University of Maryland
Consolidated USMH & UMCP Policies and Procedures Manual
______________________________________________________

X-6.00(A) UMCP ADMINISTRATIVE COMPUTER CENTER SECURITY OF ADMINISTRATIVE DATA
 
                 APPROVED BY THE PRESIDENT APRIL 10, 1992
 
  I.   Policy
 
       A.   All information processed by the Administrative
            Computer Center (ACC) is considered a resource which is
            the property of the University.  Implementation and
            adherence to the University's security policy is
            necessary to protect this resource.  Security standards
            shall be applied in the procurement, design,
            development, implementation, and operation of computer
            systems and applications.
 
       B.   ACC computer facilities and administrative data support
            the operation of the University.  Use of these
            facilities or data for unauthorized activity such as:
            to obtain personal monetary gain; to jeopardize
            legitimate use; to provide resources to other
            unauthorized persons; and to conduct illegal activities
            is forbidden and will be prosecuted within the scope of
            applicable laws.  Additionally, violation of security
            policies or procedures can result in revocation of
            access and disciplinary action, including suspension or
            termination.
 
       C.   Access to administrative data must be approved by the
            individual's department head and by the data owner.
 
  II.  Definitions
 
       A.   Data Owners:  Data owners are the heads of the various
            University departments (or their representatives)
            responsible for the application systems processed at
            the ACC.
 
       B.   Data Users:  Data users are those University employees
            having a legitimate need for access to administrative
            data processed by the application systems at the ACC.
 
  III. Responsibilities
 
       The protection of the administrative data resource is
       inherently management's responsibility.  Managers identify
       and protect data systems' assets within their area of
       control.  In addition, managers ensure employees understand
       their obligations to protect these assets.  Implementation
       of security measures is the shared responsibility of data
       users, data owners, and the ACC.
 
       A.   University employees (data users) have a right to
            access information in ACC computers as necessary to
            perform their assigned duties.  In exercising this
            right to access data, they shall:
 
            1.   Maintain the privacy and security of data and use
                 the data and computing resource as efficiently as
                 possible.
 
            2.   Maintain the confidentiality of assigned
                 passwords.
 
            3.   Sign a statement indicating understanding of
                 responsibility to provide privacy for and maintain
                 integrity of the data provided.  Additionally,
                 users of student data, which falls under the scope
                 of the Family Educational Rights and Privacy Act
                 of 1974, will complete the "Statement of
                 Understanding for Users of Student Data" and view
                 the video "Matters of Trust."
 
            4.   Report suspected misuse of administrative data or
                 the computing resources of the ACC.
 
       B.   Data owners (department heads) shall:
 
            1.   Identify the degree of protection required for
                 their data.  Information may be designated as
                 public, having no requirement for confidentiality.
                 Other data may be available to all employees or
                 persons acting on behalf of the University, but
                 not generally available to the public.  Still
                 higher platforms of sensitivity include student
                 data, access to which is governed by public law.
                 Specific requirements governing access to
                 administrative data must be developed by the data
                 owner.
 
            2.   Coordinate with their application programming
                 support elements to establish measures which
                 effect security within the application, if
                 required.  These measures limit users to specific
                 portions of the application as dictated by the
                 user's function and promote proper separation of
                 duties.
 
            3.   Develop plans for continuity of operation in the
                 event ACC operations are interrupted by disaster
                 or other unforeseen circumstances.
 
            4.   Establish retention requirements, if any, for
                 records stored on magnetic media based on
                 University, state, and federal requirements.
 
       C.   The ACC will:
 
            1.   Develop and enforce security procedures and
                 operating practices which support the tenets
                 outlined in this policy.  These measures must not
                 interfere with valid use of data for the effective
                 management of the University.
 
            2.   Establish procedures which enforce security
                 between applications, i.e., which ensure that
                 access to one application does not afford
                 unauthorized access to other applications on the
                 ACC mainframe.
 
            3.   Establish measures to counteract events which
                 compromise data integrity such as system failure,
                 inadvertent manipulation, unauthorized
                 penetration, or unforeseen disasters.  These
                 measures include maintaining a proper operating
                 environment, exercising preventive maintenance
                 checks of safety and early warning sensors,
                 performing sufficient system-wide back-ups to
                 enable restoration of operating capability in the
                 event of system outage, and utilizing off-site
                 storage locations for system-wide and application
                 back-ups.
 
            4.   Provide prudent physical and environmental
                 measures for the hardware, software, and data
                 within its purview.
 
            5.   Establish procedures which enforce separation of
                 duties such that personnel who develop or install
                 software cannot alter data or programs currently
                 used for production purposes.
 
            6.   Establish procedures such that changes to
                 applications and systems software are controlled
                 according to a formal process, which includes
                 thorough testing in a development environment and
                 movement into a production environment through a
                 defined turnover process.
 
       D.   The ACC and data owners will:
 
            1.   Monitor and review implementation of the defined
                 access rules, to include review of audit reports
                 when available.
 
            2.   Ensure security measures are cost-effective and
                 are supported by a risk analysis process.  This
                 process compares potential threats to data with
                 the specific vulnerabilities of the ACC operation
                 to those threats.  Security measures are then
                 selected in those areas where both the threat and
                 the vulnerability are considered significant.
 
 
 
 

_______________________________________________

This web page is generated by a program written by M. Posey at the OIT Operations and Enterprise Applications

Questions, comments, and suggestions can be sent to sysadmin@accmail.umd.edu.
Published 06/16/2000           © University of Maryland