9.8 Policy on Information Resource Access and Security

I. Purpose

It is the policy of Illinois State University that information used to support the University's operations be accurate and available for use when appropriate; that the information be used in a manner which protects the integrity of the data and the privacy of those associated with it; and that confidential, sensitive, proprietary information be protected from corruption, loss, unauthorized access and disclosure.

Furthermore, it is the University's policy to promote an open computing environment that allows access for all individuals to computing resources. In order to protect its information assets, the University relies heavily on its computerized information systems and recognizes that all computerized resources, including software programs, data, hardware, and networks, must be protected from misuse and operated and maintained in a secure environment.

Access to information resources and the information technology environment is a privilege and must be treated as such by all users of University computing and network resources. Access to University information and the sharing and security of that information requires that each user accept responsibility to protect the rights of the University and the University community. Any user of University computerized resources who, without authorization, distributes, accesses, uses, destroys, alters, dismantles, disfigures or disables University information resources is a threat to the secure environment of the University community. These actions will be regarded as unethical and unacceptable conduct, and will be subject to the appropriate disciplinary actions.

II. Scope

The Information Resource Access and Security Policy applies to all University information resources and the access to those resources.

III. Policy

Definitions

Individual - An employee, emeritus or retired staff, student, agent, consultant, or any other person whose services are procured by a contract, appointment or through a temporary personnel agency.

Information Resources - Computer facilities, electronic media, communications networks, software programs of all types, administrative and academic systems, hardware of all types and data. These information resources include, but are not limited to, on-line and batch administrative and academic systems and applications, application software, operating system software, operating support software, security software, data files and databases, mainframe, mini, micro or personal computers, printers, data storage devices and media, video monitors, communications controllers, monitoring equipment, modems, transmission media of all types, gateways, networks (local area, backbone, wide area, etc.) and networks used to communicate to other state, national, and international computerized resources.

Data - Any and all information, regardless of form, that is contained in or processed by the University's information resources.

Data Custodians and LAN Coordinators - Individuals delegated by University management to provide the means for controlling the information resources within their units. Data Custodians are responsible for authorizing access and LAN Coordinators are responsible for administering access.

Computer virus - A computer program that destroys or alters data.

RACF - Resource Access Control Facility.

ISPF - Interactive System Productivity Facility.

NVAS - NetView Access Services.

TSO - Time Sharing Option.

SYSM - Product to support e-mail.

E-mail - Electronic Mail.

Access and Security

The intent of this policy is to ensure the confidentiality, availability, and integrity of University data; reduce the risk of data loss by accidental or intentional modification, disclosure or destruction; prevent the unauthorized use of information for commercial gain or malicious purposes; and to preserve the University's rights and remedies in the event of such a loss. Each individual in the University community is responsible for understanding this policy and complying with its terms.

Criteria

The University will exercise information resource security precautions based on the following criteria:

  1. Sound business judgment.
  2. The value of the information resources being protected.
  3. The risk associated with the protected data.

Implementation

Specific precautions and resulting standards and procedures shall be consistent with, and conform to, this policy and the University Policy Manual.
The University will implement information resource security precautions in such a way as to:

  1. Hold individuals accountable for their use of University information resources.
  2. Authorize access to information resources on a need-to-know basis; access will be granted only to that set of resources necessary to accomplish authorized endeavors.
  3. Ensure the timely recovery of data and provide appropriate back-up processing capabilities in the event of a loss.

Access

Information Systems reserves the right to deny any request, restrict access or remove a person's account for reasons of data security or failure to comply with the policies and procedures of the University. By issuing an account for an individual, Information Systems is not implying that the person should have access to any application, transaction or data on any given computer system(s). Such access must further be granted by the custodian of the application, transaction or data. (See Section 5.0)

The following individuals will be permitted to have user accounts on the computer systems maintained by Information Systems, provided that they complete the appropriate application:

Faculty, Staff, and Students

Full or part-time faculty, staff and students of the University will be permitted to have accounts on Illinois State computer systems as long as they maintain their status as employees or students.

Faculty, Staff and Students Affiliated with Other Institutions

Any faculty, staff and students affiliated with another academic institution, working in collaboration with a faculty or staff member of Illinois State, may request an account. That request must be in writing on the Project Number Request Form (Appendix J) initiated by the Illinois State faculty or staff member. Each application will be reviewed and approval or disapproval noted on the form.

Emeritus Faculty and Retired Administrative/Professional

Emeritus faculty and retired Administrative/Professional personnel of Illinois State may have an account if the request is submitted to and approved by the Provost's Office.

Civil Service Staff

Retired Civil Service staff of Illinois State may have an account if the request is submitted to and approved by the Office of Human Resources.

Contracted Employees, Vendors and Commercial Accounts

Access will be granted, on a case-by-case basis, by the faculty or staff member associated with Illinois State.

Responsibilities for University Information Resource Security

It is the responsibility of all members of the University community to protect its information assets. Specific responsibilities are listed below.

Individuals

Individuals who use University information resources are responsible for adhering to all policies, standards, and procedures for securing data, including the following:

  1. Maintaining data confidentiality.
  2. Maintaining the confidentiality of data security controls and passwords.
  3. Reporting to management any suspected security violations.
  4. Executing a confidentiality or ownership agreement, if requested by the University.
  5. Accessing and using only that information which is authorized by management.
  6. Using Internet resources in accordance with "Guidelines for Appropriate Use of the Internet."

Data Security Administrator

The Data Security Administrator shall be an ex-officio member of the University Computing Policy Committee. It is the responsibility of the Data Security Administrator to:

  1. Administer University policy with regard to information resource access and security.
  2. Develop standards and procedures to maintain compliance with all University policies related to information resource access and security.
  3. Coordinate access to data resources with Data Custodians.
  4. Review data security reports and security processes.
  5. Work with LAN Coordinators and other staff to ensure computer resource equipment is physically secure.

Questions regarding access and security issues and requests for staff training should be directed to the Data Security Administrator.

University Management

University management personnel responsible for controlling the acquisition, use, change and deletion of data are responsible for establishing and maintaining security for information resources within their areas of responsibility, which includes the following:

  1. Implementing adequate controls to secure data.
  2. Authorizing an individual within their unit to access University information resources through approval from appropriate Data Custodians.
  3. Excluding unauthorized individuals from access to University information resources.
  4. Guarding against the unlawful, unauthorized, or inappropriate acquisition or use of University information resources.
  5. Preventing the unauthorized use of information for commercial gain or malicious purposes.
  6. Providing an appropriate back-up system or alternate means of preserving data and maintaining operations.

Data Custodians

Departmental Data Custodians are delegated by University management the responsibility for controlling the information resources within their areas. Their responsibilities include the following:

  1. Controlling data definitions to ensure data conform to consistent definitions over the life of the data.
  2. Approving requests for access to information submitted by authorized individuals.
  3. Authorizing all computer Project Work Orders. (See Appendix K)

LAN Coordinators

Departmental LAN Coordinators are delegated by University management the responsibility for coordinating the LAN access within their departments. Their responsibilities include the following:

  1. Providing training for departmental LAN users by maintaining manuals and offering training sessions.
  2. Developing policies and procedures for the operation and use of the departmental LAN.
  3. Acting as a liaison between the departmental management, LAN users and Information Systems.
  4. Installing file servers, workstations, and applications software as required by the departmental users.

Information Systems

Information Systems maintains information resources for many automated functions throughout the University and is responsible for the following:

  1. Designing and implementing systems with adequate security and internal controls.
  2. Supporting the University in the design, installation, maintenance, training, and use of information resource access and security controls, both automated and manual.
  3. Maintaining a secure and safe environment for information resources.
  4. Developing and maintaining an information systems contingency plan that provides for data redundancy, alternative processing capability, timely data recoverability, and appropriate insurance against data loss.

Internal Auditing

Internal Auditing is responsible for evaluating controls and procedures; testing compliance with security policies, standards, and procedures; and for reporting to University management the adequacy of information resource access and security controls.

University Police

University Police is responsible for investigating instances of computer abuse.

Code of Responsibility for Security and Confidentiality of Data

In accordance with the Family Educational Rights and Privacy Act of 1974, Illinois State has established the following policy to ensure the security and confidentiality of information.

Personal Computers

All users of personal computers are responsible for adhering to all policies, standards, and procedures for the use of information resources, including implementing security practices necessary to protect the data stored on the personal computer.

Violations

Violations of this Information Resource Access and Security Policy may include, but are not limited to, the following:

  1. Any act that compromises information resource security.
  2. Intentional unauthorized access, use, destruction, alteration, dismantling, disfiguring, or disabling of any University information resource, including but not limited to intentional introduction of a virus.
  3. The disclosure of secret or confidential information. This includes the sharing of passwords and leaving a terminal unattended while logged on such that unauthorized transactions could be submitted.
  4. The use of data or other information resources for illicit purposes.
  5. Unauthorized copying, storage or use of any software on any University computer in violation of the software licensing agreement.
  6. Unauthorized personal use of any software which has been purchased by, or developed for, the University and considered intellectual property of the University. This policy applies regardless of the form or format of the software (or copies), and includes source code.
  7. Unauthorized use of University information for financial gain or malicious purposes.

Suspected violations of the Information Resource Access and Security Policy should be directed to the Data Security Administrator, Julian Hall 101, phone 438-3611.

Penalties for Policy Non-Compliance

Noncompliance or violation of the Information Resource Access and Security Policy will result in revocation of the privilege to access information resources and may also include the following: suspension, termination, civil and/or criminal prosecution, and other disciplinary action, pursuant to all rules and regulations of Illinois State University and State and Federal Laws.

Appeal Process for Non-compliance

Individual appeals of any of the above University related actions should be made to the University Computing Policy Committee. If the matter cannot be satisfactorily resolved, it will then go through "due-process" systems in place for academic personnel, civil service and students.

Additional Information

Inquiries related to the Information Resource Access and Security Policy or its application shall be referred to the Data Security Administrator or to the University Computing Policy Committee.

Form Descriptions

Access to information resources requires that specific forms be submitted. Listed below are the forms required to gain access to the different platforms available. Each person should consult with their Data Custodian to determine which forms are required for that unit.

Appendix A: Access to CICS. Must be completed prior to using Appendix B. Technical Contact: Information Systems Access Administrator.

Appendix B: Request for CICS transactions. May be submitted multiple times for additional CICS transactions. Technical Contact: Information Systems Access Administrator.

Appendix C: Access to NetView Access Services, which enables departments to tailor a menu of accessible platforms through one sign-on. This is one step towards good security in the department. Technical Contact: Information Systems Access Administrator.

Appendix D: Access to ISPF CICS. Technical Contact: Information Systems Access Administrator.

Appendix E: Access to TSO, must be submitted before Appendix F. Technical Contact: Information Systems Access Administrator.

Appendix F: Access to datasets or prefixes for generic access in TSO. May be submitted numerous times. Similar to Appendix B. Technical Contact: Information Systems Access Administrator.

Appendix G: Application to RS/6000. Technical Contact: UNIX Support Manager.

Appendix H: Faculty and student application for E-mail. Technical Contact: Academic E-mail Administrator.

Appendix I: Administrative application for E-mail. Technical Contact: Information Systems Accounting/Billing Services.

Appendix J: Project number request. Technical Contact: Information Systems Accounting/Billing Services.

Appendices K and L: Requests for work on current or new administrative systems. Technical Contact: Director of Administrative Computing.

Forms may be picked up and dropped off at Administrative Information Systems, Julian 101.

IV. Compliance

Any employee, emeritus or retired staff, student, agent, consultant, or any other person whose services are procured by a contract, appointment or through a temporary personnel agency shall comply with the provisions of the Policy on Information Resource Access and Security.

V. Approval & Review

The President of Illinois State University has approved the Policy on Information Resource Access and Security. This policy will be periodically reviewed by the Information Technology Policy and Planning Council and changes or additions to this policy will be recommended by this Council to the President of the University. Information technology resources and systems are changing rapidly both in terms of technology and application, and the University reserves the right to amend this policy at any time. The version posted on the web at www.policy.ilstu.edu/ is the governing policy.

Last Review: April 2000

