
I PURPOSE
The purpose of this policy is to ensure that USF - Lakeland Campus
experiences uninterrupted access to data and systems, trusts the
integrity of data and systems, trusts that sensitive information
is treated with care, and to establish guidelines for the appropriate
and responsible use of information technology resources by University
students, faculty and staff. Information technology resources
shall be interpreted to include all University computing and telecommunications
facilities, equipment, hardware, software, systems, networks and
services which are used for the support of the teaching, research
and administrative activities of the University.
II SCOPE
This policy pertains to all University of South Florida - Lakeland
Campus systems. Systems are defined as any University computer
systems used in planning, managing, or operating a major administrative
function of the University. This policy also pertains to any associated
administrative data that resides on end-users' local desktop computers,
and/or departmental services.
III STATEMENT OF POLICY
USF-Lakeland information technology resources are for use by
authorized staff and faculty, students and by selected faculty
and staff of USF - Lakeland. It is the responsibility of all
University students, faculty and staff to use these resources
in a responsible, ethical and lawful manner. Any member of the
University community who abuses these resources has engaged in
unacceptable conduct. Activities which intentionally damage or
interfere with the work of other users are especially inappropriate
and may constitute violations of state law.
Limited access can be granted, in some cases, to students to
view and maintain limited personal information. When students
are to be given access to administrative systems for purposes other
than viewing/updating limited personal information, and when part-time,
temporary or contract workers, and USF-Lakeland vendors are to
be given access to administrative systems, written authorization
is required from USF-Lakeland staff or faculty. Students, faculty
and staff are responsible for all actions taken using any computer
logon ID assigned to them. Appropriate use of a logon ID includes
proper password protection for the logon ID, not allowing anyone
else to use the logon ID, not using someone else's logon ID and
not abusing the privileges granted to the logon ID.
Confidential (or sensitive) information is that information which
is confidential by law, including information which requires protection
from unauthorized access by virtue of its legal exemption from
the Public Records Act, Section 119, Florida Statutes.
Critical information, networks, applications, systems, or data,
are those resources determined by management to be essential to
the USF-Lakeland network's critical functions.
Copyrighted software must only be used in accordance with its
license or purchase agreement and must not be copied or altered
except as permitted by law or by the software licensing agreement.
Unauthorized copying, distribution or use of such software is
a violation of state law and the University as well as individuals
may be held legally liable for these actions.
Other examples of inappropriate actions under this policy include,
but are not limited to, the following:
- Unauthorized access, alteration or destruction of another
user's data, programs, electronic mail or voice mail.
- Attempts to obtain unauthorized access to either local or
remote computer systems or networks.
- Attempts to circumvent established security procedures or
to obtain access privileges to which the user is not entitled.
- Attempts to modify computer systems or software in any unauthorized
manner.
- Unauthorized use of computing resources for private purposes.
- Transmitting unsolicited material such as repetitive mass
mailings, advertising or chain messages.
- Release of confidential information.
- Unauthorized release of information.
IV PROCEDURES
Individual colleges and departmental units shall advise users
in their areas of these policies and may also issue additional
"conditions of use" for facilities under their control.
Such conditions must be consistent with this University policy
but may provide additional detail, guidelines, restrictions and/or
enforcement mechanisms appropriate to their area. Units may require
signatures of individuals acknowledging an understanding of these
policies and conditions before providing access.
Violations of this policy may lead to suspension of the user's
computer logon ID and/or disciplinary action (including termination
or expulsion) to be handled by Student Affairs, deans or directors
as appropriate. In any investigation of misuse of information
technology resources, the system administrator may inspect, without
notice, the contents of computer files, system output, electronic
mail and other related materials.
Chapter 815, Florida Statutes, the "Florida Computer Crimes
Act," describes offenses which are crimes under Florida law.
These offenses include unauthorized modification of programs or
data, unauthorized disclosure or use of confidential data, unauthorized
access to computer systems or networks and denial of computer
system services to an authorized user. Offenses under the Florida
Computer Crimes Act shall be investigated by the appropriate law
enforcement agencies. Some offenses may require investigation
by federal law enforcement agencies.
USER RESPONSIBILITIES
Personal computers or terminals should not be left unattended
when the power is on and confidential or critical information
is being accessed. The use of this information is to be restricted
to authorized personnel only and only for authorized functions.
ERDC must be notified as soon as possible when an employee is
terminated or transferred. This should be done by notifying the ERDC
Help Desk (ext. 77040).
The user must ensure that any restricted information stored on
his/her personal computer is safeguarded, through either physical
security (locked offices, or keyboards), access control software,
or encryption.
When a computer is left signed on, it is easy for someone to
gain unauthorized access. Users must either sign off of accounts
before they leave their computer, or restrict access by some other
means (locked office/keyboard, desktop access control, or a password-protected
screen saver). Note, however, that many access control packages
and screen savers can be easily bypassed.
Managing Passwords
USF-Lakeland systems and data are for use only by the individual
granted access. Access must not be shared, since shared use often
leads to abuse. User accounts must be protected with passwords.
The objective when choosing a password is to make it as difficult
as possible for a cracker to make educated guesses about what
you've chosen.
Picking good passwords:
- It should contain at least one upper case letter (A-Z), digit
(0-9), or punctuation character (such as ',' '.' or '-').
- It should not be simply a word or a name in any language --
crackers have online dictionaries, and names relevant to you
can be obtained from publicly available records.
- The password should be more than 6 characters long.
- It should be easy to remember, so you don't have to write
it down.
- Users should be able to type the password quickly, without
having to look at the keyboard. This makes it harder for someone
to steal a user's password by watching over the user's shoulder.
Ways to come up with a hard to guess (but easy to remember) password:
- Misspelling a word.
- Taking two short words, capitalizing one or more letters and
putting them together with punctuation marks or numbers in between.
- Choosing a line or two from a song or poem and use the first
letter of each word.
- Creating words that mimic easily remembered sounds.
Password security:
- Users should change their passwords every 6-12 months.
- Users shall never tell anyone their password. A user should
not share his/her account with other people -- if he/she shares
his/her account, then he/she will be responsible for whatever
is done with that account.
- Users should not write a password down on anything in the work area,
and especially not online in a file.
- Employees who access external computer resources (e.g. other
Regional Data Centers, INTERNET...) are required to follow the
security rules and procedures required by those data centers,
networks, etc.
Computer Viruses, Trojans, Worms
A computer virus, Trojan or worm is a software program or portion
of a program that has been introduced into a computer or computer
system, or network. The purpose of a virus is to damage data files,
expand to utilize available space, delete data, or other harmful
actions. Computer viruses can waste time and can destroy data.
Computer viruses, Trojans and worms are becoming more common every day,
and the number of these being detected has increased. The loading
or copying of unauthorized software onto PCs or other machines
is one of the easiest ways for a virus, Trojan or worm to invade
a computer, system, or network. Just using an infected diskette
on a PC can spread the virus. Users must be sure that the most current
anti-virus software available from East Regional Data Center (ERDC)
is running on the computer.
User must:
- Always run the USF - Lakeland standard, supported anti-virus
software.
- Never open any files or macros attached to an email from
an unknown, suspicious or untrustworthy source. User must delete
these attachments immediately, then "double delete"
them by emptying Trash.
- Delete spam, chain, and other junk email without forwarding,
in accordance with USF - Lakeland's acceptable e-mail use policy.
- Never download files from unknown or suspicious sources.
- Avoid direct disk sharing with read/write access unless there
is absolutely a business requirement to do so.
- Always scan a floppy diskette from an unknown source for
viruses before using it.
- Back-up critical data and system configurations on a regular
basis and store the data remotely.
- Avoid running any applications that could transfer a virus,
e.g., email or file sharing, when the anti-virus software is
disabled.
- Periodically check for anti-virus updates since new viruses
are discovered almost every day.
- Every diskette containing data coming into or leaving the
office should first be checked for viruses to guard against
these viruses spreading. Several offices have copies of virus
checking software. Ask your supervisor or the ERDC Help Desk
(ext. 77040) for the location of the nearest virus checking
software.
Software
All USF Lakeland software for personal computers is licensed.
Software agreements specify the terms under which software can
be copied. You must comply with these restrictions. Contact Help
Desk (ext. 77040) to find out about these terms and conditions.
Licensed software purchased by USF Lakeland is not to be installed
on personal computers (i.e., personal computers not belonging
to USF). Special conditions may arise (e.g., testing of non-USF
software on a university's machine) in which case you should consult
with your supervisor and ERDC first.
Installing of software on personal computers at USF is the responsibility
of ERDC. Only software approved by ERDC shall be supported.
It is suggested that departments consult with ERDC Help Desk (ext.
77040) before installing or copying any software on personal computers.
Backup
Files which are confidential or sensitive are not to be stored
on a hard disk. Users must make sure that critical data on their
personal computers are backed up and stored remotely. These files
are to be backed up periodically and kept in locked storage when
not in use. Users must abide by the terms of all software licenses.
Hardware
Computer equipment (including monitors, system units, printers,
keyboards, external disk drives, scanners, key pads, mouse, cables,
etc.) shall be located where they will be as free as reasonably
possible from damage by water, fire, or other disasters.
Users should not have food, drinks or other foreign objects placed
near PCs (this applies to all liquids including plant holders
that contain water). Crumbs and liquids can cause damage to monitors,
keyboards, and other related equipment.
Removable Disks
When not in use, all disks (3 1/2" diskettes, CDs and ZIP
disks) are to be stored in locked storage if the data they contain
is critical or confidential. Loss of data can occur if removable
disks are stored near magnetic fields (telephones or monitors).
Follow instructions provided with diskettes and ZIP disks for
safe and proper use. As with other computer equipment, foreign
objects such as food, liquids and dust can cause damage to diskettes.
Excessive heat and direct sunlight may also cause damage to diskettes.
Valuable data can be lost if diskettes are not handled safely.
E-Mail
All electronic messages are the property of the State of Florida,
unless otherwise protected by statute, as State property is used
to send, store and receive this form of communication.
In the performance of its duties to the state, USF Lakeland may
monitor or spot check the contents of electronic messages or methods
used by employees. This may include a check on production, efficiency
or signs of misconduct.
Electronic mail is to be restricted to official use only.
Data Integrity
Only allowed information shall be entered into USF computers.
The input of sensitive or critical information must be accurate
and complete and shall be subject to error checking.
The input of sensitive or critical information shall be verified
for accuracy by comparing what was actually processed against
what was supposed to have been processed.
SYSTEM/SECURITY ADMINISTRATORS RESPONSIBILITIES
Each system shall have a designated System Administrator who
is responsible for the operation, security, management, and user
support functions for the system.
The System Administrator shall ensure that all software residing
on the system has been properly purchased and licensed.
The scope of the privileges granted to the System Administrator
and the resulting high level of access to data may present serious
exposures. ERDC shall ensure that System Administrators are sufficiently
trained and that the nature of their appointment (student, OPS,
etc.) does not present an unacceptable risk to the University.
The System Administrator shall be responsible for implementing
security procedures, and support of the office's/division's campus
network operation. The System Administrator must implement appropriate
hardware and/or system maintenance schedules that are necessary
to ensure the uninterrupted operation of the campus network. Included
in the campus network System Administrator's duties are:
- Set-up and administer accounts and passwords on the file
servers.
- Set-up and administer network addresses.
- Set-up and administer local mail servers (if any) and associated
accounts and passwords.
- Keep systems software, virus protection software, etc. for
the campus up to date.
- Serve as a resource person for departmental staff, especially
for questions related to the management/security of the network.
- Assist office personnel in the set up and maintenance of
their computers, and in the installation of new software and
software updates.
- Perform/coordinate backups of computers.
- Assist ERDC in investigating security breaches.
- System Administrator is responsible for enforcing restrictions
specified by East Regional Data Center (ERDC) security policies.
Since short passwords or dictionary words are easy to guess using
automated password crackers, the System Administrator shall make sure
that any reusable passwords are more than six characters
long; are not simple dictionary words; contain a mix
of alphabetic, numeric and special characters (e.g. "*&^%$%$#");
and change at least every 6-12 months. To prevent password
sniffing, systems administrators are encouraged to implement one-time
or encrypted password authentication.
Unused accounts make attractive targets to intruders, since no
one will likely notice the activity. Accounts must be regularly
reviewed for inactivity, and any unused accounts suspended.
Temporary access privileges granted to students, contractors/temps/part-timers
and vendors must be for a period no longer than one year or until
the end of the contract term, whichever is sooner, and may only
be created and renewed with written authorization from a USF-Lakeland
faculty member or ERDC.
Special care should be taken with privileged accounts (including,
e.g., but not limited to "root" for UNIX), commensurate
with the privileges afforded the account. Systems administrators
must never allow a reusable password for the most privileged accounts
to travel over the network un-encrypted. Passwords for privileged
accounts should be given only to people with a need for privileged
access.
Vendor- or author-provided security patches must be evaluated
for compatibility, and installed as soon as practical.
Wherever feasible, a login banner, stating that the system is
for authorized use only, should be displayed for anyone attempting
to connect to the system.
Where feasible, all operating system, version/release numbers,
and vendor information provided in login/sign-on banners should
be limited or disabled. Providing this information makes attacks
easier by allowing intruders to pinpoint hosts with known security
vulnerabilities.
Wherever feasible, login restrictions (by time of day, by system
address, etc.) should be implemented.
Logs of user activity must be held for a period of at least six
months. Knowledge that logs are kept acts as a deterrent to abuse.
Logs are also essential in investigating incidents after the fact.
Logs should include (where feasible) the time and date of activities,
the user ID, commands (and command arguments) executed, ID of
either the local terminal or remote computer initiating the connection,
associated system job or process number, and error conditions
(failed/rejected attempts, failures in consistency checks, etc.).
System Administrator is responsible for taking proactive steps
to assure the security of the server. Examples include regularly
checking for weak user passwords and checking the system for common
security vulnerabilities.
System Administrator must implement backup procedures consistent
with the requirements of ERDC.
System Administrator is responsible for compliance with each
relevant campus operating-system-specific security standard.
Access Security
Each fully-authorized user of a system shall have a unique logon
ID. Users who should no longer have access shall have their logon
IDs suspended or deleted in a timely manner. Any ID which is used
to access a system, and which does not provide a unique user
identification, shall have access only to specific restricted
system resources.
Access control procedures shall be used to authenticate all users
who access each system. Such controls shall include, at a minimum,
a logon ID and a response mechanism (such as a password) for each
user. The operating system shall be configured to encourage a
periodic expiration of all passwords as well as to establish a
suitable minimum length for passwords.
Logon ID's which have supervisor or root privileges shall be
highly secured. Such IDs shall be reserved for system management
tasks and shall not be used as the IDs for normal day-to-day work
by the users having these privileges.
Access rights and privileges for all authorized users shall be
maintained and managed so as to secure access to data in a manner
appropriate to the needs of the user and the value of the data.
Confidential data shall be protected against unauthorized access
regardless of form, computing environment or location. Serious
access control problems can be created when confidential University
data is downloaded or otherwise transferred from a secure environment
to a less secure environment.
Procedures shall be established for the management of data residing
on the hard drives of any equipment that is transferred or surplused.
If equipment is transferred to another University department,
then all University and department data shall be removed from
the equipment hard drive prior to the transfer. Special care shall
be taken to remove all data from the hard drive of equipment that
is being surplused or donated.
At the time of termination of employment from a department or
from the University, an employee shall certify as part of the
department's termination processing that all University or department
data has been removed from the employee's personally-owned home
equipment.
Server Access
Security for log on access to the network and access to files
and applications on the server will be implemented via a user
ID and password. Each campus network user will be assigned a user
ID. Each account must be password protected and password history
and password aging must be implemented. Only authorized personnel
(students, staff, faculty, and affiliated personnel) shall have
accounts assigned. A remote user who does not know a correct ID/password
pair should not be able to access the network. User authentication
via associated user ID and password might not be possible in some
locations, such as computer labs. In such cases, security must
be maintained by other mechanisms. Passwords must be chosen by
and known only to the individual user responsible for the user
ID.
Default passwords shipped with servers, operating system software,
or applications must always be changed when the hardware or application
is installed or implemented. ID/password files on servers must
be encrypted. If possible, passwords should not be transmitted
over the network in clear text. It is important to maintain the
ID/password directory with current data. LAN access for terminating
or transferred employees must be removed immediately.
Directory Access
Directory and file security is accomplished via access control
rights. These rights should be administered for each LAN user.
File Access
There are several levels of file access: Read, Write, Execute,
Delete and Add. File access levels should be administered appropriately
for users or groups of users depending on what application is
being invoked.
Software Integrity
Appropriate procedures shall be established and documented for
the management of computer and system software. These procedures
shall address the processes by which such software is acquired,
installed, tested, documented, changed, and maintained.
All proprietary software installed on University equipment shall
be administered in accordance with each individual software license
agreement. Software that is surplused or donated must be removed
from the equipment to which it is currently licensed.
Procedures shall be established and maintained to ensure prior
approval is obtained for the installation of employee-owned software
on University equipment. Employee-owned software must be removed
from University equipment when the equipment is no longer being
used by that employee, or upon that employee's termination of
employment with the department or the University. Procedures shall
be established to ensure that any employee-owned software installed
on University equipment has been legally obtained by the employee.
At the time of termination of employment from a department or
from the University, an employee shall certify as part of the
department's termination processing that all University or department
software has been removed from the employee's personally-owned
home equipment and that all original software diskettes or copies
have been returned to the University.
Procedures shall be established for the management of proprietary
software purchased for an employee's use in a telecommuting arrangement.
The procedures shall ensure that the software is removed from
any non-University equipment at the conclusion of the telecommuting
arrangement or at the termination of the employee's employment
with a department or with the University.
Physical Security
The System Administrator has responsibility for the physical
security of the LAN hardware. The LAN servers should be located
in a physically secure area, such as a locked closet or room.
The server should not be used as a workstation, except by the
System Administrator for purposes of server administration or
in exceptional situations. All cable connections and the cable
itself must be in a secure location to lower the risk of inadvertent
or mischievous damage to the physical equipment.
Security awareness should be an important part in administering
a campus network environment. It is important to remember that
the most vulnerable security risk in any office could be leaving
confidential papers, clearly-named diskettes, and listings in
full view in an empty office. Also, walking away from a logged
on workstation invites trouble.
Data Security
It is the System Administrator's responsibility to monitor access
to the data on the network, based on the relative risk and the
user's "need to know". Authorization requires careful
thought. Campus network passwords and the resources to which they
provide access may be adequate for sharing documents and data
collections, such as mailing lists; however, for more complex
databases with confidential contents, more definition is required.
In such cases, the application programs should provide the appropriate
level of security. This is an application and/or database administration
function.
Backups
Servers with software, data files, and/or backup data for workstations
on the campus network need to have an effective backup procedure
on a regularly scheduled basis. System Administrator is responsible
for backing up the LAN and is required to implement a tested and
auditable process. This is crucial for recovery from power or
hardware failure, data and/or network problems, and physical disasters.
If possible, procedures for backup should not require operator
intervention. They should be automatic. Backups should be stored
on site for quick recovery from data or network problems. LAN
backups for critical business functions should also be stored
off site. Backups shall be stored on-site in a secured area which
would not be subject to the same disruption of services as the
location in which the system is located. Recovery procedures must
be documented and tested. Software installation and upgrade must
be done by the System Administrator or the backup System Administrator.
Procedures shall also address periodic testing to ensure the ability
to successfully restore data from these backups.
All data considered mission-critical to the operation of the
department shall also be maintained in an alternate backup location.
Viruses, Trojans, and Worms
The System Administrator is responsible for regular scans of
each server and computers with hard disks for viruses, Trojans,
worms and security violations.
System Login Security Administration
All accounts must be created by the system administration group.
Accounts should be set up with passwords, with the possible exception
of lab accounts, or special usage accounts which can be station
restricted for security. Passwords must have a minimum of eight
(8) characters, be unique and non-repeatable, with periodic expiration.
All password accounts should be set up with an expiration date
parameter in addition to having several other security options
enabled, such as intruder lockout and change password at next
login.
Sensitive Utilities
Only the system administration group has rights to implement
any of the security policies that are part of the User Manager
for Domains utility. The ability to administer users and groups
in other domains is controlled by trust relationships which are
set up by the administrator. Access rights should be set up on
Windows NT server so that only the administration group has rights
to other sensitive areas, such as the registration database, Server
Manager and all other management utilities.
Coordination of Network Problems
In a campus network, there would need to be a central administration
group to administer trust relationships and file permissions across
domains, in addition to managing other enterprise operations.
ERDC shall implement a central administration group to administer
the campus network at USF Lakeland. A disaster recovery plan should
be formulated that includes a definition of what constitutes a
disaster and a set of procedures to deal with recovering from
various failures.
Confidentiality Notice
As an individual whose position requires interaction with any
or all of the University's administrative information systems,
you may be provided with direct access to confidential and valuable
data and/or use of data/voice systems. In the interest of maintaining
the integrity of these Systems and of ensuring the security and
proper use of University resources, you must:
- Maintain the confidentiality of your password for all systems
to which you have access. Maintain in strictest confidence the
data to which you have access. Any confidential information
must not be shared in any manner with others who are unauthorized
to view such data.
- Use your access to the University's systems for the sole
purpose of conducting official business of the University. Understand
that the use of these systems and their data for personal purposes
is prohibited.
- Understand that any abuse of access to the University's systems
and their data, any illegal use or copying of software, any
misuse of the University's equipment may result in disciplinary
action, loss of access to the University's systems, and possible
sanctions consistent with the University Policy on Adherence
to University Policy.
Security Investigations
At the demand of the office/departmental manager or System Administrator,
ERDC will help out in the investigation of any security violation.
To aid ERDC in their investigation, the office/departmental manager/security
officer must supply ERDC with the following:
- Timely notice of the violation.
- Super user privileges on the machines involved.
- Pertinent logs documenting the violation, if available.
- Written logs of the installations/updates of system and application
software.
EAST REGIONAL DATA CENTER SYSTEM ADMINISTRATOR RESPONSIBILITIES
LAN Administration
Each LAN shall have a designated LAN administrator who is responsible
for the operation, security, management, and user support functions
for the LAN.
The LAN administrator shall ensure that all software residing
on the LAN server has been properly purchased and licensed.
The LAN administrator shall be responsible for implementing procedures
to protect the LAN from virus attacks and for removing a virus
if one is found.
The scope of the privileges granted to the LAN administrator
and the resulting high level of access to data may present serious
exposures. Consequently, only regular position staff should be
assigned duties as a LAN administrator.
LAN administrators shall carry out the college or department
procedures for backup of its LAN data and software.
It is required that ERDC assign a permanent staff member to be
the System Administrator to set and enforce local policies and
procedures governing the campus LAN. A second permanent staff
member must be appointed as the System Administrator's backup
who will fulfill the position's functions when the administrator
is not available. If the existing LAN administrator or backup
plans to resign from her/his position in the office or from the
University, this person should be made responsible for training
a replacement to assume the LAN administrator duties.
Within reason, ERDC must make available the resources that users
and systems administrators need to carry out the responsibilities
above.
ERDC must keep copies of the original software licenses for commercial
software used in their department. For site-licensed software,
management must retain a copy of the site license. ERDC must ensure
compliance with the terms of all commercial software licenses.
ERDC must ensure the physical security of servers. It is strongly
recommended that departmental and central servers be kept in a
locked area. Servers must be protected from power surges, power
failures, water damage, overheating, fire, and other physical
threats.
ERDC must ensure that all users have viewed a confidentiality
statement at the time that access is granted.
ERDC/supervisors must ensure that access to administrative systems
is revoked or modified as appropriate upon employee resignation,
termination, job changes, or when grants or contracts expire.
Incident Plans
Incident plans are alternative steps to take when information
technology support is interrupted. Incident plans assure that
users can continue to perform essential functions in the event
that access to data and equipment is lost for any of a number
of reasons (theft, equipment failure, fire/water damage, unauthorized
access, etc). Recovery plans shall be developed and maintained
for the restoration and continuation of critical services in the
event of a significant disruption of normal computer and system
operations. These shall include plans for interim manual processing,
as well as plans for resuming operations in an alternate location
should that be necessary to maintain the mission-critical functions
of the college or department.
ERDC must be contacted for assistance in obtaining alternate
means of computing in case of an emergency. ERDC shall establish
a minimum arrangement for hardware usage in the event that an
interruption occurs at USF Lakeland offices.
ERDC must establish a routine whereby backup copies of removable
media are made on a regular basis and stored in a location other
than the computer workstation or files are copied to the permanent
storage network drive.
These plans shall address areas such as replacement of hardware
and software, restoration of data, relocation of personnel and
so on, as appropriate to the needs of the college or department.
Training
Programs shall be developed and maintained for training employees
in the proper use and protection of computing resources. Appropriate
training areas should include logon ID and password management,
detection and prevention of viruses, backup procedures for client
data, proper uses of proprietary software, system administrator
training and general security awareness. Programs shall also include
the provision and availability of appropriate hardware and software
reference materials for employees.
Equipment Protection
Procedures shall be developed and maintained for protecting computer
equipment and components from theft and physical damage. Equipment
shall be located only in areas that have sufficient physical access
controls; servers, in particular, shall be in a secure area with
access permitted only by authorized persons. Protective measures
shall include power surge protection, fire or smoke detection,
alarm systems and other devices as appropriate.