Penn State Harrisburg --- Acceptable
Computer Use guideline: HG–local guideline–AD20
1.0 Purpose
The purpose of this guideline is to
outline the acceptable use of computer equipment for Penn State
Harrisburg. Inappropriate computer use exposes everyone to risks
including virus attacks, compromise of network systems and services, and
possible litigation. College computing systems are for business purposes in
serving the administrative, academic and research activities of the College,
University, faculty, staff and students. Effective security is a team
effort involving the participation and support of every Penn State Harrisburg
employee and affiliate who deals with information and/or information systems.
It is the responsibility of every computer user to know these guidelines and
conduct their activities accordingly. It is the responsibility of the
Director, IIT to ensure that computer users are educated in acceptable computer
use and security plans.
This guideline is developed for Penn State Harrisburg, but the overall
University Policy AD20 (Computer and Network Security) also applies.
2.0 Scope
This guideline applies to faculty, staff, students, contractors,
consultants, temporaries, and other workers at Penn State Harrisburg,
including all personnel affiliated with third parties. It applies
to all equipment that is connected to the Penn State Harrisburg network.
3.1 General Use and Ownership
1. The College recommends that any information that users
consider sensitive or vulnerable be encrypted. In the absence of
encryption, a security plan is required for the transmission of sensitive
electronic information. The Chief Privacy Officer, SOS and IIT must all
be consulted in the development of this plan. Affected users will be
educated on the plan.
2. For security and network maintenance purposes, individuals
in IIT authorized by the Senior Associate Dean and recognized by Security
Operations and Services within Penn State Harrisburg may remotely access
equipment, systems and network traffic.
3. Penn State Harrisburg reserves the right to audit networks
and systems on a periodic basis to ensure compliance with this guideline and
University policies. See the Audit Guidelines for more information.
4. All employees using Penn State owned computer systems are
required to establish an IIT Local Area Network account. Authority for
this requirement is the Internal Audit documentation of 2004/2005 page six and
University policy AD20 which states “Deans and
Administrative Officers are responsible for: Authorizing access to computer
systems, including the purpose of the account and issuance of passwords, or
designating in writing the individual(s) who will exercise this responsibility
for the various systems and networks within the College or
administrative unit. Ensuring mechanisms are in place to obtain
acknowledgment from System Users that they understand, and agree to comply with
University and College/Unit security policies. Such acknowledgment must
be written unless an exception is approved in accordance with the Exceptions
and Exemptions section of this guideline.”
5. Applicable forms are available at IIT's office, East Olmsted
room 302 or on IIT's web page.
3.1.1 Exceptions and Exemptions
1. Exceptions to or exemptions from any provision of this
guideline must be approved by the Senior Associate Dean for Academic Affairs in
consultation with the Director, Instructional and Information Technologies, or
designee; the designee will normally be one of the contacts of the Director,
Security Operations and Services (SOS) at Information Technology Services.
Those contacts are listed at: ITS Contacts. Similarly, any
questions about the contents of this guideline, or its applicability
to a particular situation, should be referred to the Instructional and
Information Technologies Director. If an issue also bears
on AD20, the local level cannot grant an
exception to any AD20 provision; the issue must be referred to SOS.
The IIT Director will act as liaison to SOS.
3.2 Security and Proprietary Information
1. Information contained on Internet/Intranet/Extranet-related systems
should be classified as either confidential or not confidential, as defined by
University confidentiality guidelines, details of which can be found in Human
Resources policies, the Registrar, and policy AD11. Examples of
confidential information include, but are not limited to: University private
information, University strategies, competitor-sensitive information, trade
secrets, specifications, student lists, and research data. Employees should
take all necessary steps to prevent unauthorized access to this information.
2. Keep passwords secure and do not share accounts. Do not use
your Access or Local Area Network account to log on to a Penn State Harrisburg
computer for another user. System users are responsible for the security
of their passwords and accounts. Refer to the Penn State Harrisburg Password
guideline for specific information.
3. All PCs, laptops and workstations should be secured with
passwords for all accounts in compliance with Penn State Harrisburg's
Password guideline. Use additional settings as deemed necessary to prevent
unauthorized access to resources and data that reside either locally or
remotely.
4. PCs should be locked when not in use.
5. All PCs, laptops and workstations that have security logging
capabilities must have basic OS level auditing (the event log) turned on to
facilitate tracking of user accounts in the event of a security breach or other
unauthorized access.
6. Use only the machine that your supervisor has assigned to you. Only the
System User assigned to a PC may log on to that PC. System
Administrators performing technical service duties or computer and network
security incident response authorized by the SOS Director may log on to any
machine.
7. Because information contained on portable computers is especially
vulnerable, special care should be exercised.
8. While it is currently not required, postings by employees from a Penn State
Harrisburg email address to newsgroups should contain a disclaimer stating that
the opinions expressed are strictly their own and not necessarily those of Penn
State Harrisburg or the University, unless the posting is in the course of
business duties.
9. All hosts used by the employee that are connected to the Penn State
Harrisburg Internet/Intranet/Extranet, whether owned by the employee or by Penn
State Harrisburg, should be continually executing approved virus-scanning
software with a current virus database.
3.3 Local Area Network accounts
1. As per the Internal Audits report of 3 June, 2005, IIT is required to comply
with University Policy AD20 and issue a formal request document for LAN
accounts. Such requests cannot be processed verbally. This LAN
account application form will be implemented no later than the middle of the
Fall 2005 semester. From that date onward all Penn State Capital College LAN
account requests will be in writing.
2. This application form will be required of all new hires at the Capital
College beginning with the first day of classes, Spring semester 2006.
3. Faculty and staff do not automatically receive Local Area Network Accounts.
Come to E-302 and fill out an application, see your staff or administrative
assistant, or print and fill out the online application.
4. Forgotten passwords can be reset at E-302 Olmsted. Passwords are reset to a
predefined generic password. Visit or call E-302 to obtain this generic
password. Once reset to the generic password, the account will force an
immediate change to a secure password.
5. Every
administrative network machine will log onto the Local Area Network domain –
for example PSH or CAPTL.
a. Beginning with the next version of Windows, code named
“Vista” (formerly “Longhorn”), System Administrators will have administrative
access to administrative machines logging onto the Local Area Network domain.
b. System users will have access to install software (power
user access). If Windows requires administrative access, a System
Administrator can remotely log on to the machine to provide such access
temporarily.
c. Administrator accounts are required by AD20 to be kept at a
minimum. So, two or three system administrators with root/admin would be
OK. 40 would not. (We do have incidents that involve sys admins and we
want those at the minimum level absolutely necessary to keep things up and
running).
d. Administrator accounts for local machines on a domain will
be created in a consistent manner to ensure that the user logs into the domain.
6. Wireless Users
a. Currently no method exists for IIT to remotely push out
virus or OS updates and track inventory via the Administrative Local Area
Network Domain. Updating such machines is currently the users'
responsibility.
b. When such a method of management exists, all wireless users
will be required to log in to the Administrative Local Area Network domain.
3.4 Administrative Information Services (AIS) accounts
1. As per the Internal Audits report of 3 June, 2005, IIT is, effective
immediately, to set such accounts to expire at the end of the semester.
2. Employees
having accounts on the AIS CA-ACF2 database and campus network systems have
been reviewed with the Manager, Network and Information Systems, IIT, and the
Capital College ASR.
3. As
a general rule, the Access and Security Representative (ASR), upon notification
from the IIT authorized security personnel or AIS, should ensure that AIS
mainframe computer access rights are suspended or deleted from the CA-ACF2
databases when a user's employment status changes.
4. The
ASR should periodically obtain and review a current list of Harrisburg Campus
employees having accounts on the AIS CA-ACF2 database or any of the Campus
network systems. Such review may be conducted with IIT authorized
security personnel.
5. IIT may, at its discretion, conduct such account reviews more frequently
than once a semester depending on personnel appointment status.
6. Areas
having computers that access the AIS mainframe via the data backbone must
comply with AIS Security Office specifications.
a. AIS Security Officer will “certify” IP addresses.
These IP addresses are entered into a filter that “front ends” the
mainframe. As per the internal audit of 3 June, 2005, IIT is required to
file the current configuration of the network with AIS security office.
b. Subnets that are no longer needed will be removed from the Contact List,
and their IP addresses will be removed from the AIS filter by the AIS Security
Office.
c. The College will submit incorrect subnet locations to TNS
for change.
d. IIT Management
will conduct periodic reviews.
7. IIT Management is responsible for ensuring that IIT authorized security
personnel obtain an understanding of the AIS document titled “Specifications for
Networks Connected to the Administrative Information Services through the
High-Speed Data Backbone”, as per requirements of Internal Audits 3 June 2005.
8. Employees must use extreme caution when opening unsolicited e-mail
attachments, which may contain viruses, e-mail bombs, or Trojan horse code.
Employees at Penn State Harrisburg sometimes use Instant Messenger or P2P; both
of these are also frequent vectors for attack, as are embedded hypertext links
that go to sites hosting malware. Do not open unexpected attachments, do not
click on links in email or IM messages that you were not expecting, and do not
download and execute files from unknown or untrusted sites.
9. All systems connected to Penn State Harrisburg's network infrastructure may
only use IP addresses assigned by the College or its delegates. Any department
providing IP addresses via DHCP must employ a mechanism to ensure either that
only the intended host receives the IP address, or that assignments are
authenticated and logged so that the user of that IP address during a given
period of time can be determined in the event of a security incident.
10. To maintain
proper data encryption, all systems storing or utilizing sensitive
administrative data, and using a wireless connection must also utilize a
College approved VPN (virtual private network).
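Item 9 above requires that the holder of a DHCP-assigned address during a given period be determinable after the fact. The following script, added here as an example and not part of this guideline or of IIT's tooling, shows the check an incident responder would run against a DHCP server log: it rebuilds lease intervals from DHCPACK and DHCPRELEASE lines and answers which MAC address (and reported hostname) held a given IP at a given time. It assumes ISC dhcpd syslog formatting, a constructed five-line log sample, an assumed default lease lifetime of one hour (the server's configured value should be used in practice), and the year 2005 for the year-less syslog timestamps.

```python
"""Attribute a DHCP-assigned IP address to a client at a point in time.

Added example, not part of the Penn State Harrisburg guideline or IIT tooling.
Assumes ISC dhcpd syslog lines; the lease lifetime and the year are parameters
because syslog timestamps carry no year and the log does not state the lease
length.
"""
import re
from datetime import datetime, timedelta

# Constructed sample log (not real data): a lab PC takes .40, renews it,
# releases it, and a different, unnamed client then takes the same address.
SAMPLE_LOG = """\
Oct  3 08:01:12 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 (lab-pc-01) via eth0
Oct  3 08:31:20 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to 00:11:22:33:44:55 (lab-pc-01) via eth0
Oct  3 09:15:44 dhcp1 dhcpd: DHCPACK on 10.20.30.41 to 00:11:22:33:44:66 (visitor-laptop) via eth0
Oct  3 09:20:07 dhcp1 dhcpd: DHCPRELEASE of 10.20.30.40 from 00:11:22:33:44:55 (lab-pc-01) via eth0
Oct  3 09:25:31 dhcp1 dhcpd: DHCPACK on 10.20.30.40 to aa:bb:cc:dd:ee:ff via eth0
"""

_TS = r"(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d)"
_MAC = r"(?P<mac>(?:[0-9a-f]{2}:){5}[0-9a-f]{2})"
ACK_RE = re.compile(_TS + r" \S+ dhcpd(?:\[\d+\])?: DHCPACK on (?P<ip>\S+) to " + _MAC
                    + r"(?: \((?P<host>[^)]*)\))? via ")
REL_RE = re.compile(_TS + r" \S+ dhcpd(?:\[\d+\])?: DHCPRELEASE of (?P<ip>\S+) from " + _MAC)


def parse_ts(ts, year):
    """Turn a year-less syslog timestamp into a datetime; the year is assumed."""
    return datetime.strptime(f"{year} {' '.join(ts.split())}", "%Y %b %d %H:%M:%S")


def build_leases(log_text, year, lease_seconds=3600):
    """Rebuild [start, end) lease intervals per IP from the log, in log order.

    A DHCPACK starts a lease, or extends it when the same client renews an
    unexpired one; a DHCPACK to a different client or a DHCPRELEASE ends the
    previous lease early. With no further ACKs a lease is assumed to expire
    after lease_seconds (assumed default; use the server's configured value).
    """
    leases = []   # each: {"ip", "mac", "host", "start", "end"}
    active = {}   # ip -> index in leases of the lease currently open for it
    ttl = timedelta(seconds=lease_seconds)
    for line in log_text.splitlines():
        m = ACK_RE.match(line)
        if m:
            t, ip, mac = parse_ts(m["ts"], year), m["ip"], m["mac"]
            idx = active.get(ip)
            if idx is not None and leases[idx]["mac"] == mac and t < leases[idx]["end"]:
                leases[idx]["end"] = t + ttl        # renewal: extend the same lease
                continue
            if idx is not None:                      # address reassigned (or re-acquired after expiry)
                leases[idx]["end"] = min(leases[idx]["end"], t)
            leases.append({"ip": ip, "mac": mac, "host": m["host"] or "",
                           "start": t, "end": t + ttl})
            active[ip] = len(leases) - 1
            continue
        m = REL_RE.match(line)
        if m:
            t, ip = parse_ts(m["ts"], year), m["ip"]
            idx = active.get(ip)
            if idx is not None and leases[idx]["mac"] == m["mac"]:
                leases[idx]["end"] = min(leases[idx]["end"], t)
                del active[ip]
    return leases


def who_had(leases, ip, when):
    """Return the lease(s) covering ip at datetime `when` (empty if none on record)."""
    return [l for l in leases if l["ip"] == ip and l["start"] <= when < l["end"]]


def who_had_at(leases, ip, when_ts, year):
    """Same as who_had, taking the timestamp in syslog form ("Oct  3 09:30:00")."""
    return who_had(leases, ip, parse_ts(when_ts, year))


if __name__ == "__main__":
    leases = build_leases(SAMPLE_LOG, 2005)
    for stamp in ("Oct  3 08:45:00", "Oct  3 09:22:00", "Oct  3 09:30:00", "Oct  3 11:00:00"):
        hits = who_had_at(leases, "10.20.30.40", stamp, 2005)
        print(stamp, "->", [(l["mac"], l["host"]) for l in hits] or "no lease on record")
```

The answer is only as good as the log: a DHCPACK that falls before the retained log window, or a lifetime that differs from the server's configured lease time, shows up as "no lease on record" rather than as a wrong attribution, so the real lease length from the server configuration should be passed as lease_seconds. The MAC address it returns still has to be tied to a person through the authentication records item 9 calls for, and a client-supplied hostname is untrusted data.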
3.5 Access Accounts
1. Access Accounts are needed for Internet access, PASS, ANGEL, email, and
software downloads.
2. Faculty and staff do not automatically receive Access
Accounts. Come to E-302 and fill out an application or see your staff or
administrative assistant.
3. Forgotten passwords can be reset at the helpdesk in the
Olmsted basement or at E-302 Olmsted. Passwords are reset to the
original. If you forget the original password you will not be able to
log in; visit a signature station to obtain the original password.
4. Passwords are not permitted to be given over the phone.
3.6 Short Term Access Accounts (STAA)
Short term access accounts are
provided for students, faculty or staff visiting
Penn State to access Network Resources to take or teach a class. It is
the responsibility of the sponsoring department to keep their own STAA pool of
accounts. Examples of STAA usage:
· Continuing
Education “kids college”
· Library
classes
· Outreach
students taking a certificate course
· Visiting
faculty or corporate entities participating in a conference
1. STAA
are not to be used as a substitute for a forgotten
access account password. In this case visit or call the IIT
helpdesk and have the password reset.
2. STAA
accounts are NOT permitted to be given out in advance of the event. If
the event has large numbers of students, then the STAA system will allow
multiple STAA administrators to issue accounts at the event. Sponsors
should plan time for the issuance of STAA accounts.
3. STAA
are to be used for a duration of 45 days or less.
4. STAA
will be billed to budget authorized by the departmental budget administrator.
5. Generally
only SLIM STAA will be provided. SLIM STAA access account is activated
immediately. No signature station visit is required or needed.
Users will be required to change their passwords immediately. The
difference between SLIM and FULL STAA can be found here: http://aset.its.psu.edu/accounts/staa.html.
6. If
a student forgets their password only an STAA administrator can log back in and
see the password.
7. Requests for FULL short term access accounts should be discussed with an IT
manager; see http://aset.its.psu.edu/accounts/cost.html for details. One
week's advance notice is required.
8. A
paper “AD20 Agreement” will be completed and signed by the applicant.
9. Call
IIT for more details.
3.7. Unacceptable Use
The following activities are prohibited. Employees may be exempted from these
restrictions in the course of their legitimate job responsibilities (e.g.,
systems administration staff may need to disable the network access of a host
that is disrupting production services); however, such an exemption must be
approved by the School Director or Administrative Head of the Department. If
the restriction in question is also reflected in AD20, the local level cannot
approve such an exemption.
3.8 System and Network Activities:
Under no circumstances is an employee of Penn State Harrisburg authorized
to engage in any activity that is illegal under local, state, federal or
international law, or that violates any provision of AD20, while utilizing Penn
State Harrisburg-owned resources. The following are examples.
1. Violations of the rights of any person or entity protected by copyright,
trade secret, patent or other intellectual property, or similar laws or
regulations, including, but not limited to, the installation or distribution of
"pirated" or other software products that are not appropriately
licensed for use by Penn State Harrisburg.
2. Unauthorized copying of copyrighted material including, but not limited to,
digitization and distribution of photographs from magazines, books or other
copyrighted sources, copyrighted music, and the installation of any copyrighted
software for which Penn State Harrisburg or the end user does not have an
active license is strictly prohibited.
3. It
is illegal to export software, technical information, encryption software or
technology, in violation of international or regional export control laws. The
appropriate College security officer should be consulted prior to export of any
material that is in question. Call IIT for names of authorized
security contacts.
4. Introduction
of malicious programs into the network or server (e.g., viruses, worms, Trojan
horses, e-mail bombs, etc.).
5. Revealing
your account password to others or allowing use of your account by others. This
includes family and other household members when work is being done at home.
6. Using
a Penn State Harrisburg computing asset to engage in procuring or transmitting
material that is in violation of sexual harassment or hostile workplace laws in
the user's local jurisdiction.
7. Making
fraudulent offers of products, items, or services originating from any Penn
State Harrisburg account. Or, offers of products, items, or services for
personal profit from any Penn State Harrisburg account.
8. Making statements about warranty, expressly or implied, unless it is a part
of normal job duties.
9. Effecting security breaches or disruptions of network communication.
Security breaches include, but are not limited to, accessing data of which the
employee is not an intended recipient or logging into a server or account that
the employee is not expressly authorized to access. The only exception to this
is when access is part of a security analysis performed by an authorized
individual within the College or University. For purposes of this section,
"disruption" includes, but is not limited to, network sniffing, ping floods,
packet spoofing, denial of service, and forged routing information.
10. Port
scanning or security scanning. Any such activity cannot be authorized by
any College level personnel. Explicit permission must be obtained from
SOS. Such approval will be obtained by the College Network Security
contacts in IIT. Call IIT for names of authorized security
contacts.
11. Executing any form of network monitoring which intercepts data not intended
for the employee's host. It is not part of any employee's normal job duties to
monitor the intellectual content of network transmissions, and routine
monitoring would violate both AD20 and AD53. The only exceptions permitted by
AD20 are monitoring undertaken to diagnose a network problem or to respond to a
security incident, and in the latter case only when coordinated with SOS.
12. Accessing a
wired network with a non-university owned machine.
13. Circumventing
user authentication or security of any host, network or account.
14. Interfering with, or unsanctioned denial of service to, any user or host
other than the employee's own host (for example, a denial of service attack).
15. Using any
program/script/command, or sending messages of any kind, with the intent to
interfere with, or disable, a user's terminal session, via any means, locally
or via the Internet/Intranet/Extranet.
16. Providing
information about, or lists of, the Penn State Harrisburg employees to parties
outside the University.
17. Unauthorized
changes to classroom computer wiring or software. This includes
unplugging of equipment.
3.9 Email and Communications
Activities:
1. Sending
unsolicited email messages, including the sending of "junk mail" or
other advertising material to individuals who did not specifically request such
material (email spam).
2. Any
form of harassment via email, telephone or paging, whether through content,
language, frequency, or size of messages.
3. Unauthorized
use, or forging, of email header information.
4. Solicitation of email for any email address other than that of the poster's
account, with the intent to harass or to collect replies.
5. Creating
or forwarding "chain letters" or "pyramid" schemes of any
type.
6. Use of unsolicited email originating from within Penn State Harrisburg's
networks or other Internet/Intranet/Extranet service providers on behalf of, or
to advertise, any service hosted by Penn State Harrisburg or connected via
Penn State Harrisburg's network.
7. Posting identical or similar non-business-related messages to large numbers
of Usenet newsgroups (newsgroup spam).
4.0 New Computer equipment
4.01 With the
goal of standardizing computer Operating Systems (OS) and hardware and in order
to improve the efficiency and support service IIT provides to the Penn State
Harrisburg communities, guidelines will be
implemented for NEW computer systems owned by Penn State.
· IIT will provide
technical support to users of NEW computers that were purchased from vendors
who are listed on the http://www.computerstore.psu.edu
Preferred Provider list.
· This guideline is
aimed at those departments who may be contemplating the imminent purchase of
new systems ONLY. Additionally, the operating system (OS) for all NEW
equipment must be Windows XP Professional or its successor (Windows 98, Windows
ME or Linux are not supported Operating Systems under this guideline).
Again this guideline is for NEW systems not existing systems that are the
property of Penn State's Capital College.
· Users and Departments
may, of course, elect to order any non-supported OS or any hardware that is not
part of the MOC's Preferred Provider list, however, service and support
arrangements will be the sole responsibility of those users and departments.
· These guidelines have
been approved, in principle, by the Information Systems and Technology
Committee, and the Academic Council. As a service, IIT will provide
assistance in selecting systems that meet the above guidelines and to answer questions
users may have.
5.0 Hardware/Software Installation & Repairs for
Faculty/Staff PCs
· The Computer Center can assist faculty and staff with the installation or
repair of hardware or software on their office PCs. This service is provided
only for hardware and software that is purchased and owned by Penn State. No
personal software will be loaded onto the College's PCs by Computer Center
staff. An expanded list of vendors who provide local service for non-Penn State
computers is here. If you would like the Computer Center to install or repair
hardware or software, contact the staff assistant so that a work order can be
issued. Please refer to IIT's guidelines when purchasing NEW computer
equipment. In addition, the faculty or staff member making the request must
provide the Computer Center staff member (who is loading the software) with an
original set of disks, a blank set of disks for making a working copy (which
will be returned), and an original set of documentation. Faculty and staff must
also provide a copy of the College's purchase form for the software or a signed
letter from the software author permitting the faculty or staff member to use
the software on their office PC.
5.0.1
Hardware/Software Purchases via the Computer Store
· Penn State faculty, staff, administration, and students receive discounts on
PC hardware and software purchases from a variety of vendors. The discount
program is coordinated by the Computerstore at University Park. Price lists,
product information, and ordering instructions may be obtained from the staff
assistant in the Penn State-Capital Computer Center and from the computerstore
home page. If you need further information or have any questions about this
discount program, you may contact the Computer Center or MOC. (MOC may be
contacted by phone: 800-252-9281 for calls within PA or 814-865-2100, or by
electronic mail.)
5.0.2 Hardware/Software Trouble-shooting for Student PCs
· The
Helpdesk at U.P. can be contacted to assist students with hardware/software
problems on PCs. Please send email to helpdesk@psu.edu
or call them at 888-778-4010 or 814-863-1035.
6.0 Enforcement
Any employee found to have violated
this guideline may be subject to disciplinary action by their Administrative
unit, the College, or the University and/or billing on a time and materials
basis to the department that used the resource. All sanctions identified
in University Policy AD20 may also apply, up to expulsion for students and
termination for employees plus civil or legal action.
Definitions
ASR - Access Security Representative
ADMINISTRATIVE NETWORK - The network of employee machines at
Penn State Harrisburg
DOMAIN - A group of computers and devices on a network that are administered as
a unit with common rules and procedures (courtesy of Webopedia). In this
guideline the term refers to the Windows Local Area Network domain (for example
PSH or CAPTL) that administrative machines log onto; it is distinct from an
Internet (DNS) domain name and from an IP subnet.
HOME DEPARTMENT– the School or
department with which the staff or faculty member is associated
IDS - Intrusion Detection System
IIT - Instructional and Information
Technologies, Capital College
MACHINE - a computer