ISU Home | A to Z Listing of Web Sites | Search
Home | Table of Content | A-Z Index | Search Handbook

Part 3. Services, Functions and Facilities Use

Section VIII. Information Technology (5-05)

D. Network Security Policy

1. Mission Statement

The Idaho State University (ISU) Network Security Policy establishes the practices and standards for secure use of information technology systems.

2. Incorporated by Reference

a. The definitions for IT policies, available at http://www.isu.edu/fs-handbook/part3/3_8/3_8a.html.
b. IT Policy 1.0: General Provisions http://www.isu.edu/fs-handbook/part3/3_8/3_8b.html.
c. ISU Information Systems Acceptable Use Policy http://www.isu.edu/fs-handbook/part3/3_8/3_8c.html
d. Faculty/Staff Handbook (http://www.isu.edu/fs-handbook)
e. Student Code of Conduct (http://www.isu.edu/references/st.handbook/)

3. Scope of Use

The security policy applies to:

a. ISU's information technology (IT) systems, which may include, but are not limited to, information systems, networking and telecommunications, data processing hardware and software, data transmission equipment and transmission media, and data storage devices.

b. Information or data processed, stored, or transmitted across ISU's IT systems.

c. Authorized users and/or organizations that access ISU's IT systems.

4. Introduction

a. Storage of university data on computers and transfer of that data across the network eases use and expands functionality. Commensurate with that expansion is the need for the appropriate security measures. Security is not distinct from functionality. In addition, security is the responsibility of every user of the network. The following policy outlines best practices to assure the campus of continuing operation of the network.

b. Whenever connecting to the ISU network, regardless of method, users must comply with the following policies.

5. Passwords

Password creation and maintenance is a significant part of network security.

a. Passwords must be at least six characters in length and uncrackable by commonly available cracking tools. Guidelines for creating secure passwords are available at http://help.isu.edu/index.php?action=knowledgebase&catid=8&subcatid=12.

b. Passwords will be changed every 180 days or less.

c. ISU's ITA and/or designee will audit passwords for compliance and will require a user to change his or her password if it is compromised.

d. All passwords used for authenticating to ISU resources will be sufficiently encrypted to protect the confidentiality of the passwords.

6. User Authentication

All users of ISU's IT system and or network will prove affiliation with ISU through appropriate log on procedures obtained with proper authorization from the ITA and /or designee. In the cases of visiting faculty or students, special, short-term accounts will be available from the ITA or his/her designee.

7. Software Security

a. In the case of any device connected to the network, all critical security patches for the operating systems and other software must be installed. In addition, such devices are required to run virus-checking software.

b. The ITA or designee may perform general scans to determine a device's vulnerability before allowing connection to the network.

c. Software that interferes with the reliable operation of the network and its systems or that attempts to bypass security and capture data is not allowed. Examples of such software include viruses that cause denial of service attacks and keystroke capture applications installed without the user's knowledge.

8. Equipment

a. The Technology Oversight Council will establish a minimum hardware configuration for network machines. The ISU ITA and/or designee must approve any equipment that does not meet those minimum requirements. Hardware with known vulnerabilities will not be allowed to connect to the network.

b. Equipment that interferes with the reliable operation of the network and its systems or that attempts to bypass security and capture data is not allowed. Examples of such equipment include "sniffers" or other devices that tap network cables. Only authorized maintenance staff may use such equipment for troubleshooting and repair. Other equipment may affect network operation inadvertently. The ITA and/or designee will remain aware of such possibilities and help resolve difficulties.

9. Exceptions

Certain research labs or offices may have difficulty operating within these policies. Exemptions to any or all of these policies may be available through consultation with the ITA on a case-by-case basis.