Santa Clara University

Information Security Office

End User Information Security Standard

Revised
May 28, 2013

Purpose

All members of the university community share in the responsibility for protecting information resources for which they have access.  The purpose of this document is to establish minimum standards and guidelines to protect against accidental or intentional damage or loss of data, interruption of university business, or the compromise of sensitive information.

Additional Authority

Family Educational Rights and Privacy Act (FERPA)
Gramm Leach Bliley Act (GLBA)
Health Insurance Portability and Accountability Act (HIPAA)
Payment Card Industry Data Security Standard (PCI-DSS), Version 2.0
California SB 1386
Fair and Accurate Credit Transactions Act of 2003

Scope 

Applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to sensitive information through Santa Clara University or its affiliates.

This standard applies to all university information resources, including those used by the university under license or contract.

Responsible Party

Chief Information Security Officer, 408-554-5554

Standards

All members of the university community are users of Santa Clara’s information resources, even if they have no responsibility for managing the resources. Users include students, faculty, staff, contractors, consultants and temporary employees. Users are responsible for protecting the information resources to which they have access. Their responsibilities cover both computerized and non-computerized information and information technology devices (paper, reports, books, film, microfiche, microfilms, recordings, computers, removable storage media, printers, phones, fax machines, etc.) that they use or possess. Users must follow the information security practices set by the ISO, as well as any additional departmental or other applicable information security practices.

Users are expected to be familiar with and adhere to all university policies and exercise good judgment in the protection of information resources. They should be familiar with this document and other information-related policies, approved practices, standards, and guidelines, including but not limited to the university’s standards regarding acceptable use, access and privacy.

Responsibilities

Physical security:
Users must provide physical security for their information technology devices. Doors must be locked to protect equipment when areas housing them are unattended. Special care should be exercised with portable devices which are vulnerable to loss or theft.
Information storage:
Sensitive information must be kept in a place that provides a high level of protection against unauthorized access and should not be removed from the university. Encryption consistent with university standards is required for sensitive information stored electronically on all computers, and special care should be taken when electing to store sensitive information on any portable devices that are vulnerable to theft or loss.
Distribution and transmission of information:
Sensitive information that is transmitted electronically, transported physically, or spoken in conversation must be appropriately protected from unauthorized interception.
For electronic information, appropriate encryption is required for all sensitive information, especially if that information is transmitted over public networks. Information Services Providers are responsible for employing appropriate encryption when transmitting electronic information; users must avail themselves of these services.
Destruction and disposal of information and devices:
Sensitive information must be disposed of in such manner as to ensure it cannot be retrieved and recovered by unauthorized persons. Physical documents containing sensitive information must be shredded prior to disposal.

When donating, selling, transferring, or disposing of computers or removable media, care must be taken to ensure that sensitive data is rendered unreadable. For example, if used computers are donated or sold, all information stored on machines must be thoroughly erased. It is insufficient to “delete” the information, as it may remain on the medium. Software that rewrites random data on the medium (preferably several times) must be used. Alternatively, the medium may be physically or electromagnetically destroyed.
Passwords:
Access to computers, software applications and electronic information is frequently password controlled. Users are responsible for creating and protecting passwords that grant them access to resources. Passwords cannot be shared, displayed in plain view, or stored in computers.

Passwords used to access systems governed by state, federal, or industry regulations that specify password length, complexity, and longevity must meet those requirements.  Although different systems may have unique password requirements, passwords should be at least 10 characters long and include a combination of letters, numbers, and symbols. Passwords should not contain names or permutations of personal data such as social security numbers, dates of birth, etc.  Default passwords must be changed on a user’s first login.  Generally, passwords must be changed every 365 days.  However, it is recommended that passwords be changed at least every 90 days.

Computer security: 
Users must take steps to protect their desktop, laptop, and mobile devices from compromise either by external individuals or members of the university community. Users must utilize secure operating systems and software and modify default installation passwords and configurations to minimize vulnerabilities. It is the user’s responsibility to ensure that security patches are promptly installed on their laptop, desktop and/or mobile devices, or to ensure that an Information Service Provider has installed these patches. Users must cooperate with and avail themselves of any central services providing support for and/or review of these activities.
Remote access:
Many personal computer operating systems can be configured to allow access across the Internet and other networks. Users must ensure their systems are configured to prevent unauthorized access.
Log off:
Users must log off of applications, computers and networks when finished. If computers are located in secure locations, users may not leave without locking office doors, regardless of the time they anticipate being away. Public terminal users must also log off when completing their session. The use of boot or start-up passwords is required where unauthorized users may have physical access to computers. Users should activate their auto-off monitor function, which requires a password to reactivate.
Virus and Malicious Code Protection:
Users must ensure that their personal computers employ mechanisms that protect against viruses and other forms of malicious code which may be distributed through email or the web. Users must have anti-virus software loaded on any device used to access the university’s network from off-site. To ensure that virus protection remains effective, individuals must install new versions as they become available.

Because no anti-virus software is effective against all viruses, users must exercise caution when opening email or downloading files from the Internet. User should not open unexpected or suspicious attachments and should configure word processing, spreadsheet, and other applications to require user confirmation before macros, scripts, or other executable enclosures are opened. Confirmation should be granted only if the source of the file is known or trusted.

If a virus is detected, it must be immediately and completely eradicated before email or files of any sort are sent to other users. After contamination is eliminated, individuals who may have been sent infected files must be informed by telephone or other non-electronic means. All potentially infected files, including those stored on network servers and backup media must also be examined for infestation and treated accordingly.
Backups: 
Backups and record retention must comply with the university’s records retention policy. Information stored on personal computers and not easily replaced must be copied to removable media to protect from loss.  Backup copies should be made regularly and maintained in a different physical location to protect against loss from natural disaster, fire or theft. Care should be taken to store media under environmentally appropriate, secure conditions and should be periodically refreshed.
Incident handling and reporting:
Users must report suspected compromises of information resources, including contamination by computer viruses, to their managers, the IT Service Center (who will inform the ISO, who in turn will proceed in accordance with the Incident Response Procedure). Incidents must be reported on the same business day users become aware of the compromise.

Enforcement:

Violations of this policy will be handled consistent with university disciplinary procedures applicable to the relevant individuals or departments. Failure to comply with this policy may also result in the suspension of access to network resources until policy standards have been met. Should Santa Clara University incur monetary fines or other incidental expenses from security breaches, the university may recoup these costs from the non-compliant department, school or auxiliary organization.

Portions of this document are adapted with permission from Georgetown University & Boise State University



Information Security Office, 1-408-554-5554, iso@scu.edu