TTUHSC IT Policies
1.4 Security Safeguards (TAC 202.75.7)
Conduct Yourself Responsibly
The use of TTUHSC I.T. resources may be temporarily or even permanently revoked at any time for abusive conduct. Such conduct includes placing unlawful information on a system, copyright violations, using abusive or otherwise objectionable language in either public or private messages, sending messages that are likely to result in the loss of recipients' work or systems, sending unauthorized messages to individuals, or any use that would cause congestion of the networks or otherwise interfere with the work of others.
Use of peer-to-peer programs on TTUHSC computers and/or network for downloading and/or uploading of illegal copies of copyrighted media is strictly prohibited. All students, faculty, and staff should remove these applications immediately from TTUHSC computers. Students, faculty, and staff who use their personally-owned computers to connect to the TTUHSC network must disable all peer-to-peer applications and services before connecting to the network. This includes direct connection or remote connection via PPP, VPN, or wireless accounts. Any computers using peer-to-peer applications on the TTUHSC network are subject to removal from the network until the application is removed or disabled.
Misuse of TTUHSC information resources is a violation of the policies contained herein and will result in disciplinary action in accordance with HSC OP’s 70.31 and 77.05 and the Student Affairs Handbook.
Computing Ethics And User Responsibilities
Information technology resources at TTUHSC are owned by the State of Texas and administered by the Information Technology Division. All products created on Institutional property belong to the Institution. These products shall be considered "intellectual property" as defined by and managed according to Board of Regents Rules and Regulations, Chapter 10 - Intellectual Property Rights. TTUHSC will provide access to appropriate central and campus I.T. resources, and to their attached networks to all members of the TTUHSC community. Users are responsible for managing their use of I.T. resources and are accountable for their actions relating to information technology security.
Users must abide by the following list of standards that have been established:
- Report any weaknesses in TTUHSC computer security, any incidents of possible misuse, or violation of these policies to the appropriate I.T. management.
- Access only information that is your own, that is publicly available, or to which you have been given authorized access. Users may use only the I.T. resources they are authorized to use and only for the purposes specified when their accounts were issued or permission to use the resources was granted.
- For security reasons, protect your USER ID, password, and system from unauthorized use. Users who share their access with another individual shall be responsible and will be held accountable for ALL usage of their accounts.
- Use only legal versions of copyrighted software in compliance with vendor license requirements. Users shall not transport software provided by TTUHSC to another computer site without prior authorization from the departmental administrator. To do so constitutes theft.
- DO NOT attempt to circumvent or subvert system, network, destroy the integrity of computer-based information, or access controlled information on the TTUHSC network.
- DO NOT install software/hardware for personal use on TTUHSC systems.
- Sexually explicit material in any form is not allowed on TTUHSC systems. See Sexually Explicit Material section for more detailed guidelines.
- Users must not unreasonably interfere with the fair use of I.T. resources by another. Examples of unreasonable interference include playing games, listening to or viewing streaming audio/video for recreation, intentionally misconfiguring or tampering with videoconferencing equipment, interfering with the scheduled use of a distance learning classroom by failing to promptly vacate the room at the end of a session, and intentionally running a program that attempts to violate the operational integrity of the TTUHSC network.
- Users are prohibited from using the TTUHSC’s systems or networks for personal or commercial gain, such as, selling access to your USER ID or to TTUHSC systems or networks, performing work for profit with TTUHSC resources in a manner not authorized by the TTUHSC, marketing/advertising, and/or personal business transactions with commercial organizations.
- TTUHSC systems are not to be used for partisan political purposes, such as using electronic mail to circulate advertising for political candidates or lobbying of public officials.
- DO NOT use mail or messaging services to harass or intimidate another person, for example, by broadcasting unsolicited messages, or by repeatedly sending unwanted mail.
The above list is by no means exhaustive, but attempts to provide a framework for activities that fall into the category of unacceptable use.
Users shall not view, retrieve, transmit, distribute, print, or save any electronic files that may be deemed sexually explicit on TTUHSC I.T. resources. This includes both visual and textual sexually explicit material as defined by Chapter 43 of the State of Texas Penal Code on Public Indecency. Exceptions are material used for scientific, medical, and/or educational purposes.
It is also illegal to use sexually explicit material to intimidate, persecute, or otherwise harass another individual. This is considered sexual harassment. For more detailed guidelines on sexual harassment, refer to HSC OP 70.14.
Do not open any emails which you believe to contain obscenity or pornography. If obscenity and/or pornography are received through email, there will be no disciplinary proceedings if the mail is deleted immediately. If the offending email originates from a TTU or TTUHSC email address, report the receipt of said material to the Assistant Vice President for Human Resources and/or the Information Security Officer immediately. Reporting of such a violation will be held in the strictest confidence.
eRaider is an account management system which makes it possible for students, faculty, and staff to obtain and access electronic resources at Texas Tech using a single username and password. Your eRaider username and password are required to access many of these resources. An eRaider account is required to access the TTUHSC domain. New students, faculty, and staff receive an eRaider account upon coming to the Health Sciences Center; access is dependant upon account types (i.e. faculty, staff, and students) and department requirements. User access should be reviewed upon changes in job description, job responsibilities, removed upon termination of employment. These changes should be indicated by the department head or listed in the separation checkout for each individual. Questions regarding eRaider account information should be directed to the I.T. Solutions Center at each respective campuses.
This policy provides a set of requirements for the regulation and use of administrator or special access on the TTUHSC systems. This policy will provide a mechanism for the addition and removal of people from special access in the Active Directory domain and a mechanism for periodic reviews of the administrator/special access database.
Special Access will need to be requested by the information owner or designee and submitted to the I.T. Solution Center at http://www.ITSolutions.ttuhsc.edu
Regulation of Special Access Accounts:
- Special access on TTUHSC system is maintained and monitored by both Data Center Operations and the Information Security Officer.
- Passwords for special access accounts are changed on a regular basis as determined by Institutional policy.
- Special access is only provided to individuals who need the access to perform their job.
- Any misuse of special access privileges must be reported to the TTUHSC Information Security Officer when discovered.
- Persons requesting special access must follow all procedures outlined in the Special Access Guidelines.
- Persons who misuse their special access privilege can have special access revoked and may face Institutional disciplinary action (See Policy 10 - Disciplinary Process)
- Special access is reviewed on a periodic basis as defined below.
- All persons who currently (prior to the approval of this policy) have special access are required to submit a completed Special Access Request form and a signed Special Access Guidelines agreement.
Performing a Periodic Review of the Special Access Database
A review of special access will be made on an annual basis or as determined by the TTUHSC Information Security Officer. The review process will involve the following steps:
- A report will be generated from Active Directory. The report will list: special access by system and access type; and access by person (i.e., for each person, all access given to that person is listed).
- The reports will be distributed to the Information Security Officer, the Manager of the Data Center, and the manager of users given special access. Each person reviews the list (or appropriate part of) to determine if any changes should be made.
- Should anyone determine that an individual needs to be added to other special access groups, that individual must submit a Special Access Request form requesting the additional access.
- If there are any deletions to be made to the permissions, the Manager of the Data Center will make the appropriate changes.
Special Access Guidelines
This agreement outlines the use of special access on TTUHSC computers. Special access is defined as having domain access other than as a domain user. The TTUHSC environment is very complex and dynamic. Due to the number and variety of computers and peripherals, special access must be granted to numerous people so the TTUHSC facility can be properly supported. People with special access must develop the proper skill for using that access responsibly.
The Special Access Guidelines have been developed to help people to use their special access in a responsible and secure manner. All persons requesting special access must read and follow these guidelines.
- Be aware of your TTUHSC computing environment.
- Always log on systems where you have an account as yourself. Any action done under a special access account should have an audit trail.
- Use special access only if necessary.
- Many system tasks require the use of root or other special access. However, there are many tasks that can be done without the use of special access. When at all possible use regular accounts for trouble-shooting and investigating.
- Complete the appropriate Change Request processes specified in Section 1.4.5. Document all major actions and/or inform the appropriate people.
- Documentation provides a method to analyze what happened. In the future, others may want to know what was done to correct a certain problem. The Lead System Analyst or Manager of the Data Center is to be informed BEFORE any changes are made to system specific or configuration files.
- Have a backup plan in case something goes wrong. Special access, especially root or administrative access has a large potential for doing damage with just a few keystrokes. You must be able to restore the system to its state before the error occurred.
- With the use of special access, situations arise that have never come up before. Although TTUHSC has many written procedures, they do not cover every circumstance possible. If any doubt exists about how you should proceed on a problem, ask for assistance.
Specific Considerations Regarding Special Access
- Do not share special access passwords with anyone.
- Do not write down the special access passwords or the current algorithm.
- Do not routinely log onto a system for which you have an account, as “root” or any other special access account.
- Do not read or send personal mail, play games, read the net news or edit personal files using a special access account.
- Do not browse other user’s files, directories or email using a special access account.
- Do not make a change on any system that is not directly related to your job duties. The TTUHSC System Administration Handbook states “The Lead System Analyst is responsible for approving all changes to the systems(s) of his/her responsibility. No changes are to be made to any system configuration file or executable file without prior approval of the Lead System Analyst and Manager of the Data Center.” Making a change AND then informing the Lead System Analyst is considered a violation of this guideline.
- Do not use special access to create temporary files or directories for your own personal use.
Shared resources (i.e. Network File Shares) are the primary method of protecting Institutional data. Non-business related data must not be stored on shared resources and is subject to deletion.
Departments are responsible for the creation of electronic and/or paper copies of institutional data and retention of that institutional data as defined by the Records Retention Operating Policy, 10.09. Disaster Recovery backups are not considered a valid retention mechanism for records retention purposes and must not be used by departments to meet records retention requirements.
Institutional server backups are performed for disaster recovery purposes only. Institutional servers are backed up based on the schedule listed below.
Nightly - Incremental backups will be performed to be retained until the next full backup is performed.
Weekly - Full data backups will be performed to be retained for four weeks.
Per disaster recovery best practices, backup tapes are stored off-site. The details of the off-site storage are outlined in the I.T. Division Disaster Recovery Plan.
Shared resource data may be restored provided the backup is within the storage timeframe as defined above. Restoration of shared resource data may be requested through the I.T. Solutions Center work order process.
Email backups are for disaster recovery purposes only. Restoration of individual email boxes is not possible.
Email in the Deleted Items folder will automatically be permanently deleted 15 days after the email is placed in the Deleted Items folder.
Email in the Junk E-mail folder will automatically be permanently deleted 30 days after receipt.
Permanently deleted (either automatically because of retention dates or manually by the user) email is recoverable by the end user for 21 days from the date of permanent deletion using Outlook Tools or Outlook Web Access.
The following change management protocols apply to the Institutional IT units as well as the regional campuses’ IT departments. The IT Division highly recommends that all departments adopt these industry best practices related to IT change management in their respective areas. A change is defined as a modification to the hardware, software, and documentation managed by Information Technology that has a reasonable possibility of impacting normal operations of those resources. Items that are considered changes include, but are not limited to:
- Installation or upgrades of server, networking, or security hardware or software, including patches and interim fixes,
- Modification of hardware or software that affects the operation of desktop computers connected to the TTUHSC network,
- Modification of server, network, or security settings that affect access to I.T. resources, and
- Modification or enhancements to the physical environment that supports I.T. resources.
Specific tasks that should not be considered changes include:
- Creation of new file shares, or modification to permissions of existing shares,
- Installation, activation, or removal of network cable drops, or
- Creation, modification, or deletion of accounts and mailboxes.
Changes will be classified into three categories:
- Category 1 - This category includes changes to resources that provide service to a large number of internal or external I.T. customers, or customers at multiple regional locations.
- Category 2 - This category includes changes to resources that provide service to a moderate number of I.T. customers within a specific location.
- Category 3 - This category includes changes for a single department or smaller group of users at a specific location.
All changes must be documented, and submitted for approval prior to implementation. The following defines the procedure for documentation and approval.
The requester initiating the change must initiate a Request Creator process via the STARS system (http://www.ttuhsc.edu/IT/STARS/roles/default.aspx). The following information must be provided on this form:
- Submission date - Date the change form is submitted for approval,
- Change date and time - Proposed date and time the change will be performed,
- Change duration - Estimated length of time for the change to be completed,
- Control Number - Change Identification number which uses the date of the request and a sequential number for multiple requests originated on the same date starting with 001 in the following format: YYYYMMDD-NNN,
- Change category - See prior section for definition,
- Change Purpose - Fifty character summary of the Change Description,
- Change description - Explanation of the change,
- Impact description - Campus and departments or groups of customers that will be affected by the change,
- Test procedure - Description of the testing performed for the change, if applicable,
- Back-out procedure - Procedure for backing out the change if the implementation is not successful, and
- Back-out duration - Estimated time to back out the change.
The technician’s manager will record the change request in a common Change Request Log maintained by the Managing Director of Network, Security, and Systems.
After the requester completes the Change Approval Form, it will be submitted to their supervisor or manager for review/approval. The approver will ensure the form is completed and information provided is adequate for decision making. The managers will meet with the authorized approver for Network Services, Information Security, Systems, or schools as needed to review and document recommendations. Change forms must be submitted to the approver of the applicable areas a minimum of one full business day prior to the review date.
If the authorized approver is unavailable for the weekly meeting, the managers will meet to discuss and make recommendations for the change requests. The authorized approver must be notified of all category 1 and 2 changes before implementation.
All changes will be forwarded to I.T. Executive Management (consisting of the CIO, AVP of Information Services, AVP of Security and Infrastructure Assurance, and Managing Director of Technology Services) for final disposition of the request.
Category 1 and 2 changes can be implemented no sooner than two full business days after approval. Category 3 changes can be implemented immediately after approval, according to the change date and time on the approval form.
Announcement messages must be distributed prior to all category 1 and 2 changes. Message content should include impact to user and training provided if applicable. The supervisor or manager should prepare this announcement prior to the change review meeting. The authorized approver will be responsible for posting the announcement.
Changes that are backed out during or immediately after implementation must be resubmitted for approval.
Occasionally, it may be necessary to implement changes before the next weekly change approval meeting. These changes will be designated as emergency changes, and will be documented as Emergency (E) Category, a category E1, E2, or E3.
All of the above documentation and approval procedures still apply for emergency changes, except these changes can be immediately submitted to the supervisor, and subsequently the CIO, for approval and implementation.
Emergency change requests should only be submitted when I.T. operations or security will be negatively impacted or compromised if the change is not implemented immediately.
All Institutional email services will be delivered using the Microsoft Exchange platform. The supported email client is Microsoft Outlook or the web-based Outlook Web Access.
TTUHSC email accounts are available dependant on the type of associated HSC affiliation. The creation of email accounts are provisioned through the eRaider account activation process and online eRaider Account Manager. Assistance with eRaider and HSC eMail account setup can be obtained through the department hiring managers and the I.T. Solutions Center.
The volume of unsolicited bulk email (SPAM) that is received negatively impacts the Institution's infrastructure and productivity. Therefore, the Institution has deployed infrastructure to reject a high volume of SPAM emails before they are processed by our email servers. Additional infrastructure has also been deployed for students, faculty, and staff to use on their personal computers. For assistance or more information on strategies to manage SPAM/Junk Email, please contact the I.T. Solutions Center or go to http://www.ttuhsc.edu/it/helpdesk/anti-spam.aspx.
Email Naming Convention
The approved email-addressing format uses the firstname.lastname@example.org naming convention (e.g. email@example.com). This will be the official TTUHSC email address format for all students, faculty, and staff.
The naming convention for people who share the same name is slightly different. If a name already exists in the email database, a variation will be used, such as firstname.lastname@example.org format (e.g., email@example.com).
The CIO or their designee is the central authority for username and email address assignments for all campuses. Any disputes over usernames and/or email addresses should be referred to the CIO or their designee for resolution.
Users wanting to verify their email address can call the following numbers:
Lubbock Information Technology Solutions Center - (806) 743-1234
Amarillo Information Technology Help Desk - (806) 354-5404
El Paso Information Technology Help Desk - (915) 545-6800
Odessa Information Technology Help Desk - (432) 335-5108
To ensure Institution business is not disrupted, all business cards, stationery, and any other correspondence material must reflect the correct email address format, including contact information on web sites. All students, faculty, and staff should only use their official TTUHSC email address to facilitate the dissemination of information as well as promote and sustain the lines of communication.
Because email addresses are printed on official stationery, business cards, or any other correspondence material, all print jobs and/or official publications must follow the Publication Guidelines as established by the Office of News and Publications. Refer to HSC OP 67.01 (Publication Guidelines) for detailed guidelines on printing standards.
Implementation And Compliance Procedure
All TTUHSC students, faculty, and staff will be issued an official TTUHSC email account with the firstname.lastname@example.org naming convention format. This email address will be the only email address used for all official communications between the Institution and students, faculty, and staff. Emails will not be redirected or forwarded to another, non-TTUHSC account.
Sending Confidential Information
Any emails containing confidential information that are sent to persons outside TTUHSC or TTU must be encrypted. For more information regarding confidentiality and encryption please reference Operating Policy 56.04. For further instructions, go to www.ITSolutions.ttuhsc.edu.
Correspondences containing vital Institutional information must include the following disclaimer at the end of the email:
Confidentiality Notice: This message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.
TTUHSC mass email messages must be approved by the President, Vice Presidents or Deans for distribution of suitable email to TTUHSC schools, campuses and institution. For the purpose of student mass email communication, a designated representative of Student Services can also distribute mass email to students, with email content that is considered creditable and informative, that does not include commercial interest.
Suitable mass email material for approval includes, but is not limited to:
• Substantial changes in governance, policy, or practice
• Immediate threats to health, safety, property, or research
• Infrastructure maintenance, computer or telecommunication issues
• Official non-commercial survey material, institutional newsletter publications
• Institutional newsletter publications
The preferred method of communicating with all members of the schools, campuses and institution, which is not viewed as appropriate material for mass email communication, is through announcement web pages, institutional news article releases, mailing material, leaflets, brochures and notice boards.
To facilitate official mass email communication, Information Technology maintains the resources for email address groups. Access to send to these groups is restricted to approved representatives only from the governing authorities. Attempting to send mass email communication to TTUHSC members and groups, which has not been approved by the appropriate authority, is in violation of IT Policy, 1.4.1 Acceptable Use.
Alumni and Retiree Email Accounts
Official TTUHSC email accounts are only issued to current TTUHSC students, faculty, and staff. After the owner's biographical record ceases to be supplied from Personnel Records, Student Records, or other approved sources, the eRaider Account Manager will automatically disable access to HSC eMail. Individuals should make plans to transfer their email to another location prior to graduation or last day of employment.
Graduating students who would like to continue to receive information from TTUHSC are strongly encouraged to register themselves at www.RaiderCheckUp.com . Users needing help registering on the site should call the Alumni Relations Office at (806)743-3238 or email TTUHSCAlumni@ttuhsc.edu
The following describes the requirements for managing security incidents. Security incidents include, but are not limited to detection of viruses, worms, and Trojan horses, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of information resources as outlined in the Acceptable Use Policy.
- developing and preserving the procedures for handling incidents,
- defining and classifying incidents,
- determining the tools and technology utilized in intrusion detection,
- determining if an incident should be investigated and the scope of such an investigation (i.e. law enforcement agencies, forensic work),
- securing the network,
- conducting follow-up reviews,
- insure the proper reporting is conducted, and
- promoting awareness throughout the organization.
- TTUHSC CIRT members may be required to perform duties related to the incident that take precedence over normal duties.
The Information Security Officer is responsible for:
- initiating incident management action, including notifying the appropriate personnel.
- determining the physical and electronic evidence to be gathered as part of the incident investigation.
- determining if a widespread TTUHSC conference call is required, the content of the conference call, and how best to contact CIRT members
- initiating, completing, and documenting the incident investigation with assistance from the CIRT
- coordinating communications with outside organizations and law enforcement.
reporting the incident to the:
- CIO or their designee
- Information Technology Security Council
- Managing Director of Technology Services
- State of Texas Department of Information Resources
The appropriate technical resources from the CIRT are responsible for:
- ensuring that any damage from a security incident is repaired or mitigated, and that the vulnerability is eliminated or minimized where possible.
- communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.
- In the case where law enforcement is not involved, the Information Security Officer will provide the appropriate information to the Managing Director of Technology Services, who will notify TTUHSC Human Resources as appropriate.
- In the case where law enforcement is involved, the CIO is responsible for reporting the incident to Federal, State, or local law officials as required by applicable statures and/or regulations as well as act as the liaison between law enforcement and TTUHSC.
Guidelines For Handling A Computer System Incident
Don't panic. Call the I.T. Help Desk. The Help Desk staff will guide you through the next steps to take, which includes the following:
- Assessment. Do not immediately shut down the machine, as you may lose important information. If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, you may need to disconnect it from the network. If this does not appear to be the case, leave the system intact for the moment.
- System scan. Work with the I.T. Help Desk and run an emergency system security scan. This information will help you assess the damage. (The machine must be up and on the network in order to run a scan.)
- Gathering all relevant information. This may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs.
- Take notes. Record all relevant information, including things you observed, actions you took, dates and times, etc. It is best to log your activities as they occur.
- Changing account passwords. All system accounts that were involved with the incident may require new passwords as determined by the Information Security Officer. Choose a password in accordance with the password requirements and change it every ninety (90) days.
- ITS will determine the correct course of action. The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, cost of recovery, etc).
Other Steps A Systems Administrator May Take
- Change the status of accounts, if necessary. In the event that a system administrator detects a problem with a system, or questionable user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting logins to it. This results in the account owner having to contact an administrator in order to remove the login restriction. This is not deleting the account, but is merely making the account temporarily unusable.
- Stop rogue service(s), if necessary. In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network. Examples of this type of attack is a “ping sweep” which occurs when one machine on the network sends other machines Internet Control Messages Protocol (ICMP) requests until the network exceeds capacity causing degradation and/or traffic being blocked.
- Review your backup policies. If you believe your data and/or operating system has been compromised, you must ensure that a backup is available for restoration. If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence. If your disaster recovery policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to. Until that time, do not allow any backups to be overwritten. It is recommended that users regularly back up important data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator for Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data.)
If you have questions about incident procedures, contact email@example.com.
The CIO is responsible for providing Internet connectivity for the TTUHSC network. Regional campus LANs, or any other supported or non-supported LAN connected to the TTUHSC network, may not connect to any other Internet service provider without written approval of the TTUHSC Information Security Officer (ISO) and Managing Director of Technology Services.
The CIO or their designee must authorize all network connections between the TTUHSC network and external government agencies or affiliated teaching hospitals. These connections will be controlled and monitored by a firewall or other security device under the administrative control of the Information Security Officer and his/her staff.
Access to the Internet and intranet are for Institutional purposes. Please refer to policy 1.4.1 Acceptable Use for additional information.
The Information Technology Security Group shall monitor and audit intrusion detection logs as part of their daily job functions. Intrusion detection logs are maintained for a minimum period of two weeks. Anomalies will be investigated and appropriate measures will be taken in the event of an actual threat in accordance with the incident management procedures outlined in Policy 1.4.7, Incident Management. Compliance with this policy is the responsibility of the Information Security Officer.
Various tools provide the ability to block malicious programs on our email servers, file servers and other computers on our network.
Local Area Networks
Supported LANs are those designed, installed, and operated by the Enterprise Network team. Devices such as computers, printers, scanners, storage devices and arrays, and video-conferencing systems may be connected to a network outlet within a supported LAN with the approval of the campus RSC.
The following may not be connected to an outlet within the TTUHSC network without prior written authorization of the CIO or their designee:
- Proxy servers and firewalls
- Systems or devices providing Virtual Private Networking (VPN) capability to the Internet
- Wireless access points or other wireless networking equipment (Refer to Wireless Access)
- Systems or devices containing a network adapter operating in promiscuous mode where a node on a network accepts all packets, regardless of their destination address
- Systems performing Network Address Translation (NAT)
- Systems operating Domain Naming System (DNS), Windows Internet Naming System (WINS), or Dynamic Host Configuration Protocol (DHCP) services.
- Windows Domain Controllers
All TTUHSC owned PCs and servers attached to the TTUHSC network must be members of the TTUHSC domain and be defined in the appropriate Active Directory Organization Unit (OU)
All modem connections must be approved by the CIO or their designee, and routed through a modem pool or network device which utilizes an I.T. approved authentication system.
The connection of a device to the TTUHSC network that is accessible directly from the Internet, without going through the TTUHSC firewall or an I.T. managed modem pool, is a security risk. Typically, this is a modem device connected to a desktop computer or server on the TTUHSC network which is set to automatically answer incoming calls for connections to outside systems. Incoming connections to modems are not allowed without CIO approval.
Remote Access Policy and Procedures
Remote access to the TTUHSC network provides users with the convenience of accessing the Internet, their office computer, or information on network file shares to which they have access. Along with this convenience, comes the need for appropriate security controls to ensure that data transmitted is secure. Additionally, the network must be protected from illicit use; and to ensure that viruses, malware, and other malicious code are not allowed to propagate across the network.
This policy applies to all remote devices connected to the TTUHSC network infrastructure through Internet access or direct dialup connections.
State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data. Therefore, TTUHSC personnel must use a secure mechanism for accessing the TTUHSC network infrastructure remotely. Additional information on remote access can be found at www.ITSolutions.ttuhsc.edu.
All users who connect remotely to the TTUHSC network must install an anti-virus software on each computer. This anti-virus software must be updated regularly with new anti-virus signatures. TTUHSC provides free McAfee Virus Scan licenses for home use by faculty, staff, and students. This software can be downloaded at https://www.ttuhsc.edu/IT/security/mcafee/.
Any user accessing the TTUHSC network through an Internet connection (Satellite or cable Internet connections) must connect using a Virtual Private Network connection (VPN).
VPN accounts are available at no cost for current faculty, staff, and students of TTUHSC. VPN accounts can be requested at www.ITSolutions.ttuhsc.edu. An email response will usually be returned with account information and setup instructions within 1 business day.
When a VPN account holder (employee or student) leaves TTUHSC, the account will be disabled as soon as Information Technology is notified of the termination date. VPN accounts will be set to automatically expire 12 months from the date the account is created or renewed. At least one week before an account expires, an email will be sent to the account holder reminding him/her to renew the account. The renewal request can be filled out at www.ITSolutions.ttuhsc.edu.
Client Connection Setup
VPN services from connections outside the TTUHSC network are supported, provided that VPN services are in compliance with the Internet Service Provider's policies.
All Institutional security policies are applicable to remote access users. Security controls in place include appropriate authentication and Intrusion Prevention Services (IPS). Monitoring and auditing will be conducted on the remote access connections in the event of unusual network activity. Information Technology will disable a dial-up or VPN account, based on recommendations from the I.T. Security Team, if network activity from any remote access computer is disrupting computing services on the TTUHSC network.
TTUHSC Software Requirements
All systems connected to the TTUHSC network must have approved anti-virus software (I.T. Policy 1.4.22, Viruses and other Malicious Code) installed and operational before the system is connected to the network. This software must be configured to receive regular virus signature updates from the anti-virus servers administered by the TTUHSC Information Security Officer and his/her staff.
This policy describes the requirements and constraints for attaching a computer, system, or network devices, or videoconferencing system to the TTUHSC network. The intent of this policy is to ensure all connections to the TTUHSC network are maintained at appropriate levels of security and interoperability, while at the same time not impeding the ability of TTUHSC faculty, staff, and students to perform their work.
The Chief Information Officer (CIO) is the central authority for all network issues. The CIO may appoint and/or delegate management of certain aspects of network administration as deemed necessary.
TTUHSC regional campuses administer local area networks (LAN), under direction of the CIO and the Managing Director of Technology Services. Each regional campus or location must designate a Regional Site Coordinator (RSC) to serve as the administrator of all LANs at that campus. The RSC is the contact person for all connectivity issues between the regional campus LANs and the TTUHSC wide area network (WAN).
The Managing Director of Technology Services is the main point of contact with Facilities Planning and Construction and Physical Plant at all campuses for all new construction and major renovation projects involving computing systems. Minor renovations will be handled at the local level.
Wide Area Network Connectivity and Routing
All routers within the TTUHSC WAN will be selected, operated, and maintained by personnel designated by the CIO. Subnet IP routing on the TTUHSC WAN will be performed in accordance with delegated IP address space. Routing of private IP address space (as defined by the Internet Engineering Task Force Request For Comments document #1918 - Address Allocation For Private Internets) across the TTUHSC WAN must be approved by the CIO or their designee.
All internal TTUHSC computers are protected from outside network access by a firewall. All incoming network requests not known and defined are denied and are not passed through to the internal campus network. This section describes the procedures to allow special access through the firewall to employees and third parties/vendors in instances where certain services and /or applications are required to maintain workflow and provide services.
Approval for outside network access to TTUHSC computing resources will be based on the following criteria:
- The connection is required for TTUHSC business,
- The connection does not represent an unnecessary security risk to TTUHSC,
- The connection does not use an insecure protocol where a more secure alternative exists, and
- The connection does not involve unnecessary replication of functionality
When the connection has been approved by the CIO, firewall access will be granted when the following have been completed:
- The machine is properly registered with Information Technology by filling out the Special Firewall Access Request Form at http://www.ttuhsc.edu/it/forms/firewallreq.aspx and sending it to the I.T. Solutions Center.
- The target machine passes a vulnerability assessment performed by I.T. Security (ITS). This assessment consists of remotely scanning the target machine for common problems that could result in a security risk.
- The target machine has a reserved IP address.
Registration ensures that the target machine has an administrator known to Information Technology. The administrator will perform the necessary tasks to keep the system up to date and in a secure state, with the assistance from the Information Technology Security Group. Registration will be renewed once a year. Renewal notices will be sent via email by the ITS.
The ITS will perform routine security scans on machines registered for special access.
The firewall access form should be submitted through the web to firstname.lastname@example.org Depending on the request, it may take up to two business days for the request to be completed. If the request is considered urgent, and the two-day timeline is not sufficient, please state that the request is Urgent. Include in the email message the reasons why the request is time critical.
Request for changes to the firewall must come from the administrator of the target machine. Requests received from anyone else will be forwarded to the machine’s administrator for approval.
All requests will be sent to the Regional Site Coordinator (RSC) at the campus where the machine resides. Once the RSC has checked to make sure the machine has a reserved IP address, the request will be forwarded to the Information Technology Security Group for final approval by the Information Security Officer. Once approved, the Information Technology Security Group will make the necessary changes to the firewall. The RSC may require that network configuration of the destination computer be modified prior to approving access.
IP Address Allocation Standards And Procedure
All address delegation with the regional campuses and any supported LANs will be coordinated between the CIO or their designee and with the appropriate RSC. The RSC will be responsible for administration and registration of all IP addresses and sub-networks within the delegated address range(s), according to the standards and guidelines approved by the CIO. All hosts in the TTUHSC domain must obtain a valid IP address from the RSC. No host on the intranet should broadcast dynamic routing information except specially configured gateway or router devices.
To ensure efficient IP address utilization, TTUHSC will allocate their assigned IP addresses to reflect the requirements of each building location, wiring closet, or network service. This ensures compliance with the American Registry for Internet Numbers (ARIN) requirements for utilization of public IP address space.
For regional IP addressing strategy, RSC’s should refer to the IP Address Allocation Strategy.
Reserved IP Address Standards
Reserved IP addresses are available to the following hosts:
- Server systems that provide file sharing, printer sharing, or other application services to multiple client systems
- Printers with a direct network attachment
- Hosts with a directly attached printer, where print jobs will be accepted from client systems on the network
- Hosts providing services or resources to clients outside the TTUHSC network. Refer to the Firewall Access Standards for details on requesting this type of access.
All other hosts will use dynamic addresses, allocated by Dynamic Host Configuration Protocol (DHCP) services at each regional campus. Reserved address requests for hosts that do not correspond with the above list must be approved by the appropriate Regional Site Coordinator.
Refer to the Server Hardening Section for additional requirements that must be met before a server can be assigned a reserved IP address.
Reserved IP Address Allocation Procedures
All reserved IP addresses must be properly authorized and recorded before they are issued. The following outlines the procedure for requesting and allocating reserved IP addresses:
- Complete the Reserved IP Address Request form and send to the Regional Site Coordinators at the respective campuses.
- Upon receipt, the network technician creates a work order, and verifies the attached information is complete.
- Using the TTUHSC IP Address Management application, the host is assigned to the correct VLAN and subnet. The next available address is selected, and the information provided by the requestor is entered into the system.
- The assigned IP address, hostname, and hardware address are entered into the DHCP server(s).
- If requested, Domain Name Service/System (DNS) alias entries are entered into the DNS configuration file to translate domain names into numeric IP addresses.
- The assigned IP address is sent to the requestor via email.
- The technician updates and closes the work order.
Never share your password with anyone.
In accordance with Texas Administrative Code § 202.75, all TTUHSC computing systems shall require a login authentication process, whereby each user is identified and authenticated through their unique USER ID and/or account name. Access to the network and to applications is based on individual roles and determination of user access levels is the responsibility of the owners of the information or applications being accessed.
Texas Tech’s primary authentication is through an account management system known as eRaider, which allows users to access the information resources available at the Health Sciences Center. Passwords for eRaider accounts follow industry best practices and must meet the following requirements:
- 8 - 15 alphanumeric characters,
- Contain upper & lower case characters,
- Contain a number,
- NOT contain a number as the first or last character,
- NOT contain any word found in a dictionary, and
- May contain punctuation marks.
Passwords must be reset every 90 days.
System Identification/Logon Banner
Any TTUHSC computing system that prompts the user for a login should require an unauthorized access warning banner be displayed. The unauthorized access warning banner must inform the user of the restrictions imposed on the system before access is attempted, thereby giving the user the opportunity to avoid violating any access restrictions. The Unauthorized Access Warning Banner must be prominently displayed each time a user attempts to access a server system, network terminal, and/or a restricted/secured web site and/or web page, specifically before the user can begin the login authentication process.
The Unauthorized Access Warning Banner will be made part of the web site and/or web page preceding a restricted/secured web site and/or web page and must be displayed before a user enters the secured web site and/or web page. The user must also be made to acknowledge the warning either in the form of an icon or button stating “OK” or “I Accept” before they can proceed.
Unauthorized Access Warning Banner Text
The following is the text for the Unauthorized Access Warning Banner:
USE OF THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS ONLY AND SHALL BE USED IN ACCORDANCE WITH THE ACCEPTABLE USE POLICY. USERS HAVE NO EXPECTATION OF PRIVACY EXCEPT AS OTHERWISE PROVIDED BY APPLICABLE PRIVACY LAWS. THIS SYSTEM MAY BE SUBJECT TO MONITORING BY THE INFORMATION TECHNOLOGY DIVISION. UNAUTHORIZED ACCESS IS A VIOLATION OF APPLICABLE TTUHSC, STATE, AND FEDERAL LAWS AND REGULATIONS AND WILL BE SUBJECT TO CRIMINAL PROSECUTION.
Information resource assets consist of hardware, software, and information. Software and Hardware assets are to be controlled according to requirements of O.P. 63.10, Property Management. Appropriate disposal processes are in place by General Services. Departments are responsible for software and data files on computing devices and equipment before they are transferred or surplused unless the software license is transferable. In the event that the computing device contains any confidential information in electronic media, the department is responsible to ensure that all electric media is destroyed prior to being transferred or surplused.
TTUHSC has seen a significant increase in the use of the Portable Computing Devices (laptops, Personal Digital Assistant’s (PDA), smart phones, USB drives, and USB flash drives) at the Institution. This policy is intended to provide guidance for Portable Computing Device utilization.
Portable Computing Devices are inherently at risk for theft and security vulnerability. In cases where there is a justifiable business need or requirement for confidential information, such as patient information, confidential student information, grades, etc., to be stored or transferred to a Portable Computing Device appropriate security measures must be implemented as listed below.
- Confidential information shall not be stored, downloaded, or leave the Institution unless there is a need to access this information away from the Institution. Authorization will need to be obtained by each individual from the information owner. Information owner responsibilities, definition, and more information can be found in Policy 1.1, I.T. Resource Management and Responsibilities.
- Confidential information shall not be shared with others who do not have a job-related need for this information.
- Confidential information should not be copied to or stored on a portable computing device, removable media, or a non-state owned computing device that is not encrypted.
- The Portable Computing Device must be password protected using the security feature provided on the Portable Computing Device and there should be no sharing of the password.
- Removable media such as memory cards must not be used to store confidential information.
- A Desktop PC that is used for synching must have approved antiviral software installed, and require user log on.
- Whenever there is no longer a job related need to access or store this confidential information, it must be deleted.
Rights to personal privacy, while using Institutional I.T. resources, will be maintained in accordance with federal and state statutes. Furthermore, user activity may be monitored pursuant to Policy 1.4.16, Monitoring of I.T. Assets of this policy. For further information, please refer to the links in the Federal and State statutes section.
In addition, the safeguarding of certain financial information (including, but not limited to information used in connection with the awarding and issuance of student loans) that is covered by the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801, et seq., implemented by 16 CFR Part 314, will be governed by the TTUHSC Information Security Plan for Financial Information and TTUHSC OP 56.01 – Use of Information Technology Resources.
TTUHSC O.P. 56.04 states that anyone who has access to confidential information will take reasonable and necessary steps to maintain the confidentiality and privacy of such information.
As a key provider of services and technology in the healthcare industry, TTUHSC has implemented programs to address the transaction standards, and the privacy and security implications of the rules set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. More resources on HIPAA can be found at http://www.ttuhsc.edu/hipaa/.
As a public institution, all TTUHSC computers, videoconferencing systems, and network activity are subject to ongoing and unannounced security audits. The inappropriate use of the systems and/or networks that violate Institutional policies or local, state and federal laws (i.e., copyright violations, pornography) will be investigated and reported. The CIO or their designee will authorize these investigations and the appropriate authorities will be notified. The Information Technology Security Team will be responsible for conducting these audits as necessary.
TTUHSC has the right to disclose the contents of electronic files, as required by legal, audit, or legitimate State, Local, Federal and/or Institutional purposes.
TTUHSC will use the "New Employee Orientation" to initiate security and copyright awareness and educate new employees about TTUHSC I.T. policies. Annual Security Awareness Training will be required for all faculty and staff who access the TTUHSC network. The ISO will be responsible for assuring that the appropriate training is provided and utilized by all network users.
The Information Security Officer, in collaboration with the I.T. Security Council, will ensure additional security awareness will be provided through ongoing web announcements and other media formats.
A server cannot be connected to the TTUHSC network until it is in a TTUHSC I.T. approved secure state. Prior to connecting the server to the network, the following must be performed:
- Complete a Server Registration Form (http://www.ttuhsc.edu/it/forms/serverregistration.aspx)
- Install the operating system from an I.T. approved source which includes proper licenses,
- Receive a reserved IP address from the appropriate regional campus network administrator,
- Remove all unnecessary software, system services, and drivers,
- Set appropriate security parameters, file protections, and enable audit logging,
- Disable or change the password of default accounts, and
- Complete a Server Registration Form (http://www.ttuhsc.edu/it/forms/serverregistration.aspx) and submit it to email@example.com.
Before connecting to the network
- Install I.T. approved anti-virus software, and
Immediately after connection to the network, the following must be completed:
- Apply the latest vendor supplied patches, which have been tested for compatibility with the production environment.
Note: For more detailed information and procedures based on specific operating system, please refer to Guidelines For Operating Systems Security at http://www.ttuhsc.edu/it/policy/ossecurity.aspx.
All servers are required to be submitted to a vulnerability assessment performed by TTUHSC Information Technology Security group (ITS) prior to use.
In the event that a vulnerability or a combination of vulnerabilities are discovered that constitute an unacceptable level of risk as deemed by TTUHSC ITS, the server administrator is responsible for ensuring they are addressed. Any such risk must be addressed prior to production use. Further scanning may be required.
TTUHSC ITS will monitor security issues, both internal and external to TTUHSC, and will monitor the release of security patches on behalf of TTUHSC. After the server administrator is notified by the ITS, patches must be implemented within a specified timeframe determined by the security level of the patch, or the risk level of the vulnerability. ITS will routinely monitor to ensure the system(s) are in compliance. Failure to comply with these guidelines can result in the server(s) being removed from the network.
TTUHSC I.T. will perform due diligence in testing security patches before release when practical.
Installation of any software must have a justifiable business purpose and must be properly licensed. Standard recommended software can be found at www.ITSolutions.ttuhsc.edu/support.aspx. Software that is Institutionally-required (e.g., McAfee VirusScan) must not be removed. Each system should also be set to automatically receive Microsoft Updates. The CIO, or designee, reserves the right to remove any software on computers that poses a threat to TTUHSC computers or to the operation of the network.
The central Data Center at TTUHSC employs a three-tiered architecture that consists of separate testing, staging, and production servers that isolates the testing environment from production environment. All server or web-based applications residing in the central Data Center must be hosted in this type of environment to ensure separation of test and production code/data. PHI data and the services that manage that data must reside on servers located in the central data center with limited access and additional security controls. Within this section, applications are defined as programs, software, systems, or web pages that are available to and interact with multiple users. These applications and associated data usually have a medium to high risk associated with them, as defined in Policy 1.1, I.T. Resource Management and Responsibilities. (See also TAC 202.72)
Access to the production environment must be strictly controlled. Web development and quality assurance practices are described in Policy 9.4, Change Management, Procedures for Official TTUHSC Web Pages/Sites. The quality assurance process for developing, maintaining and changing applications at TTUHSC is described in this section.
Developing Applications/Systems/Web Pages
All applications/systems, acquisition, development, and maintenance will be required to undergo a security audit before being put into production and must follow Policy 9.5, Coding Standards, Security, and Audit Controls.
Migrating Applications/Systems/Web Pages From Test To Production
Within the Information Technology Division at all campuses, all developers must adhere to the following quality assurance procedures:
- All developers and the requesting department are required to thoroughly review and test the application/system/web pages in the testing environment prior to it being moved to production. In many cases, this will require the development of testing documentation that includes test cases and scenarios. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also be involved in the review and testing. This testing must be completed before the security code review can be conducted.
- All applications/systems/web pages are required to undergo a security code review by Information Services prior to production implementation. A work order for a code review should be submitted via STARS. IS staff will perform a security code review for the project prior to it being moved into production. When requesting a security code review, please allow for adequate time (24-72 hours). The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web pages be moved into production. The request to move to production will be approved by the Associate Vice President for Information Services or the Managing Director of Information Services. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
Designated personnel will migrate the application/system/web page and any applicable data sources from test into production using a documented process. This process should include:
- Implementation procedures and requirements, and
- Making and documenting any changes to IIS, access privileges, etc. necessary to the proper functioning of the application.
- For applications/systems/web pages residing in the central Data Center, Information Services Project Leaders migrate the code and Information Services DBA's migrate any applicable databases into production. The migration of code from the test environment to the production environment is handled by a process developed in-house called the HSC Application Publisher. The HSC Application Publisher is a program designed to control the publishing of applications to the production environment. The application allows users to publish new versions of applications from a specified share to the production environment while giving the user the ability to save a copy of the version they are replacing. The application also does not allow any user to publish to production unless their code has undergone an initial security code review.
- After it is moved into production, the developer and the requesting department are required to do a final review and test of the application/system/web page developed. Once this is completed, the requesting department and the application/data owner are also required to submit a final approval for the project to the developer.
Outside of the Information Technology Division at all campuses, all developers should adhere to the same quality assurance procedures listed above. However, all applications/systems/web pages are required to undergo a:
- Security code review by Information Services prior to production implementation. A work order for a code review must be submitted via STARS IS staff will perform a security code review for the project prior to it being moved into production. When requesting a security code review, please allow for adequate time (24-72 hours). The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
- Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web page be moved into production. The request to move to production will be approved by the Associate Vice President for Information Services or the Managing Director of Information Services. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
All applications/systems/web pages residing on servers outside of the central Data Center will be hosted using a three tiered architecture and must follow the below approval process. The Architecture must consist of separate testing, staging, and production servers that isolate the testing environment from production environment and utilizes the quality assurance procedures listed above for the Information Technology Division.
All coding will be consistent with the practices outlined in Policy 9.5, Information Services Coding Standards, Security, and Audit Controls.
Submitting A Project Request For Information Services Resources
A project request must be submitted to Information Services for:
- Any modification or enhancement to an existing web site, web application, or other system,
- The development of new web sites, web applications, or systems,
- The implementation or upgrading of database or storage systems,
- The implementation or upgrading of acquired software or systems,
- The development or modification of e-Commerce applications,
- Security reviews for developed or newly acquired web sites, applications, or systems. All requests for security reviews for new software, applications, or systems should be made at the beginning of the procurement process to allow sufficient time to conduct the security review before procurement, and
- An appropriate Project Management review to be completed.
All project requests are reviewed on a bi-weekly basis. The purpose of this review is to determine whether resources exist to accomplish the objectives of the request and to prioritize approved requests. Before any project can be scheduled and resources allocated, it must be approved by the Associate Vice President for Information Services or the Managing Director of Information Services and the applicable Campus I.T. Director prior to any allocation of resources.
Also, if a request is submitted and the request was not made by the application/data owner, then the application/data owner must approve the request prior to any work starting on the project.
Projects are requested by submitting a work order via STARS.
- Once a request is received, it is reviewed for both resource availability and Project Management needs. If the resources are available and the request is approved, it is assigned to an Information Services staff member(s).
The assigned staff member(s) will:
- Contact the requestor for additional information and further define the request,
- Gather the scope requirements of the request,
- Prepare the necessary project documentation
- Obtain agreement on the scope and requirements of the project and obtain sign-off to begin work,
- Begin work on the maintenance or application development project in the test environment,
- Work with the requestor so that the maintenance change or developed application can be reviewed and tested, and
- Make any changes or corrections discovered during the review and testing,
- Request a security code review and make any necessary adjustments
- Conduct a final round of review and testing,
- Obtain sign-off from the appropriate parties for production implementation,
- Wrap up the project.
Vendors’ physical access to the central Data Center will require the appropriate approval and authorization by the CIO or the Managing Director of Technology Services. Logs will be maintained on all vendor access to the central Data Center facilities and vendors must execute a Business Associate Agreement with the Institution prior to accessing the TTUHSC network to ensure that any confidential information intentionally or unintentionally accessed is properly protected. Vendor access is for a limited time only.
The purpose of this policy is:
- To establish procedures that define the responsibilities for reducing the threat of computer viruses to TTUHSC computers and networks
- To establish responsibility for overseeing computer virus prevention activities within TTUHSC, and to establish a reporting mechanism to ensure all appropriate personnel are contacted in case of a computer virus incident
- To promote awareness of the threat posed by computer viruses to TTUHSC students, faculty, staff, and to ensure that virus protection software and procedures are properly implemented and utilized on a regular basis
Due to the collaborative nature and sensitivity of the work performed at TTUHSC, all Institutional computers must have the institutionally provided antivirus software installed. Users’ continued access to the TTUHSC network is contingent on the installation of institutionally provided antivirus software on all TTUHSC-owned computers. This virus protection software must not be disabled, bypassed, or modified in any way.
TTUHSC expressly prohibits:
- Development of any form of computer virus with the intent to distribute through the TTUHSC network or beyond
- Intentional distribution of a virus, regardless of type (nuisance or destructive)
- Intentional creation of false alarms using hoax virus messages
Specific Responsibilities and Guidelines for Virus Prevention
Students, Faculty, and Staff should:
- Understand the risks associated with viruses and preventative measures that can be reasonably deployed.
- Be aware of and follow the procedures outlined in TTUHSC I.T. announcements (web page or email), which will be used to communicate warnings of potential computer virus threats.
- Treat nuisance viruses with the same urgency as destructive viruses. Write down the name of the virus, if provided by the virus detection software.
- Write down any recent unusual computer activities (for instance, unexpected disk access, error messages, or screen displays) and, if possible, include when these activities were first noticed.
- Contact the Information Technology Solutions Center when a computer virus is suspected and/or detected.
- Never boot directly from external devices or media until they have been scanned for viruses. By default, the Institutional antivirus program is configured to automatically scan all devices upon use. (This is completely done in the background without any visible disruption to the user.)
- Ensure files received from external sources are clean of viruses prior to use or distribution and never use or introduce non-licensed software on any TTUHSC computing device.
- Back up critical data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator or Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data.)
Computer Security Analyst (CSA) is responsible for:
- Isolating the infected computer(s) from the TTUHSC network as soon as possible. Reasonable attempts should be made to notify the primary user or the system administrator before disconnecting from the network. Depending on the nature of the virus, this may not be possible and the I.T. Solutions Center should be contacted prior to disconnecting a computer from the network. The Solutions Center will coordinate the ITS and networking to minimize any potential risks.
- Identifying and isolating the suspected virus or worm-related file and processes. Do not power off or reboot computers that may be infected. There are some viruses that will destroy disk data if the computer is power-cycled or rebooted. Also, rebooting a computer could destroy needed information or evidence.
- Attempt to halt and/or remove all suspicious processes from the computer. In the case of a worm attack, it may be necessary to keep the computer(s) isolated from the network until all TTUHSC computers have been inoculated and/or the other Internet sites have been cleaned and inoculated.
- Implement fixes and/or patches to inoculate the computer(s) against further attack.
- Notify the ITS prior to bringing the computers back into full operation mode. The users should also be notified the computers are returning to a fully operational state.
Information Technology Security (ITS)’s responsibilities include:
- Overseeing computer virus protection activities within TTUHSC which include the desktops and servers, Internet mail gateway, and Exchange Servers. This is done in coordination with the CSAs.
- Staying current with the latest virus exploits and maintaining attachment filtering lists through the mail servers.
- Evaluating, recommending, and maintaining virus protection software and/or tools for use on TTUHSC PCs, servers, and laptops.
- Coordinating any training on virus control required for CSAs and TTUHSC personnel in general.
- Investigating every report of an apparent computer virus infection, and making every reasonable effort to determine the source of the infection. The Information Security Officer will keep all affected personnel advised of the investigation.
- Monitoring compliance of virus protection policies.
The CSA and ITS are jointly responsible for:
- Verifying the existence and identifying the type of virus on the user system.
- Coordinating with the anti-virus vendor or other sources on disinfection methods.
- Documenting any recent unusual computer activities (for instance, unexpected disk access, error messages, or screen displays) and, if possible, including when these activities were first noticed.
- Ensuring that the appropriate data for the monthly Department of Information Resources virus report is received by the Information Security Officer no later than the second business day of each month.
Information Technology PC Support/System Support (all campuses) should take the following steps:
- Ensure that virus protection software is installed on every desktop, server, and laptop computer acquired by TTUHSC before they are made available for use by TTUHSC students, staff, or faculty,
- Ensure that the virus protection software has loaded a ‘terminate and stay resident’ (TSR) program or service/daemon to constantly monitor for viruses to prevent introduction to the network,
- Inform the ITS/CSA of new anti-virus installs. This procedure is to make sure the desktop, server, or laptop can communicate with the anti-virus management server to receive updates,
- Upon receipt of a notice of a possible virus, clarify the symptoms with the user,
- Verify if there is a virus and if so, report the incident to the ITS/CSA, and
- In the event the virus cannot be removed from the infected computer, the ITS/CSA will contact PC Support or System Support to rebuild the computer.
To ensure proper administration and security of the network, it is important for the development of wireless networking capabilities to be controlled and coordinated.
This document outlines the policies for the implementation of wireless networking technology at TTUHSC. See also Policy 1.4.14 - Portable Computing.
This policy applies to all wireless network devices connected to the TTUHSC network infrastructure, or wireless devices owned by TTUHSC, or operated in TTUHSC facilities.
All TTUHSC faculty, staff, and students should be aware that wireless network connections are inherently less secure than wired connections. State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data. Therefore, TTUHSC personnel are advised against using wireless technology to transmit this type of information.
Information Technology will extend the TTUHSC network to provide wireless service to any area based on the application need and demand and subject to the availability of resources. Wireless networks are not a replacement, but a supplement to the existing wired network.
The Chief Information Officer (CIO) or designee, in concurrence with the Regional Site Coordinator (RSC) at the respective campus, must approve the installation and use of wireless access points connected to the TTUHSC network.
These access points and wireless devices must have the manufacturer’s default SSID changed. These access points and devices will be audited and monitored on a regular basis. Information Technology reserves the right to remove any unauthorized or misconfigured wireless device from the network immediately without prior notice.
Wireless networks and services are subject to the same rules and policies that govern other electronic communications services at TTUHSC. (See Acceptable Use and Portable Computing). Disruption of authorized communications or unauthorized interception of wireless communication is a violation of policy.
TTUHSC will implement wireless equipment that follows the IEEE 802.11 standards. Wireless equipment standards will be reviewed and amended as wireless standards change, and as products are introduced that improve the security and reliability of the wireless network.
Access to the wireless network will be limited to individuals authorized to use the Institutional network and Internet resources. All wireless network users must authenticate his/her identity to an authentication server managed by Information Technology before access to the rest of the TTUHSC network is permitted. Anonymous users will not be allowed to access the wireless network.
- Develop, maintain, and update wireless communications policies and wireless networking standards.
- Approve standards for wireless network hardware and software used by TTUHSC.
- Approve, design, and install wireless network equipment for all TTUHSC locations.
- Inform wireless users of security and privacy policies and procedures related to the use of wireless communications.
- Monitor security of all wireless networks within the TTUHSC network to prevent unauthorized access to the TTUHSC network.
- Monitor the development of wireless network technology, evaluating wireless network technology enhancements and, as appropriate, incorporating new wireless network technology with the TTUHSC network infrastructure.
- Ensure departmental compliance with all applicable TTUHSC policies pertaining to the installation and use of the wireless network.
- Inform wireless users of security and privacy policies and procedures related to the use of wireless communications.
- Notify Information Technology when modifications to the network are needed.