PURPOSE
The purpose of this policy is to outline the acceptable use of computer and electronic equipment within the Mont Alto campus and its facilities. Inappropriate use exposes everyone to risks including virus attacks, compromise of network systems and services, and possible litigation. Campus computing systems are for business purposes in serving the administrative, academic, and research activities of the Campus, University, faculty, staff, and students.
Effective security is a team effort involving the participation and support of every Mont Alto campus employee and affiliate who deals with information and/or information systems. It is the responsibility of each computer user to familiarize themselves with this policy and conduct their activities accordingly.
SCOPE
This policy applies to faculty, staff, students, contractors, consultants, temporaries, and other workers of the Mont Alto campus, including all personnel affiliated with third parties. This policy applies to all equipment that is connected to the Mont Alto campus network.
DEFINITIONS
Device – A computer, electronic tool or communication apparatus able to connect to a data or communication network.
Spam – Unauthorized and/or unsolicited electronic mass mailings.
Internet – A worldwide system of interconnected computer networks.
Intranet – A private network contained within an enterprise.
Extranet – A private network that uses the Internet Protocol and the public telecommunication system to securely share part of a business's information or operations with suppliers, vendors, partners, customers, or other businesses.
VPN (Virtual Private Network) – A technology that allows a user or network to connect securely over open or public communication channels. A VPN grants a remote user (e.g. working from home) secure access to local network services as if he/she were sitting in his/her office.
IP Address – A unique network address assigned to a device connected to a network.
DHCP (Dynamic Host Configuration Protocol) – A protocol used by network devices to obtain network configuration, such as an IP address, automatically.
Mont Alto Data Network – The technology infrastructure, hardware, and software installed at the campus which is used to facilitate the flow of digital information between (but not limited to) personal computers, printers, servers, the Internet, etc.
POLICY
General Use and Ownership
- Electronic equipment purchased by the University should be used to support the University’s mission of teaching, learning, research, and service.
- It is a requirement that electronic devices connecting to the campus networks be configured and operate in a manner consistent with campus and University Policies.
- To comply with University Policy, State and Federal Law, the campus must be able to trace a device's network activity to an individual user. Any device attached to the campus network must adhere to the configurations herein.
- Institutional data regardless of classification (public or private) must be used, stored, and archived according to University Policy.
- The Mont Alto campus reserves the right to audit the campus networks and systems on a periodic basis to ensure compliance with campus and University policies and for security and network maintenance purposes.
Device and Network Security
- If a device connects to the campus or University via an authenticated network connection (802.1X, wireless VPN, remote VPN), the user credentials used to "log in" to the authentication mechanism will be considered the "user of record" for all activity generated by the device.
- If the device is connected to an unauthenticated connection (i.e. a "standard" Campus Network connection):
- The device's operating system must be configured to control access to the device with a username *and* password.
- All users of the device *must* be assigned a userid and password that uniquely identifies them. Users must not share their userid and password with anyone.
- Passwords must comply with the Campus Password Policy.
- Shared, or "Group" accounts are permitted only when in compliance with group account policy as specified in University Policy AD-20.
- The ITS Department must maintain a signed End-User Computing Agreement for each campus employee and user account.
- The device must maintain a log containing at a minimum, the login date/time and userid of all users when they log in and log out of the device. This log must be maintained in a readable format for at least 12 months.
- Optionally, the device may participate in a network based Identity Management system (such as Active Directory) to support and provide the appropriate user audit logs.
- Any network device which handles "Institutional Data" (Student Records, Financial Data, Intellectual Property, HR Data, etc.) is required to comply with additional security requirements, including:
- The device *must* be configured to comply with University minimum security standards.
- The content of the device's hard disk drive *must* be encrypted.
- The device *must* be connected to the designated campus network access port on the Mont Alto data network.
- No firewall rule exceptions for inbound traffic, other than IP printing from AIS, will be allowed for the device.
- The device must not allow access to any student, guests or non-campus staff.
- The device must not have file-sharing software installed.
- The device *must* be configured and operated according to University minimum security standards and "Best Security Practices" (e.g. NIST SP 800-12).
- Where applicable, the device must have anti-virus software installed and configured to obtain automatic updates. The anti-virus software must also be enabled and active.
- Where applicable, the device must be configured to obtain OS updates automatically. It is recommended that the device also be configured to install OS updates automatically. If the device does not auto-install updates, a process must be in place to ensure that all security updates are installed within a reasonable time after release (e.g. less than 2 weeks).
- AD-20 states that any device connected to the campus network may be investigated for violations of University Policy or law, whether it is owned by the University or a private individual. During an investigation, the campus or University may search and/or seize a device regardless of ownership.
- University Policy requires users to operate a University computer with the least-privileged account required to perform their tasks. If a user believes additional system privileges are required to perform his/her employment duties, refer to campus procedure PSU-MA-IT-00Q (Computer Administrative Access Request Procedure). If an exception is granted, the user should still operate under a standard (limited) user account at all times, elevating his/her privileges only when a specific task requires it.
- The University is concerned about Intellectual Property Rights. The campus's network is maintained to support the teaching, research, and outreach missions of the campus and University. Use of Peer to Peer (P2P) file sharing software should be limited to those occasions where it supports the mission of the University. Routine network maintenance activities occasionally result in the detection of devices participating in P2P networks. Any device found participating in an unauthorized P2P network may be disconnected from the network without prior notice. Any violations of Intellectual Property Rights discovered during routine maintenance activities will be reported to ITS Security Operations and Services.
- All systems connected to the Mont Alto campus network infrastructure may only use IP addresses assigned by the campus or its delegates. Internet Protocol (IP) addresses provided via Dynamic Host Configuration Protocol (DHCP) must either be protected by a mechanism that ensures only the intended host receives the address, or be authenticated and logged so that the user of that IP address during a given period of time can be determined in the event of a security incident.
- Purchasing of electronic devices (e.g. computers, printers, A/V equipment) must be coordinated with the campus ITS staff to assure equipment is compatible with the campus infrastructure and purchased within university guidelines. Departments interested in purchasing equipment should contact the ITS staff.
- Relocating a device, other than a laptop computer, from the classroom or office to which it is assigned is prohibited without the approval of an ITS staff member.
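The attribution requirement above (the campus must be able to trace a device's network activity to an individual: the authentication credentials are the user of record on 802.1X/VPN connections, the device's own login/logout log is the record on an unauthenticated port, and DHCP assignments must let the holder of an IP address during a given period be determined) is exactly what an incident responder has to reconstruct after the fact. The following is an added example and not part of this policy or of any campus tool: it correlates three constructed log sources (a DHCP lease log, an 802.1X/VPN authentication log, and a per-device local login log) to answer "who was the user of record for this IP address at this time?". The log line format, hostnames, MAC addresses, IP addresses and userids are all invented for illustration; a real deployment would adapt the parsers to the actual DHCP server, RADIUS/VPN and host log formats.

```python
"""Resolve an IP address on the campus network to a user of record at a given time.

Constructed example data (not real campus logs). Three sources are correlated:
  DHCP_LOG  - DHCPACK events: which MAC/hostname held an IP, and for how long
  AUTH_LOG  - 802.1X / VPN sessions: credentials bound to a MAC (user of record)
  LOCAL_LOG - per-device login/logout log, required on unauthenticated ports
"""
from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Optional

DHCP_LOG = """
2009-06-05T08:00:12 DHCPACK ip=10.20.30.40 mac=00:11:22:33:44:55 host=MA-LIB-07 lease=28800
2009-06-05T09:15:40 DHCPACK ip=10.20.30.41 mac=aa:bb:cc:dd:ee:ff host=MA-VPN-CLIENT lease=3600
2009-06-05T10:45:02 DHCPACK ip=10.20.30.40 mac=66:77:88:99:aa:bb host=MA-LAB-02 lease=28800
"""
AUTH_LOG = """
2009-06-05T09:15:35 LOGIN mac=aa:bb:cc:dd:ee:ff user=abc123 method=802.1x
2009-06-05T09:50:00 LOGOUT mac=aa:bb:cc:dd:ee:ff user=abc123 method=802.1x
"""
LOCAL_LOG = """
2009-06-05T08:02:00 LOGIN host=MA-LIB-07 user=jdoe
2009-06-05T10:30:00 LOGOUT host=MA-LIB-07 user=jdoe
2009-06-05T10:46:00 LOGIN host=MA-LAB-02 user=msmith
"""


@dataclass
class Lease:
    ip: str
    mac: str
    host: str
    start: datetime
    end: datetime


@dataclass
class Session:
    key: str            # MAC for 802.1X/VPN sessions, hostname for local logins
    user: str
    start: datetime
    end: Optional[datetime]  # None: session still open at end of log


def _kv(line: str) -> dict:
    """Parse '<iso-timestamp> <EVENT> k=v k=v ...' into a dict."""
    ts, event, *pairs = line.split()
    rec = {"ts": datetime.fromisoformat(ts), "event": event}
    for pair in pairs:
        k, v = pair.split("=", 1)
        rec[k] = v
    return rec


def parse_dhcp(text: str) -> list[Lease]:
    """Each DHCPACK opens a lease of `lease` seconds for ip -> (mac, host)."""
    leases = []
    for line in text.strip().splitlines():
        r = _kv(line)
        if r["event"] == "DHCPACK":
            end = r["ts"] + timedelta(seconds=int(r["lease"]))
            leases.append(Lease(r["ip"], r["mac"], r["host"], r["ts"], end))
    return leases


def parse_sessions(text: str, key: str) -> list[Session]:
    """Pair LOGIN/LOGOUT events into sessions keyed on `key` ('mac' or 'host')."""
    open_sessions: dict[tuple[str, str], Session] = {}
    sessions = []
    for line in text.strip().splitlines():
        r = _kv(line)
        k = (r[key], r["user"])
        if r["event"] == "LOGIN":
            open_sessions[k] = Session(r[key], r["user"], r["ts"], None)
            sessions.append(open_sessions[k])
        elif r["event"] == "LOGOUT" and k in open_sessions:
            open_sessions.pop(k).end = r["ts"]
    return sessions


def _covers(start: datetime, end: Optional[datetime], at: datetime) -> bool:
    return start <= at and (end is None or at < end)


def lease_at(leases: list[Lease], ip: str, at: datetime) -> Optional[Lease]:
    """Most recent unexpired lease for `ip` at time `at`.
    A later DHCPACK for the same IP to another MAC supersedes the earlier one."""
    live = [l for l in leases if l.ip == ip and _covers(l.start, l.end, at)]
    return max(live, key=lambda l: l.start) if live else None


def user_of_record(ip: str, at: datetime, leases, auth, local) -> Optional[str]:
    lease = lease_at(leases, ip, at)
    if lease is None:
        return None                       # IP not assigned by campus DHCP at that time
    for s in auth:                        # authenticated connection: credentials win
        if s.key == lease.mac and _covers(s.start, s.end, at):
            return s.user
    for s in local:                       # unauthenticated port: device's own login log
        if s.key == lease.host and _covers(s.start, s.end, at):
            return s.user
    return None                           # device was on the network, but nobody logged in


LEASES = parse_dhcp(DHCP_LOG)
AUTH = parse_sessions(AUTH_LOG, "mac")
LOCAL = parse_sessions(LOCAL_LOG, "host")


def attribute(ip: str, at_iso: str) -> Optional[str]:
    """Convenience wrapper over the constructed logs: userid or None."""
    return user_of_record(ip, datetime.fromisoformat(at_iso), LEASES, AUTH, LOCAL)


def host_at(ip: str, at_iso: str) -> Optional[str]:
    lease = lease_at(LEASES, ip, datetime.fromisoformat(at_iso))
    return lease.host if lease else None


if __name__ == "__main__":
    for ip, at in [("10.20.30.40", "2009-06-05T09:00:00"), ("10.20.30.40", "2009-06-05T11:00:00"),
                   ("10.20.30.41", "2009-06-05T09:20:00"), ("10.20.30.41", "2009-06-05T10:00:00"),
                   ("10.20.30.40", "2009-06-05T10:35:00")]:
        print(f"{ip} @ {at}: host={host_at(ip, at)} user={attribute(ip, at)}")
```

The two `None` results are the point of the policy's log requirements: an IP whose lease is still valid but whose 802.1X session has ended, or a host on an unauthenticated port with nobody logged in, cannot be attributed to anyone, so a device that lacks the required login/logout log leaves the campus unable to meet the "user of record" obligation during an incident.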
Information and Data Security
- Because information contained on portable and remote computers is especially vulnerable, special care must be exercised. Portable and remote computer systems containing sensitive University data are required to use hard drive encryption to protect the data in the event of unauthorized physical access to the system. The hard disks of all University-owned laptop computers must be fully encrypted.
- To maintain proper data encryption, all systems that store or use sensitive administrative data and connect wirelessly must also use a campus-approved VPN (virtual private network). Systems transferring sensitive University data over non-secure networks (wired or wireless) must encrypt that data during transmission.
- Sensitive university data may not be stored on a non-encrypted portable storage device (i.e. portable hard drive, USB key). If the use of a portable storage device is required, consult the Director of Information Technology regarding an approved storage device.
- Sensitive University data is prohibited from being stored on a personally owned computer. Refer to University policy AD23.
- If a computer is left unsupervised, access to the device console must be locked by pressing the Windows logo key and "L" simultaneously (Windows + L). Laptop computers must be secured with a physical lock provided by the campus when unsupervised.
Unacceptable Use
The following activities are prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services).
Under no circumstances is an employee of the Mont Alto campus authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing campus owned resources.
The lists of prohibited activities presented below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.
System and Network Activities
The following activities are prohibited, subject only to the legitimate job-responsibility exemptions noted above and within the individual items:
- Violations of the rights of any person or entity protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the Mont Alto campus.
- Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the Mont Alto campus or the end user does not have an active license is strictly prohibited.
- It is illegal to export software, technical information, encryption software or technology, in violation of international or regional export control laws. The Director of Information Technology should be consulted prior to export of any material that may be of question.
- Introduction of malicious programs into the campus data network or servers (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
- Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
- Using a campus computing asset to engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
- Making fraudulent offers of products, items, or services from any University access or email account, or offering products, items, or services for personal profit from any University access or email account.
- Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee is not an intended recipient or logging into a server or account that the employee is not expressly authorized to access. The only exception is when access is part of a security analysis performed by an authorized campus or University individual. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information.
- Port scanning or security scanning is expressly prohibited unless prior approval is obtained from the Campus Information Technology Services office.
- Executing any form of network monitoring which intercepts data not intended for the employee's host, unless this activity is a part of the employee's normal job/duty.
- Circumventing user authentication or security of any host, network or account apart from assigned duties performed by ITS Staff.
- Interfering with, or denying service to, any user or host other than the employee's own without sanction (for example, a denial-of-service attack).
- Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet apart from assigned duties performed by ITS Staff.
- Providing information about, or lists of, the Mont Alto campus employees or students to parties outside the University (excluding the campus directory).
Email and Communications Activities
- Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
- Any form of harassment via email, telephone or paging, whether through content, language, frequency, or size of messages.
- Unauthorized use, or forging, of email header information.
- Soliciting email to any address other than that of the poster's own account, with the intent to harass or to collect replies.
- Creating or forwarding "chain letters" or "pyramid" schemes of any type.
- Use of unsolicited email originating from within The Mont Alto campus data network or other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the Mont Alto campus or connected via The Mont Alto campus data network.
- Posting identical or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).
Enforcement
Violations of these policies may result in any of the following without prior notice to the user:
- Limitation of access to some or all campus and University technology services.
- Initiation of legal action by the University.
- Requirement of the violator to provide restitution for any improper use of service.
- Disciplinary sanctions, which may include dismissal.
CROSS REFERENCE
ADG01 - Glossary of Computerized Data and System Terminology
ADG02 - Computer Facility Security Guideline
AD19 - Use of Penn State Identification Number and Social Security Number
AD20 - Computer and Network Security
AD22 - Health Insurance Portability and Accountability Act (HIPAA)
AD23 - Use of Institutional Data
PSU-MA-ITS-000 – End User Computer Agreement
PSU-MA-ITS-001 – Personal Computer Use in Conjunction with the University Data Network
PSU-MA-ITS-005 – Password Policy
PSU-MA-ITS-006 – Anti-Virus Policy
PSU-MA-ITS-009 – Firewall rule and Exception Policy
PSU-MA-ITS-012 – Data Backup and Retention Policy
PSU-MA-ITS-00Q – Computer Administrative Access Request Procedure
POLICY HISTORY
Ratified June 5, 2009