PURPOSE:
The purpose of this policy is to establish administrative direction, procedural requirements, and technical guidance to ensure the appropriate protection of Idaho College of Osteopathic Medicine (ICOM) information handled by computer networks.
SCOPE:
This policy applies to all who access ICOM computer networks. Throughout this policy, the word “user” will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by or administered by ICOM or its partners.
DEFINITIONS:
• Data Steward: Data stewards are college officials having direct operational-level responsibility for information management - usually department directors. Data stewards are responsible for data access, user roles & responsibilities, and policy implementation. Procedures for performing data validation should be developed and implemented by data stewards in responsible departments.
• Data Custodian: Information Technology (IT) is the data custodian. The custodian is responsible for providing system access and a secure infrastructure in support of the data, including, but not limited to, providing physical security, backup, and recovery processes, granting access privileges to system users as authorized by data Owners or their designees (usually the data stewards), and implementing and administering controls over the information.
POLICY:
All information traveling over ICOM computer networks that has not been specifically identified
as the property of other parties will be treated as though it is an ICOM asset. It is the policy of
ICOM to prohibit unauthorized access, disclosure, duplication, modification, diversion,
destruction, loss, misuse, or theft of this information. In addition, it is the policy of ICOM to
protect information belonging to third parties that have been entrusted to ICOM in a manner
consistent with its sensitivity in accordance with the ICOM Data Security Policy.
SYSTEM ACCESS CONTROL:
End-User Passwords:
ICOM has an obligation to effectively protect the intellectual property and personal and financial information entrusted to it by students, employees, partners and others. Using passwords that are difficult to guess and change periodically is a key step toward effectively fulfilling that obligation.
For more information about password procedures, refer to the ICOM Password Policy
SYSTEM PRIVILEDGES:
Limiting System Access:
The computer and communications system privileges of all users, systems, and independently
operating programs such as agents, must be restricted based on the need to know. This
means that privileges must not be extended unless a legitimate academic/business-oriented
need for such privileges exists.
Users with personally owned computers are responsible for administering a screen saver
program, providing appropriate malware/virus protection, securing access to their machine’s
hard disk drive, and setting passwords for all applications and systems software that provide
the capability of connecting to ICOM resources.
ICOM computer and communications systems must restrict access to the computers that
users can reach over ICOM networks. These restrictions can be implemented through routers,
gateways, firewalls, wireless access points, and other network components. These restrictions
must be used, for example, to control the ability of a user to log on to a certain computer then
move from that computer to another.
Granting System Privileges:
Requests for new user IDs and changed access privileges must be in writing and evaluated &
approved by the user’s supervisor and the Chief Information Officer or Information Security
Authority before a Data Custodian fulfills these requests.
Individuals who are not ICOM employees, students, or partners may not be granted a user ID or
be given privileges to use ICOM computers or networks unless the written approval of a current
employee has been obtained and the employee agrees to full responsibility for all activities
carried out by the individual(s) she or he is sponsoring.
Special privileges, such as the default ability to write to the files of other users, must be restricted
to those responsible for systems administration or systems security. An exception to this policy
may be made if there is a justified business/academic need and permission has been acquired.
Configuration changes, operating system changes, and related activities that require system
privileges must be performed by system administrators.
Third-party vendors must not be given Internet or remote privileges to ICOM computers or
networks unless the system administrator determines that they have a legitimate
business/academic need. These privileges must be enabled only for the time-period required to
accomplish the approved tasks, such as remote maintenance. If a perpetual or long-term
connection is required, then the connection must be established by approved user authentication
methods.
All users wishing to use ICOM internal networks or multi-user systems that are connected to
ICOM internal networks signify their agreement to comply with all applicable policies by their
logon to the network.
Revoking System Privileges:
If a computer or communication system access control subsystem is not functioning properly, it
should default to denial of privileges to users. If access control subsystems are malfunctioning,
the systems should remain unavailable until such time as the problem has been rectified.
Users must not test or attempt to compromise computer or communication system security
measures unless specifically approved in advance and in writing by the Chief Information Officer.
Incidents involving unapproved system hacking, password guessing, file decryption, bootleg
software copying, or similar unauthorized attempts to compromise security measures may be
unlawful and will be considered serious violations of ICOM policy. Customer/student requests
that ICOM security mechanisms be compromised must not be satisfied unless the Chief
Information Officer approves in advance or ICOM is compelled to comply by law. Short-cuts
bypassing systems security measures, pranks, and practical jokes involving the compromise of
systems security measures are absolutely prohibited.
The privileges granted to users, based on their role within the organization, should be reevaluated
by administration annually. In response to feedback from executives, department chairs, the
Human Resources department, or the Chief Information Officer, system administrators must
promptly revoke all privileges no longer needed by users.
Department chairs/Directors must report all significant changes in employee duties or
employment status promptly to the Information Technology department. For all terminations, the
Human Resources department must issue a notice of status change to the Information
Technology department.
ESTABLISHMENT OF ACCESS PATHS:
Changes to ICOM internal networks include loading new software, changing network addresses,
reconfiguring routers, and adding remote lines. With the exception of emergency situations, all
changes to ICOM computer networks must be approved in advance by the Chief Information
Officer except as delegated. Emergency changes to networks must be made by persons who are
authorized by Information Technology. This process prevents unexpected changes from leading to
denial of service, unauthorized disclosure of information, and other problems. This process
applies not only to employees, but also to vendor personnel.
Employees must not establish local area networks, FTP servers, web servers, modem connections
to existing local area networks, illegal Peer-to-Peer sharing or other multi-user systems for
communicating information without the specific approval of the Chief Information Officer. New
types of real-time connections between two or more in-house computer systems must not be
established unless such approval is obtained.
Participation in external networks as a provider of services that external parties rely on is
prohibited unless ICOM legal counsel has identified the legal risks involved and the Chief
Information Officer has expressly accepted these and other risks associated with the proposal.
Acquisition of technology services or relying on an external party for network or computing
services is prohibited unless ICOM legal counsel has identified the legal risks involved, the Chief
Information Officer has expressly accepted these and other risks associated with the proposal, and the service provider meets the security and technology requirements identified by the
Information Technology department.
All ICOM computers that connect to an internal or external network must employ password-
based access controls. See ICOM Password Policy
Multi-user systems should employ software that restricts access to the files of each user when
appropriate, logs the activities of each user when appropriate, and has special privileges granted
to a system administrator. Single-user systems should employ access control software approved
by the Information Technology department that includes an automatic screen blanker that is invoked after a certain period of no input activity. Portable computers and home/personally-owned computers that contain ICOM information are also covered by this policy, as are network devices such as firewalls, gateways, routers, and bridges.
Remote maintenance ports for ICOM computer and communication systems must be disabled
until the time they are needed by the vendor. These ports must be disabled immediately after
use. Portable devices (smartphones, tablet computers, etc.) using WiFi or commercial data
networks should not be used for data transmissions containing confidential personal information
unless the connection is encrypted. Such links may be used for electronic communications as long
as users understand that confidential personal information must not be transmitted using this
technology.
COMPUTER VIRUSES, MALWARE, AND TROJAN HORSES:
Users are responsible for damage occurring because of viruses on computer systems under their
control. As soon as a virus is detected, the involved user must immediately call the Information
Technology department to assure that no further infection takes place and that any experts
needed to eradicate the virus are promptly engaged.
ICOM computers and networks must not run software that comes from sources other than
business/academic partners, knowledgeable and trusted user groups, well-known systems
security authorities, computer or network vendors, or commercial software vendors. Software
downloaded from electronic bulletin boards, shareware, public domain software, and other
software from untrusted sources must not be used unless it has been subjected to a testing
regimen approved by the Chief Information Officer.
PRIVACY:
Unless contractual agreements dictate otherwise, messages sent over ICOM computer and
communications systems are the property of ICOM. Administration reserves the right to examine
all data stored in or transmitted by these systems.
When providing computer-networking services, ICOM does not provide default message
protection services such as encryption. No responsibility is assumed for the disclosure of
information sent over ICOM networks, and no assurances are made about the privacy of
information handled by ICOM internal networks. In those instances where session encryption or
other special controls are required, it is the user’s responsibility to ensure that adequate security
precautions have been taken. Nothing in this paragraph must be construed to imply that ICOM policy does not support the controls dictated by agreements with third parties, such as
organizations that have entrusted ICOM with confidential information.
HANDLING NETWORK SECURITY INFORMATION:
From time to time, the Chief Information Officer and/or Information Security Authority will
designate individuals to audit compliance with this and other computer and network security
policies. At the same time, every user must promptly report any suspected network security
problem, including intrusions and out-of-compliance situations, to the Chief Information Officer
or his/her designee.
Provided that no intent to damage ICOM systems existed, if users report a computer virus
infestation immediately after it is noticed, even if their negligence was a contributing factor, no
disciplinary action should be taken.
All network or systems software malfunctions must be reported immediately to the Information
Technology department or the involved external service provider.
Information about security measures for ICOM computer and communication systems is
confidential and must not be released to people who are not authorized users of the involved
systems unless the permission of the Chief Information Officer has been obtained. For example,
publishing system access information in directories is prohibited.
RESPONSIBLE OFFICIALS:
All Faculty, Staff, and Students
The Chief Information Officer and/or Information Security Authority is responsible for
establishing, maintaining, implementing, administering, and interpreting organization-wide
information systems security policies, standards, guidelines, and procedures. While responsibility
for information systems security on a day-to-day basis is every employee’s duty, specific
guidance, direction, and authority for information systems security is centralized for all of ICOM in
the Information Technology department. This department will perform information systems risk
assessments, prepare information systems security action plans, evaluate information security
products, and perform other activities necessary to ensure a secure information systems
environment. The Director of Campus Security (person in charge of physical security and
individual safety) is responsible for coordinating investigations into any alleged computer or
network security compromises, incidents, or problems, with the Chief Information Officer and
Information Security Authority. All compromises or potential compromises must be immediately
reported to the Information Technology department.
The Chief Information Officer or Information Security Authority is responsible for contacting the
Director of Campus Security in the case of a system compromise or network security event. Data
Stewards are responsible for acting as local information systems security coordinators. Data
Stewards, with the assistance of Data Custodians, are also responsible for establishing
appropriate user privileges, monitoring access control logs, and performing similar security
actions for the systems they administer. They also are responsible for reporting all suspicious
computer and network-security-related activities to the Chief Information Officer. Data Stewards
also implement the requirements of this and other information systems security policies,
standards, guidelines, and procedures.
Directors and Deans are responsible for ensuring that appropriate computer and communication
system security measures are observed in their areas. Besides allocating sufficient resources and
staff time to meet the requirements of these policies, departmental Chairs are responsible for
ensuring that all employee users are aware of ICOM policies related to computer and
communication system security.
The Associate/Assistant Dean for Student Services is responsible for ensuring that appropriate
computer and communication system security measures are observed by students. The
Dean/CAO is responsible for ensuring that all student users are aware of ICOM policies related to
computer and communication system security.
Users are responsible for complying with this and all other ICOM policies defining computer and
network security measures. Users also are responsible for bringing all known information security
vulnerabilities and violations that they notice to the attention of the Information Technology
department.
PRIMARY POLICY OWNER:
Chief Information Officer/Information Security Authority
APPROVAL:
Effective: 8/23/21
Last Reviewed: 1/25/24
Review Requirement: Annual