TTUHSC IT Policies

1.4 Security Safeguards (TAC 202.75.7)

1.4.1 ACCEPTABLE USE

Conduct Yourself Responsibly

The use of TTUHSC I.T. resources may be temporarily or even permanently revoked at any time for abusive conduct. Such conduct includes placing unlawful information on a system, copyright violations, using abusive or otherwise objectionable language in either public or private messages, sending messages that are likely to result in the loss of recipients' work or systems, sending unauthorized "chain letters" or "broadcast" messages to lists or individuals, or any use that would cause congestion of the networks or otherwise interfere with the work of others.

Use of peer-to-peer programs on TTUHSC computers and/or network for downloading and/or uploading of illegal copies of copyrighted media is strictly prohibited. All students, faculty, and staff should remove these applications immediately from TTUHSC computers. Students, faculty, and staff who use their personally-owned computers to connect to the TTUHSC network must disable all peer-to-peer applications and services before connecting to the network. This includes direct connection or remote connection via PPP, VPN, or wireless accounts. Any computers using peer-to-peer applications on the TTUHSC network are subject to removal from the network until the application is removed or disabled.

Misuse of TTUHSC information resources is a violation of the policies contained herein and will result in disciplinary action in accordance with HSC OP’s 70.31 and 77.05 and the Student Affairs Handbook.

Computing Ethics And User Responsibilities

Information technology resources at TTUHSC are owned by the State of Texas and administered by the Information Technology Division. TTUHSC will provide access to appropriate central and campus I.T. resources, and to their attached networks to all members of the TTUHSC community. Users are responsible for managing their use of I.T. resources and are accountable for their actions relating to information technology security.

General Principles

Users must abide by the following list of standards that have been established:

Report any weaknesses in TTUHSC computer security, any incidents of possible misuse, or violation of these policies to the appropriate I.T. management.
Access only information that is your own, that is publicly available, or to which you have been given authorized access. Users may use only the I.T. resources they are authorized to use and only for the purposes specified when their accounts were issued or permission to use the resources was granted.
For security reasons, protect your USER ID, password, and system from unauthorized use. Users who share their access with another individual shall be responsible and will be held accountable for ALL usage of their accounts.
Use only legal versions of copyrighted software in compliance with vendor license requirements. Users shall not transport software provided by TTUHSC to another computer site without prior authorization from the departmental administrator. To do so constitutes theft.
DO NOT attempt to circumvent or subvert system, network, or resources of the Internet, destroy the integrity of computer-based information, or access controlled information and/or systems without authorization.
DO NOT install software/hardware for personal use on TTUHSC systems.
Sexually explicit material in any form is not allowed on TTUHSC systems. See Sexually Explicit Material section for more detailed guidelines.
Users must not unreasonably interfere with the fair use of I.T. resources by another. Examples of unreasonable interference include playing games, listening to or viewing streaming audio/video for recreation, intentionally misconfiguring or tampering with videoconferencing equipment, interfering with the scheduled use of a distance learning classroom by failing to promptly vacate the room at the end of a session, and intentionally running a program that attempts to violate the operational integrity of the TTUHSC network.
Users are prohibited from using the TTUHSC’s systems or networks for personal or commercial gain, such as, selling access to your USER ID or to TTUHSC systems or networks, performing work for profit with TTUHSC resources in a manner not authorized by the TTUHSC, marketing/advertising, and/or personal business transactions with commercial organizations.
TTUHSC systems are not to be used for partisan political purposes, such as using electronic mail to circulate advertising for political candidates or lobbying of public officials.
DO NOT use mail or messaging services to harass or intimidate another person, for example, by broadcasting unsolicited messages, or by repeatedly sending unwanted mail.

The above list is by no means exhaustive, but attempts to provide a framework for activities that fall into the category of unacceptable use.

Sexually Explicit Material

Users shall not view, retrieve, transmit, distribute, print, or save any electronic files that may be deemed sexually explicit on TTUHSC I.T. resources. This includes both visual and textual sexually explicit material as defined by Chapter 43 of the State of Texas Penal Code on Public Indecency. Exceptions are material used for scientific, medical, and/or educational purposes.

It is also illegal to use sexually explicit material to intimidate, persecute, or otherwise harass another individual. This is considered sexual harassment. For more detailed guidelines on sexual harassment, refer to HSC OP 70.14.

Do not open any emails which you believe to contain obscenity or pornography. If obscenity and/or pornography are received through email, there will be no disciplinary proceedings if the mail is deleted immediately. If the offending email originates from a TTU or TTUHSC email address, report the receipt of said material to the Assistant Vice President for Human Resources and/or the Associate Vice President for Technology Services immediately. Reporting of such a violation will be held in the strictest confidence.

1.4.2 ACCOUNT MANAGEMENT AND USER RESPONSIBILITIES

eRaider is an account management system which makes it possible for students, faculty, and staff to obtain and access electronic resources at Texas Tech using a single username and password. Your eRaider username and password are required to access many of these resources. An eRaider account is required to access the TTUHSC domain. New students, faculty, and staff receive an eRaider account upon coming to the Health Sciences Center. Questions regarding eRaider account information should be directed to the I.T. Help Desk at their respective campuses.

Authorization is based on the account type and departmental requirements for accessing additional resources. The table below lists the various TTUHSC user accounts and the rights that are associated with each account:

	Microsoft Campus Agreement	McAfee VirusScan	Bluesocket	TTUHSC.EDU Domain Account	TTUHSC Email	TTUHSC VPN	TTUHSC Dialup PPP	TTUHSC WiFi	TTUHSC Personal Web Page
TTUHSC Account Types
Graduate Student	X	X	X	X	X	X	X	X	X
Applied Student				X	X
Admitted Student				X	X	X	X	X	X
Student	X	X	X	X	X	X	X	X	X
Resident Physician	X	X	X	X	X	X	X	X	X
Faculty	X	X	X	X	X	X	X	X
Staff	X	X	X	X	X	X	X	X
Non-Salaried Employee			X	X		X	X	X
Retired [1]				X	X	X	X
PUBLIC Account Types
Ongoing Business Partner			X	X	X	X		X
Research Partner			X	X		X		X
General Public

[1]: Retirees retain services for the duration of their retirement but only have use of their email accounts for 6 months after retirement

1.4.3 ADMINISTRATOR/SPECIAL ACCESS

This policy provides a set of requirements for the regulation and use of administrator or special access on the TTUHSC systems. This policy will provide a mechanism for the addition and removal of people from special access in the Active Directory domain and a mechanism for periodic reviews of the administrator/special access database.

The Special Access Request form can be found at http://www.ttuhsc.edu/it/helpdesk.

Regulation of Special Access Accounts:

Special access on TTUHSC systems is maintained and monitored by both Data Center Operations and the Information Security Officer.
Passwords for special access accounts are changed on a regular basis as determined by Institutional policy.
Special access is only provided to individuals who need the access to perform their job.
Any misuse of special access privileges must be reported to the TTUHSC Information Security Officer when discovered.
Persons requesting special access must follow all procedures outlined in the Special Access Guidelines.
Persons who misuse their special access privilege can have special access revoked and may face Institutional disciplinary action (See Section 10 - Disciplinary Process.)
Special access is reviewed on a periodic basis as defined below.
All persons who currently (prior to the approval of this policy) have special access are required to submit a completed Special Access Request form and a signed Special Access Guidelines agreement.

Performing a Periodic Review of the Special Access Database

A review of special access will be made on an annual basis or as determined by the TTUHSC Information Security Officer. The review process will involve the following steps:

A report will be generated from Active Directory. The report will list: special access by system and access type; and access by person (i.e., for each person, all access given to that person is listed).
The reports will be distributed to the Information Security Officer, the Manager of the Data Center, and the manager of users given special access. Each person reviews the list (or appropriate part of) to determine if any changes should be made.
Should anyone determine that an individual needs to be added to other special access groups, that individual must submit a Special Access Request form requesting the additional access.
If there are any deletions to be made to the permissions, the Manager of the Data Center will make the appropriate changes.

Special Access Guidelines

This agreement outlines the use of special access on TTUHSC computers. Special access is defined as having domain access other than as a domain user. The TTUHSC environment is very complex and dynamic. Due to the number and variety of computers and peripherals, special access must be granted to numerous people so the TTUHSC facility can be properly supported. People with special access must develop the proper skill for using that access responsibly.

The Special Access Guidelines have been developed to help people to use their special access in a responsible and secure manner. All persons requesting special access must read and follow these guidelines.

General Guidelines

Be aware of the TTUHSC environment.
Always log on systems where you have an account as yourself. Any action done under a special access account should have an audit trail.
Use special access only if necessary.
Many system tasks require the use of root or other special access. However, there are many tasks that can be done without the use of special access. When at all possible use regular accounts for trouble-shooting and investigating.
Complete the appropriate Change Request processes specified in Section 1.4.5. Document all major actions and/or inform the appropriate people.
Documentation provides a method to analyze what happened. In the future, others may want to know what was done to correct a certain problem. The Lead System Analyst or Manager of the Data Center is to be informed BEFORE any changes are made to system specific or configuration files.
Have a backup plan in case something goes wrong. Special access, especially root or administrative access has a large potential for doing damage with just a few keystrokes. You must be able to restore the system to its state before the error occurred.
With the use of special access, situations arise that have never come up before. Although TTUHSC has many written procedures, they do not cover every circumstance possible. If any doubt exists about how you should proceed on a problem, ask for assistance.

Specific Considerations Regarding Special Access

Do not share special access passwords with anyone.
Do not write down the special access passwords or the current algorithm.
Do not routinely log onto a system for which you have an account, as “root” or any other special access account.
Do not read or send personal mail, play games, read the net news or edit personal files using a special access account.
Do not browse other user’s files, directories or email using a special access account.
Do not make a change on any system that is not directly related to your job duties. The TTUHSC System Administration Handbook states “The Lead System Analyst is responsible for approving all changes to the systems(s) of his/her responsibility. No changes are to be made to any system configuration file or executable file without prior approval of the Lead System Analyst and Manager of the Data Center.” Making a change AND then informing the Lead System Analyst is considered a violation of this guideline.
Do not use special access to create temporary files or directories for your own personal use.

1.4.4 BACKUP/RECOVERY

Shared resources of Institutional servers are the primary method of protecting Institutional data. Customers should save Institutional data utilizing these shared resources. Institutional shared resources are limited in physical size so, personal data should not be saved on those resources.

Institutional server backup schedules are defined in the Data Center Backup Scheduling Procedure. Generally, Institutional servers are backed up on a scheduled basis as listed.

Nightly - Incremental backups will be performed to be retained until the next full backup is performed.

Weekly - Full data backups will be performed to be retained for five weeks.

Monthly - Full data backups will be performed to be retained one year from the date of the backup.

Annual - Full data backup will be performed to be retained for five years.

Per disaster recovery best practices, backup tapes are stored off-site. The details of the off-site storage are outlined in the I.T. Division Disaster Recovery Plan, Section 50.41 - Backup Services and Procedures.

Desktop Backups

Personnel should submit, in writing, to the Managing Director of Network, Security, and Systems any requests to backup desktop computers. This request must detail the following:

Specific need for the backup,
Value of the data,
Security and or encryption requirements for the data,
Demonstrate proof of data integrity (i.e. assurance the data is free from viruses and other security hazards to data),
Reason why the data is not stored on an Institutional shared resource,
Identify the specific path to the directories where the data is stored separately from the program files and operating system files,
Define the time period to retain the backup, and
Specific needs or requirement for repetition of the backup.

Approved desktop computer backups will be performed on data directories only. The Schedule and Procedure for approved backups will follow these steps.

Customers with approved desktop computer backups will copy the data to an Institutional shared resource (to be identified on the approval document) on Saturday mornings at 4:00 a.m.
This Institutional shared resource will be backed up to tape on Sunday evenings at 11:59:59 p.m.

Data Restoration

Data may be restored to any resource provided the backup is within the storage timeframe as defined above. Restoration of data may be requested through the I.T. Helpdesk workorder process.

1.4.5 CHANGE MANAGEMENT

Change Definition

The following change management protocols apply to the Institutional IT units as well as the regional campuses’ IT departments. The IT Division highly recommends that all departments adopt these industry best practices related to IT change management in their respective areas. A change is defined as a modification to the hardware, software, and documentation managed by Information Technology that has a reasonable possibility of impacting normal operations of those resources. Items that are considered changes include, but are not limited to:

Installation or upgrades of server, networking, or security hardware or software, including patches and interim fixes,
Modification of hardware or software that affects the operation of desktop computers connected to the TTUHSC network,
Modification of server, network, or security settings that affect access to I.T. resources, and
Modification or enhancements to the physical environment that supports I.T. resources.

Specific tasks that should not be considered changes include:

Creation of new file shares, or modification to permissions of existing shares,
Installation, activation, or removal of network cable drops, or
Creation, modification, or deletion of accounts and mailboxes.

Change Categories

Changes will be classified into three categories:

Category 1 - This category includes changes to resources that provide service to a large number of internal or external I.T. customers, or customers at multiple regional locations.
Category 2 - This category includes changes to resources that provide service to a moderate number of I.T. customers within a specific location.
Category 3 - This category includes changes for a single department or smaller group of users at a specific location.

Procedures

All changes must be documented, and submitted for approval prior to implementation. The following defines the procedure for documentation and approval.

Documentation

The technician implementing the change must fill out the Change Management Request Form (http://www2.ttuhsc.edu/IT/ChangeRequest) to obtain approval. The following information must be provided on this form:

Submission date - Date the change form is submitted for approval,
Change date and time - Proposed date and time the change will be performed,
Change duration - Estimated length of time for the change to be completed,
Control Number - Change Identification number which uses the date of the request and a sequential number for multiple requests originated on the same date starting with 001 in the following format: YYYYMMDD-NNN,
Change category - See prior section for definition,
Change Purpose - Fifty character summary of the Change Description,
Change description - Explanation of the change,
Impact description - Campus and departments or groups of customers that will be affected by the change,
Test procedure - Description of the testing performed for the change, if applicable,
Back-out procedure - Procedure for backing out the change if the implementation is not successful, and
Back-out duration - Estimated time to back out the change.

The technician’s manager will record the change request in a common Change Request Log maintained by the Managing Director of Network, Security, and Systems.

Processing

After the technician completes the Change Approval Form, he/she will submit the form to their supervisor or manager for review. The manager will ensure accuracy and form completeness. The managers will meet with the Managing Director of Network, Security, and Systems once per week to review and document recommendations. Change forms must be submitted to the supervisor or manager a minimum of one full business day prior to the review date.

If the Managing Director is unavailable for the weekly meeting, the managers will meet to discuss and make recommendations for the change requests. The Managing Director must be notified of all category 1 and 2 changes before implementation.

All changes must be forwarded to the Associate Vice President of Technology Services or his designee for final disposition of the request.

Category 1 and 2 changes can be implemented no sooner than two full business days after approval. Category 3 changes can be implemented immediately after approval, according to the change date and time on the approval form.

Announcement messages must be distributed prior to all category 1 and 2 changes. The supervisor or manager should prepare this announcement prior to the change review meeting. The Managing Director will be responsible for posting the announcement.

Changes that are backed out during or immediately after implementation must be resubmitted for approval.

Emergency Changes

Occasionally, it may be necessary to implement changes before the next weekly change approval meeting. These changes will be designated as emergency changes, and will be documented as a category E1, E2, or E3.

All of the above documentation and approval procedures still apply for emergency changes, except these changes can be immediately submitted to the supervisor, and subsequently the Associate VP of Technology Services, for approval and implementation.

Emergency change requests should only be submitted when I.T. operations or security will be negatively impacted or compromised if the change is not implemented immediately.

1.4.6 EMAIL

All Institutional email services will be delivered using the Microsoft Exchange platform. The email client is Microsoft Outlook or the web-based Outlook Access. Information Technology will forward non-standard legacy emails to the respective Exchange mailboxes until April 30, 2003. Request to extend the forwarding must be submitted in writing to the CIO.

School and/or Department Administrators are primarily responsible for setting up network services, including requesting an email account and USER ID, for all new students, faculty, and staff of the TTUHSC. This can be completed online at http://www.ttuhsc.edu/it/helpdesk/forms/userid.aspx.

The volume of unsolicited bulk email (SPAM) that is received negatively impacts the Institution's infrastructure and productivity. Therefore, the Institution has deployed infrastructure to reject most SPAM emails before they are processed by our email servers. Additional infrastructure has also been deployed for students, faculty, and staff to use on their personal computers. For assistance or more information on strategies to manage SPAM/Junk Email, please contact the I.T. Help Desk or go to http://www.ttuhsc.edu/it/helpdesk/anti-spam.aspx.

Email Naming Convention

The approved email-addressing format uses the firstname.last/surname@ttuhsc.edu naming convention (e.g. john.doe@ttuhsc.edu). This will be the official TTUHSC email address format for all students, faculty, and staff. For further information, see the Department of Information Resources’ Standards Review and Recommendation Publication 10.

The naming convention for people who share the same name is slightly different. If a name already exists in the email database, a variation will be used, such as firstname.middleinitial.last/surname@ttuhsc.edu format (e.g., john.s.doe@ttuhsc.edu).

The CIO or their designee is the central authority for username and email address assignments for all campuses. Any disputes over usernames and/or email addresses should be referred to the CIO or their designee for resolution.

Users wanting to verify their email address can call the following numbers:

Lubbock Information Technology Help Desk - (806) 743-2875

Amarillo Information Technology Help Desk - (806) 354-5404

El Paso Information Technology Help Desk - (915) 545-6800

Odessa Information Technology Help Desk - (915) 335-5108

To ensure Institution business is not disrupted, all business cards, stationery, and any other correspondence material must reflect the new email address format, including contact information on web sites. All students, faculty, and staff should only use their official TTUHSC email address to facilitate the dissemination of information as well as promote and sustain the lines of communication.

Because email addresses are printed on official stationery, business cards, or any other correspondence material, all print jobs and/or official publications must follow the Publication Guidelines as established by the Office of News and Publications. Refer to HSC OP 67.01 (Publication Guidelines) for detailed guidelines on printing standards.

Implementation And Compliance Procedure

All TTUHSC students, faculty, and staff will be issued an official TTUHSC email account with the firstname.last/surname@ttuhsc.edu naming convention format. This email address will be the only email address used for all official communications between the Institution and students, faculty, and staff. Emails will not be redirected or forwarded to another, non-TTUHSC account.

Email Confidentiality Clause

In order to preserve the confidentiality of privileged and/or sensitive information, email correspondences shall not contain patient records, Social Security numbers, student information, or any personal and/or confidential information. Correspondences containing vital Institutional information shall include the following disclaimer at the end of the email:

Confidentiality Notice: This message, including any attachments, is for the sole use of the intended recipient(s) and may contain confidential and privileged information. Any unauthorized review, use, disclosure, or distribution is strictly prohibited. If you are not the intended recipient, please contact the sender by reply e-mail and destroy all copies of the original message.

Alumni and Retiree Email Accounts

Official TTUHSC email accounts are only issued to current TTUHSC students, faculty, and staff. To aid in their transition, graduating students and retiring faculty and staff will be allowed to continue using their TTUHSC email accounts for up to 6 months after their departure from the Institution. After which, their email accounts will be deleted.

All retiree accounts issued prior to June 1, 2003 will be grandfathered under this policy. However, no permanent retiree accounts will be issued after June 1, 2003. Students, faculty, and staff (other than graduates and/or retirees) who leave the Institution in good standing can request their emails be forwarded to a personal account for a maximum of 6 months. This request should be submitted to the Information Technology Division at their respective campuses.

Graduating students and retiring faculty and staff who would like continued email services are strongly encouraged to register themselves on the Texas Tech Alumni Association web site in order to sign up for the free email service through the Alumni Association. Users needing help registering on the site should call the Alumni Association at (806) 742-3641 or email christine.canales@ttu.edu.

1.4.7 INCIDENT MANAGEMENT

The following describes the requirements for managing security incidents. Security incidents include, but are not limited to detection of viruses, worms, and Trojan horses, unauthorized use of computer accounts and computer systems, as well as complaints of improper use of information resources as outlined in the Acceptable Use Policy.

Responsibilities

TTUHSC Information Technology Security (ITS) group, in coordination with the Computer Incidence Response Team (CIRT) members is responsible for the following:

developing and preserving the procedures for handling incidents,
defining and classifying incidents,
determining the tools and technology utilized in intrusion detection,
determining if an incident should be investigated and the scope of such an investigation (i.e. law enforcement agencies, forensic work),
securing the network,
conducting follow-up reviews,
insure the proper reporting is conducted, and
promoting awareness throughout the organization.

Standard/Procedure

TTUHSC CIRT members may be required to perform duties related to the incident that take precedence over normal duties.
The Information Security Officer is responsible for:
1. initiating incident management action, including notifying the appropriate personnel.
2. determining the physical and electronic evidence to be gathered as part of the incident investigation.
3. determining if a widespread TTUHSC conference call is required, the content of the conference call, and how best to contact CIRT members
4. initiating, completing, and documenting the incident investigation with assistance from the CIRT
5. coordinating communications with outside organizations and law enforcement.
6. reporting the incident to the:
  - CIO or their designee
  - Associate VP of Technology Services
  - Information Technology Security Council
  - Managing Director of Network, Security, and Systems
  - State of Texas Department of Information Resources
For an explanation of severity levels and reporting order, go to http://www.ttuhsc.edu/it/policy/documents/SecurityReporting.pdf.
The appropriate technical resources from the CIRT are responsible for:
1. ensuring that any damage from a security incident is repaired or mitigated, and that the vulnerability is eliminated or minimized where possible.
2. communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.
In the case where law enforcement is not involved, the Information Security Officer will provide the appropriate information to the Associate VP of Technology Services, who will notify TTUHSC Human Resources as appropriate.
In the case where law enforcement is involved, the CIO is responsible for reporting the incident to Federal, State, or local law officials as required by applicable statures and/or regulations as well as act as the liaison between law enforcement and TTUHSC.

Guidelines For Handling A Computer System Incident

Don't panic. Call the I.T. Help Desk. The Help Desk staff will guide you through the next steps to take, which includes the following:

Assessment. Do not immediately shut down the machine, as you may lose important information. If the machine is being used to attack others, or if the attacker is actively using or damaging the machine, you may need to disconnect it from the network. If this does not appear to be the case, leave the system intact for the moment.
System scan. Work with the I.T. Help Desk and run an emergency system security scan. This information will help you assess the damage. (The machine must be up and on the network in order to run a scan.)
Gathering all relevant information. This may include, but is not limited to, system logs, directory listings, electronic mail files, screen prints of error messages, and database activity logs.
Take notes. Record all relevant information, including things you observed, actions you took, dates and times, etc. It is best to log your activities as they occur.
Changing account passwords. All system accounts that were involved with the incident may require new passwords as determined by the Information Security Officer. Never share your password with anyone. Choose a password in accordance with the password requirements and change it every ninety (90) days.
ITS will determine the correct course of action. The decision may be to "clean up" and move on. It is also an option to attempt to catch the culprit. The appropriateness of each course of action varies with the severity of the incident (amount of damage, legal implications, cost of recovery, etc).

Other Steps A Systems Administrator May Take

Change the status of accounts, if necessary. In the event that a system administrator detects a problem with a system, or questionable user activity on a system, a quick way to stop the unwanted activity is to "close" an account, by restricting logins to it. This results in the account owner having to contact an administrator in order to remove the login restriction. This is not deleting the account, but is merely making the account temporarily unusable.
Stop rogue service(s), if necessary. In the event that a system compromise or denial-of-service attack is underway, and you are unable to stop or kill the service(s), you may need to disconnect the machine from the network. Examples of this type of attack is a “ping sweep” which occurs when one machine on the network sends other machines Internet Control Messages Protocol (ICMP) requests until the network exceeds capacity causing degradation and/or traffic being blocked.
Review your backup policies. If you believe your data and/or operating system has been compromised, you must ensure that a backup is available for restoration. If your next backup could overwrite an undamaged backup, take immediate steps to prevent that occurrence. If your disaster recovery policy includes multiple levels of backup, and you are uncertain how long the system has been compromised, you must determine which backup version to restore to. Until that time, do not allow any backups to be overwritten. It is recommended that users regularly back up important data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator for Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data.)

If you have questions about incident procedures, contact its@ttuhsc.edu.

1.4.8 INTERNET AND INTRANET CONNECTIVITY

The CIO is responsible for providing Internet connectivity for the TTUHSC network. Regional campus LANs, or any other supported or non-supported LAN connected to the TTUHSC network, may not connect to any other Internet service provider without written approval of the TTUHSC Associate Vice President of Technology Services.

The CIO or their designee must authorize all network connections between the TTUHSC network and external government agencies or affiliated teaching hospitals. These connections will be controlled and monitored by a firewall or other security device under the administrative control of the Managing Director of Network, Security, and Systems and his/her staff.

Access to the Internet and intranet are for Institutional purposes. Please refer to the Acceptable Use section for additional information (1.4.1).

1.4.9 INTRUSION DETECTION

At TTUHSC, several systems are used to monitor, detect, and log intrusion attempts via the IP network. These systems include a Network Behavior and Anomaly Detection System, Intrusion Prevention Systems, firewalls, email antivirus protection for Exchange servers, and antivirus software for client computers.

The Information Technology Security Group shall monitor and audit intrusion detection logs as part of their daily job functions. Intrusion detection logs are maintained for a minimum period of two weeks. Anomalies will be investigated and appropriate measures will be taken in the event of an actual threat in accordance with the incident management procedures outlined in Section 1.4.7. Compliance with this policy is the responsibility of the Managing Director of Network, Security, and Systems.

Antivirus software provide for the blocking of virus, worm and Trojan horse programs on our email servers as well as the other computers on our network. These programs are used to block communications on various troublesome ports and block the sending of attachment types with potentially malicious content.

1.4.10 NETWORK ACCESS

Local Area Networks

Supported LANs are those designed, installed, and operated by the RSC and his/her support staff at each regional campus. Devices such as computers, printers, scanners, storage devices and arrays, and video-conferencing systems may be connected to a network outlet within a supported LAN with the approval of the campus RSC.

The following may not be connected to an outlet within the TTUHSC network without prior written authorization of the CIO or their designee:

Proxy servers and firewalls
Systems or devices providing Virtual Private Networking (VPN) capability to the Internet
Wireless access points or other wireless networking equipment (Refer to Wireless Access)
Hubs/switches/routers/bridges.
Systems or devices containing a network adapter operating in promiscuous mode where a node on a network accepts all packets, regardless of their destination address
Systems performing Network Address Translation (NAT)
Systems operating Domain Naming System (DNS), Windows Internet Naming System (WINS), or Dynamic Host Configuration Protocol (DHCP) services.

Modem Connections

The connection of a device to the TTUHSC network that is accessible directly from the Internet, without going through the TTUHSC firewall or an I.T. managed modem pool, is a security risk. Typically, this is a modem device connected to a desktop computer or server on the TTUHSC network which is set to automatically answer incoming calls for connections to outside systems. All such connections must be approved by the CIO or their designee, and routed through a modem pool or network device which utilizes an I.T. approved authentication security system.

Third Party Access

Remote Access Policy and Procedures

Remote access to the TTUHSC network provides users with the convenience of accessing the Internet, their office computer, or information on network file shares to which they have access. Along with this convenience, comes the need for appropriate security controls to ensure that data transmitted is secure. Additionally, the network must be protected from illicit use; and to ensure that viruses, malware, and other malicious code are not allowed to propagate across the network.

Scope

This policy applies to all remote devices connected to the TTUHSC network infrastructure through Internet access or direct dialup connections.

Policy

State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data. Therefore, TTUHSC personnel must use a secure mechanism for accessing the TTUHSC network infrastructure remotely. Additional information on remote access can be found at http://www.ttuhsc.edu/IT/helpDesk/.

All users who connect remotely to the TTUHSC network must install an anti-virus software on each computer. This anti-virus software must be updated regularly with new anti-virus signatures. TTUHSC provides free McAfee Virus Scan licenses for home use by faculty, staff, and students. This software can be downloaded at https://www.ttuhsc.edu/IT/security/mcafee/.

VPN

Any user accessing the TTUHSC network through an Internet connection (dial-up, DSL, Satellite or cable Internet connections) must connect using a Virtual Private Network connection (VPN).

Account Administration

VPN accounts are available at no cost for current faculty, staff, and students of TTUHSC. VPN accounts can be requested at http://www.ttuhsc.edu/IT/helpdesk/. An email response will usually be returned with account information and setup instructions within 1 business day.

When a VPN account holder (employee or student) leaves TTUHSC, the account will be disabled as soon as Information Technology is notified of the termination date. VPN accounts will be set to automatically expire 12 months from the date the account is created or renewed. At least one week before an account expires, an email will be sent to the account holder reminding him/her to renew the account. The renewal request can be filled out at http://www.ttuhsc.edu/IT/helpdesk/.

Client Connection Setup

VPN services from dial-up (PPP) and broadband (DSL, cable) connections outside the TTUHSC network are supported, provided that VPN services are in compliance with the Internet Service Provider's policies.

Institutional Dial-Up Service

Students, faculty, and staff can connect to the TTUHSC network and the Internet from home using a dial-up connection via a telephone modem. Dial-up (PPP) accounts are available in Amarillo, El Paso, Lubbock and Odessa.

Security

All Institutional security policies are applicable to remote access users. Security controls in place include appropriate authentication and Intrusion Prevention Services (IPS). Monitoring and auditing will be conducted on the remote access connections in the event of unusual network activity. Information Technology will disable a dial-up or VPN account, based on recommendations from the I.T. Security Team, if network activity from any remote access computer is disrupting computing services on the TTUHSC network.

TTUHSC Software Requirements

All systems connected to the TTUHSC network must have approved anti-virus software installed and operational before the system is connected to the network. This software must be configured to receive regular virus signature updates from the anti-virus servers administered by the TTUHSC Information Security Officer and his/her staff.

1.4.11 NETWORK CONFIGURATION

The TTUHSC network architecture is based on industry best practices for perimeter protection. There is an external router that receives all incoming traffic from the internet and other external data sources. Incoming traffic is then routed through a firewall which restricts unauthorized access to or from our internal network. The next component for security is an Intrusion Prevention Device (IPS) that blocks viruses, malicious code, and other known exploits. The IPS is also utilized to block peer-to-peer traffic to reduce the risk of copyright violations. External and internal traffic are then routed through an internal router. Through the use of virtual local area networks (VLANs), routers, firewalls and IPS devices public Internet traffic and the Institution’s internal network traffic are separated by a neutral zone know as a Demilitarized Zone (DMZ).

Additional protection is provided internally to the Institutional server farm by utilizing a secondary IPS device. Threats from Institutional dial-up users connecting to the HSC network are mitigated with the use of secure authentication and IPS protection. Institutional users accessing the network from remote locations via the Internet are required to utilize a Virtual Private Network connection which creates a secure encrypted tunnel between their computer and the Institutional network. Additional security within the internal network is provided by segmenting functionally similar areas through the use of VLANs. Wireless users are required to authenticate and establish a secure tunnel prior to connecting to the Institutional network. Local users are required to authenticate to the network operation systems (Active Directory) before connecting to their computer.

This policy describes the requirements and constraints for attaching a computer, system, or network, or videoconferencing system to the TTUHSC network. The intent of this policy is to ensure all connections to the TTUHSC network are maintained at appropriate levels of security and interoperability, while at the same time not impeding the ability of TTUHSC faculty, staff, and students to perform their work.

Responsibilities

The Chief Information Officer (CIO) is the central authority for all network issues. The CIO may appoint and/or delegate management of certain aspects of network administration as deemed necessary.

TTUHSC regional campuses operate and maintain physical local area networks (LAN), with strategic oversight and operational direction from the CIO or their designee. Each regional campus or location must designate a Regional Site Coordinator (RSC) to serve as the administrator of all LANs at that campus. The RSC is the contact person for all connectivity issues between the regional campus LANs and the TTUHSC wide area network (WAN).

The Managing Director of Network, Security, and Systems is the main point of contact with Facilities Planning and Construction and Physical Plant at all campuses for all new construction and major renovation projects involving computing systems. Minor renovations will be handled at the local level.

Wide Area Network Connectivity and Routing

All routers within the TTUHSC WAN will be selected, operated, and maintained by personnel designated by the CIO. Subnet IP routing on the TTUHSC WAN will be performed in accordance with delegated IP address space. Routing of private IP address space (as defined by the Internet Engineering Task Force Request For Comments document #1918 - Address Allocation For Private Internets) across the TTUHSC WAN must be approved by the CIO or their designee.

Firewall Access Standard

All internal TTUHSC computers are protected from outside network access by a firewall. All incoming network requests not known and defined are denied and are not passed through to the internal campus network. This section describes the procedures to allow special access through the firewall to employees and third parties/vendors in instances where certain services and /or applications are required to maintain workflow and provide services.

Standard

Approval for outside network access to TTUHSC computing resources will be based on the following criteria:

The connection is required for TTUHSC business,
The connection does not represent an unnecessary security risk to TTUHSC,
The connection does not use an insecure protocol where a more secure alternative exists, and
The connection does not involve unnecessary replication of functionality

When the connection has been approved in principal, firewall access will be granted when the following have been completed:

The machine is properly registered with Information Technology by filling out the Special Firewall Access Request Form at http://www.ttuhsc.edu/it/forms/firewallreq.aspx and sending it to the ITS.
The target machine passes a vulnerability assessment performed by the ITS. This assessment consists of remotely scanning the target machine for common problems that could result in a security risk.
The target machine has a reserved IP address.

Registration ensures that the target machine has an administrator known to Information Technology. The administrator will perform the necessary tasks to keep the system up to date and in a secure state, with the assistance from the Information Technology Security Group. Registration will be renewed once a year. Renewal notices will be sent via email by the ITS.

The ITS will perform routine security scans on machines registered for special access.

Procedures

The firewall access form should be submitted through the web to its@ttuhsc.edu. Depending on the request, it may take up to two business days for the request to be completed. If the request is considered urgent, and the two-day timeline is not sufficient, please state that the request is Urgent. Include in the email message the reasons why the request is time critical.

Request for changes to the firewall must come from the administrator of the target machine. Requests received from anyone else will be forwarded to the machine’s administrator for approval.

All requests will be sent to the Regional Site Coordinator (RSC) at the campus where the machine resides. Once the RSC has checked to make sure the machine has a reserved IP address, the request will be forwarded to the Information Technology Security Group for final approval by the Information Security Officer. Once approved, the Information Technology Security Group will make the necessary changes to the firewall. The RSC may require that network configuration of the destination computer be modified prior to approving access.

IP Address Allocation Standards And Procedure

IP Addressing

All address delegation with the regional campuses and any supported LANs will be coordinated between the CIO or their designee and with the appropriate RSC. The RSC will be responsible for administration and registration of all IP addresses and sub-networks within the delegated address range(s), according to the standards and guidelines approved by the CIO. All hosts in the TTUHSC domain must obtain a valid IP address from the RSC. No host on the intranet should broadcast dynamic routing information except specially configured gateway or router devices.

To ensure efficient IP address utilization, TTUHSC will allocate their assigned IP addresses to reflect the requirements of each building location, wiring closet, or network service. This ensures compliance with the American Registry for Internet Numbers (ARIN) requirements for utilization of public IP address space.

For regional IP addressing strategy, RSC’s should refer to the IP Address Allocation Strategy.

Reserved IP Address Standards

Reserved IP addresses are available to the following hosts:

Server systems that provide file sharing, printer sharing, or other application services to multiple client systems
Printers with a direct network attachment
Hosts with a directly attached printer, where print jobs will be accepted from client systems on the network
Hosts providing services or resources to clients outside the TTUHSC network. Refer to the Firewall Access Standards for details on requesting this type of access.

All other hosts will use dynamic addresses, allocated by Dynamic Host Configuration Protocol (DHCP) services at each regional campus. Reserved address requests for hosts that do not correspond with the above list must be approved by the appropriate Regional Site Coordinator.

Refer to the Server Hardening Section for additional requirements that must be met before a server can be assigned a reserved IP address.

Reserved IP Address Allocation Procedures

All reserved IP addresses must be properly authorized and recorded before they are issued. The following outlines the procedure for requesting and allocating reserved IP addresses:

Complete the Reserved IP Address Request form and send to the Regional Site Coordinators at the respective campuses.
Upon receipt, the network technician creates a work order, and verifies the attached information is complete.
Using the TTUHSC IP Address Management application, the host is assigned to the correct VLAN and subnet. The next available address is selected, and the information provided by the requestor is entered into the system.
The assigned IP address, hostname, and hardware address are entered into the DHCP server(s).
If requested, Domain Name Service/System (DNS) alias entries are entered into the DNS configuration file to translate domain names into numeric IP addresses.
The assigned IP address is sent to the requestor via email.
The technician updates and closes the work order.

1.4.12 PASSWORD/AUTHENTICATION

In accordance with Texas Administrative Code § 202.75, all TTUHSC computing systems shall require a login authentication process, whereby each user is identified and authenticated through their unique USER ID and/or account name. Access to the network and to applications is based on individual roles and determination of user access levels is the responsibility of the owners of the information or applications being accessed.

Texas Tech’s primary authentication is through an account management system known as eRaider, which allows users to access the information resources available at the Health Sciences Center. Passwords for eRaider accounts follow industry best practices and must meet the following requirements:

8 - 15 alphanumeric characters,
Contain upper & lower case characters,
Contain a number,
NOT contain a number as the first or last character,
NOT contain any word found in a dictionary, and
May contain punctuation marks.

Passwords must be reset every 90 days.

System Identification/Logon Banner

Any TTUHSC computing system that prompts the user for a login should require an unauthorized access warning banner be displayed. The warning banner must inform the user of the restrictions imposed on the system before access is attempted, thereby giving the user the opportunity to avoid violating any access restrictions. The Unauthorized Access Warning Banner must be prominently displayed each time a user attempts to access a server system, network terminal, and/or a restricted/secured web site and/or web page, specifically before the user can begin the login authentication process.

The Unauthorized Access Warning Banner will be made part of the web site and/or web page preceding a restricted/secured web site and/or web page and must be displayed before a user enters the secured web site and/or web page. The user must also be made to acknowledge the warning either in the form of an icon or button stating “OK” or “I Accept” before they can proceed.

Unauthorized Access Warning Banner Text

The following is the text for the Unauthorized Access Warning Banner:

WARNING!

USE OF THIS SYSTEM IS RESTRICTED TO AUTHORIZED USERS ONLY AND SHALL BE USED IN ACCORDANCE WITH THE ACCEPTABLE USE POLICY. THIS SYSTEM MAY BE SUBJECT TO MONITORING BY THE INFORMATION TECHNOLOGY DIVISION. UNAUTHORIZED ACCESS IS A VIOLATION OF APPLICABLE TTUHSC, STATE, AND FEDERAL LAWS AND REGULATIONS AND WILL BE SUBJECT TO CRIMINAL PROSECUTION.

1.4.13 ASSET MANAGEMENT

Information resource assets consist of hardware, software, and information. Software and Hardware assets are to be controlled according to requirements of O.P. 63.10, Property Management. Appropriate disposal processes are in place by General Services. All digital media being surplused is destroyed either by erasing the media or physically destroying the media. General Services is responsible for maintaining records of surplused and/or destroyed information resource assets.

1.4.14 PORTABLE COMPUTING

TTUHSC has seen a significant increase in the use of the Portable Computing Devices (laptops, Personal Digital Assistant’s (PDA), smart phones, USB drives, and USB flash drives) at the Institution. This policy is intended to provide guidance for Portable Computing Device utilization.

Security Guidelines

Portable Computing Devices are inherently at risk for theft and security vulnerability. In cases where there is a justifiable business need or requirement for confidential information, such as patient information, confidential student information, grades, etc., to be stored or transferred to a Portable Computing Device appropriate security measures must be implemented as listed below.

Security Policy

Confidential information shall not be stored, downloaded, or leave the Institution unless there is a need to access this information away from the Institution. Authorization will need to be provided by the information owner.
Confidential information shall not be shared with others who do not have a job-related need for this information.
Confidential information must be encrypted.
The Portable Computing Device must be password protected using the security feature provided on the Portable Computing Device and there should be no sharing of the password.
Removable media such as memory cards must not be used to store confidential information.
A Desktop PC that is used for synching must have approved antiviral software installed, and require user log on.
Whenever there is no longer a job related need to access or store this confidential information, it must be deleted.

1.4.15 PRIVACY

Rights to personal privacy, while using Institutional I.T. resources, will be maintained in accordance with federal and state statutes. For further information, please refer to the links in the Federal and State statutes section.

In addition, the safeguarding of certain financial information (including, but not limited to information used in connection with the awarding and issuance of student loans) that is covered by the Gramm-Leach-Bliley Act of 1999, 15 U.S.C. 6801, et seq., implemented by 16 CFR Part 314, will be governed by the TTUHSC Information Security Plan for Financial Information and TTUHSC OP 56.01 – Use of Information Technology Resources.

TTUHSC OP 10.05 requires all TTUHSC "authorized representatives" to ensure the confidentiality of all information regarding patient, personnel, and/or student records, communications, activities, and all other information made confidential by law and TTUHSC policy.

As a key provider of services and technology in the healthcare industry, TTUHSC has implemented programs to address the transaction standards, and the privacy and security implications of the rules set forth by the Health Insurance Portability and Accountability Act (HIPAA) of 1996. More resources on HIPAA can be found at http://www.ttuhsc.edu/hipaa/.

1.4.16 MONITORING OF I.T. ASSETS

As a public institution, all TTUHSC computers, videoconferencing systems, and network activity are subject to ongoing and unannounced security audits. The inappropriate use of the systems and/or networks which violate Institutional policies or local, state and federal laws will be investigated (i.e., copy right violations, pornography). The CIO will authorize these investigations and the appropriate authorities will be notified. The Information Technology Security Team will be responsible for conducting these audits as necessary.

TTUHSC has the right to disclose the contents of electronic files, as required by legal, audit, or legitimate State, Local, Federal and/or Institutional purposes.

1.4.17 SECURITY AWARENESS AND TRAINING

TTUHSC will use the "New Employee Orientation" to initiate security and copyright awareness and educate new employees about TTUHSC I.T. policies. Biennial Security Awareness Training will be required for all faculty and staff who access the TTUHSC network. The ISO will be responsible for assuring that the appropriate training is provided and utilized by all network users.

The Information Security Officer, in collaboration with the I.T. Security Council, will ensure additional security awareness will be provided through ongoing web announcements and other media formats.

1.4.18 SERVER HARDENING

Standard/Procedure

A server cannot be connected to the TTUHSC network until it is in a TTUHSC I.T. approved secure state. Prior to connecting the server to the network, the following must be performed:

Install the operating system from an I.T. approved source which includes proper licenses,
Receive a reserved IP address from the appropriate regional campus network administrator,
Remove all unnecessary software, system services, and drivers,
Set appropriate security parameters, file protections, and enable audit logging,
Disable or change the password of default accounts, and
Complete a Server Registration Form (http://www.ttuhsc.edu/it/forms/serverregistration.aspx) and submit it to its@ttuhsc.edu.

Immediately after connection to the network, the following must be completed:

Install I.T. approved anti-virus software, and
Apply the latest vendor supplied patches, which have been tested for compatibility with the production environment.

Note: For more detailed information and procedures based on specific operating system, please refer to Guidelines For Operating Systems Security at http://www.ttuhsc.edu/it/policy/ossecurity.aspx.

All servers are required to pass a vulnerability assessment performed by the TTUHSC ITS prior to use. Administrators are required to correct all network/operating system vulnerabilities identified as high or medium risk during the vulnerability assessment. Examples of high and medium risk vulnerabilities are:

Accounts with blank or weak passwords
Outdated version or patch levels of server software and services

TTUHSC ITS will monitor security issues, both internal and external to TTUHSC, and will monitor the release of security patches on behalf of TTUHSC. After the server administrator is notified by the ITS, patches must be implemented within a specified timeframe determined by the security level of the patch, or the risk level of the vulnerability. ITS will routinely monitor to ensure the system(s) are in compliance. Failure to comply with these guidelines can result in the server(s) being removed from the network.

Patches are classified as follows:

Critical Updates - These include updates or hotfixes for the operating system and mission critical applications. These fixes address security vulnerabilities and system stability problems.
Virus updates - Anti-virus vendors supply updates/signatures to protect against the latest viruses. In order to provide maximum protection, all servers should receive regular anti-virus updates and upgrades.
Applications/Program patches - This includes updates for specific applications that could affect the overall security of the server.

TTUHSC I.T. will perform due diligence in testing security patches before release when practical.

1.4.19 AUTHORIZED SOFTWARE

Installation of any software must have a justifiable business purpose and must be properly licensed. Standard recommended software can be found at http://www.ttuhsc.edu/it/helpdesk/support.aspx. Software that is Institutionally-required (e.g., McAfee VirusScan) must not be removed. Each system will also be set to automatically receive Microsoft Updates. The CIO, or designee, reserves the right to remove any software on computers that poses a threat to TTUHSC computers or to the operation of the network.

1.4.20 APPLICATION SYSTEM DEVELOPMENT, ACQUISITION, AND LIFECYCLE

The central Data Center at TTUHSC employs a three-tiered architecture that consists of separate testing, staging, and production servers that isolates the testing environment from production environment. All server or web-based applications residing in the central Data Center must be hosted in this type of environment to ensure separation of test and production code/data. Within this section, applications are defined as programs, software, systems, or web pages that are available to and interact with multiple users. These applications and associated data usually have a medium to high risk associated with them, as defined in Section 1.1. (See also TAC 202.72.)

Access to the production environment must be strictly controlled. Web development and quality assurance practices are described in Section 9.4 - Change Management Procedures for Official TTUHSC Web Pages/Sites. The quality assurance process for developing, maintaining and changing applications at TTUHSC is described in this section.

Developing Applications/Systems/Web Pages

All applications/systems, acquisition, development, and maintenance will be required to undergo a security audit before being put into production and must follow Section 9.5 - Coding Standards, Security, and Audit Controls.

Migrating Applications/Systems/Web Pages From Test To Production

Within the Information Technology Division at all campuses, all developers must adhere to the following quality assurance procedures:

All developers and the requesting department are required to thoroughly review and test the application/system/web pages in the testing environment prior to it being moved to production. In many cases, this will require the development of testing documentation that includes test cases and scenarios. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also be involved in the review and testing. This testing must be completed before the security code review can be conducted.
All applications/systems/web pages are required to undergo a security code review by Information Services prior to production implementation. A project request for a code review should be submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/. IS staff will perform a security code review for the project prior to it being moved into production. The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web pages be moved into production. The request to move to production will be approved by the Assistant Vice President for Information Services or the Manager of Web Programming AND the Institutional Information Security Officer. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.
Designated personnel will migrate the application/system/web page and any applicable data sources from test into production using a documented process. This process should include:
- Implementation procedures and requirements, and
- Making and documenting any changes to IIS, access privileges, etc. necessary to the proper functioning of the application.
For applications/systems/web pages residing in the central Data Center, Information Services Project Leaders migrate the code and any applicable databases into production. The migration of code from the test environment to the production environment is handled by a process developed in-house called the HSC Version Control System. The HSC Version Control System is a program designed to control the publishing of applications to the production environment. The application provides access to a source code repository and allows users to check in/out source code files and publish new versions of applications from the test environment to production.
After it is moved into production, the developer and the requesting department are required to do a final review and test of the application/system/web page developed. Once this is completed, the requesting department and the application/data owner are also required to submit a final approval for the project to the developer.

Outside of the Information Technology Division at all campuses, all developers should adhere to the same quality assurance procedures listed above. However, all applications/systems/web pages are required to undergo a:

Security code review by Information Services prior to production implementation. A project request for a code review must be submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/ prior to procurement. IS staff will perform a security code review for the project prior to it being moved into production. The security code review will include the utilization of third party software that is specifically designed to identify vulnerabilities.
Once the security code review is completed and all vulnerabilities have been addressed, the requesting department must request that the application/system/web page be moved into production. The request to move to production will be approved by the Assistant Vice President for Information Services or the Manager of Web Programming AND the Institutional Information Security Officer. If the requesting department is not the owner of the application/system/data, then the application/system/data owner must also approve the move to production.

All applications/systems/web pages residing outside of the central Data Center will be hosted using a three tiered architecture that consists of separate testing, staging, and production servers that isolates the testing environment from production environment.

All coding will be consistent with the practices outlined in Section 9.5.

Submitting A Project Request For Information Services Resources

A project request must be submitted to Information Services for:
- Any modification or enhancement to an existing web site, web application, or other system,
- The development of new web sites, web applications, or systems,
- The implementation or upgrading of database or storage systems,
- The implementation or upgrading of acquired software or systems,
- The development or modification of e-Commerce applications, and
- Security reviews for developed or newly acquired web sites, applications, or systems. All requests for security reviews for new software, applications, or systems should be made at the beginning of the procurement process to allow sufficient time to conduct the security review before procurement.

All project requests are reviewed on a bi-weekly basis. The purpose of this review is to determine whether resources exist to accomplish the objectives of the request and to prioritize approved requests. Before any project can be scheduled and resources allocated, it must be approved by the Assistant Vice President for Information Services or the Manager of Web Programming and the applicable Campus I.T. Director prior to any allocation of resources.

Also, if a request is submitted and the request was not made by the application/data owner, then the application/data owner must approve the request prior to any work starting on the project.

Project requests are submitted via the Information Services Project Request form located at http://www.ttuhsc.edu/it/IS/forms/ProjectRequest/.

Once a request is received, it is reviewed. If the resources are available and the request is approved, it is assigned to an Information Services staff member(s).
The assigned staff member(s) will:
- Contact the requestor for additional information and further define the request,
- Begin work on the maintenance or application development project in the test environment,
- Work with the requestor so that the maintenance change or developed application can be reviewed and tested, and
- Make any changes or corrections discovered during the review and testing then review and test again.

1.4.21 VENDOR ACCESS

Vendors’ physical access to the central Data Center will require the appropriate approval and authorization by the CIO or the Associate Vice President of Technology Services. Logs will be maintained on all vendor access to the central Data Center facilities and vendors must execute a Business Associate Agreement with the Institution prior to accessing the TTUHSC network. Vendor access is for a limited time only.

1.4.22 VIRUSES AND OTHER MALICIOUS CODE

The purpose of this policy is:

To establish procedures that define the responsibilities for reducing the threat of computer viruses to TTUHSC computers and networks
To establish responsibility for overseeing computer virus prevention activities within TTUHSC, and to establish a reporting mechanism to ensure all appropriate personnel are contacted in case of a computer virus incident
To promote awareness of the threat posed by computer viruses to TTUHSC students, faculty, staff, and to ensure that virus protection software and procedures are properly implemented and utilized on a regular basis

Due to the collaborative nature and sensitivity of the work performed at TTUHSC, all Institutional computers must have the approved anti-virus program, McAfee VirusScan, installed. Users’ continued access to the TTUHSC network is contingent on the installation of McAfee VirusScan on all TTUHSC-owned computers. This is to eliminate any possibility of a network-wide virus infection or disruption of productivity. This virus protection software must not be disabled, bypassed, or modified in any way.

Specific Restrictions

TTUHSC expressly prohibits:

Development of any form of computer virus with the intent to distribute through the TTUHSC network or beyond
Intentional distribution of a virus, regardless of type (nuisance or destructive)
Intentional creation of false alarms using hoax virus messages

Specific Responsibilities and Guidelines for Virus Prevention

Students, Faculty, and Staff should:

Understand the risks associated with viruses and preventative measures that can be reasonably deployed.
Be aware of and follow the procedures outlined in TTUHSC I.T. announcements (web page or email), which will be used to communicate warnings of potential computer virus threats.
Treat nuisance viruses with the same urgency as destructive viruses. Write down the name of the virus, if provided by the virus detection software.
Write down any recent unusual computer activities (for instance, unexpected disk access, error messages, or screen displays) and, if possible, include when these activities were first noticed.
Contact the Information Technology Help Desk when a computer virus is suspected and/or detected.
Never boot directly from a floppy diskette until the diskette has been scanned for viruses. By default, the Institutional antivirus program, McAfee VirusScan, is configured to automatically scan all floppy disks upon use. (This is completely done in the background without any visible disruption to the user.)
Ensure files received from external sources are clean of viruses prior to use or distribution and never use or introduce non-licensed software on any TTUHSC computing device.
Back up critical data (e.g., student/patient/employee information, data related to Institutional operations, vital mission data, etc.) to a floppy disk or to a drive on the server (see your Department Administrator or Departmental I.T. Representative for access restrictions) at least once a week (or more often for more critical data.)

Computer Security Analyst (CSA) is responsible for:

Isolating the infected computer(s) from the TTUHSC network as soon as possible. Reasonable attempts should be made to notify the primary user or the system administrator before disconnecting from the network. Depending on the nature of the virus, this may not be possible and the Help Desk should be contacted prior to disconnecting a computer from the network. The Help Desk will coordinate the ITS and networking to minimize any potential risks.
Identifying and isolating the suspected virus or worm-related file and processes. Do not power off or reboot computers that may be infected. There are some viruses that will destroy disk data if the computer is power-cycled or rebooted. Also, rebooting a computer could destroy needed information or evidence.
Attempt to halt and/or remove all suspicious processes from the computer. In the case of a worm attack, it may be necessary to keep the computer(s) isolated from the network until all TTUHSC computers have been inoculated and/or the other Internet sites have been cleaned and inoculated.
Implement fixes and/or patches to inoculate the computer(s) against further attack.
Notify the ITS prior to bringing the computers back into full operation mode. The users should also be notified the computers are returning to a fully operational state.

Information Technology Security (ITS)’s responsibilities include:

Overseeing computer virus protection activities within TTUHSC which include the desktops and servers, Internet mail gateway, and Exchange Servers. This is done in coordination with the CSA’s.
Staying current with the latest virus exploits and maintaining attachment filtering lists through the mail servers.
Evaluating, recommending, and maintaining virus protection software and/or tools for use on TTUHSC PCs, servers, and laptops.
Coordinating any training on virus control required for CSAs and TTUHSC personnel in general.
Investigating every report of an apparent computer virus infection, and will make every reasonable effort to determine the source of the infection. The Information Security Officer will keep all affected personnel advised of the investigation.
Monitoring compliance of virus protection policies.

The CSA and ITS are jointly responsible for:

Verifying the existence and identifying the type of virus on the user system.
Coordinating with the anti-virus vendor or other sources on disinfection methods.
Documenting any recent unusual computer activities (for instance, unexpected disk access, error messages, or screen displays) and, if possible, include when these activities were first noticed.
Ensuring that the appropriate data for the monthly Department of Information Resources virus report is received by the Information Security Officer no later than the second business day of the each month.

Information Technology PC Support/System Support (all campuses) should take the following steps:

Ensure that virus protection software is installed on every desktop, server, and laptop computer acquired by TTUHSC before they are made available for use by TTUHSC, students, staff, or faculty,
Ensure that the virus protection software has loaded a ‘terminate and stay resident’ (TSR) program or service/daemon to constantly monitor for viruses to prevent introduction to the network,
Inform the ITS/CSA of new anti-virus installs. This procedure is to make sure the desktop, server, or laptop can communicate with the anti-virus management server to receive updates,
Upon receipt of a notice of a possible virus, clarify the symptoms with the user,
Verify if there is a virus and if so, report the incident to the ITS/CSA, and
In the event the virus cannot be removed from the infected computer, the ITS/CSA will contact PC Support or System Support to rebuild the computer.

1.4.23 WIRELESS ACCESS

The emergence of wireless network technology has resulted in requests from TTUHSC departments to implement wireless network solutions for office, clinic, and classroom locations. To ensure proper administration and security of the network, it is important for the development of wireless networking capabilities be controlled and coordinated.

This document outlines the policies for the implementation of wireless networking technology at TTUHSC. See also Section 1.4.14 - Portable Computing.

Scope

This policy applies to all wireless network devices connected to the TTUHSC network infrastructure, or wireless devices owned by TTUHSC, or operated in TTUHSC facilities.

Policy

All TTUHSC faculty, staff, and students should be aware that wireless network connections are inherently less secure than wired connections. State and federal legislation requires TTUHSC to provide protection for sensitive data such as patient information and student financial data. Therefore, TTUHSC personnel are advised against using wireless technology to transmit this type of information.

Information Technology will extend the TTUHSC network to provide wireless service to any area based on the application need and demand and subject to the availability of resources. Wireless networks are not a replacement, but a supplement to the existing wired network. Wireless connectivity will only be allowed in areas that wired connectivity is not available, or there is a justifiable business or educational case for its use.

The Chief Information Officer (CIO) or designee, in concurrence with the Regional Site Coordinator (RSC) at the respective campus, must approve the installation and use of wireless devices connected to the TTUHSC network.

Only wireless hardware and software approved by the CIO or designee, in concurrence with the RSC from each campus, will be used for the wireless infrastructure.

All wireless access points and wireless devices must have the manufacturer’s default SSID changed. These access points and devices will be audited and monitored on a regular basis. Information Technology reserves the right to remove any unauthorized or misconfigured wireless device from the network immediately without prior notice.

Wireless network and services are subject to the same rules and policies that govern other electronic communications services at TTUHSC. (See Acceptable Use and Portable Computing). Disruption of authorized communications or unauthorized interception of wireless communication is a violation of policy.

Approval

Departments with a justifiable need for wireless connectivity should provide a written request from their department administrator to the Managing Director of Network, Security, and Systems and/or the appropriate RSC for approval. The following should be included in the request in order for Information Technology to properly evaluate the request:

Department name
Reason or need for wireless communications
Area (building, room, etc.) where wireless access is needed
Estimated number of wireless users

After the request has been reviewed, Information Technology will survey the site and discuss with the department administrators the project plan for implementation.

Equipment

TTUHSC will implement wireless equipment that follows the IEEE 802.11 standards. Wireless equipment standards will be reviewed and amended as wireless standards change, and as products are introduced that improve the security and reliability of the wireless network.

Security

Access to the wireless network will be limited to individuals authorized to use the Institutional network and Internet resources. All wireless network users must authenticate his/her identity to an authentication server managed by Information Technology before access to the rest of the TTUHSC network is permitted. Anonymous users will not be allowed to access the wireless network.

Responsibilities

Information Technology

Develop, maintain, and update wireless communications policies and wireless networking standards.
Approve standards for wireless network hardware and software used by TTUHSC.
Approve, design, and install wireless network equipment for all TTUHSC locations.
Inform wireless users of security and privacy policies and procedures related to the use of wireless communications.
Monitor security of all wireless networks within the TTUHSC network to prevent unauthorized access to the TTUHSC network.
Monitor the development of wireless network technology, evaluating wireless network technology enhancements and, as appropriate, incorporating new wireless network technology with the TTUHSC network infrastructure.

Department Administrators

Ensure departmental compliance with all applicable TTUHSC policies pertaining to the installation and use of the wireless network.
Inform wireless users of security and privacy policies and procedures related to the use of wireless communications.
Notify Information Technology when modifications to the network are needed.

1.4.24 VULNERABILITY ASSESSMENT

Management will conduct security reviews continually. Vulnerability assessments will be conducted periodically to test security measures currently in place. Employees leaving the employment of TTUHSC, for whatever reason (resignation, termination, retirement, etc.), will have their access privileges revoked and the employee shall be prevented from accessing Institutional I.T. resources in accordance with these policies.

Download Free Adobe Reader

Adobe Acrobat Reader is required to view items marked with this icon:

Please click on the left image to download the free version.

Quick Search

IT Resources

IT Policies

HSC Resources

TTUHSC IT Policies

1.4 Security Safeguards (TAC 202.75.7)

1.4.1 ACCEPTABLE USE

1.4.2 ACCOUNT MANAGEMENT AND USER RESPONSIBILITIES

TTUHSC Account Types

PUBLIC Account Types

1.4.3 ADMINISTRATOR/SPECIAL ACCESS

1.4.4 BACKUP/RECOVERY

1.4.5 CHANGE MANAGEMENT

1.4.6 EMAIL

1.4.7 INCIDENT MANAGEMENT

1.4.8 INTERNET AND INTRANET CONNECTIVITY

1.4.9 INTRUSION DETECTION

1.4.10 NETWORK ACCESS

1.4.11 NETWORK CONFIGURATION

1.4.12 PASSWORD/AUTHENTICATION

1.4.13 ASSET MANAGEMENT

1.4.14 PORTABLE COMPUTING

1.4.15 PRIVACY

1.4.16 MONITORING OF I.T. ASSETS

1.4.17 SECURITY AWARENESS AND TRAINING

1.4.18 SERVER HARDENING

1.4.19 AUTHORIZED SOFTWARE

1.4.20 APPLICATION SYSTEM DEVELOPMENT, ACQUISITION, AND LIFECYCLE

1.4.21 VENDOR ACCESS

1.4.22 VIRUSES AND OTHER MALICIOUS CODE

1.4.23 WIRELESS ACCESS

1.4.24 VULNERABILITY ASSESSMENT