• All computer systems requiring log-on and password shall have an initial screen banner reinforcing security requirements and reminding users of their need to use computing resources responsibly.
• Users shall not seek or reveal information on, obtain copies of, or modify files, tapes, or passwords belonging to other users, nor may the user misrepresent others.   Each computer account will be assigned to a single individual who is accountable for the activity on that account.
• Users must abide by the laws protecting copyright and licensing of programs and data.   In no case will copies be made of a licensed computer program to avoid paying additional license fees or to share with other users.  
• System Administrators and other custodians of computers are responsible for the physical security of university hardware, software, and data entrusted to their use.   This security includes the following provisions:
  
  • Ensuring doors to areas with computer equipment are locked and/or that computer security devices to secure computers to desks are installed
  • Ensuring that computer equipment is protected from weather, chalk dust, and other foreign materials
  • Securing floppy disks and floppy drives
  • Backing up all critical data files and storing back-up date in a secure, separate area
  • Ensuring that data storage/disk space on computers is adequate for departmental usage
  • Ensuring that the latest version of anti-virus software is installed on computers and is being used
  • Use of surge protectors or uninterrupted power supply (UPS) to protect and save data in case of electrical failure
  • Responsible for taking all possible precautions to protect the programs and operating systems under their care against security violations by network intruders

• Passwords are to be assigned to the individual employee or issued on an individual employee basis if computerized records are being accessed as part of their responsibility.
• Passwords will be a minimum length of eight characters and if stored on the computer needs to be encrypted in storage.
• Passwords will expire every 90 days and can not be reused for a period of one year.
• Passwords must contain at least one character from each of the following classes:
  • Alphabetic: Upper or Lower case (a-z, A-Z)
  • Numeric: 0-9
  • Special Characters: ! # % & ( ) * @ ^
• Screen Savers must be setup as password protected
• Lockout: After 5 consecutive failed login attempts an account will be locked for 30 minutes.
• Passwords should not be:
  • based on personal information, such as names of family, dates, addresses, phone numbers, pet names, etc.
  • based on work information, such as room numbers, building name, co-worker's name, phone number, etc.
  • made of a word or number patterns like, aaabbb, qwerty, zyxwvuts, 123321, abcABC123, etc.
  • a word or combination of words found in any dictionary in any language, slang, dialect, jargon, etc.
  • based on your username, your real name, handle, nickname, screen name, etc.

Threats to computing, network, or telecommunications security, whether actual or potential or illegal activities involving the use of university equipment, shall be reported to NSM IT Security (or designee). In his absence, to the Information Technology security officer or the Chief Information Officer. Illegal activities may also be reported directly to a law enforcement agency. See MAPP 10.03.03 - Security Violations Reporting.

System administrators should conduct a risk assessment program consisting of the following:

• Identification of assets
• Estimation of asset values
• Identification of threats
• Identification of vulnerabilities
• Calculation of risk