Information Security Policy

1.1 Concepts

1.2 Classification of information

2. Personnel Security policies

2.1 Ethics

2.2 Password Policy

2.3 General Software Policy

2.4 Networks

2.5 Internet

3. Computer & Network Policy

3.1. System administration policy

3.1.1. Access Control

3.1.2. Logon Policy

3.1.3. Assurance

3.1.4. Accountability and Audit

3.2 Network Policy

3.2.1.1 Network / Distributed Systems Policy

3.2.2. Dial-in access

3.2.3. Dial-out

3.2.4. Information in stu.edu websites

3.2.5. Electronic email and electronic communications

3.2.6. Internet Firewall

4. Enforcement

5. References


General

The Office of Information Technology, OIT, provides a wide variety of IT resources, including
computers, networks, software and computer accounts for use by University students, faculty,
and staff. These resources are administered by OIT and are intended for the legitimate business
of St. Thomas University.
Computer accounts are provided to faculty, staff, and students as a privilege associated with
membership in the University community. When an individual accepts this privilege, a number of
responsibilities must be assumed, including knowledge of appropriate University policies and
procedures.
In recognition of the World Wide Web (WWW) as an important communication medium, OIT
encourages its use as a means of supporting and fulfilling the mission and official work of the
University.
This and all policies and procedures associated with OIT resources are not intended to abridge
academic freedom, constitutional guarantees of free speech, or freedom of expression. The use
of IT resources is available to all members of the University community. While the rights of
academic freedom and intellectual creativity are recognized, the interests of the University,
students, faculty, and staff must be protected. In addition to consideration of legal liability issues,
the institutional image and reputation of St Thomas University as a major research institution are
valuable assets requiring protection.
All uses of University IT resources are subject to applicable rules, policies and procedures of the
University and/or governing boards as well as Florida Statutes governing computer fraud, misuse
of state equipment resources, public information, and related criminal offenses.
To help maintain the proper functioning of computer and networking hardware and software, the
Office of Information Technology will take reasonable steps to ensure its computing resources are
free of deliberately destructive software, such as viruses. Individuals must share responsibility for
protecting University computers and should ensure the integrity of any electronic media they
introduce.
Owners of computer accounts are responsible for all use of the accounts. They should prevent
unauthorized use by others and report intrusions to the system administrators.
The University cannot guarantee that, in all instances, copies of critical data will be retained on
University systems. It is ultimately the responsibility of computer users to obtain secure, backup
copies of essential files for disaster recovery.
Respect for intellectual labor, creativity, and the right to privacy is vital to academic discourse and
enterprise. System integrity is also essential for individual function. Invasion of privacy and
unauthorized access to files can be justified only by real threats to the integrity of the network or
node.

1. Information Security Policy
1.1 Concepts
All major information assets shall have an owner.
The owner shall classify the information into one of the sensitivity levels (listed below),
depending on legal obligations, costs, university policy and business needs. He/she is
responsible for protection of this information.
The owner shall declare who is allowed access to the data.
The owner is responsible for this data and shall secure it or have it secured according to
its sensitivity.
1.2 Classification of information
A classification system is proposed which classifies information into four levels: The
lowest (1), is the least sensitive and the highest (4), is for the most important data /
processes. Each level is a superset of the previous level. For example, if a system is
classified as class 3, then the system must follow the directives of class 1, 2 and 3. If a
system contains data or more than one sensitivity class, it must be classified according
that needed for the most confidential data on the system.
Class 1: Public / non-classified Information:
Description: Data on these systems could be made public without any implications for the
University (i.e. the data is not confidential). Data integrity is not vital. Loss of service due
to malicious attacks is an acceptable danger. Examples: Test services without
confidential data, certain public information services.
Guidelines on storage: none
Guidelines on transmission: none
Guidelines on destruction: none
Class 2: Internal Information:
Description: External access to this data is to be prevented, but should this data become
public, the consequences are not critical (e.g. St Thomas University may be publicly
embarrassed). Internal access is selective. Data integrity is important but not vital.
Examples of this type of data are found in development groups (where no live data is
present), certain production public services, certain Customer Data, "normal" working
documents and project/meeting protocols and internal telephone books.
Guidelines on storage:
Information shall be labeled. i.e. the classification level should be written on documents,
media (tapes, diskettes, disks, CD's etc), electronic messages and files.
IT Systems susceptible to virus attacks should be regularly scanned for viruses. The
integrity of systems should be regularly monitored.
Guidelines on transmission:
For projects involving collaboration with external partners, a project policy document shall
stipulate what information may be shared with the external partners.
This information shall stay within the University, if it must transit public media (e.g. the
Internet), it should be encrypted.
Internal data shall not be transferred outside the University except as in points 1 and 2.
Guidelines on destruction: none
Class 3: Confidential Information

Description: Data in this class is confidential within the University and protected from
external access. Examples: Salaries, Personnel data, Accounting data, very confidential
customer data, sensitive projects and confidential contracts. Data centers normally
maintain this level of security.
Guideline on storage:
Information shall be labeled. i.e. the classification level should be written on documents,
media (tapes, diskettes, disks, CD's etc), electronic messages and files.
IT Systems susceptible to virus attacks should be regularly scanned for viruses. The
integrity of systems should be regularly monitored. IT Systems shall be configured to
protect against unauthorized modification of data and programs.
Information shall be kept under lock and key (e.g. documents in locked cabinets,
computers in locked rooms).
Guidelines on transmission:
Passwords should not be transmitted in clear-text (electronically or on paper).
This information shall stay within the University, if it must transit public media (e.g. the
Internet), it should be encrypted. Encryption algorithms used should be strong.
Guidelines on destruction:
Information shall be securely disposed of when no longer needed (e.g. shredders for
documents, destruction of old disks and diskettes etc.).
Class 4: Secret Information
Description: Unauthorized external or internal access to this data could be critical to the
University. Data integrity is vital. The number of people with access to this data should be
very small. Very strict rules must be adhered to in the usage of this data.
Guideline on storage:
Information shall be labeled. i.e. the classification level should be written on documents,
media (tapes, diskettes, disks, CD's etc), electronic messages and files.
IT Systems susceptible to virus attacks shall be regularly scanned for viruses. The
integrity of systems shall be regularly monitored. IT Systems shall be configured to
protect against unauthorized modification of data / programs and shall be audited yearly.
Information shall be kept under lock and key (e.g. documents in locked cabinets,
computers in locked rooms).
Information shall be stored in encrypted format or on removable disks, which are
physically secured.
Guidelines on transmission:
This information shall be encrypted during transmission outside of secure zones.
Encryption algorithms used shall be strong[4]
Guidelines on destruction: Information shall be securely disposed of when no longer
needed (e.g. shredders for documents, destruction of old disks and diskettes etc.).
Internet pornography: The Internet is now seen as a major carrier of illicit material, from
soft pornography to pedophile information to nazi propaganda. If it is known that such
material is passing over St Thomas Universitys Internet gateways, it should be blocked.
Personnel may not use University computers or infrastructure to access such material.
Users may be disciplined if this directive is contravened.

2. Personnel Security Policies
2.1. Ethics
Users are not allowed to: share accounts or passwords with friends or relatives, run
password checkers on system password files, run network sniffers, break into other
accounts, disrupt service, abuse sys