Security Policy
Computer Science Department
New Mexico Highlands University
(Doug & Ryan)
1. Network passwords
- Default passwords.
Each user must have a password. When a user receives and account, they will be assigned a password by the system administrator. The user will be required to change the password upon first login. For the Windows NT operating system, clicking in the check box that forces the user to change their password up first login will enforce this. For the Linux operating system, the system administrator will enforce this personally.
- Password choices.
Passwords shall not consist of proper names, words found in any dictionary, birth dates of any kind, social security numbers, addresses, or words merely appended or prefixed with numbers. Passwords shall consist of at least 8 characters. For the Windows NT operating system, they shall consist of at least one numeric character and one non-alphanumeric character. It is also strongly encouraged to include an ALT character. For the Linux operating system, passwords must include at least three of the following: one or more uppercase alphabetic characters, one or more lowercase alphabetic characters, at least one numeric character, and at least one non-alphanumeric character.
- Changing passwords.
Passwords shall be changed at the beginning of each semester for regular users. Administrators are required to change their passwords every eight weeks. Anyone will be required to change their password if a routine audit determines their password any of the above guidelines for passwords.
- Guest passwords.
Guest passwords shall follow the guidelines above. Additionally, they will be deleted when no longer required. Guest is defined as any user that has an account for a semester or less.
- Sharing Passwords.
Sharing passwords is expressly prohibited.
- Conspicuous postings.
Passwords shall not be written on a piece of paper and left near the computer in question, such as under the keyboard or posted to the monitor. Writing down of passwords is allowed so long as they are kept either on person or under lock and key.
2. Access Levels
- Data classification.
All files or directories shall have permissions associated with them, designating which users have read, write and execute privileges for that file or directory. Under the Linux operating system, suid files are expressly prohibited, except in the case where it is absolutely necessary.
- Personnel Classification.
All users shall be given a classification within the domain according to minimal functionality requirements. Email only users shall not be able to log in to any computer in the domain, save the server, and only in the context of checking their email. Lab users shall have very basic access, limited to programs presented to them on the desktop. Users taking an introduction class shall have more ability to alter various settings on their environment, but shall not be allowed access to registry editing tools. Both lab and class users shall be restricted to normal lab hours. Upper division and personal accounts shall be determined on a case by case basis, defaulting to the class user. Administrators will have full access to everything.
3. Physical Security
- Main Lab Facility (LH2).
LH2 will be accessible to all students during normal lab hours, providing they have a student ID that is functional. No exceptions will be made, save by dispensation from the Department chair or the Lab Manager. Lab assistants shall be allowed access outside of regular hours for opening, closing, and lab maintenance.
- Advanced Lab (SCA205).
SCA205 is available to upper division and graduate students, during regular lab hours, unless permission, in writing, has been giving from a faculty member for after lab hours use. Lower division students are only allowed in SCA205 while a class they are in is in session in the lab. This lab is not open to the public. The door to this lab shall remain closed, save when there is a student inside. Furthermore, no signs shall be placed on the door designating it as a computer lab. No sign will cover the window from the outside.
- "Dino Lab"/ Student Lounge.
This room is only accessible to faculty, upper division students, lab assistants, and graduate students. Others shall be allowed access in the presence of authorized personnel. Access to the server area shall be restricted to administrators, or users accompanied by an administrator. No sign shall be posted denoting the contents of the room.
- Offices.
Access is restricted to occupants, the secretary, or people accompanied by the occupant. Occupants shall close their doors upon leaving their offices.
- Closets.
Access is restricted to faculty and staff, or lab assistants accompanied by faculty or staff. Other than a sign denoting it as a storage room, no signs will be posted denoting it as anything other than a storage room.
- Response to Violation
- Internal Security Breach
Unintentional breaches will be met with instruction on the proper procedures. Intentional breaches shall be met with reprimand, reassignment or termination, depending on the severity and frequency of the infraction. A committee consisting of the discovering individual, the department chair, and the lab manager will determine the appropriate reaction. In the case that either the department chair or the lab manager is the discovering individual, an additional professor will be appointed to discuss the appropriate reaction.
- External Security Breach
In the event of an external security breach, a response team consisting of the head of CNS, the department chair, and the discovering individual shall be convened to assess the damages. The proper authorities will be contacted and informed of the situation.
5. Internet
- Monitoring
Monitoring of Internet activities with employees should only be considered in the case that the individual is not performing as well as expected. If monitoring should become necessary, their supervisor shall make random periodic checks.
- Pornography
Viewing of pornography is strictly prohibited using University property.
- Web Server
Administrators shall be the only individuals authorized to upload University or departmental WebPages. All students shall be allowed a directory of web space on a server accessible from the Internet. They shall be allowed to upload files to their own directories, provided that these files are not illegal in and of themselves. Additionally, these files must conform to the student code of conduct and not violate any University policy. Documents on a WebServer must not contain any links to internal documents. If an internal document must be made public, it should be duplicated and placed on the WebServer.
- FTP Server
Anonymous FTP service shall be allowed for downloading at the departments’ discretion. Anonymous uploading must default to a single directory. In addition, file uploaded must be made read only to only the root/administrator upon receipt. Nonanonymous FTP shall be made available at the departments’ discretion.
- Remote Access Service (Dialup)
Use of dialup service shall be restricted to authorized individuals via a request to the administration for access. Each semester, access will be denied by default, and thus requiring resubmitting the request. Privileges shall be restricted to what is available to the user normally.
- News Service (NNTP)
News service shall be provided to all students, faculty and staff. Contents of the newsgroups shall reflect University policy. Any posts in violation of University policy shall be removed. Repeated offense shall be treated as an Internal Security Breach.
- Mail Service
POP3 and IMAP email service shall be made available to all students, faculty and staff. Email shall be for personal use only. Email servers shall be configured to discourage spamming. Spamming by students is prohibited. Any violation will be treated as an Internal Security Breach. Email shall remain confidential and private. It may only be search upon presentation of a search warrant. Internal documents shall be sent on internal mail servers only, and shall not be sent off campus. Encryption of internal documents is mandatory and is encouraged for personal correspondence.
- NFS Service
NFS service is strongly discouraged, and should be phased out as soon as possible.
- NetBEUI Service
Shares via NetBEUI shall be restricted to an absolute minimum. Any files that need to be shared out shall be copied to a shared directory, leaving the original in its location. Enabling write access is strongly discouraged, and should be directed to an appropriate FTP server.
- Telnet Access
Telnet access should be limited to users requiring it. User permissions shall be no greater than what is available with local login.
- Other Protocols
Other protocols shall be dealt with on a case by case basis as determined by cooperation between the department and Computer Network Services.
- Firewall
A firewall shall be implemented for the purpose of network security.
- Viruses
- Physical Prevention
Administrators, faculty, and lab assistants are the only ones allowed to install software upon the systems. Violation of this policy will be treated as an Internal Security Breach.
- Software Protection
Antiviral software shall be deployed across the network at the desktop, server and firewall level. Antiviral software should include an automatic scan of the floppy drive upon access as well as scanning of downloaded software and hard drives. It should be updated as recommended by the vendor. Lambskin condoms are strictly prohibited. In case of a viral outbreak, the affected computers will be quarantined and removed from the network. In addition, they will be thoroughly scanned, and if needed, reformatted.
- Encryption
Sensitive documents must be encrypted before transmitting via email. Encryption method must be at least 56-bit encryption.
- Fax
No sensitive documents shall be sent via fax unless the recipient fax machine is known to be secure. Additionally, no documents should remain in the fax and the buffer should be cleared after each use.
- Termination
If an employee must be terminated, his or her network access shall be disabled prior to giving notice of termination. Keys for the premises will be issued each semester and returned at the end of each semester. In the event of termination, graduation, or leaving the employ of the University, keys will be returned immediately. In the event of graduation or sabbatical, email privileges will be evaluated by the system administrators on a case by case basis.
- Backup of Data
All data shall be backed up periodically by the system administrators. The specific user will back up personal data. Copies of the backups shall be kept offsite in the event of disaster.
- Destruction of Media
If the storage media must be destroyed for any reason, it will be determined by the security manager whether the device contains any sensitive data. Nonsensitive data may simply be erased. Sensitive data should be destroyed, degaussed, or thoroughly cleaned to avoid data remanance.
- Background Checks
Potential staff and faculty shall undergo a thorough background check before hiring. This background check shall include a skill examination, criminal record checks, and random drug testing. The proceeding does not apply to work studies, save in the case of unsatisfactory performance, where procedures may be taken as necessary.
- Security Personnel
A "tiger team" shall be established to audit, implement, and enforce security procedures. Additionally, the team will appoint a team leader, responsible for guiding the team. The team shall have the authority to mandate security related procedures for employees, implement security procedures, and procure equipment to carry them out. The team will report to the head of Computer Network Services. In establishing the members of this team, the utmost care shall be taken to determine the character and background of the individuals that will make up this team.
- Disaster Plan
A disaster plan shall be implemented in the case of catastrophic failure. This plan shall include the use of a hotsite, namely New Mexico Highlands University at Rio Rancho, and a potential one at Luna Vocational Institute. There shall be a goal of 50% restoration of operation within 24 hours. Priority shall be placed upon administrative data, including student financial information and records. A low priority will be placed to Internet services such as web service and ftp.
- Audit/Review
Every semester, the tiger team shall conduct a thorough review of all security systems on campus, including the disaster recovery plan and this document. This report will be submitted to the head of Computer Network Services.