Document Overview
Objectives And Scope—A large portion of Misericordia University business is conducted with personal computers, including Macintoshes, UNIX workstations, portable computers, handheld computers, personal digital assistants, and similar computers dedicated to a single employee’s activity. Protection of personal computers and the information handled by these systems is an essential part of doing business at Misericordia University. To this end, this policy provides information security instructions applicable to all employees who use Misericordia University personal computers. This policy applies whether personal computers are standalone or connected to a network such as a local area network or the intranet. Violations of the University Personal Computer Security Policy are treated like any other ethical violation as outlined in relevant contractual agreements, and applicable faculty and staff handbooks. Penalties may include but are not limited to, restricted access, no access, suspended access, or other University actions as deemed necessary. Violators may also be subject to prosecution under applicable Federal and Commonwealth of Pennsylvania statutes.
Business and Education Use Only
Business and Education Use Only—In general, Misericordia University computer and communication systems are intended to be used for business and educational purposes only. Incidental personal use is nonetheless permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business or educational purposes, does not interfere with employee productivity, does not preempt any business or educational activity, and does not cause distress, legal problems, or morale problems for other employees. Permissible incidental use of a personal computer would, for example, involve responding to an electronic mail message about a luncheon, purchasing a gift online, and paying bills through the Internet. Offensive material that might cast Misericordia University in a bad light, including sexist, racist, violent, or other content, is strictly forbidden from all computer devices on Misericordia University campus.
Changes To Application Software—Misericordia University has a standard list of permissible software packages that employees can run on their personal computers. Employees must not install other software packages on personal computers without obtaining advance permission from the Information Technology Department. Employees must not permit automatic software installation routines to be run on Misericordia University personal computers unless these routines have been approved by the Information Technology Department. Unless separate arrangements are made with the Personal Computer group, upgrades to authorized software will be downloaded to personal computers automatically. Unapproved software may be removed without advance notice to the involved employee.
Changes To Operating System Configurations—On Misericordia University-supplied computer hardware, employees must not change operating system configurations, upgrade existing operating systems, or install new operating systems. If such changes are required, they must be performed by Misericordia University Information Technology personnel, in person or with remote system maintenance software.
Changes To Hardware—Computer equipment supplied by Misericordia University must not be altered or added to in any way without the prior knowledge of and authorization from the Information Technology Department.
Access Control Package—Employees must set the time frame for their screensaver. The period of no activity, at which point the contents of the screen are obscured, should be set to 15 minutes or less. If sensitive information resides on a personal computer, the screen must immediately be protected with the password protected screen saver, or the machine turned off, whenever an employee leaves the location where the personal computer is in use.
Choice Of Passwords—The employee-chosen passwords employed by access control software packages, and the keys employed by encryption packages, must be at least 8 characters in length. These passwords and keys must be difficult to guess. Words in a dictionary, derivatives of user IDs, and common character sequences such as “123456” must not be employed. Personal details such as spouse’s name, license plate, social security number, and birthday must not be used unless accompanied by additional unrelated characters. Employee-chosen passwords and keys must not be any part of speech including, proper names, geographical locations, common acronyms, and slang. A user who has reason to believe that a password is being used by an unauthorized person should promptly notify the Information Technology Department.
Storage Of Passwords—Employees must maintain exclusive control of their personal passwords. They must not share them with others at any time. Passwords must not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in computers without access controls, or in any other locations where unauthorized persons might discover them.
Encryption Of Critical Information—All computerized critical information must be encrypted when not in active use, for example, when not manipulated by software or viewed by an authorized employee. The use of physical security measures such as safes, locking furniture, and locking office doors is recommended as a supplementary measure to protect critical information. All documents containing passwords, or any personal information (especially Social Security numbers) must be viewed as critical information.
Logging Of Events Related To Critical Information—Personal computers handling critical information must securely log all significant computer security relevant events. Examples of computer security relevant events include password guessing attempts, attempts to use privileges that have not been authorized, modifications to production application software, and modifications to system software.
Virus Program Installed—All personal computers must continuously run the current version of virus detection package approved by the Information Technology department (either Trend Micro or Symantic Antivirus). The current version of this virus package must be automatically downloaded to each personal computer when the machine is connected to the Misericordia University internal network. Employees must not abort this download process. At a minimum, this package must execute whenever external storage media is supplied.
Decompression Before Checking—Externally-supplied floppy disks, CD-ROMs, and other removable storage media must not be used unless they have been checked for viruses. Attachments to electronic mail must not be executed or opened unless they have been checked for viruses. Externally-supplied, computer-readable files, software programs, databases, word processing documents, and spreadsheets must be decompressed prior to being subjected to an approved virus-checking process. If the files have been encrypted, they must be decrypted before running a virus-checking program. Symantic performs the scans specified if configured with default settings.
Eradicating Viruses—Employees must not attempt to eradicate a virus without expert assistance. If employees suspect infection by a virus, they must immediately stop using the involved computer, physically disconnect from all networks, and call the Information Technology Help Desk. If the suspected virus appears to be damaging information or software, employees must immediately turn off the personal computer.
Playing With Viruses—Employees must not intentionally write, compile, copy, propagate, execute, or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any Misericordia University computer system.
Backup
Archival Copies—All personal computer software that is not standard Misericordia University software must be copied prior to its initial usage, and such copies must be stored in a safe and secure location. These master copies, perhaps the media issued by the vendor, must not be used for ordinary business activities, but must be reserved for recovery from virus infections, hard disk crashes, and other computer problems. Documentation about the licenses for such software must be retained to get technical support, qualify for upgrade discounts, and verify the legal validity of the licenses. Storage of originals must be stored in a different building; thus, the systems can be rebuilt should a catastrophic event occur.
Periodic Backup—All sensitive, valuable, or critical information residing on Misericordia University computer systems which contain data that would be too time consuming or costly to reproduce should be periodically backed up. Such backup processes should be performed at least weekly. Unless automatic backup systems are known to be operational, all employees are responsible for making at least one current backup copy of sensitive, critical, or valuable files of their computer. These separate backup copies should be made each time that a significant number of changes are saved. Employee-generated backups should be periodically stored in a different physically secure location. Selected files from backups should be periodically restored to demonstrate the effectiveness of every backup process. Department managers should verify that proper backups are being made on all personal computers used for production business activities. Help Desk technical support is available for those employees that are having difficulty specifying, configuring, or otherwise establishing backup systems.
Reporting Software Purchases—All employee department purchases of personal computer software that have not been handled through the Personal Computer group must promptly be reported to the Personal Computer group.
Copyright Protection—Making unauthorized copies of licensed and copyrighted software, even if for “evaluation” purposes, is forbidden. Misericordia University permits reproduction of copyrighted materials only to the extent legally considered fair use or with the permission of the author or Owner. If employees have any questions about the relevance of copyright laws, they must contact the Personal Computer group. Unless they receive information to the contrary, employees must assume that software and other materials are copyrighted.
Deletion of Old Information—Employees must delete information from their personal computers if it is clearly no longer needed or potentially useful unless said information is critical or contractual. Use of an erase feature is not sufficient for sensitive information because the information may be recoverable. Sensitive information should be deleted by an overwrite program approved by the Information Technology department.
Destruction Of Information—Prior to disposal, defective or damaged electronic media such as floppy disks, compact disks, or other media containing sensitive information must be destroyed. Electronic media in need of destruction can be sent to the Information Security Manager for proper destruction (i.e. shredding). Any paper copies containing sensitive information must be disposed of in the locked destruction bins found in Misericordia University offices. All hardcopy containing sensitive information must be disposed of in these bins or through a cross-cut paper shredder.
Documentation For Production Systems—Every employee who develops or implements software or hardware to be used for Misericordia University production business activities must document the system in advance of its deployment.
Production System Development Conventions—Misericordia production applications that run on a personal computer must adhere to the Information Technology Department’s Network Worthiness requirements, which are available from the Network Manger. These abbreviated requirements have been specifically prepared for personal computers and require much less effort than the requirements for multi-user systems. These requirements include a risk assessment, a quick check to ensure that the involved production system is in compliance with existing technical standards, and the use of standardized file names.
Contingency Plans—Whenever a personal computer is used as a critical part of any production business application, it must have a documented and tested contingency plan. Contingency plans must be prepared in accordance with the guidelines issued by the Information Technology Department.
Consistent Classification Marking—If information is sensitive, from the time when it is created until it is destroyed or declassified, it must be labeled with an appropriate data classification designation. Such markings must appear on hardcopy versions of the information, and the labels for storage media containing this information. Further information about data classification and marking can be found in the Data Classification section in the Misericordia University Internet Security Policy .
Modems—Modems inside or attached to Misericordia University office desktop personal computers are not permitted. Mobile and telecommuting personal computers are an exception to this rule. Communications software must always employ a password with at least 8 characters that has been constructed according to the section with the heading “Choice of Passwords” in this document. When in Misericordia University offices, employees needing to make outbound connections with remote computers must route their connections through the campus firewall.
Internet—As a matter of policy, inbound Internet connections to Misericordia University personal computers is forbidden unless these connections employ an approved virtual private network (VPN) software package approved by the Information Security Manager. These VPN systems must employ both user authentication features with at least fixed passwords and data interception prevention features, such as encryption. VPN access and software is available upon request through the Information Technology Networking Department.
Downloading Sensitive Information—Sensitive Misericordia University information may be downloaded from a multi-user system to a personal computer only if a clear business or educational need exists, adequate controls to protect the information are currently installed on the involved personal computer, and advance permission from the information Owner has been obtained. This policy is not intended to cover electronic mail or memos, but does apply to databases, master files, and other information stored on mainframes, minicomputers, servers, and other multi-user machines. This applies regardless of the media on which information is stored, the locations where the information is stored, the systems technology used to process the information, the people who handle it, or the processes by which information is handled.
Installation Of Communications Lines—Employees and vendors must not make arrangements for, or actually complete the installation of voice or data lines with any carrier. If lines are needed they can be provided by the Information Technology Networking Department.
Establishing Networks—Employees must not establish electronic bulletin boards, local area networks, modem connections to existing internal networks, Internet commerce systems, or other multi-user systems for communicating information without the specific approval of the Information Network Department.
Equipment Theft—All critical office desktop personal computers in open areas, i.e not in a locked area such as an office, except portables must be physically secured to desks. All personal computer equipment must be marked with visible identification information that clearly indicates it is Misericordia University property. Periodic physical inventories must be completed to track the movement of personal computers and related equipment. Portables must be locked in a secure drawer or secure office when not in use.
Donation, Sale, or Reallocation Of Equipment—Before personal computer equipment or storage media that has been used for Misericordia University business is provided to any third party, the equipment or media must be physically inspected by the Information Technology department to determine that all sensitive information has been removed. This policy does not apply when a non-disclosure agreement has been signed by the third party. Simple deletion of files or records is unacceptable tools must be deployed to assure information is permanently deleted.
Lending Personal Computers To Others—Employees must never lend a Misericordia University personal computer containing sensitive information to another person unless that other person has received prior authorization from the owner of the sensitive information to access such information.
Owner of Equipment—The primary user of a personal computer is considered an Owner of the equipment. If the equipment has been damaged, lost, stolen, borrowed, or is otherwise unavailable for normal business activities, an Owner must promptly inform the involved department manager. With the exception of portable machines, personal computer equipment must not be moved or relocated without the knowledge and approval of the involved department manager.
Use Of Personal Equipment—Employees must not bring their own computers, computer peripherals, or computer software into Misericordia University facilities without prior authorization from Information Technology Department.
Positioning Display Screens—The display screens for all personal computers used to handle sensitive or valuable data must be positioned such that the information cannot be readily viewed through a window, by persons walking in a hallway, or by persons waiting in reception and related areas. Care must also be taken to position keyboards so that unauthorized persons cannot readily see employees enter passwords, encryption keys, and other security-related parameters. Sensitive information should not be sent to printers located in public areas.
Locking Sensitive Information—When not being used by authorized employees, or when not clearly visible in an area where authorized persons are working, all hardcopy sensitive information must be locked in file cabinets, desks, safes, or other furniture. When not being used, or when not in a clearly visible and attended area, all computer storage media containing sensitive information must be locked in similar enclosures.
Environmental Considerations—All personal computers in Misericordia University offices must use surge suppressors. Those personal computers running production applications must also have uninterruptible power systems approved by the Information Technology Department.
Static Discharges And Electromagnetic Fields—Because weather and building conditions pose a significant risk of static electricity discharge, personal computers must be outfitted with static protection equipment that has been approved by the Information Technology Department, such as a surge suppressor. Magnetic storage media such as floppy disks and magnetic tapes must be kept at least several inches away from electric fields, such as those generated by magnets and a telephone when it rings.