Standards are the rules that govern the access, use and
protection of the Information Systems. The following chart indexes the
current Standards in practice at Georgia State University.
| Number | Title | Description |
| --- | --- | --- |
| 9.1 | Authorized Access to Information Systems (Accounts) | University accounts offered to faculty, staff, students and affiliates. |
| 9.2 | Authorized Access to University Information/Data | Viewing information relevant to, contained by or descriptive of, University business. |
| 9.3 | Appropriate Use | Acceptable and agreed upon use of the University computing resources. |
| 9.4 | University Access to User's Information/Privacy | Circumstances under which the University has jurisdiction to access individuals' accounts. |
| 9.5 | Denial of Service | Circumstances under which the University may legitimately deactivate an individual's account. |
| 9.6 | E-mail | Appropriate and agreed upon use of the University E-mail system. |
| 9.7 | Userids and Passwords (Authentication Methods) | Proper use of userids and passwords, and choosing effective passwords. |
| 9.8 | Security | Maintaining the physical and informational security of the University computing environment and resources. |
| 9.9 | Remote Access | Using University computing resources from an off-campus location. |
| 9.10 | Web Pages | Publishing on the University's web servers. |
| 9.11 | Wireless Access | Accessing University computing resources using a wireless connection. |
Standard 9.1: Authorized Access to Information Systems (Accounts)

Authorized Access to the University's Information Systems is the granting of authority to approach, enter, make use of, and exit the University's Information Systems. Access is accomplished via an account, which is a record kept by operating systems for each authorized User of the Information Systems for the purpose of identification, administration and security. Users are required to obtain proper authorization (accounts) prior to accessing the University's Information Systems.

Guidelines establishing eligibility to receive authorized access:

a) Every University employee, or student eligible to register, may be granted access to University Information Systems.
b) Users shall not be granted access in excess of the level required to perform their job responsibilities.
c) Individuals providing services to the University may, with the appropriate authorization, be granted access to University Information Systems.
d) Users shall not misrepresent their identity or relationship to the University when accessing the Information Systems.
e) Users shall not access Information Systems that they are not authorized to access.
Procedures
Standard 9.2: Authorized Access to University Information/Data

Authorized Access to University Information/Data is a User's right, with the University's permission, to approach, enter, make use of, and exit the information or data stored on the University's Information Systems. Users are granted permission to access only that data on the University's Information Systems that they are authorized to access. Users are prohibited from accessing or attempting to access data on Information Systems that they are not authorized to access.

Guidelines regarding access to data on Information Systems:

a) Users must not defeat or attempt to defeat any Information System's security.
b) Users must not misrepresent their identity or relationship to the University when obtaining or using data on Information Systems.
c) Users, without appropriate authorization, shall not read, modify or delete data on the Information Systems.
d) Users shall not store confidential data on Information Systems without properly securing it.
Procedures
Standard 9.3: Appropriate Use

Appropriate Use of Information Systems is that which supports the University's objectives of teaching, research and extension of knowledge to the public.

Guidelines for the appropriate use of Information Systems:

a) Users shall not provide network or computer-based services using University Information Systems without prior written approval and registration.
b) Users shall not use Information Systems for non-University business.
c) Users shall not use Information Systems to engage in harmful activities. Such activities include, but are not limited to, Internet Protocol (IP) spoofing, creating and/or propagating viruses, port scanning, disrupting services, damaging files, or intentional destruction of or damage to equipment, software, or data.
d) Users shall not impede, interfere with, impair, or otherwise cause harm to other Users' legitimate use of Information Systems.
e) Users shall not use Information Systems in such a way that violates local, state, or federal laws, including copyright laws.
f) Users shall be responsible for ascertaining that their use of Information Systems complies with all University policies.
g) Users shall not use Information Systems in such a way that violates the University's contractual obligations, including limitations defined in software and other licensing agreements.
h) Users shall not use the Information Systems to transmit communications that are fraudulent, defamatory, harassing, obscene, threatening, that unlawfully discriminate, or that are prohibited by law.
i) Users must comply with the regulations and policies of newsgroups, mailing lists, and other public forums through which they disseminate messages.
j) Users shall not perform security scanning, probing or monitoring services without appropriate permission.
Procedures
Standard 9.4: University Access to User's Information/Privacy

University Access to a User's Information Systems includes any access by the University to approach, enter, make use of, and exit the information stored on the University's Information Systems. To the extent permitted by law, the University seeks to preserve an individual's information or data from unsanctioned intrusion. Electronic and other technological methods must not be used to infringe upon a User's privacy.

Guidelines concerning access to Users' Information:

a) The University seeks to preserve individual privacy and does not routinely monitor individual usage; however, the University may, in accordance with state and federal laws, access and monitor all Information Systems when:
i) the User has voluntarily made them accessible to the public;
ii) it reasonably appears necessary to do so to protect the integrity, security, or functionality of the University or to protect the University from liability;
iii) it is necessary for the normal operation and maintenance of the Information Systems, or to identify or diagnose systems or security vulnerabilities and problems;
iv) there are reasonable grounds to believe that a violation of law or a significant breach of University policy may have occurred;
v) an account appears to be engaged in unusual or unusually excessive activity, as indicated by the monitoring of general activity and usage patterns; or
vi) it is required by federal, state, or local law or administrative rules.
Any such access, other than what is made accessible by the User, required by law, or necessary to respond to emergency situations, must be authorized in advance by the Provost, Associate Provost for Information Systems and Technology, and the Office of Legal Affairs. Depending on the circumstances, the University will make a reasonable attempt to notify the User of any such action.
b) Users understand that by attaching personal computers to the University Information Systems, they consent to the University's monitoring of Information Systems for maintenance and security purposes.
Procedures
Standard 9.5: Denial of Service

Denial of Service refers to the legitimate deactivation of an individual's account. The University may deny a User access to Information Systems when necessary.

Guidelines concerning Denial of Service:

a) The University may temporarily suspend, block, or restrict a User from accessing Information Systems, whether or not the User is suspected of a violation of this policy, when such action is necessary to preserve the integrity, security, or functionality of Information Systems. The University will make a reasonable attempt to notify the User of any such action.
b) The University may limit the use of Information Systems when such use interferes with the efficient operation of the Information Systems.
Procedures
Standard 9.6: E-mail

9.6.1 Access

E-mail is an enabling application that facilitates the distribution of administrative and instructional information within the campus and to external Users. All students, faculty and staff must be accessible through an e-mail address.

Guidelines concerning the use of e-mail:

a) E-mail messages and attachments stored on University Information Systems are subject to the Georgia Open Records Act.
b) Users must follow University guidelines and receive proper authorization before distributing information to the University community as a whole (mass mailings, or broadcast emails).
c) The University reserves the right to discard incoming mass mailings (spam), without notifying the sender or intended recipient.
d) Users are encouraged to use their best efforts to discard e-mail and related attachments within a reasonable time.
Procedures
Standard 9.7: Userids and Passwords (Authentication Methods)

A userid and password is one method (and the one most commonly recognized by the average user) of authentication. A userid is the name by which a person is known and addressed on the University's Information Systems. The password - used in conjunction with the userid - is a unique string of characters that a User types in as an identification code. Other recognized forms of authentication include, but are not limited to, smart cards, swipe cards, one-time passwords, digital signatures, and/or digital keys and biometrics. Users must have a valid method of authentication before they will be authorized to access the Information Systems.

Guidelines regarding the use of userids and passwords:

a) Users must not use accounts or passwords that they have not been authorized to use, or that have not been assigned to them.
b) Users shall not give passwords to unauthorized Users.
c) Users shall not share userids or passwords.
d) Users must effectively control the creation, use and maintenance of passwords in order to prevent unauthorized access and the destruction, modification or deletion of sensitive data.
e) Users are responsible for securing their passwords from inadvertent disclosure.
f) Users are responsible for any activity carried out under their accounts.
Procedures
Standard 9.8: Security

9.8.1 Physical Security

Physical Security refers to the protection from harm or loss of the pieces of equipment that constitute an Information Systems environment or personal workstation. Information Systems must be safeguarded in a way that minimizes the risk of abuse, theft, and destruction.

Guidelines regarding physical security:

a) Users must implement appropriate protection measures including physical barriers, environmental detection and protection, insurance, and/or other risk management techniques.
b) Users must not leave mobile computer systems unattended for extended periods of time, and shall utilize locking devices responsibly.
c) Users shall protect Information Systems by utilizing protective measures such as locked screens and password-protected screensavers.

9.8.2 Securing University Systems

Securing University Systems refers to the protection of a computer system and its data from harm or loss, particularly the prevention of access by unauthorized individuals. Users are responsible for properly securing their Information Systems.

Guidelines for securing University systems:

a) Users shall not knowingly defeat or attempt to defeat the security of Information Systems.
b) Users must take reasonable precautions in ensuring they do not disseminate viruses and malicious programs to other Users.
c) Users must install and maintain anti-virus software, including updating systems with vendor patches and security fixes.
d) Users must utilize firewalls when appropriate.
e) Users must configure University mail servers to prevent them from being used as third party mail relays.
f) Users are responsible for maintaining the security of their own Information Systems.
g) Users who are permitted to provide network or computer-based services are required to take reasonable precautions to ensure that Information Systems being used for this purpose are not compromised or used by unauthorized Users.
Procedures
Standard 9.9: Remote Access

Remote Access refers to the means of approaching, entering, making use of, and exiting the University's Information Systems from a location not in the immediate vicinity of the actual System. Users shall be permitted to remotely connect to the University's Information Systems for the purpose of conducting University-related business only through secure, authenticated and centrally approved access methods.

Guidelines concerning remote access:

a) Users must use a valid userid and password that has been activated specifically for remote access.
b) Users must acquire appropriate authorization before remotely accessing certain confidential information.
Procedures
Standard 9.10: Web Pages

A Web Page is a document on the World Wide Web. It resides in a particular directory on a particular machine, and is thus identifiable by a Universal Resource Locator (URL). Any recognized unit or organization of the University, as well as students, faculty and staff, may publish on the University's web servers, provided they follow the established application and development procedures.

Guidelines for web pages:

a) Users wishing to create a web page must obtain the appropriate authorization and follow the guidelines for creating web pages.
b) Users shall not use Web pages for profit or commercial purposes, unless expressly authorized.
c) Users are responsible for the content of the web pages they publish and are expected to abide by this Policy and the highest standards of quality and responsibility.
d) Incidental personal information posted on web pages is deemed acceptable as long as it does not interfere with the function of the Information Systems, cause disruption of normal services, incur significant cost to the University or result in excessive use of University resources.
Procedures
Standard 9.11: Wireless Access