DoIT 01 01 - Information Security Policy
Effective date: Nov. 5, 2001, revised April 25, 2008
Purpose
This document represents the Information Security Policies of the University of North Carolina at Pembroke. It is the basis for operations and procedures to be followed by technical staff as well as all individuals who access or use the information technology resources of the university.
Audience
These policies have been developed over a long period of time and exist to provide guidance and protection to the university, its resources and those who utilize them.
Policy
1 - Accounts
Accounts are the means by which systems identify users and grant them access to resources. Proper administration of accounts is essential to maintain security and integrity.
1.1 - User Accounts
User accounts are created using standard procedures and deleted in a timely manner. Access to system resources is provided on an as-needed basis.
- Only authorized users may access university computer systems.
- Faculty, staff, students and administrators are assigned accounts upon application.
- Temporary employees may be assigned accounts for the duration of their employment.
- Employees of other agencies or vendors are assigned accounts for the duration of their need for the account.
- Applications for academic systems do not require additional approval.
- Applications for administrative systems require approval by the appropriate data coordinator.
- Applications for group web accounts require approval by the appropriate web information coordinator.
Enforcement
- All accounts assigned to an employee are expired or deleted upon notification from Human Resources that the employee has separated from the university.
- An administrative account assigned to an employee is expired or deleted upon notification from the appropriate data coordinator that the employee no longer requires the account.
- Access privileges on an administrative account are changed upon notification from the appropriate data coordinator that the employee requires different access privileges.
- A group web account assigned to an employee is expired or deleted upon notification from the appropriate web information coordinator that the employee no longer requires the account.
- Student accounts are retained until the student has not enrolled for two normal semesters (fall or winter).
- Upon notification of an employee transfer by Human Resources, the appropriate data coordinator is contacted to determine the continued need for an administrative account.
1.2 - Passwords
Passwords control access to user accounts and system resources. They form a critical level of security and must be used according to the following policies.
- Passwords on academic accounts are to expire every 180 days.
- Passwords on administrative accounts are to expire every 90 days.
- Passwords on system administrator accounts are to expire at least every 60 days.
- Password histories are to be used to prevent passwords from being reused.
- Passwords should be at least six characters in length and may consist of any combination of letters, numbers or other characters accepted by the relevant system. Users are encouraged to use longer passwords and to include digits as well as letters.
- Common English or Spanish words should not be used as passwords. Systems that can prevent the use of common words are to do so.
Enforcement
- Systems that have the capability are to warn users within 20 days of password expiration.
- Passwords are to never be shared with others. Passwords that are inadvertently revealed to others are to be changed immediately.
- Permanent passwords are never to be written down or concealed near a computer system.
- Passwords should be hard to guess and should not correspond to or bear a close association with the user in any way. Examples of passwords to avoid include: names, birthdays, pet names, hobbies, hometowns, home states and words associated with one's alma mater, department, special projects, favorite automobiles, sports teams or fictional characters.
- Passwords that are suspected to be known to others are to be changed immediately.
- Users with multiple accounts are to use multiple passwords.
- DoIT will make more explicit password guidelines widely available.
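The checks above are the ones a system would have to implement to enforce section 1.2: minimum length, rejection of common English or Spanish words, rejection of terms associated with the user, a history that blocks reuse, class-specific expiry (180/90/60 days) and the 20-day expiry warning. The following is an added example written for this page, not code from DoIT or from any university system. The word list, the history depth of five and the account-class names are assumptions the policy does not specify.

```python
"""Password-policy checker modelled on section 1.2 of this policy.

Added example; not part of the policy or of any DoIT system. The common-word
list, HISTORY_DEPTH and the account-class names are assumptions.
"""
from datetime import date, timedelta
import hashlib

# Expiry intervals from the policy, in days, per account class (class names assumed).
EXPIRY_DAYS = {"academic": 180, "administrative": 90, "sysadmin": 60}
WARN_DAYS = 20       # systems are to warn within 20 days of expiration
MIN_LENGTH = 6       # policy minimum; longer is encouraged
HISTORY_DEPTH = 5    # assumption: the policy requires a history but not its depth

# Constructed stand-in for an English/Spanish word list. A real deployment would
# load a full dictionary (for example /usr/share/dict/words plus a Spanish list).
COMMON_WORDS = {"password", "welcome", "summer", "contrasena", "bienvenido"}


def _digest(password: str) -> str:
    # A history normally stores salted hashes; an unsalted SHA-256 is used here
    # only to keep the example self-contained and deterministic.
    return hashlib.sha256(password.encode("utf-8")).hexdigest()


def check_password(password, user_terms, history_digests):
    """Return the list of policy violations for a candidate password.

    user_terms: words associated with the user (name, pet, hometown, team...).
    history_digests: digests of previous passwords, newest first.
    An empty list means the password is acceptable under these rules.
    """
    problems = []
    lowered = password.lower()
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if lowered in COMMON_WORDS:
        problems.append("is a common English or Spanish word")
    for term in user_terms:
        t = term.lower()
        # Very short terms ("al", "nc") would match almost anything, so skip them.
        if len(t) >= 3 and t in lowered:
            problems.append(f"contains user-associated term {term!r}")
    if _digest(password) in history_digests:
        problems.append("reuses a previous password")
    return problems


def record_password(password, history_digests):
    """Return the history with the new password's digest prepended, truncated
    to HISTORY_DEPTH entries so old passwords eventually become reusable."""
    return ([_digest(password)] + list(history_digests))[:HISTORY_DEPTH]


def expiry_status(account_class, last_changed, today):
    """Classify an account's password age as 'ok', 'warn' or 'expired'.

    Returns (status, days_remaining); days_remaining is negative once expired.
    """
    max_age = EXPIRY_DAYS[account_class]
    remaining = (last_changed + timedelta(days=max_age) - today).days
    if remaining <= 0:
        return ("expired", remaining)
    if remaining <= WARN_DAYS:
        return ("warn", remaining)
    return ("ok", remaining)


if __name__ == "__main__":
    # Constructed sample: a staff member whose associated terms are known.
    terms = ["Jane", "Braves", "Pembroke"]
    history = record_password("Xk7!mq2z", [])
    for candidate in ["abc", "Password", "Braves2008", "Xk7!mq2z", "Rm4#vt9q"]:
        print(candidate, "->", check_password(candidate, terms, history) or "ok")
    for cls in EXPIRY_DAYS:
        print(cls, expiry_status(cls, date(2008, 1, 1), date(2008, 3, 25)))
```

Run as a script it prints each constructed candidate with its violations and the expiry state of each account class on 25 March 2008 for a password last changed on 1 January. The user-term check is the part most systems omit; it is what turns the "avoid names, pets, teams" guidance into an enforceable control rather than advice.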
1.3 - Privileged Accounts on Administrative Systems
Privileged accounts on administrative systems have the potential to affect not only the operation of those systems but the entire university.
- Where facilities permit, all activity in accounts with system privileges on administrative systems must be monitored.
- Where facilities permit, all activity in accounts with production privileges and access to command procedures or source programs on administrative systems must be monitored.
- Monitoring of accounts must be completed routinely. Logs of monitoring activity must be maintained.
- Where facilities do not permit monitoring as described in the first two items above, alternative forms of controls must be employed.
2 - Physical Security
Physical security deals with controls over direct physical access to system components and network devices. Physical security is a key layer of overall security and is the foundation of several other layers. Physical security must be maintained at all times.
2.1 - Machine Room Access and Security
The machine room(s) store(s) valuable equipment and sensitive data and must be secured at all times.
- Machine room doors are to remain locked at all times.
- Machine room windows are to be screened to prevent access.
- Normal office hours are Monday-Friday, from 8:00am to 5:00pm. At all other times, doors to offices adjacent to the machine room(s) are to remain locked.
- Only authorized personnel are permitted access to the machine room(s).
- DoIT personnel whose duties require routine access to the equipment within the machine room(s) are permitted to retain the combination. These personnel are identified in Appendix A.
- Personnel whose duties require occasional access to the machine room(s) are not permitted access to the combination. These personnel may have access to the machine room(s) only as long as their duties require and must be supervised by DoIT personnel with access to the combination. These personnel include housekeeping, maintenance or other university staff as well as vendor representatives.
Enforcement
- Upon the approval of the director or assistant directors, guests may tour the machine room. Guests are to be supervised by DoIT employees with access to the combination at all times.
- Any guest or personnel without access to the combination must sign in and out whenever they enter and leave the machine room.
- Combinations to the machine room doors are changed periodically or whenever any staff member with access to the combination leaves the university’s employ or is assigned duties which do not require access to the equipment within the machine room(s).
2.2 - Network Closet Access and Security
Network closets store valuable equipment and allow direct access to network devices. They must be secured at all times.
- Network closet doors are to remain locked at all times.
- Network closet windows are to be screened or barred to prevent access.
- Only authorized personnel are permitted access to network closets.
- DoIT personnel whose duties require access to the equipment within the network closets are permitted to obtain a key. These personnel are identified in Appendix B.
- In those cases where network closets are also used for other purposes, networking equipment is to be secured within a locked cabinet.
Enforcement
- Vendor representatives or other staff whose duties require occasional access to the equipment within a network closet are not permitted to obtain a key. They must be supervised by DoIT personnel with access to a key at all times.
- Upon the approval of the Associate Vice Chancellor, Executive Director or directors, guests may tour a network closet. Guests are to be supervised by DoIT employees with access to a key at all times.
2.3 - Office Suite Access and Security
The office suite of the Division of Information Technology contains a great deal of valuable equipment and sensitive data. The suite must be secured at all times.
- Normal office hours are Monday-Friday, from 8:00am to 5:00pm. At all other times, the doors to the suite are to remain locked.
- Only DoIT personnel are allowed keys to the office suite.
- Temporary and student workers are not permitted to retain keys to the suite, unless their duties require them to enter after normal office hours.
- Only the director and office manager are permitted master keys to each office within the suite.
- DoIT staff should be aware of any visitors and monitor their actions.
2.4 - Operator Area Access and Security
The operator area is the operators' workplace and contains valuable equipment and sensitive data. It provides access to the machine room and must be secured at all times.
- Normal office hours are Monday-Friday, from 8:00am to 5:00pm. At all other times, the doors to the operator’s area and adjacent offices are to remain locked.
- DoIT personnel whose duties require access to the machine room are permitted to retain the combination to the operator’s area. These personnel are identified in Appendix A.
- All DoIT staff are permitted access to the operator’s area during normal office hours.
- Other university staff, guests or vendor representatives whose duties require their presence in the operator's area are to be supervised by DoIT staff at all times.
- DoIT staff should be aware of any visitors and monitor their actions.
3 - Retention of Files from Expired or Deleted Accounts
Although a user account may be expired or deleted, data files stored in those accounts may be important to the university.
- Files in individual directories from expired or deleted accounts on administrative systems may be reviewed and copied by the appropriate data coordinator or programmer.
- Files in individual directories from expired or deleted accounts on academic systems will be kept for six months and then deleted.
- Files in individual directories from expired or deleted accounts on web systems will be kept for six months and then deleted.
4 - Data Retention
Various federal and state requirements exist that dictate the amount of time for which the university must retain data.
5 - Access to Programs and Command Procedures
Access to programs and command procedures has the potential to make a significant impact on the university. This impact includes the risk of exposing confidential information, trade secrets or other materials held under a non-disclosure agreement. It also includes the risk of users or intruders bypassing normal security controls to access or copy confidential information.
- On administrative systems, read access to the source code of programs or command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software.
- On web systems, read access to the source code of programs or command procedures shall be restricted to those administrators or developers whose duties require maintenance or support of the software.
Appendix A - Personnel Authorized to Retain Machine Room Combination
- Associate Vice Chancellor, Information Resources: Robert L. Orr
- Executive Director, DoIT: Tom Jackson
- Enterprise System\Database Administrator: Terry Oxendine
- Director, Networks and System Administration: Kevin Pait
- Director of Applications: Adam Marks
- DoIT Staff: Elaine Locklear, Barry Graves, Tony Chavis, Chris Desmit, Alan Prevatte, Sue Gaston
Appendix B - Personnel Authorized to Obtain Network Closet Keys
- Associate Vice Chancellor, Information Resources: Robert L. Orr
- Executive Director, DoIT: Tom Jackson
- Enterprise System\Database Administrator: Terry Oxendine
- Director, Networks and System Administration: Kevin Pait
- DoIT Staff: Elaine Locklear, Barry Graves, Tony Chavis, Chris Desmit, Alan Prevatte
Updated: Monday, July 14, 2008