Computer & Network Accounts Administration
Source
Penn State Shenango Campus, Technology Department
Date Issued
November 7, 2007
Purpose
In order to ensure that University information systems and processes have a consistent view and that the outside world has a consistent view of the Pennsylvania State University population, accounts administration and management processes and procedures must be consistent. The purpose of this policy is to maintain an adequate level of security to protect PENNSYLVANIA STATE UNIVERSITY data and information systems from unauthorized access.
Policy
Only authorized PENNSYLVANIA STATE UNIVERSITY Faculty and Staff, hereafter known as users, are granted access to information systems, and users are limited to specific defined, documented, and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
The security access administration function will be controlled only by the members of the Technology Department at PENNSYLVANIA STATE UNIVERSITY Shenango. The security access administration function provides administration for user access to systems. These responsibilities include, but may not be limited to:
- Authentication (add, change, delete) services to provide users with the ability to access computer sources using their University-given logon IDs and passwords
- Authorization (add, change, delete) services to provide user access to applications
- Generation and distribution of reports for monitoring access and potential security breaches. Reporting and monitoring activity should include reports based either on the individual initiating the event or the data and resources affected by the event. Reports can include:
  - Attempted or actual access violations for data and resources
  - Invalid logon attempts
  - Access trends and deviations from those trends
  - Access to sensitive data and resources not previously authorized
- Developing an incident handling reporting process.
The system administration function monitors performance, provides problem determination and production support, and performs system backups. Security responsibilities can include, but may not be limited to, ensuring that:
- Only authorized software is installed via authorized means
- Approved security procedures are followed and procedures are established where necessary
- Systems are recovered in a secure manner
- Ad hoc system reviews are performed to identify unusual activity
- Systems are installed and operated using no less than the security controls set in place by the PENNSYLVANIA STATE UNIVERSITY Shenango Technology Department
- Procedures for software license validation and virus testing have been followed
- The security access administration function is notified of personnel or software changes that might impact system security features before the installation of those changes
The Shenango Technology Department’s computer and network operations and support functions are responsible for operating, supporting, and managing information systems and networks in accordance with the security policies set forth by the Pennsylvania State University. They shall monitor resources for signs of security violations; ensure system and network architectures maximize security of those resources; ensure network security does not conflict with application security; and follow specified escalation procedures for reporting security violations.
To ensure optimal use of resources and to address security concerns, accounts databases will be kept clean. That is, published eligibility criteria will be consistently applied, testing procedures will be applied at required intervals, and appropriate account removal and archiving tasks will be performed as required.
Accounts Administrators will retain all documentation related to computer accounts while the account is active, and for 1 year following the point at which the individual is no longer associated with Pennsylvania State University, or from the point where the organization having a group account has been dissolved.
Definitions
Pennsylvania State University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies, computing and electronic communication devices and services, modems, electronic mail, phone access, voice mail, fax transmissions, video, multimedia and hyper media information, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.
Procedural Preference
In partnership with the Campus Executive Officer and other naming functions and stakeholders, the campus’ Technology Department will coordinate accounts administration procedures, and will develop and publish central account procedures and processes.
The Shenango Campus Executive Officer will be responsible for local adherence to this policy, and for additional local processes, procedures, and additions to this and other accounts policies on the campus as required.
IPAS Incident Reporting
Any questionable or suspicious activity which is computer/network-based should be reported to Security Operations and Services (SOS). Disable the network connection (do not unplug the power cord) and contact SOS during normal work hours at 814-863-9533 or after hours at 814-777-9533. An email may also be sent to [email protected] but direct telephone contact should be made.
For non-computer/network-based events please contact the Privacy Office at 814-863-3049 during normal business hours or email [email protected].
If your University credit card is lost or stolen please call 1-877-PSU4PNC, then notify University Purchasing at 814-863-0498 and the Business Office at 724-983-2817.
System User Responsibilities
- Read and agree to abide by University Policy AD-95 (formerly AD-20) - Information Assurance and IT Security and all related and referenced policies, as well as any subsequent revisions, amendments, or newly implemented policies.
- Agree not to share account ID or password information.
- Back up important user files.
- Comply with all software license agreements governing installed software. (Please consult with the campus Technology Services staff with questions or concerns.)
- Ensure physical security of the computer at all times. (This is especially significant for laptops.)
- Agree not to alter system hardware, software, or network configuration without the assistance and approval of campus Technology Services support staff.
The form that must be filled out by all Shenango personnel can be received in Technology Services located in Sharon Hall 202.
Backup and Disaster
General Overview
This contingency management plan describes the methods and procedures to be used by Penn State Shenango in order to safeguard and restore data center operations, in the event of a disaster.
Specific Policy Guidelines
Backups
- Incremental backups are performed on a nightly basis on administrative servers.
- Full backups are performed on a weekly basis on administrative servers.
- Backup procedures are to be automated as much as possible so that another Technology Services staff member can perform the backups when necessary.
- Each backup procedure will generate a log file, which can be inspected on a daily basis to determine the success or failure of the backup.
- There will be a primary and backup staff member assigned to perform the system backups for each system. Both the primary and backup staff member will inspect the backup log on a daily basis to verify the success of the backup and troubleshoot hardware and/or software problems related to the backup procedures.
- A short written log of each backup performed will also be maintained in the computer room to provide rapid access to tape information.
Backup Storage
- Daily incremental data backup occurs every night at 11 p.m. This backup is located at University Park, and is part of the University Backup for Infrastructure (UBI) service. The Office of Enterprise Information Technology (EIT) then creates an on-premises and off-site backup of this data.
- Weekly backup tapes consist of tapes A, B, and C. These tapes are rotated every Friday. This gives the Administrator the ability to retrieve data as far back as three weeks at any given time. The tapes are stored in a secured room on campus to provide rapid access for restores. Only the Technology Services staff and security can access this room.
User Backup Responsibilities
- Users are responsible for backing up data on their workstations. This can be done by saving to a flash drive, CD/DVD, the local network drive, Box online storage or Microsoft OneDrive online storage. If you need assistance backing up files please contact Technology Services at 724-983-2932 or [email protected].
Disaster Recovery
- All administrative servers are powered by an Uninterruptible Power System (UPS) which can maintain full power to all equipment for approximately 45 minutes. If the server senses that the battery power has been depleted, it will initiate a shutdown sequence to ensure no data is lost.
- Users that need to recover lost data must contact Technology Services, 724-983-2932, and give the name of the file, the date it was last modified, and the location of where the file was stored.
Hard Drive Sanitize
Purpose
To maintain data confidentiality by preventing access to information previously stored on workstations transferred to new users or destined for surplus.
Disk Sanitizing Policy
Before a University-owned workstation is sent from Penn State Shenango to surplus, the non-removable hard drive(s) shall be “sanitized” (i.e., all data removed in a manner that prevents subsequent recovery) before the computer leaves the Shenango campus. If a workstation is transferred from one primary user to another, its hard drive(s) shall be sanitized at the time of transfer.
The method for sanitizing hard drives shall be approved by Technology Services and comply with applicable security guidelines established by the United States Department of Defense. Technology Services staff shall follow the Disk Sanitizing Procedure.
Firewalls
The initial configuration assumes that all inbound connections from outside Penn State Shenango are un-trusted, and therefore blocked with exceptions. All outbound connections, initiated by the user, are permitted through the firewall. The following exceptions have been researched thus far and are to be placed into the active exceptions.
- OAS Printing
- SOS Security Scanning
- IPAS Scanning
- WebAccess
- DCE Authentication
- PASS
If more specific rule inquiries are needed, please contact Technology Services at [email protected].
Request for Exceptions to Firewall Security
It is recognized that a firewall can restrict certain activities on the network and Internet at large that are necessary to conduct the teaching, research, and outreach functions of the College. Therefore, a request can be made to Technology Services to create an exception to the firewall rules. The procedure for requesting an exception is as follows:
- The specific need for the exception and port(s) to be opened with justification for each.
- The Internet name and address of the computer(s) for the exception.
- The name, phone number, and email address of the information technology staff person responsible for administration of the computer(s). If staffing changes leave an excepted server unmanaged, the exception(s) may be removed if an unreasonable security risk arises from the system remaining unmanaged.
- Security measures in force on the system including password policy, auditing policy, antivirus software (if any), and any additional security related software and/or settings of the machine.
- A statement to the effect that the owner of the computer(s) “understands that the computer(s) will be disconnected from the network and the port(s) granted the exception will be closed if a security incident occurs with that computer, contact information for the technology staff person responsible for the computer is not kept current, or security patches are not being applied in a timely manner.”
Exceptions may not be granted for a request that Technology Services considers too vulnerable to attack or for operating systems and applications without a proven record of adequate security.