Addendum A
(see DCSMT minutes for October 5, 2001)

The following lists proposed changes to UNT Computer Resources Security Standards Policy 3.7.  Proposed changes are in italics.

 

UNT Computer Resources Security Policy 3.6

1. PURPOSEEstablish the associated sanctions for loss, corruption, misuse, virus infection and/or            unauthorized disclosure of University computer resources.

2. SCOPE: centrally administered computer systems, departmental computer systems, and personal computers, including all means of accessing the preceding; for example, installation of server software even on a personal computer

3. DEFINITION OF TERMS:

5. Centrally administered computer system - a computer system, including the supporting data communications network, used for capturing, storing, maintaining, and accessing digital institutional data under the direct management of the Computing Center. This includes campus-wide data communications networks such as the broadband and fiber optics networks which span departmental computer systems.

9. Computerized institutional data application - a specialized automated system used by an office/ department for administrative purposes. It does not include software tools for microcomputers such as word processing, data base, and spreadsheet software, but does include specialized administrative applications developed using these tools to capture, store, maintain, and/or access computerized institutional data.

10. Owner of an Information Resource - A person responsible for a business function and for determining controls and access to information resources supporting that business function.

11. User of an Information Resource - An individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules.

12. Custodian of an Information Resource - The person charged with technical implementation of security policies and procedures for the computer installation.

13. Department Head - An employee of the university with budgetary authority over users of an information resource.

15.Access - to approach, view instruct, communicate with, store data in, retrieve data from, or otherwise make use of information resources.

16. Confidential Information - Information that is excepted from disclosure requirements under the provisions of the Texas Public Information Act or other applicable state or federal law.

4. GENERAL POLICY STATEMENTS: 4.1. University computer resources -- general:

1. University computer resources shall be used solely for legitimate University-related purposes as stated in the university Computer Use Policy

4. GENERAL POLICY STATEMENTS: 4.2. Access to University computer resources:

2. Access to a University computer resource of any computer system must be approved by the management of that computer system. (Policy 3.10)

4. GENERAL POLICY STATEMENTS: 4.4. Copying of computer software, data, and manuals:

1. The owner of an information resource will take appropriate and reasonable steps to inhibit attempts to obtain unauthorized copies of computer software, computer data, and/or software manuals.

4. GENERAL POLICY STATEMENTS 4.5. Code of Ethics: All persons given broader-than-normal access to any resources on university computer systems and any persons who authorize such access will abide by the System Administrator Code of Ethics approved by the Information Resources Council and reviewed by the Information Resources Steering Committee.

5. GENERAL RESPONSIBILITIES: 5.1. Information Resources Council:

1. The Information Resources Council will review and make recommendations to the Information Resources Steering Committee concerning proposed changes to this policy.

5. GENERAL RESPONSIBILITIES: 5.2. Computer Resources Security Coordinator:

1. The Associate Vice President for Computing and Communication Services or his/her designee will function as computer resources security coordinator for the University.

2. Among the responsibilities of the Computer Resource Security Coordinator will be:

1. Ensuring that adequate security procedures, including backup, disaster recovery, and contingency planning, have been formulated for the centrally administered computer systems.

2. Coordinating the implementation of security procedures, including backup, disaster recovery, and contingency planning, for the departmental computer systems and personal computers.

3. Establishing mechanisms for monitoring compliance with and violations of University computer resource security policies and standards. Establish procedures for investigation, logging, and management reporting and follow-up of access violations.

4. Performing periodic risk assessments and security audits of existing and proposed systems.

5. Overseeing the development and maintenance of a comprehensive Computer Resource Security Policy Manual to include security procedures to implement University computer resource security policies and standards.

6. Overseeing the development of training courses for training employees in University computer resource security policies, standards, and procedures.

7. Gathering information from the Information Resource Custodians and reporting as necessary and appropriate.

5. GENERAL RESPONSIBILITIES: 5.4. Department Heads

5. Department heads will ensure that computer resource security responsibilities are included in the performance evaluation criteria of appropriate personnel, including the custodians, owners and users of an information resource.

6. Department heads will inform appropriate custodians of an information resource when employees have terminated so that the terminated employee's access to University computer resources may be disabled.

7. Department heads will identify custodians, owners, and users of an information resource for their departments.

5. GENERAL RESPONSIBILITIES: 5.5. Owners of an Information Resource

1. Owners of an information resource shall establish the rights to access specific data elements, files, and/or administrative applications via University computer resources.

2. Owners of an information resource shall ensure that the access rights they have designated are enforced by the security mechanisms of the computer system(s) on which the data resides.

3. Owners of an information resource shall establish the guidelines for dissemination of the data on machine- and human-readable forms within their purview of responsibility and within the context of University policy and State and federal regulations and laws.

5. GENERAL RESPONSIBILITIES: 5.6. Users of an Information Resource

Users of an information resource shall ensure that any computerized institutional data in their custody, whether in machine- or human-readable form, is disseminated and/or disclosed in accordance with University policy and the guidelines established by the data owner.

5. GENERAL RESPONSIBILITIES: 5.7. Custodians of an Information Resource

1. Custodians of an information resource shall ensure that procedures are put in place for the computer installation to implement University computer resource policies and standards.

2. Custodians of an information resource shall ensure that, if possible, the process by which a user accesses the resources of their computer installation displays a message advising users of their responsibility to comply with the provisions of this policy.

3. Custodians of an information resource are responsible to enforce compliance with provisions of licensing agreements and other computer resource contracts for the computer installation.

5. GENERAL RESPONSIBILITIES: 5.8. Individual Employees/Students

1. All individuals, whether faculty/staff employees or students, must sign a confidentiality agreement upon receiving the privilege of using University computer resources.

4. All individuals who use wide-area network services (such as the Internet) provided via University computer resources must abide by the policies of those networks.

6. Any individual who connects a machine to the campus network is responsible for maintaining security on that machine system and for performing appropriate security updates so as to prevent security breaches to the campus network.