P6hx23-6.9017 PROCEDURE: INFORMATION TECHNOLOGY COMPUTER SECURITY

PROCEDURE

P6Hx23-6.9017 PROCEDURE: INFORMATION TECHNOLOGY COMPUTER SECURITY

I. Purpose & Intent

This policy is intended to establish minimum IT security standards for workstations, portable computers and personal data assistants (PDA's) that reside inside of St. Petersburg College’s Internet firewall.

II.Compliance Requirements

All users shall be required to attend security training in order to understand the protections that each computer system automatically applies, the basic protective measures that are maintained by campus support technicians (TRSs) or information systems, and their role in ensuring compliance.

A. Identification Information

The management or designee of each College campus, site or department must work with Information Systems or Property Records, as the case may be, to maintain up to date records identifying the user or user group utilizing a given College owned computer system.

B. Computer Security

1.  All computers shall be configured to have a password-enabled screen saver. This security lockout feature shall automatically initiate after the computer remains idle from user interaction after a predefined time period. A user must then reenter their password to gain access to the computer. Exceptions may be granted for special purpose systems (Kiosk, etc.) whose operation may be adversely impacted while running a screen saver. Where possible, technical resource staff shall initially configure these settings. The user is responsible for ensuring that the feature remains enabled.

2.  All workstations, portable computers, and PDA's must be updated with the latest security patches, virus scanning software and virus data files (where applicable). Patches for high-risk vulnerabilities shall be installed within 24 hours of notification. Where possible, technical resource staff shall configure automatic security updates. The user is responsible for ensuring that the patching remains current.

3.  All software installed on College computers must be College owned or licensed through the College. Exceptions to the above restriction must be documented and approved by the department supervisor to whom the employee reports after consultation with the Administrative Information Systems (AIS) software license administrator. Technical resource staff performing initial software installation shall verify proper licensing. The user is responsible for ensuring that any software installed by the user is in accordance with this Rule.

4.  Installation, introduction or connection of administration domains (forests, NT4 domains, or workgroups) to College networks is prohibited, unless prior approval is obtained from the College’s director of Network Systems. In the absence of the director of Network Systems, the associate vice president of Information Systems may authorize such access.

5.  All PDA's used to connect directly to College computers must be College owned. Exceptions to this must be documented and approved by the department supervisor to whom the employee reports after consultation with the College’s director of Network Systems.

6.  Computers shall not have software or services installed that could interfere with traditional network services or routing services (e.g.: Dynamic Routing Protocols, DHCP, BootP, PxE, RARP…).

7.  The use of remote access technology or remote file sharing mechanisms which grant access to College computers from outside the College firewalls (e.g.: PC-Anywhere, GotoMyPC, VNC, NetMeeting, Remote Desktop, SSH, Telnet server, FTP server, IRC...) is strictly prohibited without the written permission of the College’s director of Network Systems.

8.  Workstations, portable computers, and PDA's should be reasonably secured.

C.  Computer Data Security

1.  Personal and sensitive information, including, but not limited to, names, addresses, and SSNs should only be downloaded to perform duties outlined in the employee’s position description.

2.  Effective in 2008-09, new laptop computers assigned to employees whose job duties require storage of personal and sensitive information shall use encryption technology to protect such sensitive information in the event of loss or theft of the laptop. Exceptions to this must be documented and approved by the department supervisor to whom the employee reports after consultation with the College’s associate vice president of Information Systems.

3.  All storage media must be completely overwritten with random information prior to disposal or transfer to another entity (including hard disks, tape media, floppy disks, and any other writable media). If media cannot be overwritten, media shall be destroyed.

4.  Server based systems are to be used whenever possible for storage, transmission or processing of sensitive data.

5.  Portable storage devices such as hard drives, DVDs, CDs and USB flash drives may not be used to store student or employee personal or sensitive information from any College-owned database. Exceptions to this must be documented and approved by the department supervisor to whom the employee reports after consultation with the College’s associate vice president of Information Systems.

6.  Portable devices used to store College data must make use of encryption technology to fully secure the data.

III. Enforcement and Consequences

Violation of this policy may result in the revocation of access to St. Petersburg College information technology resources.

History: Adopted – 4/17/12. Effective – 4/17/12.

P6.9017-XXX