Georgia Southern University

Information Technology
Security Standards and Guidelines

General Responsibilities

All authorized users have an interest in the security and stability of the computer resources at Georgia Southern University, and share in the responsibility for protection of those resources, prevention of problems, and incident detection and response. Users must take responsibility for securing their own resources, engage in practices to maintain a secure and stable environment, and respond appropriately to threats against those resources as described in this and related documents.

Security Standards

Security standards are mandatory measures that shall be adhered to by authorized users of Georgia Southern University computer resources.

Prohibited Actions:

The following actions jeopardize a secure computing environment and are expressly prohibited.

  1. No device shall be physically connected to the University network without prior approval of the Assistant Director, Network Services/Information Technology Services, or his designee.
    1. Workstations: Approval for workstation connection must be obtained as part of the standard workstation installation process handled by Information Technology Services, or authorized departmental technical personnel.
    2. Other devices (including, but not limited to, network components such as hubs, switches, access points, servers, wireless and other communication devices): Approval to connect devices other than workstations must be expressly obtained from Information Technology Services/Network Services.
    3. Vendors/visitors can obtain a physical connection to the University network through Information Technology Services on a per-visit basis. This access will be granted for a specific period of time.

Required Actions:

Authorized users of Georgia Southern University computing resources shall perform the following actions to promote a safe and secure computing environment.

  1. Virus protection software and practices must be employed.
    1. Each workstation running a Windows or Macintosh operating system that is directly attached to the University network must be loaded with University-authorized virus protection software.
      1. Virus protection software and virus definitions must be kept current at least every two weeks.
      2. In the event of a virus attack, instructions from IT Services or your departmental technical representative must be followed for updating virus protection software and/or files.
      3. Virus scans must be performed.
    2. Each Unix- or Linux-based workstation must be updated at least monthly with operating system patches. If known security problems require patches, these must be applied immediately.
    3. Alternatively, a department may come up with its own written virus protection plans that must be approved by IT Services.

  2. Operating systems and application software must be kept updated with security patches to a current level.

    1. Each personal workstation running a Windows-based or Macintosh operating system must have operating system updates applied as instructed by Information Technology Services.
    2. Each Unix, Linux, Novell, Windows NT or Windows 2000 server must be updated at least monthly with security patches. In the case of a specific threat, patches must be applied immediately.
  3. For security of University and State records, all computers changing ownership shall have their hard drives formatted to remove any information from the previous owner.
  4. Wireless access must utilize encrypted methods requiring authentication.

Physical Security:

Only those individuals specifically authorized by the administrator of each of the listed resources shall have access to those resources:

  1. backup tapes and other media;
  2. servers;
  3. wiring closets, communication access points and networking devices (restricted to personnel authorized for access by Information Technology Services); and
  4. workstation data (individual authorized users of the workstation).

Password Security:

Passwords are often the critical key to accessing data and computing resources. Where other attempts at security have failed, the password is often the last barrier to unauthorized access. As such, passwords shall be maintained by each user to be an effective prevention mechanism against unauthorized access. The following standards apply.

  1. Passwords to any computing resource shall only be issued to authorized users. Password recipients are responsible for the integrity of their password and shall not distribute it to unauthorized users.
  2. Every account must have a password.
  3. Passwords must have a minimum of six (6) characters, and include a combination of letters and other characters.
  4. Passwords may not be shared or given to others (exceptions listed in Accounts section).
  5. Passwords must not be posted or displayed.
  6. Server-based passwords must be changed periodically.
  7. Change passwords from their default values (especially networking devices and application servers).

Accounts (excluded from password sharing standard #4 above):

The following exceptions to the password standard allow password sharing among a very limited group of individuals in select circumstances.

  1. General or group accounts: requesting supervisor is responsible for actions taken with account.
  2. Privileged accounts: the number of privileged accounts, as determined by the administrator of the machine in question, should be kept to a minimum; the password to a privileged account should only be provided to those personnel who require it.
  3. Accounts for students, or temporary or adjunct personnel, must be reviewed each semester for appropriate action (e.g. immediate termination of the account if the individual is no longer an authorized user as defined by the Computer Use Policies).

Security Guidelines

Security guidelines are recommended "best" practices that should be adhered to by authorized users of Georgia Southern University computer resources.

Accounts:

Definition and use of generic accounts and shared accounts should be restricted as much as possible. Only those functions needed by the user should be made available through such accounts.

Servers:

  1. run a file integrity checker such as Tripwire daily
  2. eliminate unused services; TCP Wrappers should be used to limit and monitor services that cannot be turned off
  3. a blueprint of ports on each machine should be created, maintained and periodically verified
  4. SSH should be used for server connections instead of Telnet and FTP
  5. SSL should be implemented on Web servers
  6. server administrators should subscribe to and read the SANS security mailing lists and the security-first lists of their machine makers (vendors)
  7. a password guessing program should be used against all user accounts periodically
  8. service-providing programs should not be run as root (Solaris)
  9. run anti-virus where appropriate
  10. run intrusion detection system where appropriate
  11. install firewall system where appropriate
  12. production change implementation methods should be documented and followed
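The first server guideline above (a daily file integrity check in the style of Tripwire) can be illustrated with a small baseline-and-verify tool. This is an added example written for this page, not Tripwire and not any University tool; the JSON baseline format, the monitored directory and the tampering scenario are all constructed here for illustration:

```python
import hashlib
import json
import os
import stat
import tempfile
from pathlib import Path

# Hypothetical baseline layout used only by this example:
#   {relative_path: {"sha256": hex digest, "mode": permission bits, "size": bytes}}


def file_record(path: Path) -> dict:
    """Hash a file in chunks and record the metadata an integrity check cares about."""
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    st = path.stat()
    return {"sha256": digest.hexdigest(), "mode": stat.S_IMODE(st.st_mode), "size": st.st_size}


def build_baseline(root: Path) -> dict:
    """Walk the monitored tree and record every regular file (symlinks are skipped)."""
    baseline = {}
    for p in sorted(root.rglob("*")):
        if p.is_file() and not p.is_symlink():
            baseline[str(p.relative_to(root))] = file_record(p)
    return baseline


def verify(root: Path, baseline: dict) -> dict:
    """Compare the tree against the baseline; return added, removed and modified paths."""
    current = build_baseline(root)
    added = sorted(set(current) - set(baseline))
    removed = sorted(set(baseline) - set(current))
    modified = sorted(p for p in set(current) & set(baseline) if current[p] != baseline[p])
    return {"added": added, "removed": removed, "modified": modified}


def save_baseline(baseline: dict, dest: Path) -> None:
    # The baseline must be kept where an intruder with root on the host cannot rewrite it
    # (read-only media or a remote host); otherwise it can be regenerated to hide changes.
    dest.write_text(json.dumps(baseline, indent=2, sort_keys=True))


def load_baseline(src: Path) -> dict:
    return json.loads(src.read_text())


def demo() -> dict:
    """Constructed scenario: baseline a small tree, tamper with it, run the daily check."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp) / "etc"
        (root / "init.d").mkdir(parents=True)
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "inetd.conf").write_text("# telnet disabled\n")
        (root / "init.d" / "sshd").write_text("#!/bin/sh\nexec /usr/sbin/sshd\n")
        store = Path(tmp) / "baseline.json"
        save_baseline(build_baseline(root), store)

        # Simulated tampering: a uid-0 account appended, an unknown binary dropped,
        # the sshd start script made setuid, and a configuration file deleted.
        (root / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\nbackdoor:x:0:0::/:/bin/sh\n")
        (root / "rootshell").write_bytes(b"\x7fELF")
        os.chmod(root / "init.d" / "sshd", 0o4755)
        (root / "inetd.conf").unlink()

        return verify(root, load_baseline(store))


if __name__ == "__main__":
    print(json.dumps(demo(), indent=2))
```

In production the baseline would be generated once from a freshly installed host, stored off the machine, and the verify step scheduled daily from cron with its report mailed to the administrator; any entry in the modified or added lists that does not correspond to a documented production change (guideline 12) is an incident to investigate.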

Passwords:

  1. should be changed every 60 to 90 days, without reusing previous passwords, on all workstations and servers
  2. should not use any words found in dictionary of any language
  3. should not use any combination of letters of a user's real name, username, initials or nickname
  4. should not use any combination of a famous person's name
  5. should not use any combination of a spouse's, girlfriend's, boyfriend's, or child's name
  6. should not use any personalized numbers (SSN, driver's license, etc.)
  7. should not use all digits or all of same letter
  8. should use at least six characters
  9. should use mixed case throughout, not just the first character
  10. should use a password that can be typed quickly (so it is harder to read over your shoulder)
  11. should use special characters
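The checkable rules from the password standard (minimum six characters, letters combined with other characters) and the password guidelines above can be encoded as a screening function that a help desk or account-creation script runs against a candidate password. The following is an added example for this page, not a University tool; the word lists, the example user record and the rule wording are constructed here, and a real deployment would load the system dictionary and a cracking wordlist instead of the few words shown:

```python
import re

# Constructed stand-ins for the dictionary and famous-name lists the guidelines refer to.
DICTIONARY = {"password", "welcome", "eagle", "football", "summer", "letmein"}
FAMOUS_NAMES = {"einstein", "madonna", "elvis", "lincoln"}
MIN_LENGTH = 6

# Constructed user record: the personal data the guidelines say must not appear in a password.
EXAMPLE_USER = {
    "name": "Jane Doe",
    "username": "jdoe",
    "nickname": "JD",
    "relatives": ["Tom"],
    "numbers": ["123456789"],  # SSN, driver's licence, etc.
}


def _name_tokens(values) -> set:
    """Lowercase name fragments of three or more letters drawn from the user's record."""
    tokens = set()
    for value in values:
        for part in re.findall(r"[A-Za-z]+", value):
            if len(part) >= 3:
                tokens.add(part.lower())
    return tokens


def check_password(pw: str, user: dict) -> list:
    """Return the guideline rules the candidate violates; an empty list means it passes."""
    low = pw.lower()
    problems = []
    if len(pw) < MIN_LENGTH:
        problems.append(f"fewer than {MIN_LENGTH} characters")
    if pw.isdigit():
        problems.append("all digits")
    if len(set(pw)) == 1:
        problems.append("all the same character")
    if not any(c.isalpha() for c in pw) or not any(not c.isalpha() for c in pw):
        problems.append("letters must be combined with other characters")
    uppers = [i for i, c in enumerate(pw) if c.isupper()]
    if not uppers or not any(c.islower() for c in pw) or uppers == [0]:
        problems.append("mixed case throughout, not just the first character")
    if not re.search(r"[^A-Za-z0-9]", pw):
        problems.append("no special characters")
    letters_only = re.sub(r"[^a-z]", "", low)
    # Catch both "eagle" dressed up with digits and a word embedded in a longer string.
    if letters_only in DICTIONARY or any(w in low for w in DICTIONARY if len(w) >= 4):
        problems.append("contains a dictionary word")
    if any(n in low for n in FAMOUS_NAMES):
        problems.append("contains a famous person's name")
    personal = _name_tokens(
        [user.get("name", ""), user.get("username", ""), user.get("nickname", "")]
        + list(user.get("relatives", []))
    )
    if any(t in low for t in personal):
        problems.append("derived from the user's or a relative's name")
    if any(num and num in pw for num in user.get("numbers", [])):
        problems.append("contains a personal number (SSN, licence, etc.)")
    return problems


if __name__ == "__main__":
    for candidate in ["Eagle2002!", "jDoe1!", "123456", "tR4v!lxQ9"]:
        print(candidate, "->", check_password(candidate, EXAMPLE_USER) or "OK")
```

The check is a screen for the rules written on this page, not a strength estimator: a password that passes it can still be weak, which is why guideline 7 for servers (periodically running a password-guessing program against all accounts) remains necessary.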

Workstations:

  1. Turn off workstations overnight
  2. Implement periodic backups
  3. Store sensitive data in a secure area
  4. Logging:
    1. should be enabled to record:
      1. successful and unsuccessful login attempts.
      2. system and application errors.
    2. should be stored remotely
    3. should be backed up regularly
  5. Enable a screensaver password when away from your workstation
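The logging guideline above asks that successful and unsuccessful login attempts be recorded and the logs stored remotely; the point of collecting them is to notice guessing attacks and a guessed password being used. The following is an added example of that review step, not part of the original page or of any University tool: it parses syslog-format sshd lines of the kind a remote log host receives and flags a source with repeated failures and a success that follows them. The log lines are constructed for this example (RFC 5737 documentation addresses), as is the failure threshold:

```python
import re
from collections import defaultdict

# Constructed sample lines in OpenSSH/syslog format; not taken from any real system.
SAMPLE_LOG = """\
Sep 12 02:14:01 ws17 sshd[4411]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Sep 12 02:14:03 ws17 sshd[4411]: Failed password for invalid user admin from 203.0.113.9 port 51022 ssh2
Sep 12 02:14:05 ws17 sshd[4413]: Failed password for root from 203.0.113.9 port 51030 ssh2
Sep 12 02:14:08 ws17 sshd[4415]: Failed password for root from 203.0.113.9 port 51031 ssh2
Sep 12 02:14:09 ws17 sshd[4417]: Failed password for root from 203.0.113.9 port 51032 ssh2
Sep 12 02:14:15 ws17 sshd[4419]: Accepted password for root from 203.0.113.9 port 51040 ssh2
Sep 12 08:02:11 ws17 sshd[5101]: Failed password for jdoe from 198.51.100.22 port 40110 ssh2
Sep 12 08:02:20 ws17 sshd[5103]: Accepted publickey for jdoe from 198.51.100.22 port 40112 ssh2
Sep 12 09:30:00 ws17 kernel: EXT4-fs error (device sda1): ext4_find_entry: reading directory lblock 0
"""

# Matches the Accepted/Failed lines sshd writes for password and public-key logins.
LOGIN_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) (?P<method>\w+) for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)


def parse_logins(text: str) -> list:
    """Extract login events; lines that are not sshd login records (e.g. kernel errors) are skipped."""
    events = []
    for line in text.splitlines():
        m = LOGIN_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def detect(events: list, threshold: int = 3) -> list:
    """Flag a source once it reaches `threshold` failures, and any later success from that source.

    The second alert is the important one: a login that succeeds right after a run of
    failures from the same address is the signature of a guessed password."""
    failures = defaultdict(int)
    alerts = []
    for e in events:
        src = e["src"]
        if e["result"] == "Failed":
            failures[src] += 1
            if failures[src] == threshold:
                alerts.append(f"{e['ts']} {threshold}+ failed logins from {src} (latest target: {e['user']})")
        elif failures[src] >= threshold:
            alerts.append(
                f"{e['ts']} successful {e['method']} login for {e['user']} from {src} "
                f"after {failures[src]} failures"
            )
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_logins(SAMPLE_LOG)):
        print("ALERT:", alert)
```

Run against the constructed sample this raises two alerts, both for 203.0.113.9, and stays silent for the user who mistyped a password once before logging in with a key. Because the script reads the text rather than the workstation's own log files, it works unchanged on the remote copy the guideline asks for, which is also the copy an intruder who has gained control of the workstation cannot edit.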
Last updated 9/12/02.