Security Guidelines and Procedures

Introduction

Colorado State University-Pueblo collects information of a sensitive nature to facilitate and enable its business functions. Unauthorized access to such information may have many severe negative consequences, including adversely affecting the reputation of the University. Protection of such personally identifiable information from unauthorized access is required by various federal and state mandates, including among others the Health Insurance Portability and Accountability Act (HIPAA), the Graham-Leach-Bliley (GLB) Act, and the Family Educational Rights to Privacy Act (FERPA), which require various classes of sensitive information to be protected from unauthorized access. The campus' Chief Information Officer is responsible for oversight of the following IT security measures, policies, and procedures.

Definitions

Application is a computer software program run on a computer for the purposes of providing a business function.

Computer server systems (Servers) are computers accessed by multiple individuals and/or computers. 

Local Area Network (LAN) is an internal network within an institution, e.g. at Colorado State University-Pueblo. 

Personal computers are comprised of desktop, laptop, tablet, personal digital assistants and other such devices of all brands, used principally by one individual at a time. 

Sensitive information includes social security information, personally identifiable health information, personally identifiable financial information, personnel and student performance information, proprietary research and academic information, and any other information that through disclosure would adversely affect the integrity of an individual or detract from the reputation of the University. 

Virtual Private Network (VPN) is a mechanism for encrypting the information sent from an individual computer to a VPN concentrator that typically exists in a "secure" network location. Alternatively, VPNs may be implemented between subnetworks (subnets) to encrypt all of the traffic flowing between the subnets, in other words from LAN to WAN to LAN. 

Wide Area Network (WAN) is an external network that provides connectivity between two LANs. 

Other Resources


The Information Technology Services (ITS) web page (see http://www.colostate-pueblo.edu/its/) provides a variety of information regarding IT security that is useful in the implementation of these policies. Two particularly valuable resources that exist as clickable links on that page are the Server Policy, the IT Security Guidelines and Procedures. The various user policies identify the security risks and measures required by all campus constituents that use the campus IT resources. 

Applicability


These policies encompass best practices that are in general to be applied comprehensively in the University's IT environment. However, common sense judgment is used in their application regarding the balance between security and reasonable access. 

IT Security Policies


1. Servers 
Servers that contain sensitive information in aggregate form, for example that encompassing many individuals, are subject to the policies of this section. Personal computers are covered by the policies in the next section. ITS is responsible for all servers in the Central Computer Center and for oversight of any decentralized server that resides on the campus. ITS is responsible for ensuring that servers containing sensitive information are secured in accordance with these policies. Such servers shall be protected as follows:

  1. Such servers shall be housed in a physically secure facility where access is limited to only those individuals requiring access to perform routine or emergency maintenance on the system.
  2. To the degree practicable, only operating systems and applications that provide high levels of security shall be used, and security updates (patches) shall be applied in a timely manner.
  3. Campus virus protection shall be implemented and kept up to date. In particular, where practicable, server side virus protection should be implemented, to complement client-side virus protection programs.
  4. Services and applications offered shall be the minimum necessary to accomplish the required business functions. Periodically, services and applications shall be reviewed to be in conformance with this aspect of the policy.
  5. Network access shall be limited to only those services necessary. Periodically, network access shall be reviewed to be in conformance with this aspect of the policy.
  6. Individual access shall be limited to only those needing access for legitimate business purposes. Individual access shall be reviewed to be in conformance with this aspect of the policy on an ongoing basis.
  7. The amount of sensitive information collected and stored shall be the minimum amount required for the efficient and effective conduct of business.
  8. Sensitive data will be isolated from open access; for example, on a separate back-end database server accessible only from a front-end web server that has been diligently protected.
  9. To the degree practicable, only secure connections and file transfers shall be allowed.
  10. Server files shall be backed up on a regular schedule, and off-site storage of back-ups in a secure location shall be performed on a regular schedule.
  11. To the degree practicable, network access to such servers shall be secure, for example encrypted, especially when access is from external (non-CSU) networks.
  12. To prevent the inadvertent release of sensitive information stored on hard drives, all drives must be sanitized prior to removal from service or release to other agencies. The University has determined that one pass of rewriting the drive is adequate protection. 

2. Personal Computers 
Personal computers as defined above shall be protected in accordance with a balance between the risks of not protecting them, the cost (effort and expense) of protecting them, and the required functionality. ITS and the departments owning the personal computers are responsible for ensuring that personal computers containing sensitive information are secured in accordance with these policies. In general, personal computers are subject to the following policies: 

  1. Only operating systems and applications that provide high levels of security shall be used, and security updates (patches) shall be applied in a timely manner.
  2. Campus virus protection shall be implemented and kept up to date.
  3. Services and applications offered shall be the minimum necessary to accomplish the desired business or instructional functions.
  4. Network access shall be limited to only those services necessary, and to only those requiring access for legitimate business purposes.
  5. To prevent the inadvertent release of sensitive information stored on hard drives, all drives must be sanitized prior to release to other agencies or disposal. The University has determined that one pass of rewriting the drive is adequate protection. 

3. Passwords
Strong passwords that are difficult for others to obtain shall be employed as permitted by the operating system and/or application. Prudent measures are to be used to ensure that strong passwords are employed by the user. This is especially so for administrative accounts, and password refresh on every account is required by the system every three months. 

An example of a rule set for passwords that is currently accepted as effective in preventing unauthorized access is: 

  1. Avoid using words in either English or foreign language dictionaries.
  2. Passwords shall be at least six characters in length, and
  3. Passwords shall conform to the three following conditions:
    1. Contain one or more upper case characters
    2. Contain one or more lower case characters
    3. Contain one or more numerals (0, 1, 2… 9). 

Other rule sets that are generally recognized by experts to protect unauthorized access are also permissible. 

4. Files and File Storage
 In general, users are responsible for their own files, including the information contained in those files and ensuring that files containing critical data are backed up and/or stored in multiple locations. Sensitive data in individual's files should be kept to a minimum, and reasonable and prudent protection of those files shall be implemented by the server/system administrator. It is the responsibility of the owner of files containing sensitive data that are transmitted via the network to ensure that the files are reasonably protected against unauthorized access. 

5. Personally-owned Computers 
Personally-owned computers that use University IT resources, including access to University networks, servers and/or other IT resources, and/or that contain sensitive University information are subject to the same policies as those computers owned and operated by the University. 

6. Wireless Networks 
Access to wireless networks shall not be via clear text, but instead all transmissions shall be encrypted so as not to be accessed or easily decoded by others. The administrator of the wireless access point is responsible for reasonably ensuring that unauthorized access to traffic will not be possible, for example through the implementation of encryption methods that are judged to be robust relative to the current state of the art. Unauthorized wireless access points shall not be installed on the University's LAN. 

7. Primary Identifiers 
Social security numbers (SSNs) shall not be used as the primary numeric identifier for individuals. The personal identification (PID) number shall be used for access to all forms of individual information, both electronic and non-electronic, including identification cards. 

8. Communications Rooms
Communications rooms housing telephone networks, data networks, servers, security systems including surveillance, alarm and card access systems, and other similar electronic devices and systems shall be physically secure, and access shall be limited only to those personnel directly responsible for operating and maintaining those systems. 

Governance of IT Security Guidelines and Procedures


The Information Technology Services department and the Chief Information Officer are responsible for these guidelines and procedures with comment from campus constituencies as well as the Administrative Computing Committee and the Instructional Technology Advisory Committee.