Security for Information, Computing and Network Resources

Chapter 3430
Revised/Reviewed September 2, 2010; July 26, 2019; April 17, 2020; August 24, 2022

Table of Contents

.010 Purpose
.020 Scope
.030 General Policy
.040 Consequences for Noncompliance to Requirements
.050 Requirements for Information, Computing and Network Security
.060 Questions

.010 Purpose

To establish and maintain security requirements necessary to protect University information, computing and network resources, and minimize susceptibility to attacks on K-State resources or from K-State locations against other sites.

.020 Scope

This procedure and accompanying requirements apply to all University locations and all system users at any location, including those faculty, students and staff using privately owned computers or systems to access University information, computing and network resources.

Security requirements shall be in place for the protection of the privacy of information, protection against unauthorized modification of information, protection of systems against the denial of service, and protection of systems against unauthorized access. Users are reminded that all usage of K-State's information technology resources is subject to all University policies including the Information Technology Usage Policy.

.030 General Policy

University information, computing, and network resources may be accessed or used only by individuals authorized by the University. The University encourages the use of computing and network resources and respects the privacy of users. Nonetheless, the University may access information stored on the University's network of computers for the following purposes:

For items 1-7 below, the extent of the access will be limited to what is reasonably necessary to acquire the information and/or resolve the issue.

  1. Troubleshooting hardware and software problems.
  2. Preventing unauthorized access and system misuse.
  3. Retrieving University business-related information.*
  4. Investigating reports of violation of University policy or local, state or federal law.*
  5. Complying with legal requests for information.*
  6. Rerouting or disposing of undeliverable mail.
  7. Addressing safety or security issues.

* The system administrator will need approval from the Chief Information Officer (CIO) or the appropriate designee to access specific mail and data for these purposes.

To the greatest extent possible in a public setting, individuals' privacy should be preserved. However, there is no expectation of privacy or confidentiality for documents and messages stored on University-owned equipment.

.040 Consequences for Noncompliance to Requirements

Systems that are found to pose a threat to the integrity of the information, computing and network resources may have their access to these resources suspended by the CIO or the appropriate designee. The suspension of services will continue until the problem has been remedied and the system validated by Departmental Security Officers for operation within the K-State information, computing and network resources environment. The University reserves the right to invoke emergency suspension of services without prior notification if the situation poses a serious threat to the information technology environment.

.050 Requirements for Information, Computing and Network Security

The following system requirements represent the minimum standard that must be in place in order to establish and maintain security for University information, computing, and network resources.

  1. Initial Network Hook-up

    Each system must be capable of passing a test for vulnerabilities to hacker attacks and relaying of unsolicited email prior to being attached to K-State's information, computing, and network resources. System testing will be the responsibility of the Departmental/Unit or Chief Information Security Officer (CISO).

  2. Password Specification

    Password Policy: All passwords on any system, whether owned by K-State or by an individual, directly connected to K-State's network must adhere to the following standards when technically possible. This includes devices connected to the campus network with a direct-wired connection, wireless, remote access software (e.g., Windows Remote Desktop), use of a Virtual Private Network (VPN), and the like. This policy applies to all passwords - eID, system, user, database, application, etc. Any system that does not comply may have its network access blocked without prior notification. The password standards are maintained by the CIO or designee. Exceptions must be approved by the CIO or designee.

  3. Unattended Computers

    To protect against unauthorized access to data on computers left unattended, the following precautions are required:

    1. Enable password protection on the screen saver for all university computers with the exception of special-purpose computers designed for public access, such as information or registration kiosks, public computers in the library, or computer labs where locking is undesirable due to the risk of a user monopolizing a shared computer. The length of time before the password-protected screen saver comes on should be set to 20 minutes or less. For lab situations, it is recommended that computers be set to automatically log out after at most 30 minutes of idle time.
    2. Never leave your computer unattended and unprotected. Before leaving your computer, lock the display or log out in a manner that requires a password to gain access.

  4. Protection from Malicious Software and Intrusions

    Malicious software, or malware, comes in many forms - viruses, worms, Trojan horses, denial of service attacks, botnets, spyware, adware, spam relays, etc. All pose a security risk, some of which are a very serious threat to the confidentiality, integrity, or availability of K-State's information and technology resources. Appropriate precautions must be taken to protect K-State systems and information from compromise by malware. To that end, K-State may require the installation of essential security software on computers connected to the K-State campus network or accessing K-State information and technology resources. The following sections define specific requirements for antivirus, spyware/adware, personal firewalls, and email. Assuring the validity of malware protection software is the responsibility of each user, the department/unit security representative, and the CISO.

  5. Virus Protection

    1. Computers listed below must use the university-supplied antivirus software configured in a managed mode (managed mode allows a server to monitor and configure the antivirus protection on the client computer and push updates to the client on demand). If there is a documented performance issue associated with the use of the university-supplied antivirus software, users will need to have an antivirus program on the computer that provides the same security as listed in items 3-8 of this section. If a University-owned or managed computer is compromised and is not running an antivirus program, the computer will remain blocked until the system is rebuilt and an antivirus program is installed.
      1. Any university-owned computer.
      2. Users of K-State's wireless or wired network, if the computer is university-owned.
    2. All other computers accessing the K-State campus network or information technology resources must be running active, up-to-date virus protection software.
    3. Antivirus software must be activated when the computer boots up and remain active at all times during its operation.
    4. Real-time file scanning must be enabled where files are scanned for malicious anomalies before they are written to the hard drive.
    5. The version of the antivirus software (e.g., the antivirus program or engine) must be no more than one version behind the current version offered by the vendor or the version endorsed by K-State, and must be supported by the vendor.
    6. Virus definition files (e.g., the database in the antivirus software that identifies known malware) must be up-to-date with the most current version available from the vendor.
    7. Checking for and installing updates to virus definition files and antivirus software must be automated and performed at least daily.
    8. Comprehensive virus scans of all local hard drives must be performed at least weekly.

  6. Spyware/Adware Protection

    1. All computers connected to the campus network must run active spyware/adware protection software.
    2. Spyware/adware definition/detection rules must be up-to-date with the most current version available from the vendor.
    3. Scans of all local hard drives for spyware/adware must be performed at least weekly.

  7. Personal Firewall Protection

    1. All computers using the university-supplied security software (which includes virus, spyware, intrusion, and firewall protection) must have the firewall enabled.
    2. Any other computer connected to the campus network must run a personal firewall. Microsoft Windows Firewall is an acceptable personal firewall.

  8. Email Protection

    1. All campus email servers must provide antivirus protection that detects and mitigates infected email messages.
    2. Infected messages must be discarded or quarantined, not returned to the sender.

  9. Security Patches

    All systems connected to the campus network, and the applications and databases running on those systems, must have the latest security patches available from the respective vendors applied. For any system or application with known vulnerabilities for which a patch is not available, appropriate measures must be taken to mitigate the risk, such as placing the system behind a firewall. K-State may block access to the network for systems that have not been patched.

  10. College/Departmental Systems

    Colleges, departments, or other K-State units may institute their own distributed computing system, as these provide valuable specialized services to users. These servers, in order to protect the University resources to which they are connected, must be kept no more than one version behind the current vendor-supported version of the operating system and application software and comply with all security requirements and standards set forth in this policy.

    Campus units with qualified IT support staff may run their own security management environment with the university-supplied security software that provides virus, spyware, intrusion, and firewall protection. The unit security management system must be configured to provide reports to the central security management system to facilitate comprehensive campus-wide reporting. In the absence of qualified IT support staff, units must use the central security management services for malware protection.

    Assurance of server protection is the responsibility of the Departmental Security Representative.

  11. Enforcement

    Enforcement of these policies and associated standards is the responsibility of the CIO or designee. Any system that does not comply with security policies and standards, is susceptible to a known vulnerability, or is compromised may have its network access blocked immediately and without prior notification to protect the integrity of other systems and data.

    Any device directly connected to the campus network (e.g., with a direct wired or wireless connection, remote access software like Windows Remote Desktop, use of a Virtual Private Network (VPN), and the like) may be scanned and assessed by designated CIO information technology or security staff at any time to determine compliance with security policies and standards, or detect anomalous activities, vulnerabilities, and security compromises. Firewalls must be configured to permit this remote scanning function. Scanning may only be performed to the extent necessary to detect and assess the risk.

    K-State's Security Incident Response Team (SIRT) has defined procedures for restoring network access after the vulnerable or compromised system has been repaired. The CISO will determine whether the repair will require the computer to be reformatted and the operating system and all software and data re-installed, depending on the nature of the compromise.

  12. Security Personnel Responsibilities

    Chief Information Security Officer
    The University employee who leads the IT security program to protect K-State's information, computing, and network resources. Responsibilities include assisting with university-wide IT security policies, controls and procedures; developing and maintaining security architecture, standards, and guidelines; monitoring compliance with IT security policies and standards; risk assessment; coordinating responses to security incidents; communication with organizations outside the University; chairing the Security Incident Response Team (SIRT); and promoting training and awareness of the secure use of information, computing and network resources.
    IT Security Analyst
    Technical personnel in central information technology units assigned with responsibility for the secure operation of information, computing and network security at the enterprise level. Responsibilities include monitoring the state of information, computing and network security; detection and remediation of security incidents, implementation of preventative measures, configuration and management of security technology (e.g., firewalls and intrusion detection systems), and communication of alerts and remedies to departmental/unit security representatives.
    Security Incident Response Team (SIRT)
    A team with representatives from each academic college and major administrative unit that provides advisory, proactive, and reactive support for K-State's IT security program. Responsibilities include coordinating the campus-wide response to major security incidents; coordinating implementation of preventative measures in their colleges/units; communicating threats and best practices to their colleges/units; approving requests for restoring network access to vulnerable or compromised computers; participating in the development of IT security policies, standards, guidelines, and procedures; and assisting with IT security training and awareness efforts. SIRT duties should constitute no more than 30% of an individual's job responsibilities.
    Departmental Security Representatives
    The primary point of contact for departments for IT security matters. The departmental security representative serves as a liaison between SIRT and the department by assisting with communication, facilitating implementation of preventative measures in the department, and coordinating the response to security incidents involving technology or data within the department.
    Deans and Department Heads
    Responsibilities include authorizing access to computer systems in their units, ensuring that System Users understand and agree to comply with University and unit security policies, and ensuring that the technical and procedural means and resources are in place to assist in maintaining the security policies and procedures outlined above.
    System Users
    Responsibilities include agreeing to and complying with all applicable University and unit security policies and procedures; taking appropriate precautions to prevent unauthorized use of their accounts, software programs, and computers; protecting university data from unauthorized access, alteration, or destruction; representing themselves truthfully in all forms of electronic communication; and respecting the privacy of electronic communication.

.060 Questions

Questions regarding this policy should be sent to the Vice President for Information Technology and Chief Information Officer (CIO).