
Information Technology Handbook

5.1 USG Information Security Program

Version date: February 22, 2013

Section 11.3 of the BoR Policy Manual charges USG Information Security & ePrivacy within Information Technology Services (ITS) with the responsibility and authority to:

  1. Create, issue, and maintain standards and guidelines;
  2. Direct USG institutions, the USO, and the GPLS to effectively manage security, privacy and risk;
  3. Advise and consult with USG institutions, the USO, and the GPLS on security issues; and,
  4. Ensure that USG institutions, the USO, and the GPLS are in compliance with the requirements specified in the BoR Policy Manual, and local, state, and federal laws, codes, and/or regulations.

Based on this direction, the USG chief information security officer (CISO) shall develop and maintain an information security organization and architecture for support of information security across the USG and support of activities between participant organizations. He/she shall maintain information security implementation guidelines that the USO, all USG institutions, and the GPLS should consider in the development of their individual information security plans.

Specific guidelines for interpretation and administration of this policy are given in the USG Appropriate Use Policy (AUP) and the USG AUP Interpretation and Administration Guideline. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.

5.1.1 Institution, USO, and GPLS Responsibilities

Each USG institution, the USO, and the GPLS must provide for the proper use and protection of its information assets. Accordingly, each USG institution, the USO, and the GPLS must:

  1. Build an information security program;
  2. Assign management responsibilities for the information security program, including the appointment of an information security officer (ISO), as noted in Section 5.2 of this Handbook;
  3. Develop and maintain a computer/data incident management component as noted in Section 5.4 of this Handbook;
  4. Develop and maintain an information security and privacy policy and compliance management process;
  5. Build, test, and maintain a Continuity of Operations Plan (C.O.O.P.) including:
    • Backup and Recovery Plan
    • Incident Management Plan
      • Note: It is our future intention to require that the C.O.O.P. include a Disaster Recovery Plan and a Business Continuity Plan.
  6. Establish and maintain an information technology and information security risk management program, including a risk assessment, analysis, planning, mitigation, and monitoring process as noted in Sections 5.5 and 6.0 of this Handbook;
  7. Maintain an annual information security awareness and training component for all employees and contractors, as noted in Section 5.6 of this Handbook; and,
  8. Comply with USG reporting requirements, as noted in Section 5.7 of this Handbook.



5.1.2 USG Appropriate Use Policy (AUP)

This section establishes a USG-wide policy regarding appropriate use of USG information technology (IT) resources.

5.1.2.1 Policy Statement

It is USG policy to provide an environment that encourages the free exchange of ideas and sharing of information. Access to this environment and the USG’s IT resources is a privilege and must be treated with the highest standard of ethics.

The USG expects all institutions and their users to use IT resources in a responsible manner, respecting the public trust through which these resources have been provided, the rights and privacy of others, the integrity of facilities and controls, state and federal laws, and USG policies and standards. USG institutions, the USO, and the GPLS may develop policies, standards, and guidelines based on their specific needs that supplement, but do not lessen, the intent of this policy.

This policy outlines the standards for appropriate use of USG IT resources, which include, but are not limited to, equipment, software, networks, data, and telephones whether owned, leased, or otherwise provided by USG organizations.

This policy applies to all users of USG IT resources including faculty, staff, students, guests, external organizations and individuals accessing network services, such as the Internet via USG resources.

5.1.2.2 Standard

Preserving the access to information resources is a system-wide effort that requires each institution to act responsibly and guard against abuses. Therefore, the USG as a whole, each individual institution, and its users have an obligation to abide by the following standards of appropriate and ethical use:

  • Use only those IT resources for which you have authorization
  • Protect the access and integrity of IT resources
  • Abide by applicable local, state, and federal laws and university policies, and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted material
  • Use IT resources only for their intended purpose
  • Respect the privacy and personal rights of others
  • Do no harm

Failure to comply with the appropriate use of these resources threatens the atmosphere for the sharing of information, the free exchange of ideas, and the secure environment for creating and maintaining information property, and subjects one to discipline. Any user of any USG system found using IT resources for unethical and/or inappropriate practices has violated this policy and is subject to disciplinary proceedings including suspension of system privileges, expulsion from school, termination of employment and/or legal action as may be appropriate. Although all members of the USG have an expectation of privacy, if a user is suspected of violating this policy, his or her right to privacy may be superseded by the USG’s requirement to protect the integrity of IT resources, the rights of all users, and the property of the USG and the state. The USG thus reserves the right to examine material stored on or transmitted through its resources if there is cause to believe that the standards for appropriate use are being violated by a participant organization, user, or a trespasser onto its systems or networks.

Specific guidelines for interpretation and administration of this policy are given in the USG AUP Interpretation and Administration Guidelines below. These guidelines contain more specific examples of offenses, and procedures for dealing with incidents.



5.1.3 USG AUP Interpretation and Administration Guidelines

5.1.3.1 Guidelines for Interpretation & Administration of the USG Appropriate Use Policy for Information Technology (IT) Resources

These guidelines are meant to assist the USG institutions, the USO, and the GPLS in the interpretation and administration of the USG Appropriate Use Policy (AUP). The guidelines outline the responsibilities each participant organization and its users accept when using USG’s computing and IT resources. This is put forth as a minimum set of standards for all areas of the USG and may be supplemented with specific organization-level guidelines. However, such additional guidelines must be consistent with this document and cannot supersede this document. These guidelines include the use of information systems and resources, computers, telephones, Internet access, electronic mail (email), voice mail, reproduction equipment, facsimile systems, and other forms of electronic communications.

5.1.3.2 User Responsibilities

Use of USG IT resources is granted based on acceptance of the following specific responsibilities:

Use only those computing and IT resources for which you have authorization.
For example, it is a violation:

  • To use resources you have not been specifically authorized to use
  • To use someone else’s account and password or share your account and password with someone else
  • To access files, data, or processes without authorization
  • To purposely look for or exploit security flaws to gain system or data access

Protect the access and integrity of computing and IT resources.
For example, it is a violation:

  • To use excessive bandwidth
  • To release a virus or a worm that damages or harms a system or network
  • To prevent others from accessing an authorized service
  • To send email that may cause problems and disrupt service for other users
  • To attempt to deliberately degrade performance or deny service
  • To corrupt or misuse information
  • To alter or destroy information without authorization

Abide by applicable laws and USG policies and respect the copyrights and intellectual property rights of others, including the legal use of copyrighted software.
For example, it is a violation:

  • To download, use or distribute copyrighted materials, including pirated software or music or videos or games
  • To make more copies of licensed software than the license allows
  • To operate and participate in pyramid schemes
  • To upload, download, distribute, or possess pornography
  • To upload, download, distribute, or possess child pornography

Use computing and IT resources only for the intended purposes.
For example, it is a violation:

  • To use computing or network resources for advertising or other commercial purposes
  • To distribute copyrighted materials without express permission of the copyright holder
  • To send forged email
  • To misuse Internet Relay Chat (IRC) software to allow users to hide their identity, or to interfere with other systems or users
  • To send terrorist threats or “hoax messages”
  • To send chain letters
  • To intercept or monitor any network communications not intended for you
  • To attempt to circumvent security mechanisms
  • To use privileged access for other than official duties
  • To use former privileges after graduation, transfer or termination, except as stipulated by the USG Institution

Respect the privacy and personal rights of others.
For example, it is a violation:

  • To use electronic resources for harassing or stalking other individuals
  • To tap a phone line or run a network sniffer or vulnerability scanner without authorization
  • To access or attempt to access other individuals’ passwords or data without explicit authorization
  • To access or copy another user’s electronic mail, data, programs, or other files without permission
  • To disclose information about students in violation of USG Guidelines

5.1.3.3 System and Network Administrator Responsibilities

System Administrators and providers of USG computing and IT resources have the additional responsibility of ensuring the confidentiality, integrity, and availability of the resources they are managing. Persons in these positions are granted significant trust to use their privileges appropriately for their intended purpose and only when required to maintain the system. Any private information seen in carrying out these duties must be treated in the strictest confidence, unless it relates to a violation or the security of the system.

5.1.3.4 Security Caveat

Be aware that although computing and IT providers throughout the USG are charged with preserving the integrity and security of resources, security sometimes can be breached through actions beyond their control. Users are therefore urged to take appropriate precautions such as:

  • Safeguarding their account and password
  • Taking full advantage of file security mechanisms
  • Backing up critical data on a regular basis
  • Promptly reporting any misuse or violations of the policy
  • Using virus scanning software with current updates
  • Using personal firewall protection
  • Installing security patches in a timely manner

5.1.3.5 Violations

Every user of USG IT resources has an obligation to report suspected violations of the above guidelines or of the Appropriate Use Policy for Computing and IT Resources. Reports should be directed to the institution, unit, center, office, division, department, school, or administrative area responsible for the particular system involved.
