Texas A&M Dallas
Computer Security Policy

October 23, 2000


Certain University Rules and Regulations mentioned in this document are undergoing a review and revision process at this time. Therefore, it is possible that section numbers or other references in this document may no longer designate material applicable to this policy. If you have questions regarding this policy, please contact Sean Pease at s-pease@tamu.edu.


Foreword

The ability of Texas A&M Dallas to deliver services to the faculty, staff, students, and citizens of the State of Texas has grown enormously through the use of computers. Texas A&M Dallas has significant investments in Information Resources. While the value of equipment such as computer hardware is easily appreciated, we must not overlook the larger investment in less tangible information assets - such as data, software, and automated processes.

Information Resources are vital assets that require protection. Data, whether stored in central computers accessible through remote terminals, processed locally on microcomputers, or generated by word processing systems, are vulnerable to a variety of threats and must be afforded adequate safeguards.

Texas A&M Dallas faculty, staff, and students need to be aware of the value of these resources and the means of protecting them. User awareness through education is the first line of defense in maintaining confidentiality, reliability, availability, and integrity of Texas A&M Dallas Information Resources.

The Texas A&M Dallas Computer Security Policy was developed to assist in the education of faculty, staff, and students in the need for and means of protecting Texas A&M University Information Resources. This document defines the security and data ownership responsibilities of the mission critical computing resources that are maintained and operated by Texas A&M Dallas. This document should be useful in ongoing departmental security programs for security awareness and training.


Table of Contents

Introduction
Computer Security Policy
Policy Statements
Policy Administration
Data Owner Responsibilities
Data Custodian Responsibilities
Data User Responsibilities
Electronic Mail Privacy
Auditor Access
Appendix A - Terms and Definitions
Appendix B - Password Management
Appendix C - Disaster Recovery
Appendix D - Personnel Security and Security Awareness
Appendix E - Computer Security Rules, Regulations, and Laws
Appendix F - Filing Complaints About Computer Generated Harassment or Discrimination
Appendix G - Computer Security Policy Summary Statement
Appendix H - Texas Penal Code; Chapter 33: Computer Crimes

Introduction

Continuing availability of information is essential to the operation of Texas A&M Dallas programs. Expanded use of computers and telecommunications has resulted in more accurate, reliable, and faster information processing, with information more readily available to administration, faculty, and staff than ever before. Texas A&M Dallas has realized increased productivity, in terms of improved delivery of services, enhanced administrative capabilities, and lower operating costs, as a direct result of the growing commitment to use information technology.

Information technology has also brought new administration concerns, challenges, and responsibilities. Information assets must be protected from natural and human hazards. Policies and practices must be established to ensure that hazards are eliminated or their effects minimized.

The focus of information security is on ensuring protection of information and continuation of program operations. Providing efficient accessibility to necessary information is the impetus for establishing and maintaining automated information systems. Protecting that information and the surrounding investment is the impetus for establishing an information security program.

Protecting information assets includes:

· Physical protection of information processing facilities and equipment.

· Maintenance of application and data integrity.

· Assurance that automated information systems perform their critical functions correctly, in a timely manner, and under adequate controls.

· Protection against unauthorized disclosure of information.

· Assurance of the continued availability of reliable and critical information.

Many program operations that traditionally were manual or partially automated are today fully dependent upon the availability of automated information services to perform and support their daily functions. The interruption, disruption, or loss of information support services may adversely affect Texas A&M Dallas' ability to administer programs and provide services. The effects of such risks must be eliminated or minimized.

Additionally, information entered, processed, stored, generated, or disseminated by automated information systems must be protected from internal data or programming errors and from misuse by individuals inside or outside Texas A&M Dallas. Specifically, the information must be protected from unauthorized or accidental modification, destruction, or disclosure. Otherwise, we risk compromising the integrity of Texas A&M Dallas programs, violating individual rights to privacy, violating copyrights, or facing criminal penalties.

An effective and efficient security management program requires active support and ongoing participation from multiple disciplines and all levels of administration.

Responsibilities include identifying vulnerabilities that may affect information assets and implementing cost-effective security practices to minimize or eliminate the effects of the vulnerabilities.

Policy statements regarding computer security of Texas A&M Dallas Information Resources can be found in:

· The Texas A&M University Rules, Sections 33.04.99.M2 & 33.04.99.M3

· The Texas A&M University Student Rules, Section 22 & Appendix V

The Texas Department of Information Resources is responsible for coordinating information technology within state government and is an important source of guidelines, standards, and rules governing computer security at Texas A&M Dallas. The relevant documents from DIR are:

· Information Resources: Security and Risk Management Policy, Standards, and Guidelines, March 1993.

· Information Resource Standards, Texas Administrative Code, Section 201.13(b).

The policies and procedures of this document apply to the mission critical applications and resources operated by Texas A&M Dallas. These include applications such as the campus computer network (local-area and wide-area) and the computing facilities and workstations purchased for Texas A&M Dallas use. In the remainder of this document, Information Resources will refer to:

· Network Resources - the Texas A&M Dallas computer network. This DOES include both Local Area Networks and Wide Area Networks as used by and connected to the Texas A&M Dallas equipment.

· Hardware Resources - all computing resources operated by Texas A&M Dallas.

· Software Resources - all applications operated by Texas A&M Dallas or its customers.


Computer Security Policy

Policy Applicability

The Computer Security Policy applies to all Texas A&M Dallas personnel accessing applications and computer systems supporting applications operated by Texas A&M Dallas.

The Computer Security Policy also applies to the Texas A&M University System member personnel when they access applications and computer systems supporting applications operated by Texas A&M Dallas.

Texas A&M Dallas information security policies and standards apply to Information Resources owned by others, such as state agencies, political subdivisions of the state, or federal government agencies, in those cases where a contractual or fiduciary duty exists to protect the resources while in the custody of Texas A&M Dallas. In the event of a conflict, the more restrictive security measures apply.


Policy Statements

It is the policy of Texas A&M Dallas that:

· Any violation of this policy may be enforceable under Texas Penal Code Chapter 33: Computer Crimes. (see: Appendix H)

· Information Resources are valuable assets and unauthorized use, alteration, destruction, or disclosure of these assets is a computer-related crime, punishable under Texas statutes and federal laws which are summarized in Appendix E, Computer Security Rules, Regulations, and Laws.

· Attempting to circumvent security or administrative access controls for Information Resources is a violation of this policy. Assisting someone else or requesting someone else to circumvent security or administrative access controls is a violation of this policy.

· Information Resources may be used only for official purposes.

· Violations of the Computer Security Policy will be reported to the Texas A&M Dallas Resident Director.

· Violations of the Computer Security Policy that may be violations of state and federal laws will be reported to the appropriate agency or department.

· Persons violating the Computer Security Policy will be subject to appropriate administrative and criminal sanctions.

· All employees will receive the Computer Security Policy Summary Statement. The summary statement is contained in Appendix G, Computer Security Policy Summary Statement.

· Logon ids and passwords must control access to all Information Resources except for those specific resources identified as having public.

· Passwords must be changed periodically by the logon id owner.

· The logon id owner is responsible for managing their password according to the guidelines specified in Appendix B, Password Management.

· The legitimate proprietary interests of intellectual property owners will be upheld and supported.

· Information which by law is confidential must be protected from unauthorized access or modification. Data which is essential to critical functions must be protected from loss, contamination, or destruction.

· Confidential information shall be accessible only by personnel who are authorized by the owner on a basis of strict "need to know" in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as confidential in its entirety.

· When an employee terminates employment, their access to Information Resources will be terminated. Appendix D, Personnel Security and Security Awareness, contains additional information.

· Microcomputer end-user workstations used in sensitive or critical tasks must have adequate controls to provide continued confidentiality, integrity, and availability of data stored on the system.

· All microcomputer end-user workstations should have virus protection software installed.

· Computer software purchased using university or state funds is Texas A&M University System property and shall be protected as such.

· Ownership of computer software developed by faculty, staff, and students is defined in the Texas A&M University System Administrative Policies & Regulations Manual, Section 17.02.01.

· All information processing areas used to house Information Resources supporting critical applications must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations. Physical access to these areas shall be restricted to authorized personnel. Authorized visitors should be supervised and their entry and exit recorded in a log.

· Individuals who believe they have experienced computer generated harassment or illegal discrimination are encouraged to contact the appropriate administrative office to file a complaint. Additional information is provided in Appendix F, Filing Complaints About Computer Generated Harassment or Discrimination.

· Internet access to the Texas A&M Dallas Network will be controlled as appropriate under guidelines established by the Senior Systems Analyst.


Policy Administration

The Computer Security Policy is administered by the Senior Systems Analyst and the Computer Security Committee. The Senior Systems Analyst has responsibility to:

· monitor computer security issues.

· file regular reports on computer security issues.

· keep users aware of computer security issues.

· monitor compliance with this policy.

· act as primary contact for the Computer Emergency Response Team.

· chair the Computer Security Committee.

The Computer Security Policy is maintained by the Senior Systems Analyst and the Computer Security Committee. The policy will be reviewed annually and updated as appropriate.


Data Owner Responsibilities

The data owner is responsible for:

· Maintaining the information in the data file.

· Determining how the data may be used within existing policies.

· Authorizing who may access the data.


Data Custodian Responsibilities

The data custodian is the unit assigned to supply services associated with the data. The custodian is:

· The operator or manager of the Center’s computer system, server, or network of microcomputer workstations.

· The end-user of an individual microcomputer workstation.

The custodian provides services in accordance with the directions from the owner and is responsible for:

· Implementing owner specified controls over the data.

· Providing a general security access system.

· Ensuring compliance of its employees with security procedures.


Data User Responsibilities

The data user is the person who has been granted explicit authorization to access the data by the owner. This authorization must be granted according to established procedures. The user must:

· Use the data only for purposes specified by the owner.

· Comply with security measures specified by the owner or custodian.

· Not disclose information in the data nor the access controls over the data unless specifically authorized in writing by the owner.


Electronic Mail Privacy

Electronic mail is provided to faculty, staff, and students as part of the Information Resources of Texas A&M Dallas to conduct the business of Texas A&M Dallas and the Texas A&M University System. Electronic mail is intended to be a convenient way for the faculty, staff, and students to communicate with one another and colleagues at other locations. It is not the practice of Texas A&M Dallas to monitor the contents of electronic mail messages. However, the information in electronic mail files may be subject to disclosure under certain circumstances; for example, requests filed under the Texas Open Records Act, or during audit or legal investigations.


Auditor Access

There will be occasions when auditors require access to Information Resources and data files. The access will be permitted according to these guidelines:

Internal Auditors from the Texas A&M University System:

· Personnel of the Internal Audit Departments have access to all University activities, records, property, and employees in the performance of their duties. This access is described in Texas A&M University System Policies and Regulations Manual, Section 21.03 and the Texas A&M University Rules, Section 21.03.01.M1.

· For non-investigative audits, access requests for Information Resources and data files will be made to the data owner and the administrative management of the organization operating the computers and information resources, as appropriate.

· For investigative audits, access requests for Information Resources and data files will be made to the appropriate administrative management level of the organization operating the computers and information resources.

· Internal Audit access to data files will be provided as specifically requested by Internal Audit; however, whenever practical, Internal Audit will utilize hard copy output or data file copies.

· Read only access will be granted, unless specific instructions are provided, to ensure proper safeguards for continued integrity and availability of data files.

State and Federal Auditors:

State and Federal auditors will be granted access to Information Resources and data files on an as needed basis after coordination with the Internal Auditors and data owners, and after proper training requirements are met.


Appendix A - Terms and Definitions

The following terms which are used in this document are defined to have these meanings:

Computer Security

Those measures, procedures, or controls which provide an acceptable degree of safety of information resources from accidental or intentional disclosure, modification, or destruction.

Data

A representation of facts or concepts in an organized manner in order that it may be stored, communicated, interpreted, or processed by automated means.

Generally Accessible Computing Resource

The computing resources of Texas A&M Dallas available to any faculty, staff, or student at Texas A&M Dallas.

Information Resources

The computer hardware, software, data files, and networks at Texas A&M Dallas.

LAN

Local Area Networks are connected to Texas A&M Dallas.

Logon id

A unique identifier used by the computer system to establish user identification.

Critical Information Resources

Those information processing resources that have been determined to be essential to Texas A&M Dallas' critical mission and functions.

Password

A combination of characters used to authenticate a person's identity to a computer system when associated with a logon id.

Texas A&M Dallas Network

The ethernet, FDDI, fiber optic, token ring, and the port selector portions of the Texas A&M Dallas campus computing networks.


Appendix B - Password Management

Information handled by computer systems must be adequately protected against unauthorized modification, disclosure, or destruction. Effective controls for logical access to information resources minimize inadvertent employee error and negligence, and reduce opportunities for computer crime. Each user of a mission critical automated system is assigned a unique personal identifier for user identification. User identification is authenticated before the system may grant access to automated information.

Password Selection

Passwords are used to authenticate a user's identity and to establish accountability. A password that is easily guessed is a bad password which compromises security and accountability of actions taken by the logon id which represents the user's identity.

Today, computer crackers are extremely sophisticated. Instead of typing each password by hand, crackers use personal computers to make phone calls to try the passwords, automatically re-dialing when they become disconnected. Instead of trying every combination of letters, starting with AAAAAA (or whatever), crackers use hit lists of common passwords such as WIZARD or DEMO. Even a modest home computer with a good password guessing program can try thousands of passwords in less than a day's time. Some hit lists used by crackers contain several hundred thousand words. Therefore, any password that anybody might guess to be a password is a bad choice.

What are popular passwords? Your name, your spouse's name, or your parents' names. Other bad passwords are these names spelled backwards or followed by a single digit. Short passwords are also bad, because there are fewer of them; they are more easily guessed. Especially bad are "magic words" from computer games, such as XYZZY. Other bad choices include phone numbers, characters from favorite movies or books, local landmark names, favorite drinks, or famous people.

Some rules for choosing a good password are:

· Use both uppercase and lowercase letters if the computer system considers an uppercase letter to be different from a lowercase letter when the password is entered.

· Include digits and punctuation characters as well as letters.

· Choose something easily remembered so it doesn't have to be written down.

· Use at least 8 characters. Password security is improved slightly by having long passwords.

· It should be easy to type quickly so someone cannot follow what was typed by watching the keyboard.

· Use two short words and combine them with a special character or a number, like ROBOT4ME or EYE-CON.

· Put together an acronym that has special meaning to you, like NOTFSW (None Of This Fancy Stuff Works) or AVPEGCAN (All VAX Programmers Eat Green Cheese At Night).

Password Handling

A standard admonishment is "never write down a password." You should not write your password on your desk calendar, on a Post-It label attached to your computer terminal, or on the pull-out drawer of your desk.

A password you memorize is more secure than the same password written down, simply because there is less opportunity for other people to learn a memorized password. But a password that must be written down in order to be remembered is quite likely a password that is not going to be guessed easily. If you write a password in your wallet, the chances of somebody who steals your wallet using the password to break into your computer account are remote.

If you must write down a password, follow a few precautions:

· Do not identify the password as being a password.

· Do not include the name of the account or the phone number of the computer on the same piece of paper.

· Do not attach the password to a terminal, keyboard, or any part of a computer.

· Mix in some "noise" characters or scramble the written version of the password in a way that you remember, but make the written version different from the real password.

· Never record a password on-line and never send a password to another person via electronic mail.


Appendix C - Disaster Recovery

It is prudent and required by the Texas Department of Information Resources to anticipate and prepare for the loss of information processing capabilities. The plans and actions to recover from losses range from routine backup of data and software in the event of minor losses or temporary outages, to comprehensive disaster recovery planning in the preparation for catastrophic losses of information resources.

Data Backup

The backup procedures on the servers are designed to protect against data losses caused by hardware failures and other disasters. The frequency and timing of these backups may not provide sufficient protection to meet end-user requirements for data backup. Therefore, it is strongly recommended that end-users include a data backup step in their information processing procedures, and not depend on a single backup procedure to provide all protection.

Data and software essential to the continued operation of critical department functions must be backed up. The security controls over the backup resources must be as stringent as the protection required of the primary resources.

Contingency Planning

Contingency plans, or disaster control plans, specify actions management has approved in advance to achieve each of three objectives: to identify and respond to disasters; to protect personnel and systems; and to limit damage. The backup plan specifies how to accomplish critical portions of the mission in the absence of a critical resource such as computers. The recovery plan directs recovery of full mission capability.


Appendix D - Personnel Security and Security Awareness

In any organization, people are the greatest asset in maintaining an effective level of security. At the same time, people represent the greatest threats to information security. No security program can be effective without maintaining employee awareness and motivation.

Employee Requirements

Every employee is responsible for systems security to the degree that the job requires the use of information and associated systems. Fulfillment of security responsibilities is mandatory and violations of security requirements may be cause for disciplinary action, up to and including dismissal, civil penalties, and criminal penalties.


Appendix E - Computer Security Rules, Regulations, and Laws

There are University System regulations and a number of state and federal laws that affect the security of information processing resources, computer systems, computer software, and data files. The following summaries are provided for the reader to review:

· Texas A&M University Student Rules, Section 22 & Appendix V
Regulations concerning computer security and use of Texas A&M University computing resources by students.

· Texas A&M University Rules, Sections 33.04.99.M2 & 33.04.99.M3
Regulations concerning computer security and use of Texas A&M University computing resources.

· Texas Administrative Code, 1 TAC 201.13(b)
Policy, standards, and guidelines for Information Resources Security and Risk Management by the Texas Department of Information Resources.

· Texas Penal Code, Chapter 33: Computer Crimes
State of Texas Law concerning computer crimes.

· Federal Copyright Law
Recognizes that all intellectual works are automatically covered by copyright. The owner of a copyright holds the exclusive right to reproduce and distribute the work.

· Computer Fraud and Abuse Act of 1986
Makes it a crime to access a computer to obtain restricted information without authorization; to alter, damage, or destroy information on a government computer; and to traffic in passwords or similar information used to gain unauthorized access to a government computer.

· Electronic Communications Privacy Act of 1986
Prohibits the interception or disclosure of electronic communication and defines those situations in which disclosure is legal.


Appendix F - Filing Complaints About Computer Generated Harassment or Discrimination

During the past several years, there have been complaints regarding the use of Texas A&M University System computing resources to generate objectionable material. The objectionable material has included naming of files and processes, surveys about sexual preferences, and graphical images.

Faculty, staff, or students who allege harassment or discrimination as a result of words or images generated or transmitted by an individual using Texas A&M University System computing resources may file a complaint against that individual in accordance with the University Statement of Harassment and Discrimination and the Procedures for Sexual Harassment Complaints.

If the complaint is against a student, the complaint is filed with:

Coordinator of Student Judicial Programs
Department of Student Affairs
979-845-5262

If the complaint is against a faculty member, the complaint is filed with:

Associate Provost and Dean of Faculties
203 Administration Building
979-845-4016

If the complaint is against a staff member, the complaint is filed with:

Employee Relations Manager
Human Resources Department
201 YMCA Building
979-845-4141


Appendix G - Computer Security Policy Summary Statement

Texas A&M Dallas Computer Security Policy

October 2000
Summary Statement

Texas A&M Dallas has developed a comprehensive computer security policy statement. This summary statement presents an overview and the key points of the Texas A&M Dallas Computer Security Policy.

The Information Resources at Texas A&M Dallas are extensive and are readily available to authorized users. This availability of computer hardware, software, and database resources brings with it the responsibility to protect those resources from unauthorized access, unauthorized use, or inappropriate use. During the past several years, much has been written about viruses, worms, and hackers. While these are very real and present dangers, we must also be aware of the dangers from careless activities regarding Information Resources at Texas A&M Dallas, particularly in the network environment.

The Texas A&M University Computer Security Policy is available electronically at dallas.tamu.edu/policy.

The main items of the Computer Security Policy are:

Each user of an Information Resource must be responsible for certain key aspects of security, which include:

· Appropriate handling of passwords and password procedures.

· Using resources, hardware and software, in accordance with the owner's guidelines.

· Taking precautions with regard to viruses.

· Following the prescribed procedures for access and use of data.

· Adhering to copyright policies.

Texas A&M Dallas has instituted certain computer security measures designed to protect the integrity of Information Resources. Any attempt to circumvent these procedures may be a violation of Texas A&M Dallas policies, rules, and regulations, and state and federal statutes.

Virus protection software should be installed on all microcomputer end-user workstations.

All users of Information Resources acknowledge their reading and understanding of computer security issues each time they logon to a Texas A&M Dallas computer system.

Policy statements regarding computer security of Information Resources can be found in:

· The Texas A&M University Rules, Section 33.04.99.M2 & 33.04.99.M3

· The Texas A&M University Student Rules, Section 22 & Appendix V


Appendix H - Texas Penal Code; Chapter 33: Computer Crimes

§ 33.01. Definitions

In this chapter:

(1) "Access" means to approach, instruct, communicate with, store data in, retrieve or intercept data from, alter data or computer software in, or otherwise make use of any resource of a computer, computer network, computer program, or computer system.

(2) "Aggregate amount" means the amount of:

(A) any direct or indirect loss incurred by a victim, including the value of money, property, or service stolen or rendered unrecoverable by the offense; or

(B) any expenditure required by the victim to verify that a computer, computer network, computer program, or computer system was not altered, acquired, damaged, deleted, or disrupted by the offense.

(3) "Communications common carrier" means a person who owns or operates a telephone system in this state that includes equipment or facilities for the conveyance, transmission, or reception of communications and who receives compensation from persons who use that system.

(4) "Computer" means an electronic, magnetic, optical, electrochemical, or other high-speed data processing device that performs logical, arithmetic, or memory functions by the manipulations of electronic or magnetic impulses and includes all input, output, processing, storage, or communication facilities that are connected or related to the device.

(5) "Computer network" means the interconnection of two or more computers or computer systems by satellite, microwave, line, or other communication medium with the capability to transmit information among the computers.

(6) "Computer program" means an ordered set of data representing coded instructions or statements that when executed by a computer cause the computer to process data or perform specific functions.

(7) "Computer services" means the product of the use of a computer, the information stored in the computer, or the personnel supporting the computer, including computer time, data processing, and storage functions.

(8) "Computer system" means any combination of a computer or computer network with the documentation, computer software, or physical facilities supporting the computer or computer network.

(9) "Computer software" means a set of computer programs, procedures, and associated documentation related to the operation of a computer, computer system, or computer network.

(10) "Computer virus" means an unwanted computer program or other set of instructions inserted into a computer's memory, operating system, or program that is specifically constructed with the ability to replicate itself or to affect the other programs or files in the computer by attaching a copy of the unwanted program or other set of instructions to one or more computer programs or files.

(11) "Data" means a representation of information, knowledge, facts, concepts, or instructions that is being prepared or has been prepared in a formalized manner and is intended to be stored or processed, is being stored or processed, or has been stored or processed in a computer. Data may be embodied in any form, including but not limited to computer printouts, magnetic storage media, laser storage media, and punchcards, or may be stored internally in the memory of the computer.

(12) "Effective consent" includes consent by a person legally authorized to act for the owner. Consent is not effective if:

(A) induced by deception, as defined by Section 31.01, or induced by coercion;

(B) given by a person the actor knows is not legally authorized to act for the owner;

(C) given by a person who by reason of youth, mental disease or defect, or intoxication is known by the actor to be unable to make reasonable property dispositions;

(D) given solely to detect the commission of an offense; or

(E) used for a purpose other than that for which the consent was given.

(13) "Electric utility" has the meaning assigned by Section 31.002, Utilities Code.

(14) "Harm" includes partial or total alteration, damage, or erasure of stored data, interruption of computer services, introduction of a computer virus, or any other loss, disadvantage, or injury that might reasonably be suffered as a result of the actor's conduct.

(15) "Owner" means a person who:

(A) has title to the property, possession of the property, whether lawful or not, or a greater right to possession of the property than the actor;

(B) has the right to restrict access to the property; or

(C) is the licensee of data or computer software.

(16) "Property" means:

(A) tangible or intangible personal property including a computer, computer system, computer network, computer software, or data; or

(B) the use of a computer, computer system, computer network, computer software, or data.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Amended by Acts 1989, 71st Leg., ch. 306, § 1, eff. Sept. 1, 1989; Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

Amended by Acts 1997, 75th Leg., ch. 306, § 1, eff. Sept. 1, 1997; Acts 1999, 76th Leg., ch. 62, § 18.44, eff. Sept. 1, 1999.

§ 33.02. Breach of Computer Security

(a) A person commits an offense if the person knowingly accesses a computer, computer network, or computer system without the effective consent of the owner.

(b) An offense under this section is a Class B misdemeanor unless in committing the offense the actor knowingly obtains a benefit, defrauds or harms another, or alters, damages, or deletes property, in which event the offense is:

(1) a Class A misdemeanor if the aggregate amount involved is less than $1,500;

(2) a state jail felony if:

(A) the aggregate amount involved is $1,500 or more but less than $20,000; or

(B) the aggregate amount involved is less than $1,500 and the defendant has been previously convicted two or more times of an offense under this chapter;

(3) a felony of the third degree if the aggregate amount involved is $20,000 or more but less than $100,000;

(4) a felony of the second degree if the aggregate amount involved is $100,000 or more but less than $200,000; or

(5) a felony of the first degree if the aggregate amount involved is $200,000 or more.

(c) (Blank).

(d) A person who is subject to prosecution under this section and any other section of this code may be prosecuted under either or both sections.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Amended by Acts 1989, 71st Leg., ch. 306, § 2, eff. Sept. 1, 1989; Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

Amended by Acts 1997, 75th Leg., ch. 306, § 2, eff. Sept. 1, 1997.

§ 33.03. Defenses

     It is an affirmative defense to prosecution under Section 33.02 that the actor was an officer, employee, or agent of a communications common carrier or electric utility and committed the proscribed act or acts in the course of employment while engaged in an activity that is a necessary incident to the rendition of service or to the protection of the rights or property of the communications common carrier or electric utility.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Renumbered from § 33.04 and amended by Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.

§ 33.04. Assistance by Attorney General

     The attorney general, if requested to do so by a prosecuting attorney, may assist the prosecuting attorney in the investigation or prosecution of an offense under this chapter or of any other offense involving the use of a computer.

Added by Acts 1985, 69th Leg., ch. 600, § 1, eff. Sept. 1, 1985. Renumbered from § 33.05 by Acts 1993, 73rd Leg., ch. 900, § 1.01, eff. Sept. 1, 1994.