PURPOSE:
The purpose of this policy is to establish administrative direction, procedural requirements, and technical guidance to ensure the appropriate protection of Idaho College of Osteopathic Medicine (ICOM) information handled by computer networks.
SCOPE:
This policy applies to all who access ICOM computer networks. Throughout this policy, the word “user” will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by or administered by ICOM or its partners.
POLICY:
All information traveling over ICOM computer networks that has not been specifically identified as the property of other parties will be treated as though it is an ICOM asset. It is the policy of ICOM to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of ICOM to protect information belonging to third parties that have been entrusted to ICOM in a manner consistent with its sensitivity in accordance with the ICOM Data Security Policy.
RESPONSIBLE OFFICIALS:
All Faculty, Staff, and Students
The Director of Information Technology and/or Information Security Authority is responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security policies, standards, guidelines, and procedures. While responsibility for information systems security on a day-to-day basis is every employee’s duty, specific guidance, direction, and authority for information systems security is centralized for all of ICOM in the Information Technology department. This department will perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment. The Director of Facilities (person in charge of physical security and individual safety) is responsible for coordinating investigations into any alleged computer or network security compromises, incidents, or problems, with the Director of Information Technology and Information Security Authority. All compromises or potential compromises must be immediately reported to the Information Technology department.
The Director of Information Technology or Information Security Authority is responsible for contacting the Director of Facilities. System administrators are responsible for acting as local information systems security coordinators. IT responsible for establishing appropriate user privileges, monitoring access control logs, and performing similar security actions for the systems they administer. They also are responsible for reporting all suspicious computer and network-
security-related activities to the Director of Facilities. System administrators also implement the requirements of this and other information systems security policies, standards, guidelines, and procedures. In the event that a system is managed or owned by an external party, the Systems Analyst performs the activities of the system administrator.
Directors and Deans are responsible for ensuring that appropriate computer and communication system security measures are observed in their areas. Besides allocating sufficient resources and staff time to meet the requirements of these policies, departmental Chairs are responsible for ensuring that all employee users are aware of ICOM policies related to computer and communication system security.
The Assistant Dean for Student Services is responsible for ensuring that appropriate computer and communication system security measures are observed by students. The Dean is responsible for ensuring that all student users are aware of ICOM policies related to computer and communication system security.
Users are responsible for complying with this and all other ICOM policies defining computer and network security measures. Users also are responsible for bringing all known information security vulnerabilities and violations that they notice to the attention of the Information Technology department.
PROCEDURES:
ICOM shall identify an IT Security Authority to monitor and report data security risks to the administration, address any data security breaches as required by law and ICOM, and to serve as a resource to the College for data security and regulatory requirements.
SYSTEM ACCESS CONTROL:
End-User Passwords:
ICOM has an obligation to effectively protect the intellectual property and personal and financial information entrusted to it by students, employees, partners and others. Using passwords that are difficult to guess and change periodically is a key step toward effectively fulfilling that obligation.
For more information about password procedures, refer to the ICOM Password Policy
SYSTEM PRIVILEDGES:
Limiting System Access:
The computer and communications system privileges of all users, systems, and independently- operating programs such as agents, must be restricted based on the need to know. This means that privileges must not be extended unless a legitimate academic/business-oriented need for such privileges exists.
Users with personally-owned computers are responsible for administering a screen saver program securing access to their machine’s hard disk drive, and setting passwords for all
applications and systems software that provide the capability of connecting to ICOM resources.
ICOM computer and communications systems must restrict access to the computers that users can reach over ICOM networks. These restrictions can be implemented through routers, gateways, firewalls, wireless access points, and other network components. These restrictions must be used, for example, to control the ability of a user to log on to a certain computer then move from that computer to another.
Process for Granting System Privileges:
Requests for new user IDs and changed privileges must be in writing and approved by the user’s manager and the Director of Information Technology/IT Security Authority before a system administrator fulfills these requests. Documents reflecting these requests must be retained for a period of at least one year.
Individuals who are not ICOM employees, students, or partners may not be granted a user ID or be given privileges to use ICOM computers or networks unless the written approval of a current employee has been obtained and the employee agrees to full responsibility for all activities carried out by the individual(s) she or he is sponsoring.
Special privileges, such as the default ability to write to the files of other users, must be restricted to those responsible for systems administration or systems security. An exception to this policy may be made if there is a justified business/academic need and permission has been acquired. Configuration changes, operating system changes, and related activities that require system privileges must be performed by system administrators.
Third-party vendors must not be given Internet or remote privileges to ICOM computers or networks unless the system administrator determines that they have a legitimate business/academic need. These privileges must be enabled only for the time-period required to accomplish the approved tasks, such as remote maintenance. If a perpetual or long-term connection is required, then the connection must be established by approved user authentication methods.
All users wishing to use ICOM internal networks or multi-user systems that are connected to ICOM internal networks signify their agreement to comply with all applicable policies by their logon to the network.
Process for Revoking System Privileges:
If a computer or communication system access control subsystem is not functioning properly, it should default to denial of privileges to users. If access control subsystems are malfunctioning, the systems should remain unavailable until such time as the problem has been rectified.
Users must not test or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the Director of Information Technology. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise
security measures may be unlawful, and will be considered serious violations of ICOM policy. Customer/student requests that ICOM security mechanisms be compromised must not be satisfied unless the Director of Information Technology approves in advance or ICOM is compelled to comply by law. Short-cuts bypassing systems security measures, pranks, and practical jokes involving the compromise of systems security measures are absolutely prohibited.
The privileges granted to users, based on their role within the organization, should be reevaluated by administration annually. In response to feedback from executives, department chairs, the Human Resources department, or the Director of Information Technology, system administrators must promptly revoke all privileges no longer needed by users.
Department chairs/Directors must report all significant changes in employee duties or employment status promptly to the Information Technology department. For all terminations, the Human Resources department must issue a notice of status change to the Information Technology department.
ESTABLISHMENT OF ACCESS PATHS:
Changes to ICOM internal networks include loading new software, changing network addresses, reconfiguring routers, and adding remote lines. With the exception of emergency situations, all changes to ICOM computer networks must be approved in advance by the Director of Information Technology except as delegated. Emergency changes to networks must be made by persons who are authorized by Information Technology. This process prevents unexpected changes from leading to denial of service, unauthorized disclosure of information, and other problems. This process applies not only to employees, but also to vendor personnel. Employees must not establish local area networks, FTP servers, web servers, modem connections to existing local area networks, illegal Peer-to-Peer sharing or other multi-user systems for communicating information without the specific approval of the Director of Information Technology. New types of real-time connections between two or more in-house computer systems must not be established unless such approval is obtained.
Participation in external networks as a provider of services that external parties rely on is prohibited unless ICOM legal counsel has identified the legal risks involved and the Director of Information Technology has expressly accepted these and other risks associated with the proposal.
Acquisition of technology services or relying on an external party for network or computing services is prohibited unless ICOM legal counsel has identified the legal risks involved, the Director of Information Technology has expressly accepted these and other risks associated with the proposal, and the service provider meets the security and technology requirements identified by the Information Technology department.
All ICOM computers that connect to an internal or external network must employ password- based access controls. See ICOM Password Policy
Multi-user systems should employ software that restricts access to the files of each user when appropriate, logs the activities of each user when appropriate, and has special privileges
granted to a system administrator. Single-user systems should employ access control software approved by the Information Technology department that includes boot control and an automatic screen blanker that is invoked after a certain period of no input activity. Portable computers and home/personally-owned computers that contain ICOM information are also covered by this policy, as are network devices such as firewalls, gateways, routers, and bridges.
Remote maintenance ports for ICOM computer and communication systems must be disabled until the time they are needed by the vendor. These ports must be disabled immediately after use. Portable devices (smartphones, tablet computers, etc.) using WiFi or commercial data networks should not be used for data transmissions containing confidential personal information unless the connection is encrypted. Such links may be used for electronic communications as long as users understand that confidential personal information must not be transmitted using this technology.
COMPUTER VIRUSES, MALWARE, AND TROJAN HORSES:
Users are responsible for damage occurring because of viruses on computer systems under their control. As soon as a virus is detected, the involved user must immediately call the Information Technology department to assure that no further infection takes place and that any experts needed to eradicate the virus are promptly engaged.
ICOM computers and networks must not run software that comes from sources other than business/academic partners, knowledgeable and trusted user groups, well-known systems security authorities, computer or network vendors, or commercial software vendors. Software downloaded from electronic bulletin boards, shareware, public domain software, and other software from untrusted sources must not be used unless it has been subjected to a testing regimen approved by the Director of Information Technology.
PRIVACY:
Unless contractual agreements dictate otherwise, messages sent over ICOM computer and communications systems are the property of ICOM. Administration reserves the right to examine all data stored in or transmitted by these systems.
When providing computer-networking services, ICOM does not provide default message protection services such as encryption. No responsibility is assumed for the disclosure of information sent over ICOM networks, and no assurances are made about the privacy of information handled by ICOM internal networks. In those instances where session encryption or other special controls are required, it is the user’s responsibility to ensure that adequate security precautions have been taken. Nothing in this paragraph must be construed to imply that ICOM policy does not support the controls dictated by agreements with third parties, such as organizations that have entrusted ICOM with confidential information.
HANDLING NETWORK SECURITY INFORMATION:
From time to time, the Director of Information Technology and/or Information Security Authority will designate individuals to audit compliance with this and other computer and network security policies. At the same time, every user must promptly report any suspected
network security problem, including intrusions and out-of-compliance situations, to the Director of Information Technology or his/her designee.
Provided that no intent to damage ICOM systems existed, if users report a computer virus infestation immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action should be taken.
All network or systems software malfunctions must be reported immediately to the Information Technology department or the involved external service provider.
Information about security measures for ICOM computer and communication systems is confidential and must not be released to people who are not authorized users of the involved systems unless the permission of the Director of Information Technology has been obtained. For example, publishing system access information in directories is prohibited.
POLICY VIOLATIONS:
Employees who violate this policy are subject to disciplinary action, up to and including
termination.
PRIMARY POLICY OWNER:
Chief Information Officer
APPROVAL: