To establish and maintain security requirements necessary to protect University information, computing and network resources, and minimize susceptibility to attacks on K-State resources or from K-State locations against other sites.
This procedure and accompanying requirements apply to all University locations and all system users at any location, including those faculty, students and staff using privately owned computers or systems to access University information, computing and network resources.
Security requirements shall be in place for the protection of the privacy of information, protection against unauthorized modification of information, protection of systems against the denial of service, and protection of systems against unauthorized access.
University information, computing and network resources may be accessed or used only by individuals authorized by the University. To the greatest extent possible in a public setting, individuals' privacy should be preserved. However, there is no expectation of privacy or confidentiality for documents and messages stored on University-owned equipment.
The University reserves the right to inspect or check the configuration of University information, computing and network resources for compliance with this procedure and stated requirements in the following situations:
The extent of the access will be limited to what is reasonably necessary to acquire the information.
* The system administrator will need approval from the Vice-Provost for Academic Services and Technology or the appropriate designee to access specific mail and data for these purposes.
Systems that are found to pose a threat to the integrity of the information, computing and network resources may have their access to these resources suspended with the Vice Provost for Academic Services and Technology or the appropriate designee. The suspension of services will continue until the problem has been remedied and the system validated by Departmental Security Officers for operation within the K-State information, computing and network resources environment. The University reserves the right to invoke emergency suspension of services without prior notification if the situation poses a serious threat to the information technology environment.
The following procedures represent the minimum standard system requirements that must be in place in order to establish and maintain security for University information, computing and network resources.
Each system must be capable of passing a test for vulnerabilities to hacker attacks and relaying of unsolicited email prior to being attached to K-State's information, computing and network resources. System testing will be the responsibility of the Departmental/Unit or University Security Officer.
Systems requiring passwords will specify that they must be changed twice annually, on the first of September and February. Passwords must conform to edits specified in the CNS Policy on User ID & Passwords. Systems that allow remote log-ins over the campus network should have passwords on all accounts. Checking passwords for conformance is the responsibility of the University Security Officer.
Each attached system will be required to boot up with active virus protection. The software used may be either one provided by the University, or one of the user's own choosing. In either case, the virus protection software must be no more than 1 update behind the current version and the virus definition files should be no more than 1 month old (or updated to respond to a specific virus alert). Assuring the validity of virus protection software will be the responsibility of the Departmental/Unit or University Security Officers.
Units or Departments may institute their own distributed computing system, as these provide valuable services to K-State users. These servers, in order to protect the University resources to which they are connected, must be kept no more than 1 update behind the current version of the operating system and application software. Assurance of server protection is the responsibility of the Departmental/Unit Security Officer.
The University employee responsible for protecting information, computing and network resources. Responsibilities include assisting with University-wide policies, controls and procedures; monitoring adherence to policies; coordinating responses to security incidents; and providing education on the ethical use of information, computing and network resources.
Technical personnel in central information technology units who have been assigned the additional responsibility of monitoring the state of information, computing and network security at the University level. Responsibilities include detection of problems, exchange of information about hazards and incidents with organizations outside the University, and communication of alerts and remedies to departmental/unit security representatives.
The key technical personnel in colleges, departments and university support units. Their responsibilities include supporting and maintaining security for computing, networking or database resources for their respective units.
Responsibilities will include authorizing access to computer systems in their units, ensuring that System Users understand and agree to comply with University and unit security policies, and ensuring that the technical and procedural means are in place to assist in maintaining the security procedures outlined above.
Responsibilities include agreeing to and complying with all applicable University and unit security policies and procedures; taking reasonable precautions, including personal password protection, maintenance and file protection measures, to prevent unauthorized use of their accounts, programs or data; representing themselves truthfully in all forms of electronic communication; respecting the privacy of electronic communication; and respecting the physical hardware and network configuration of University-owned networks.