For Comment

Please comment by June 30 to: Dave Millar, University Information Security Officer, Note that material sent to this address is readable by Data Administration staff.

Administrative Computing Security Policy

Purpose: The purpose of this policy is to ensure that faculty and staff experience uninterrupted access to administrative data and systems; trust the integrity of administrative data and systems; and trust that sensitive information is treated with care.

Scope: This policy pertains to all University administrative systems. Administrative systems are defined as any University computer systems used in planning, managing, or operating a major administrative function of the University, excluding those systems directly supporting instruction or research. This policy also pertains to any associated administrative data that resides on end-users' local desktop computers, and/or departmental servers.

Policy: Penn administrative systems are for use by authorized Penn faculty and staff, and by selected staff members at the Hospital and the Clinical Practices of the University of Pennsylvania. Limited access is also granted, in some cases, to students to view and maintain limited personal information. When students are to be given access to administrative systems for purposes other than viewing/updating limited personal information, and when part-time, temporary or contract workers, and University of Pennsylvania vendors are to be given access to administrative systems, written authorization is required (renewed annually) from Penn faculty or staff. All use of administrative systems and data must be consistent with the requirements specified by the individual ultimately responsible for the data, the Data Steward.

Readers are referred to the following related documents: Penn's (draft) Electronic Privacy policy addresses issues of the privacy of institutional and personal electronic data. The (Draft) Computer and Network Acceptable Use Policy addresses the appropriate use of computing resources at Penn. Data Stewardship policy defines the responsibilities for ensuring the security and integrity of data.

User Responsibilities: Accounts are for the owner's use only, and must not be shared, since shared use often leads to abuse. User accounts must be protected with passwords. Passwords must be at least seven characters long, must not be simple, dictionary words, and must contain a mix of alphabetic, numeric and special characters (e.g. "*&^%$%$#"). Passwords must not be written down or scripted, and must be changed every sixty days.

Users must be sure that critical data on their personal computers are backed up and stored remotely. No one else is familiar enough with what's really important and needs to be backed up.

Computer viruses can waste time and can destroy data. The user must be sure that the most current anti-virus software is running on his or her computer.

The user must see to it that any restricted information (as defined in Data Stewardship policy) stored on his/her personal computer is safeguarded, through either physical security (locked offices, or keyboards), access control software, or encryption.

When a computer is left signed onto an account, it is easy for someone to gain unauthorized access. Users must either sign off of their account before they leave their computer, or restrict access by some other means (locked office/keyboard, desktop access control, or a password-protected screen saver).

Users must abide by the terms of all software licenses.

Data Steward Responsibilities: Data Stewards are responsible for defining the security and integrity requirements of their respective categories of data. All uses of data must be approved by the respective Data Steward.

Application Steward Responsibilities: Application Stewards are responsible for ensuring that computing applications conform to the Data Steward's requirements for all categories of data used by the application.

System Administrator Responsibilities: Systems administrators are responsible for enforcing restrictions specified by Data Stewards and Application Stewards.

Since passwords can sometimes be compromised without the user knowing about it, the system must require users to change their password minimally every sixty (60) days. This also minimizes the harm from shared passwords.

Since short passwords or dictionary words are easy to guess using automated password crackers, passwords must be at least seven characters long, must not be simple, dictionary words, and must contain a mix of alphabetic, numeric and special characters (e.g. "*&^%$%$#").

Dormant (unused) accounts make attractive targets to intruders, since no one will likely notice the activity. Accounts must be regularly reviewed for inactivity, and any dormant accounts suspended. Temporary accounts for students, contractors/temps/part-timers and vendors must be created with an expiration date at most one year in the future, and may only be created and renewed with written authorization from a Penn faculty or staff member.

Special care should be taken with privileged accounts, commensurate with the privileges afforded the account. Systems administrators should never allow a re-usable password for the most privileged accounts to travel over the network unencrypted. Passwords for privileged accounts should be shared only with people with a need to know the password.

Vendor- or author-provided security patches must be evaluated for compatibility, and installed as soon as practical.

Wherever feasible, a login banner, stating that the system is for authorized use only, must be displayed for anyone attempting to connect to the system.

Logs of user activity must be retained for a period of at least six months.

Systems administrators are responsible for taking proactive steps to assure the security of the server. Examples include regularly checking for weak user passwords and checking the system for common security vulnerabilities.

Systems administrators must implement backup procedures consistent with the requirements of the Data Steward. (See Data Stewardship policy.)

Systems administrators are responsible for compliance with campus operating-system-specific security standards.

Management Responsibilities: Within reason, management (School/Unit/Department management) must make available the resources that users and systems administrators need to carry out the responsibilities above.

Management must retain copies of the original software licenses for commercial software used in their department. For site-licensed software, management must retain a copy of the site license. Management must ensure compliance with the terms of all commercial software licenses. Management must also ensure respect for copyright law and be prepared to demonstrate compliance.

Management must ensure the physical security of servers. It is strongly recommended that departmental and central servers be kept in a locked area. Servers must be protected from power surges, water damage, overheating, fire, and other physical threats.

Management must approve all external modem connections to computers in their department.

Management of departments/units providing University administrative information systems must ensure that all users have viewed a confidentiality statement at the time the account is issued, and annually thereafter (sample statement attached).

Management/supervisors must ensure that access to administrative systems is revoked or modified as appropriate upon employee resignation, termination, job changes, or when grants or contracts expire.

Exceptions: Exceptions to this policy must be approved in writing by the Vice Provost for Information Systems and Computing (VPISC).

Enforcement: Facilities, departments/units, or individuals in violation of this policy may be denied access at the discretion of the VPISC.

Sanctions for violation of this policy may include termination/expulsion and legal recourse, and will be applied consistent with the respective policies for faculty, students and staff (e.g. Terms and Conditions for Faculty Appointments, Charter of the University Judicial System, Termination Policy).

Management or supervisors may be required to resolve violations by members of their staff.

Sample Confidentiality Notice

As an individual whose position requires interaction with any or all of the University's administrative information systems, you may be provided with direct access to confidential and valuable data and/or use of data/voice systems. In the interest of maintaining the integrity of these systems and of ensuring the security and proper use of University resources, you must:

Understand that any abuse of access to the University's systems and their data, any illegal use or copying of software, or any misuse of the University's equipment may result in disciplinary action, loss of access to the University's systems, and possible sanctions up to and including dismissal from the University.


Almanac, Volume 42 Number 34
June 18, 1996