Business & Finance Bulletin IS-3
Data Sensitivity by Electronic Information Resource Criticality

| Data Sensitivity | Essential | Required | Deferrable |
| --- | --- | --- | --- |
| Restricted | Requires access security; must be in Disaster Recovery plan | Requires access security; may be in Disaster Recovery plan | Requires access security; need not be in Disaster Recovery plan |
| Unrestricted | Minimal security required; must be in Disaster Recovery plan | Minimal security required; may be in Disaster Recovery plan | Minimal security required; need not be in Disaster Recovery plan |
Campuses are responsible for preparing, periodically updating, and regularly testing a campus plan for recovering from a disaster that renders certain Electronic Information Resources unavailable for an unacceptable period of time. Such a Disaster Recovery Plan should establish the frequency of testing campus disaster recovery procedures. The campus should ensure that any local operations procedures are coordinated with the campus Disaster Recovery Plan.
Recovery plans to address the failure of Essential Electronic Information Resources must be included in the campus Disaster Recovery Plan (see Section IV, Risk, Sensitivity and Criticality). Campuses may decide whether or not to include recovery plans for Required or Deferrable Electronic Information Resources in the campus Disaster Recovery Plan. For the purpose of this section, the term Essential may be augmented, at campus discretion, to include campus designated Required or Deferrable Electronic Information Resources.
The Disaster Recovery Plan shall include provisions for implementing and running Essential applications at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a disaster or other interruption that renders normal processing inoperable for the period of time specified in the designation of the Electronic Information Resources as Essential.
The Disaster Recovery Plan shall also specify emergency response procedures, including specifying teams of personnel assigned responsibility for responding in emergency situations, and specifying procedures to enable team members to communicate with each other and with management during an emergency. For these purposes, an emergency is an event that has led or will imminently lead to a situation in which Essential Electronic Information Resources cannot be restored to functioning status within the time specified in the designation of the Information Resources as Essential. The Plan should include or ensure the availability of any systems documentation required for performing Recovery.
Backup copies of data and software that are sufficient for recovery from an emergency situation pertaining to Essential Electronic Information Resources must be stored at a secure, commercial site providing standard protection or at a non-commercial off-campus site providing equivalent protection against fire, flood, earthquake, theft, decay, and other hazards. Requirements and procedures for such offsite backup shall be included in the Disaster Recovery Plan, including procedures and authorities for obtaining access to such sites in the event of an emergency.
Disaster Recovery requirements should be specified when establishing maintenance agreements with vendors supplying components of Essential Electronic Information Resources (for example, ensuring that the vendor can provide replacement components within a reasonable period of time).
This section addresses security measures related to controlling access to Electronic Information Resources through logical measures (e.g., via software or network controls), controls related to software development and change control, security of data, communications security, and reduction of risk from Intrusive Computer Software.
Access to Restricted Electronic Information Resources and data retained within or accessible through these Information Resources must be limited to Authorized Users. Authorized Users and their specific level of privilege are specified by the Electronic Information Resource Proprietor, unless otherwise defined by University policy.
Such access must be controlled with secure means of authentication and authorization. Authentication is the process of identifying individuals as belonging to a class, which may be a group (e.g., faculty, undergraduate students) or an individual. Authorization is the process by which it is determined whether or not the identified individual or class is authorized to access an Information Resource, and at what level (read only, create, delete, modify).
These Guidelines do not require any specific technology to be employed for Logical Security, as long as the security functions of authentication and authorization are performed before access to Restricted or Essential Electronic Information Resources is granted to a User. Selected technology, however, must be adequate to ensure sufficient protection commensurate with the level of risk ascribed to the Electronic Information Resource (see Section IV, Risk, Sensitivity and Criticality), and should be supported by process controls designed to ensure that the Electronic Information Resource is adequately protected commensurate with the corresponding level of risk. For example, access controls should be accompanied by mechanisms to detect, record, and generate alerts about repeated failed attempts at access.
The campus Electronic Information Resource Security Guidelines Coordinator (see Section IX, Responsibilities) is responsible for the coordination of the review and approval of the means used to provide the requisite security of Restricted or Essential Electronic Information Resources.
Procedures for initially providing Users with authorization for access to Electronic Information Resources or to data in or accessible through Electronic Information Resources must incorporate review and approval mechanisms to avoid any unauthorized persons being granted access. These procedures may include a requirement for the Electronic Information Resource Proprietor to approve an individual's request for authorization and the associated level of privilege. Authorization records should be retained consistent with University Records Disposition Program and Procedures (BFB RMP-2).
It is a violation of these Guidelines and other University and campus policies for Users to attempt to gain unauthorized access to any Electronic Information Resources or in any way damage, alter, or disrupt the operations of these Electronic Information Resources. It is also a violation of these Guidelines for Users to capture or otherwise obtain or tamper with passwords, encryption keys, or any other access control mechanism that could permit unauthorized access, except where expressly required in the performance of their duties, such as when systems personnel need to provide access to Electronic Information Resources when passwords or other keys have been lost or misplaced. (See Section VI. B., System Administration Access Controls.) Among other possible disciplinary actions, Electronic Information Resource Proprietors may withdraw the privileges of any User who violates these Guidelines if, in their opinion, continuation of such privileges threatens the security (including integrity, privacy and availability) of a Restricted Electronic Information Resource. Appeals regarding revocation of privileges should follow normal campus conflict resolution procedures.
Passwords selected by Users or automatically generated to protect access to Information Resources should be hard to guess and, for Essential Electronic Information Resources, should be changed frequently. Passwords should be shared with other individuals only when the access provided by such passwords is limited to a specific Electronic Information Resource, when such sharing is essential to the continuity of an authorized business practice associated with that Information Resource, and when the other User is authorized to at least the same level of access privilege. Passwords to data that is Essential or Restricted should not be shared. Individual passwords should not be shared. When there is a need for shared passwords, specific accounts should be set up for that purpose.
Modifications to data residing in Essential applications should be performed according to predefined methods that have been developed with provisions for ensuring data integrity, availability, privacy, and compliance with audit requirements (in accordance with BFB IS-10, Systems Development Standards and BFB RMP-8, Legal Requirements on Privacy of and Access to Information) to avoid circumvention of data integrity and auditing controls. For example, updates to payroll records should be performed only through the production Payroll application. Exceptions may be made on a case-by-case basis, but should always be performed in a controlled manner and with the knowledge of the Electronic Information Resource Proprietor.
Campus implementation of these Guidelines should encourage, where applicable, the use of system logs to assist in monitoring access to Electronic Information Resources and/or access to data retained within or accessible through such Resources. Such logs should include sufficient detail (such as records of all login attempts) to ensure that suspicious patterns of activity can be identified. Since such logs may contain personally-identifiable information, the Electronic Information Resource Proprietor should comply with University policies related to privacy (see BFB RMP-8). Campuses should consider using system tools to automatically identify suspicious patterns of activity within the logs.
Controls designed to protect Electronic Information Resources from unauthorized access must not be so restrictive as to prevent authorized access to the Information Resource. An example of such an over-protection is business data stored in protected format, with no provisions in place to ensure availability of the data to Authorized Users.
System administrators routinely require access to Electronic Information Resources to perform essential system administration functions critical to the continued operation of the Electronic Information Resource. Such privileged access is often termed "superuser access" and accounts that provide such privileges to system administrators are termed "superuser accounts." Privileged or superuser accounts enable vital system administration functions to be performed, such as establishing userids or accounts, maintaining authorization for these accounts, terminating another user's session, correcting problems, and other broadly-defined system or other Electronic Information Resource privileges.
Such privileged accounts are especially sensitive and campuses must establish procedures, commensurate with the level of risk involved, to ensure that abuse will not occur. In particular, the number of privileged accounts must be kept to a minimum, and only provided to those personnel whose job duties require them. Those personnel who do require privileged accounts should also have less powerful accounts to use when not performing system administration tasks and must be instructed not to use superuser accounts for other than authorized purposes. Activities performed using a superuser account should be logged, where feasible, and the logs should be reviewed, on a regular basis, by an independent and knowledgeable person. These logs should be printed or stored in a non-subvertible form, where feasible. Superuser accounts should be monitored periodically to ensure they are being used for designated purposes.
Development and maintenance of administrative applications performed by University personnel or performed by any vendor engaged by University personnel must conform to the specifications of BFB IS-10, Systems Development Standards (see http://www.ucop.edu/ucophome/policies/bfb/is10.pdf). BFB IS-10 describes the circumstances under which the Standards apply, as well as delineating roles and responsibilities, project planning and management, phases of systems development, and data retention and privacy considerations. Application development and maintenance efforts must also conform to any local standards, procedures, guidelines and conventions.
In general, campuses are encouraged to involve Internal Audit and the campus Controller in the development or implementation of Essential applications in order to obtain advice on establishing proper controls. Internal Audit must be notified of all application system development projects early in the development process. (See BFB IS-10 for more information.)
The purpose of change controls is to ensure the accuracy, integrity, authorization, and documentation of all changes. Only authorized personnel may implement changes to software for Restricted or Essential applications, and must perform such changes according to change management procedures established by the campus. Change procedures should include assignment of responsibilities to ensure adequate separation of duties, and may also include: confirmation of testing, authorization for moving the programs to production, user training requirements, and documentation requirements. For example, in some cases the Electronic Information Resource Proprietor may be required to authorize program modifications before changes can be implemented in production. Change procedures should include backup of prior versions of application programs, so that a change may be "rolled back" if problems occur.
Backup copies of data and software associated with Restricted or Essential Electronic Information Resources must be sufficient to satisfy Disaster Recovery requirements (see Section V, Disaster Recovery and Emergency Procedures), application or other Electronic Information Resource processing requirements, and any functional requirements of any Electronic Information Resource Proprietor dependent upon such data. Backup copies of Essential data for Disaster Recovery purposes must be stored at a secure, commercial site that provides standard protection or at a non-commercial off-campus site providing equivalent protection. These backup requirements extend to Essential or Restricted software and data stored on personal computers as well as software and data stored on shared servers.
Backup and other retention services for data must also comply with University of California policies regarding data retention. See:
UC Records Disposition Program and Procedures (BFB RMP-2)
(http://www.ucop.edu/ucophome/policies/bfb/bfbrmp.html -- see Section 2 for RMP-2)
Vital Records Protection (BFB RMP-4)
(http://www.ucop.edu/ucophome/policies/bfb/bfbrmp.html -- see Section 4 for RMP-4)
UC Records Disposition Schedules Manual
Systems Development Standards (BFB IS-10)
(http://www.ucop.edu/ucophome/policies/bfb/is10.pdf)
University Electronic Information Resources must conform to University policies and regulations related to privacy of data or information records associated with them. Applicable policies include:
Legal Requirements on Privacy of and Access to Information (BFB RMP-8)
(http://www.ucop.edu/ucophome/policies/bfb/bfbrmp.html -- see Section 8 for RMP-8)
Systems Development Standards (BFB IS-10)
(http://www.ucop.edu/ucophome/policies/bfb/is10.pdf)
University of California Electronic Mail Policy (http://www.ucop.edu/ucophome/policies/email/email.html)
Before any Restricted data may be transferred from one server to another or to a workstation, the User effecting the transfer must ensure that access controls on the destination system are commensurate with access controls on the originating server or commensurate with the security requirements established by the Electronic Information Resource Proprietor. Those responsible for granting access to Restricted data or to any Restricted or Essential Electronic Information Resource must ensure that Authorized Users are apprised of this constraint when access is originally granted to the User. They may choose to require the User's signature to acknowledge this notification.
Communications access controls, such as firewalls, must be present to limit unauthorized access to Restricted or Essential Electronic Information Resources across campus or University communication networks. These firewalls may be limited to protection at the appropriate subnet level.
Campuses should consider use of intrusion detection systems to help identify attempted or actual unauthorized intrusions.
Where technology is available that readily supports this capability, the use of encryption is encouraged to prevent unauthorized access to restricted data during transmission.
While Intrusive Computer Software (such as computer viruses) can potentially affect any type of computer or server, the area of greatest risk is personal computers that receive files from external sources, whether over a network or dialup connection, or via shared detachable storage devices. Campuses should evaluate their exposure regarding adverse Intrusive Computer Software for different Information Resources, and put in place precautions commensurate with the level of risk and the associated cost to the institution for such anticipated loss; and implement processes to notify users and take other appropriate remedial action in the event of propagation of Intrusive Computer Software.
Each campus should establish procedures for the physical protection of its Electronic Information Resources. At a minimum, campuses shall develop policies and procedures to protect physical areas containing shared Electronic Information Resources that support Restricted or Essential Electronic Information Resources. These policies and procedures should address the following:
Appropriate measures for the prevention, detection, early warning of, and recovery from emergency conditions, including earthquake, fire, water leakage or flooding, disruption of power, air conditioning failures, and environmental conditions exceeding equipment limits.
Controls for limiting physical access to facilities housing Restricted or Essential Electronic Information Resources through the use of combination locks, key locks, badge readers, sign in/out logs for visitors, verification of identification, etc.
Controls over check stock, produced checks, and other financial instruments.
In addition, physical inventories of equipment should be completed and maintained in accordance with BFB Bus-29, Management and Control of University Equipment (http://www.ucop.edu/ucophome/policies/bfb/bus29.html)
Departments must also consider physical security for personal computers and other local Electronic Information Resources housed within their immediate work area. Protection of physical equipment, or of software and data residing on storage media, from theft, damage or improper use should be addressed. Particular attention must be paid where access to or functioning of Restricted or Essential Electronic Information Resources is concerned.
Restricted data should not be transferred and stored on separate portable equipment such as laptops.
This section addresses security measures with respect to employment and other organizational matters, and actions to be taken with respect to suspected violations of these Guidelines.
Some of the positions with job responsibilities related directly to Electronic Information Resources may be deemed Critical Positions in accordance with University personnel policies and guidelines for staff (see Personnel Policies for UC Staff Members, http://www.ucop.edu/humres/policies/welcome.html). Campuses should develop policies and procedures to ensure that candidates for open Critical Positions related to Restricted or Essential Electronic Information Resources undergo applicable background checks as part of the selection process.
For staff working in Critical Positions related to Restricted or Essential Electronic Information Resources, procedures should be established that can be implemented in the event of disciplinary action or termination. Where there is a concern that access to Electronic Information Resources endangers the integrity of such Resources, management should act to restrict, suspend or terminate access. During an investigatory leave or after termination, revocation of the individual's access privileges to the work location is normally warranted. All procedures must be established in accordance with University personnel policies and guidelines. See Personnel Policies for UC Staff Members.
Background checks are also required for non-University contractors or consultants engaged to work on Restricted or Essential Electronic Information Resources. Consideration should be given to limiting outside vendor access to Restricted or Essential Electronic Information Resources. Access should be revoked when the work has been completed.
Procedures for authorizing Users to access Electronic Information Resources or data in or accessible through them shall provide for prompt notification of the Electronic Information Resource Proprietor of any significant changes in job duties or other status of a User, if these changes are such as to require modification to the User's authorization. Such procedures must also provide for prompt removal of authorization for persons who have terminated employment or other association with the University, except where specifically permitted by Policy and by the Electronic Information Resource Proprietor. In certain circumstances, authorization should be removed for individuals who have announced their decision to terminate, where continued access might result in an unacceptable level of risk.
The principles of separation of duties should be followed when assigning job responsibilities relating to Restricted or Essential Electronic Information Resources. No one individual, for example, should have authorization for both implementing programs into production and updating production data for a Restricted or Essential application.
Supervisors or other employees with responsibilities for security should periodically review the system administration work of personnel with access to privileged "superuser" accounts on shared servers. (See also Section VI B, System Administration Access Controls.) Such review is intended to provide a periodic audit or review for those system administration functions that are not otherwise audited or reviewed in the course of being completed.
If an employee (or contractor or consultant) becomes aware of the occurrence of any violation of these Guidelines, s/he should report the violation promptly to his/her supervisor (or their client within the University in the case of contractors or consultants), department head, the Electronic Information Resource Proprietor or Custodian, or the Internal Audit department. Supervisors and Department Heads are, in turn, responsible for promptly reporting any known or suspected violations to the Electronic Information Resource Proprietor or Custodian or to the Internal Audit department.
Depending on the nature of the violation and the likelihood of a recurrence, the Electronic Information Resource Proprietor or Custodian shall take prompt action to protect against future violations to the extent feasible, and/or remove the means by which the violation occurred. Depending on the nature of the violation, the Electronic Information Resource Proprietor or Custodian shall consult with other campus authorities in accordance with policies governing potential disciplinary action. In the event that the violation involves possible unlawful action by a User, Internal Audit or the Police should immediately be notified in accordance with BFB G29, Procedures for Investigating Misuse of University Resources. Notification of Internal Audit or the Police should take place before any action is taken, unless prompt emergency action is required to prevent bodily harm, significant property loss or damage, loss of significant evidence of one or more violations of law or of University policy, or significant liability to the University or to members of the University community.
The University reserves the right to revoke access to any Electronic Information Resource for any User who violates these Guidelines, or for any other business reasons in conformance with other applicable University or campus policies.
Campus implementation of these Guidelines must include procedures for testing software used to provide logical access controls and access control points for connectivity (e.g., firewalls).
Campuses should designate a campus authority responsible for the coordination of tracking, taking preventive measures, and reacting to Intrusive Computer Software, such as computer viruses. Any suspicion or detection of such intrusive software should be immediately reported to this authority and to the Police, if appropriate, in accordance with BFB G29, Procedures for Investigating Misuse of University Resources, unless such intrusive software is already known and can be prevented or eliminated with standard commercial software.
The Associate Vice President, Information Resources and Communications (IR&C) is responsible for development, maintenance, and publication of these Guidelines.
Each Chancellor and the Senior Vice President--Business and Finance shall designate an individual to have overall coordination responsibility for campus compliance with these Guidelines. The individual shall be designated as the campus Electronic Information Resource Security Guidelines Coordinator. Given the wide distribution of Electronic Information Resources at campuses, responsibility for compliance with these Guidelines will most likely rest with a number of individuals on each campus. The campus Electronic Information Resource Security Guidelines Coordinator must track individuals who are responsible for implementation of these Guidelines in every major campus functional area, and shall provide education on the contents of these Guidelines.
University departments have different responsibilities for the security of Electronic Information Resources, depending on their roles. The roles of Electronic Information Resource Proprietor, Electronic Information Resource Custodian, and User are defined in Appendix A. Campus procedures must ensure that the campus Electronic Information Resource Security Guidelines Coordinator is responsible for confirming that these roles are assigned for every Essential Electronic Information Resource.
The responsibilities for each of these roles with respect to information security are as follows:
The Electronic Information Resource Proprietor is designated by the Chancellor and has primary responsibility for determining the purpose and function of the Electronic Information Resource. For example, the Registrar's Office on campus could be the Electronic Information Resource Proprietor for a central student registration system. The Proprietor, subject to appropriate management review, is responsible for determining the level of security required for access controls, based on the sensitivity of the Electronic Information Resource. The Electronic Information Resource Proprietor is responsible for determining the level of criticality of an Electronic Information Resource, subject to appropriate management review (see also Section IV on Risk, Sensitivity and Criticality). For those Electronic Information Resources deemed Essential, the Proprietor has responsibility for determining the appropriate method for providing business continuity (e.g., performing Disaster Recovery at an alternate site, performing equivalent manual procedures, etc.). For Electronic Information Resources consisting of applications or data, the Proprietor is also responsible for specifying adequate data retention, in accordance with University policies (see also Data Security in Section VI, Logical Security).
The Electronic Information Resource Custodian is responsible for implementing security measures in accordance with the level of access security identified by the Electronic Information Resource Proprietor (see also Section IV, Risk, Sensitivity and Criticality, Section VI, Logical Security, and Section VII, Physical Security). For example, the central Information Technology department on a campus would be the Electronic Information Resource Custodian of a central student registration system. For Electronic Information Resources consisting of applications or data, the Information Resource Custodian is responsible for ensuring that data retention requirements are met (see also Data Security in Section VI, Logical Security). For Electronic Information Resources deemed Essential, the Custodian is responsible for Disaster Recovery preparation and general oversight of the performance of Disaster Recovery in the event of a disaster (see also Section V, Disaster Recovery and Emergency Procedures).
Users of Electronic Information Resources are responsible for familiarizing themselves with and complying with all University policies, procedures and standards relating to information security. Users are responsible for appropriate handling of Electronic Information Resources (e.g., data) as established by the Electronic Information Resource Proprietor and implemented by the Electronic Information Resource Custodian.
Each campus shall establish procedures and practices that implement these Guidelines. A summary of campus responsibilities assigned in these Guidelines follows:
Each Chancellor and the Senior Vice President--Business and Finance shall designate an individual or individuals to have overall responsibility for compliance with these Guidelines (Electronic Information Resource Security Guidelines Coordinator) (see Section IX, Responsibilities).
Each campus must determine which specific Electronic Information Resources warrant security measures, based on a risk assessment (see Section IV, Risk, Sensitivity and Criticality).
Each campus shall prepare, periodically update and regularly test Disaster Recovery plans for Essential Electronic Information Resources (see Section V, Disaster Recovery and Emergency Procedures).
Each campus shall provide means for performing authentication and authorization functions prior to allowing access to Restricted or Essential Electronic Information Resources (see Section VI, Logical Security).
The Electronic Information Resource Security Guidelines Coordinator is responsible for review and approval of the means used to provide the requisite security of Restricted or Essential Electronic Information Resources, or may designate another person as having this responsibility for specified Electronic Information Resources (see Section VI, Logical Security).
Campus procedures for initially providing users with authorization for access to Electronic Information Resources, or data accessible through them, must incorporate a review and approval mechanism (see Section VI, Logical Security).
Campus implementation procedures should encourage the use of system logs to assist in monitoring access to Electronic Information Resources and/or access to data retained within or accessible through them (see Section VI, Logical Security).
Campus implementation procedures should ensure that the number of system administration userids on shared servers is kept to a minimum, and only provided to those personnel requiring system administration capabilities in order to perform their job duties (see Section VI, Logical Security).
Campus implementation procedures should ensure that only authorized personnel may implement changes to software for Restricted or Essential applications and that such changes are carried out according to established procedures (see Section VI, Logical Security).
Campus implementation procedures should ensure that backup copies of data and software associated with Restricted or Essential Electronic Information Resources are sufficient to satisfy disaster recovery requirements, application or other Electronic Information Resource processing requirements, and any functional requirements of any Electronic Information Resource Proprietor dependent upon such data (see Section VI, Logical Security).
Campus implementation must ensure that communications access controls, such as firewalls, are present to limit external access to Restricted or Essential Electronic Information Resources across campus or University communication networks, except to the extent specifically authorized by the Electronic Information Resource Proprietor to fulfill essential business functions (see Section VI, Logical Security).
Campus implementation should encourage the use of encryption to prevent unauthorized access to Restricted data during transmission of such data across a communications network (see Section VI, Logical Security).
Campuses should determine their exposure to adverse Intrusive Computer Software for different Electronic Information Resources, and put in place precautions commensurate with the level of risk (see Section VI, Logical Security).
Campus implementation should establish procedures for the physical protection of Electronic Information Resources, including disaster controls, physical access controls, and procedural controls (see Section VII, Physical Security).
Campus implementation should ensure that candidates for open Critical Positions (as defined in University Staff Policy) related to Restricted or Essential Electronic Information Resources undergo background checks as part of the selection process (see Section VIII, Managerial Security Measures).
Campus implementation should include procedures for promptly reporting to the Electronic Information Resource Proprietor any significant changes in job duties or other status of a User, if these changes are such as to require modification to the User's authorization. These procedures must also provide for removal of authorization for persons who have terminated employment or other association with the University, except where specifically allowed by Policy and by the Electronic Information Resource Proprietor (see Section VIII, Managerial Security Measures).
Campus implementation should include provision for a review of the system administration work performed by employees with access to privileged system administration accounts on shared servers (see Section VIII, Managerial Security Measures).
Campus procedures should provide mechanisms for employees to report violations of these Guidelines (see Section VIII, Managerial Security Measures).
Campus implementation must include procedures for testing software used to provide logical access controls and access control points for connectivity (e.g., firewalls) (see Section VIII, Managerial Security Measures).
Campus implementation must include provision for designation of a single campus authority responsible for tracking, taking preventive measures, and reacting to Intrusive Computer Software, such as computer viruses (see Section VIII, Managerial Security Measures).
Campus procedures must ensure that the campus Electronic Information Resource Security Guidelines Coordinator is responsible for confirming that the roles of Information Resource Proprietor and Information Resource Custodian are assigned for every Essential Information Resource (see Section IX, Responsibilities).
Authorized User: A University employee, student or other individual affiliated with the University who has been granted authorization by the Electronic Information Resource Proprietor, or his or her designee, to access an Electronic Information Resource and who invokes or accesses an Electronic Information Resource for the purpose of performing his or her job duties or other functions directly related to his or her affiliation with the University. The authorization granted is for a specific level of access to the Electronic Information Resource as designated by the Electronic Information Resource Proprietor, unless otherwise defined by University policy. An example of an Authorized User includes someone who handles business transactions and performs data entry into a business application, or someone who gathers information from an application or data source for the purposes of analysis and management reporting.
Business Continuity Plan: A plan for the continued operation of critical business administration in the case of a disaster affecting normal functioning. A Business Continuity Plan is more all-inclusive than a Disaster Recovery Plan, which normally relates to information systems only.
Computer Virus: An example of Intrusive Computer Software (see definition below).
Disaster: Any event or occurrence that prevents the normal operation of Electronic Information Resource(s) for a period of time, such that the resulting disruption and/or losses exceed the acceptable limits established consistent with these Guidelines. A disaster may occur as a result of a natural disaster (such as a flood, fire or earthquake), employee error or other accidents, long-term system failures, and criminal or malicious action.
Disaster Recovery Plan: A written plan including provisions for implementing and running Essential Electronic Information Resources at an alternate site or provisions for equivalent alternate processing (possibly manual) in the event of a disaster.
Electronic Information Resource: A resource used in support of University business administration that involves the electronic storage, processing or transmitting of data, as well as the data itself. Electronic Information Resources include application systems, operating systems, tools, communications systems, data in raw, summary, and interpreted form and associated computer server, desktop, communications and other hardware used in support of University business administration.
Electronic Information Resource Custodian: The department that has physical or logical control over the Electronic Information Resource. This includes, for example, central campus Information Technology departments with maintenance responsibility for an application; departmental system administrators of a local area network; and the database administrator for a campus-wide database. This role provides a service to the Electronic Information Resource Proprietor.
Electronic Information Resource Proprietor: The Proprietor of an Electronic Information Resource is the individual designated by the Chancellor or his or her designee as having the responsibility for determining the purpose and function of the Electronic Information Resource. Such responsibility may include, for example: specifying the uses for a departmentally-owned server; establishing the functional requirements during development of a new application or maintenance to an existing application; and determining which Users may have access to an application or to data accessible via an application. All Electronic Information Resources are University resources, and Electronic Information Resource Proprietors are responsible for ensuring that these Resources are used in ways consistent with the mission of the University as a whole.
Electronic Information Security Guidelines Coordinator: The individual on each campus who has been designated to have overall coordination responsibility for campus compliance with these Guidelines. Although responsibility for compliance with these Guidelines will most likely rest with a number of individuals on each campus, the campus Electronic Information Resource Security Guidelines Coordinator must track individuals who are responsible for implementation in every major campus functional area, and shall provide education on the contents of these Guidelines.
Intrusive Computer Software: Intrusive computer software (such as a computer virus) is an unauthorized program designed to embed copies of itself in other programs, to modify programs or data, or to self-replicate. Intrusive computer software may be spread via removable storage media (e.g., diskettes for personal computers) or via a network. The term "intrusive computer software" as it is used in these Guidelines is intended to encompass the variety of such unauthorized programs, including viruses, bacteria, worms, Trojan Horses, etc.
Security: Measures taken to reduce the risk of 1) unauthorized access to Electronic Information Resources, via either logical, physical or managerial means; and 2) damage to or loss of Electronic Information Resources through any type of disaster (such as employee error or other accidents, long-term system failures, natural disasters, and criminal or malicious action). Security also encompasses measures taken to reduce the impact of any violation of security or a disaster that occurs despite preventive measures.
Server: A multi-user computer, including mainframes, servers, and personal computers providing services to multiple users. A computer employed as a single-user workstation is not considered a server.
User: See Authorized User.