Penn State Harrisburg --- Audit guideline: HG–AG–AD20

1.0 Purpose


To provide the authority for members of the College’s security team[i] as authorized by the University’s Security Office to conduct a security and/or inventory scan[ii] on any system within the Penn State Harrisburg Academic or Administrative Local Area Network, in accordance with University policy AD20. This authority may be delegated to a departmental support team member upon approval by the Security Office.


All requests for such approval must originate from the Director, IIT to the School Director or their delegate in an email or memorandum addressed to IIT, or by verbal approval.  Only approved departmental personnel will be authorized to scan systems within their department.  IIT must consult with staff at security@psu.edu before commencing a security scan.

The policy here is developed for Penn State Harrisburg but the overall University Policy AD20 (Computer and Network Security) applies. 


1)    Security and/or Inventory Audits may be conducted to:

a)    Ensure integrity, confidentiality and availability of information and resources

b)    Investigate possible security incidents and ensure conformance to the Penn State Harrisburg security policies

c)    Monitor user or system activity where appropriate and when authorized by the Director of Security Operations in accordance with University Policy AD20

d)    Ensure validity of user accounts.

e)    Plan for life cycle or maintenance of hardware or software

f)    Inventory audits will only report the machine name, monitor type, keyboard and mouse model, BIOS version and date, IP address and network adapter model, printers to which the machine is connected, processor speed, hard drive space, RAM available, Windows drivers and updates installed, system unit service tag, model number, and application file names, versions, vendors and descriptions such as Acrobat.exe, Mathematica.exe, MS Paint.exe or Norton Antivirus.  Additional information such as content of data files must be obtained in coordination with Security Operations and Services and must be authorized in advance of such activity.


2.0  Scope

a)  This guideline covers all computer and network communication devices (such as projectors, card swipe locks and copiers) owned or operated by Penn State Harrisburg. This guideline also covers any computer and network communications devices that are present on the Penn State Harrisburg premises and network but which may not be owned or operated by Penn State Harrisburg, such as water or gas meters or HVAC controls.  Computers or network communications devices not owned by Penn State but using Penn State owned network resources are covered by this guideline.

b)  Users and/or support personnel must ensure that any hardware or software installed for the purpose of filtering traffic, such as a firewall appliance or personal firewall software, allows unrestricted traffic to and from all systems authorized to conduct security audits at the departmental, College and University Security Office levels. Any question as to the scope of addresses to be given unrestricted access can be directed to IIT at pshsecurity@iit.psu.edu.

3.0  Security and Proprietary Information

a.   Application files are reviewed.  Institutional data is not reviewed except as provided for in University Policy AD23.  For instance, KaZaA.exe, Word.exe or Office.exe would be found during an internal audit; mystuff.doc, personal.doc or any other data files would not.

b.   Inventory audits are conducted for the purpose of life cycle and maintenance of equipment.  Such information is never shared and is only accessible by ITS authorized contacts.

c.   Audits and scans could involve the following:

·     User level and/or system level access to any computing or communications device

·     Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on Penn State Harrisburg equipment or premises

·     Access to work areas (labs, offices, cubicles, storage areas, etc.)

·     Access to interactively monitor and log traffic on Penn State Harrisburg networks

·     Access to inventory, data files or application files on faculty, staff and classroom computers

4.0  Enforcement

a.   Anyone found violating this guideline will be subject to disciplinary action by his or her Administrative unit, the College, or the University.

b.   Security Office personnel will be asked by Penn State Harrisburg local security contacts to immediately block network access to any system found to be scanning systems in violation of this guideline. Individuals found to be in violation of local, Commonwealth or Federal regulations or laws will be referred to the University Security Office for case disposition, which may involve the Office of Human Resources or University Safety and Police Services.


5.0 Definitions

Revision History
11/25/2003, 4/29/2004, 2/04/2004, 3/6/2004, 1/20/2005

Last Updated: 27 February 2007, ryb2

OFFICIAL APPROVAL:  1-17-08 MSK5

[i] The College security team consists of an administrative, technical and security network contact and varies depending on the subnet as listed on the Pennsylvania State University Integrated Backbone Contact list.  Questions may be addressed to the Director, IIT.  The Director, IIT is the Administrative Contact for all subnets at the Capital College.

[ii] Services offered at SOS can be viewed at:  http://sos.its.psu.edu/services.html.  Services offered at IIT can be viewed at:  http://www.hbg.psu.edu/iit/mw1/compservices.htm.