Computer and Network Security Policy
University Technology Services
Worcester State networking and computing resources are vital assets that must be protected.
Access to all Worcester State networking and computing resources must be based upon strong identification and authentication.
- Users must be positively identified and authenticated prior to being permitted access to any Worcester State network or computing resource.
- Remote access to Worcester State messaging systems from home or for mobile users, using personal or college-owned computers over public networks (PSTN, Internet), is permitted under restricted conditions. Remote users must use strong authentication when accessing computer or network resources.
- Users will be required to re-login to their workstations if their systems have been idle for 15 minutes.
- Whenever possible, user workstations will have an active personal firewall configured by the University.
- Attempting to access another user’s accounts is prohibited. This includes access through e-mail system client software or through capture of data traversing the network.
- Users will have no more than 8 login attempts (4 for Community System/Blackboard, 5 for Datatel/Colleague) prior to being locked out of WSU system resources for a period of 30 minutes.
- Creation of all accounts must be performed only by authorized system administrators and only after receiving documented management approval for each new account.
- Accounts will be disabled immediately upon termination or transfer of employment of the user. All messages will be permanently deleted from the user’s mailbox (but may be archived elsewhere), and delivery of any further messages to the account will be disabled within two weeks of employee's termination or transfer. Account retention or forwarding, after termination of employment, is not permitted without prior written management approval.
- By default, ports for firewalls and edge devices are set to closed, excluding port 80; additional ports may be opened based upon specific service protocols, which must be approved by the College's security officer or CIO. Port configuration for firewalls and switches will be documented on a regular basis.
- Access to core networking devices is available only by secure RADIUS authentication.
- Worcester State reserves the right to monitor the content and traffic patterns and/or electronically screen networking and computing resources, including activity and traffic originating remotely. Purposes for such monitoring and/or screening include, but are not limited to, system maintenance, detection and elimination of contamination, detection and prevention of unauthorized disclosures of Worcester State confidential or proprietary information, detection of unauthorized access to computing and network resources, and determination of compliance with Worcester State policies.
- Worcester State reserves the right to intercept and/or quarantine any networking or computing resources that may pose a threat to Worcester State, including, but not limited to, data, messages, and network traffic. If such monitoring, screening, interception, and/or quarantine reveal possible evidence of criminal activity, Worcester State may provide the evidence of such monitoring to law enforcement officials.
- Worcester State reserves the right to scan for unauthorized devices (e.g., access points, servers) connected to the College's network. The College will scan its network for such devices on a quarterly basis, at minimum.
- Users must report any suspected violation of these policies to the Data Security Officer. All reports of alleged violations of this policy will be investigated on a case-by-case basis. During the course of the investigation, access privileges will be monitored and may be suspended. Violations of policy may result in disciplinary action including, but not limited to, permanent loss of access privileges and/or termination of employment.
- Administrators must maintain tables, diagrams, and other records of the baseline system and security configuration, and of any configuration changes, for all user hardware and software system components. Inventories must be kept of all hardware, with type, model, purpose, and location. A software inventory with version, patch level, installation options, purpose, location, license numbers, and keys must be kept and provided to the Data Security Officer. Any time there is a relocation of personnel, equipment, or software, the inventory list must be updated and a copy provided to the Data Security Officer.
- Any changes, additions, or updates to Worcester State owned or managed servers, hardware, or software must be catalogued using the IT Change Management format available on the IT Project site. The change management process includes detailing the problem, determining effective dates, recording notification status, and a detailed debrief that includes a multi-level approval process.
- Each server will be used for one primary function.
- The Infrastructure team regularly monitors the EDUCAUSE security listserv to identify newly discovered security vulnerabilities.
- Assignment of privileges is based on each individual's job classification and function.
- Access rights are restricted to the least privileges necessary to perform job responsibilities.
- Users with system privileges are required to use non-privileged accounts while accessing the Internet.
- Access control systems use default "deny all" setting.
- Intrusion detection systems are in use and kept up-to-date.
- A formal risk assessment is performed on an annual basis.
- Security policies are updated at least on an annual basis.
- There is a formal security awareness program in place: employees are educated annually, and each employee's acknowledgement of compliance with security policies is obtained on an annual basis.
In accordance with the Incident Reporting and Response Policy, security incidents must be reported to the next higher entity on the security point of contact list created by the Data Security Officer. The point of contact list should include information about how to reach each contact (home phone number, office phone number, cell phone number, home and office email address, and pager numbers).