Information Technology

Security Policy and Guidelines

Revision 2.0

Revision History

Revision #    Change                                        Date
1.0           Initial release of IT Security Policy         June 2002
2.0           Annual review and Update based on GLB Act     May 2003

Table of Contents

SECTION     TOPIC
1.0         Introduction
2.0         Appropriate Use of LCSC IT Resources
3.0         Network Systems
4.0         Desktop and Client Systems
5.0         Enterprise Application Level Security
5.1         Electronic Mail and LCSC Messaging Systems
5.2         Datatel Colleague System
5.3         CampusCruiser
6.0         Account Requests and Approval
7.0         Account Termination
8.0         File Server Security
9.0         Student Laboratories
10.0        Central Computer and IT Facility Physical Security
11.0        Virus Protection
12.0        Data Confidentiality
                Family Educational Rights & Privacy Act
                Gramm-Leach-Bliley Act
13.0        Access to Restricted Information
14.0        Data Backups/Recovery
APPENDIX A  IT Department Security & Confidentiality Statement

 

 

1.0               INTRODUCTION: 

 

Information Technology (IT) security is critical to assuring the integrity and confidentiality of information maintained on Lewis-Clark State College’s numerous Information Systems.  At a minimum, the IT Security Policy is responsible for setting guidelines and processes to assure that:

 

  • Only authorized personnel are given access to LCSC’s Information Systems, and that this access is of an appropriate level.
  • Appropriate safeguards and processes are in place to prevent unauthorized access to LCSC’s Local Area Network (LAN) from within and outside the campus.
  • Necessary steps are taken to assure the integrity and confidentiality of data during the storage, use, and electronic transfer of data within and outside of LCSC.

 

2.0        APPROPRIATE USAGE OF LCSC INFORMATION TECHNOLOGY RESOURCES:  Appropriate usage of all Information Technology data, tools and services at Lewis-Clark State College is outlined in the LCSC Appropriate Use of Technology Guidelines.  

 

NOTE:  All requests for modifications or additions to this document, clarifications to the intent of specific areas of the document, or the reporting of IT security violations should be directed to the Lewis-Clark State College Chief Technology Officer (CTO) and Director of Information Technology (IT) at the following location:

 

CTO and Director of Information Technology
Sam Glenn Complex, Room B-111
Lewis-Clark State College
500 8th Avenue
Lewiston, ID      83501
       

 

3.0        NETWORK SYSTEMS:  Employees at Lewis-Clark State College have access to the college’s Local Area Network (LAN).  While this access yields extensive benefits, including data sharing and transfer, resource/hardware sharing, and access to the Internet, access to the network also poses several security risks.  Specific policies related to LAN Security include:

 

·         PASSWORD MANAGEMENT:  Access to LCSC’s LAN Domain is controlled by login requirements including a valid Username and Password.  Usernames are assigned by the IT Department using approved naming standards. 

 

The account/user naming standard at LCSC is: 
 

<First letter of first name, Middle Initial, Entire Last Name>

For example:  The User Name for John Q. Public would be <JQPUBLIC>

 

Password requirements are as follows:

o        Format:  Domain Passwords are required to meet the following minimum format:

§         6 characters in length

§         Passwords may not contain your username or any part of your full name

§         Passwords must contain characters from at least 3 of the following 4 classes:

o        Upper case letters (A,B,C,.....Z)

o        Lower case letters (a,b,c,.....z)

o        Numerals (0,1,2,3,...9)

o        Non-alphanumeric special characters (punctuation marks and other symbols)

 

o        Expiration & Reuse:  LAN passwords expire after 90 days and must be changed at that time.  No passwords that have been used in the previous 6 password cycles can be reused.
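The domain password rules above, expressed as an executable check. This is an added example, not LCSC's or any product's own code; it assumes that "any part of your full name" means name tokens of three or more characters, that any character outside A-Z, a-z and 0-9 counts as special, and that password history is kept as salted PBKDF2 digests.

```python
import hashlib
import hmac
import re
import string
from datetime import date, timedelta

MIN_LENGTH = 6        # "6 characters in length"
MIN_CLASSES = 3       # at least 3 of the 4 character classes
MAX_AGE_DAYS = 90     # LAN passwords expire after 90 days
HISTORY_CYCLES = 6    # previous 6 password cycles may not be reused
MIN_NAME_PART = 3     # assumption: shorter name fragments (e.g. a middle initial) are ignored
PBKDF2_ROUNDS = 100_000  # assumption: history is stored as salted PBKDF2 digests


def char_classes(password):
    """Return which of the four policy character classes the password uses."""
    found = set()
    for ch in password:
        if ch in string.ascii_uppercase:
            found.add("upper")
        elif ch in string.ascii_lowercase:
            found.add("lower")
        elif ch in string.digits:
            found.add("digit")
        else:
            found.add("special")  # assumption: anything else counts as special
    return found


def name_parts(username, full_name):
    """Lower-cased username plus each full-name token long enough to matter."""
    tokens = re.split(r"[^a-z0-9]+", full_name.lower())
    parts = {t for t in tokens if len(t) >= MIN_NAME_PART}
    if username:
        parts.add(username.lower())
    return parts


def format_violations(password, username, full_name):
    """Return the format rules a candidate password breaks (empty list = compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("length")
    lowered = password.lower()
    if any(part in lowered for part in name_parts(username, full_name)):
        problems.append("contains-name")
    if len(char_classes(password)) < MIN_CLASSES:
        problems.append("classes")
    return problems


def hash_password(password, salt):
    """Salted digest used for history entries, so old passwords are never stored in clear."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


def is_reused(password, history):
    """history: [(salt, digest), ...] newest first; only the last 6 cycles are checked."""
    return any(
        hmac.compare_digest(hash_password(password, salt), digest)
        for salt, digest in history[:HISTORY_CYCLES]
    )


def is_expired(last_changed, today):
    """A password is treated as expired once it is 90 days old."""
    return today - last_changed >= timedelta(days=MAX_AGE_DAYS)


if __name__ == "__main__":
    # Constructed sample user, following the page's naming example.
    user, full = "JQPUBLIC", "John Q. Public"
    for candidate in ("Spring03", "public!1", "abc12"):
        print(candidate, format_violations(candidate, user, full))
    print(is_expired(date(2003, 1, 1), date(2003, 4, 1)))
```

Ignoring one-letter name tokens matters here: without that threshold, John Q. Public could never use a password containing the letter "q".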

 

INTERNET ACCESS:  All employee and laboratory/classroom computers at LCSC are provided with Internet access.  Policies governing the usage of Internet access from LCSC are included in the LCSC Appropriate Use of Technology Guidelines.

 

Policies governing access to Lewis-Clark State College’s LAN via the Internet are outlined below:

 

·         FIREWALL MANAGEMENT:  Lewis-Clark State College’s Internet Firewall is managed by the Network and Client Services Division of the IT Department.  This Division is tasked with assuring that the Firewall Configuration is managed to provide maximum security for the college, while allowing faculty and staff to accomplish their assigned jobs.  Complete documentation and configuration of the LCSC Firewall is maintained by this division.

 

·         FIREWALL CHANGE REQUESTS:  Occasionally, changes to the configuration/conduits of the firewall are required.  Users requesting changes to the firewall configuration are required to submit a request via the IT HelpDesk, including at a minimum the:

 

o        Description of the requested change

o        Justification for the change

o        Required date of change

o        Expiration of change (if the requested change is temporary in nature)

 

The HelpDesk will log the change and submit the request to the Network and Client Services Division.  All changes to the Firewall Configuration are to be documented and approved in accordance with the IT Configuration Management Plan.

 

WIRELESS ACCESS:  (Under Development) The security guidelines and policies related to wireless networking at LCSC will be developed and implemented in parallel with the design and installation of Campus-Wide Wireless technology scheduled for fall 2002. 

 

4.0        DESKTOP AND CLIENT SYSTEMS:  Desktop computers are critical to most functions at LCSC, and nearly every employee has a desktop computer or laptop with LAN and Internet access, as well as stand-alone computing capability.  As a result, these systems represent not only a major productivity tool for the college but also, if not addressed properly, a significant security risk.  Specific security policies related to desktop/client computer systems (other than laboratory or classroom computers) include:

  • UNATTENDED SYSTEMS:  Unattended systems represent a security risk to LCSC as critical systems and information can be accessed or compromised by any individual with physical access to the computer.  To prevent security violations as a result of a desktop system being left unattended, users are required to:

 

    • Turn off the desktop computer (or log off) when it will be out of their view or control for an extended period of time, which could result in unapproved system access, or …
    • Lock office doors to prevent unauthorized physical access to the desktop computer, or …
    • Implement a “Screen Saver” password with the Screen Saver set to activate upon system inactivity of no more than 5 minutes, or …
    • Utilize the CTRL-ALT-DELETE options to lock the computer. (Available for Windows 2000 and Windows XP Systems only). 

 

  • LOSS OF DATA:  Desktop computer systems at LCSC do not automatically have data stored on them backed up.  This represents a significant security risk to the college via the potential for the loss of critical data and information.  To prevent the loss of critical data stored on desktop computers, users are encouraged to:

 

    • Store all critical files and information on the college’s file servers managed by the IT Department.  These servers are secure, and backed up nightly to minimize the risk of data loss.  To request a personal or shared account on the file servers, users are required to contact the IT HelpDesk at ext. 2231, email the IT HelpDesk at HelpDesk@lcsc.edu, or contact the HelpDesk online.
    • In the event of a critical system failure, data located on the file servers and backed up nightly will be recovered in accordance with the Lewis-Clark State College IT Disaster Recovery Plan.

 

  • DESKTOP PHYSICAL SECURITY:  Due to the varying and unique situations, each end user is responsible for the physical security of computer equipment located in their work area, and assigned to them.  The IT Department is available for consultation, and can assist users in determining if added physical security is necessary, and in recommending options. Some examples of physical security options include:

 

    • Cable/Table locks to prevent unauthorized moving or removal of the equipment.
    • Case locks to prevent unauthorized internal access to the computer system.

 

A complete inventory of all desktop computers and related equipment is maintained by the IT Department as part of the Track-It Database. 

 

  • DESKTOP ADMINISTRATION:  Desktop computer administration and support is the responsibility of the Network and Client Services Division of the IT Department.  Only authorized personnel from this group are allowed to have access to the Local Desktop Administration password.  Guidelines for this password are:

 

    • The password may be the same for all client systems at LCSC, however …
    • The password will be no less than 6 characters in length, case sensitive, and will be a combination of alphanumeric and special characters.
    • The password on all desktop systems at LCSC will be changed as follows:
      • Minimum of 90 days since last password change
      • Whenever a technician (regular or irregular) who has knowledge of the password leaves the IT Department.
      • Whenever any suspicion exists that the password confidentiality may have been compromised.  In this case, the password will be changed immediately, and the circumstances reported to the CTO & Director of IT for investigation.

 

5.0        ENTERPRISE APPLICATION LEVEL SECURITY: 

 

5.1 ELECTRONIC MAIL & LCSC MESSAGING SYSTEMS:  Lewis-Clark State College’s email and messaging services are provided using Microsoft (MS) Exchange, using MS Outlook as the primary email/messaging client. 

 

·         PASSWORD MANAGEMENT:  Access to Lewis-Clark State College’s email system is managed as part of the overall Network Domain for the college.  As a result, users have a single User ID and Password for access to the network, to email, and to the Windows based File Servers.  Information on password management is available in Section 3.0 (Network Systems). 

 

·         SHARED EMAIL/CALENDAR ACCESS:  The sharing of email and calendar access is a useful tool within Microsoft Exchange, but can be a security risk if handled inappropriately.  The following guidelines outline the policy regarding granting shared email and/or calendar access.

 

o        General Security:

§         Default configuration is that no individual is granted access to another individual’s calendar details.

§         This configuration can be modified only with the permission of the owner of the calendar to which access is being shared.

§         The access level is determined and set by the calendar owner.

§         Mailbox access is not to be shared unless established by the owner of the mailbox.

§         The IT Department will not modify any mailbox or calendar to allow access without the expressed/written consent of the calendar/mailbox owner.  (Email notification/approval is acceptable).

 

o        Calendar Detail Access:

§         All individuals at LCSC are granted permission to see all free and blocked out times on other calendars.

§         No individuals are granted access to view the details of the calendar unless authorized by the calendar owner.

 

5.2 DATATEL COLLEAGUE SYSTEM:  The Lewis-Clark State College Enterprise Resource Planning (ERP) system is Datatel’s Colleague application.  This application resides on the IBM RS-6000 Servers and contains critical information in the following areas (but not limited to):

 

  • Financial Management Information
  • Student Financial Aid Information
  • Registration Information
  • Application and Enrollment Management Information

 

As a result of the sensitive and confidential nature of the information, and the critical service that Datatel Colleague provides to the operation of the campus, control of access to the system, the application, and the data is of critical importance.  Key security policies and guidelines related to the Datatel Colleague environment are as follows:

 

  • Password Management:  Since the Datatel Colleague system resides on a UNIX Server (IBM RS-6000), the system is not part of the Lewis-Clark State College domain, and passwords are handled separately for all aspects of the application environment. 

 

APPLICATION/ACCOUNT LEVEL PASSWORD MANAGEMENT:  All users, except those with Root Access, of the Datatel Colleague application require an application level User ID and Password.  The following password management requirements are implemented for all non-Web Advisor accounts to Datatel Colleague.  

 

    • Password Minimum Length:                  6 Characters
    • Minimum Alpha Characters:                 1 Character
    • Minimum Numeric/Other Characters:         1 Character
    • Maximum Repeated Characters:              2 Characters
    • Minimum Different Characters:             4 Characters
    • Password Maximum Age:                     14 Weeks
    • Weeks between expiration and lockout:     2 Weeks
    • Weeks between password reuse:             52 Weeks
    • Number of Passwords before reuse:         5 Passwords
    • Auto Expiration and Notification:         Yes
    • Case Sensitive:                           Yes
    • Restricted Word List:                     /user/lc/bad.passwd
    • Max failed login count:                   4

 

SYSTEM LEVEL (ROOT) PASSWORD MANAGEMENT:  Root Level access to the Datatel Colleague server is limited to the three Programmer-Analysts of the IT Department.  To assure proper management and continued access to the server, the Root Password does not automatically expire and require mandated change.  Password management guidelines for the Root Password are as follows:

 

    • Password Minimum Length:                  6 Characters
    • Minimum Alpha Characters:                 1 Character
    • Minimum Numeric/Other Characters:         1 Character
    • Case Sensitive:                           Yes
    • Password Maximum Age (Manual):            18 Weeks
    • Maximum Repeated Characters:              2 Characters
    • Minimum Different Characters:             3 Characters

 

The Root Level password must be changed when any of the following criteria exists:

 

    • Manual update required after 18 weeks (normally accomplished in conjunction with the automated password change requirement for the Programmer-Analysts)
    • A Programmer-Analyst (who has knowledge of the password) leaves the IT Department or accepts a different position within the Department.
    • An emergency situation resulted in the release of the password (stored in an envelope in the safe in the Central Computer Facility) to someone other than the Programmer-Analysts. 

 

  • File Transfer Protocol (FTP) Access:  FTP access/capability allows for users to transfer data into and out of the Datatel Colleague System.  This capability is reserved for specific users who have a requirement for this functionality. 
    • Default Setting:  By default, users of the Datatel Colleague System are prohibited from FTP capability.  This is accomplished by each individual’s name/User ID being added to the FTP Lockout File at /etc/ftpusers.
    • Acquiring Access: Users requiring FTP capability may request this access by submitting a call to the IT HelpDesk with a justification as to why FTP capability is required.  Approval of FTP access is granted by the Datatel Advisory Committee and implemented by the Datatel Colleague System Administrator. 

 

  • New Datatel Colleague Users:  Personnel requiring access to Datatel Colleague must submit a request to the IT HelpDesk.  New Users will be provided with the basic Inquiry Only access level, unless approved by their management.  New Users will automatically be added to the FTP Lockout File at /etc/ftpusers, unless FTP access is requested by their management and approved by the Datatel Advisory Committee.

 

 

  • Datatel Colleague Security Class Definitions:  Security Class Definition (SCD) levels are implemented to set the capabilities and access levels of individual accounts within Datatel Colleague.  Within the Lewis-Clark State College Datatel Colleague application, the following SCD levels are established:

 

    • Inquiry Only Users:        All new users are granted this basic level of access, at the request of their management for access to Datatel Colleague. 

 

    • General Maintenance Users:       General Maintenance users are those users with the ability to modify and perform data maintenance within the system.  The level of maintenance that is allowed is generally tailored for the specific job function of the individual.  Users requiring this level must submit a request via the IT HelpDesk, and will be approved by the Data Steward/Application Specialist for the specific area.  Specific areas utilizing this level of access include:
      • Financial Aid
      • Admissions and Enrollment Management
      • Controller
      • Registration

 

o        Power Users:  The Power User level has significant access and capability in the Datatel Colleague environment, and has the ability to manipulate data outside of their specific area of involvement.  For this reason, granting of Power User access can only be authorized by a majority vote of the Datatel Advisory Committee.

 

o        IT Programmer-Analyst Users:  The highest level of access (full access at all levels) is reserved for the Information Technology (IT) Programmer-Analysts.  The approval of access at this level is granted by the CTO and Director of Information Technology. 
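The FTP default in Section 5.2 (every Colleague user listed in /etc/ftpusers unless FTP access has been approved) can be checked for drift by comparing three lists. This is an added example, not LCSC's own tooling; the account names, file contents and approved list below are constructed, and it assumes blank lines and lines starting with "#" in the lockout file are ignored.

```python
def parse_passwd(text):
    """Return account names from passwd-format text (name is the first colon field)."""
    names = set()
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#"):
            names.add(line.split(":", 1)[0])
    return names


def parse_ftpusers(text):
    """Return the names listed in an ftpusers-style lockout file, one per line."""
    names = set()
    for line in text.splitlines():
        entry = line.strip()
        if entry and not entry.startswith("#"):  # assumption: '#' lines are comments
            names.add(entry)
    return names


def audit_ftp_lockout(passwd_text, ftpusers_text, approved):
    """Compare accounts, the lockout file and the approved-FTP list.

    An account can use FTP only if it is absent from the lockout file, so any
    account missing from the file without an approval is a policy exception.
    """
    accounts = parse_passwd(passwd_text)
    denied = parse_ftpusers(ftpusers_text)
    approved = set(approved)
    return {
        # FTP works for these accounts although nobody approved it.
        "ftp_enabled_without_approval": sorted(accounts - denied - approved),
        # Approved users whose lockout entry was never removed.
        "approved_but_locked_out": sorted(approved & denied),
        # Lockout entries for accounts that no longer exist.
        "stale_lockout_entries": sorted(denied - accounts),
        # Approvals that refer to no existing account.
        "approved_unknown_account": sorted(approved - accounts),
    }


# Constructed sample data (not taken from any real system).
SAMPLE_PASSWD = """\
root:!:0:0::/:/usr/bin/ksh
daemon:!:1:1::/etc:
jqpublic:!:201:1::/home/jqpublic:/usr/bin/ksh
asmith:!:202:1::/home/asmith:/usr/bin/ksh
bjones:!:203:1::/home/bjones:/usr/bin/ksh
cdoe:!:204:1::/home/cdoe:/usr/bin/ksh
"""

SAMPLE_FTPUSERS = """\
# FTP Lockout File
root
daemon
jqpublic
bjones
olduser
"""

SAMPLE_APPROVED = ["asmith", "bjones"]  # hypothetical list of approved FTP users

if __name__ == "__main__":
    report = audit_ftp_lockout(SAMPLE_PASSWD, SAMPLE_FTPUSERS, SAMPLE_APPROVED)
    for finding, names in report.items():
        print(f"{finding}: {', '.join(names) or '-'}")
```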

 

5.3 CAMPUSCRUISER (LCWarriorMail):  CampusCruiser is the email, messaging, and portal system maintained via TimeCruiser, an Application Service Provider (ASP).  Security and acceptable usage of the CampusCruiser application is controlled by TimeCruiser and is documented in the following documents, which are available on the CampusCruiser website:

 

·         CampusCruiser Terms of Usage

·         CampusCruiser Privacy Statement

 

In addition to the guidelines set forth by TimeCruiser, LCSC has established additional guidelines which govern all users of the LCSC CampusCruiser Site (LCWarriorMail.com).  These additional guidelines apply to all users and all functions of the LCWarriorMail CampusCruiser environment.  Functions included in these guidelines include, but are not limited to: Email, Announcements, Calendar events, Chat Rooms, News Groups/Postings, and Message Boards.

All CampusCruiser areas used must be used for lawful purposes only. Users shall not post any material on, or transmit any material to, any area or part of the site that: (i) violates or infringes in any way the rights of any third party; (ii) is unlawful, threatening, abusive, defamatory, invasive of privacy or publicity rights, vulgar, obscene, profane, indecent or otherwise objectionable; or (iii) encourages conduct that would constitute a criminal offense, gives rise to civil liability or otherwise violates any law. Advertising or commercial solicitation may be posted on or transmitted through CampusCruiser.com only with the express prior approval of TimeCruiser and the Lewis-Clark State College IT Department.

Users are responsible for their own communications and for the consequences of their posting. The uploading, posting or otherwise making available in any community areas any material protected by copyright, trademark or other proprietary right is strictly forbidden unless the user is the owner or has the express permission of the owner of the copyright, trademark or other proprietary right. Users shall be solely liable for any damages resulting from any infringement of copyright, trademark or other proprietary right, or any other harm resulting from any uploading, posting or submission.

Users are responsible for being in compliance with the CC Terms of Usage policy located under the Campus-General-Welcome tab. Any LCSC faculty, staff, or student found to be in violation of CampusCruiser or LCSC guidelines for use of CampusCruiser will have their accounts terminated pending a full investigation.  Users may petition for re-instatement of their account via sending a letter to the following address:

 

CTO & Director of Information Technology

Lewis-Clark State College

500 8th Avenue

Lewiston, ID  83501-2698

 

6.0        ACCOUNT REQUESTS AND APPROVAL:  (Information in this section does not supersede request and approval requirements outlined in specific areas of this document for systems and applications.  Please refer to specific areas for additional guidelines.)  Requests for accounts on general LCSC systems and applications, or on the LCSC LAN, must be submitted via formal processes for review and approval.  Requesting and approval of accounts is as follows:

 

  • ACCOUNT REQUESTS:

 

    • New Employee: A HelpDesk call is submitted and logged with the IT HelpDesk (either by the Human Resources Department or the employee’s assigned Department), that a new employee has been hired and will be requiring access and accounts (Email, Network, etc.)
    • Existing Employee:  A HelpDesk call is submitted by the employee’s assigned Department or by the employee personally, that a change or new access is required.  A call is logged by the IT HelpDesk.

 

  • REVIEW & APPROVAL:  Upon notification of the request, the IT HelpDesk contacts the Administrative Assistant of the requestor’s department and acquires the following information:
    • Areas of access requested (Network, Email, Datatel, etc.)
    • Access level requested
    • Authorization/Justification for the accesses requested

 

The HelpDesk Specialist then enters the appropriate HelpDesk calls for each specific area requested, outlining the level of access requested and the justification/authorization for the request.

 

o        Network, email, and file server accounts are created by the Network and Client Services Division.

o        Telecommunication access/phone is created by the Network and Client Services Division.

o        Datatel accounts are created by the Application Services Division.

o        CampusCruiser account levels are established by the LCWarriorMail Administrator.

 

NOTE:  No individual will be provided with access to another department’s file systems without Department level approval of the department owning the directory/information to be accessed.

 

7.0        ACCOUNT TERMINATION:  Account terminations for all systems are handled in accordance with the User Access and Account Management Process.

 

8.0        FILE SERVER SECURITY:  File Servers at Lewis-Clark State College are used for the storage of individual, departmental, and team/project based information.  Information on these servers is considered confidential, and access to these systems and directories/files is managed accordingly. 

 

  • Personal Folders:  All Lewis-Clark State College personnel are granted access to the “HOME” directory on the File Server.  Personal folders are located within this directory.  Security for these folders is managed via NTFS.  Personal folders are locations for individuals within Lewis-Clark State College to store important information on the “HOME” directory.  Personnel requesting a personal storage folder on the file server are required to submit a call to the IT HelpDesk, and a folder will be established for them.
    • Access to this folder (by default) is limited solely to the named owner of the folder.
    • Access to this folder, other than by the owner, must be requested via a formal HelpDesk call.  Only the owner of the folder can grant access, in writing (email acceptable). 

 

  • Department and Project Folders:  Departmental and Project folders are locations for departments/project teams to store common documents and information applicable to personnel within their group.  Security for these folders is managed via “Share Permissions”. These folders are located within the “DEPARTMENTAL” directory on the File Server.  Requests for departmental directories on a file server must be submitted by the Department Head (or his/her designee) to the IT HelpDesk. 
    • By default, all and only members of the Department Account Group are provided access to their specific Department Folder. 
    • Access to a Department Folder, to personnel outside the Department, must be requested via a formal HelpDesk call.  Only the Department Head of the directory, or his/her designee, can authorize access to the folder.  Authorization must be in writing (Email acceptable).
    • On occasion, a department may request that personnel within their department not be granted access to certain sub-folders within the department folder.  Only the Department Head or his/her designee can request removal of a department employee from specific sub-folder access. 

 

  • File Server Password Management:  Access to Lewis-Clark State College’s file servers is managed as part of the overall Network Domain for the college.  As a result, users have a single User ID and Password for access to the network, to email, and to the Windows based File Servers.  Information on password management is available in Section 3.0 (Network Systems). 

 

9.0        STUDENT LABORATORIES:  Lewis-Clark State College maintains 2 primary computer laboratories for student usage.  Information on these computer labs is available on the IT Website.  Basic security parameters associated with the Student Computer Labs are as follows:

 

·         Lab Monitors:  Lab monitors are on staff at both labs during all hours that the labs are open for student usage.  These monitors are present to assist students with usage, but also to assure that proper personnel are accessing the systems, that the systems are not being misused, and that systems are not being damaged or stolen. 

·         Physical/Access Security:  The student laboratories are implemented for the sole usage of current students of Lewis-Clark State College.  Only students presenting a valid/current Student ID to the lab monitor will be allowed access to and usage of the systems.  Upon access to the labs:

    • The student must present their Student ID to the lab monitor. 
    • The Lab monitor maintains the ID and places it on the computer assignment board, identifying the system assigned to the student to use.
    • Upon leaving the lab, the ID card is returned to the student.

 

The Student Laboratory in the Sam Glenn Building (SGC-B127) also has electronic surveillance.  Refer to the section on overall IT Physical Security for information on this topic.

 

·         Data Security:  Student data at LCSC is not maintained on a central file server.  All systems accessible by students are equipped with a Zip Drive.  Students are notified to save all their information on a Zip Disk for security, backup, and easy access when off campus.

 

10.0      CENTRAL COMPUTER AND IT FACILITY PHYSICAL SECURITY:

 

·         FACILITY SECURITY AND MONITORING:  Physical Security of key Information Technology Facilities is critical to assuring continued reliable service to IT customers, and for the protection of expensive and critical IT components.  Various levels of physical security exist depending on the facility need.  Security requirements for various facilities are as follows:

 

o        Electronic Monitoring: Electronic monitoring will be in place in the following locations, at a minimum.  Additional IT locations may be electronically monitored, as determined:

§         SGC-B106:       Foyer/Conference Room for IT Programmer/Analysts and Central Computer Facility

§         SGC-B106A:    Central Computer Facility

§         SGC-B101:       Desktop/Network Technician Center

§         SGC-B127:       Student Laboratory

 

o        Code Key Entrance Systems:  The following locations, at a minimum, will be equipped with Code Key entrance locks.  Additional IT locations may be equipped with Code Key systems, as determined necessary:

§         SGC-B106:       Foyer/Conference Room for IT Programmer/Analysts and Central Computer Facility

§         SGC-B106A:    Central Computer Facility

§         SGC-B101:       Desktop/Network Technician Center

§         SGC-B102:       Information Technology HelpDesk, and Network & Client Services Office

§         SGC-B126:       Student/Instructional Laboratory

§         SGC-B127:       Student Laboratory

 

Codes are assigned to specific individuals, so there is not a single code that is available to all users.  As a result, code changes/deletions are considered to only be necessary under the following circumstances:

§         An individual believes or it is determined that their code has been compromised.  Their code will be changed.

§         An individual leaves the college, or takes a new position within the college that no longer warrants access to these locations.  Their code will be removed and a new code will not be assigned.  Notification of personnel leaving the college, and the removal of their code, is handled via the User Access and Account Management Process.

 

o        Key Access:  Most offices and remaining IT Facilities which do not have Code Key Systems are required to have key access.  These facilities include, but are not limited to the following:

§         IT Offices

§         Network Communication Closets and related rooms.

§         Telecommunications Switch Room

 

Authorization:  Only the CTO and Director of Information Technology may grant authorization for any individual at LCSC to have access to any of these IT facilities.  Physical production and management of keys is handled by the Lewis-Clark State College Security Department, which will only provide keys to individuals upon written authorization from the IT Director.

 

11.0      VIRUS PROTECTION:  Protection of Lewis-Clark State College’s critical applications, data, and systems from viruses is a critical component of security at the college.  The Information Technology (IT) Department is assigned the responsibility to assure that adequate tools and technology are in place to minimize the potential for any damage resulting from a virus.  Individuals on the campus all have responsibilities to assist in minimizing this risk:

 

  • VIRUS PROTECTION SOFTWARE:
    • Servers and Desktops:  Network Associates’ McAfee Antivirus Software
    • Microsoft Exchange Server:  GroupShield

 

  • SCANNING FREQUENCY:
    • Desktop Computers:  Desktop computers are scanned completely three times each week (Monday, Wednesday, and Friday) at approximately 12PM. 
      • Users are not allowed to have the ability to terminate/disable the Virus Scanning.

 

    • Servers:  Data on servers is scanned under 2 different scenarios.
      • On Access Scan:  This scanning runs constantly on all servers, and scans documents as they are accessed or loaded on a server.
      • On Demand Scan:  This scanning is accomplished on a set schedule at 4AM daily, where the entire contents of the server are scanned.

 

    • Email and Internet Virus Protection:
      • Email:  All incoming and outgoing email for the Exchange Email Server is scanned using GroupShield.
      • Internet Downloads:  All Internet downloads to client computers are scanned via “On-Access”.
      • Internet Mail:  All Internet mail (regardless of destination within LCSC) is scanned using McAfee’s Unix Antivirus Software.

 

    • Virus Definition Updates:  With the continual proliferation of new viruses, maintaining a current and accurate account of all viruses with potential impact to LCSC is critical.  Virus definitions are maintained as follows:
      • A daily script downloads all new definitions from ftp.nai.com to a shared directory on Redwood (server) at LCSC.
      • Client/Desktop systems update their anti-virus definitions to the new information on Redwood as necessary.
      • McAfee’s Unix antivirus updates from ftp.nai.com directly. 

 

12.0            DATA CONFIDENTIALITY

 

FAMILY EDUCATIONAL RIGHTS AND PRIVACY ACT (FERPA):

 

  • All systems containing student information will comply with all requirements of the Family Educational Rights and Privacy Act.  Prior to accessing any system that contains information governed by this act, users will receive the following notification:

 

You are accessing student information that is protected by Federal Privacy Law.  Disclosure is allowed to school personnel with a legitimate educational interest in the student.  Information regarding any person’s record should be released to a third party ONLY by the Office of the Registrar.  If there is an emergency need to contact a student, do not give the student’s location on campus or address/telephone information.  Please call the Registrar at extension 2875.

 

  • All student information governed by FERPA that is to be transmitted via an unsecured network link, such as the Internet, will be encrypted in a manner that complies with FERPA guidelines.

 

GRAMM-LEACH-BLILEY ACT (GLBA):

 

  • The GLBA requires that all institutions dealing with individual financial information protect the confidentiality of, and access to, this information to safeguard it from inappropriate access.  While the Act clearly states that colleges and universities are deemed to be in compliance with privacy provisions of the act if they are in compliance with FERPA, these higher educational institutions are still subject to the requirements of the Act dealing with administrative, technical, and physical safeguarding of customer information.

 

  • Lewis-Clark State College’s Information Technology Department has processes, procedures, and technology in place to safeguard against unauthorized access to customer and employee financial information.  The IT Department is deemed to be in compliance with the requirements of the GLB Act based on the content and execution of the IT Security Policy and Guidelines document.

 

13.0            ACCESS TO RESTRICTED INFORMATION:  The Information Technology (IT) Department at Lewis-Clark State College employs staff and student workers (Irregular Help).  Many of these employees have access to information and data stored on desktop computers, file servers, and other systems such as the college’s Datatel Colleague application.  Many employees also have access to passwords and other information which could allow them access to confidential information.

 

These employees have access to sensitive and restricted information, including student, staff, and faculty passwords; personal information; and other information ranging from financial to academic records.  Much of this information is restricted by the Family Educational Rights and Privacy Act (FERPA) and the Gramm-Leach-Bliley Act (GLBA) as identified in Section 12.0.

 

Employees are instructed that information is only to be accessed as required in the accomplishment of their assigned duties, and that no information is to be accessed unless it is absolutely necessary.  In addition, no information accessed and viewed is to be disclosed to anyone other than those individuals that have a definite need to know with regard to the IT work being undertaken.  Any information that must be produced in hardcopy is to be destroyed by shredding so that it is not available for public viewing.

 

In addition, all staff and irregular help with access to confidential information or data are required to sign the IT Confidentiality Agreement, stating that they understand the security and confidentiality implications of their position.  The IT Confidentiality Agreement form is available online and a hardcopy of the document is included as Appendix A.  Signed copies are maintained at the IT Main Office with the IT Administrative Assistant. 

 

14.0            DATA BACKUPS AND RECOVERY:  Backing up all critical information at Lewis-Clark State College is an important component of data security, and in assuring that any negative impact is minimized in the event of a system failure, or a major disaster affecting IT.  As a result, the following guidelines are implemented:

 

  • Desktop Computers:  Information stored on desktop computers is not automatically backed up by the Information Technology Department.  All LCSC Staff and Faculty are highly encouraged to follow one or more of the following recommendations to maximize the security and integrity of data stored on their desktops:

 

    • Personal File Server Storage:  Users are encouraged to store information on one of the Lewis-Clark State College File Servers/Directories available for personal, departmental, or project use.  Requests for File Server storage should be submitted to the IT HelpDesk. 
    • Zip Drive, Tape Drive or CD-RW:  Users who do not store information on a file server, or who do but desire an additional level of data security/integrity, are encouraged to utilize a Zip Drive, Personal Tape System, or a CD-RW Drive to personally back up information stored on their desktop.  It is important to assure that this information is well documented and stored in an area remote from the physical computer that was backed up.

 

  • Central File and Application Servers:        Central File and Application Servers at LCSC are backed up nightly (Monday – Friday).  Tapes are removed from the Central Computer Facility daily and stored offsite in one of the following locations:

 

    • Daily Backups:  Stored in LCSC Controller Vault, Administration Building
    • Weekly Backups:  Stored in LCSC Controller Vault, Administration Building
    • Monthly Backups:  Stored at Wells Fargo (1st Security) Bank, 10th and Thain, Lewiston, ID
    • Yearly Backups:  Stored in LCSC Controller Vault, Administration Building

 

NOTE:  Daily backups for the Datatel Colleague application/system are removed the same day and stored as noted above. Daily backups for non-Datatel Colleague systems are stored in the Data Center Fireproof Safe for one night, before being transferred to the locations noted above. 

 

Retention Periods:  Backed-up information from the LCSC servers is retained for the following periods, after which tapes are recycled and reused.

 

·         Daily Backups:                    3 days

·         Weekly Backups:                3 weeks

·         Monthly Backups:            &n