Computer & Network Accounts Administration
Source
Penn State Shenango Campus, Technology Department
Date First Issued
November 7, 2007
Date Last Updated
October 7, 2024
Purpose
The purpose of this policy is to maintain an adequate level of security to protect Penn State University data, users, and information systems from unauthorized access and data loss.
Policy
Only authorized Penn State University Faculty and Staff, hereafter known as users, are granted access to information systems, and users are limited to specific defined, documented, and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
The security access administration function will be controlled only by the members of the Shenango IT Department. The security access administration function provides administration for user access to systems. These responsibilities include, but may not be limited to:
- Authentication (add, change, delete) services to provide users with the ability to access computer sources using their University-issued IDs and passwords
- Authorization (add, change, delete) services to provide user access to applications
- Generation and distribution of reports for monitoring access and potential security breaches. Reporting and monitoring activity should include reports based either on the individual initiating the event or the data and resources affected by the event. Reports can include:
  - Attempted or actual access violations for data and resources
  - Invalid logon attempts
  - Access trends and deviations from those trends
  - Access to sensitive data and resources not previously authorized
- Developing an incident handling reporting process.
- The system administrators will monitor system performance, troubleshoot systems, and provide product support. Security responsibilities can include, but may not be limited to, ensuring that:
  - Only authorized software is installed via authorized means
  - Approved security procedures are followed and procedures are established where necessary
  - Systems are recovered in a secure manner
  - Ad hoc system reviews are performed to identify unusual activity
  - Systems are installed and operated using no less than the security controls set in place by Penn State Shenango IT
  - Procedures for software license validation and virus testing have been followed
  - The security access administration function is notified of personnel or software changes that might impact system security features before the installation of those changes
The Shenango Technology Department’s computer and network operations and support functions are responsible for operating, supporting, and managing information systems and networks in accordance with the security policies set forth by the Pennsylvania State University. They shall monitor resources for signs of security violations; ensure system and network architectures maximize security of those resources; ensure network security does not conflict with application security; and follow specified escalation procedures for reporting security violations.
To ensure optimal use of resources and to address security concerns, accounts databases will be kept clean. That is, published eligibility criteria will be consistently applied, testing procedures will be applied at required intervals, and appropriate account removal and archiving tasks will be performed as required.
Accounts Administrators will retain all documentation related to computer accounts while the account is active, and for 1 year following the point at which the individual is no longer associated with Pennsylvania State University, or from the point where the organization having a group account has been dissolved.
Definitions
Penn State Shenango IT resources include all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. This definition also includes classroom technologies, computing and electronic communication devices and services, email, phone access, voice mail, fax transmissions, video, multimedia, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.
Security Incident Reporting
Any questionable or suspicious activity that is computer/network-based should be reported to Shenango IT or the Penn State IT Help Desk. Disable the network connection (do not unplug the power cord) and contact Shenango IT at 724-983-2932. After-hours support can be reached at 814-865-HELP (4357).
If your University credit card is lost or stolen, please notify University Purchasing at 814-863-0498 and the Business Office at 724-983-2817.
System User Responsibilities
- Read and agree to abide by University Policy AD-95 (formerly AD-20) - Information Assurance and IT Security and all related and referenced policies, as well as any subsequent revisions, amendments, or newly implemented policies.
- Agree not to share account ID or password information.
- Back up important user files.
- Comply with all software license agreements governing installed software. (Please consult with the campus Technology Services staff with questions or concerns.)
- Ensure physical security of the computer at all times. (This is especially significant for laptops.)
- Agree not to alter system hardware, software, or network configuration without the assistance and approval of campus Technology Services support staff.
Backup Policies
General Overview
This contingency management plan describes the methods and procedures to be used by Penn State Shenango in order to safeguard and restore data center operations in the event of a disaster.
Specific Policy Guidelines
Backup Storage
- Shenango IT no longer provides backups of any files/documents created by end-users, including documents that are stored in OneDrive or SharePoint. Microsoft, however, does provide data protection for its products; more information can be found here: https://learn.microsoft.com/en-us/compliance/assurance/assurance-sharep….
User Backup Responsibilities
- Users are responsible for backing up data on their workstations. This can be done by saving to a flash drive, Microsoft OneDrive, or Microsoft SharePoint. If you need assistance backing up files, please contact Technology Services at 724-983-2932 or [email protected].
Hard Drive Sanitize
Purpose
To maintain data confidentiality by preventing access to information previously stored on workstations transferred to new users or destined for surplus.
Disk Sanitizing Policy
Before a University-owned workstation is sent from Penn State Shenango to surplus, the non-removable hard drive(s) shall be “sanitized” (i.e., all data removed in a manner that prevents subsequent recovery) before the computer leaves the Shenango campus. If a workstation is transferred from one primary user to another, its hard drive(s) shall be sanitized prior to the transfer. The method for sanitizing hard drives will comply with applicable security guidelines established by the United States Department of Defense.
Firewalls
The initial configuration assumes that all inbound connections from outside Penn State Shenango are untrusted, and they are therefore blocked, with exceptions. All outbound connections initiated by the user are permitted through the firewall. The following exceptions have been researched thus far and are to be placed into the active exceptions.
- OAS Printing
- Security Office Scanning
- Microsoft's Authentication Portal (SSO)
- Network Authentication
- PASS
If more specific rule inquiries are needed, please contact Technology Services at [email protected].
Request for Exceptions to Firewall Security
It is recognized that a firewall can restrict certain activities on the network and Internet at large that are necessary to conduct teaching, research, and outreach functions. A request can be made to IT to create an exception to the firewall rules. The procedure for requesting an exception is as follows:
- The specific need for the exception and port(s) to be opened with justification for each.
- The Internet name and address of the computer(s) for the exception.
- The name, phone number, and email address of the information technology staff person responsible for the administration of the computer(s). If staffing changes leave an excepted server unmanaged, the exception(s) may be removed if an unreasonable security risk arises from the system remaining unmanaged.
- Security measures in force on the system including password policy, auditing policy, antivirus software (if any), and any additional security-related software and/or settings of the machine.
- A statement to the effect that the owner of the computer(s) “understands that the computer(s) will be disconnected from the network and the port(s) granted the exception will be closed if a security incident occurs with that computer, contact information for the technology staff person responsible for the computer is not kept current, or security patches are not being applied in a timely manner.”
Exceptions may not be granted for a request that IT considers too vulnerable to attack or for operating systems and applications without a proven record of adequate security.