Information Security Management Guidelines

The following definitions apply to this document:

Departmental Security Administrator: The person responsible for maintaining the College Information Systems (CIS) accounts within his/her area of responsibility. Responsibilities include but are not limited to the timely inactivation of accounts; providing signed Non-disclosure Agreements to CIS Information Security; assignment and collection of ID cards; and requesting appropriate access to CIS facilities, functions, and tasks from CIS Information Security.

Data Trustee: The designated administrative officer responsible for a collection of data. Responsibilities include but are not limited to granting authorization for access to that data and regular review of that authorization. Access is granted or denied based on the College's administrative and business needs.

System Administrator: The person responsible for installing and maintaining the operating system and application software on a computer system. Responsibilities include but are not limited to controlling access to the system, maintaining the security of the system, and ensuring that the system is in compliance with all security guidelines established by the College.

  1. Each Unit/Department must designate at least two responsible employees as Departmental Security Administrators.

  2. Data Trustees and System Administrators must know what they are authorizing and to whom. NEED for access must be verified.

  3. At least once each year, Departmental Security Administrators, Data Trustees, and System Administrators should conduct and document reviews of access to systems, data, and programs. Reviews should identify sensitive reports and information, define and document the security requirements for this information, and categorize differing requirements where necessary. Issues to consider include data integrity and exposure risks, legal considerations, requirements for audit trails, and requirements for signed receipt. For more information, refer to the "Implementing an Information Security Review" document, available on-line (see item 13 below).

  4. Departmental Security Administrators and System Administrators are expected to suspend login names of students, staff, contractors, vendors, etc., on departure due to termination, transfer, withdrawal, or leave. Accounts with access to sensitive College Information must be suspended not later than the day of termination or transfer unless, after review, management determines that an exception is warranted. Exceptions should be sparingly granted, must be documented, and must be periodically reviewed. Upon graduation, student accounts will be terminated in accordance with management policy.

  5. All systems (mainframe, UNIX, VMS, PC server, etc.) with access to College Information MUST use individual, password-protected accounts. All login names must comply with and be registered in the College Global UserID system. Sensitive College Information must be stored only on password-protected devices.

  6. Individual login names and passwords must not be shared. Each individual is responsible for all use of his/her account. See also the CIS Non-Disclosure Agreement and the Mount Zion Policy on Computing Ethics.

  7. System Administrators will maintain lists of individuals who have the passwords to systems or privileged accounts on platforms within their respective areas of responsibility. These lists should be reviewed periodically. These passwords should be changed frequently, and must be changed whenever an employee with such a password is terminated or transferred.

  8. The following syntactic guidelines apply to passwords on all computing platforms wherever the technology permits. All passwords:

    • should be a mix of upper and lower case letters

    • should contain at least one non-alphabetic character

    • should be a minimum of six characters in length

    • should not be common dictionary words, computing terms, etc.

    These guidelines are expected to be enforced by appropriate systems facilities wherever practical.
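The four syntactic rules above, written as the kind of check a login facility could apply when a password is set. This is an added example, not code from the College's systems; the word list is a small constructed stand-in for the dictionary and computing-term list a real platform would maintain, and the check also rejects a listed word padded with digits or punctuation, which goes slightly beyond the literal rule.

```python
"""Checker for the four password rules in item 8 (added example).

The word list below is a constructed stand-in; a real deployment would load
a full dictionary plus local computing terms (host names, product names).
"""
import re

# Constructed stand-in for a real dictionary / computing-terms list.
FORBIDDEN_WORDS = {
    "password", "welcome", "college", "unix", "vms", "mainframe",
    "admin", "login", "secret", "matrix",
}

MIN_LENGTH = 6  # "a minimum of six characters in length"


def password_violations(password: str, forbidden=FORBIDDEN_WORDS) -> list[str]:
    """Return the item-8 rules the password breaks; an empty list means it passes."""
    violations = []
    if len(password) < MIN_LENGTH:
        violations.append(f"shorter than {MIN_LENGTH} characters")
    has_upper = any(c.isupper() for c in password)
    has_lower = any(c.islower() for c in password)
    if not (has_upper and has_lower):
        violations.append("not a mix of upper and lower case letters")
    if not any(not c.isalpha() for c in password):
        violations.append("no non-alphabetic character")
    # Dictionary rule. Assumption beyond the literal text: also reject a listed
    # word padded with digits/punctuation (e.g. "Password1!"), since that is the
    # usual way a dictionary word is made to satisfy the other three rules.
    core = re.sub(r"[^a-z]", "", password.lower())
    if password.lower() in forbidden or core in forbidden:
        violations.append("based on a common dictionary word or computing term")
    return violations


def is_acceptable(password: str) -> bool:
    """True when the password satisfies all four item-8 rules."""
    return not password_violations(password)


if __name__ == "__main__":
    for candidate in ("Rv7#mqLp", "abc", "Password1!", "AbCdEfG"):
        print(f"{candidate!r}: {password_violations(candidate) or 'OK'}")
```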

  9. Passwords can be guessed, possibly decrypted, and discovered by tapping into communication lines/wires. Therefore, System Administrators should advise users to change their passwords frequently. Wherever practical, system facilities should be used to invalidate passwords at periodic intervals, compelling users to make such changes.

  10. Passwords must never be contained in a non-encrypted form on the system, even in a protected file. Passwords must not be transmitted via electronic mail. Whenever possible, encrypted passwords should be kept in a protected file. Any exceptions which might be required by the nature of a specific operating system must be determined by management, documented, and periodically reviewed.

  11. The use of encryption is encouraged for all sensitive data. All systems containing sensitive data should provide a key-based encryption/decryption package.

  12. Regular and frequent backups of sensitive information should be maintained. All backups must be stored in a secure manner; additionally, backups of critical data should be securely stored off-site.

  13. Documents concerning security protocols for a number of operating systems are published and can be viewed online. The operating systems described are in common use at the College, and information about security vulnerabilities and remedies is current.

  14. Management, Data Trustees, Departmental Security Administrators, and System Administrators are expected to set a good example through practice of sound security procedures.

For assistance in implementing these guidelines and applying them to specific situations, contact the MATRIX Security Team (telephone 210), or send an e-mail message to be viewed online.

 Copyright © 2005 Mount Zion College of Engineering & Technology
 Last modified: 05/31/06