The University of Texas-Pan American
Information Resources Security Manual

1. Overview
2. Acceptable Use
3. Account Management
4. Administrative/Special Access
5. Backup Recovery of Systems and Data
6. Change Management
7. Computer Virus Prevention
8. Classification of Sensitive Digital Data
9. Risk Management
10. Reduction of Use and Collection of Social Security Numbers
11. Management of Sensitive Digital Data
12. Electronic Mail (Email)
13. Incident Management
14. Internet Use
15. Information Services (IS) Privacy
16. Network Access
17. Network Configuration
18. Passwords
19. Physical Access
20. Portable Computing and Remote Access
21. Security Monitoring
22. Security Training
23. Server Hardening
24. Software Licensing
25. System Development and Deployment
26. Vendor Access
27. Right to Monitor
28. Disciplinary Actions
Appendix 1
Appendix 2
Appendix 3
Appendix 4
Appendix 5
Appendix 6
DEFINITIONS
REFERENCES

1. Overview
The Information Resources Security and Operations Manual provides guidance and
defines procedures relating to the operational implementation of the Information
Resources Use and Security Policy (HOP 8.9.1). These two documents along with the
Information Resources Acceptable Use Policy (HOP 8.9.2) comprise the policy and
procedures foundation for the UTPA computer security program. The UTPA Security
Operations Manual provides guidance for all individuals that have, or may require,
access to UTPA Information Resources and those with responsibility for maintaining the
Information Resources at UTPA.

2. Acceptable Use

All individuals accessing UTPA Information Resources must formally acknowledge and
abide by the UTPA Acceptable Use Policy. Formal acknowledgement of the Acceptable
Use Policy by all individuals accessing UTPA Information Resources serves as a
compliance and enforcement tool.

Users are responsible for exercising good judgment regarding the reasonableness of
personal use in accordance with all policies associated with the acceptable use of
Information Resources (HOP 8.9.2) and the policy on privacy and security of personal
information (HOP 4.11.1).


3. Account Management
Proper management and use of computer accounts are basic requirements for
protecting UTPA Information Resources. All account passwords, including default
passwords, are to be constructed and managed in accordance with the UTPA password
requirements included in this manual and the Acceptable Use Policy (HOP 8.9.2). The
following account management practices apply:

   All accounts for access to non-public UTPA information resources must follow an
    account creation process. This process shall document who is associated with the
    account, the purpose the account was created for, and who approved the creation of
    the account. All accounts wishing to access non-public UTPA Information Resources
    must have the approval of the Owner of those resources. This includes accounts
    created for use by outside vendors (see section entitled Vendor Access).
   Each account having special privileges must adhere to the UTPA password
    requirements.
   All accounts must be able to be associated with an identifiable individual or group of
    individuals that are authorized to use that account.
   All accounts are uniquely identifiable by an assigned user name.
   Accounts of individuals who have changed roles within UTPA or who have
    separated from their relationship with UTPA will be changed to reflect current needs,
    removed or disabled.
   All vendor accounts are required to have a password expiration date.


4. Administrative/Special Access
All users of administrative/special access accounts with elevated access privileges on
computers, network devices or other critical equipment must be made aware of special
responsibilities associated with the use of special access privileges and not abuse such
privilege. All persons with administrative/special access must adhere to the following
access requirements.

      Individuals that use administrative/special access accounts must use these
       accounts only for their intended administrative purposes.
      Individuals that use administrative/special access accounts may perform
       investigations relating to potential misuse of Information Resources by an
       individual User only under the direction of the Information Security Office.
      Each account used for administrative/special access must adhere to the UTPA
       password requirements as described in section 18.
      UTPA departments must submit to the Information Security Office a list of
       administrative contacts for any systems connected to and applications running on
       the UTPA network.
      All Information Technology Professionals acting as custodians of UTPA data
       must acknowledge their custodial role and responsibilities.
      The password for a shared administrator/special access account must change
       when any individual knowing the password leaves the department or UTPA, or
       changes role, or upon a change in the vendor personnel assigned to UTPA
       contracts and must follow the password requirements as described in section 18.
      For each secured system there must be a password escrow procedure in place
       to enable someone other than the administrator to gain access to the system in
       an emergency situation. Individual user passwords are not escrowed.
      When special access accounts are needed for auditing, software development,
       software installation, or other defined need, they:
            o Must be authorized by the appropriate department head or owner;
            o Must be created with an expiration date; and
            o Must be removed when work is complete.


5. Backup Recovery of Systems and Data
Electronic backups are a business requirement to enable the recovery of data and
applications in the case of events such as natural disasters, system disk drive failures,
espionage, data entry errors, human error, or system operations errors. UTPA requires
the following backup practices:

      All UTPA servers or computers containing data (including research data) or
       programs are backed up as determined by the data owner in consultation with
       technical staff.
      Each college, school, unit or department responsible for a system(s) maintains a
       recovery plan that includes the following:
           o Requirements for off site storage needs.
           o Procedures for recovering data and applications in the case that an
              unexpected event occurs such as a natural disaster, power or system disk
              failure, espionage, data entry error, human error, or other systems
              operation errors;
          o Physical access controls for onsite and offsite storage and media in
             transit.
          o Processes to ensure backups are viable and can be recovered (routine
             testing of backup and recovery procedures)
      The UTPA Audit Office periodically reviews the backup and recovery plan.


6. Change Management
The Information Resources infrastructure at UTPA is constantly changing and evolving
to support the missions of the university. Computer networks, servers, and applications
require planned outages for upgrades, maintenance, and fine-tuning. To ensure reliable
and stable operations, change logs are maintained to assist with problem resolution.
The following change management procedures apply:

      All changes affecting computing environmental facilities (e.g., air-conditioning,
       water, heat, plumbing, electricity, and alarms) should be coordinated with and
       reported to the appropriate college, school, unit or department managing the
       systems in that facility.
      Colleges, schools, units or departments responsible for information resources will
       ensure that the change management procedures and processes they have
       approved are being satisfactorily performed.
      Colleges, schools, units or departments may deny a scheduled or unscheduled
       change for reasons including, but not limited to, inadequate planning, inadequate
       back out contingencies, inopportune timing in terms of impact on service to Users
       or in relation to key business processes such as year end accounting, or lack of
       resources to address potential problems that may be caused by the change.
      Whenever possible, customers will be notified of scheduled and unscheduled
       changes following the steps contained in the Change Management Procedures.
      A responsible college, school, unit or department maintains a Change
       Management Log for all significant changes including emergency changes. At a
       minimum, log entries are to contain the following:
           o Date of submission and date of change;
           o Owner and custodian contact information;
           o Nature of the change; and
           o Indication of success or failure.


7. Computer Virus Prevention
A variety of technologies and practices are required to protect the UTPA network
infrastructure and other Information Resources from threats posed by computer viruses,
worms, and other types of hostile computer programs.

      All UTPA owned and non-University owned systems connecting to the UTPA
       network must install and enable current virus protection software.
      Virus protection software installed on UTPA computers will automatically be
       registered with the centralized anti-virus server.
      Email servers must utilize properly maintained email virus protection software.
      Any computer identified as a security risk due to lack of virus protection or other
       risk factor may be disconnected from the network and the account disabled until
       adequate protection is in place.
      Every instance of a computer virus infection constitutes a security incident and
       must be reported to the IT Help Desk.


8. Classification of Sensitive Digital Data

Owners of Information Resources shall classify all digital assets based on
confidentiality, sensitivity and risk. Sensitive data identified must comply with UT
System Administration, state and federal regulations, but may exceed these standards.
All institutional data must be categorized into three levels as outlined in Appendix 1.


9. Risk Management

Responsibility for risk assessment is divided between the Data Owners, the Data
Custodians and the Division of Information Technology. Each has responsibility for
those parts of risk management in their control.

      Under the guidance of the Information Security Office, UTPA shall conduct and
       document an information security risk assessment annually in accordance with
       TAC 202.72.
      Data Owners and Data Custodians are responsible for the risk assessment of their
       organizations in the handling of confidential and sensitive data in their control
       and compliance with state and federal guidelines.


10. Reduction of Use and Collection of Social Security Numbers

Each individual who accesses the UTPA’s Administration Information Resources must
comply with all policies concerning the control of Social Security Numbers and other
sensitive personal data.

      UTPA recognizes the special risks associated with the collection, use, and
       disclosure of social security numbers. Accordingly, the requirements of section
       10 of this manual apply to all social security numbers contained in any medium,
       including paper records that are collected, maintained, used, or disclosed by
       UTPA.
      UTPA shall discontinue the use of social security numbers as an individual’s
       primary identification number unless required or permitted by law. The social
       security number may be stored as a confidential attribute associated with an
       individual.
      If the collection and use of social security numbers is permitted, but not required,
       by applicable law, UTPA shall use and collect social security numbers only as
       reasonably necessary for the proper administration or accomplishment of their
       respective business, governmental, educational and medical purposes, including,
       but not limited to:
       o As a means of identifying an individual for whom a unique identification
         number is not known;
       o For internal verification or administrative purposes; and
       o Use for verification or administrative purposes by a third party or agent
         conducting UTPA’s business on behalf of UTPA where the third party or
         agent has contracted to comply with the safeguards described in section
         11.

   Except in those instances in which UTPA is legally required to collect a social
    security number, an individual shall not be required to disclose his or her social
    security number, nor shall the individual be denied access to the services at
    issue if the individual refuses to disclose his or her social security number. An
    individual, however, may volunteer his or her social security number. Any request
    by UTPA that an individual provide his or her social security number for
    verification of the individual’s identity where the social security number has
    already been disclosed does not constitute a disclosure for the purposes of this
    Policy. Examples of federal and state laws that require the collection or use of
    social security numbers are included in Appendix 6. Questions about whether a
    particular use is required by law should be directed to the UTPA Information
    Security Office (via infosecurity@utpa.edu) who will consult with the U. T. System
    Office of General Counsel with respect to the interpretation of law.
   UTPA reserves the right to designate only selected offices and/or positions as
    authorized to request that an individual disclose his or her social security
    number.
   UTPA shall assign a unique identifier for each applicant, student, employee,
    insured dependent, research subject, patient, alumnus, donor, contractor, and
    other individuals, as applicable, at the earliest possible point of contact between
    the individual and UTPA. The unique identifier shall be used in all electronic and
    paper Information Systems to identify, track, and serve these individuals. The
    unique identifier shall:

       o Be a component of a system that provides a mechanism for the public
         identification of individuals;
       o Be permanent and unique with UTPA as applicable and remain the
         property of, and subject to the rules of, UTPA; and
       o Not be derived from the social security number of the individual; or in the
         alternative, if the unique identifier is derived from the social security
         number, it must be computationally infeasible to ascertain the social
         security number from the corresponding unique number.

   All services and Information Systems should rely on the identification services
    provided by the UTPA unique identifier system.
   UTPA shall inform individuals when it collects social security numbers.
   Each time UTPA requests that an individual initially disclose his or her social
    security number, it shall provide the notice required by Section 7 of the Federal
    Privacy Act of 1974 (5 U.S.C. § 552a), which requires that the individual be
    informed whether the disclosure is mandatory or voluntary, by what statutory or
    other authority the number is solicited, and what uses will be made of it. A
    subsequent request for production of a social security number for verification
    purposes does not require the provision of another notice.
   The notice shall use the applicable text from Appendix 2 or such other text as
    may be approved by the UTPA Information Security Office who will consult with
    U. T. System Office of General Counsel with respect to the interpretation of law.
   It is preferable that the notice be given in writing, but if at times it will be given
    orally, procedures shall be implemented to assure and document that the notice
    is properly and consistently given.
   Existing stocks of forms need not be reprinted with the disclosure notice; the
    notice may be appended to the form. Future forms and reprints of existing stock
    must include the notice printed on the form.
   In addition to the notice required by the Federal Privacy Act, when the social
    security number is collected by means of a form completed and filed by the
    individual, whether the form is printed or electronic, the notice as required by
    Section 559.003 of the Texas Government Code must also be provided. That
    section requires that UTPA state on the paper form or prominently post on the
    Internet site in connection with the form that: with few exceptions, the individual is
    entitled on request to be informed about the information that is collected
    about the individual; under Sections 552.021 and 552.023 of the Texas
    Government Code, the individual is entitled to receive and review the information;
    and under Section 559.004 of the Texas Government Code, the individual is
    entitled to have the incorrect information about the individual corrected.
   Employees may not seek out or use social security numbers relating to others for
    their own interest or advantage.
   UTPA must reduce the public display of social security numbers.
   Grades may not be publicly posted or displayed in a manner in which all or any
    portion of either the social security number or the unique identifier identifies the
    individual associated with the information.
   The social security number may not be displayed on documents that can be
    widely seen by the general public (such as time cards, rosters, and bulletin board
    postings) unless required by law. This section does not prohibit the inclusion of
    the social security number on transcripts or on materials for federal or state Data
    reporting requirements.
   If UTPA sends materials containing social security numbers through the mail, it
    shall take reasonable steps to place the social security number on the document
    so as not to reveal the number in the envelope window.
   UTPA shall prohibit employees from sending social security numbers across
    a network unless the connection is encrypted end-to-end or the social security
    number is encrypted or otherwise secured.
   UTPA shall require employees sending social security numbers by fax to take
    appropriate measures to protect the confidentiality of the fax (such measures
    include confirming with the recipient that the recipient is monitoring the fax
    machine).
   UTPA shall not print or cause the individual’s social security number to be printed
    on a card or other device required to access a product or service provided by or
    through UTPA.
   All Information Systems acquired or developed after January 30, 2004 must
    comply with the following:

          o The Information System must use the social security number only as a
            Data element or alternate key to a database and not as a primary key to a
            database;
          o The Information System must not display social security numbers visually
            (such as on monitors, printed forms, system outputs) unless required or
            permitted by law or permitted by policy;
          o Name and directory systems must be capable of being indexed or keyed
            on the unique identifier, once it is assigned, and not on the social security
            number; and
          o For those databases that require social security numbers, the databases
            may automatically cross-reference between social security numbers and
            other information through the use of conversion tables with the Information
            System or other technical mechanisms.


11. Management of Sensitive Digital Data

UTPA’s Minimum Security Standards for Systems describe and require appropriate
steps to protect Category-I Digital Data (e.g., social security numbers, protected health
information (PHI), sensitive research data, digital data associated with an individual
and/or digital data protected by law) stored on UTPA’s computing devices.

UTPA shall control and monitor access to its Category-I Digital Data based on Data
sensitivity and risk (as determined in accordance with Section 9) and by the use of
appropriate physical and technical safeguards.

      UTPA shall limit access to records containing Category-I Digital Data to those
       employees who need access to the Data for the performance of the employee’s
       job responsibilities.

          o Employees may not request disclosure of Category-I Digital Data if it is not
            necessary and relevant to the purposes of UTPA and the particular
            function for which the employee is responsible.

          o UTPA shall monitor access to records containing Category-I Digital Data
            by the use of appropriate measures as reasonably determined by UTPA.

      Employees may not disclose Category-I Digital Data to unauthorized persons or
       entities except:

          o As required or permitted by law;

          o With the consent of the individual;

          o Where the third party is the agent or contractor for UTPA and the
            safeguards described in this section are in place to prevent unauthorized
            distribution; or

          o As approved by U. T. System Office of General Counsel.

      If UTPA intends to provide Category-I Digital Data to a third party acting as an
       agent of or otherwise on behalf of UTPA (such as an application service provider)
       and if it determines that its provision of Category-I Digital Data to a third party will
       result in a significant risk to the confidentiality and/or integrity of such Data, a
       written agreement with the third party is required which must specify terms and
       conditions that protect the confidentiality and/or integrity of the Category-I Digital
       Data as outlined in this manual. The written agreement must require the third
       party to use appropriate administrative, physical, and technical safeguards to
       protect the confidentiality and/or integrity of all Category-I Digital Data obtained
       and that UTPA, as applicable, shall monitor compliance with the provisions of the
       written agreement.

      The appropriate UTPA official (e.g., the Procurement Office) must review such
       written agreements prior to approval.

UTPA shall implement security safeguards to protect its Category-I Digital Data. Such
safeguards shall be appropriate to the confidentiality and/or integrity needs of the Digital
Data to be protected based on the risk.

      UTPA shall protect the security of records containing Category-I Digital Data
       during storage using physical and technical safeguards (such safeguards may
       include encrypting electronic records, including backups, and locking physical
       files.)

      Unless otherwise required by UT System Administration, federal or state law or
       regulation, Category-I Digital Data must not be stored on UTPA or non-University
       owned computers or other electronic devices (e.g., laptop, hand-held device,
       Flash drive, or other portable computing devices) unless:

             It is secured against unauthorized access in accordance with this Manual;

             It will not compromise business or Research efforts or privacy interests if
              lost or destroyed; and

UTPA shall discard electronic media (e.g., disks, tapes, hard drives, etc) containing
Category-I Digital Data as follows:

      In a verifiable manner that adequately protects the confidentiality of the
       Category-I Digital Data and renders it unrecoverable, such as modifying the
       electronic media to make it unreadable or indecipherable or otherwise physically
       destroying the electronic media; and

      In accordance with the Management and Retention Records policy.
       http://www.utpa.edu/hop/files/pdf//C1332526.pdf .

      All copiers or multifunction printers possessing electronic storage memory that
       leave the control of UTPA must be cleared of all potentially sensitive information
       by erasing the hard disk drive or memory storage device. If the machine is leased,
       then the Information Security Administrator or custodian of the machine is
       responsible for contacting the lessor and making arrangements for the machine's
       memory storage device to be erased so as to prevent potentially sensitive
       information from leaving the control of UTPA. This requirement applies
       regardless of whether the machine is being returned to the lessor at the end of
       the lease period, is being exchanged for another machine, or is to be
       serviced and is otherwise leaving the control of UTPA.


      All copiers, printers, or devices having an internal memory and that are leased
      need to have language in the contract that ensures the internal memory will be
      erased before leaving the control of UTPA.


UTPA shall, based on risk, implement all appropriate technical safeguards necessary to
adequately protect the security of Category-I Digital Data during electronic
communications or transmissions.


12. Electronic Mail (Email)

Email is an essential tool for communicating within UTPA. It is important that
unimpeded email services be available at all times and that email be used in a manner
that achieves its purpose without exposing UTPA to unnecessary technical, financial, or
legal risks. The following practices apply:

         Each faculty member, staff, or student assigned a UTPA e-mail address shall
          exercise prudent e-mail use in accordance with the UTPA policies, standards,
          and/or procedures related to Information Resources acceptable use and
          retention.
         All User activity on UTPA Information Resources assets is subject to logging
          and review.
         Although users retain a reasonable expectation of privacy, e-mail residing in
          university systems is the property of the state.
         Business related email should not be forwarded to other email accounts.
         To reduce spam and protect the email environment from malicious viruses,
          worms or other threats, the Information Security Office, or an otherwise
          appropriate department may filter, block, and/or strip potentially harmful code
          from messages originating from sites known for distribution of spam or
          malicious code.
         Solicitation on University computing and network resources is prohibited by
          the Rules and Regulations of the University of Texas Board of Regents.
          Accordingly, the contact information provided in university directories may not
          be used for transmission and distribution of unsolicited e-mail or other
          commercial purposes.

             o The University does have an official University Group E-mail System
               https://broncnotes.utpa.edu which can be used by authorized persons
               to send e-mail to large groups in the University community, including
               all students, faculty and staff.

13. Incident Management
Incident management is needed to protect UTPA Information Resources and assure
continued operations in the event of a security breach or misuse of Information
Resources.

      The Information Security Office is required to establish and follow Incident
       Management Procedures to ensure that each incident is reported, documented
       and resolved in a manner that restores operation quickly and, if required,
       maintains evidence for further disciplinary, legal or law enforcement actions.
      All faculty members, staff, and/or students shall promptly report any unauthorized
       or inappropriate disclosure of confidential data, including social security numbers, to
       the University Chief Information Security Officer (via infosecurity@utpa.edu or
       956-318-7124) and their supervisors.
      The UTPA Chief Information Security Officer shall report to the U. T. System
       CISO incidents involving computer security that compromise the security,
       confidentiality, or integrity of Confidential Data or personal identifying information
       it maintains.
      UTPA shall disclose, in accordance with applicable federal or state law, incidents
       involving computer security that compromise the security, confidentiality, and/or
       integrity of personal identifying information it maintains to any resident of Texas
       and Data Owners whose personal identifying information was, or is reasonably
       believed to have been, acquired without authorization.
      Disclosure shall be made as quickly as possible upon the discovery or receipt of
       notification of the incident taking into consideration (a) the time necessary to
       determine the scope of the incident and restore the reasonable integrity of
       operations or (b) any request of a law enforcement agency that determines that
       the notification will impede a criminal investigation. The notification shall be made
       as soon as the law enforcement agency determines that it will not compromise
       the investigation.

The Information Security Office Incident Management Procedures must incorporate the
following:

      UTPA will establish a Computer Incident Response Team (CIRT) that, in the
       event of a significant computer security incident, will initiate and follow the
       Incident Management Procedures. The members of this team will have defined
       roles and responsibilities which, based on the severity of the incident, may take
       priority over normal duties.
      The University Chief Information Security Officer will report the incident to the
       appropriate university, state, and federal agencies and departments as required
       by governing laws, rules, and procedures.
      The Information Security Office, working with the selected Computer Incident
       Response Team members, will determine if a widespread UTPA communication
       is required, the content of any such communication, and the method of
       distribution. The Office of the Vice President for Information Technology and/or
       the Office of the Vice President for Public Affairs will handle any communications
       to the general public.
      The Information Security Office will be responsible for maintaining a chain of
       evidence on incidents it investigates, or participates in investigating, in case the
       incident needs to be referred to law enforcement or other legal proceedings.
      The Information Security Office is responsible for determining the physical and
       electronic evidence to be gathered as part of the incident investigation, except in
       cases involving appropriate law enforcement personnel, where the University
       Police Department or other law enforcement agencies will make these
       determinations.
      Technical staff members from the Computer Incident Response Team (CIRT),
       led by the University Chief Information Security Officer, are responsible for
       ensuring that any damage from a security incident is repaired or mitigated and
       that the vulnerability is eliminated or minimized.
      The Information Security Office is responsible for communicating new issues or
       vulnerabilities to vendors as needed, and for working with the vendors to
       eliminate or mitigate the vulnerabilities.
      The Information Security Office is responsible for initiating, completing, and
       documenting the incident investigation with assistance from the Computer
       Incident Response Team. The University Police Department serves as liaison
       with law enforcement organizations.



14. Internet Use
UTPA network Users must adhere to prudent and responsible Internet practices to
mitigate risks associated with the Internet. The following practices apply:

      To mitigate the risks associated with connecting to the Internet, all UTPA network
       users must adhere to prudent and responsible use practices as outlined in the
       UTPA Acceptable Use Policy and must ensure devices utilizing the UTPA
       network comply with the UTPA Minimum Security Standards for Systems.
      All confidential, personally identifiable, protected health information or student
       data transmitted over the Internet must be encrypted (see appendix 3).
      Personal commercial advertising must not be posted on UTPA web sites.



15. Information Services (IS) Privacy
To manage systems and enforce security, UTPA may log, review, and otherwise utilize
any information stored on or passing through its Information Resource systems in
accordance with the provisions and safeguards provided in the Texas Administrative
Code 202.1-8, Information Resource Standards.

In suspected cases of abuse of Information Resources, the contents of any email or file
may be reviewed in accordance with provisions defined in the Disciplinary section in this
manual.

Access to data will be limited in scope based on business need.
16. Network Access
Access to the network is managed to ensure the reliability of the network and the
integrity and appropriate use of information contained within the network. The following
network access procedures apply:

          All network users are required to acknowledge and abide by all policies
           relating to the acceptable use of Information Resources.
          Network Services is required to approve all access methods, installation of all
           network hardware connected to the local-area network, and methods and
           requirements for attachment of any computer systems or devices to any
           UTPA network to ensure that access to the network does not compromise the
           operations and reliability of the network, or compromise the integrity of use of
           information contained within the network.
          Network Services will, at its discretion, disable any unauthorized or non-
           compliant wireless equipment and services that it discovers on the UTPA
           network.
          Traditional wired networks, unlike wireless systems, provide inherent security
           through the use of a physical dedicated medium. Consequently, activities
           requiring robust service levels and/or the transmission of confidential and
           sensitive information shall be limited to wired networks.


17. Network Configuration
Network Services is designated with the responsibility for the UTPA networking
infrastructure, which includes all cabling, wireless signaling, and connected electronic
devices, to ensure reliability of operations, proper accessibility to resources, and
protection of data integrity. Network Services is specifically responsible for the following:

      Maintaining a reliable network with as much built-in redundancy as is feasible to
       acquire and maintain.
      Ensuring that all systems are physically identifiable (such as port and room
       number).
      Installing or authorizing a contractor to install all cabling and network hardware.
      Making all changes to the configuration of active network management
       devices.
      Setting all protocols and standards used on the UTPA network.
      Approving the specification used to configure all network equipment connected to
       the UTPA network.
      Wireless networking infrastructure must abide by the Texas Administrative Code
       (TAC) 202 requirements.
      Wireless services and equipment will be standardized and must conform to the
       802.1x security model for authentication, key management and the use of
       cryptographic keys for encryption that is greater than 80 bits.
      To prevent unauthorized access and easy viewing of data on the internal
       network, each wireless deployment must enable Wi-Fi Protected Access (WPA
       or WPA2).

18. Passwords
Strong passwords are required to control access to UTPA Information Resources. All
account passwords must be constructed, implemented, and maintained according to
the following, as technology permits:

      Passwords must:
          o Be at least 10 characters in length; and
          o Be minimally composed of case sensitive letters and digits.
          o Be changed according to established schedules.
          o Be treated as confidential information.
          o Be encrypted when stored or transmitted.
          o Be changed immediately if the security of the password is in doubt.
          o Be changed once a year.
      Passwords must not:
          o Include personal information such as your name, phone number, social
              security number, date of birth, or addresses.
          o Contain words found in a dictionary (English or Foreign), acronyms or popular
              phrases.
          o Contain the user’s account name or respective UTPA ID.
          o Re-use any of the account’s last 10 passwords.
          o Be shared with anyone.
      Security tokens (i.e. Smartcards and other access and identification devices)
       must be returned on demand or upon termination of the relationship with UTPA.
      Administrators must not circumvent the password guidelines requirements for the
       sake of ease of use.
      Unattended computing devices must be secured from unauthorized access.
       Physical security options include barriers such as locked doors or security
       cables. Logical security options include screen saver passwords and automatic
       session time-outs.
      Help Desk password change procedures must include the following:
          o Authentication of the User prior to changing the password (Acceptable
              forms of authentication include answering a series of specific questions,
              having the person come to the Help Desk with one or more forms of
              Government Picture ID to request a password change).
          o Changing to a strong password.
          o Requiring the User to change the password at first login.

For additional information on passwords and Identity Management please see the UT
System Administration Member Operating Practices
(https://idm.utsystem.edu/utfed/index.html).


19. Physical Access
The granting, controlling, and monitoring of physical access is an important part of
the overall security program:



       Physical access to all Information Resources restricted facilities must be
        managed.
       All Information Resource facilities must be physically protected in proportion to
        the criticality or importance of their function at UTPA, and the confidentiality of
        any impacted data resources affected.
       Access to Information Resources facilities must be granted only to UTPA
        personnel and contractors whose job responsibilities require access to that
        facility.
       The process for granting access to Information Resource facilities must include
        the approval of the Information Resource Manager or his or her designee.
       Access cards and/or keys must not be shared or loaned to others.
       Access cards, and/or keys, that are no longer required must be returned to the
        Physical Plant Locksmith. Cards and keys must not be reallocated to another
        individual bypassing the return process.
       Lost or stolen access cards and/or keys must be reported as soon as possible as
        described in HOP 8.12.2 Section D 2.
       The Physical Plant Locksmith maintains electronic key access records for
        Information Resources facilities.
       The person responsible for the Information Resources facility must notify the
        Physical Plant Locksmith as soon as possible to remove the card and/or key
        access rights of individuals that change roles within the UTPA or who are
        separated from their relationship with the institution.
       Visitors must be escorted in controlled areas of Information Resources facilities.
       The Information Resource Manager or a designee must review access records
        for secured Information Resource facilities on a periodic basis and investigate
        any unusual access.
       The Information Resource Manager or a designee must review card and/or key
        access rights for secured Information Resource facilities on a periodic basis and
        remove access for individuals that no longer require access.
       Signage for restricted access rooms and locations must be practical. Minimal
        discernible evidence of the importance of the location should be displayed.


20. Portable Computing and Remote Access
Computers and devices used to access the UTPA infrastructure must do so in a manner
that preserves the integrity, availability, and confidentiality of UTPA information.

   Remote access to the UTPA network may be made only through approved
    connection methods (i.e. VPN, or approved protocols).
   All university and non-university owned portable computing devices storing
    university sensitive digital data must also comply with U. T. System Security Practice
    Bulletin #1 (SPB-1) http://www.utsystem.edu/ciso/SPB1.pdf.


21. Security Monitoring
Security monitoring is used to confirm that security practices and controls in place are
being adhered to and are effective. Monitoring consists of activities such as automated
notification of security breaches and automated or manual review of logs and error files.
The following monitoring requirements apply to Information Resources at UTPA:

      Based on risk assessment, operating system, user accounting, and application
       software audit logging processes will be enabled on host and server systems.
      Alarm and alert functions of any firewalls and other network perimeter access
       control systems must be enabled.
      Audit logging of any firewalls and other network perimeter access control
       systems must be enabled.
      Automated tools will provide real time notification of detected wrongdoing and
       vulnerability exploitation. Where possible a security baseline will be developed
       and the tools will report exceptions to the extent technically feasible. These tools
       will be deployed to monitor:
            o Internet traffic
            o Electronic mail traffic
            o Local area network traffic
      The following files will be monitored for signs of wrongdoing and vulnerability
       exploitation at a frequency determined by risk:
            o Server logs
            o Automated intrusion detection system logs
            o Firewall logs
            o User account logs
            o Network scanning logs
            o System error logs
            o Application logs
            o Data backup and recovery logs
            o Help Desk trouble calls
            o Telephone activity – Call detail reports
      The following checks will be performed at least annually by assigned individuals:
            o Unauthorized network devices
      Any security issues discovered will be reported to the Information Security Office and
       appropriate executive officials (see Disciplinary Actions section of this manual).


22. Security Training
The Information Security Office is charged with providing a combination of general
computer security awareness and supported products training.

      All Users of UTPA Information Resources will be provided with security
       awareness materials to allow them to properly protect UTPA Information
       Resources.
           o All new Users will receive introductory security awareness. Security
              awareness training for all faculty and staff will be offered.
      All users must acknowledge they received the information about UTPA
       requirements regarding computer security policies and procedures (part of the
       Acceptable Use Policy).



23. Server Hardening
Servers are used to deliver information and services throughout UTPA. Information and
services must be delivered securely and reliably to assure that data integrity,
confidentiality, and availability are preserved. To achieve these goals, servers must be
installed and maintained in a manner that minimizes service disruptions and prevents
unauthorized access or use. The following standards apply:

      A server must not be connected to the UTPA network until it is in a secured state
       and location.
      All server installations must follow HOP 8.9.4, which details UTPA’s Server
       Management Policy.
      It is also advised that UTPA Server Administrators follow the UTPA Information
       Security Office Server Checklist (see appendix 4) to ensure that their servers are
       in compliance with UTPA policy.
      Each College, School, Unit, or Department responsible for a Server(s) tests
       security patches before installation where technically feasible.
      Each College, School, Unit, or Department responsible for a Server(s) scans all
       servers on a monthly basis to verify that necessary patches have been installed.

24. Software Licensing
All software used on UTPA computers will be used in accordance with the applicable
software license. Unauthorized or unlicensed use of software is regarded as a serious
violation subject to disciplinary action and any such use is without the consent of UTPA:

      UTPA will provide a sufficient number of licensed copies of core business
       software to enable faculty and staff to perform their work in an expedient and
       effective manner.
      Systems administrators have the right to remove software from UTPA computers
       for cause, for example if a User cannot show proof of license, or if the software is
       not required for University business purposes and causes problems on the
       University owned computer.
      All departments or individuals managing UTPA owned computers will periodically
       audit all computers to inventory and document all installed software.
      UTPA departments are responsible for the accurate accounting of software
       purchased by the department and must ensure that the installation of the
       software complies with the license agreement of the software. For audit
       purposes, departments must maintain proof of purchase and/or original
       installation media for each software package.


25. System Development and Deployment
The protection of Information Resources (including data confidentiality, integrity, and
accessibility) must be considered during the development or purchase of new computer
applications.

      All associated systems and applications must restrict access and must provide
       methods for appropriately restricting privileges of authorized users. Access to
       applications is granted on a need-to-access basis.
      Separate production and development environments will be maintained to ensure
       the security and reliability of the production system. Exceptions to this must be
       approved by the Information Resource Manager.
      Whenever possible, new development or modifications to a production system
       will be made first in a development test environment. These changes are
       thoroughly tested for valid functionality before being released to the production
       environment.
      Information technology outsourcing contracts must address security, backup, and
       privacy requirements, and should include right-to-audit, annual third party
       certification of current controls, or other provisions to provide appropriate
       assurances that applications and Data will be adequately protected. Vendors
       must adhere to all federal and state laws and Regents’ Rules pertaining to the
       protection of Information Resources and privacy of Sensitive Data.

26. Vendor Access
Vendors serve an important function in the support of hardware and software and in
some cases possibly even the operations of computer networks, servers, and/or
applications.

      Vendors must comply with the Information Resources Use and Security Policy,
       and any UTPA department engaging a vendor must provide the vendor with a
       copy of this policy and any other procedures they must follow, including, but not
       limited to:
           o Safety
           o Privacy
           o Security
           o Auditing
           o Software licensing
           o Acceptable Use
      Vendors will adhere to UT System Administration requirements, Federal and
       State laws to which UTPA must adhere.
      Vendor agreements and contracts must specifically reference The Information
       Resources Use and Security Policy, The Information Resources Acceptable Use
       Policy, and the Information Resources Security Operations Manual.
      Vendor agreements and contracts must address the following issues:
           o the UTPA information the vendor may access.
           o the vendor’s responsibility to protect UTPA information.
           o the vendor’s responsibility regarding the deletion, destruction, disposal or
               return of UTPA information at the end of the contract.
           o the vendor’s responsibility to use UTPA information only for the purpose of
               the business agreement.
           o UTPA right to audit and otherwise verify the security of university
               information and other resources in the possession of or being managed by
               the vendor and the University’s right to investigate any security breaches
               involving these resources.
      The UTPA data owners will provide an Information Resources point of contact for
       the vendor. The point of contact will work with the vendor to make certain the
       vendor is in compliance with these policies.

   Each vendor must provide UTPA with a list of all employees working on the
    contract. The list must be updated and provided to UTPA within 24 hours of staff
    changes.
   The Owner of the information, in consultation with and with agreement from the VP of
    Information Technology, has the right to approve or disapprove for cause any
    vendor employee having access to UTPA sensitive or confidential information.
   Vendors must report all security incidents to the Information Resource Manager
    or the Information Security Office.
   Each vendor must follow all applicable UTPA change control processes and
    procedures approved by Information Technology.
   For contracts involving onsite work, regular work hours and duties will be defined
    in the contract. The Information Resource Manager and the department head of
    the department receiving the contract must approve in writing work outside
    defined parameters.
   All vendor accounts and maintenance equipment connecting the UTPA network
    to the Internet or outside organizations will remain disabled except when in use
    for authorized maintenance.
   Vendor accounts providing access to UTPA Information Resources must be
    uniquely identifiable and passwords must comply with the UTPA password
    requirements as detailed in this manual.
   Vendors must maintain a log of major work activities that is available to UTPA
    management upon request. Logs may include such events as personnel
    changes, password changes, project milestones, deliverables, and arrival and
    departure times, as necessary for a given contract.
   Upon departure of a vendor employee from a UTPA contract for any reason, the
    vendor will ensure that the employee's access to all UTPA sensitive and
    confidential information is removed within 24 hours in a manner agreed upon by
    UTPA.
   Upon termination of a contract or at the request of UTPA, the vendor will return,
    delete or destroy all UTPA information and provide written certification of that
    return, deletion, or destruction within 24 hours.
   Upon termination of a contract or at the request of UTPA, the vendor must
    immediately surrender all UTPA property and Information Resources. Authorized
    UTPA management must document any equipment and/or supplies to be
    retained by the vendor.
   Vendors are required to comply with all UT System Administration, State of
    Texas, Federal and UTPA auditing requirements, including the auditing of the
    vendor's work.
   All software used by the vendor in providing service to UTPA must be properly
    inventoried and licensed. Software provided by UTPA installed on vendor
    equipment must be removed at the end of the contract.
   All vendor accounts are required to have an expiration date.
   To protect UTPA intellectual property, information technology vendor
    contracts must be in accordance with the Board of Regents’ Rules and
    Regulations concerning intellectual property available on the UTPA web site.




27. Right to Monitor

Pursuant to Title 1 Texas Administrative Code § 202.75 (7) and to ensure compliance
with this Policy and state laws and regulations related to the use and security of
Information Resources, the UTPA Information Security Office and IT Network Services
have the authority and responsibility to monitor Information Resources in accordance
with the UTPA Network Monitoring Guidelines (See Appendix 5).

28. Disciplinary Actions

Misuse or destruction of Information Resources can vary in severity and appropriate
disciplinary actions should be taken in proportion to the incident. It is not the role of
Information Technology professionals to impose discipline, but it is their role to
protect/secure resources, to identify potential incidents and to bring such incidents to
the attention of executive management. The following guidelines apply:
 Suspected incidents involving faculty or staff misuse should be brought to the
    attention of the appropriate departmental management.
 Suspected incidents involving student misuse of Information Technology should be
    brought to the attention of Student Judicial Affairs.
 If an investigation involving review of the content of a faculty member, staff member
    or student’s files is required, written permission will be obtained from an executive
    officer.
 If it is determined that a misuse violation has occurred by a faculty or staff member,
    this should be brought to the attention of the employee’s departmental management,
    the Office of Human Resources and, in the case of criminal violation, the University
    Police.
 Violations by non-employees will be referred to the appropriate authorities. The
    U. T. System Administration Office of General Counsel may be contacted to provide
    direction in terms of identifying the appropriate authority.




Appendix 1 – Data Classification Standard

The Data Classification Standard:
   applies to all data created and maintained by all campuses, except where
      superseded by grant or other contract or by federal copyright law;
   applies to all authorized users of the University’s computing resources;
   complies with applicable federal and state laws which govern the privacy and
      confidentiality of data.
Classifying Data
All institutional data must be categorized into one of the three levels outlined below.
Generally speaking,
   public data (Category-III below) can be seen by anyone, but it requires protection
      against unauthorized modification.
   Category-II data are sensitive, i.e., only authorized individuals may see or modify the
      information. Custom access control procedures are required. Improper disclosure
      may result in harm to the organization or to individuals.
   Category-I requires more care than sensitive data. Improper disclosure may result in
      significant legal or financial harm.




 To classify your data, be sure you understand these classifications.

                  Category-I                Category-II                       Category-III
                  High level of             Moderate level of sensitivity     Low level of
                  sensitivity                                                 sensitivity

Legal             Protection of data is     Protection of data will prevent   Protection of data
Requirements      required by law,*         poor business decisions,          will avoid negative
                  reduces liability and     inaccurate research conclusions,  publicity
                  negative publicity        potential liability, and
                                            moderate negative publicity

Risk              Long-term loss of         Short-term loss of reputation     Loss of data with no impact
                    reputation              Short-term loss of research         to the university
                  Long-term loss of           funding                         Inaccurate general
                    research funding        Short-term loss of departmental     information
                  Long-term loss of           services
                    critical campus or      Unauthorized tampering of
                    departmental services     research data
                  Unauthorized tampering
                    of research data

Data examples     Health related research   Project data                      Institutionally published
                  Personnel information     HR data that is not sensitive       public data
                  Financial data            Research data or results that     Academic course descriptions
                  Credit cards                are not sensitive               Directory information
                  Social Security Numbers   Business transactions that are
                  Official transcripts        not sensitive
                  HR records

 * Examples are non-directory information protected by FERPA or Gramm-Leach-Bliley,
 donor data, employee data, and University data that are not otherwise protected by
 statute, but which must be protected due to contractual agreements requiring
 confidentiality, such as Non-Disclosure Agreements.

Some of your data will fit easily into the categories listed above. If you have doubts
about the classification, please give your data ratings based on the confidentiality,
integrity and availability (CIA) requirements outlined below.

For systems containing mixed categories of data, base your classification on the most
confidential data stored in the system. Even if the system stores data that could be
made available in response to an open records request or information that is public, the
entire system must be protected as appropriate for its most confidential data.

Confidentiality – What are the consequences if the data are exposed, copied or
deleted? Is there a legal requirement to restrict access? If the need for confidentiality is
high, the data should be classified as Category-I, and protection should include limited
access, encryption and monitoring.

Integrity – Is accuracy of the data critical? Do operations, research or similar actions
depend on the reliability and accuracy of the data? If the need for integrity is high, the
data should be classified as Category-I.

Availability – Is the data needed in critical operations? Would temporary loss of the
data cause serious processing delays? If so, the data is to be classified as Category-I.

In all cases, if the evaluation finds that the data are of medium sensitivity or need medium
levels of integrity and/or availability, they should be assigned a Category-II designation.
All other data (not Category I or II) will fall into the third Category.

If you are creating a new system that has Category-I data, you should inform the Office
of Information Technology, so that plans can be developed for its protection.

Examples
   1. Social Security Numbers: Category-I data
           a. Protected from disclosure through UTS 165 of the University of Texas
              System; should not be collected except when required by law.
           b. Confidentiality is required
           c. Need for Integrity is high
           d. Need for Availability is limited (should not be available for most purposes)
   2. Blogs: Category-III data
           a. Blogs are open documents, to be shared with the public. Their contents
              may be subject to change without serious implications for the hosting
              individual or department. They are not necessary to the ongoing mission
              of the University and can, therefore, be removed or taken offline
              temporarily without serious consequence.
           b. Confidentiality is low
           c. Need for Integrity is low
           d. Need for Availability is low
   3. Sensitive Digital Research Data: Category-I
           a. Sensitive research data requires the highest level of security in order to
              protect the University’s intellectual property or to preserve the
              confidentiality of human research subjects’ identity. The researcher
              (Principal Investigator) has the ultimate responsibility to determine the
              classification of the data.
           b. Confidentiality is high
           c. Need for Integrity is high
           d. Need for Availability is medium
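
Added example, not part of the manual: the rating rule and the mixed-system rule above, applied in Python to an inventory of data sets. The names DataSet, classify, classify_system and report are hypothetical, and entering "Confidentiality is required" as high and "limited" availability as low is an assumption.

```python
"""Added example: the CIA rating rule above applied to an inventory of data sets."""
from dataclasses import dataclass

# Assumption: ratings are written with the manual's own words. "limited"
# (used once above, for SSN availability) is treated here as "low".
LEVELS = {"low": 0, "limited": 0, "medium": 1, "high": 2}
CATEGORY_FOR_LEVEL = {2: "I", 1: "II", 0: "III"}
RANK = {"I": 0, "II": 1, "III": 2}  # lower rank = more protection required


@dataclass(frozen=True)
class DataSet:
    name: str
    confidentiality: str
    integrity: str
    availability: str


def classify(ds):
    """Category I if any need is high, II if any is medium, otherwise III."""
    ratings = (ds.confidentiality, ds.integrity, ds.availability)
    try:
        highest = max(LEVELS[r.strip().lower()] for r in ratings)
    except KeyError as exc:
        # Refuse to guess: a mistyped rating must not silently become Category III.
        raise ValueError(f"{ds.name}: unrecognised rating {exc}") from None
    return CATEGORY_FOR_LEVEL[highest]


def classify_system(datasets):
    """Return (system category, data sets that force it, per-data-set categories)."""
    if not datasets:
        raise ValueError("cannot classify a system with no data sets listed")
    per_set = {ds.name: classify(ds) for ds in datasets}
    # A mixed system is protected as appropriate for its most confidential data.
    governing = min(per_set.values(), key=RANK.__getitem__)
    drivers = sorted(name for name, cat in per_set.items() if cat == governing)
    return governing, drivers, per_set


def report(system_name, datasets, new_system=False):
    """One-line summary; flags new Category-I systems for the Office of IT."""
    category, drivers, _ = classify_system(datasets)
    line = f"{system_name}: Category-{category} (driven by {', '.join(drivers)})"
    if new_system and category == "I":
        line += "; inform the Office of Information Technology"
    return line


# The three worked examples from the manual, with the ratings it states
# ("Confidentiality is required" for SSNs is entered as "high": assumption).
SSN = DataSet("Social Security Numbers", "high", "high", "limited")
BLOGS = DataSet("Blogs", "low", "low", "low")
RESEARCH = DataSet("Sensitive research data", "high", "high", "medium")
# Constructed data set (not from the manual): a medium rating on one axis only.
PROJECT = DataSet("Project data", "medium", "low", "low")

if __name__ == "__main__":
    for ds in (SSN, BLOGS, RESEARCH, PROJECT):
        print(f"{ds.name}: Category-{classify(ds)}")
    # Constructed mixed systems: public content stored beside more sensitive data.
    print(report("dept-web", [BLOGS, PROJECT]))
    print(report("hr-portal", [BLOGS, PROJECT, SSN], new_system=True))
```
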

Appendix 2 – Sample Disclosures

Disclosure for the employment process.

Disclosure of your social security number (“SSN”) is requested as part of your
application for employment with The University of Texas at __________ (the
“University”). During the employment application process, your SSN will be used as a
unique number in order to identify you within the University’s current applicant tracking
system. Disclosure of your SSN at the time that you apply for employment is voluntary,
but disclosure of your SSN is mandatory before you may be employed by the University.
Federal law requires the University to report income and SSNs for all employees to
whom compensation is paid. Employee SSNs are maintained and used by the
University for payroll, benefits, internal verification, and administrative purposes, to
verify employment, and to conduct background checks for security sensitive positions.
The University reports SSNs to Federal and State agencies or their contractors as
authorized or required by law and for benefits purposes. Further disclosure of your SSN
is governed by the Public Information Act (Chapter 552 of the Texas Government Code)
and other applicable law.

Disclosure for the student application process.

Disclosure of your Social Security Number (“SSN”) is requested for the student records
system of The University of Texas ________ (the “University”) and for compliance with
Federal and State reporting requirements. Federal law requires that you provide your
SSN if you are applying for financial aid. Although an SSN is not required for admission
to the University, failure to provide your SSN may result in delays in processing your
application or in the University’s inability to match your application with transcripts, test
scores, and other materials. Student SSNs are maintained and used by the University
for financial aid, internal verification, and administrative purposes, and for reports to
Federal and State agencies as required by law. The privacy and confidentiality of
student records is protected by law and the University will not disclose your SSN without
your consent for any other purposes except as allowed by law.

General mandatory disclosure.

Disclosure of your Social Security Number (“SSN”) is required of you in order for The
University of Texas at _________ to __[state intended use of SSN]_________, as
mandated by [Federal] [State] law. Further disclosure of your SSN is governed by the
Public Information Act (Chapter 552 of the Texas Government Code) and other
applicable law.

General voluntary disclosure.

Disclosure of your social security number (SSN) is requested from you in order for The
University of Texas at ___________ to ____[state intended use of SSN]___________.
No statute or other authority requires that you disclose your SSN for that purpose.
Failure to provide your SSN, however, may result in [state what may happen if the
individual fails to provide SSN]. Further disclosure of your SSN is governed by the
Public Information Act (Chapter 552 of the Texas Government Code) and other
applicable law.




Appendix 3 – Encryption Guidelines

Introduction

Encryption refers to the transformation of plain text into cipher-text to protect it.
Encryption guards against theft or accidental disclosure of confidential or sensitive
information. Encryption is used to protect against eavesdropping; it renders information
private by making it unreadable to all except those who have the key needed to decrypt
the data. These encryption guidelines are to be used by UTPA employees or individuals
who transmit UTPA’s confidential or personally identifiable information (data that is
required to be protected by HIPAA, FERPA, Gramm-Leach-Bliley, or other law) across
unsecured networks (like the Internet) or for storage on unsecured workstations or
portable devices.

When to Use Encryption

Transfer of Confidential or Sensitive Information to or from a Person or Entity
Outside of UTPA.

Encrypted email or secure FTP must be used for official University business when
transmitting information of a sensitive, private or confidential nature (including
information protected by HIPAA or FERPA) across a public network.
All UTPA employees should use a UTPA-assigned Verisign certificate to encrypt email
containing sensitive or confidential information transmitted across unsecured networks.

Email encryption requires that you have the public key of the individual to whom you are
sending an encrypted message. All System component institutions have access to
Verisign certificates. One may obtain a public key in a number of ways. When you
receive a digitally signed message, you receive the sender's public key. Mail clients may
automatically store the public keys of all senders in Outlook Contacts. You may have to
selectively choose to save an individual's public key. An individual's public key may also
be obtained from a directory service (VeriSign's Directory Service). Detailed instructions
on encrypting mail with this method can be found on the Helpdesk information web
page.

Another method of transferring confidential or sensitive information to an outside entity
or person is by the use of secure FTP (SFTP). Before using any secure FTP client,
please read the license agreement before downloading the software.

Confidential or sensitive information residing on web servers or collected via web
applications should be protected. Protection of data or information residing on a web
server should be in accordance with risk assessment and, at a minimum, SSL or Secure
HTTP (S-HTTP) should be deployed. If there is a need to communicate sensitive data to
a party that is unable to accept encrypted files for technical reasons, the information
should be communicated using alternative means such as US mail or telephone.



Desktop Computer Storage:

All University business-related data files created or modified by these computers must
be stored only on the centrally managed servers and not on a local hard drive. In certain
cases where personally identifiable information or sensitive information may
temporarily be cached or saved on a local drive, SafeBoot software or other encryption
methods approved by the Chief Information Security Officer may be installed to encrypt the
local drive (IT Helpdesk maintains and supports the use of this encryption software) on
“high risk” computers.

Portable Devices or Removable Media:

All sensitive or confidential data or files stored on a portable device (such as a laptop or
PDA) or removable media (CDs, thumb drives, etc.) must be encrypted. Examples of
information that should always be encrypted include but are not limited to:

   • personally identifiable information (SSN, Drivers License, date of birth, credit card
       information)

   • data which pertains to an individual’s race, religion, or national origin

   • data that describes the state of an individual’s physical or emotional well-being

   • data that describes the methods or procedures used to safeguard assets or
       maintain the integrity of a system, application or network

   • information protected by the Federal Educational Rights and Privacy Act (FERPA)

   • information protected by the Health Insurance Portability and Accountability Act
        (HIPAA)

   • information relating to sensitive negotiations and research or other University
        business

Any university records on portable devices or saved on removable media are required to
be backed up in an unencrypted form (unless encryption is warranted based on risk
assessment) in a secure location on a network server.

Before international travel, you may need to check the laws pertaining to countries with
encryption restrictions (e.g., some countries may inspect computer software upon
departure, and some equipment and software have been confiscated because of the
data contained or due to software encryption, which is standard in many programs).

If you are uncertain about whether data on your local drive should be encrypted or if
data on your portable device is encrypted, please contact the IT helpdesk or the
Information Security Office.




Appendix 4 – Server Checklist

   MAC Address
    IP Address
  Machine Name
    Asset Tag
 Department Name
Administrator Name
Administrator Email
Administrator Phone
  Date Completed
                                  Preparation and Installation
Step √                                            To Do
         Server Operating System (OS) is licensed for Microsoft and UNIX servers.
         Supports appropriate Internet communication protocols.
         All default passwords for the server OS changed.
         All default (guest) accounts should be disabled.
         Configure the device boot order to prevent unauthorized booting from alternate media.

         Physically secure server or have appropriately installed software or hardware devices to
         safeguard against inappropriate access and prevent theft and destruction.
                                   Service Packs and Hotfixes
         Test Service Packs and Hotfixes before applying them to the servers if a test
         environment is available.
         Enable automatic notification of patch availability.
         Verify with Vendor that the Service Pack and/or HotFix to be applied for hardware or
         software is certified.
                                        Auditing Policies
         Configure Audit policy as described.
         Set minimum password length.
         Enable Password Complexity.
         Configure System Event Log Settings.
         Security Event Log restricted to members of an “auditors” group, or other restricted-
         membership group that serves the purpose of reviewing the event logs.
         Audit logs are reviewed on a regular basis to identify possible security breaches and
         weaknesses.
         Audit logs are archived to ensure data is not being lost.
                                        Account Policies
         All user accounts for employees that are no longer affiliated with the University must be
         terminated within 5 working days.
         The server must maintain a password history so old passwords will not be re-used.
         Enforce a password policy that includes periodic password changes for all users.
         Ensure that access is denied after 3 failed login attempts.
                                        Security Settings
         Ensure that no shares can be accessed anonymously.
         Choose "Classic" as the sharing and security model for local accounts.
         Once verified with the vendor, name Administrator account(s) something other than
         “Administrator”.
         Each user with administrative privileges will be assigned a unique account, separate
         from the built-in “Administrator” account.
         Each System Administrator will have a separate account for normal user tasks.
         Passwords for administrator accounts are changed at least annually or when any member
         of the administrative team leaves the organization.
                                   Additional Security Protection
         Configure User Rights to be as secure as possible.
         Configure Internet Connection Firewall or other methods to limit connections to the
         server.
         System information backups should take place daily to include all information necessary
         to restore the system and data.
                                        Additional Steps
         Configure system date/time to synchronize against campus network time servers using
         NTP (Network Time Protocol).
         Install and enable anti-virus software.
         Install and enable anti-spyware software.
         Configure anti-virus software to update daily.
         Configure anti-spyware software to update daily.
         Configure a screen-saver to lock the console's screen automatically if the host is left
         unattended.
         If the machine is not physically secured against unauthorized tampering, set a
         BIOS/firmware password to prevent alterations in system startup settings.
         Systems will provide secure storage for Category-I data as required by confidentiality,
         integrity, and availability needs. Security can be provided by means such as, but not
         limited to, encryption, access controls, file system audits, physically securing the
         storage media, or any combination thereof as deemed appropriate.
         Ensure that file backup tools and devices are installed and work correctly.
         Encrypt remote administration traffic.
         Accept remote administration commands only from an authenticated administrator and
         only from one particular host/subnet.




Appendix 5 – Network Monitoring Guidelines


The purpose of this document is to outline university guidelines regarding the
monitoring, logging, and retention of network packets that traverse university networks.
The University of Texas-Pan American takes all reasonable measures to assure the
integrity of private and confidential electronic information transported over its networks.
Any inspection of electronic data packets, and any action performed following such
inspection, will be governed by all applicable federal and state statutes and by university
and UT System Administration policies and regulations.

Guidelines

Two groups on campus are authorized to routinely monitor traffic on university
networks. These groups are Information Technology Network Services and the
Information Security Office (ISO). Additional campus IT staff may be approved to
access and monitor specific traffic on specific networks for which they are responsible.
Authorization must be obtained from the respective IT Owner(s) of the given College,
School, or Unit and the Office of Institutional Relations and Legal Affairs or the Office of
Compliance. The individual(s) must also complete a Security Sensitive Form and
undergo a standard background check if not already completed. This approval shall also
be communicated to the ISO and IT Network Services. Authorized personnel must
demonstrate a need for and an understanding of the operation of network monitoring
devices.

   • Authorized staff shall use network monitoring devices only to detect:

          o the improper release of confidential employee or student data;

          o known patterns of attack or compromise;

          o or to troubleshoot and analyze network-based problems.

   • Authorized staff may also analyze certain network-based anomalies to determine
       the security risk to the university and conduct statistical/operational studies. All
       monitoring shall be as narrow in scope as possible.

   • Authorized staff may not exceed specified scope of monitoring (for example,
       users, address ranges, protocols, signatures). Only IT Network Services and the
       ISO may monitor public networks and inter-campus networks.

   • Personnel authorized to analyze network traffic shall not disclose any information
       realized in the process without approval of the respective Vice President,
       executive management and legal counsel.

   • No authorized personnel shall use network monitoring devices to monitor
       employee electronic transmissions for job performance evaluation, or as part of
       an unofficial investigation, without first receiving signed approval from the
       respective Vice President, executive management and legal counsel.

   • The ISO will be the contact for resolution of security-related anomalies or other
       suspicious activity noticed by representatives in IT Network Services or in other
       departments. All monitoring points will be architected, approved, and configured
       by IT Network Services. Monitoring points and associated devices may not be
       extended physically or virtually (such as through a VPN) or changed without
       written approval from IT Network Services.

   • IT Network Services shall maintain written records of all monitoring points,
       architectures, and agreements.

   • Monitored data and usage logs will not be stored past the period of active
       investigation. IT Network Services and the ISO may store incident related data as
       required. Unrelated monitored data may not be stored by anyone except as
       required by law. IT Network Services and the ISO may store aggregated data
       and usage logs for operational, compliance, and statistical purposes. Usage logs
       must be purged as per campus policies.

   • Monitoring data stores and logs may not be accessible from the public Internet.
       All personnel must show due care in protection, handling, and storage of all
       monitored data and logs. Off campus access to monitoring data stores and logs
       must be authorized and updated by IT Network Services as part of the monitoring
       point agreement.

   • IT Network Services and the ISO have the authority to discontinue service to any
       network or network device that:

          o is in violation of university policy,
          o has demonstrated an operational hindrance or threat to the university network, or
          o is a threat to the Internet community, in general.

       In such cases, IT Network Services or the ISO shall notify the appropriate
       department of the disconnection. In less threatening situations, IT Network
       Services and ISO representatives will contact the local network administrator and
       inform them of specific actions that must be taken to avoid imminent
       disconnection. If corrective actions are not implemented as soon as possible, IT
       Network Services or the ISO may discontinue service.

   • All normal requests for monitoring assistance from external agencies shall be
       coordinated through the ISO. Exceptional/urgent requests are to be directed to IT
       Network Services (24x7x365), which will comply as appropriate and inform the
       ISO as lawfully allowed.

   • IT Network Services will be responsible for the architecture and operations of all
       network facilities/functions required for Lawful Intercept assistance and
       compliance, and will be responsible for executing all requests as coordinated
       through the ISO. Departments will comply with all IT Network Services
       requirements and assist IT Network Services to fulfill its legal obligations.

Misuse or destruction of information technology resources can vary in severity and
appropriate disciplinary actions should be taken in proportion to the severity of the
incident. It is not the role of Information Technology professionals to carry out
disciplinary actions as the result of an incident, but it is their role to monitor resources,
to identify potential incidents and to bring such incidents to the attention of appropriate
University of Texas-Pan American officials.

The following guidelines apply:

   • Suspected incidents involving faculty or staff misuse should be brought to the
       attention of the appropriate departmental management.
   • Suspected incidents involving student misuse of Information Technology should
       be brought to the attention of Student Judicial Affairs.
   • If an investigation involving review of the content of a faculty member, staff
       member or student’s files is required, written permission will be obtained from
       executive management.
   • If it is determined that a misuse violation has occurred by a faculty or staff
       member, this should be brought to the attention of the employee’s departmental
       management, the Office of Human Resources and, in the case of criminal
       violation, the University Police.
   • Violations by non-employees will be referred to the appropriate authorities. The
       U. T. System Administration Office of General Counsel may be contacted to
       provide direction in terms of identifying the appropriate authority.
   • Issues of departmental non-compliance may be reported to the respective
       executive management, the Office of Internal Audit, or the Office of the
       President.




Appendix 6

                       FEDERAL STATUTES AND REGULATIONS
          THAT MANDATE OR AUTHORIZE THE USE OF SOCIAL SECURITY NUMBERS
                           (Last revised December 31, 2003)

Note: The chart below contains brief summaries of selected statutes and regulations. It is
intended as a reference only and does not necessarily include all applicable laws and regulations.
The reader is advised to consult with legal counsel.

General Purpose         Authorized or Required Use              Statute or Regulation
Blood donation          Authorizes states and political         42 U.S.C. §§ 405(c)(2)(D)(i),
                        subdivisions to require that a          1320b-11
                        blood donor provide his or her
                        social security number.
Blood donation          Authorizes states to require a          20 C.F.R. § 401.200
                        donor to provide his or her social
                        security number and requires
                        states to provide the social
                        security number to request data
                        from Blood Donor Locator
                        Service.
Charitable              Requires a donee to include on          26 C.F.R. §1.6050L-1
contributions           the donee’s information return
                        the donor’s social security
                        number if the donee disposes of
                        a charitable contribution (other
                        than cash or publicly traded
                        securities) within two years of
                        the gift.
Classified              Requires employers licensed by          10 C.F.R. § 25.17
information             the Nuclear Regulatory
                        Commission to obtain
                        authorization form from NRC in
                        order for employees to access
                        classified information and to
                        identify employees by name and
                        social security number.
Contracts and           Requires those doing business           31 U.S.C. § 7701(c)
grants                  with a federal agency to furnish
                        social security numbers to the
                        agency (for example, lenders in
                        a federal guaranteed loan
                        program and applicants for
                        federal grants, licenses, or
                        permits).



Contracts and     Department of Defense               32 C.F.R. § 22.420
grants            regulation regarding pre-award
                  procedures: requires the
                  collection of social security
                  number from each grant
                  recipient to enable department to
                  check for delinquent accounts as
                  required by 31 U.S.C. § 7701.
Contracts and     With respect to certain federal     41 C.F.R. § 60-4.3
grants            and federally assisted
                  construction contracts, requires
                  reports to include employees’
                  social security numbers for equal
                  employment opportunity reports.
Employment        Authorizes an employer to           8 U.S.C. §1324a(b); 8 C.F.R.
                  examine an alien’s social           § 274a.2
                  security number for verification
                  of eligibility for employment.
Employment        Requires an employer to furnish     42 U.S.C. § 653a
                  for the State Directory of New
                  Hires the social security number
                  of an employee.
Employment        Requires employer to include        20 C.F.R. § 404.452
                  social security number in annual
                  report of wages of individual.
Employment        Requires employer to keep           20 C.F.R. § 404.1225
                  records of remuneration paid to
                  employee and requires social
                  security number to be included in
                  record.
Employment        Requires an employee to provide     26 C.F.R. § 31.6011(b)-2
                  the employer with the
                  employee’s social security
                  number.
Employment        Requires the employer to include    26 C.F.R. § 31.6051-1
                  the employee’s social security
                  number on the Form W-2.
Employment        Requires employers to use the       26 C.F.R. § 301.6057-1
                  employee’s social security
                  number on required reports
                  pertaining to deferred vested
                  retirement programs.




Explosive materials   Provides that it is a federal crime   18 U.S.C. § 842(f)
and weapons of        to import, manufacture, or deal in
mass destruction      explosive materials without
                      federal license. Requires a
                      person who purchases,
                      distributes, or receives explosive
                      materials to furnish his or her
                      social security number to the
                      Secretary of the Treasury.
                      Requires an employer to submit
                      personal information about
                      employees who will possess
                      explosive materials via federal
                      license.
General               Authorizes states to collect and      42 U.S.C. § 405(c)(2)(c)(i)
                      use social security numbers in
                      administering any tax, general
                      public assistance, driver license,
                      or motor vehicle registration law.
Health care           Requires that, as a condition of      42 U.S.C. § 1320b-7(1)
                      eligibility for Medicaid benefits,
                      applicants for and recipients of
                      such benefits furnish their social
                      security numbers to the state
                      administering the program.
Health care           Requires states to obtain             42 U.S.C. § 405(c)(2)(C)(ii)
                      parents’ social security numbers
                      before issuing a birth certificate,
                      unless good cause exists for not
                      doing so.
Health care           Requires social security              42 U.S.C. § 666(a)(13)
                      numbers on death certificates.
Health care           Authorizes manufacturers and          21 C.F.R. §§ 821.25, 821.60,
                      distributors to use social security   821.55
                      numbers for tracking life
                      sustaining or life supporting
                      medical devices used outside a
                      medical facility if failure of the
                      device would result in serious
                      adverse health consequences.
Health care           Requires that organ procurement       42 C.F.R. § 486.304
                      organizations maintain records
                      of organ donors by obtaining
                      personal identifying information,
                      including social security number
                      of donor.



Health care        Requires hospitals that incur       42 C.F.R. § 412.105
education          indirect costs for graduate
                   medical education programs to
                   furnish the social security
                   number for each resident.
Health care        Requires that hospitals that        42 C.F.R. § 413.86
education          receive Medicare payment for
                   direct graduate medical
                   educational activities
                   identify residents by social
                   security number.
Nuclear reactors   Requires holder of Nuclear          10 C.F.R. § 73.57
                   Regulatory Commission license
                   to operate nuclear power reactor
                   to have FBI perform criminal
                   history check on employees and
                   authorizes holder to obtain
                   identification information
                   including social security number.
Radiation safety   Requires employers licensed by      10 C.F.R. § 19.13
                   the Nuclear Regulatory
                   Commission to provide radiation
                   exposure data and authorizes
                   the employer to use the social
                   security number as identifying
                   data.
Radiation safety   Requires employers with Nuclear     10 C.F.R. § 20.2203
                   Regulatory Commission license
                   to notify employees regarding
                   overexposure to radioactive
                   materials and identify employees
                   by social security number.
Radiation safety   Requires employers licensed by      10 C.F.R. §§ 35.3045,
                   Nuclear Regulatory Commission       35.3047
                   to report medical event and
                   radiation dose to
                   embryo/fetus/nursing child and
                   identify persons by name and
                   social security number.
Radiation safety   Requires Department of Energy        10 C.F.R. § 835.801
                   contractors operating sites or
                   facilities licensed by Nuclear
                   Regulatory Commission to issue
                   reports to employees regarding
                   radiation exposure at DOE sites
                   or facilities and requires
                   identification of employees by
                   name and social security
                   number.
Radiation safety   Requires employee to furnish         41 C.F.R. §§ 50-204.33, 50-
                   appropriate identifying data,        204.36
                   such as the social security
                   number, to receive reports.
Student loans      Requires an institution to verify    20 U.S.C. §§ 1078, 1078-2(f),
                   the borrower’s social security       1090(a)(7), 1091(a)(4)(B),
                   number. Requires the use of a        1092, 1092b; 34 C.F.R. §§
                   common financial aid form            668.16, 668.33, 668.36,
                   whereby institutions of higher       674.41, 674.42, 674.50,
                   education collect the information    682.604, 685.304
                   on the form, including the social
                   security number of parents of
                   dependent children seeking
                   federal financial assistance.
                   Requires a student to submit
                   social security number to receive
                   any grant, loan or work
                   assistance. Requires institutions
                   of higher education to verify
                   social security number in the
                   national student loan database
                   and to include the social security
                   number in certain reports and in
                   loan assignments.
Student loans           Requires social security number        42 C.F.R. §§ 57.206, 57.306,
                        for certain student loan               60.51, 60.53, 60.56
                        applications for the health
                        professions, such as doctors and
                        nurses participating in the Health
                        Education Assistance Loan
                        Program (HEAL). Requires
                        schools to give notice regarding
                        any change in status of student,
                        to identify students by social
                        security number, and to maintain
                        current records on students,
                        including verification of social
                        security number and the
                        student’s citizenship.
Tax matters             Requires that the social security      26 U.S.C. §§ 3402, 6051,
                        number be the taxpayer                 6103, 6109; 26 C.F.R. §§
                        identification number and              301.6109-1, 301.7701-11
                        requires that a person who must
                        file a return, statement, or other
                        document under the Internal
                        Revenue Service Code include
                        the social security number as the
                        taxpayer number (withholding
                        and annual reporting on Forms
                        W-2 and 1099 are included in
                        this requirement).


                        TEXAS STATUTES AND REGULATIONS
          THAT MANDATE OR AUTHORIZE THE USE OF SOCIAL SECURITY NUMBERS
                           (Last revised December 31, 2003)

Note: The chart below contains brief summaries of selected statutes and regulations. It is
intended as a reference only and does not necessarily include all applicable laws and regulations.
The reader is advised to consult with legal counsel.

General              Authorized or Required Use                             Statute or Regulation
Purpose
Contracts            Requires that the bid or application to provide        Texas Family Code §§
                     property, materials, or services to a state            231.006, 231.302
                     agency, or to receive a state funded grant or
                     loan include the name and social security
                     number of the individual, sole proprietor, and
                     each partner, shareholder, or owner with an
                     ownership interest of 25%.
Education            Pertains to reports to the Texas Higher                Texas Education Code
                     Education Coordinating Board in the "CBM               Ch. 61
                     Reporting Series." Requires the disclosure of
             student and faculty social security numbers in
             reports to the Coordinating Board with respect
             to data that institutions of higher education are
             required to report. The reporting manual
             permits an assigned 9-digit number if the
             student does not have a social security
             number. The reporting manuals are on the
             board’s website at:
             http://www.thecb.state.tx.us/DataAndStatistics/
Education    Requires an institution’s report to the Texas       Texas Education Code §
             Higher Education Coordinating Board to              56.351, et seq.; 19 Tex.
             include the student’s name and social security      Admin. Code § 22.254
             number in order to commit specific award
             amounts to students in the Board’s Texas
             Grant II Program.
Education    Requires that complaints involving improper         Texas Education Code §
             conduct against an educator within a school,        21.041; 19 Tex. Admin.
             including a charter school, be addressed to         Code § 249.14
             the State Board for Educators Certification and
             include the educator’s name and social
             security number.
Education    Requires institutions seeking reimbursement         Texas Education Code §
             for the tuition awards made through the Texas       56.201, et seq.; 19 Tex.
             Higher Education Coordinating Board Early           Admin. Code § 21.959
             High School Graduation Scholarship Program
             to submit a report to the Texas Higher
             Education Coordinating Board and include the
             student’s name and social security number.
Employment   Entitles institutions of higher education to        Texas Government Code
             obtain criminal history record information for      §§ 411.094, 411.086
             evaluating applicants for employment in
             security sensitive positions. The Department
             of Public Safety may require institutions of
             higher education to submit an individual’s
             social security number for identification
             purposes.
Employment   Requires an employer to take notice of a court      Texas Family Code §§
             order or writ for spousal maintenance, which        8.101-8.108, 158.201 et
             may be combined with a child support order,         seq.
             and withhold income for child support
             payments and remit the payment with certain
             information, including the payor’s name and
             social security number and the payee’s name
             and social security number, unless the
             payment is transmitted to the payee by
             electronic funds transfer.
Employment   Requires an employer to furnish to the State        Texas Family Code §
              Directory of New Hires a report of all new hires   234.103; 1 Tex. Admin.
              that contains certain information from the         Code § 55.303
              employee’s W-4 form, including social security
              number.
Employment    Requires payroll reports to the State              Texas Government Code
              Comptroller for agencies that do not use           Ch. 403; 34 Tex. Admin.
              Uniform Statewide Payroll/Personnel System         Code § 5.41
              to include employee’s name and social
              security number.
Employment    Requires employer to report to the State           Texas Government Code
              Comptroller the name and social security           Ch. 403; 34 Tex. Admin.
              number of the employee from whose salary or        Code § 5.46
              wages a deduction for the employee’s
              membership in employee organizations is
              made.
Employment    Requires agencies that allow deductions for        Texas Government Code
              payment to credit unions to include in report to   Ch. 403; 34 Tex. Admin.
              the State Comptroller the name and social          Code § 5.47
              security number of each employee for whom
              deductions were made.
Employment    Requires deduction for contributions to            Texas Government Code
              charitable organizations form from employee        Ch. 403; 34 Tex. Admin.
              to employer to include social security number.     Code § 5.48
              Cancellation also requires that the employer
              provide the employee’s social security number
              to the State Comptroller.
Employment    Requires employers that are interested in          Texas Labor Code §
              shared work programs to obtain approval from       215.022
              the Texas Workforce Commission and include
              the names and social security numbers of
              employees involved in the plan.
Health care   Requires that reports to the Department of         Texas Health and Safety
              Health’s cancer registry pursuant to the Texas     Code § 82.001, et seq.;
              Cancer Incidence Reporting Act include name        25 Tex. Admin. Code §
              and social security number of individual with      91.4
              cancer.
Health care   Pertains to spinal cord, traumatic brain, and      Texas Health and Safety
              submersion injuries reports to the Department      Code §92.002; 25 Tex.
              of Health. Authorizes hospitals’ reports to        Admin. Code §§ 103.14;
              include patient’s social security number.          103.16
              Requires reports by pre-hospital providers to
              include name and social security of patient.
Health care   Pertains to requirements of State                  Texas Health and Safety
              immunization registry for children and required    Code § 161.007; 25 Tex.
              reports to the Department of Health. Urges         Admin. Code § 100.5
              inclusion of social security number in
              immunization registry for children to assure
              complete match. Parental consent required.
Health care   Requires that the form of birth certificates that   Health and Safety Code
              is completed and filed by hospitals to include      § 192.002; 25 Tex.
              social security numbers of parents.                 Admin. Code § 181.13
Health care   Enables state to provide medical assistance         Texas Human Resources
              (including all health care, services and            Code, Ch. 32 & § 32.042;
              benefits authorized or provided under federal       1 Tex. Admin. Code §
              law) on behalf of needy individuals and             354.2341
              enables state to obtain all benefits for those
              persons under the Social Security Act.
              Requires health insurers to maintain files that
              include the name, address, and social security
              number of each subscriber or policyholder
              covered by insurer. With respect to Medicaid
              health service, requires health insurers to
              maintain a file system that contains
              information for each policyholder or
              subscriber, including the social security
              number.
Health care   Requires that licensed dentists ensure that         Texas Occupations Code
              removable prosthetic devices or removable           § 251.001; 22 Tex.
              orthodontic appliances delivered to a patient       Admin. Code § 116.11
              include a suitable marking, such as the
              patient’s name and/or social security number.
Health care   Requires that complaints about nurses be            Texas Occupations Code
education     forwarded to the Board of Nursing Examiners         Ch. 301 – 304; 22 Tex.
              and include the name and social security of         Admin. Code §§ 213.13,
              the nurse. Requires nursing program to              215.8
              maintain records to include social security
              number of enrolled students in nursing
              program.
Insurance     Authorizes the trustee to require an individual     Texas Insurance Code,
              to disclose his or her social security number       Art. 3.52-2
              as the trustee considers necessary to
              administer the Texas Employees Uniform
              Group Insurance Benefits Act.
Law           Requires an agency’s chief administrator to         Texas Occupations Code
Enforcement   report changes affecting an officer’s licensure     Ch. 1701; 37 Tex. Admin.
              to the Texas Commission on Law                      Code §§ 211.29, 215.3
              Enforcement and include the licensee’s name
              and social security number. Requires
              licensure of academy trainers of police cadets
              and requires academy to provide the name
              and social security number of proposed
              training coordinator and any academy staff
              instructors.
Radiation safety   Pertains to requirements for possession and      Texas Health and Safety
                   use of a source of radiation, including the      Code Ch. 401; 25 Tex.
                   maintenance of appropriate records that show     Admin. Code §§ 289.231,
                   the radiation exposure of certain individuals.   289.232; 30 Tex. Admin.
                   Requires reports of certain over exposures to    Code §§ 336.352,
                   radiation to include name and social security    336.405
                   of individual exposed. Requires reports of
                   radiation exposures over the occupational
                   dose to be reported to Texas Commission on
                   Environmental Safety and include name and
                   social security number of overexposed
                   individual.
Retirement         Authorizes a public retirement system to         Texas Government Code
programs           require a person to provide a person’s social    § 815.503
                   security number as the system considers
                   necessary.
Unemployment       Requires records of employees and reports to     Texas Labor Code
compensation       Texas Workforce Commission to include            Chapter 201; 40 Tex.
                   employee names and social security numbers.      Admin. Code §§815.106,
                                                                    815.107
Workers’           Requires the social security number for a wide   Texas Labor Code §§
compensation       variety of reports and requests pertaining to    401-415, 402.087; 28
                   workers’ compensation claims.                    Tex. Admin. Code §§
                                                                    41.15, 42.30, 102.8,
                                                                    120.1, 120.4, 122.2,
                                                                    122.5, 122.100, 131.3,
                                                                    133.206, 133.302,
                                                                    134.504




Definitions
Access controls: The means by which the ability to use, create, modify, view, etc.,
is explicitly enabled or restricted in some way (usually through physical and
system-based controls).

Account: That combination of user name and password that provides an individual,
group, or service with access to a computer system or computer network.

Asymmetric Encryption: Cryptography in which a pair of keys is used to encrypt and
decrypt a message. The sender of the message encrypts the message with the
recipient’s public key. The recipient then decrypts the message with his/her private key.

Authentication: The process of confirming a claimed identity. All forms of
authentication are based on something you know, something you have, or something
you are.
    • 'Something you know' is some form of information that you can recognize and
      keep to yourself, such as a personal identification number (PIN) or password.
    • 'Something you have' is a physical item you possess, such as a photo ID or a
      security token.
    • 'Something you are' is a human characteristic considered to be unique, such as a
      fingerprint, voice tone, or retinal pattern.

Authorization: The act of granting permission for someone or something to conduct an
act. Even when identity and authentication have indicated who someone is,
authorization may be needed to establish what actions are permitted.

Availability: The requirement that an asset or resource be accessible to an
authorized person, entity, or device.

Backup: Copy of files and applications made to avoid loss of data and facilitate
recovery in the event of a system crash.

Business Continuity Plan (BCP): The documentation of a predetermined set of
instructions or procedures that describe how an organization's business functions will be
sustained during and after a significant disruption.

Business Impact Analysis (BIA): An analysis of an IT system's requirements,
processes, and interdependencies used to characterize system contingency
requirements and priorities in the event of a significant disruption.

Certificate Authority (CA): a trusted third party, whose purpose is to sign certificates
for network entities that have been authenticated. Other network entities can check the
signature to verify that a CA has authenticated the bearer of a certificate.

Certificate Management Plan (or Certificate Policy): The administrative policy for key
and certificate management. This plan addresses all aspects associated with the
generation, production, distribution, accounting, compromise recovery, and
administration of encryption keys and digital certificates.

Change: Includes any implementation of new functionality, any interruption of service,
any repair of existing functionality, and any removal of existing functionality.

Change Management: The process of controlling modifications to hardware, software,
firmware, and documentation to ensure that Information Resources are protected
against improper modification before, during, and after system implementation.
Change refers to:
    • Any implementation of new functionality
    • Any interruption of service
    • Any repair of existing functionality
    • Any removal of existing functionality

Computer Incident Response Team (CIRT): Personnel responsible for coordinating
the response to computer security incidents in an organization.

Confidential: The classification of data whose unauthorized disclosure/use could
cause serious damage to an organization or individual.

Confidential Information: Information maintained by state agencies and universities
that is exempt from disclosure under the provisions of the Public Records Act or other
applicable state, federal laws and UT System Administration policies and regulations.
The controlling factor for confidential information is dissemination.

Custodian: Guardian or caretaker; the holder of data, the agent charged with
implementing the controls specified by the owner. The custodian is responsible for the
processing and storage of information. The custodians of information resources,
including entities providing outsourced information resources services to the university,
must:
    • Implement the controls specified by the owner(s).
    • Provide physical and procedural safeguards for the information resources.
    • Assist owners in evaluating the cost-effectiveness of controls and monitoring.
    • Implement the monitoring techniques and procedures for detecting, reporting,
      and investigating incidents.

Data:
    • Research Data: recorded information, regardless of the form in which the
      information may be recorded, that constitutes the original data that are necessary
      to support research activities and validate research findings. Research data may
      include but are not limited to: printed records, observations and notes; electronic
      data; video and audio records, photographs and negatives, etc.
    • Digital Research Data: defined as the subset of research data as defined below
      that are transmitted by or maintained in electronic format and include any of the
      following: (a) Electronic storage data including storage devices in computers
      (hard drives, memory) and any removable/transportable digital storage medium,
      such as magnetic tape or disk, optical disk, or digital memory card; or (b)
      Transmission data used to exchange information already in electronic storage
      format. Transmission data include, for example, the Internet (wide-open),
      extranet (using Internet technology to link a business with information accessible
      only to collaborating parties), leased lines, dial-up lines, private networks,
      intranet, and the physical movement of removable/transportable electronic
      storage data.
    • Sensitive Digital Research Data: data defined by the university as Category-I
      data.

Data Encrypting Keys: Keys used with symmetric key algorithms to apply
confidentiality protection to information.

Data Steward: University representatives, such as faculty, staff, or researchers, who
are tasked with managing administrative and/or research data owned by the university.
Such data is to be managed by a data steward as a university resource and asset. The
data steward has the responsibility of ensuring that the appropriate steps are taken to
protect the data and that respective policies and guidelines are being properly
implemented. Data Stewards may delegate the implementation of university policies
and guidelines to professionally trained campus or departmental custodians.

Data Stewardship: the formalization of accountability for the management of the
university’s data.

Database: A collection of records stored in a computer in a systematic way, such that a
computer program can consult it to answer questions. Each record is often organized as
a set of data elements to facilitate retrieval and sorting. The data retrieved in answer to
queries are then used to make decisions.

Digital Certificate: A data structure used in a public key system to bind a particular,
authenticated individual to a particular public key.

Digital Signature: A digital signature is a type of electronic signature, which cannot be
forged. A digital signature provides verification to the recipient that the file came from
the user or entity identified as the sender, and that it has not been altered since it was
signed.

Disaster Recovery Plan (DRP): A written plan for processing critical IT applications in
the event of a major hardware or software failure or destruction of facilities. Such plans
are designed to restore operability of the target system, application, or computer facility
at an alternate site after an emergency.

Electronic mail system: Any computer software application that allows electronic mail
to be communicated from one computing system to another.

Electronic mail (email): Any message, image, form, attachment, data, or other
communication sent, received, or stored within an electronic mail system.

Email: Abbreviation for electronic mail.

Emergency Change: When an unauthorized immediate response to imminent critical
system failure is needed to prevent widespread service disruption.

Encryption: The process of converting data into a cipher or code in order to prevent
unauthorized access. Encryption obfuscates data in such a manner that a specific
algorithm and key are required to interpret the cipher or code. The keys are binary
values that may be interpretable as the codes for text strings, or they may be arbitrary
numbers. The purpose of encryption is to prevent unauthorized access to data while it is
either in storage or being transmitted.

Escrow: Data decryption keys held in trust by a third party to be turned over to the user
only upon fulfillment of specific authentication conditions.

Fixed Media: Devices distinguished from those in which the data is stored on a
cartridge, disk, or other material that is removable and interchangeable. Hard drives are
typically fixed media, with platters sealed inside the drive chassis.

Handling: when users access, manipulate, change, transfer, or delete data.

Information Resources (IR): any and all computer printouts, online display devices,
mass storage media, and all computer-related activities involving any device capable of
receiving email, browsing Web sites, or otherwise capable of receiving, storing,
managing, or transmitting data including, but not limited to, mainframes, servers,
personal computers, notebook computers, hand-held computers, personal digital
assistant (PDA), pagers, distributed processing systems, network attached and
computer controlled medical and laboratory equipment (i.e. embedded technology),
telecommunication resources, network environments, telephones, fax machines,
printers and service bureaus. Additionally, it is the procedures, equipment, facilities,
software, and data that are designed, built, operated, and maintained to create, collect,
record, process, store, retrieve, display, and transmit information.

Information Resources facilities: Any location that houses Information Resource
equipment (includes servers, hubs, switches, and routers). Facilities are usually
dedicated rooms or mechanical/wiring closets in the buildings.

Information Resources Manager (IRM): Responsible to the State of Texas for
management of the agency's Information Resources. The designation of an agency
Information Resources Manager is intended to establish clear accountability for setting
policy for Information Resources management activities, provide for greater
coordination of the state agency's information activities, and ensure greater visibility of
such activities within and between state agencies. The Information Resource Manager
has been given the authority and the accountability by the State of Texas to implement
Security Policies, Procedures, Practice Standards, and Guidelines to protect the
Information Resources of the agency. If an agency does not designate an Information
Resource Manager, the title defaults to the agency's Executive Director, and the
Executive Director is responsible for adhering to the duties and requirements of an
Information Resource Manager.


Integrity: The accuracy and completeness of information and assets and the
authenticity of transactions.

Internet: A global system interconnecting computers and computer networks. The
computers and networks are owned separately by a host of organizations, government
agencies, companies, and colleges.

Intrusion Detection Systems (IDS): A device that monitors and analyzes network
traffic.

Key Management: activities involving the handling of encryption keys and other related
security parameters (e.g., passwords) during the entire life cycle of the encryption keys.
This includes their generation, storage, establishment, entry and output, and
destruction.

Key Management Infrastructure: The framework and services that provide for the
generation, production, distribution, control, accounting, and destruction of all
cryptographic material, including symmetric keys, as well as public keys and public key
certificates. It includes all elements (hardware, software, other equipment, and
documentation); facilities; personnel; procedures; standards; and information products
that form the system that distributes, manages, and supports the delivery of
cryptographic products and services to end users.

Key Manager: Controls the generation, storage and distribution of cryptographic keys.

Lawful Intercept: the interception of data on the university network by the Information
Security Office and Network Services, in accordance with local law and after following
due process and receiving proper authorization from the appropriate authorities.

Local Area Network (LAN): A data communications network spanning a limited
geographical area, a few miles at most. It provides communication between computers
and peripherals at relatively high data rates and relatively low error rates.

Merchant: University unit that accepts credit card payment for goods, services, or gifts.

Merchant Account: The credit card account number assigned by the credit card
processor, Global Payments, to permit credit card payment processing.

Network: All associated equipment and media creating electronic transmission between
any information resource(s), such as wired, optical, wireless, IP, synchronous serial,
telephony, etc.

Network Flow: The sequence of packets between given source and destination
endpoints.

Network Operations Center (NOC): Monitors the health of critical services and
provides the central coordination of data services for campus.

Networking Custodian: Network manager or analyst; the holder of network
configuration data, the agent charged with implementing the network controls and
services specified by the owner or the university. This custodian is responsible for the
transfer of information. These custodians, including entities providing outsourced
information resources services to the university, must:
    • Implement the network controls specified by the owner or the university.
    • Provide physical and procedural safeguards for the network infrastructure.
    • Assist owners in evaluating the cost-effectiveness of controls and monitoring.
    • Implement the monitoring techniques and procedures for detecting, reporting,
      and investigating or troubleshooting network incidents.

Non-eCommerce Merchant: a department that processes credit card payments with
equipment that does not utilize an external facing IP address, such as point-of-sale
terminals, cash registers and other types of equipment.

Offsite Storage: Based on data criticality, offsite storage should be in a geographically
different location from the campus and a location that does not share the same disaster
threat event. Based on an assessment of the data backed up, removing the backup
media from the building and storing it in another secured location on the Campus may
be required.

Owner: The manager or agent responsible for the function that is supported by the
resource or the individual upon whom responsibility rests for carrying out the program
that uses the resources. The owner is responsible for establishing the controls that
provide the security. The owner of a collection of information is the person responsible
for the business results of that system or the business use of the information. Where
appropriate, ownership may be shared by managers of different departments.

Packet: an electronic unit of data that is routed between an origin and a destination on
a network.

Packet Data: The part of the packet containing user data and other data or information
used by applications.

Packet Header: The part of the packet that contains protocol, source address,
destination address, and other controlling information (including tunneling information).

Password: A string of characters used to verify or "authenticate" a person's identity.

Physical Security Controls: Devices and means to control physical access to sensitive
information and to protect the availability of the information. Examples are physical
access systems (fences, mantraps, guards); physical intrusion detection systems
(motion detector, alarm system); and physical protection systems (sprinklers, backup
generator).

Portable Computing Devices: Any easily portable device that is capable of receiving
and/or transmitting data. These include, but are not limited to, notebook computers,
handheld computers, PDAs (personal digital assistants), pagers, and cell phones.

Private Key: the secret key of a signature key pair used to create a digital signature
and/or to decrypt confidential information.

Production System: The system environment comprised of hardware, software and
data in which an organization’s data processing is accomplished.

Promiscuous Mode: mode of operation in which every data packet transmitted is
received and read by every network adapter. Promiscuous mode is often used to
monitor network activity.

Public Key: the publicly available key of a signature key pair used to validate a digital
signature and/or to encrypt confidential information.

Removable Media: Removable media devices permit data to be stored on media that is
removable and interchangeable. CDs, DVDs, flash memory, and floppy disks are
examples of removable media.

Scheduled Change: Formal notification received, reviewed, and approved by the
review process in advance of the change being made.

Strong Passwords: A strong password is constructed so that it cannot be easily
guessed by another User or a "hacker" program. It is typically a minimum number of
positions in length and contains a combination of alphabetic, numeric, or special
characters.

Security Administrator: The person charged with monitoring and implementing
security controls and procedures for a system. Whereas each agency will have one
Information Security Officer, technical management may designate a number of security
administrators.

Security Incident: In information operations, an assessed event of attempted entry,
unauthorized entry, or an information attack on an automated information system. It
includes unauthorized probing and browsing; disruption or denial of service; altered or
destroyed input, processing, storage, or output of information; or changes to information
system hardware, firmware, or software characteristics with or without the Users'
knowledge, instruction, or intent.

Sensitive Information: Information maintained by state agencies that requires special
precautions to protect it from unauthorized modification or deletion. Sensitive
information may be either public or confidential. It is information that requires a higher
than normal assurance of accuracy and completeness. The controlling factor for
sensitive information is that of integrity.

Server: A computer program that provides services to other computer programs in the
same, or another, computer. A computer running a server program is frequently
referred to as a server, though it may also be running other client (and server)
programs.

Sniffing: The interception of data packets traversing a network.

Strong Passwords: A password constructed so that it cannot be easily guessed by another
user or a "hacker" program. It is typically a minimum number of positions in length and
contains a combination of alphabetic, numeric, or special characters. UTPA requires the
following:
a. Character length: minimum of 10 characters
b. Complex word not found in a dictionary
c. Alphanumeric: numbers and characters, i.e., A through Z, a through z, and 0-9
d. Case: mixture of upper and lower case, i.e., 1 English uppercase character and 1
English lowercase character

System: Any device capable of receiving e-mail, browsing web sites, or otherwise
capable of receiving, storing, managing, or transmitting data including, but not limited to,
mainframes, servers, personal computers, notebook computers, hand-held computers,
Personal Data Assistants, pagers, distributed processing systems, network attached
and computer controlled medical and laboratory equipment (that is, embedded
technology), telecommunication resources, network environments, telephones, fax
machines, printers and service bureaus.

System Administrator: Person responsible for the effective operation and
maintenance of Information Resources, including implementation of standard
procedures and controls, to enforce an organization's security policy.

System Development Life Cycle (SDLC): the scope of activities associated with a
system, encompassing the system's initiation, development and acquisition,
implementation, operation and maintenance, and ultimately its disposal.

System Security Plan: Provides a baseline of a system's security. A comprehensive
system security plan describes the security controls that are in use, or planned for use,
to protect all aspects of the system. Security plans are supported by security policy and
can be essential tools that identify weaknesses in the system and document what
controls will be added to combat the weaknesses.

Trojan Horse: Destructive programs (usually viruses or worms) that are hidden in an
attractive or innocent-looking piece of software, such as a game or graphics program.
Victims may receive a Trojan horse program by email or on a diskette or CD, often from
another unknowing victim, or may be urged to download a file from a Web site or
bulletin board.

Unauthorized Disclosure: the intentional or unintentional revealing of restricted
information to people who do not have a legitimate need to access that information.

Unscheduled Change: Failure to present notification through the review process in
advance of the change being made. Unscheduled changes will only be acceptable in
the event of a system failure or the discovery of a security vulnerability.

User: An individual, automated application or process that is authorized by the owner to
access the resource, in accordance with the owner's procedures and rules. Has the
responsibility to (1) use the resource only for the purpose specified by the owner, (2)
comply with controls established by the owner, and (3) prevent disclosure of confidential
or sensitive information. The user is any person who has been authorized by the owner
of the information to read, enter, or update that information. The user is the single most
effective control for providing adequate security.

Vendor: someone outside UTPA who exchanges goods or services for money.

Virus: A program that attaches itself to an executable file or vulnerable application and
delivers a payload that ranges from annoying to extremely destructive. A file virus
executes when an infected file is accessed. A macro virus infects the executable code
embedded in Microsoft Office programs that allows users to generate macros.

Web page: A document on the World Wide Web. Every Web page is identified by a
unique URL (Uniform Resource Locator).

Web server: A computer that delivers (serves up) web pages.

Website: A location on the World Wide Web, accessed by typing its address (URL) into
a Web browser. A Web site always includes a home page and may contain additional
documents or pages.

World Wide Web: Also referred to as the Web, a system of Internet hosts that
supports documents formatted in HTML (Hypertext Markup Language), which contain
links to other documents (hyperlinks) and to audio, video, and graphic images. Users
can access the Web with special applications called browsers, such as Netscape
Navigator and Microsoft Internet Explorer.

Worm: A program that makes copies of itself elsewhere in a computing system. These
copies may be created on the same computer or may be sent over networks to other
computers. The first use of the term described a program that copied itself benignly
around a network, using otherwise-unused resources on networked machines to
perform distributed computation. Some worms are security threats, using networks to
spread themselves against the wishes of the system owners and disrupting networks by
overloading them. A worm is similar to a virus in that it makes copies of itself, but
different in that it need not attach to particular files or sectors at all.




References

UT System Policy UTS 165
http://www.utsystem.edu/policy/policies/uts165.html

UT System Policy UTS 131
http://www.utsystem.edu/policy/policies/uts131.html

UT System Policy INT 124
http://www.utsystem.edu/policy/policies/int124.html

The University of Texas San Antonio – Data Classification Standard
http://www.utsa.edu/infotech/Security/dataclass.htm

Texas Administrative Code 202
http://info.sos.state.tx.us/pls/pub/readtac$ext.ViewTAC?tac_view=4&ti=1&pt=10&ch=202&rl=Y

The Rules and Regulations of the Board of Regents of The University of Texas System
http://www.utsystem.edu/BOR/rules.htm

Portions adapted from http://www.utexas.edu/vp/it/policies/ and
http://security.utexas.edu/procedures/spam/, with permission from ITS, The University
of Texas at Austin, Austin, Texas 78712-1110.



