Security for Information, Computing and Network Resources
Revised September 2, 2010
.030 General Policy
To establish and maintain security requirements necessary to protect University information, computing and network resources, and minimize susceptibility to attacks on K-State resources or from K-State locations against other sites.
This procedure and accompanying requirements apply to all University locations and all system users at any location, including those faculty, students and staff using privately owned computers or systems to access University information, computing and network resources.
Security requirements shall be in place for the protection of the privacy of information, protection against unauthorized modification of information, protection of systems against the denial of service, and protection of systems against unauthorized access. Users are reminded that all usage of KSU's information technology resources is subject to all University policies including the Information Technology Usage Policy found at http://www.ksu.edu/uauc/docs/usage.html
University information, computing and network resources may be accessed or used only by individuals authorized by the University. The University encourages the use of computing and network resources and respects the privacy of users. Nonetheless, the University may access information stored on the University's network of computers for the following purposes:
a. troubleshooting hardware and software problems,
b. preventing unauthorized access and system misuse,
c. retrieving University business related information, *
d. investigating reports of violation of University policy or local, state or federal law, *
e. complying with legal requests for information, *
f. rerouting or disposing of undeliverable mail,
g. addressing safety or security issues.
For items a-g, the extent of the access will be limited to what is reasonably necessary to acquire the information and/or resolve the issue.
* The system administrator will need approval from the CIO/Vice Provost for Information Technology Services or the appropriate designee to access specific mail and data for these purposes.
To the greatest extent possible in a public setting individuals' privacy should be preserved. However, there is no expectation of privacy or confidentiality for documents and messages stored on University-owned equipment.
Systems that are found to pose a threat to the integrity of the information, computing and network resources may have their access to these resources suspended by the CIO/Vice Provost for Information Technology Services or the appropriate designee. The suspension of services will continue until the problem has been remedied and the system validated by Departmental Security Officers for operation within the K-State information, computing and network resources environment. The University reserves the right to invoke emergency suspension of services without prior notification if the situation poses a serious threat to the information technology environment.
The following system requirements represent the minimum standard that must be in place in order to establish and maintain security for University information, computing and network resources.
Initial Network Hook-up:
Each system must be capable of passing a test for vulnerabilities to hacker attacks and relaying of unsolicited email prior to being attached to K-State's information, computing and network resources. System testing will be the responsibility of the Departmental/Unit or University Security Officer.
Password Policy: All passwords on any system, whether owned by K-State or by an individual, directly connected to Kansas State University network must adhere to the following standards when technically possible. This includes devices connected to the campus network with a direct wired connection, wireless, dial-in modem, remote access software (e.g., Windows Remote Desktop), use of a Virtual Private Network (VPN), and the like. This policy applies to all passwords - eID, system, user, database, application, etc. Any system that does not comply may have its network access blocked without prior notification. The password standards are maintained by the CIO/Vice Provost for Information Technology Services (VP-ITS) or designee. Exceptions must be approved by the VPIT or designee.
- Passwords must have a minimum of 7 characters.
- Passwords must contain characters from 3 of the 4 following categories:
  - Uppercase letters
  - Lowercase letters
  - Special Characters (for example: !, @, #, $, %, ^, &, *, etc. Be aware, if traveling outside the U.S., that some symbols, like the U.S. dollar sign, may not be available on international keyboards)
- Passwords cannot be the same as the K-State eID and must not be easily guessed (for example: no variants of the K-State eID, dictionary words, family names, pet names, birthdates, etc.).
- Most passwords must be changed every 180 days. Others may need to be changed more often, depending on access to secure information.
- Each new password must differ significantly from the previous one, and a password cannot be reused more often than once every two years.
- Passwords that are written down or stored electronically must not be accessible to anyone other than the owner and/or issuing authority.
- The same password used to access Kansas State University systems (for example, your eID password) must not be used for accounts or other forms of access to non-K-State systems or applications such as online shopping, banking, etc.
- Passwords must not be shared unless explicitly permitted by the issuing authority. eID passwords must not be shared under any circumstances.
- Anyone who believes their password has been compromised must immediately notify their departmental or college IT support, or the IT Help Desk, to evaluate possible risks.
- Default passwords in vendor-supplied hardware or software must be changed during initial installation or setup.
- The eID password must never be transmitted over the network in clear text (i.e., it must always be encrypted in transit). It is also strongly recommended that other types of passwords be encrypted in transit.
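As an added illustration of the password standards above (this is example code, not part of the K-State policy or any K-State tool), the following Python checker evaluates a candidate password against the length, category, eID, dictionary-word, reuse and 180-day age rules. It makes three assumptions not stated on the page: digits are the fourth character category (the policy lists only three), an eID appearing forward or reversed inside the password counts as a "variant", and a small constructed word list stands in for a real dictionary.

```python
import string
from datetime import date

# Thresholds taken from the policy text above.
MIN_LENGTH = 7
REQUIRED_CATEGORIES = 3
MAX_AGE_DAYS = 180
REUSE_WINDOW_DAYS = 2 * 365

# Constructed stand-in for a real dictionary/word list (assumption).
COMMON_WORDS = {"password", "welcome", "wildcat", "kansas", "summer"}


def category_count(password):
    """Count how many of the four character categories the password uses.
    Digits are assumed to be the fourth category; the policy names the other three."""
    checks = (
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    )
    return sum(checks)


def is_eid_variant(password, eid):
    """Assumed interpretation of 'variant': the eID, forward or reversed,
    appears anywhere in the password, ignoring case."""
    p, e = password.lower(), eid.lower()
    return bool(e) and (e in p or e[::-1] in p)


def check_password(password, eid, history=(), today=None):
    """Return a list of policy violations; an empty list means the password complies.

    history: iterable of (old_password, date_set) pairs. Plaintext is used here only
    to keep the example self-contained; a real system compares salted hashes."""
    today = today or date.today()
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if category_count(password) < REQUIRED_CATEGORIES:
        problems.append("uses fewer than 3 of the 4 character categories")
    if password.lower() == eid.lower():
        problems.append("identical to the eID")
    elif is_eid_variant(password, eid):
        problems.append("variant of the eID")
    if any(word in password.lower() for word in COMMON_WORDS):
        problems.append("contains a dictionary word")
    # Reuse rule: the same password may not come back within two years.
    for old, when in history:
        if old == password and (today - when).days < REUSE_WINDOW_DAYS:
            problems.append("reused within two years")
            break
    return problems


def password_expired(date_set, today=None):
    """True when the password is older than the 180-day change interval."""
    today = today or date.today()
    return (today - date_set).days > MAX_AGE_DAYS


if __name__ == "__main__":
    # Constructed sample inputs; the eID "jsmith" is hypothetical.
    eid = "jsmith"
    for candidate in ("jsmith", "Jsmith#2010", "wildcat", "Tr0ub4dor&3"):
        verdict = check_password(candidate, eid) or ["compliant"]
        print(f"{candidate!r}: {', '.join(verdict)}")
```

The checker reports every violated rule rather than stopping at the first one, which is what a help desk or self-service password page needs in order to tell the user exactly what to fix; the expiry check is separate because it runs on a schedule against stored metadata, not at the moment a password is chosen.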
To protect against unauthorized access to data on computers left unattended, the following precautions are required:
- Enable password protection on the screen saver for all university computers, with the exception of special-purpose computers designed for public access, such as information or registration kiosks, public computers in the library, or computer labs where locking is undesirable due to the risk of a user monopolizing a shared computer. The length of time before the password-protected screen saver comes on should be set to 20 minutes or less. For lab situations, it is recommended that computers be set to automatically log out after at most 30 minutes of idle time.
- Never leave your computer unattended and unprotected. Before leaving your computer, lock the display or log out in a manner that requires a password to gain access.
Protection from Malicious Software and Intrusions:
Malicious software, or "malware", comes in many forms - viruses, worms, Trojan horses, denial of service attacks, botnets, spyware, adware, spam relays, etc. All pose a security risk, some of which are a very serious threat to the confidentiality, integrity, or availability of K-State's information and technology resources. Appropriate precautions must be taken to protect K-State systems and information from compromise by malware. To that end, K-State may require the installation of essential security software on computers connected to the K-State campus network or accessing K-State information and technology resources. The following sections define specific requirements for antivirus, spyware/adware, personal firewalls, and e-mail. Assuring the validity of malware protection software is the responsibility of each user, the department/unit security representative, and the K-State Security Officer.
The following computers must use the university-supplied antivirus software configured in a managed mode ("managed mode" allows a server to monitor and configure the antivirus protection on the client computer and push updates to the client on demand):
- Any university-owned computer
- Student-owned computers in K-State residence halls
- Users of K-State's Virtual Private Network (VPN) or dial-up modem service
- Users of K-State's wireless or wired network if it is a university-owned computer or one that belongs to a current K-State faculty, staff, or student.
All other computers accessing the K-State campus network or information technology resources must be running active, up-to-date virus protection software. Current K-State faculty, staff, and students may run the university-supplied antivirus software on their home computers at no cost to meet this requirement.
- Antivirus software must be activated when the computer boots up and remain active at all times during its operation.
- Real-time file scanning must be enabled, so that files are scanned for malicious anomalies before they are written to the hard drive.
- The version of the antivirus software (i.e., the antivirus program or engine) must be no more than one version behind the current version offered by the vendor or the version endorsed by K-State, and must be supported by the vendor.
- Virus definition files (i.e., the database in the antivirus software that identifies known malware) must be up-to-date with the most current version available from the vendor.
- Checking for and installing updates to virus definition files and antivirus software must be automated and performed at least daily.
- Comprehensive virus scans of all local hard drives must be performed at least weekly.
- All computers connected to the campus network must run active spyware/adware protection software.
- Spyware/adware definition/detection rules must be up-to-date with the most current version available from the vendor.
- Scans of all local hard drives for spyware/adware must be performed at least weekly.
Personal Firewall Protection
- All computers using the university-supplied security software (which includes virus, spyware, intrusion, and firewall protection) must have the firewall enabled.
- Any other computer connected to the campus network must run a personal firewall. Microsoft Windows Firewall is an acceptable personal firewall.
- All campus e-mail servers must provide antivirus protection that detects and mitigates infected e-mail messages.
- Infected messages must be discarded or quarantined, not returned to the sender.
All systems connected to the campus network, and the applications and databases running on those systems, must have the latest security patches available from the respective vendors applied. Any system or application with known vulnerabilities for which a patch is not available must be protected by appropriate measures to mitigate the risk, such as placing the system behind a firewall. Kansas State University may block access to the network for systems that have not been patched.
Colleges, departments, or other K-State units may institute their own distributed computing system, as these provide valuable specialized services to users. These servers, in order to protect the University resources to which they are connected, must be kept no more than one version behind the current vendor-supported version of the operating system and application software and comply with all security requirements and standards set forth in this policy.
Campus units with qualified IT support staff may run their own security management environment with the university-supplied security software that provides virus, spyware, intrusion, and firewall protection. The unit security management system must be configured to provide reports to the central security management system to facilitate comprehensive campus-wide reporting. In the absence of qualified IT support staff, units must use the central security management services for malware protection.
Assurance of server protection is the responsibility of the Departmental Security Representative.
Enforcement of these policies and associated standards is the responsibility of the CIO/Vice Provost for Information Technology Services (VPIT) or designee. Any system that does not comply with security policies and standards, is susceptible to a known vulnerability, or is compromised may have its network access blocked immediately and without prior notification to protect the integrity of other systems and data.
Any device directly connected to the campus network (i.e., with a direct wired or wireless connection, dial-in modem, remote access software like Windows Remote Desktop, use of a Virtual Private Network (VPN), and the like) may be scanned and assessed by designated VP-ITS information technology or security staff at any time to determine compliance with security policies and standards, or detect anomalous activities, vulnerabilities, and security compromises. Firewalls must be configured to permit this remote scanning function. Scanning may only be performed to the extent necessary to detect and assess the risk.
K-State's Security Incident Response Team (SIRT) has defined procedures for restoring network access after the vulnerable or compromised system has been repaired (see /infotech/security/SIRT/Procedures/compromise.html). The Chief IT Security Officer will determine whether the repair will require the computer to be reformatted and the operating system and all software and data re-installed, depending on the nature of the compromise.
Security Personnel Responsibilities:
University IT Security Officer: The University employee who leads the IT security program to protect K-State's information, computing, and network resources. Responsibilities include assisting with university-wide IT security policies, controls and procedures; developing and maintaining security architecture, standards, and guidelines; monitoring compliance with IT security policies and standards; risk assessment; coordinating responses to security incidents; communication with organizations outside the University; chairing the Security Incident Response Team; and promoting training and awareness of the secure use of information, computing and network resources.
IT Security Analyst: Technical personnel in central information technology units assigned with responsibility for the secure operation of information, computing and network security at the enterprise level. Responsibilities include monitoring the state of information, computing and network security; detection and remediation of security incidents, implementation of preventative measures, configuration and management of security technology (for example, firewalls and intrusion detection systems), and communication of alerts and remedies to departmental/unit security representatives.
Security Incident Response Team (SIRT): A team with representatives from each academic college and major administrative unit that provides advisory, proactive, and reactive support for K-State's IT security program. Responsibilities include coordinating the campus-wide response to major security incidents; coordinating implementation of preventative measures in their colleges/units; communicating threats and best practices to their colleges/units; approving requests for restoring network access to vulnerable or compromised computers; participating in the development of IT security policies, standards, guidelines, and procedures; and assisting with IT security training and awareness efforts. SIRT duties should constitute no more than 30% of an individual's job responsibilities.
Departmental Security Representatives: The primary point of contact for departments for IT security matters. The departmental security representative serves as a liaison between SIRT and the department by assisting with communication, facilitating implementation of preventative measures in the department, and coordinating the response to security incidents involving technology or data within the department.
Deans and Department Heads: Responsibilities include authorizing access to computer systems in their units, ensuring that System Users understand and agree to comply with University and unit security policies, and ensuring that the technical and procedural means and resources are in place to assist in maintaining the security policies and procedures outlined above.
System Users: Responsibilities include agreeing to and complying with all applicable University and unit security policies and procedures; taking appropriate precautions to prevent unauthorized use of their accounts, software programs, and computers; protecting university data from unauthorized access, alteration, or destruction; representing themselves truthfully in all forms of electronic communication; and respecting the privacy of electronic communication.
Questions regarding this policy should be sent to the Chief Information Officer at firstname.lastname@example.org.