Computer & Network Security (D-8.1)
Original Implementation: January 24, 1995
Last Revision: October 18, 2011
This policy establishes the conditions and security requirements for the use of computing equipment and networks at Stephen F. Austin State University (SFA). Computing equipment includes desktops, laptops, servers, handheld devices, and printers. In order to comply with state requirements (Information Resources Management Act, Tex. Gov’t Code Ch. 2054, and Texas Administrative Code, Title 1, Part 10, Chapter 202), the director of information technology services (ITS) serves as information resources manager for the university and the Department of ITS ensures compliance.
This policy applies at all university locations or data centers and represents the minimum requirements that must be in place. Individual areas with computers and networks may have additional controls and security.
- Each vice president, dean or director shall designate department staff (not student employees) or the technical services group of ITS as responsible for the support, maintenance and security of the computing equipment within their purview. For organizational units that designate local staff as their support provider, ITS shall provide computing support guidelines specifying the level of support that ITS shall provide as the secondary support provider.
- Each organizational unit shall implement local security procedures to include:
  - Protection of the privacy of confidential information;
  - Protection of information against unauthorized modification;
  - Protection of systems against unauthorized access and use;
  - Display of the security banner from the ITS security web page on organization computers;
  - Use of the university’s central authentication source for user authentication on servers and desktop computers, where feasible;
  - Use of the standard university antivirus software in a managed configuration, where feasible.
- Each organizational unit of SFA that maintains a local area network(s) must develop a local security procedures document that is subject to approval by ITS. In order to mitigate and manage risk, each organizational unit maintaining servers shall participate in the annual information systems security risk assessment. The president or designee shall make the final security risk management decisions either to accept exposures or to protect the data according to their value or sensitivity.
- SFA shall not be liable for the loss of data or interference with files resulting from the university’s efforts to maintain the privacy and security of the university’s computer, information, and network facilities. In order to maintain network security, the university reserves the right to:
  - Limit, restrict, or terminate an account holder's usage;
  - Inspect, copy, remove, or otherwise alter any data, file, or system resource that threatens the security of a system or network, with or without prior notice to the user;
  - Check systems periodically and take the necessary actions to protect university computers, information, and networks.
- Individuals shall exercise responsible, ethical behavior when using the university's information resources. The university reserves the right to limit, restrict or extend privileges and access to its resources.
- Access to certain university information resources is provided through the establishment of an account. Computer accounts must be approved in writing through the respective dean or director (or designated representative) of the administrative unit.
- Since the university permits access to copyrighted data through the Internet, each user is responsible for complying with university policy D-42, Digital Millennium Copyright. Disciplinary action, including termination of service, may be taken on any reported copyright infringements that have been investigated and determined valid.
- Computer systems provided by SFA are reserved only for university-related activities (See Chapter 39 of the Texas Penal Code for provisions dealing with the misuse of state property). The intentional deletion or alteration of information or data of others, intentional misuse of system resources, and misuse of system resources by others are prohibited.
- All users in security sensitive positions or users having access to Banner information, other than their own personal information, shall complete online security awareness training annually. Online security awareness training is considered complete once the user has scored a minimum of 80% on the security awareness quiz.
- Each user is responsible for complying with university policies F-40, Acceptable Use of Information Resources and D-43, Computing Software Copyright.
Sanctions for Policy Violations
Violations of any provision of this policy may result in, but are not limited to:
- a limitation on a user's access to some or all university computer systems;
- the initiation of legal action by the university;
- restitution by the violator for any improper use of service;
- disciplinary sanctions, which may include dismissal.
Many academic courses and work-related activities require the use of computers, networks, and systems of the university. In the event of an imposed restriction or termination of access to some or all university computers and systems, a user enrolled in courses or involved in computer-related work activities may be required to use alternative facilities. However, users are advised that if alternative facilities are unavailable or not feasible, users are responsible for the failure to complete requirements for course work or work responsibilities.
Cross Reference: Acceptable Use of Information Resources (F-40); Computing Software Copyright (D-43); Digital Millennium Copyright (D-42); Texas Information Resources Management Act, Tex. Gov’t Code Ch. 2054; 1 Tex. Admin. Code §§ 202.1-.2, .70-.78; Tex. Penal Code §§ 39.01-.02.
Responsible for Implementation: Provost and Vice President for Academic Affairs
Contact for Revision: Provost and Vice President for Academic Affairs
Board Committee Assignment: Academic and Student Affairs