
UHD Information Security Handbook

PART 1 - GENERAL

1.0 Major Laws and Guidelines Governing Information Security

A) Texas Administrative Code Terms of Usage

B) UHD Information Systems Security and Access Policy PS 08.A.04

C) UHD Academic Computing Services Policy PS 08.A.05

D) TEXAS PENAL CODE - CHAPTER 33. COMPUTER CRIMES

1.2 User Responsibilities

A) UHD Information Technology’s Acceptable Use Procedure

PART 2 – COMPUTER OPERATIONS

SUBPART A – PHYSICAL SECURITY

2.0 Physical Security

SUBPART B - COMPUTER ACCESS

A) UHD Information Technology’s Password Procedure

2.11 Account request form

PART 1 – GENERAL
1.0 Major Laws and Guidelines Governing Information Security
A) Texas Administrative Code Terms of Usage
Please note the following terms of usage:

    1. Unauthorized use is prohibited;
    2. Usage may be subject to security testing and monitoring;
    3. Misuse is subject to criminal prosecution; and
    4. No expectation of privacy except as otherwise provided by applicable privacy laws.

This is based on the Texas Administrative Code regarding Information Security.

B) UHD Information Systems Security and Access Policy
Focus: Student, Staff, Faculty


Memo to: All UH-Downtown/PS Holders
UH - Downtown/PS 08.A.04
Issue No. 1
From: Max Castillo, President
Effective date: 3/23/94
Page 1 of 1

1. PURPOSE
The purpose of this PS is to establish the legal use of Information Systems resources.
2. POLICY/PROCEDURES
2.1 Access to and use of computing resources is restricted to appropriately identified, authenticated, and authorized users. State law requires that state-owned information resources be used only for official state purposes.

2.2 The University of Houston - Downtown (UHD) is not exempt from the copyright laws concerning computer software. Unauthorized use or duplication of software is a federal crime. Title 17, Section 106 of the US code states "It is illegal to make or distribute copies of copyrighted material without authorization". The only exception to this rule is the user's right to make a backup copy for archival purposes if the manufacturer does not provide one. Information Systems will maintain a list of federal and state laws which govern legal use of hardware and software.

2.3 All identification, passwords, telephone numbers, and other "access means" to information resources are proprietary to the state. Holders of such access means are accountable for unauthorized or negligent disclosure or use of access means including sharing of passwords (Vernon's Texas Code Annotated, Title 18 Penal Code 33.01 - 33.05).

2.4 All computer programs, software and electronic information that are part of university information systems are property of UHD and must not be copied or disclosed unless explicitly authorized in writing by appropriate management. This includes software developed for or by UHD and UHD-purchased software and its related documentation.

2.5 No software, program, or information can be added to, or removed from, any operating system, database, or file unless explicitly authorized by appropriate management and in compliance with institutional security policies, procedures, and standards. Additionally, software that can bypass, in any manner, approved security software or controls, may not be written or installed.

2.6 Personnel shall not disclose any information designated or otherwise marked as confidential or sensitive unless it is properly required in their job, or except as authorized in writing pursuant to security policies.

3. REVIEW AND RESPONSIBILITIES
Responsible Party (Reviewer): Chief Information Officer
Review: Biennial
Reprint of original policy statement. Signed original on file in the President's Office.

C) Academic Computing Services Policy PS 08.A.05
Memo to: All UH - Downtown/PS Holders
UH - Downtown/PS 08.A.05
Issue No. 1
From: Max Castillo, President
Effective date: 3/23/94
Page 1 of 1
Subject: Academic Computing Services

1. PURPOSE
The purpose of this PS is to establish policies and procedures which govern Information Systems support services for academic computing.
2. POLICY/PROCEDURES
2.1 Information Systems administers the central academic lab and publishes procedures and policies that govern the access and use of the lab. Information Systems may also administer or jointly operate with academic colleges a number of satellite labs on campus.

2.2 Requests for hardware, software or support resources may be referred by the director of academic computing to the appropriate committee for review and recommendation. This includes, but is not limited to, electronic classroom and satellite lab support, requests for additional support in the academic computing lab, new software and hardware installation, research support, additional training, new product review requests and additional resources to support curriculum changes.

2.3 Academic grant proposals which may result in significant information systems support must be reviewed by the Chief Information Officer and/or the Information Systems Steering Committee prior to processing. Information systems will assist the academic departments in incorporating procedures within their grant review process to notify the Chief Information Officer or the Information Systems Steering Committee of such proposals.

3. REVIEW AND RESPONSIBILITIES
Responsible Party (Reviewer): Chief Information Officer
Review: Biennial
Reprint of original policy statement. Signed original on file in the President's Office.
(PS 08.A.05)

University of Houston - Downtown


Regulations for Using Academic Computing Facilities and Resources


The primary function of the Department of Academic Computing is to provide computing resources and user support for instructional activities at the University of Houston – Downtown (UHD). All users of academic computing facilities and resources are subject to the following regulations:

UHD students, faculty and staff are eligible to use academic computing facilities and resources. Access will not be granted to others without approval by the director of academic computing.
Users must present a valid UHD I.D. card when entering the Academic Computing Lab.
Lab users are expected to conduct themselves in a responsible and courteous manner while in the Academic Computing Lab.
Computing accounts are for use only by the person to whom the account has been issued by authorized computing personnel. A user may not disclose his/her password or allow other users to access his/her account.
Computers and resources in academic computing facilities are to be used for university-related purposes. They are not to be used for business or other profit-producing endeavors or for recreational purposes.
Games are prohibited on all Academic Computing resources. This restriction does not apply to games and simulations used in conjunction with academic courses or research. The director of academic computing must receive written notice from the instructor of record in advance of such use.
Compromising the security of any computer or network or using university computing resources to engage in any illegal activity is strictly prohibited.
Each user is fully responsible for the activity of any account that has been assigned to him/her. If a user suspects that his/her account has been accessed by another user, the director of academic computing should be notified immediately.
Any changes to student accounts or access to any system must be requested by the respective faculty member.
Users may not write, use or have possession of programs that may be used to intimidate, harass, create an offensive environment for or invade the privacy of other users.
Users shall not represent themselves electronically as others.
Users shall not obstruct or disrupt the use of any computing system or network by another person or entity either on the UHD campus or elsewhere.
Users shall not, by any means, attempt to infiltrate a computing system or network either on the UHD campus or elsewhere.
All users of UHD's external network connections shall comply with the evolving "Acceptable Use" policies established by the external networks' governing bodies. Copies of policies relating to commonly accessed external networks will be made available in the Academic Computing Lab.

Copying of copyrighted software is illegal and is prohibited in the Academic Computing facilities or elsewhere on campus. UHD forbids, under any circumstances, the unauthorized reproduction of software or use of illegally obtained software. Using university equipment to make illegal copies of software is prohibited. Lab users may bring licensed personal copies of software into the Academic Computing facilities but may not install software on any computer or network or alter any existing software. Proof of ownership may be requested of users who bring software into the facilities.
Manuals and software may be checked out for use in the lab only.
Users should not attempt to repair any malfunctioning equipment or software, but should report any such occurrences to academic computing personnel.
Smoking, eating or drinking is not permitted in academic computing facilities.
Reservations for general lab use are not normally required; however, a temporary reservation system will be adopted as needed.
Although Academic Computing will make efforts to provide a safe and problem-free computing environment, in no event will the university or the Department of Academic Computing be liable for loss of data, inconvenience or other tangible or perceived damage resulting from or relating to system failures, viruses, user negligence, or other occurrences.
Academic Computing reserves the right to amend these regulations at any time, giving seven days notice before the amendments are to take effect. Notice will consist of an announcement displayed as part of the system login procedure on the systems for which user accounts are assigned, posting of an announcement at the front desk of the Academic Computing Lab, and notification of the Academic Computing Committee and the Student Government Association. Use of Academic Computing resources after the effective date of the modified regulations constitutes acknowledgement of the new regulations.
Use of academic computing accounts and resources in violation of these regulations, UHD policy, or any federal, state, or local laws may result in revocation of the individual's account privileges or suspension of access to computing resources, and may subject the account holder to university disciplinary action and/or criminal prosecution.

I have read the regulations printed above and agree to abide by them.
Applicant's Signature
Date
(PS 08.A.05)

Examples of Misuse of Computing Resources or User Accounts
Using a computer account that you are not authorized to use;
Obtaining a password for or gaining access to a computer account or directory which has not been assigned to you by authorized computing personnel;
Using the campus network to gain unauthorized access to any computer system;
Knowingly performing an act which will interfere with the normal operation of computers, terminals, peripherals, or networks;
Knowingly running or installing on any computer system or network, or giving to another user, a program intended to damage or place excessive load on a computer system or network. This includes, but is not limited to, programs known as computer viruses, Trojan horses, and worms;
Attempting to circumvent data protection schemes or uncover security loopholes;
Violating terms of applicable software licensing agreements or copyright laws;
Deliberately wasting computing resources;
Using electronic mail or other means to harass others;
Masking the identity of an account or machine;
Posting on electronic bulletin boards materials that violate existing laws or the University's policies;
Attempting to monitor or tamper with another user's electronic communications, or reading, copying, changing, or deleting another user's files or software without the explicit agreement of the owner;
Damaging or stealing university-owned equipment or software;
Causing the display of false system messages;
Maliciously causing system slow-downs or rendering systems inoperable;
Changing, removing or destroying (or attempting the same) any data stored electronically without proper authorization;
Gaining or attempting to gain access to accounts without proper authorization;
Making copies of copyrighted or licensed software;
Using university computers for unauthorized private or commercial purposes.

Activities will not be considered misuse when authorized by appropriate university computing officials for security or performance testing.

D) TEXAS PENAL CODE - CHAPTER 33. COMPUTER CRIMES

PENAL CODE
CHAPTER 33. COMPUTER CRIMES

§ 33.01. DEFINITIONS. In this chapter:
(1) "Access" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.

(2) "Aggregate amount" means the amount of:
(A) any direct or indirect loss incurred by a victim, including the value of money, property, or service stolen or rendered unrecoverable by the offense; or
(B) any expenditure required by the victim to verify that a computer, computer network, computer program, or computer system was not altered, acquired, damaged, deleted, or disrupted by the offense.

(3) "Communications common carrier" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of communications and who receives compensation from persons who use that system.

(4) "Computer" means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.

(5) "Computer network" means the interconnection of two or more computers or computer systems by satellite, microwave, line, or other communication medium with the capability to transmit information among the computers.

(6) "Computer program" means an ordered set of data representing coded instructions or statements that when executed by a computer cause the computer to process data or perform specific functions.

(7) "Computer services" means the product of the use of a computer, the information stored in the computer, or the personnel supporting the computer, including computer time, data processing, and storage functions.

(8) "Computer system" means any combination of a computer or computer network with the documentation, computer software, or physical facilities supporting the computer or computer network.

(9) "Computer software" means a set of computer programs, procedures, and associated documentation related to the operation of a computer, computer system, or computer network.

(10) "Computer virus" means an unwanted computer program or other set of instructions inserted into a computer's memory, operating system, or program that is specifically constructed with the ability to replicate itself or to affect the other programs or files in the computer by attaching a copy of the unwanted program or other set of instructions to one or more computer programs or files.

(11) "Data" means a representation of information, knowledge, facts, concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored or processed, or has been stored or processed in a computer. Data may be embodied in any form, including but not limited to computer printouts, magnetic storage media, laser storage media, and punchcards, or may be stored internally in the memory of the computer.

(12) "Effective consent" includes consent by a person legally authorized to act for the owner. Consent is not effective if:

(A) induced by deception, as defined by Section 31.01, or induced by coercion;
(B) given by a person the actor knows is not legally authorized to act for the owner;
(C) given by a person who by reason of youth, mental disease or defect, or intoxication is known by the actor to be unable to make reasonable property dispositions;
(D) given solely to detect the commission of an offense; or
(E) used for a purpose other than that for which the consent was given.

(13) "Electric utility" has the meaning assigned by Section 31.002, Utilities Code.

(14) "Harm" includes partial or total alteration, damage, or erasure of stored data, interruption of computer services, introduction of a computer virus, or any other loss, disadvantage, or injury that might reasonably be suffered as a result of the actor's conduct.

(15) "Owner" means a person who:
(A) has title to the property, possession of the property, whether lawful or not, or a greater right to possession of the property than the actor;
(B) has the right to restrict access to the property; or
(C) is the licensee of data or computer software.

(16) "Property" means:
(A) tangible or intangible personal property including a computer, computer system, computer network, computer software, or data; or
(B) the use of a computer, computer system, computer network, computer software, or data.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Amended by Acts 1989, 71st Leg., ch. 306, § 1, eff. Sept. 1, 1989; Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994; Acts 1997, 75th Leg., ch. 306, § 1, eff. Sept. 1, 1997; Acts 1999, 76th Leg., ch. 62, § 18.44, eff. Sept. 1, 1999.

§ 33.02. BREACH OF COMPUTER SECURITY. (a) A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.
(b) An offense under this section is a Class B misdemeanor unless in committing the offense the actor knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is:

(1) a Class A misdemeanor if the aggregate amount involved is less than $1,500;

(2) a state jail felony if:
(A) the aggregate amount involved is $1,500 or more but less than $20,000; or
(B) the aggregate amount involved is less than $1,500 and the defendant has been previously convicted two or more times of an offense under this chapter;

(3) a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;

(4) a felony of the second degree if the aggregate amount involved is $100,000 or more but less than $200,000; or

(5) a felony of the first degree if the aggregate amount involved is $200,000 or more.

(c) When benefits are obtained, a victim is defrauded or harmed, or property is altered, damaged, or deleted in violation of this section, whether or not in a single incident, the conduct may be considered as one offense and the value of the benefits obtained and of the losses incurred because of the fraud, harm, or alteration, damage, or deletion of property may be aggregated in determining the grade of the offense.

(d) A person who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Amended by Acts 1989, 71st Leg., ch. 306, § 2, eff. Sept. 1, 1989; Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994; Acts 1997, 75th Leg., ch. 306, § 2, eff. Sept. 1, 1997; Acts 2001, 77th Leg., ch. 1411, § 1, eff. Sept. 1, 2001.

§ 33.03. DEFENSES. It is an affirmative defense to prosecution under Section 33.02 that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Renumbered from V.T.C.A., Penal Code § 33.04 and amended by Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

§ 33.04. ASSISTANCE BY ATTORNEY GENERAL. The attorney general, if requested to do so by a prosecuting attorney, may assist the prosecuting attorney in the investigation or prosecution of an offense under this chapter or of any other offense involving the use of a computer.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Renumbered from V.T.C.A., Penal Code § 33.05 by Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

1.2 User Responsibilities
UHD Information Technology’s Acceptable Use Procedure

University of Houston Downtown
Information Technology’s Acceptable Use Procedure
User Responsibilities


1.0 Overview
Information Technology's intention in publishing an Acceptable Use Procedure is not to impose restrictions that are contrary to the established culture of openness, trust and integrity at the University of Houston – Downtown (UHD). Information Technology is committed to protecting UHD's employees, students and the University from illegal or damaging actions by individuals, either knowingly or unknowingly.
Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, and FTP, are the property of UHD. State law requires that state-owned information resources be used only for official state purposes.
Effective security is a team effort involving the participation and support of every UHD employee and student who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines, and to conduct their activities accordingly.

2.0 Purpose
The purpose of this procedure is to outline the acceptable use of computer equipment at UHD. These rules are in place to protect employees, students and UHD. Inappropriate use exposes UHD to risks including virus attacks, compromise of network systems and services, and legal issues.

3.0 Scope
This procedure applies to employees, students, consultants, temporaries, and other workers at UHD, including all personnel affiliated with third parties. This procedure applies to all equipment that is owned or leased by UHD.

4.0 Procedure
4.1 General Use and Ownership

1. While UHD's network administration desires to provide a reasonable level of privacy, users should be aware that the data they create on the UHD systems remains the property of UHD. Because of the need to protect UHD's network, management cannot guarantee the confidentiality of information stored on any network device belonging to UHD.

2. Employees are responsible for exercising good judgment regarding the reasonableness of personal use. Information Technology is responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, employees should consult their supervisor or manager.

3. Information Technology recommends that any information that users consider sensitive or vulnerable be encrypted. For guidelines on information classification, see Information Technology's Information Sensitivity Procedure.

4. For security and network maintenance purposes, authorized individuals within UHD may monitor equipment, systems and network traffic at any time, per Information Technology's Audit Procedure.

5. UHD reserves the right to audit networks and systems on a periodic basis to ensure compliance with this procedure.

4.2 Security and Proprietary Information
1. Employees shall not disclose any information designated or otherwise marked as confidential or sensitive unless it is properly required in their job, or except as authorized in writing pursuant to security policies.

2. Keep passwords secure and do not share accounts. Authorized users are responsible for the security of their passwords and accounts. System level passwords should be changed quarterly; user level passwords should be changed every six months.

3. All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging-off (control-alt-delete for Win2K users) when the host will be unattended.

4. Because information contained on portable computers is especially vulnerable, special care should be exercised. Protect laptops in accordance with the “Laptop Security Tips”.

5. All hosts used by the employee that are connected to the UHD Internet/Intranet/Extranet, whether owned by the employee or UHD, shall be continually executing approved virus-scanning software with a current virus database.

6. Employees and Students must use extreme caution when opening e-mail attachments received from unknown senders, which may contain viruses, e-mail bombs, or Trojan horse code.

System and Network Activities

The following activities are strictly prohibited, with no exceptions:

1. Violations of the rights of any person or university protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by UHD.

2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which UHD or the end user does not have an active license is strictly prohibited.

3. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. The appropriate management should be consulted prior to export of any material that is in question.

4. Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).

5. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.

6. Using a UHD computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.

7. Making fraudulent offers of products, items, or services originating from any UHD account.

8. Making statements about warranty, expressly or implied, unless it is a part of normal job duties.

9. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which the employee or student is not an intended recipient or logging into a server or account that the employee or student is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.

10. Port scanning or security scanning is expressly prohibited.

11. Executing any form of network monitoring which will intercept data not intended for the employee's or student’s host.

12. Circumventing user authentication or security of any host, network or account.

13. Interfering with or denying service to any (for example, denial of service attack).

14. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.

15. Providing information about, or lists of, UHD employees or students to parties outside UHD.


Email and Communications Activities
The following activities are strictly prohibited:

  1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  2. Any form of harassment via email, telephone or paging, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of email header information.
  4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  6. Posting the same or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

5.0 Enforcement
Any employee or student found to have violated this procedure may be subject to disciplinary action.

6.0 Definitions
Term: Spam
Definition: Unauthorized and/or unsolicited electronic mass mailings.

7.0 Revision History: Revised 8/15/07


One Main Street • Houston, TX 77002 • 713-221-8000
Copyright ©2000 University of Houston-Downtown