Utah Valley University
Policies and Procedures
| Title | Responsibility for Security of Computing Devices Connected to the UVU Network | Number | 447 |
| Section | Facilities, Operations, and Information Technology | Approval Date | Oct 14, 2004 |
| Subsection | Information Technology | Effective Date | Oct 14, 2004 |
The purpose of this policy is to clearly define requirements for owners and overseers of UVU network-connected devices to close security gaps. It also describes loss of network access for noncompliance, as well as an exception process.
- Policy Statement
Those responsible for devices connected to the UVU network must ensure that key security vulnerabilities are eliminated from these devices.
Although the rapid growth of legitimate new uses of the Internet is welcome, this growth has at the same time increased the opportunities and temptations for misuse of the Internet resource. Security breaches at highly visible computing sites have become commonplace today, and universities are favorite targets for attacks. Critical institution computing resources, such as research, patient care, and student data, are at risk, and institution computing devices are being commandeered by cyber-criminals to launch attacks on corporations and other entities outside the institution. While it is not possible to anticipate and intercept all attacks (cyber-criminals are continuously devising new ways to wreak havoc), there are specific steps that can be taken to significantly reduce vulnerability. These steps are effective, however, only if they are taken for all devices on the UVU network. The saying that "we are only as strong as our weakest link" most definitely applies in this case.
Key security gaps that need to be closed may vary depending upon the type of device. Some examples follow. It is important to note that these are examples only and do not represent a complete list of known security vulnerabilities.
- All device owners should ensure passwords used on their devices are not easily guessable by attackers.
- Owners of personal computers should install and run anti-virus software on these devices and apply updates from the software vendor as they become available.
- Owners of personal computers and servers should apply security-related updates to the operating system running on their devices as these updates become available from operating system vendors.
- Owners of servers and personal computers should switch off unneeded services and/or use a firewall to eliminate the risk of these being exploited.
Vulnerabilities that are considered "key" will change over time as new threats and risks surface. Information Technology Services (ITS) maintains and communicates a current list of key vulnerabilities and steps required to close the vulnerabilities. Device owners are responsible for staying apprised of changes to this list and acting promptly to address any new security gaps defined. ITS wishes to work in partnership with owners and overseers in fulfilling the responsibilities outlined in this policy.
This policy applies to anyone in the institution community owning or overseeing the use of any type of computing device connected to the UVU network, including but not limited to:
- ITS, if the devices are under ongoing support contracts;
- Faculty, staff, students, and other individuals who have devices connected to UVU's network, even if those devices were acquired personally, i.e., not with institution or grant funds;
- UVU department heads, even in cases where vendor-owned and/or managed equipment is housed in departments;
- Project Principal Investigators, if their projects use devices connected to UVU's network.
If no one claims responsibility for a device, the UVU department head for the department in which the device resides will be presumed to be responsible by default. This policy is especially focused on individuals responsible (as defined above) for devices that serve more than one user. It should be noted, however, that the required actions outlined in this policy are appropriate and must be undertaken by those responsible for single-user devices as well. When devices are used for institution business, compliance will be verified by the institution's Audit Department during routine audits.
In cases where institution network resources and privileges are threatened by improperly maintained computing devices, ITS may act on behalf of the institution to eliminate the threat by working with the relevant device owner to quickly close security holes. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action and leaving no time for collaboration, the device may be disconnected from the network by ITS.
Requests for exceptions to this policy should be made in writing (hard copy or email) to the Chief Information Officer. An exception may be granted if it is clear that the benefits to the institution of the vulnerable device far outweigh the risks, as judged by the VP of Information Technology.
- REVIEW FREQUENCY
Reviewed yearly by the Chief Information Officer.