Purpose of the Policy
The purpose of this policy is to ensure the security of administrative information that is processed, stored, maintained, or transmitted on computing systems and networks centrally managed by Azusa Pacific University, and to protect the confidentiality of that data. This policy is designed to protect data from unauthorized change, destruction, or disclosure, whether intentional or accidental.
This policy applies to any Information Technology (IT) employee, permanent or temporary, that has access to data (staff). It regulates the use of the systems, applications, and applies to all computer programs used to access data, as well as the computers and terminals that run the programs including workstations to which the data has been downloaded.
It is the responsibility of staff to protect data from unauthorized change, destruction or disclosure. This policy governs all IT maintained applications that provide access to data (systems), and defines the responsibilities of staff that maintain or use those systems. It should be noted that, in general, IT is not the Data Owner, but IT is the custodian of the data. It is the owner who has the authority to grant or revoke access to data or systems which use data.2 It is IT's responsibility to implement specific procedures which enforce access authority and establish guidelines and standards for systems and data security under this policy.
It is also IT's responsibility to establish and promulgate procedures for the dissemination of this policy. Each individual is responsible for carrying out his or her responsibilities under this policy.
Violations of this policy include, but are not limited to: accessing data or systems which the individual has no legitimate access to; enabling unauthorized individuals to access the data; disclosing data in a way which violates applicable policy, procedure or other relevant regulations or laws; or inappropriately modifying or destroying data. Violations may result in access revocation, corrective action up to and including dismissal, and/or civil or criminal prosecution under applicable law.
Definition of Terms
custodian of the Data – the entity or office that is delegated by the Data Owner the responsibility of performing management functions for the data.
data – administrative information that is processed, stored, maintained, or transmitted on computing systems and networks centrally managed by IT.
data owner – the entity or office that is authorized to collect and manage the data as official record3.
staff – any Information Technology (IT) employees (permanent or temporary) who have access to data.
systems – all IT maintained central administrative systems that provide access to data.
Appropriate system-specific standards should be created locally for each system (as defined above). There are at least four areas in which system standards must be defined: authorization to access, termination of computer access, safeguarding accounts and passwords, and user-identification and password standards. Standards in other areas may be added as appropriate for the individual systems.
Authorization to Access
Only those users who have valid business reasons (as determined by the Data Owner) for accessing computers, systems, or data will be granted access. Access privileges are normally determined by a person's job duties. Access is granted by means of a Network ID and password. Access is to be used only for the specific business purposes required to process the data.
Termination of Computer Access
When a user no longer works for the organization or assumes different job duties within the organization, it is the responsibility of their manager or supervisor to request that their user-id be deleted, at the latest, by the date of termination or transfer. If a transferred employee needs access in a new job, a new user-id must be obtained. User-ids will be terminated if they are not used for one fiscal year. Access to computer accounts may be suspended at any time if security violations or misuse are suspected. A user-id will be suspended when an incorrect password is entered five consecutive times.
Safeguarding Accounts and Passwords
Access to computer accounts must be protected, at minimum, by a user-identification (user-id) and password. It is the responsibility of the user to safeguard his/her user-id and password. A user-id is not to be shared; the password is not to be divulged to others.
User-Identification and Password Standards
A user-id and password must be required to access any system. A user-id must be at least six characters long. Passwords must be at least six characters long. Restrictions on password complexity are system dependent. Passwords must be changed at least once every 180 days.
Guidelines for Administrative Data Security
Application Security Administrator
Each application system shall have an Application Security Administrator designated by the Data Owner. This individual is responsible for authorizing access privileges to the application, for ensuring that employees who receive user-ids have proper authorization, and for monitoring Data access violations. All such authorizations and approvals must be in writing.
System Security Administrator
Each computer system shall have a designated System Security Administrator. This individual is responsible for creating user-ids with the associated access privileges granted by the appropriate Application Security Administrator, for maintaining an appropriate level of overall system security, and for monitoring the system for security violations. This individual shall also maintain records for all accounts including appropriate signatures and granting associated access privileges. Such records shall be maintained for two years after account termination.
Individual employees are responsible for maintaining the security and confidentiality of data in their possession, such as hardcopy reports or data downloaded to their workstations. Individuals must report to the appropriate security administrator any known breach of application or system security. Individuals who have constructive suggestions to improve security are encouraged to propose them.
Training and Testing
Application system developers and installers shall provide user training on security issues when new systems are installed. Copies of production data should not be used for purposes that may compromise the confidentiality of individuals or organizations.
Separation of Responsibilities
There shall be a distinct separation of job duties and responsibilities such that no one person has the authority and the ability to circumvent the normal checks and balances of the systems. For example, except for an organization that has a sole programmer, no single individual should hold the responsibilities as an Application Programmer and Production Control personnel; or Application Programmer and Database Administrator; or Production Control personnel and Database Administrator. For applications that contain mission-critical, financial or confidential data, maintenance responsibility for the database and system software shall reside in a separate organizational unit. The approval of access privileges to an application shall be in a separate unit from that of the implementer of the access privileges.
All data shall be properly disposed of when it has exceeded its required retention period, or it is no longer needed for the operation of the organization. This includes output such as paper listings, CDs, magnetic tapes, microfiche, etc.
Appendix A – Policy Routing
This policy was approved by the IT Cabinet on April 9, 2002.
This policy was approved by the UIMC on ________________
Approved by: John C. Reynolds, Vice President for Information Technology/CIO
Author: John C. Reynolds, Vice President for Information Technology/CIO