SECURITY POLICY FOR NMHU COMPUTER SCIENCE LAB

Gwen, Jeff, Jessie

1. Network Passwords

1a. Default passwords. Default passwords should be changed immediately; if the password is not changed, access will not be allowed.

1b. Password choices. Passwords should not be found in the dictionary. Passwords must consist of at least eight characters and should be a combination of upper and lower case letters, numbers, symbols, and special characters.

1c. Changing passwords. Passwords should be changed once a month, and this should be enforced by the administrator.

1d. Guest passwords. Guests should have limited access and privileges. These users should not be allowed to modify hardware and software settings. Users will have only read and execute privileges; they will not have write and change privileges.

1e. Sharing passwords. Sharing passwords is not allowed under any circumstances.

1f. Conspicuous posting. Do not post passwords in any visible location. Passwords should not be written down, but memorized immediately.

2. Access Levels

2a. Data classification. All electronic files shall be labeled or flagged such that access to the file can be allowed or denied automatically based on that file’s classification, such as read, write, executable, etc. The sign-in policy should also be enforced.

2b. Restrictions. If students are browsing the web and someone else needs to use the computer to do homework, the student doing homework has priority use of the system.

3. Physical Security

3a. Work Area. Combination locks should be changed at least every semester, especially if lab personnel change.

3b. Lab Area. The lab assistant on duty should always monitor this area. The lab manager should create an inventory control policy, which will be used to keep track of inventory that is checked out, such as headphones, CDs, etc.

4. Response to Violation

Internal security breach. Deny lab privilege to individuals who alter or attempt to alter any settings on the computers. If serious enough, the matter should be reported to school authorities, which could involve serious disciplinary action.

 

5. Internet

Monitor for pornographic site viewing, chatting, real audio / video. None of these are allowed in the lab.

6. Viruses

6a. Physical prevention. Software should not be installed by any of the users, to prevent viruses from being spread throughout the lab.

6b. Software prevention. A commercial antivirus program shall be deployed throughout the network at the desktop, server, and firewall level. The program shall be updated as often as recommended by the vendor.

7. Termination

If an employee must be terminated, his or her network access shall be disabled prior to giving him or her notice of termination. If students are no longer enrolled at the university, they should no longer have computer lab access. Their e-mail accounts and student IDs should be cancelled or disabled. The Network Administrator should enforce this, with the assistance of the Registrar’s office personnel.

8. Background Checks

Potential hires shall undergo a thorough background check before employment is offered. The background check will include checking for a criminal record, and calling and verifying references.

9. Disaster Plan

The Lab Manager and the interdepartmental security team (made up of several lab assistants) shall create specifications for off-site backup, hot-site (which would be the computer lab in Sininger Hall) and cold-site operations, alternative methods of communication, and acquisition of supplies. The Disaster Plan shall set as its goal at least 50 percent restoration of operations within 24 hours.

10. Audit/Review

At least once a year, the interdepartmental security team shall conduct a thorough review of all corporate security systems. The audit/review procedure will include both physical and theoretical checks of the security policy.