1.0 Introduction
Georgia State University's Information Systems are critical resources and play an integral part in the fulfillment of the University's objectives of teaching, research, and extension of knowledge to the public. The Georgia State University Information Systems Use Policies provide guidelines for the access, use and protection of these resources.
2.0 Purpose
The purpose of this document is to summarize and provide in a single location all approved policies aimed at ensuring that the access, use and protection of the Information Systems promote the University's objectives. These Policies will achieve the following principles:
- ensure that Users abide by state and federal laws, as well as the policies of the University and the University System of Georgia;
- ensure that all individuals accessing or using the Information Systems assume responsibility for protecting these resources from unauthorized access, modification, destruction or disclosure;
- ensure the integrity, reliability, and availability of the Information Systems; and
- ensure that individuals do not abuse the University's Information Systems and do respect the rights of members of the University community.
3.0 Scope
This document and the catalogued Policies apply to students, and all University employees, including, but not limited to, faculty and staff. The Policies also apply to all individuals, whether authorized or not, who use the University's Information Systems from any location. Use of the University's Information Systems, even when carried out on a privately owned computer that is not managed or maintained by the University, is governed by these Policies.
4.0 Terms
User refers to any person, whether authorized or not, who makes any use of any Information Systems from any location.
Information Systems includes, but is not limited to, computers, terminals, servers, printers, networks, data, modem banks, online and off-line storage media, access card systems, computer integrated telephony, other technology hardware, databases, data repositories, metadirectories, and related equipment.
5.0 Compliance
Violations of these Policies may result in the discipline of an individual in accordance with applicable University policies or state or federal law, including criminal prosecution. The University may temporarily suspend, block, or restrict access to Information Systems when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of Information Systems or to protect the University from liability.
6.0 Reporting Violations
Alleged violations of the Policies should be reported to the appropriate University disciplinary and/or law enforcement authorities. If the alleged violation could pose a security hazard to the University's technology resources, the alleged violation should also be reported to the University's Information Security Officer for appropriate action to secure the affected technology resources. When appropriate, the University disciplinary and/or law enforcement authorities will coordinate with the University's Information Security Officer to investigate and respond to alleged violations. Alleged violations of Policies will be pursued in accordance with the appropriate disciplinary procedures for faculty, staff, and students, as outlined in the Faculty Handbook, the Student Code of Conduct, and other applicable policies and procedures.
7.0 Appeals
Users found in violation of any of the catalogued Policies may appeal any imposed disciplinary action in accordance with the appeals provisions of the relevant disciplinary procedures.
8.0 Administrative Procedures
This document, and any of the catalogued Policies, may be changed by the Information Technology Senate Sub-Committee (ITSS), with such changes being reviewed and recommended through the Senate Information Systems and Technology Committee (ISAT). Information Systems and Technology (IST) will prepare, coordinate, and process all recommended changes.
9.0 Policies
The following chart catalogs the current Information System Use Policies in practice at Georgia State University.
| Policy | What is it? | Who does it apply to? | What needs to be done? |
|---|---|---|---|
| Anti-Virus Software Policy | Requires mandatory use of Anti-virus protection for Windows and Macintosh computers | Anyone at Georgia State with a personal computer connected to the University network | Install a copy of Symantec Anti-Virus; see the Procedures section for download and installation directions |
| Data Stewardship and Access Policy | Defines “University Information” and how it will be controlled and accessed. | Anyone at Georgia State who accesses University information | Access to University information requires approval by the appropriate Data Steward; see the Procedures section for specifics |
| Email System Acceptable Use and Security Policy | Describes how University email systems will be managed and protected | Anyone at Georgia State who uses email | Use strong passwords; do not send confidential information via email; follow procedures to send email messages to large numbers of Georgia State recipients |
| | | Anyone at Georgia State who maintains an email server | Indicate on-going compliance to the email server security standards in this policy |
| Information Systems Ethics Policy | Requires appropriate and civil use of network resources; describes institutional protection of user information | Anyone at Georgia State using the University’s computing and networking resources | Read the “Appropriate Use” and “University Access to User’s Information (Privacy)” sections. |
| Internet Services (Server) Registration Policy | Registration of all devices connected to the University network that serve information to on- or off-campus users. | Anyone at Georgia State installing a server | Register the server and apply security patches; see the Procedures section for details |
| Minimum Information Security Environment Policy | Minimum precautions for securing computing devices and access to the GSU network. Responsibilities of the Information Security Officer. | Anyone at Georgia State using computers or having responsibility for a server | Don’t use computers or systems you are not authorized to use; don’t send an email as if you were someone else; use the University-supported versions of Windows, Mac OS, and Novell; Netware, GroupWise, VPN (Virtual Private Network) and Anti-virus clients; follow the password generation rules for creating passwords; don’t share userids and passwords; maintain documentation to verify proper licensing of purchased software; physically protect your computer or server; do not attempt to defeat the security of information systems. |
| Remote Access Policy | Off-campus access to network and systems is through approved methods only. | Anyone at Georgia State providing access to local servers from off-campus locations | Read the policy and follow the outlined standards and procedures. |
| | | Anyone accessing a Georgia State network or information system from off-campus | Use a Virtual Private Network (VPN) client for authentication and encryption; see Procedure for details. |
| Sensitive Information Protection Policy | Protection of systems holding Social Security Numbers, credit card numbers, and other identity or personal information. | Anyone at Georgia State storing identity or personal information about other people on desktops or servers | If you store bulk social security numbers, credit card numbers, HIPAA (Health Insurance Portability and Accountability Act – medical information), student data (grades, test scores, etc.), bank account numbers on a server you are responsible for or on your personal workstation, read this policy or contact the Information Security Officer. |
| Student Computer Access Policy | Requirement for students to have access to computers for Georgia State University course work. | Student at Georgia State | All students must have access to a computer; it is the responsibility of students to ensure their access to computers. At a minimum, the computer must provide access to the worldwide web using a current browser, spreadsheet capability and word processing. Academic departments may have more stringent requirements. |
| Network Connection of Surveillance System Cameras and Digital Video Recorders Policy | Approval and configuration requirements for video systems used to protect resources or personnel. | Anyone at Georgia State planning to install a digital surveillance system | Contact the Information Security Officer prior to acquisition and installation. |
| Wireless Access Policy | WiFi/802.11 access through centrally managed authenticated methods. Existing installations which do not meet the standards of this policy must be in compliance no later than June 30, 2004. | Anyone using a wireless device at Georgia State | You must use a Virtual Private Network (VPN) client; see Procedures section for details. |
| | | Anyone installing a wireless access point on Georgia State’s network | Read the Procedures sections on “Configuration, Installation, and Management” and “Unauthorized Access Points” |
| Security Review Policy | Where appropriate, Information Security personnel will conduct risk assessments of technologies/processes that are being evaluated and/or used at Georgia State University. | Anyone at Georgia State | Read the policy and follow the outlined standards and procedures. |
| Incident Response Policy | Information Security incidents occurring on the University network or attached devices will be managed centrally by the University Information Security Officer (ISO) and will include other campus resources as determined by the ISO. | Anyone at Georgia State | Read the policy and follow the outlined standards and procedures. |