Security Governance
ASU Information Security Policy
The ASU Information Security Policy establishes guidelines and standards for the preservation of the confidentiality, integrity and availability of University information resources. Additionally, the ASU Information Security Policy provides for the integrity of institutional processes and records and supports the University’s compliance with state and federal laws, rules and regulations.
A third purpose of the ASU Information Security Policy is to create and implement a University Information Security Program and a University Information Security Committee in support of this policy.
The full policy can be found in the ASU Information Security Policy (pdf).
ACD 125
This policy defines the boundaries of acceptable use of ASU computing and communication resources, including computers, networks, electronic mail services, electronic information sources, voice mail, telephone services, and other communication resources. In addition, this policy reflects the goal of ASU to foster academic freedom while respecting the principles of freedom of speech and the privacy rights of ASU students, faculty, employees, and guests.
The full policy can be found in the Academic Affairs Policies and Procedures Manual (ACD 125).
A.R.S. 38-448
Law Restricts Employee Use of University Equipment to View Sexually Explicit Materials
Arizona Law
Effective September 18, 2003, Arizona law will allow for the dismissal or discipline of state employees who use state-owned equipment to view material or services that depict nudity or sexual activity, unless the employee has the authorization of the agency head. The statute governs all ASU employees, including student employees.
Under A.R.S. 38-448, unless an ASU employee has authorization from the university President, the employee is prohibited from knowingly using ASU owned or leased computer equipment to access, download, print or store any files or services that depict nudity, sexual activity, sexual excitement, or ultimate sex acts.
Limited Uses Approved
In a document titled "Approved Use of University Computing and Communication Equipment," President Crow has authorized certain employees to access these materials in connection with their academic duties or university administrative functions. Uses outside of this scope may result in sanctions.
Under the current Presidential Approval, the following individuals may access otherwise prohibited material, but only to the extent that the access is related to their academic appointment or job duties at ASU:
- All employees with academic appointments, student research and teaching assistants, and employees performing duties related to university academic functions, as authorized by a department chair, dean or director or provost;
- All employees whose job duties include the provision of physical or mental health services;
- All employees whose job duties include the monitoring, management, or servicing of ASU computing or communication media, systems or devices;
- All employees whose job duties include the analysis of legal issues or the investigation of allegations of misconduct; and
- All employees of campus museums, media services, libraries, and ASU Public Events.
Procedures for responding to allegations of misconduct and applicable sanctions are those set forth in existing ASU employment policies. Approval granted pursuant to A.R.S. 38-448 does not authorize any person to perform any act that is otherwise illegal under federal or state law.
Additional Approval
Employees who are not covered by this approval may seek approval from the head of their academic or administrative unit for activities related to their job duties. Any approval must be on a form approved by the ASU Office of General Counsel (OGC), and a signed copy of the form should be filed with the OGC.
Spam
The university recognizes that employees may receive an unsolicited e-mail (spam) that depicts nudity, sexual activity or other content restricted by this statute. The university does not intend to impose sanctions against employees who delete or ignore unsolicited e-mail when they recognize that the content is not related to legitimate university business or is otherwise regulated by this statute.
The Health Insurance Portability and Accountability Act of 1996 (HIPAA) Privacy Rule
The Privacy Rule provides federal protections for personal health information held by covered entities and gives patients an array of rights with respect to that information. At the same time, the Privacy Rule is balanced so that it permits the disclosure of personal health information needed for patient care and other important purposes.
The full rule can be found at the U.S. Department of Health & Human Services Website.
Family Educational Rights and Privacy Act (FERPA)
The Family Educational Rights and Privacy Act (FERPA) (20 U.S.C. § 1232g; 34 CFR Part 99) is a Federal law that protects the privacy of student education records. The law applies to all schools that receive funds under an applicable program of the U.S. Department of Education.
The full rule can be found at the U.S. Department of Education Website.
What is a Standard?
The traditional definition of a standard is a basis for comparison, a reference point against which other things can be evaluated. In information security, a standard is a governance document that is more specific than a policy but still high level. A standard is specific but not detailed; the detailed layer of governance is typically called a guideline or a procedure. At ASU, a standard is any document that sets the minimum level of requirements that must be met. It should be noted that a standard is not a step-by-step manual on how to complete a task. The documents below will open in PDF format.
- System Audit Requirements
- Standard Measures
- Incident Response Procedures
- Data Classification
- Patch Management
- Copyright
- Privileged Account
- Software Development Life-cycle
Telecommuting Guidelines & Considerations
To ensure fair and consistent treatment, criteria and standards for approving or disapproving a telecommuting request must be established and communicated before considering any request.
All requests and approvals should be in writing. Documentation should include:
- The telecommuting schedule
- Conditions and duration of arrangement.
Any changes to the schedule or workspace should be reviewed and approved by the supervisor in advance.
Employee salary, benefits and employer-sponsored insurance coverage will not change for a telecommuter.
Since the employee's home is an extension of the University's workspace, the University's liability for job-related accidents will continue to exist during the approved work schedule in the employee's designated work location. For the protection of the University and to ensure that a safe work environment exists, the supervisor should retain the right to make on-site inspections at mutually agreed-upon times.
The full guideline can be found at the Office of Human Resources - HR Advisor Website.
Student Computing Standards
It is the policy of the university to maintain access to local, national, and international networks for the purpose of supporting its fundamental activities of instruction, research, outreach, and administration. Users of the Residential Computing Network (ResNet) are to take necessary measures to safeguard the operating integrity of the systems they access and the accessibility of those systems to other users. This policy covers all persons accessing computer or network resources through any Residential Life facility. The following policies govern the use of the Residential Life computing network:
- All uses of the network are expected to be consistent with all local, state, and federal laws and all university policies including the Student Code of Conduct and ACD 125: Computer, Internet, and Electronic Communications, which can be found at www.asu.edu/aad/manuals/acd/acd125.html
- Residential Computing network services and wiring may not be modified or extended beyond the area of their intended use. This applies to all network wiring, hardware, in-room jacks and extension of such via wireless hub/switch devices. Use of a wireless hub/switch in a residential room is prohibited. The residential network may not be used to provide ASU network or Internet access to anyone outside of the university community for any purpose. Under no circumstances may users give others access to university systems;
- The provision of network services from user computers (e.g. BBS, Chat, DHCP, DNS, FTP, IRC, NNTP, POP2/POP3, IMAP, SMTP, Telnet, WINS, etc.) is prohibited. Users who have a documented academic need to provide such services from their personal computer must have prior written authorization from ResNet administration prior to activating any such service(s) on the ResNet network.
- The residential network is a shared resource. Network use or applications that inhibit or interfere with the use of the network by others are not permitted. For example, applications that require an unusually large portion of the bandwidth for extended periods of time (e.g. peer-to-peer network file sharing applications such as KaZaA, Gnutella, IMESH, WinMX, Audiogalaxy, etc. and network game servers such as Quake (I, II or III), Unreal Tournament, etc.), and applications designed to send repeated email messages or mass email messages ("email spam" or "bulk mailers") are not permitted;
- The residential network may only be used for legal purposes and to access only those systems, software, and data for which the user is authorized. Sharing access to copyrighted software or other copyrighted material (including MP3 files from copyrighted music media and digitized video from copyrighted motion pictures, etc.) on the network is prohibited;
- The use or employment of remote administration tools on others’ computers via the network (SubSeven, Netbus, Back Orifice, etc.) is prohibited;
- The use of port scanning or network administration software by anyone other than authorized network administrators is prohibited. Violations will result in referral to the Office of Student Life for disciplinary action. Prosecution under state and federal laws may also apply;
- Respecting the rights of other users, including their rights as set forth in other university policies for students, faculty, and staff is required at all times on the network. These rights include but are not limited to privacy, freedom from harassment, and freedom of expression;
- Users are required to know and obey the specific policies established for the systems and networks they access;
- The residential network is provided for use consistent with the academic mission of the institution. The network may not be used for commercial purposes or for unsolicited advertising.
- Users may not provide open access to files/folders on their computers that contain anything that is protected by copyright (this includes MP3 files from copyrighted music media and digitized video from copyrighted motion pictures, etc.), that is of a pornographic nature, or anything which would be in violation of the university’s and/or the Residential Life’s community standards;
- Forgery or other misrepresentation of one’s identity via electronic or any other form of communication is a violation of the Student Code of Conduct and will be referred to the Office of Student Life for disciplinary action. Prosecution under state and federal laws may also apply. This includes the use of an IP address not specifically assigned by the university to the individual using it and the use of a forged or false identity when using certain email or other electronic communications programs (i.e., mail clients such as Eudora, Netscape, Outlook, Outlook Express and IRC/chat programs such as AOL Instant Messenger, MSN Messenger, and ICQ);
- Administrators of the network have the responsibility to protect the rights of users, to set policies consistent with those rights, and to publicize those policies to their users. They have authority to control or refuse access to the network to anyone who violates these policies or who threatens the rights of other users. Administrators have the authority to temporarily suspend network access without notice for a user/computer that is believed to have been the source of an alleged violation pending investigation of the violation and satisfactory resolution of the complaint;
- Using or traversing the ResNet network constitutes FULL agreement with and understanding of this Acceptable Use Policy and any future modifications thereto;
- Residential Life reserves the right to modify, change, and reformat this document as it deems necessary without permission or consent of its network users.
University Computer Acceptable Usage Guidance
Usage of computing site resources must be in accordance with established ASU Computer, Internet, and Electronic Communications Policy.
Food, Drink, and Chewing Tobacco are Not Permitted
Please help maintain our facilities by not bringing these items into the computing sites. Sealed water bottles are the only beverage containers allowed. Any other food or beverage must be kept inside another container such as a bookbag.
Game Playing Prohibited
Computing site workstations are for academic use. Game playing is prohibited.
Maintain a Library Atmosphere
If you are working with a group of people, team work areas are available by reservation. If you need to use a cellular phone, please leave the computing site area.
Unattended Equipment
Computers left unattended for more than 15 minutes will be made available to waiting customers.
