Introduction to the Capital College AD20 Guidelines
These Penn State Harrisburg Guidelines supplement the computing policies
of Penn State University. The policy here is developed for Penn State
Harrisburg but the overall University Policy AD20 (Computer and Network
Security) applies.
These guidelines are intended to create a more controlled environment
for the conduct of the College’s teaching and research missions. They
should not affect the ability of faculty and staff to perform critical
communications and computing activities. For more information about the
University’s computing policies, see
ITS Policies and Guidelines and Laws.
- Networking and computing security are of paramount
concern for the Penn State Harrisburg community because open networking
environments are subject to compromise, theft of service and intellectual
property espionage.
- IIT will recommend hardware and software for the
College in consultation with System Users. IIT will support equipment that it recommends.
- AD20 mandates that “Deans and Administrative Officers –
are responsible for: Developing and implementing additional security
policies specific to their Colleges or administrative units in
coordination with the Security Operations and Services Director, and in
consonance with this policy.” Such policies are designed “to guide
System Administrators within the Colleges and administrative units in the
formulation of detailed security procedures…” These local guidelines
establish the policies and practices applicable to Penn State Harrisburg.
- In Finding 1 (Internal security documentation), dated 3 June 2005, the Penn State Auditing Department
reminded the Penn State Harrisburg administration that System
Administrators are responsible for “Preparing and maintaining security
procedures that implement University and College/Unit security policies in
their local environment and that address such details as access control,
backup and disaster recovery mechanisms and continuous operation in case
of power outages.”[i]
- Control of these local guidelines is vested with the
Chancellor and Senior Associate Dean for Academic Affairs, Capital College
of the Pennsylvania State University.
- Faculty, staff and students are required to review AD20
guidelines annually to ensure continued awareness and understanding.
- Broad consultation for these guidelines has been
conducted with the Penn State Harrisburg Academic Council, Information
Systems and Technology Committee of the College Faculty Senate, Penn State
Internal Auditing, Security Operations and Services (a division of
Information Technology Services), IIT staff and the Office of Human Resources.
- Enforcement will be a joint responsibility of IIT
staff, in coordination with other Penn State offices, Safety and Police
Services, Security Operations and Services and the Office of Human
Resources.
- The minimum acceptable and secure configuration for a
Penn State Harrisburg/Capital College computer must include:
  - Anti-spyware, antivirus ware and firewall installed in
  accordance with applicable policies and practices.
  - User-installed personal firewall, such as Zone Alarm,
  or the firewall included with Windows XP Professional Service Pack two.
  Windows XP, Unix/Linux and Mac OS/X firewall instructions are at: http://its.psu.edu/takecontrol/firewalls.php.
  - Current minimum hardware and software standards as
  published in the Frequently Asked Questions section of IIT’s web page at http://www.hbg.psu.edu/iit.
- The minimum configuration is based on the assumption
that a user logs on to the IIT local area network domain so that security
updates, antivirus ware definitions and, in future plans, spyware
definitions are automatically installed by IIT servers.
- A strong password must be used to log on to the local
area network domain. Instructions on how to create a strong password
can be found in the Password Guideline for the Local Area Network and on
IIT's Frequently Asked Questions under the Passwords section for Access
Accounts.
- The important data files on the machine are backed up
to IIT servers. IIT will provide the backup service.
- Faculty and staff will provide IIT with the location of
documents and email files on the PCs they are using so that the backup
service can be properly configured.
- IIT is not responsible for loss of data on local PCs
or peripheral devices, such as floppy disks, thumb drives or external
drives, and will support only recommended backup methods.
With the implementation of these guidelines, the College is
embracing the philosophy of security in depth.
The following is a list of Capital College communications
and computing guidelines.
· Acceptable Computer Use
· Audit
· Backup
· Password
· Remote Access
· Server Security
· Scheduling and Management of Computer-Assisted Classrooms
· Software Acquisition
· Software Use and Data Destruction
· Firewall Exceptions Guidelines
· Virtual Private Network
· Wireless Communications
· Acceptable Audio Visual Use (under review)
Disaster recovery for Administrative Computing (currently in
Phase II. Business Impact Analysis and
Risk Assessment are completed). Guideline has yet to be written.
Definitions:
IIT will service equipment that it
supports. Service for equipment not recommended by IIT is the
responsibility of the user. Some examples of support issues
include equipment purchased with non-University funds for personal use
(such as bringing in equipment from home) or equipment purchased that
IIT did not recommend. IIT encourages consultation and questions
concerning our support guidelines. IIT offers a "pink slip" of
recommended service providers for service of non-supported technologies.
Revision history: 3/6/2004, 8/1/2005, ryb2, 1/5/2006, wjm2 (written by
wjm2), 2/6/2007, ryb2 (changed title of file from Guideline36 to
Introduction). 4/12/2007 ryb2, added paragraph 2 concerning
support. 12/19/07 ryb2, added paragraph 6 as per recommendations
of the IPAS team during its 12/18/07 visit.
OFFICIAL APPROVAL: 1-17-08 MSK5