Addendum B
(see DCSMT minutes for October 5, 2001)

The following lists proposed changes to UNT Computer Resources Security Standards Policy 3.7.  Proposed changes are in italics.

 

UNT Computer Resources Security Standards Policy 3.7

4. STANDARDS:

4.1. Physical Security 4.1.1. Computer System

a. The custodian of an information resource will provide and implement reasonable security measures to protect the computer system against natural disasters, accidents, and deliberate attempts to damage the system.

b. The custodian of an information resource will take action to provide reasonable protection against such environmental threats as flooding, lightning, extreme temperatures, and loss or fluctuation of electrical power, as well as riot and sabotage, and will provide adequate disaster recovery plans and procedures, including use of off-site storage for critical systems data.

c. The custodian of an information resource will provide an environment which restricts physical access to the computer system to the appropriately authorized users.

d. As appropriate, the custodian of an information resource will have defined procedures for maintaining data integrity during hardware repair, will set up a schedule of preventive maintenance for the computer system, and will maintain a log of hardware malfunctions.

e. The university data communications department will document the university data communications network configuration and make it available as needed to the custodians of an information resource.

4.1. Physical Security 4.1.2. Workstations

b. Users of personal computers (PCs) should be familiar with and shall comply with the provisions of the Microcomputer Data Integrity Policy (Policy 3.8).

c. Any individual who connects a machine to the campus network is responsible for maintaining security on that machine system and for performing appropriate security updates so as to prevent security breaches to the campus network.

4.2. Access Control 4.2.1. User Logon IDs

a. The custodian of an information resource will, where reasonable, assign each user of the computer system a unique identification (i.e., a logon ID). In cases where public access requirements necessitate provision for guest accounts, justification for such access must be submitted in writing to the department head. Any access points to other facilities from the computer installation should be protected, where reasonable, by requiring a logon ID and password.

b. Each user of a logon ID will establish a password, known only to the user. The procedure for changing passwords should be published by the custodian of an information resource. Individual users will be responsible for any breaches of security due to failure to maintain confidentiality of their passwords.

c. The custodian of an information resource will, where possible, develop a mechanism to assure that each user of a logon ID changes his/her password at appropriate intervals or, when an intitial password is assigned and should be changed, assure that only the user knows that password.

d. The custodian of an information resource will maintain lists of persons authorized to access the various administrative computer system applications.

e. The custodian of an information resource using logon IDs will, where appropriate, provide a mechanism which allows user logon IDs to be active only during specific hours.

f. The custodian of an information resource using logon IDs and running administrative applications will, where possible, provide a mechanism that records and logs off a user logon ID after a specified period of time of inactivity.

g. The custodian of an information resource using logon IDs and running administrative applications will, where possible, provide a mechanism that locks a user logon ID after multiple unsuccessful attempts to log on.

h. The custodian of an information resource will establish a mechanism for disabling access to University computer resources in cases of job termination or change.

4.3. Applications Security 4.3.1. Data/Data Bases

a. The owner of an information resource will provide the mechanisms to identify the data/application owner for that installation.

 b. The owner of an information resource is that department head who has been given administrative responsibility to gather and maintain the specific data items. If the responsibility is unclear, the information resource owner will be the department head that updates the specific data items.

c. Data classifications with corresponding levels of security will be maintained by the custodian of an information resource. The data owners will determine and assign protection levels for their own data.

d. The owner of an information resource will authorize other users to access or update the data owned by them. If the information resource owner reduces or denies the access level requested by the user, the user may appeal such action through the data owner's normal administrative hierarchy.

4.3. Applications Security 4.3.2. Administrative Programs and Applications

a. The custodian of an information resource will maintain a mechanism to, where appropriate, restrict access to administrative programs and applications based on users' logon identifications (IDs).

b. The owner of an information resource will designate which users are authorized to access the administrative program or application. If the information resource owner reduces or denies the access level requested by the user, the user may appeal such action through the owner's normal administrative hierarchy.

c. The custodian of an information resource will set up a method of tracking requests for, progress on, testing of, and implementation of new administrative programs and applications and of changes to existing administrative programs and applications.

d. Only the owner of an information resource has the authority to approve the installation of a modification to an administrative program or application.

e. The custodian of an information resource will maintain a mechanism that restricts the installation of software into production status to the owner of an information resource or his/her designee. The custodian will also have an established procedure for installation of software into production status.

f. Testing of software before installation into production shall be the ultimate responsibility of the custodian of an information resource. The custodian must assure that adequate testing has been done and/or that backups of computerized institutional data has been done before authorizing the installation of software into production status.

g. Where staffing permits and the scope and criticality of the administrative application warrants, the owner of an information resource will separate the responsibilities for programming, operations, clerical/data control, and data maintenance. This particularly applies to any application that involves methods of payment or that has direct or indirect fiduciary implications.

 h. All externally acquired software for microcomputer platforms (either LANs or standalone workstations) shall be handled in accordance with Microcomputer Data Integrity Policybefore installation or use on University computer resources.

4.4. Auditing Requirements

a. The owner of an information resource will inform the Office of Internal Audits of each new administrative application installed.

b. The custodian of an information resource will maintain archives of critical data stored in the computer sufficient for audit purposes.

c. The custodian of an information resource will maintain source documents for backup, recovery, and audit purposes in accordance with the institution's retention schedule.

4.5. Records Management and Media Control

a. Retention and disposal of computerized institutional data will be governed by the University Records Retention Schedule Policy and the State of Texas Records Retention Schedule.

b. When data is physically accepted by another individual/ department in either a machine- or human-readable form, the recipient of the data becomes the user of the data now within his/her purview in accordance with the requirements established by the owner of an information resource.

d. The custodian of an information resource will take reasonable steps to ensure that hard copy documents printed under his supervision are accounted for and distributed only to appropriate personnel.

e. The custodian of an information resource must take reasonable steps to ensure that confidential information is read and/or used only by authorized personnel.