University.
- In the event that the access privilege is to remain active, the department (e.g., owner, department head) shall document that a benefit to the University exists.
- All new logon IDs that have not been accessed within a period of six months from the date of creation will be disabled.
- All logon IDs having access to mission critical and/or confidential resources that have not been used/accessed within a period of six months, shall be disabled. Exceptions can be made where there is an established departmental procedure. These actions shall be reviewed and approved by the department head or director. Documentation shall be maintained by the system administrator or other designated responsible university official.
- Passwords associated with logon IDs shall comply with the University Standard Administrative Procedure Password Authentication, 24.99.99.T1.10.
- System Administrators or other designated staff:
- Shall have a documented process for removing the accounts of individuals who are no longer authorized to have access to Tarleton State University information resources.
- Shall have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes.
- Shall have a documented process for periodically reviewing existing accounts for validity.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.03 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Administrator/Special Access
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all information resources managed by the University.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with the administrator’s special access. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience is all University staff responsible for information resources.
- DEFINITIONS
- Descriptive data (e.g., logs): Information created by a computer system or information resource that is electronically captured and which relates to the operation of the system and/or movement of files, regardless of format, across or between a computer system or systems. Examples of captured information are dates, times, file size, and locations sent to and from.
- Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
- User data: User-generated electronic forms of information that may be found in the content of a message, document, file, or other form of electronically stored or transmitted information.
- PROCEDURES
- Tarleton State University departments shall maintain a list or lists of personnel who have administrator, or special access accounts for departmental information resources systems. The list(s) shall be reviewed at least annually by the appropriate department head, director, or their designee.
- All users of Administrator and Special Access accounts must have account management instructions, training, and authorization.
- Each individual that uses Administrator and Special Access accounts must conduct investigations only under the direction of the ISO.
- Each individual that uses Administrator and Special Access accounts must use the account privilege most appropriate to the work being performed (i.e., user account vs. administrator account).
- Each account used for Administrator and Special Access must meet the Tarleton State University Standard Administrative Procedure Password Authentication.
- The password for a shared Administrator and Special Access account must change when an individual with the password leaves the department or Tarleton State University or upon a change in the vendor personnel assigned to the Tarleton State University contract.
- In the case where a system has only one administrator there must be a password escrow procedure in place so that someone other than the administrator can gain access to the administrator account in an emergency situation.
- When Special Access accounts are needed for internal or external audit, software development, software installation, or other defined need, they:
- must be authorized,
- must be created with a specific expiration date, and
- must be removed when work is complete.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.04 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Backup Recovery
- GENERAL
Routine electronic backups of data and systems are a requirement to enable the recovery of data and applications in case of events such as natural disasters, system disk drive failures, corruption, data entry errors, or system operations errors. The purpose of the University backup/recovery procedure is to establish the process for the backup and storage of electronic information.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to University information resources that contain mission critical information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with the backup/recovery of information. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience is all University staff responsible for the support and operation of University information resources which contain mission critical information.
- DEFINITIONS
3.1 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.2 Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
3.3 Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or division/unit. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or division/unit.
- PROCEDURES
4.1 The frequency and extent of backups shall be determined by the importance of the information, potential impact of data loss/corruption, and risk management decisions by the data owner.
4.2 Mission critical information backup and recovery processes for each system, including those for offsite storage, shall be documented and reviewed periodically. Additionally, mission critical data shall be backed up on a scheduled basis and stored off-site in a secure, environmentally-safe, locked facility.
4.3 Physical access controls implemented at offsite backup storage locations shall meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest sensitivity level of information stored.
4.4 Processes must be in place to verify the success of the information resource backups.
4.5 Backups shall be periodically tested to ensure that they are recoverable.
4.6 Backup media must have, at a minimum, the following identifying criteria that can be readily identified by labels and/or a bar-coding system:
(1) system name;
(2) creation date;
(3) sensitivity classification of mission critical or confidential information based on applicable electronic record retention regulations; and
(4) departmental information resource contact information.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.05 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Email Use
PROCEDURE:
- GENERAL
University information resources are strategic assets and as such must be managed as valuable state resources. Since a large portion of University business is conducted using email, it is important that email services function in an efficient and reliable manner. This Standard Administrative Procedure (SAP), therefore, addresses expected standards for University email usage.
- APPLICABILITY
This SAP provides procedures regarding the use of email through University owned information resources.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with email use. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience of this SAP is any University employee, student, guest, or visitor that may use any University information resource that has the capacity to send, receive or store email.
- DEFINITIONS
- Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- PROCEDURES
- The following activities are prohibited:
- Sending email that is intimidating or harassing
- Using email for conducting personal business
- Using email for purposes of political lobbying or campaigning
- Violating copyright laws by inappropriately distributing protected works
- Posing as anyone other than oneself when sending email, except when authorized to send messages for another when serving in an administrative support role
- The use of unauthorized email software
- The following activities are prohibited because they impede the functioning of network communications and the efficient operations of electronic mail systems:
- Sending or forwarding chain letters
- Sending unsolicited messages to large groups except as required to conduct Tarleton State University business
- Sending excessively large messages
- Sending or forwarding email that is likely to contain computer viruses
- All sensitive and/or confidential Tarleton State University material transmitted over external networks should be encrypted.
- All user activity on Tarleton State University information resources assets is subject to logging and review.
- Electronic mail users must not give the impression that they are representing, giving opinions, or otherwise making statements on behalf of Tarleton State University or any unit of Tarleton State University unless appropriately authorized (explicitly or implicitly) to do so. Where appropriate, an explicit disclaimer will be included unless it is clear from the context that the author is not representing Tarleton State University. An example of a simple disclaimer is: “the opinions expressed are my own, and not necessarily those of my employer.”
- Individuals must not send, forward or receive confidential or sensitive Tarleton State University information through non-Tarleton State University email accounts. Examples of non-Tarleton State University email accounts include, but are not limited to: Hotmail, Yahoo mail, AOL mail, and email provided by other Internet Service Providers (ISP).
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.06 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Intrusion Detection
PROCEDURE:
- GENERAL
Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information systems grow in complexity, effective security systems must evolve. With the proliferation of the number of vulnerability points introduced by the use of distributed systems, some type of assurance is needed that the systems and network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources:
- Feedback is information that addresses the effectiveness of other components of a security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.
- A trigger is a mechanism that determines when to activate planned responses to an intrusion incident.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to University information resources that store, process, or transmit mission critical and/or confidential information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with intrusion detection. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
The intended audience for this standard administrative procedure includes, but is not limited to, all information resources management personnel, owners, and system administrators.
- DEFINITIONS:
- Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
- Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
- Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
- Owner of an Information Resource: an entity responsible for a business function and determining controls and access to information resources supporting that business function.
- PREVENTION AND DETECTION
- Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.
- Alarm and alert functions, as well as audit logging of any firewalls and other network perimeter access control systems shall be enabled.
- Audit logs from the network perimeter access control systems shall be monitored/reviewed as risk management decisions warrant.
- Audit logs for servers and hosts on the internal, protected network shall be reviewed as warranted based on risk management decisions. The system administrator will furnish any audit logs as requested by appropriate University personnel.
- Host-based intrusion tools will be tested on a routine schedule.
- Reports shall be reviewed for indications of intrusive activity.
- All suspected and/or confirmed instances of successful intrusions shall be immediately reported to the ISO. Information resource users are encouraged to report any anomalies in system performance and/or signs of unusual behavior or activity to their departmental system administrator or the Information Resources Help Desk.
- System administrators shall keep abreast of industry best practices regarding current intrusion events and methods to detect intrusions. Intrusion detection methods shall be utilized as needed.
- RESPONSE AND RECOVERY
- Based on the assessment of risk, appropriate action should be taken to protect Tarleton State University’s information resources.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.07 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Malicious Code
PROCEDURE:
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all Tarleton State University network information resources.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with malicious code. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience for this SAP includes all owners, managers, system administrators, and users of University information resources.
- DEFINITIONS
- Information Resources (IR): The procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
- Malicious code: Software that is designed to operate in a manner that is inconsistent with the intentions of the user and which typically results in annoyance or damage to the user's information systems.
Examples of such software include:
a. Viruses: Pieces of code that attach to host programs and propagate when an infected program is executed.
b. Worms: Programs particular to networked computers that carry out pre-programmed attacks and jump across the network.
c. Trojan Horses: Hidden malicious code inside a host program that appears to do something useful.
d. Attack scripts: These may be written in common languages such as Java or ActiveX to exploit weaknesses in programs; usually intended to cross network platforms.
e. Spyware: Software planted on a system to capture and reveal information to someone outside an individual’s system. It can do such things as capture keystrokes while typing passwords, read and track e-mail, record the sites visited, pass along credit card numbers, and so on. It can be planted by Trojan horses or viruses, installed as part of freeware or shareware programs that are downloaded and executed, installed by an employer to track computer usage, or even planted by advertising agencies to assist in feeding targeted ads.
- Owner of an Information Resource: an entity responsible for:
a. a business function; and,
b. determining controls and access to information resources supporting that business function.
- PREVENTION AND DETECTION:
- For each computer connected to the University network, security updates from the manufacturer of the appropriate operating system, and/or application software, must be kept current (e.g., patched and updated).
- Where feasible, personal firewall software or hardware shall be installed to aid in the prevention of malicious code attacks/infections.
- Email attachments and shared files of unknown integrity shall be scanned for malicious code before they are opened or accessed.
- Diskettes and mass storage devices will be scanned for malicious code before accessing any data on the media.
- Software to safeguard against malicious code shall be installed and functioning on susceptible information resources that have access to the University network.
- Software safeguarding information resources against malicious code shall not be disabled or bypassed.
- The settings for software that protect information resources against malicious code should not be altered in a manner that will reduce the effectiveness of the software.
- The automatic update frequency of software that safeguards against malicious code shall not be altered to reduce the frequency of updates.
- RESPONSE AND RECOVERY:
- All reasonable efforts shall be made to contain the effects of any system that is infected with a virus or other malicious code. This may include disconnecting systems from the network or disabling email.
- If malicious code is discovered, or believed to exist, an attempt should be made to remove or quarantine the malicious code using current anti-virus or other control software.
- If malicious code cannot be automatically quarantined or removed by anti-virus software, the system shall be disconnected from the network to prevent further possible propagation of the malicious code or other harmful impact. The presence of the malicious code shall be reported to IR personnel so that they may take appropriate actions in removing the malicious code and protecting other systems.
- Personnel responding to the incident should have the necessary system access privileges and authority to effect the necessary measures to contain/remove the infection.
- If possible, identify the source of the infection and the type of infection to prevent recurrence.
- Utilize anti-viral, anti-spyware, etc. software to execute a complete system scan including the boot sector and all physical drives, to eradicate all malicious code that may be identified.
- Any removable media (including diskettes, mass storage cards, etc.) recently used on an infected machine shall be scanned prior to opening and/or executing any files contained therein.
- IR personnel should thoroughly document the incident noting the source of the malicious code (if possible), resources impacted, and damage or disruption to information resources.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.08 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Network/Wireless Access
PROCEDURE:
- GENERAL
The information resources network infrastructure in Stephenville, Texas is provided by Tarleton State University for tenants of University facilities. It is important that the infrastructure, which includes media, active electronic equipment (i.e., multiplexers, hubs, routers, etc.) and supporting software, be able to meet current performance requirements while retaining the flexibility to allow emerging developments in high speed networking technology and enhanced user services. The purpose of the Tarleton State University network access procedures is to establish the process for the access to the network infrastructure.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all university network information resources.
- PURPOSE
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with network access. System administrators are the primary audience for this SAP.
- DEFINITIONS
4.1 Anonymous write capability - the ability of people to save (on Tarleton State University computers) information they create without their identity being known (to system administrators).
4.2 Anonymously originating network traffic - causing a (Tarleton State University) computer system to send traffic via the network where the custodian/owner is not known.
4.3 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
- PROCEDURES
5.1 Network aggregation devices (e.g., hubs, switches, routers) shall not be connected to network infrastructure without prior approval by Information Resources.
5.2 Management of network addresses and name space may be delegated to system administrators. Users are permitted to use only those network addresses issued to them by their designated system administrator.
5.3 Network scans and network vulnerability scans of devices attached to the Tarleton State University network as well as the appropriate remediation are occasionally necessary to ensure the integrity of Tarleton State University computing systems. Network scans and network vulnerability scans may only be conducted by University employees designated by the organizational unit head responsible for the information resource.
5.4 Individuals controlling right-to-use for systems attached to the network infrastructure will ensure only authorized persons are granted access.
5.5 Allowing anonymous write capability to University systems or anonymously originating network traffic requires Information Resources permission.
5.6 Users shall not alter University-owned network hardware in any way.
5.7 Airspace Guidelines for Using the 2.4 and 5.0 GHz Radio Frequency.
Link to: AirspacePolicy3.doc for complete guidelines.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.09 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Network Configuration
PROCEDURE:
- GENERAL
The information resources network infrastructure in Stephenville, Texas is provided by Tarleton State University for tenants of University facilities. It is important that the infrastructure, which includes media, active electronics and supporting software, be able to meet current performance requirements while retaining the flexibility to allow emerging developments in high speed networking technology and enhanced user services. The purpose of the network configuration procedure is to establish the process for change of the network infrastructure.
Tarleton State University owns and is responsible for the University network infrastructure and will continue to manage further developments and enhancements to this infrastructure.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all University network infrastructure information resources.
- PURPOSE
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with network configuration. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience is all network system administrators of University information resources.
- DEFINITIONS
4.1 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
4.2 Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
- PROCEDURES
5.1 All network connected equipment must be configured to a specification approved by Tarleton State University Information Resources.
5.2 All hardware connected to the Tarleton State University network is subject to its Information Resources management and monitoring standards.
5.3 Changes to the configurations of active network management devices must not be made without the approval of Information Resources.
5.4 The University network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by Information Resources.
5.5 The network addresses for the supported protocols are allocated, registered and managed centrally by Texas A&M University and Tarleton State University Information Resources.
5.6 All connections of the network infrastructure to external third party networks are the responsibility of Tarleton State University Information Resources. This includes connections to external telephone networks.
5.7 Tarleton State University Information Resources firewalls must be installed and configured following the University Firewall Implementation Standard documentation.
5.8 The use of departmental firewalls is not permitted without the written authorization from Information Resources.
5.9 Users must not extend or re-transmit network services in any way. Devices such as routers, switches, hubs, or wireless access points cannot be installed on the Tarleton State University network without approval from Information Resources.
5.10 Users must not install network hardware or software that provides network services without Tarleton State University Information Resources approval.
5.11 Users are not permitted to alter network hardware in any way.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.10 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Password Authentication
- GENERAL
User authentication is a means to control who has access to an information resource system. Controlling the access is necessary for any information resource. The confidentiality, integrity, and availability of information can be lost when access is gained by a non-authorized entity. This, in turn, may result in loss of revenue, liability, loss of trust, or embarrassment to the university. There are several ways to authenticate a user. Examples are: password, university identification number (UIN), Smartcard, fingerprint, iris scan, or voice recognition.
The purpose of the university password/authentication procedure is to establish the process for the creation, distribution, safeguarding, termination, and reclamation of the university user authentication mechanisms.
- APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all university information resources.
- PURPOSE
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with password authentication. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
The intended audience is any university employee, staff, faculty, student, guest or visitor that uses information resources requiring authentication.
- DEFINITIONS
4.1 Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
4.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
4.3 Owner of Information Resources: an entity responsible for:
(1) a business function; and
(2) determining controls and access to information resources supporting that business function.
4.4 Mission Critical: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the university or department.
- PROCEDURES
All passwords shall be constructed and implemented according to the following criteria:
5.1 Servers that are mission critical and/or maintain confidential information shall have passwords that conform to this SAP.
5.2 Passwords must be treated as confidential information. Passwords shall only be revealed to Tarleton State University Information Resources personnel (e.g., Help desk) if contact has been initiated by end user/system owner; and, such information is absolutely necessary to conduct routine maintenance on information resources.
5.3 Passwords shall be routinely changed (no longer than 120 day intervals for systems processing/storing mission critical and/or confidential data).
5.4 Where feasible, owners of systems that maintain mission critical and/or confidential information shall establish a reasonable period of time for passwords to be maintained in history to prevent their reuse.
5.5 Passwords shall not be anything that can be easily associated with the account owner such as: user name, social security number, UIN, nickname, relative’s name, birth date, telephone number, etc.
5.6 Passwords shall not be dictionary words or acronyms regardless of language of origin.
5.7 Stored passwords shall be encrypted.
5.8 There shall be no more than seven tries before a user is locked out of an account. Delay, or progressive delay, helps to prevent automated “trial-and-error” attacks on passwords.
5.9 Changes to access controls on security tokens (e.g., TexanCard) must be reported immediately when there has been a change in job duties which no longer require restricted access, or upon termination of employment.
5.10 If the security of a password is in doubt, the password shall be changed immediately. If the password has been compromised, the event shall also be reported to the appropriate system administrator(s).
5.11 Users should not circumvent password entry with auto logon, application remembering, embedded scripts, or hard-coded passwords in client software for systems that process/store mission critical and/or confidential data. Users should always enter “no” when asked to have a password “remembered”.
5.11.1 Exceptions may be made for specific applications (like automated backup) with the approval of the information resource owner. In order for an exception to be approved, there must be a procedure in place for the user to change passwords.
5.12 Computing devices shall not be left unattended in unsecured areas without enabling a password-protected screensaver or logging off the device.
5.13 Forgotten passwords shall be replaced, not reissued.
5.14 Procedures for setting and changing information resource passwords include the following:
5.14.1 The user must verify his/her identity before the password is changed;
5.14.2 The password must be changed to a “strong” password – (see section 6 below of Password Guidelines); and,
5.14.3 The user must change password at first log on – where applicable.
5.15 Where possible, passwords that are user selected shall be checked by a password audit system that adheres to the established criteria of the system or service.
5.15.1 Automated password generation programs must use non-predictable methods of generation.
5.15.2 Systems that auto-generate passwords for initial account establishment must force a password change upon entry into the system.
5.16 Password management and automated password generation must have the capability to maintain auditable transaction logs containing information such as:
5.16.1 Time and date of password change, expiration, administrative reset;
5.16.2 Type of action performed; and,
5.16.3 Source system (e.g., IP and/or MAC address) that originated the change request.
- PASSWORD GUIDELINES
Guidelines for creating a “strong” password:
6.1 Make the password difficult to guess, but easy to remember.
6.2 Passwords should contain:
6.2.1 A mix of upper (A-Z) and lower case (a-z) characters.
6.2.2 At least 2 special characters – as permitted by computing systems (such as !@#$%^&*<>).
6.2.3 Numeric characters placed after the first, but before the last, character of the password.
6.3 Substitute numbers or special characters for letters.
6.3.1 For example: “livefish” is a “weak” password; “l!v3f1$h” is better – i.e., the capitalization and substitution of characters is not predictable.
6.4 Create an acrostic from the first letters of a favorite poem, song, or saying.
6.4.1 For example: “LbP*H!h$” is an 8-character password created from “Little Bo Peep has lost her sheep.”
6.5 Passwords should not be easily guessed or “weak.” Avoid choosing passwords that are:
(1) Less than 8 characters long;
(2) Your username;
(3) Names of family, pets, friends, co-workers, etc.;
(4) Words associated with your school, school mascot, etc. (such as, “tarleton” and “texanriders”);
(5) Other personal information easily obtained such as: birthdays, addresses, phone numbers, and license plate numbers;
(6) Word or number patterns (e.g., aaabbb, qwerty, 123321);
(7) Any of the above spelled backwards;
(8) Any of the above preceded or followed by a digit (e.g., secret1, secret); and,
(9) Certain devices (such as voice mail access from a telephone) require password entry through numeric keypad. In this case, users shall avoid using telephone numbers in any format (5 digit such as 5-3211, 7 digit such as 845-3211 or 10 digit such as 979-845-3211) as the password.
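The guidelines in 6.2 and 6.5 can be applied mechanically by the kind of password audit check that 5.15 calls for. The following Python is an added example, not part of the University's procedure or of any University system; the function names, the reading of 6.2.3 as "at least one digit strictly inside the password", the stripping of any run of leading or trailing digits for 6.5(8), and the sample usernames and phone numbers in use are assumptions.

```python
import re

DIGITS = "0123456789"
# Terms quoted in sections 6.5(4) and 6.5(6) of the guidelines.
SCHOOL_TERMS = ("tarleton", "texanriders")
PATTERN_TERMS = ("aaabbb", "qwerty", "123321")


def _candidate_forms(password):
    """Lower-cased password, with and without leading/trailing digits (6.5(8))."""
    p = password.lower()
    forms = {p, p.lstrip(DIGITS), p.rstrip(DIGITS), p.strip(DIGITS)}
    forms.discard("")  # an all-digit password strips to nothing
    return forms


def _banned_terms(username, personal_terms):
    """Blocklist for 6.5(2)-(6), with every term also reversed (6.5(7))."""
    terms = {username, *personal_terms, *SCHOOL_TERMS, *PATTERN_TERMS}
    terms = {t.lower() for t in terms if t}
    return terms | {t[::-1] for t in terms}


def _matches_phone(password, phone_numbers):
    """6.5(9): the password is a known phone number in 5-, 7- or 10-digit form."""
    # Only consider entries made of digits and common phone punctuation.
    if re.search(r"[^\d\-\s().]", password):
        return False
    entered = re.sub(r"\D", "", password)
    if not entered:
        return False
    for number in phone_numbers:
        digits = re.sub(r"\D", "", number)
        if any(len(digits) >= n and entered == digits[-n:] for n in (5, 7, 10)):
            return True
    return False


def audit_password(password, username, personal_terms=(), phone_numbers=()):
    """Return the guideline findings for a candidate password (empty list = none)."""
    findings = []
    if len(password) < 8:
        findings.append("6.5(1) fewer than 8 characters")
    if not (any(c.isupper() for c in password) and any(c.islower() for c in password)):
        findings.append("6.2.1 no mix of upper and lower case")
    # Any non-alphanumeric character is counted as "special" here.
    if sum(1 for c in password if not c.isalnum()) < 2:
        findings.append("6.2.2 fewer than 2 special characters")
    # Assumption: 6.2.3 is read as "at least one digit strictly inside".
    if not any(c.isdigit() for c in password[1:-1]):
        findings.append("6.2.3 no digit between first and last character")
    if _candidate_forms(password) & _banned_terms(username, personal_terms):
        findings.append("6.5(2)-(8) matches a guessable term")
    if _matches_phone(password, phone_numbers):
        findings.append("6.5(9) matches a telephone number")
    return findings
```

Names of family, pets, and other personal information (6.5(3) and 6.5(5)) are supplied by the caller through `personal_terms`; a dictionary word list for 5.6 can be passed the same way.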
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.11 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Physical Access
- GENERAL
Technical support staff, system administrators, and others may have information resource physical facility access requirements as part of their function. The granting, controlling, and monitoring of the physical access to information resource facilities is extremely important to an overall security program. The purpose of the Tarleton State University physical access procedure is to establish the process for the granting, control, monitoring, and removal of physical access to information resource facilities.
- APPLICABILITY
This procedure applies to facilities that house multi-user systems (i.e., “data centers”) that process or store mission critical and/or confidential information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with physical access. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
Responsibility for ensuring secure physical access to information resources may be part of the job function for departmental staff which may include, but not be limited to, information technology staff, system administrators, supervisors, managers, and others.
- DEFINITIONS
3.1 Confidential Information: Information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g. the Texas Public Information Act.
3.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.3 Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
- PROCEDURES
4.1 All physical security systems shall comply with applicable regulations such as, but not limited to, building codes and fire prevention codes.
4.2 Physical access procedures to all information resources facilities shall be documented and managed.
4.3 All information resource facilities shall be physically protected in proportion to the criticality or importance of their function at Tarleton State University.
4.4 Access to information resources facilities shall be granted only to departmental personnel, vendors, or other authorized personnel whose job responsibilities require access to that facility.
4.5 There shall be an approval and documentation process for granting and revocation/return of security codes, access cards, and/or key access to information resources facilities.
4.6 Individuals who are granted access rights to an information resource facility must sign appropriate access agreements. Facilities users should also receive information regarding appropriate physical security practices and emergency procedures.
4.7 Security access codes, access cards and/or keys to information resource facilities shall not be shared or loaned to others.
4.8 Appropriate departmental personnel responsible for the physical security of information resources shall review access rights for the facility on a periodic basis and revoke access for individuals that no longer require such access.
4.8.1 Access cards or keys must not be reallocated to another individual, bypassing the return process.
4.8.2 Access cards and/or keys must not have identifying information other than a return mail address.
4.9 Visitors must be escorted in restricted access areas of information resource facilities.
4.10 Physical access records shall be maintained as appropriate for the criticality of the information resources being protected. Such records shall be reviewed as needed by organizational unit heads or their designees.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.12 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Privacy
- GENERAL
Privacy policies are mechanisms used to establish the responsibilities and limits for system administrators and users in providing privacy in university information resources. The University has the right to examine information on information resources which are under the control or custody of the University. The general right to privacy is extended to the electronic environment to the extent possible. However, there should be no expectation of privacy beyond that which is expressly provided by applicable privacy laws. Privacy is limited by the Texas Public Information Act, administrative review, computer system administration, and audits.
- APPLICABILITY
This Standard Administrative Procedure applies to electronic information created, sent, received, or stored on information resources owned, leased, administered, or otherwise under the custody and control of the University.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with privacy issues. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer.
The audience is all users and administrators of university information resources.
- DEFINITIONS
3.1 Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
3.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.3 File Owner: Holder (assignee) of the computer account which controls a file; not necessarily the owner in the sense of property.
- PROCEDURES
4.1 Privacy of information shall be provided to users of university information resources consistent with obligations of Texas and Federal law and/or secure operation of university information resources.
4.2 In the normal course of their duties, system administrators may examine user activities, files, electronic mail, and printer listings to gather sufficient information to diagnose and correct problems with system software or hardware.
4.2.1 In order to protect against hardware and software failures, backups of all data stored on university information resources may be made. System administrators have the right to examine the contents of these backups to gather sufficient information to diagnose and correct problems with system software or hardware. It is the user's responsibility to find out retention policies for any data of concern.
4.2.2 The organization unit head may designate certain individuals or functional areas that may monitor user activities and/or examine data solely to determine if unauthorized access to a system or data is occurring or has occurred. If files are examined, the file owner will be informed as soon as practical, subject to delay in the case of an on-going investigation.
4.2.3 Files owned by individual users are to be considered as private, whether or not they are accessible by other users. The ability to read a file does not imply consent to read that file. Under no circumstances may a user alter a file that does not belong to him or her without prior consent of the file's owner. The ability to alter a file does not imply consent to alter that file.
4.2.4 Some individually owned files are by definition open access. Examples include Unix plan files, Web files made available through a system-wide facility and files made available on an anonymous ftp server. Any authorized user that can access these files may assume consent has been given.
4.3 If access to information is desired without the consent and/or knowledge of the file owner or if inappropriate use of Tarleton State University information resources is suspected, files may be reviewed without the consent and/or knowledge of the file owner if that review is part of the process of Rule 24.99.99.T3, Electronic Information Resource Complaints.
4.4 If criminal activity is suspected, the University Police Department or other appropriate law enforcement agency must be notified. All further access to information on university information resources must be in accordance with directives from law enforcement agencies.
4.5 Information resource owners or custodians will provide access to information requested by auditors in the performance of their jobs. Notification to file owners will be as directed by the auditors.
4.6 Other than exceptions in 4.2, 4.3, 4.4 and 4.5, access to information by someone other than the file owner requires the owner’s explicit, advance consent.
4.7 Unless otherwise provided for, individuals whose relationship with the university is terminated (e.g., student graduates; employee takes new job; visitors depart) are considered to cede ownership to the information resource custodian. Custodians should determine what information is to be retained and delete all other information.
4.8 The university collects and processes many different types of information from third parties. Much of this information is confidential and shall be protected in accordance with all applicable laws and regulations (e.g., Gramm-Leach-Bliley Act, Texas Administrative Code 202).
4.9 Individuals who have special access to information because of their position have the absolute responsibility to not take advantage of that access. If information is inadvertently gained (e.g., seeing a copy of a test or homework) that could provide personal benefit, the individual has the responsibility to notify both the owner of the data and the organizational unit head.
4.10 Users of Tarleton State University information resources shall call the Information Resources Helpdesk to report any compromise of security which could lead to divulging confidential information including, but not limited to, posting social security numbers to the internet.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.13 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Security Awareness and Training
1. GENERAL
Understanding the importance of information security, and the individual responsibilities and accountability pertaining to it, is paramount to achieving organizational security goals. This can be accomplished with a combination of general information security awareness training and targeted, product-specific training. The security awareness and training information needs to be ongoing and updated as needed. The purpose of the security training procedure is to describe the requirements to ensure each user of university information resources receives adequate training on information security issues.
2. APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all users of Tarleton State University information resources.
The intended audience is all users of information resources.
3. DEFINITIONS
Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
4. PROCEDURES
4.1 All Tarleton State University personnel who use information resources are required to comply with the procedures outlined in this SAP. A method to accomplish the requirements listed below is provided through the use of the Information Security Awareness (ISA) training module. This web-based training module is accessed via Single Sign-On (SSO). The module is one of the offerings listed in the Training section.
Requirements:
4.1.1 All new employees shall complete security awareness training prior to, or at least within 30 days of, being granted access to any Tarleton State University information resources. This shall be part of the new employee’s orientation training session.
4.1.2 All users must acknowledge they have read, understand, and will comply with university requirements regarding computer security policies and procedures.
4.1.3 All users shall acknowledge completion of university security awareness training on an annual basis.
4.2 Departments may require additional incidental training and require acknowledgement as determined by the department.
4.3 Departmental information technology personnel shall establish and maintain a process to communicate new security program information, security bulletin information, and security items of interest to departmental personnel.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.14 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Security Monitoring
1. GENERAL
Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of: user account logs, application logs, data backup and recovery logs, automated intrusion detection system logs, etc.
The purpose of the security monitoring policy is to ensure that information resource security controls are in place, are effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities.
2. APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all university managed information resources containing mission critical information, confidential information, and other information resources as may be managed by Tarleton State University.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with security monitoring. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience is all individuals that are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security.
3. DEFINITIONS
3.1 Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
3.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.3 Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the university or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the university or department.
3.5 Owner of Information Resources: an entity responsible for:
(1) a business function; and
(2) determining controls and access to information resources supporting that business function
4. PROCEDURES
4.1 Automated tools will provide real-time notification of, and appropriate response as necessary to, detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and the tools will report exceptions. These tools will be deployed to monitor:
- Internet traffic
- Electronic mail traffic
- LAN traffic, protocols, and device inventory
- Operating system security parameters
4.2 The following files shall be checked, as appropriate, for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk:
- Automated intrusion detection logs
- Firewall logs
- User account logs
- Network scanning logs
- System error logs
- Application logs
- Data backup and recovery logs
- Help desk trouble tickets
- Telephone activity – Call Detail Reports
- Network printer and fax logs
4.3 The following checks will be performed at least annually by assigned individuals:
- Password strength
- Unauthorized network devices
- Unauthorized personal web servers
- Unsecured sharing of devices
- Unauthorized modem use
4.4 Any security issues discovered will be reported to the ISO for follow-up investigation.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.15 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Server Hardening
1. GENERAL
Servers are relied upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.
The purpose of the Tarleton State University server hardening procedures is to describe the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software.
2. APPLICABILITY
This Standard Administrative Procedure (SAP) applies to all University information resources that store or process mission critical and/or confidential information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with server hardening. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The intended audience includes, but is not limited to, computing system managers and administrators who manage University information resources that store or process mission critical and/or confidential information.
3. DEFINITIONS
3.1 Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
3.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.3 Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
3.4 Mission Critical Information: information that is defined by the University or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
3.5 Security Patch: a fix to a program that eliminates a vulnerability exploited by malicious hackers.
4. PROCEDURES
4.1 Departmental information technology personnel will test security patches prior to implementation (where practical). Departmental information technology personnel are encouraged to have hardware resources available for testing security patches in the case of special applications.
4.2 System Administrators shall ensure that vendor supplied patches are routinely acquired, systematically tested, and installed promptly based on risk management decisions.
4.3 System Administrators shall remove unused software, system services, and drivers as needed.
4.4 System Administrators shall enable security features included in vendor supplied systems including, but not limited to, firewalls, virus scanning and malicious code protections, and other file protections (see SAP Malicious Code). Audit logging shall also be enabled. User privileges shall be set utilizing the least privileges concept of providing the minimum amount of access required to perform job functions. Privileges may be added as need is demonstrated by the user. The use of passwords shall be enabled in accordance with SAP Password/Authentication.
4.5 System Administrators shall disable or change the password of default accounts.
4.6 Servers, especially, shall be tested periodically by system administrators (or their designee) for known vulnerabilities.
4.7 System Administrators shall seek and implement best practices for securing their particular system platform(s).
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T1.16 (Effective 5/4/2006)
(Supplements Rule 24.99.99.T1)
Information Resources – Vendor Access
1. GENERAL
Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors may have the capability to remotely view, copy, and modify data and audit logs. They might remotely correct software and operating system problems; monitor and fine tune system performance; monitor hardware performance and errors; modify environmental systems; and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of liability, embarrassment, and loss of revenue and/or loss of trust to the university.
2. APPLICABILITY
This Standard Administrative Procedure (SAP) applies to vendor-accessible university mission critical and confidential information.
The purpose of the implementation of this SAP is to provide a set of measures that will mitigate information security risks associated with vendor access. There may also be other or additional measures that will provide appropriate mitigation of the risks. The assessment of potential risks and the application of appropriate mitigation measures are to be determined by the information resource owner or their designee. In accordance with Texas Administrative Code 202 - Information Security Standards, each department and/or resource owner may elect not to implement some or all of the risk mitigation measures provided in this SAP based on information security risk management decisions and business functions. Such risk management decisions must be documented and reported to the designated Information Security Officer (ISO).
The procedures described herein apply to all departments, administrators, and vendors who are responsible for vendor supplied information resources.
3. DEFINITIONS
3.1 Confidential Information: information that is excepted from disclosure requirements under the provisions of applicable state or federal law, e.g., the Texas Public Information Act.
3.2 Information Resources (IR): the procedures, equipment, and software that are designed, employed, operated, and maintained to collect, record, process, store, retrieve, display, and transmit information or data.
3.3 Information Security Officer (ISO): responsible for administering the information security functions within Tarleton State University and reports to the Information Resources Manager (IRM).
3.4 Mission Critical Information: information that is defined by the university or information resource owner to be essential to the continued performance of the mission of the University or department. Unavailability of such information would result in more than an inconvenience. An event causing the unavailability of mission critical information would result in consequences such as significant financial loss, institutional embarrassment, failure to comply with regulations or legal obligations, or closure of the University or department.
4. PROCEDURES
4.1 Personnel who provide vendors access to university mission critical or confidential information resources shall obtain formal acknowledgement from the vendor of their responsibility to comply with all applicable University policies, rules, standards, practices and agreements, including but not limited to: safety policies, privacy policies, security policies, auditing policies, software licensing policies, acceptable use policies, and nondisclosure as required by the providing entity.
4.2 Tarleton State University employees who are procuring the services of vendors who are given access to mission critical and/or confidential information are expected to define the following with the vendor:
4.2.1 The university information to which the vendor should have access;
4.2.2 How university information is to be protected by the vendor;
4.2.3 Acceptable methods for the return, destruction, or disposal of university information in the vendor's possession at the end of the contract;
4.2.4 That use of Tarleton State University information and information resources is only for the purpose of the business agreement; any other university information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others; and,
4.2.5 Vendors shall comply with terms of applicable non-disclosure agreements.
4.3 Tarleton State University shall provide an information resources point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with university policies.
4.4 Appropriate access authorization for each on-site vendor employee (i.e., university affiliate) shall be specified by the resource owner according to the criticality of the information resource.
4.5 Vendor personnel shall report all security incidents directly to appropriate university personnel.
4.6 The responsibilities and details of any vendor management involvement in university security incident management shall be specified in the contract.
4.7 The vendor must follow all applicable university change control processes and procedures. Regular work hours and duties shall be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate university management.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T2 (Effective 5/4/2006)
RULE: Incidental Computer Use
1. GENERAL
Incidental personal use of computing resources at Tarleton State University is an exception to the general prohibition against the use of University equipment for anything other than official state business.
2. GUIDELINES
- Incidental personal use of computing resources facilitates the user’s proficiency. Incidental Computer Use is defined as:
- occasional use for personal purposes,
- of minimal time and duration, and
- results in no additional cost to the University.
- must not interfere with assigned job responsibilities or be in violation of existing security/access rules.
- Except in circumstances where incidental personal use of Tarleton State University computer resources for outside employment/consulting has been approved, incidental personal use must not:
- result in financial gain for the user,
- be for business purposes where the business is owned by the employee or the work is done for another business.
- Personal use of University computing resources for consulting or outside employment, or which cannot be categorized as incidental, should be guided by System Regulation 33.04.01: Use of System Resources for External Employment.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources
Procedure 24.99.99.T3 (Effective 5/4/2006)
RULE: Electronic Information Resource Complaints
1. GENERAL
1.1 Tarleton State University provides a wide variety of electronic information resources for the use of faculty, students, and staff.
1.2 These resources play an essential role in the teaching, research, and service missions of the University.
1.3 Appropriate use of these resources is outlined in federal and state law and in System policy and University rules and procedures.
The following is provided so that suspected incidents of inappropriate use can be investigated.
2. REPORTING
2.1 The Chief Information Officer (CIO) of the University or his/her designee will process complaints about the use of electronic information resources. Complaints should be reported to this individual and should include the type of electronic information service that was involved, specific information as to the location of the information, and the type of violation that is suspected. The CIO or designee will acknowledge the receipt of each complaint.
2.2 After review of the complaint by the CIO or designee and others within the Department of Information Resources, the CIO or designee will make a determination as to whether there is sufficient cause to suspect a violation of System policy and University rules and procedures. If there appears to be cause, the complaint and factual data gathered by the office will be referred to appropriate University authorities for further action [student--Department of Student Life; staff--supervisor and/or department head, appropriate vice president/executive director (dependent upon level of violation); and faculty--department head, academic dean, and Provost (dependent upon level of violation)].
Appropriate University authorities will communicate the procedural disposition of the matter to the person reporting the incident within 30 working days of the initial report. Violations of System policy and University rules and procedures may result in formal disciplinary action. Suspected violations of the law will be referred to law enforcement authorities.
OFFICE OF RESPONSIBILITY: Department of Information Resources
CONTACT: Executive Director of Information Resources