Computer Security and Usage Guidelines

(Doc. T97-010)

University computers and computer related resources are valuable assets that are relied upon heavily for academic, information and decision-making needs. University students and staff rely on the security of the computer systems to protect instructional, research, personal, operational and other sensitive data maintained in those computer systems. It is essential that these systems be protected from misuse and that both the computer systems and the data stored in them be accessed and maintained in a secure environment.

I. Purpose

These Guidelines are issued pursuant to the Board of Trustees' Policy Statement on Electronic Data Security, Electronic Mail and Computer Policy Development (Doc. T97-010, adopted February 5, 1997) and:

  • Ensure the ethical, legal and responsible use of University of Massachusetts (the University) computing resources;
  • Outline responsibilities related to the accessing and usage of computers at the University;
  • Institute guidelines for the physical safeguarding of computers and their components; and
  • Provide methods for monitoring and enforcing these Guidelines.

II. Scope

Campus procedures regarding computer security and usage shall:

  • Comply with and be based on the laws of the Commonwealth of Massachusetts and the United States and other regulatory agencies. This includes all applicable federal and state laws which govern the use and security of computer systems and data, including the Federal Copyright Law (Title 17 of the U.S. Code); Counterfeit Access Device and Computer Fraud and Abuse Act of 1984 (Title 18 of the U.S. Code); Electronics Communications Privacy Act of 1986 (Public Law 99-474); and the Computer Security Act of 1987 (Public Law 100-235). Additionally, University Guidelines (Data Security & Classification Guidelines, Electronic Mail Guidelines, etc.) and/or campus procedures may impose certain restrictions which are not specifically covered by state and federal law, or other regulations;
  • Apply to all computer systems owned, leased or maintained by the University. This includes: mainframe, mini and microcomputers; servers; networks; and various peripheral equipment including but not limited to printers and modems;
  • Apply to all authorized users of the University's computer systems.

III. Responsibilities

The President, together with the Chancellors, will ensure that the following are in place for the computer systems at the University:

  • Appropriate and auditable internal controls; and
  • Appropriate and tested business continuity plans.

Campus procedures regarding computer usage will establish mechanisms to determine which University department(s) shall be responsible for specific computer systems.

The individual assigned responsibility for specific computer system(s) will assign technical and security responsibilities to a system and/or security administrator. This may be the same person and may be part of the University's or Campuses' computing departments and not part of the specific department responsible for the computer system.

Campus procedures regarding computer security and usage shall require that system and security administrators are responsible for:

  • Developing, implementing and monitoring a computer security plan (e.g. risk analysis, access and environmental controls, physical and operational security, etc.) within the extent of these Guidelines for the system(s) under their control;
  • Developing, implementing and testing a backup plan in order to allow for the recovery of University computer systems in the event of a disaster;
  • Ensuring that audit trails exist for access and modification to critical operating system components;
  • Taking reasonable precautions to guard against the corruption of software, or damage to hardware or computing facilities;
  • Periodically evaluating the level of risk within the computer system (e.g., network, server, mainframe, etc.) and taking action, as needed;
  • Ensuring that all hardware and software license agreements are properly executed on all systems, networks, and servers for which they are responsible;
  • Ensuring that authorized user passwords are changed periodically;
  • Implementing computerized password creation checking on administrative and research computer systems, when technically possible;
  • Implementing "idle time" or "time-out" capabilities on administrative and research computer systems, when technically possible;
  • Deleting all computer access for individuals with logon/operator IDs on University systems when: an authorized user has terminated employment, graduated or withdrawn from the University, or when a "courtesy account" is inactive or no longer needed;
  • Developing, distributing and enforcing procedures, consistent with procedures provided by the appropriate campus Chancellor, for the reporting and follow-up of security violations;
  • Developing, presenting and maintaining security awareness programs and training for authorized users. This includes developing methods to ensure that information regarding computer security, and applicable laws, regulations, policies, and procedures are distributed and available to authorized users.

Campus procedures regarding computer security and usage shall require that authorized users:

  • Follow password security standards including, but not limited to:
    1. Periodically changing their computer system passwords;
    2. Selecting a password that is difficult to guess. Logon/Operator IDs, names, birth date, social security number, repeating characters (e.g., 111111 or ababab), common character sequences (e.g. "123456" or "abcdef"), or common words that can be found in a dictionary are prohibited;
    3. Sharing or giving anyone else permission to use their logon/operator IDs or passwords is prohibited;
    4. Storing access passwords in batch files, in automatic login scripts, in terminal function keys, in computers without access control or in other locations where another person might discover them is prohibited;
    5. Sending access passwords through electronic mail is prohibited.
  • Exercise responsible, ethical behavior when using University computing resources;
  • Safeguard computer resources from theft; destruction; unauthorized alteration or exposure; or any form of compromise resulting from intentional or unintentional sources;
  • Notify the appropriate security/systems administrator of any apparent or actual security violation.

Campus procedures regarding computer security and usage shall require that authorized users will NOT:

  • Intentionally damage or misuse any University computer system including terminals, microcomputers, printers or other associated equipment;
  • Intentionally write, produce, generate, copy, propagate or attempt to introduce any computer code designed to self-replicate, damage, or otherwise hinder the performance of any computer's memory, file system, or software unless such action is part of authorized research or testing. Such software is often referred to as a virus, worm, Trojan Horse, or some similar name;
  • Use University computer systems and their applications in illegal activities;
  • Attempt to intercept any network communication for purposes including, but not limited to: reading message/file content; searching for passwords; rerouting packets; or packet "sniffing";
  • Access or copy files, regardless of media (e.g., paper, diskette, etc.), of another user without prior consent from the file owner. Accessing the "private" files of others without permission, even if those files are unprotected, is prohibited. Altering another user's files or systems files without permission is vandalism and destruction of University property;
  • Attempt to develop or use any mechanism to alter or avoid charges levied by the University for computing resources;
  • Use personally owned software in University microcomputers unless the software is properly licensed for such use;
  • Copy or remove software from University microcomputers in violation of the software license. This includes copying software from or to University microcomputers;
  • Illegally distribute copyrighted software within or outside the University through any mechanism, electronic or otherwise;
  • Unnecessarily or inappropriately use limited computer resources;
  • Use public, lab or departmental equipment for personal entertainment when other authorized users need access to perform University related tasks;
  • Print excessive copies of documents, files, data or programs.

Campus procedures regarding computer security and usage shall require that all University students and employees:

  • Are appropriately oriented and sign a computing awareness and data security compliance statement which includes the language in Attachment 1 of these Guidelines; and
  • Reaffirm annually that they know and understand University policies/guidelines and campus procedures regarding data and computer use.

IV. Computer Systems And Software

Campus procedures regarding computer security and usage shall require that:

  • Only systems/security administrators or their designees can modify the configuration of the University or Campus computing infrastructure by adding or removing network links, computers, or peripherals;
  • Appropriate physical security standards are in place;
  • Administrative and research computer systems contain audit trails to monitor access and modification to critical operating system components;
  • Computer system and application software will be appropriately backed up to allow for recovery if there is a disaster. Multiple generations of operating system, application and data backups should be maintained in both on-site and off-site storage facilities;
  • Passwords are required on all computer systems in which confidential or critical data is stored or maintained. Exceptions to the password requirement are access to gopher or world-wide web products;
  • PIN numbers used to access Private, Restricted or Confidential data, and computer system passwords on administrative or research computers should be a minimum of 6 characters;
  • Computerized password creation checking is implemented for administrative and research computer systems, when technically possible;
  • Computer system "idle time" or "time-out" capabilities are implemented for administrative and research computer systems, when technically possible;
  • Computer systems and networks have software installed that will scan for computer viruses;
  • Copyrighted software is not copied unless explicitly allowed in the software license agreement, except for one backup copy to be made and maintained by the original licensee. The University and its departments license many copies of microcomputer software. The University does not own this software. Employees and students are required to comply with software licenses and the U.S. Copyright Act;
  • Shareware and public domain software are properly used. The University encourages the use of shareware and public domain software; however, the use of such software should be predicated on the fact that it has been scanned for computer viruses;
  • System/security administrators evaluate the vulnerability to their computer systems by incoming or outgoing Internet connections or protocols, and take action as needed.
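The "computerized password creation checking" called for in sections III and IV is easy to describe but worth seeing as working code. The checker below is an added example, not part of the University's guidelines or of any campus system; it encodes the concrete rules the guidelines state (minimum of 6 characters; no logon/operator IDs, names, birth dates or social security numbers; no repeating characters such as 111111 or ababab; no sequences such as 123456 or abcdef; no dictionary words). The word list and the sample user data are constructed for the example, and the function signature (logon ID plus optional personal data) is an assumption about what an enrolment system would have available.

```python
"""Password creation checker modelled on the guideline rules.

Added illustration, not part of the University's guidelines or any campus
implementation. SAMPLE_DICTIONARY and the values in the usage section are
constructed for the example; a real deployment would load a full word list
such as /usr/share/dict/words.
"""
import re
from datetime import date

MIN_LENGTH = 6  # section IV: minimum of 6 characters

# Constructed stand-in for a real dictionary file.
SAMPLE_DICTIONARY = {"password", "welcome", "boston", "amherst", "secret", "letmein"}


def _is_repetition(pw):
    """True if the password is a short unit repeated to fill it, e.g. 111111 or ababab."""
    for unit in range(1, len(pw) // 2 + 1):
        if len(pw) % unit == 0 and pw[:unit] * (len(pw) // unit) == pw:
            return True
    return False


def _is_sequence(pw):
    """True if every adjacent pair steps by exactly +1 or -1, e.g. 123456, abcdef or fedcba."""
    if len(pw) < 2:
        return False
    steps = {ord(b) - ord(a) for a, b in zip(pw, pw[1:])}
    return steps == {1} or steps == {-1}


def _date_forms(iso_date):
    """Digit strings a person is likely to type for a birth date given as YYYY-MM-DD."""
    d = date.fromisoformat(iso_date)
    return {d.strftime(f) for f in ("%m%d%Y", "%d%m%Y", "%Y%m%d", "%m%d%y", "%d%m%y", "%y%m%d")}


def check_password(pw, logon_id, names=(), birth_date=None, ssn=None, dictionary=SAMPLE_DICTIONARY):
    """Return a list of violated rules; an empty list means the password is acceptable.

    birth_date is an ISO string (YYYY-MM-DD) or None; ssn may contain dashes.
    """
    problems = []
    lowered = pw.lower()

    if len(pw) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)

    # Logon/operator IDs and names are prohibited, also when embedded in a longer password.
    personal = {logon_id.lower()} | {n.lower() for n in names if n}
    if any(p and p in lowered for p in personal):
        problems.append("contains logon ID or name")

    # Compare only the digits so that "03/15/1970" and "123-45-6789" are caught too.
    digits = re.sub(r"\D", "", pw)
    if birth_date and digits and digits in _date_forms(birth_date):
        problems.append("is a birth date")
    if ssn and digits and digits == re.sub(r"\D", "", ssn):
        problems.append("is a social security number")

    if _is_repetition(pw):
        problems.append("repeating characters")
    if _is_sequence(pw):
        problems.append("common character sequence")
    if lowered in dictionary:
        problems.append("dictionary word")
    return problems


if __name__ == "__main__":
    # Constructed sample user; no real person's data.
    user = dict(logon_id="jsmith", names=("John", "Smith"), birth_date="1970-03-15", ssn="123-45-6789")
    for candidate in ("111111", "abcdef", "jsmith1", "Password", "03151970", "Tr0ub4dor&3"):
        print("%-12s -> %s" % (candidate, check_password(candidate, **user) or "accepted"))
```

The sequence and repetition tests are deliberately strict (every step must be exactly +1 or -1, the unit must divide the length evenly) so that they flag the guideline's examples without rejecting ordinary passwords; a deployment that wants to catch near-misses such as "abcdef1" would extend them to look at substrings rather than the whole password.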

V. Access

Access may be given to: stand-alone micro, mini or mainframe computers; or to networked computer systems. Student access is primarily for work associated with their course of study, activities related to courses, or administrative tasks related to their association with the University (e.g., accessing their own academic/administrative data such as courses, grades). Staff are given access to perform their job functions. Students and staff may, however, use their access to University computers to use world-wide networks such as the Internet.

Campus procedures regarding computer security and usage shall require that:

  • Authorized users understand that by using any University computing system, the user agrees to comply with this and all University computing related policies/guidelines such as the Data Security and Classification Guidelines and the Electronic Mail Guidelines. Also, as a condition of obtaining access to any University computer system, all authorized users are required to sign a computing awareness and data security compliance statement (Attachment 1) that they have received a copy of and read these Guidelines, understood them, and will comply with them;
  • Only authorized users have access to University computer systems;
  • Individuals requesting access to University computer systems will not provide false or misleading information to obtain access to University computing facilities;
  • Authorized users are assigned unique logon IDs or operator IDs, and passwords to access University computers and their application systems. Users accessing non-University systems (e.g., GOPHER, World Wide Web) may be given network logon IDs;
  • Individuals will not attempt to compromise authorized user passwords. This includes, but is not limited to cracking, decoding, copying password files, "sniffing" packets for passwords or otherwise attempting to discover passwords belonging to other individuals;
  • Logon/Operator IDs are only used by the person to whom they were assigned;
  • Logon/operator IDs and passwords are not shared;
  • Authorized user passwords are changed periodically;
  • Passwords are kept confidential and secure. Passwords should not be stored in batch files, in automatic login scripts, in terminal function keys, in computers without access control or in other locations where another person might discover them;
  • Authorized user passwords are not to be sent through electronic mail;
  • All computer access granted to an authorized user will be removed when they transfer or terminate employment, graduate or withdraw from the University, or when a "courtesy account" is inactive or no longer needed. Files of transferred or terminated employees will be reviewed and disposed of by the appropriate manager in a timely and effective manner.

VI. Computer and Software Usage

Campus procedures regarding computer security and usage shall require that:

  • University's computer systems are used for purposes related to its missions of education, research and public service including instruction, research, administrative tasks and collaborative activities with other entities, including but not limited to colleges/universities and private businesses;
  • Authorized users use computing resources for the purposes related to their studies, their instruction, the performance of duties by an employee, or other University sanctioned activities. Use of the computing resources for commercial purposes not related to the University missions is prohibited;
  • Abuse of the networks or of computers at other sites connected to the University's computers or networks by authorized users is treated as abuse of computing resources at the University;
  • Any network traffic exiting the University system is subject to the acceptable use policy/guidelines of the network through which it flows, as well as the guidelines noted herein. Note that the laws of other states may apply depending on the actual location of the computer to which the authorized user is networked (e.g., If you have connected to a computer in California, California computing laws must be adhered to. You can be prosecuted in any state through which your access flows or in which it terminates.);
  • Possible loopholes in computer security systems are not to be used to damage computer systems, obtain extra resources, take resources from another user, or gain access to any University computer system or any computer system networked to the University;
  • Programs and files are confidential unless they have explicitly been made available to other authorized users. The University does not routinely examine files of authorized user accounts; however, to protect the integrity of the computer systems and to protect legitimate users from the effects of unauthorized or improper use of the University's computing facilities, system/security administrators may inspect, copy, remove or otherwise alter any data, file or resource that may undermine the proper use of the computer system. Such action will be based on reasonable suspicion, authorized by the security administrator's supervisor and may be taken with or without notice to the user. Additionally, computer center personnel may access others' files when necessary for the maintenance of the computer system. When performing maintenance, every effort is made to ensure the privacy and confidentiality of authorized user files;
  • In an academic or instructional setting activities such as academic game development, computer security research, and the investigation of self-replicating code can be performed as long as authorized users involved in these activities contact the appropriate systems/security administrator so that the effects on the system can be determined and evaluated;
  • The same standards of intellectual honesty and plagiarism apply to software as to other forms of published work. For example, individuals should not copy another's computer file and submit it as theirs nor should they work with someone else on an assignment, sharing the computer files and then submit that file, or a modification thereof, as their own individual work;
  • Authorized users logoff University computer systems if they will not be accessing data for an extended time;
  • Authorized Users understand and comply with their responsibilities as noted in the Responsibilities section of this document;
  • Authorized users are aware that the University disclaims any loss or damage to software or data that results from its efforts to enforce these Guidelines.

VII. Compliance And Enforcement

Campus procedures regarding computer security and usage should require that any individual found misusing University computing resources, accessing University computing resources without approval, or otherwise violating these Guidelines may be denied or given limited (i.e., to allow for the performance of required academic or employment related tasks) access to University computer systems and shall be subject to reprimand, suspension, dismissal, or other disciplinary action.