TTUHSC Information Techonology
Home Information Technology Policies

TTUHSC IT Policies

1.4        Security Safeguards (TAC 202.75.7)

1.4.1     ACCEPTABLE USE

Conduct Yourself Responsibly

The use of TTUHSC I.T. resources may be temporarily or even permanently revoked at any time for abusive conduct.  Such conduct includes placing unlawful information on a system, copyright violations, using abusive or otherwise objectionable language in either public or private messages, sending messages that are likely to result in the loss of recipients' work or systems, sending unauthorized messages to individuals, or any use that would cause congestion of the networks or otherwise interfere with the work of others.

Use of peer-to-peer programs on TTUHSC computers and/or network for downloading and/or uploading of illegal copies of copyrighted media is strictly prohibited.  All students, faculty, and staff should remove these applications immediately from TTUHSC computers.  Students, faculty, and staff who use their personally-owned computers to connect to the TTUHSC network must disable all peer-to-peer applications and services before connecting to the network.  This includes direct connection or remote connection via PPP, VPN, or wireless accounts.  Any computers using peer-to-peer applications on the TTUHSC network are subject to removal from the network until the application is removed or disabled. 

Misuse of TTUHSC information resources is a violation of the policies contained herein and will result in disciplinary action in accordance with HSC OP’s 70.31 and 77.05 and the Student Affairs Handbook.

Computing Ethics And User Responsibilities

Information technology resources at TTUHSC are owned by the State of Texas and administered by the Information Technology Division. All products created on Institutional property belong to the Institution. These products shall be considered "intellectual property" as defined by and managed according to Board of Regents Rules and Regulations, Chapter 10 - Intellectual Property Rights. TTUHSC will provide access to appropriate central and campus I.T. resources, and to their attached networks to all members of the TTUHSC community.  Users are responsible for managing their use of I.T. resources and are accountable for their actions relating to information technology security.

General Principles

Users must abide by the following list of standards that have been established:

  1. Report any weaknesses in TTUHSC computer security, any incidents of possible misuse, or violation of these policies to the appropriate I.T. management.
  2. Access only information that is your own, that is publicly available, or to which you have been given authorized access.  Users may use only the I.T. resources they are authorized to use and only for the purposes specified when their accounts were issued or permission to use the resources was granted.
  3. For security reasons, protect your USER ID, password, and system from unauthorized use.  Users who share their access with another individual shall be responsible and will be held accountable for ALL usage of their accounts.
  4. Use only legal versions of copyrighted software in compliance with vendor license requirements.  Users shall not transport software provided by TTUHSC to another computer site without prior authorization from the departmental administrator.  To do so constitutes theft.
  5. DO NOT attempt to circumvent or subvert system, network, destroy the integrity of computer-based information, or access controlled information on the TTUHSC network.
  6. DO NOT install software/hardware for personal use on TTUHSC systems.
  7. Sexually explicit material in any form is not allowed on TTUHSC systems.  See Sexually Explicit Material section for more detailed guidelines.
  8. Users must not unreasonably interfere with the fair use of I.T. resources by another.  Examples of unreasonable interference include playing games, listening to or viewing streaming audio/video for recreation, intentionally misconfiguring or tampering with videoconferencing equipment, interfering with the scheduled use of a distance learning classroom by failing to promptly vacate the room at the end of a session, and intentionally running a program that attempts to violate the operational integrity of the TTUHSC network.
  9. Users are prohibited from using the TTUHSC’s systems or networks for personal or commercial gain, such as, selling access to your USER ID or to TTUHSC systems or networks, performing work for profit with TTUHSC resources in a manner not authorized by the TTUHSC, marketing/advertising, and/or personal business transactions with commercial organizations.
  10. TTUHSC systems are not to be used for partisan political purposes, such as using electronic mail to circulate advertising for political candidates or lobbying of public officials.
  11. DO NOT use mail or messaging services to harass or intimidate another person, for example, by broadcasting unsolicited messages, or by repeatedly sending unwanted mail.

The above list is by no means exhaustive, but attempts to provide a framework for activities that fall into the category of unacceptable use. 

Sexually Explicit Material

Users shall not view, retrieve, transmit, distribute, print, or save any electronic files that may be deemed sexually explicit on TTUHSC I.T. resources.  This includes both visual and textual sexually explicit material as defined by Chapter 43 of the State of Texas Penal Code on Public Indecency.  Exceptions are material used for scientific, medical, and/or educational purposes.

It is also illegal to use sexually explicit material to intimidate, persecute, or otherwise harass another individual.  This is considered sexual harassment.  For more detailed guidelines on sexual harassment, refer to HSC OP 70.14.

Do not open any emails which you believe to contain obscenity or pornography.  If obscenity and/or pornography are received through email, there will be no disciplinary proceedings if the mail is deleted immediately.  If the offending email originates from a TTU or TTUHSC email address, report the receipt of said material to the Assistant Vice President for Human Resources and/or the Information Security Officer immediately.  Reporting of such a violation will be held in the strictest confidence.

1.4.2     ACCOUNT MANAGEMENT AND USER RESPONSIBILITIES

eRaider is an account management system which makes it possible for students, faculty, and staff to obtain and access electronic resources at Texas Tech using a single username and password.  Your eRaider username and password are required to access many of these resources.  An eRaider account is required to access the TTUHSC domain.  New students, faculty, and staff receive an eRaider account upon coming to the Health Sciences Center; access is dependant upon account types (i.e. faculty, staff, and students) and department requirements.  User access should be reviewed upon changes in job description, job responsibilities, removed upon termination of employment. These changes should be indicated by the department head or listed in the separation checkout for each individual. Questions regarding eRaider account information should be directed to the I.T. Solutions Center at each respective campuses.

1.4.3     ADMINISTRATOR/SPECIAL ACCESS

This policy provides a set of requirements for the regulation and use of administrator or special access on the TTUHSC systems.  This policy will provide a mechanism for the addition and removal of people from special access in the Active Directory domain and a mechanism for periodic reviews of the administrator/special access database.

Special Access will need to be requested by the information owner or designee and submitted to the I.T. Solution Center at http://www.ITSolutions.ttuhsc.edu

Regulation of Special Access Accounts:

  1. Special access on TTUHSC system is maintained and monitored by both Data Center Operations and the Information Security Officer.
  2. Passwords for special access accounts are changed on a regular basis as determined by Institutional policy.
  3. Special access is only provided to individuals who need the access to perform their job.
  4. Any misuse of special access privileges must be reported to the TTUHSC Information Security Officer when discovered.
  5. Persons requesting special access must follow all procedures outlined in the Special Access Guidelines.
  6. Persons who misuse their special access privilege can have special access revoked and may face Institutional disciplinary action (See Policy 10 - Disciplinary Process)
  7. Special access is reviewed on a periodic basis as defined below.
  8. All persons who currently (prior to the approval of this policy) have special access are required to submit a completed Special Access Request form and a signed Special Access Guidelines agreement.

Performing a Periodic Review of the Special Access Database

A review of special access will be made on an annual basis or as determined by the TTUHSC Information Security Officer.  The review process will involve the following steps:

Special Access Guidelines

This agreement outlines the use of special access on TTUHSC computers.  Special access is defined as having domain access other than as a domain user.  The TTUHSC environment is very complex and dynamic.  Due to the number and variety of computers and peripherals, special access must be granted to numerous people so the TTUHSC facility can be properly supported.  People with special access must develop the proper skill for using that access responsibly.

The Special Access Guidelines have been developed to help people to use their special access in a responsible and secure manner.  All persons requesting special access must read and follow these guidelines.

General Guidelines

  1. Be aware of your TTUHSC computing environment.
  2. Always log on systems where you have an account as yourself.  Any action done under a special access account should have an audit trail.
  3. Use special access only if necessary.
  4. Many system tasks require the use of root or other special access.  However, there are many tasks that can be done without the use of special access.  When at all possible use regular accounts for trouble-shooting and investigating.
  5. Complete the appropriate Change Request processes specified in Section 1.4.5.  Document all major actions and/or inform the appropriate people.
  6. Documentation provides a method to analyze what happened.  In the future, others may want to know what was done to correct a certain problem.  The Lead System Analyst or Manager of the Data Center is to be informed BEFORE any changes are made to system specific or configuration files.
  7. Have a backup plan in case something goes wrong.  Special access, especially root or administrative access has a large potential for doing damage with just a few keystrokes.  You must be able to restore the system to its state before the error occurred.
  8. With the use of special access, situations arise that have never come up before.  Although TTUHSC has many written procedures, they do not cover every circumstance possible.  If any doubt exists about how you should proceed on a problem, ask for assistance.

Specific Considerations Regarding Special Access

  1. Do not share special access passwords with anyone.
  2. Do not write down the special access passwords or the current algorithm.
  3. Do not routinely log onto a system for which you have an account, as “root” or any other special access account.
  4. Do not read or send personal mail, play games, read the net news or edit personal files using a special access account.
  5. Do not browse other user’s files, directories or email using a special access account.
  6. Do not make a change on any system that is not directly related to your job duties.  The TTUHSC System Administration Handbook states “The Lead System Analyst is responsible for approving all changes to the systems(s) of his/her responsibility.  No changes are to be made to any system configuration file or executable file without prior approval of the Lead System Analyst and Manager of the Data Center.”  Making a change AND then informing the Lead System Analyst is considered a violation of this guideline.
  7. Do not use special access to create temporary files or directories for your own personal use.

1.4.4     BACKUP/RECOVERY

Shared resources (i.e. Network File Shares) are the primary method of protecting Institutional data.  Non-business related data must not be stored on shared resources and is subject to deletion.

Departments are responsible for the creation of electronic and/or paper copies of institutional data and retention of that institutional data as defined by the Records Retention Operating Policy, 10.09. Disaster Recovery backups are not considered a valid retention mechanism for records retention purposes and must not be used by departments to meet records retention requirements.

Institutional server backups are performed for disaster recovery purposes only. Institutional servers are backed up based on the schedule listed below.

Nightly - Incremental backups will be performed to be retained until the next full backup is performed.

Weekly - Full data backups will be performed to be retained for four weeks.

Per disaster recovery best practices, backup tapes are stored off-site.  The details of the off-site storage are outlined in the I.T. Division Disaster Recovery Plan.

Data Restoration

Shared resource data may be restored provided the backup is within the storage timeframe as defined above. Restoration of shared resource data may be requested through the I.T. Solutions Center work order process.

Email Retention

Email backups are for disaster recovery purposes only. Restoration of individual email boxes is not possible.

Email in the Deleted Items folder will automatically be permanently deleted 15 days after the email is placed in the Deleted Items folder.

Email in the Junk E-mail folder will automatically be permanently deleted 30 days after receipt.

Permanently deleted (either automatically because of retention dates or manually by the user) email is recoverable by the end user for 21 days from the date of permanent deletion using Outlook Tools or Outlook Web Access.

1.4.5     CHANGE MANAGEMENT

Change Definition

The following change management protocols apply to the Institutional IT units as well as the regional campuses’ IT departments.  The IT Division highly recommends that all departments adopt these industry best practices related to IT change management in their respective areas.  A change is defined as a modification to the hardware, software, and documentation managed by Information Technology that has a reasonable possibility of impacting normal operations of those resources.  Items that are considered changes include, but are not limited to:

Specific tasks that should not be considered changes include:

Change Categories

Changes will be classified into three categories:

Procedures

All changes must be documented, and submitted for approval prior to implementation.  The following defines the procedure for documentation and approval.

Documentation

The requester initiating the change must initiate a Request Creator process via the STARS system (http://www.ttuhsc.edu/IT/STARS/roles/default.aspx). The following information must be provided on this form:

The technician’s manager will record the change request in a common Change Request Log maintained by the Managing Director of Network, Security, and Systems.

Processing

After the requester completes the Change Approval Form, it will be submitted to their supervisor or manager for review/approval.  The approver will ensure the form is completed and information provided is adequate for decision making. The managers will meet with the authorized approver for Network Services, Information Security, Systems, or schools as needed to review and document recommendations.  Change forms must be submitted to the approver of the applicable areas a minimum of one full business day prior to the review date. 

If the authorized approver is unavailable for the weekly meeting, the managers will meet to discuss and make recommendations for the change requests.  The authorized approver must be notified of all category 1 and 2 changes before implementation.

All changes will be forwarded to I.T. Executive Management (consisting of the CIO, AVP of Information Services, AVP of Security and Infrastructure Assurance, and Managing Director of Technology Services) for final disposition of the request.

Category 1 and 2 changes can be implemented no sooner than two full business days after approval.  Category 3 changes can be implemented immediately after approval, according to the change date and time on the approval form.

Announcement messages must be distributed prior to all category 1 and 2 changes.  Message content should include impact to user and training provided if applicable. The supervisor or manager should prepare this announcement prior to the change review meeting.  The authorized approver will be responsible for posting the announcement.

Changes that are backed out during or immediately after implementation must be resubmitted for approval.

Emergency Changes

Occasionally, it may be necessary to implement changes before the next weekly change approval meeting.  These changes will be designated as emergency changes, and will be documented as Emergency (E) Category, a category E1, E2, or E3.

All of the above documentation and approval procedures still apply for emergency changes, except these changes can be immediately submitted to the supervisor, and subsequently the CIO, for approval and implementation.

Emergency change requests should only be submitted when I.T. operations or security will be negatively impacted or compromised if the change is not implemented immediately.

1.4.6     EMAIL

All Institutional email services will be delivered using the Microsoft Exchange platform.  The supported email client is Microsoft Outlook or the web-based Outlook Web Access.

TTUHSC email accounts are available dependant on the type of associated HSC affiliation. The creation of email accounts are provisioned through the eRaider account activation process and online eRaider Account Manager. Assistance with eRaider and HSC eMail account setup can be obtained through the department hiring managers and the I.T. Solutions Center.

The volume of unsolicited bulk email (SPAM) that is received negatively impacts the Institution's infrastructure and productivity.  Therefore, the Institution has deployed infrastructure to reject a high volume of SPAM emails before they are processed by our email servers.  Additional infrastructure has also been deployed for students, faculty, and staff to use on their personal computers.  For assistance or more information on strategies to manage SPAM/Junk Email, please contact the I.T. Solutions Center or go to http://www.ttuhsc.edu/it/helpdesk/anti-spam.aspx.

Email Naming Convention

The approved email-addressing format uses the firstname.last/surname@ttuhsc.edu naming convention (e.g. john.doe@ttuhsc.edu).  This will be the official TTUHSC email address format for all students, faculty, and staff. 

The naming convention for people who share the same name is slightly different.  If a name already exists in the email database, a variation will be used, such as firstname.middleinitial.last/surname@ttuhsc.edu format (e.g., john.s.doe@ttuhsc.edu).

The CIO or their designee is the central authority for username and email address assignments for all campuses.  Any disputes over usernames and/or email addresses should be referred to the CIO or their designee for resolution.

Users wanting to verify their email address can call the following numbers:

Lubbock Information Technology Solutions Center - (806) 743-1234

Amarillo Information Technology Help Desk - (806) 354-5404

El Paso Information Technology Help Desk - (915) 545-6800

Odessa Information Technology Help Desk - (432) 335-5108

To ensure Institution business is not disrupted, all business cards, stationery, and any other correspondence material must reflect the correct email address format, including contact information on web sites.  All students, faculty, and staff should only use their official TTUHSC email address to facilitate the dissemination of information as well as promote and sustain the lines of communication.

Because email addresses are printed on official stationery, business cards, or any other correspondence material, all print jobs and/or official publications must follow the Publication Guidelines as established by the Office of News and Publications.  Refer to HSC OP 67.01 (Publication Guidelines) for detailed guidelines on printing standards.

Implementation And Compliance Procedure

All TTUHSC students, faculty, and staff will be issued an official TTUHSC email account with the firstname.last/surname@ttuhsc.edu naming convention format.  This email address will be the only email address used for all official communications between the Institution and students, faculty, and staff.  Emails will not be redirected or forwarded to another, non-TTUHSC account.

Sending Confidential Information

Any emails containing confidential information that are sent to persons outside TTUHSC or TTU must be encrypted. For more information regarding confidentiality and encryption please reference Operating Policy 56.04. For further instructions, go to www.ITSolutions.ttuhsc.edu.

 Correspondences containing vital Institutional information must include the following disclaimer at the end of the email:

Confidentiality Notice: This message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information.  Any unauthorized review, use, disclosure, or distribution is strictly prohibited.  If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Mass Email

TTUHSC mass email messages must be approved by the President, Vice Presidents or Deans for distribution of suitable email to TTUHSC schools, campuses and institution.  For the purpose of student mass email communication, a designated representative of Student Services can also distribute mass email to students, with email content that is considered creditable and informative, that does not include commercial interest.

Suitable mass email material for approval includes, but is not limited to:

    • Substantial changes in governance, policy, or practice

    • Immediate threats to health, safety, property, or research

    • Infrastructure maintenance, computer or telecommunication issues

    • Official non-commercial survey material, institutional newsletter publications

    • Institutional newsletter publications

The preferred method of communicating with all members of the schools, campuses and institution, which is not viewed as appropriate material for mass email communication, is through announcement web pages, institutional news article releases, mailing material, leaflets, brochures and notice boards.

To facilitate official mass email communication, Information Technology maintains the resources for email address groups.  Access to send to these groups is restricted to approved representatives only from the governing authorities.  Attempting to send mass email communication to TTUHSC members and groups, which has not been approved by the appropriate authority, is in violation of IT Policy, 1.4.1 Acceptable Use.

Alumni and Retiree Email Accounts        

Official TTUHSC email accounts are only issued to current TTUHSC students, faculty, and staff.  After the owner's biographical record ceases to be supplied from Personnel Records, Student Records, or other approved sources, the eRaider Account Manager will automatically disable access to HSC eMail. Individuals should make plans to transfer their email to another location prior to graduation or last day of employment.

Graduating students who would like to continue to receive information from TTUHSC are strongly encouraged to register themselves at www.RaiderCheckUp.com . Users needing help registering on the site should call the Alumni Relations Office at (806)743-3238 or email TTUHSCAlumni@ttuhsc.edu

1.4.7     INCIDENT MANAGEMENT

The following describes the requirements for managing security incidents.  Security incidents include, but are not limited to detection of viruses, worms, and Trojan horses, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of information resources as outlined in the Acceptable Use Policy.

Responsibilities

TTUHSC Information Technology Security (ITS) group, in coordination with the Computer Incidence Response Team (CIRT) members is responsible for the following:

Standard/Procedure

  1. TTUHSC CIRT members may be required to perform duties related to the incident that take precedence over normal duties.
  2. The Information Security Officer is responsible for:
    1. initiating incident management action, including notifying the appropriate personnel.
    2. determining the physical and electronic evidence to be gathered as part of the incident investigation.
    3. determining if a widespread TTUHSC conference call is required, the content of the conference call, and how best to contact CIRT members
    4. initiating, completing, and documenting the incident investigation with assistance from the CIRT
    5. coordinating communications with outside organizations and law enforcement.
    6. reporting the incident to the:
  3. The appropriate technical resources from the CIRT are responsible for:
    1. ensuring that any damage from a security incident is repaired or mitigated, and that the vulnerability is eliminated or minimized where possible.
    2. communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.
  4. In the case where law enforcement is not involved, the Information Security Officer will provide the appropriate information to the Managing Director of Technology Services, who will notify TTUHSC Human Resources as appropriate.
  5. In the case where law enforcement is involved, the CIO is responsible for reporting the incident to Federal, State, or local law officials as required by applicable statures and/or regulations as well as act as the liaison between law enforcement and TTUHSC.

Guidelines For Handling A Computer System Incident

Don't panic.  Call the I.T. Help Desk.  The Help Desk staff will guide you through the next steps to take, which includes the following:

  1. Assessment.  Do not immediately shut down the machine, as you may lose important information.  If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, you may need to disconnect it from the network.  If this does not appear to be the case, leave the system intact for the moment.
  2. System scan.  Work with the I.T. Help Desk and run an emergency system security scan.  This information will help you assess the damage.  (The machine must be up and on the network in order to run a scan.)
  3. Gathering all relevant information.  This may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs.
  4. Take notes.  Record all relevant information, including things you observed, actions you took, dates and times, etc.  It is best to log your activities as they occur.
  5. Changing account passwords.  All system accounts that were involved with the incident may require new passwords as determined by the Information Security Officer. Choose a password in accordance with the password requirements and change it every ninety (90) days.
  6. ITS will determine the correct course of action.   The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, cost of recovery, etc).

Other Steps A Systems Administrator May Take

  1. Change the status of accounts, if necessary.  In the event that a system administrator detects a problem with a system, or questionable user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting logins to it.  This results in the account owner having to contact an administrator in order to remove the login restriction.  This is not deleting the account, but is merely making the account temporarily unusable.
  2. Stop rogue service(s), if necessary.  In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network.  Examples of this type of attack is a “ping sweep” which occurs when one machine on the network sends other machines Internet Control Messages Protocol (ICMP) requests until the network exceeds capacity causing degradation and/or traffic being blocked.
  3. Review your backup policies.  If you believe your data and/or operating system has been compromised, you must ensure that a backup is available for restoration.  If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence.  If your disaster recovery policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to.  Until that time, do not allow any backups to be overwritten.  It is recommended that users regularly back up important data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator for Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data.)

If you have questions about incident procedures, contact its@ttuhsc.edu.

1.4.8     INTERNET AND INTRANET CONNECTIVITY

The CIO is responsible for providing Internet connectivity for the TTUHSC network.  Regional campus LANs, or any other supported or non-supported LAN connected to the TTUHSC network, may not connect to any other Internet service provider without written approval of the TTUHSC Information Security Officer (ISO) and Managing Director of Technology Services.

The CIO or their designee must authorize all network connections between the TTUHSC network and external government agencies or affiliated teaching hospitals.  These connections will be controlled and monitored by a firewall or other security device under the administrative control of the Information Security Officer and his/her staff.

Access to the Internet and intranet are for Institutional purposes.  Please refer to policy 1.4.1 Acceptable Use for additional information.

1.4.9     INTRUSION DETECTION

The Information Technology Security Group shall monitor and audit intrusion detection logs as part of their daily job functions.  Intrusion detection logs are maintained for a minimum period of two weeks.  Anomalies will be investigated and appropriate measures will be taken in the event of an actual threat in accordance with the incident management procedures outlined in Policy 1.4.7, Incident Management.  Compliance with this policy is the responsibility of the Information Security Officer.

Various tools provide the ability to block malicious programs on our email servers, file servers and other computers on our network.

1.4.10   NETWORK ACCESS

Local Area Networks

Supported LANs are those designed, installed, and operated by the Enterprise Network team.  Devices such as computers, printers, scanners, storage devices and arrays, and video-conferencing systems may be connected to a network outlet within a supported LAN with the approval of the campus RSC.

The following may not be connected to an outlet within the TTUHSC network without prior written authorization of the CIO or their designee:

TTUHSC Domain

All TTUHSC owned PCs and servers attached to the TTUHSC network must be members of the TTUHSC domain and be defined in the appropriate Active Directory Organization Unit (OU)

Modem Connections

All modem connections must be approved by the CIO or their designee, and routed through a modem pool or network device which utilizes an I.T. approved authentication system.

The connection of a device to the TTUHSC network that is accessible directly from the Internet, without going through the TTUHSC firewall or an I.T. managed modem pool, is a security risk.  Typically, this is a modem device connected to a desktop computer or server on the TTUHSC network which is set to automatically answer incoming calls for connections to outside systems.  Incoming connections to modems are not allowed without CIO approval.

Remote Access Policy and Procedures 

Remote access to the TTUHSC network provides users with the convenience of accessing the Internet, their office computer, or information on network file shares to which they have access.  Along with this convenience, comes the need for appropriate security controls to ensure that data transmitted is secure.  Additionally, the network must be protected from illicit use; and to ensure that viruses, malware, and other malicious code are not allowed to propagate across the network.

Scope

This policy applies to all remote devices connected to the TTUHSC network infrastructure through Internet access or direct dialup connections.

Policy

State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data.  Therefore, TTUHSC personnel must use a secure mechanism for accessing the TTUHSC network infrastructure remotely.  Additional information on remote access can be found at www.ITSolutions.ttuhsc.edu.

All users who connect remotely to the TTUHSC network must install an anti-virus software on each computer.  This anti-virus software must be updated regularly with new anti-virus signatures.  TTUHSC provides free McAfee Virus Scan licenses for home use by faculty, staff, and students.  This software can be downloaded at https://www.ttuhsc.edu/IT/security/mcafee/.

VPN

Any user accessing the TTUHSC network through an Internet connection (Satellite or cable Internet connections) must connect using a Virtual Private Network connection (VPN).  

Account Administration

VPN accounts are available at no cost for current faculty, staff, and students of TTUHSC.  VPN accounts can be requested at www.ITSolutions.ttuhsc.edu. An email response will usually be returned with account information and setup instructions within 1 business day.

When a VPN account holder (employee or student) leaves TTUHSC, the account will be disabled as soon as Information Technology is notified of the termination date.  VPN accounts will be set to automatically expire 12 months from the date the account is created or renewed.  At least one week before an account expires, an email will be sent to the account holder reminding him/her to renew the account.  The renewal request can be filled out at www.ITSolutions.ttuhsc.edu.

Client Connection Setup

VPN services from connections outside the TTUHSC network are supported, provided that VPN services are in compliance with the Internet Service Provider's policies.

Security

All Institutional security policies are applicable to remote access users.  Security controls in place include appropriate authentication and Intrusion Prevention Services (IPS).  Monitoring and auditing will be conducted on the remote access connections in the event of unusual network activity.  Information Technology will disable a dial-up or VPN account, based on recommendations from the I.T. Security Team, if network activity from any remote access computer is disrupting computing services on the TTUHSC network.

TTUHSC Software Requirements

All systems connected to the TTUHSC network must have approved anti-virus software (I.T. Policy 1.4.22, Viruses and other Malicious Code) installed and operational before the system is connected to the network.  This software must be configured to receive regular virus signature updates from the anti-virus servers administered by the TTUHSC Information Security Officer and his/her staff.

1.4.11   NETWORK CONFIGURATION

This policy describes the requirements and constraints for attaching a computer, system, or network devices, or videoconferencing system to the TTUHSC network.  The intent of this policy is to ensure all connections to the TTUHSC network are maintained at appropriate levels of security and interoperability, while at the same time not impeding the ability of TTUHSC faculty, staff, and students to perform their work.

Responsibilities

The Chief Information Officer (CIO) is the central authority for all network issues.  The CIO may appoint and/or delegate management of certain aspects of network administration as deemed necessary.

TTUHSC regional campuses administer local area networks (LAN), under direction of the CIO and the Managing Director of Technology Services.  Each regional campus or location must designate a Regional Site Coordinator (RSC) to serve as the administrator of all LANs at that campus.  The RSC is the contact person for all connectivity issues between the regional campus LANs and the TTUHSC wide area network (WAN).

The Managing Director of Technology Services is the main point of contact with Facilities Planning and Construction and Physical Plant at all campuses for all new construction and major renovation projects involving computing systems.  Minor renovations will be handled at the local level.

Wide Area Network Connectivity and Routing

All routers within the TTUHSC WAN will be selected, operated, and maintained by personnel designated by the CIO.  Subnet IP routing on the TTUHSC WAN will be performed in accordance with delegated IP address space.  Routing of private IP address space (as defined by the Internet Engineering Task Force Request For Comments document #1918 - Address Allocation For Private Internets) across the TTUHSC WAN must be approved by the CIO or their designee.

Firewall Access Standard

All internal TTUHSC computers are protected from outside network access by a firewall.  All incoming network requests not known and defined are denied and are not passed through to the internal campus network.  This section describes the procedures to allow special access through the firewall to employees and third parties/vendors in instances where certain services and /or applications are required to maintain workflow and provide services.

Standard

Approval for outside network access to TTUHSC computing resources will be based on the following criteria:

When the connection has been approved by the CIO, firewall access will be granted when the following have been completed:

Registration ensures that the target machine has an administrator known to Information Technology.  The administrator will perform the necessary tasks to keep the system up to date and in a secure state, with the assistance from the Information Technology Security Group.  Registration will be renewed once a year.  Renewal notices will be sent via email by the ITS.

The ITS will perform routine security scans on machines registered for special access.

Procedures

The firewall access form should be submitted through the web to itsolutions@ttuhsc.edu  Depending on the request, it may take up to two business days for the request to be completed.  If the request is considered urgent, and the two-day timeline is not sufficient, please state that the request is Urgent.  Include in the email message the reasons why the request is time critical.

Request for changes to the firewall must come from the administrator of the target machine.  Requests received from anyone else will be forwarded to the machine’s administrator for approval.

All requests will be sent to the Regional Site Coordinator (RSC) at the campus where the machine resides.  Once the RSC has checked to make sure the machine has a reserved IP address, the request will be forwarded to the Information Technology Security Group for final approval by the Information Security Officer.  Once approved, the Information Technology Security Group will make the necessary changes to the firewall.  The RSC may require that network configuration of the destination computer be modified prior to approving access.

IP Address Allocation Standards And Procedure

IP Addressing

All address delegation with the regional campuses and any supported LANs will be coordinated between the CIO or their designee and with the appropriate RSC.  The RSC will be responsible for administration and registration of all IP addresses and sub-networks within the delegated address range(s), according to the standards and guidelines approved by the CIO.  All hosts in the TTUHSC domain must obtain a valid IP address from the RSC.  No host on the intranet should broadcast dynamic routing information except specially configured gateway or router devices.

To ensure efficient IP address utilization, TTUHSC will allocate their assigned IP addresses to reflect the requirements of each building location, wiring closet, or network service.  This ensures compliance with the American Registry for Internet Numbers (ARIN) requirements for utilization of public IP address space.

For regional IP addressing strategy, RSC’s should refer to the IP Address Allocation Strategy.

Reserved IP Address Standards

Reserved IP addresses are available to the following hosts:

All other hosts will use dynamic addresses, allocated by Dynamic Host Configuration Protocol (DHCP) services at each regional campus.  Reserved address requests for hosts that do not correspond with the above list must be approved by the appropriate Regional Site Coordinator.

Refer to the Server Hardening Section for additional requirements that must be met before a server can be assigned a reserved IP address.

Reserved IP Address Allocation Procedures

All reserved IP addresses must be properly authorized and recorded before they are issued.  The following outlines the procedure for requesting and allocating reserved IP addresses:

  1. Complete the Reserved IP Address Request form and send to the Regional Site Coordinators at the respective campuses.
  2. Upon receipt, the network technician creates a work order, and verifies the attached information is complete.
  3. Using the TTUHSC IP Address Management application, the host is assigned to the correct VLAN and subnet.  The next available address is selected, and the information provided by the requestor is entered into the system.
  4. The assigned IP address, hostname, and hardware address are entered into the DHCP server(s).
  5. If requested, Domain Name Service/System (DNS) alias entries are entered into the DNS configuration file to translate domain names into numeric IP addresses.
  6. The assigned IP address is sent to the requestor via email.
  7. The technician updates and closes the work order.

1.4.12   PASSWORD/AUTHENTICATION

Never share your password with anyone.

In accordance with Texas Administrative Code § 202.75, all TTUHSC computing systems shall require a login authentication process, whereby each user is identified and authenticated through their unique USER ID and/or account name.  Access to the network and to applications is based on individual roles and determination of user access levels is the responsibility of the owners of the information or applications being accessed. 

Texas Tech’s primary authentication is through an account management system known as eRaider, which allows users to access the information resources available at the Health Sciences Center.  Passwords for eRaider accounts follow industry best practices and must meet the following requirements:

Passwords must be reset every 90 days. 

System Identification/Logon Banner

Any TTUHSC computing system that prompts the user for a login should require an unauthorized access warning banner be displayed.  The unauthorized access warning banner must inform the user of the restrictions imposed on the system before access is attempted, thereby giving the user the opportunity to avoid violating any access restrictions.  The Unauthorized Access Warning Banner must be prominently displayed each time a user attempts to access a server system, network terminal, and/or a restricted/secured web site and/or web page, specifically before the user can begin the login authentication process.

The Unauthorized Access Warning Banner will be made part of the web site and/or web page preceding a restricted/secured web site and/or web page and must be displayed before a user enters the secured web site and/or web page.  The user must also be made to acknowledge the warning either in the form of an icon or button stating “OK” or “I Accept” before they can proceed.

Unauthorized Access Warning Banner Text

The following is the text for the Unauthorized Access Warning Banner:

WARNING!

USE OF THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS ONLY AND SHALL BE USED IN ACCORDANCE WITH THE ACCEPTABLE USE POLICY. USERS HAVE NO EXPECTATION OF PRIVACY EXCEPT AS OTHERWISE PROVIDED BY APPLICABLE PRIVACY LAWS. THIS SYSTEM MAY BE SUBJECT TO MONITORING BY THE INFORMATION TECHNOLOGY DIVISION. UNAUTHORIZED ACCESS IS A VIOLATION OF APPLICABLE TTUHSC, STATE, AND FEDERAL LAWS AND REGULATIONS AND WILL BE SUBJECT TO CRIMINAL PROSECUTION.

1.4.13   ASSET MANAGEMENT

Information resource assets consist of hardware, software, and information.  Software and Hardware assets are to be controlled according to requirements of O.P. 63.10, Property Management.  Appropriate disposal processes are in place by General Services. Departments are responsible for software and data files on computing devices and equipment before they are transferred or surplused unless the software license is transferable. In the event that the computing device contains any confidential information in electronic media, the department is responsible to ensure that all electric media is destroyed prior to being transferred or surplused.

1.4.14   PORTABLE COMPUTING

TTUHSC has seen a significant increase in the use of the Portable Computing Devices (laptops, Personal Digital Assistant’s (PDA), smart phones, USB drives, and USB flash drives) at the Institution.  This policy is intended to provide guidance for Portable Computing Device utilization.

Security Guidelines

Portable Computing Devices are inherently at risk for theft and security vulnerability.  In cases where there is a justifiable business need or requirement for confidential information, such as patient information, confidential student information, grades, etc., to be stored or transferred to a Portable Computing Device appropriate security measures must be implemented as listed below.

Security Policy

1.4.15   PRIVACY

Rights to personal privacy, while using Institutional I.T. resources, will be maintained in accordance with federal and state statutes.  Furthermore, user activity may be monitored pursuant to Policy 1.4.16, Monitoring of I.T. Assets of this policy. For further information, please refer to the links in the Federal and State statutes section.

In addition, the safeguarding of certain financial information (including, but not limited to information used in connection with the awarding and issuance of student loans) that is covered by the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801, et seq., implemented by 16 CFR Part 314, will be governed by the TTUHSC Information Security Plan for Financial Information and TTUHSC OP 56.01 – Use of Information Technology Resources.

TTUHSC O.P. 56.04 states that anyone who has access to confidential information will take reasonable and necessary steps to maintain the confidentiality and privacy of such information.

As a key provider of services and technology in the healthcare industry, TTUHSC has implemented programs to address the transaction standards, and the privacy and security implications of the rules set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996.  More resources on HIPAA can be found at http://www.ttuhsc.edu/hipaa/.

1.4.16   MONITORING OF I.T. ASSETS

As a public institution, all TTUHSC computers, videoconferencing systems, and network activity are subject to ongoing and unannounced security audits.  The inappropriate use of the systems and/or networks that violate Institutional policies or local, state and federal laws (i.e., copyright violations, pornography) will be investigated and reported.  The CIO or their designee will authorize these investigations and the appropriate authorities will be notified.  The Information Technology Security Team will be responsible for conducting these audits as necessary.

TTUHSC has the right to disclose the contents of electronic files, as required by legal, audit, or legitimate State, Local, Federal and/or Institutional purposes.

1.4.17   SECURITY AWARENESS AND TRAINING

TTUHSC will use the "New Employee Orientation" to initiate security and copyright awareness and educate new employees about TTUHSC I.T. policies.  Annual Security Awareness Training will be required for all faculty and staff who access the TTUHSC network.  The ISO will be responsible for assuring that the appropriate training is provided and utilized by all network users.

The Information Security Officer, in collaboration with the I.T. Security Council, will ensure additional security awareness will be provided through ongoing web announcements and other media formats.

1.4.18   SERVER HARDENING

Standard/Procedure   

A server cannot be connected to the TTUHSC network until it is in a TTUHSC I.T. approved secure state.  Prior to connecting the server to the network, the following must be performed:

Before connecting to the network

Immediately after connection to the network, the following must be completed:

Note: For more detailed information and procedures based on specific operating system, please refer to Guidelines For Operating Systems Security at http://www.ttuhsc.edu/it/policy/ossecurity.aspx.

All servers are required to be submitted to a vulnerability assessment performed by TTUHSC Information Technology Security group (ITS) prior to use.

In the event that a vulnerability or a combination of vulnerabilities are discovered that constitute an unacceptable level of risk as deemed by TTUHSC ITS, the server administrator is responsible for ensuring they are addressed. Any such risk must be addressed prior to production use. Further scanning may be required.

TTUHSC ITS will monitor security issues, both internal and external to TTUHSC, and will monitor the release of security patches on behalf of TTUHSC.  After the server administrator is notified by the ITS, patches must be implemented within a specified timeframe determined by the security level of the patch, or the risk level of the vulnerability.  ITS will routinely monitor to ensure the system(s) are in compliance.  Failure to comply with these guidelines can result in the server(s) being removed from the network. 

TTUHSC I.T. will perform due diligence in testing security patches before release when practical.

1.4.19   AUTHORIZED SOFTWARE

Installation of any software must have a justifiable business purpose and must be properly licensed.  Standard recommended software can be found at www.ITSolutions.ttuhsc.edu/support.aspx.  Software that is Institutionally-required (e.g., McAfee VirusScan) must not be removed.  Each system should also be set to automatically receive Microsoft Updates.  The CIO, or designee, reserves the right to remove any software on computers that poses a threat to TTUHSC computers or to the operation of the network. 

1.4.20   APPLICATION SYSTEM DEVELOPMENT, ACQUISITION, AND LIFECYCLE

The central Data Center at TTUHSC employs a three-tiered architecture that consists of separate testing, staging, and production servers that isolates the testing environment from production environment.  All server or web-based applications residing in the central Data Center must be hosted in this type of environment to ensure separation of test and production code/data.  PHI data and the services that manage that data must reside on servers located in the central data center with limited access and additional security controls. Within this section, applications are defined as programs, software, systems, or web pages that are available to and interact with multiple users.  These applications and associated data usually have a medium to high risk associated with them, as defined in Policy 1.1, I.T. Resource Management and Responsibilities.  (See also TAC 202.72)

Access to the production environment must be strictly controlled.  Web development and quality assurance practices are described in Policy 9.4, Change Management, Procedures for Official TTUHSC Web Pages/Sites.  The quality assurance process for developing, maintaining and changing applications at TTUHSC is described in this section.

Developing Applications/Systems/Web Pages

All applications/systems, acquisition, development, and maintenance will be required to undergo a security audit before being put into production and must follow Policy 9.5, Coding Standards, Security, and Audit Controls.

Migrating Applications/Systems/Web Pages From Test To Production

Within the Information Technology Division at all campuses, all developers must adhere to the following quality assurance procedures:

Outside of the Information Technology Division at all campuses, all developers should adhere to the same quality assurance procedures listed above.  However, all applications/systems/web pages are required to undergo a:

All applications/systems/web pages residing on servers outside of the central Data Center will be hosted using a three tiered architecture and must follow the below approval process. The Architecture must consist of separate testing, staging, and production servers that isolate the testing environment from production environment and utilizes the quality assurance procedures listed above for the Information Technology Division.

All coding will be consistent with the practices outlined in Policy 9.5, Information Services Coding Standards, Security, and Audit Controls.

Submitting A Project Request For Information Services Resources

All project requests are reviewed on a bi-weekly basis.  The purpose of this review is to determine whether resources exist to accomplish the objectives of the request and to prioritize approved requests.  Before any project can be scheduled and resources allocated, it must be approved by the Associate Vice President for Information Services or the Managing Director of Information Services and the applicable Campus I.T. Director prior to any allocation of resources.

Also, if a request is submitted and the request was not made by the application/data owner, then the application/data owner must approve the request prior to any work starting on the project.

Projects are requested by submitting a work order via STARS.

1.4.21   VENDOR ACCESS

Vendors’ physical access to the central Data Center will require the appropriate approval and authorization by the CIO or the Managing Director of Technology Services.  Logs will be maintained on all vendor access to the central Data Center facilities and vendors must execute a Business Associate Agreement with the Institution prior to accessing the TTUHSC network to ensure that any confidential information intentionally or unintentionally accessed is properly protected. Vendor access is for a limited time only.

1.4.22   VIRUSES AND OTHER MALICIOUS CODE

The purpose of this policy is:

Due to the collaborative nature and sensitivity of the work performed at TTUHSC, all Institutional computers must have the institutionally provided antivirus software installed.  Users’ continued access to the TTUHSC network is contingent on the installation of institutionally provided antivirus software on all TTUHSC-owned computers. This virus protection software must not be disabled, bypassed, or modified in any way.

Specific Restrictions

TTUHSC expressly prohibits:

Specific Responsibilities and Guidelines for Virus Prevention

Students, Faculty, and Staff should:

Computer Security Analyst (CSA) is responsible for:

Information Technology Security (ITS)’s responsibilities include:

The CSA and ITS are jointly responsible for:

Information Technology PC Support/System Support (all campuses) should take the following steps:

1.4.23   WIRELESS ACCESS

To ensure proper administration and security of the network, it is important for the development of wireless networking capabilities to be controlled and coordinated.

This document outlines the policies for the implementation of wireless networking technology at TTUHSC.  See also Policy 1.4.14 - Portable Computing.

Scope

This policy applies to all wireless network devices connected to the TTUHSC network infrastructure, or wireless devices owned by TTUHSC, or operated in TTUHSC facilities.

Policy

All TTUHSC faculty, staff, and students should be aware that wireless network connections are inherently less secure than wired connections.  State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data.  Therefore, TTUHSC personnel are advised against using wireless technology to transmit this type of information.

Information Technology will extend the TTUHSC network to provide wireless service to any area based on the application need and demand and subject to the availability of resources.  Wireless networks are not a replacement, but a supplement to the existing wired network. 

The Chief Information Officer (CIO) or designee, in concurrence with the Regional Site Coordinator (RSC) at the respective campus, must approve the installation and use of wireless access points connected to the TTUHSC network.

These access points and wireless devices must have the manufacturer’s default SSID changed.  These access points and devices will be audited and monitored on a regular basis.  Information Technology reserves the right to remove any unauthorized or misconfigured wireless device from the network immediately without prior notice.

Wireless networks and services are subject to the same rules and policies that govern other electronic communications services at TTUHSC.  (See Acceptable Use and Portable Computing).  Disruption of authorized communications or unauthorized interception of wireless communication is a violation of policy.

Equipment

TTUHSC will implement wireless equipment that follows the IEEE 802.11 standards.  Wireless equipment standards will be reviewed and amended as wireless standards change, and as products are introduced that improve the security and reliability of the wireless network.

Security

Access to the wireless network will be limited to individuals authorized to use the Institutional network and Internet resources.  All wireless network users must authenticate his/her identity to an authentication server managed by Information Technology before access to the rest of the TTUHSC network is permitted.  Anonymous users will not be allowed to access the wireless network.

Responsibilities

Information Technology

Department Administrators

1.4.24   VULNERABILITY ASSESSMENT

Vulnerability assessments apply to all institutional computing devices. In order to test security measures currently in place, vulnerability assessments will be conducted on a scheduled, and ad hoc, basis. Vulnerability assessments will only be conducted by the TTUHSC IT Security Department, and must be approved by the TTUHSC Information Security Officer, and the TTUHSC Chief Information Officer. When vulnerabilities are detected that constitute an unacceptable level of risk as deemed by the TTUHSC IT Security Department, the server administrator will be notified of the vulnerabilities. The server administrator is responsible for ensuring that the risk is mitigated in a timely manner.

Download Free Adobe Reader Get Adobe Reader Adobe Acrobat Reader is required to view items marked with this icon:
Please click on the left image to download the free version.