Information Resources Security Operations Manual
1. Purpose of Policy
The purpose of this policy is to establish a University-wide approach for the consistent handling and control of all University data with respect to security, access and confidentiality. This policy also provides direction and defines procedures relating to the operational implementation of the UT System Information Resources Use and Security Policy (BPM 53) [link no longer valid].
The University of Texas at Brownsville Information Resources Security Operations Manual provides guidance for all individuals that have, or may require, access to University of Texas at Brownsville Information Resources.
3. Acceptable Use
Before an individual is provided access to a University of Texas at Brownsville technology resource he or she must acknowledge the Information Resources Acceptable Use Policy.
4. Account Management
The following account management practices are required:
- All accounts that access non-public University of Texas at Brownsville Information Resources must follow an account creation process. This process should document who is associated with the account, the purpose the account was created for, and who approved the creation of the account. All accounts wishing to access non-public university Information Resources must have the approval of the owner of these resources.
- Accounts of individuals who have had their status, roles, or affiliation with the university change must be updated to reflect their current status.
- Accounts must be reviewed annually to ensure their current state is correct.
- Password aging and expiration dates must be enabled, where supported by the underlying account mechanism, on all accounts created for outside vendors, external contractors, or those with contractually limited access to the university’s information resources.
5. Administrative/Special Access
Users must be made aware of the privileges granted to their accounts, especially those that could impact access to Information Resources or that allow them to circumvent controls in order to administer the information resource. Abuse of such privileges will not be tolerated. Anyone using accounts with privileges of this type must adhere to the following access requirements.
- Individuals that use accounts with special privileges must use these accounts only for their intended administrative purposes.
- Individuals that use accounts with special privileges may perform investigations relating to potential misuse of Information Resources by an individual user only under the direction of the Information Security Office.
- The password for a shared administrator/special access account must change when any individual knowing the password leaves the department or the University of Texas at Brownsville, or changes role, or upon a change in the vendor personnel assigned to the University of Texas at Brownsville contracts.
6. Backups
Backups are a business requirement to enable the recovery of data and applications in the case of events such as natural disasters, system disk drive failures, espionage, data entry errors, human error, or system operations errors. The University of Texas at Brownsville requires the following backup practices, as warranted by data classification guidelines:
- The information resource data or server owner is responsible for having a backup procedure in place for that resource.
- Each department or entity responsible for a server(s) maintains a recovery plan that includes the following:
- Requirements for off site storage.
- Physical access controls for onsite and offsite storage.
- Processes to ensure backups can be recovered.
The University of Texas at Brownsville Office of Internal Audit periodically reviews the backup and recovery plans.
7. Change Management
The Information Resources infrastructure at the University of Texas at Brownsville is constantly changing and evolving to support the mission of the organization and its departments. Computer networks, servers, and applications require planned outages for upgrades, maintenance, and fine-tuning. The following change management procedures are required in proportion to the respective data classification category, the availability requirements of the data, and the impact of the change on the user community:
- All changes to environmental controls affecting computing facility machine rooms (for example, air-conditioning, water, heat, plumbing, electricity, and alarms) should be logged and reported to the appropriate department or unit(s) managing the servers in that facility.
- Departments or entities responsible for Information Resources will ensure that the change management procedures and processes they have approved are being performed.
- A department or entity may object to a scheduled or unscheduled change for reasons including, but not limited to, inadequate planning, inadequate back-out contingencies, inopportune timing in terms of impact on service to users or in relation to key business processes such as year-end accounting, or lack of resources to address potential problems that may be caused by the change. All objections will be reviewed by the responsible department or entity.
- Whenever possible, customers will be notified of changes following the steps contained in change management procedures.
A responsible department or entity, consistent with change management procedures, maintains a change management log for all significant changes including emergency changes. Change management log entries should contain at least the following information:
- Date of submission and date of change
- Owner and custodian contact information
- Nature of the change
8. Computer Virus Prevention
A variety of technologies and practices are required to protect the University of Texas at Brownsville network infrastructure and other Information Resources from threats posed by computer viruses, worms, and other types of hostile computer programs.
- Each responsible department or entity must install current virus protection software on all University of Texas at Brownsville computers on the University of Texas at Brownsville network.
- E-mail gateways must utilize properly maintained e-mail virus protection software.
- Any computer identified as a security risk due to lack of virus protection may be disconnected from the network or the respective network access account may be disabled until adequate protection is in place.
- Every instance of a computer virus infection constitutes a security incident and must be reported to the Instructional and Client Support Services Department.
9. E-mail
Electronic mail (E-mail) is an essential tool for communicating within the University of Texas at Brownsville. It is important that unimpeded e-mail services be available at all times and that e-mail be used in a manner that achieves its purpose without exposing the University of Texas at Brownsville to unnecessary technical, financial, or legal risks. The following practices are required:
- All e-mail is subject to logging and review.
- To reduce spam and protect the e-mail environment from viruses, worms, or other threats, Information Technology Services, or an otherwise appropriate department or entity, may filter, block, and/or strip potentially harmful code from messages.
10. Incident Management
Incident management is needed to assure continued operations in the event of a security breach or incident involving a computer virus, worm, attack against university information systems, or misuse of Information Resources. The Instructional and Client Support Services Department is required to establish and follow Incident Management Procedures to ensure that each incident is reported, documented, and resolved in a manner that restores operation quickly and, if required, maintains evidence for further disciplinary, legal, or law enforcement actions. The following standard operating procedure will be followed:
- The Instructional and Client Support Services will report the incident to the appropriate university, state, and federal agencies and departments as required by governing laws, rules, and procedures.
- Instructional and Client Support Services, working with the selected Computer Incident Response Team members, will determine if a widespread University of Texas at Brownsville communication is required, the content of any such communication, and the method of distribution.
- The Instructional and Client Support Services Department will be responsible for maintaining a chain of evidence on incidents it investigates, or participates in investigating, in case the incident needs to be referred to law enforcement or other legal proceedings.
- The Instructional and Client Support Services Department is responsible for determining the physical and electronic evidence to be gathered as part of the incident investigation, except in cases involving appropriate law enforcement personnel, where the University Police Department or other law enforcement agencies will make these determinations.
- The University Police Department serves as liaison with law enforcement organizations.
11. Incidental Use
Incidental personal use by University of Texas at Brownsville affiliates of Information Resources is permitted per the Information Security Policy. Instructional and Client Support Services Department or the appropriate department or entity is permitted to monitor the incidental personal use of Information Resources to ensure that:
- Use is restricted to the University of Texas at Brownsville affiliates only.
- Use does not result in a direct cost to the University of Texas at Brownsville.
- Use does not expose the university to unnecessary risks.
12. Internet Use
The University of Texas at Brownsville network Users must adhere to prudent and responsible Internet practices to mitigate risks associated with the Internet. The following practices are required:
- Software and operating systems utilizing the university network are expected to be kept updated and to have features that enhance network security enabled.
- Content on all University of Texas at Brownsville departmental Web sites must relate to university business, research, service, and/or academics and must be approved by the appropriate department or entity publishing the information.
- Purchases for the University of Texas at Brownsville handled via the Internet are subject to the University of Texas at Brownsville procurement rules.
- Personal commercial advertising must not be posted on University of Texas at Brownsville Web sites.
- All confidential, personally identifiable, protected health information, certain financial data, or certain student data transmitted over any network must be encrypted in accordance with Data Classification Guidelines.
13. Information Services Privacy
The University of Texas at Brownsville may log, review, and otherwise utilize any information stored on or passing through its information resource systems in accordance with the provisions and safeguards provided in the Texas Administrative Code 202.1-8, Information Resource Standards.
In cases of suspected abuse of Information Resources, the contents of any e-mail or file may be reviewed in accordance with provisions defined in the Disciplinary Actions section of this manual.
Access to data and information associated with such actions will be handled using standards of privacy and confidentiality required by law and university policy.
14. Network Access
Access to the network is managed to ensure the reliability of the network and the integrity and appropriate use of information contained within the network. The following network access procedures are required:
- No network hardware (router, switch, hub, firewall, wireless access point, or other network appliance) may be installed on the University of Texas at Brownsville network without prior notification by the Instructional and Client Support Services Department.
- Systems attaching to the university network must operate in a way that poses no internal or external security or operational hazard. Owners of systems that do not meet these criteria must cooperate fully with university staff in correcting the problems.
15. Network Configuration
The Instructional and Client Support Services Department:
- Will operate and maintain a reliable network with appropriate redundancies to meet quality of service goals.
- May scan all registered hosts attached to the university network for potential vulnerabilities.
- Must install or authorize a contractor to install all cabling and network hardware.
- Will approve the specification used to configure all equipment connected to the University of Texas at Brownsville network.
- Has the authority over changes to the configuration of active network management devices.
- Sets all protocols and standards used on the University of Texas at Brownsville network.
- Must install, configure, and maintain the University of Texas at Brownsville network firewalls following the University of Texas at Brownsville Firewall Implementation Standards.
- Provides written authorization for the use of departmental firewalls. Their use is not permitted without written authorization.
16. Passwords
Strong passwords are required on University of Texas at Brownsville accounts. All passwords must be constructed, implemented, and maintained according to the following, as technology permits:
- Passwords for accounts must:
- Be at least 8 characters in length.
- Contain letters, numbers, and special characters (e.g. ! @ # $ % & * ( ) - + = < >).
- Must not:
- Include personal information such as your name, phone number, social security number, date of birth, or addresses.
- Contain words found in a dictionary.
- Re-use any of your last 10 passwords.
- Contain a series of the same character.
- Contain your UTB ID.
- All systems should be configured to allow users to change their own passwords upon demand without third-party involvement.
- Password requirements must be followed by everyone, including those with special privileges.
- Unattended computing devices must be secured from unauthorized access. Physical security options include barriers such as locked doors or security cables. Logical security options include screen saver passwords and automatic session time-outs.
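One way to enforce the construction rules above at password-change time is a policy checker that returns every rule a candidate breaks, so the user can be told exactly what to fix. The following is an added example, not code from the manual or the university; it assumes a salted PBKDF2 history of earlier password digests (so clear-text history is never stored), reads "a series of the same character" as three or more in a row, and uses a constructed word list and user record in place of a real dictionary file and directory lookup.

```python
import hashlib
import os
import re

# Special characters named in the manual's password rules.
SPECIAL_CHARS = set("!@#$%&*()-+=<>")

# Constructed sample word list; a real deployment loads a full dictionary file.
DICTIONARY_WORDS = {"password", "welcome", "brownsville", "scorpion", "summer", "letmein"}

PBKDF2_ROUNDS = 100_000


def hash_password(password, salt=None):
    """Salted PBKDF2-HMAC-SHA256; returns (salt, digest) for storage in the history."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt, digest


def _normalize(text):
    """Lower-case and strip separators so '956-555-0100' matches '9565550100'."""
    return re.sub(r"[^a-z0-9]", "", text.lower())


def check_password(candidate, personal_info, utb_id, history, history_depth=10):
    """Return the list of rules the candidate violates (empty list = acceptable).

    personal_info: dict label -> value (name, phone, SSN, date of birth, address ...)
    history: list of (salt, digest) tuples from hash_password(), oldest first
    """
    problems = []

    if len(candidate) < 8:
        problems.append("shorter than 8 characters")
    if not any(c.isalpha() for c in candidate):
        problems.append("contains no letters")
    if not any(c.isdigit() for c in candidate):
        problems.append("contains no numbers")
    if not any(c in SPECIAL_CHARS for c in candidate):
        problems.append("contains no special characters")

    norm_candidate = _normalize(candidate)

    # Personal information: each token of a value (a name part, a birth year) is checked.
    for label, value in personal_info.items():
        for token in re.split(r"[\s\-./,]+", str(value)):
            norm_token = _normalize(token)
            if len(norm_token) >= 3 and norm_token in norm_candidate:
                problems.append(f"contains personal information ({label})")
                break

    if utb_id and _normalize(utb_id) in norm_candidate:
        problems.append("contains UTB ID")

    # Dictionary words: every run of four or more letters is looked up.
    for run in re.findall(r"[a-z]{4,}", candidate.lower()):
        if run in DICTIONARY_WORDS:
            problems.append(f"contains dictionary word '{run}'")

    # Assumed reading of "a series of the same character": three or more in a row.
    if re.search(r"(.)\1\1", candidate):
        problems.append("contains a series of the same character")

    # Re-use: re-hash the candidate with each stored salt from the last N entries.
    for salt, digest in history[-history_depth:]:
        if hash_password(candidate, salt)[1] == digest:
            problems.append(f"re-uses one of the last {history_depth} passwords")
            break

    return problems


# Constructed sample user record and history for the demonstration.
SAMPLE_USER = {"name": "Maria Garcia", "phone": "956-555-0100", "date of birth": "1990-04-12"}
SAMPLE_ID = "A00123456"
SAMPLE_HISTORY = [hash_password("Old#Pass9x1")]

if __name__ == "__main__":
    for pw in ["Tq7!vR#m2Lp", "Scorpion2024!", "Garcia1990!x", "Old#Pass9x1", "aaa"]:
        print(pw, "->", check_password(pw, SAMPLE_USER, SAMPLE_ID, SAMPLE_HISTORY) or "OK")
```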
17. Physical Access
The granting, controlling, and monitoring of physical access is an important component of the overall security program:
- All information technology resource facilities must be physically protected in proportion to the criticality, confidentiality, or importance of their function at the University of Texas at Brownsville.
- All Information Resources facilities must have physical access controls in proportion to the importance, sensitivity, and accountability requirements of the data and systems housed in that facility.
- Access to information technology resource facilities will only be granted to authorized personnel of the University of Texas of Austin and other contractors or personnel whose job responsibilities require such action.
- Access cards and/or keys must not be shared or loaned to others.
- Access cards, and/or keys, and badges that are no longer required must be returned to the responsible department contact. All returned access cards must be forwarded to the responsible campus key management or ID center contact as soon as possible. Cards must not be reallocated to another individual, thereby bypassing the return process.
- Lost or stolen access cards and/or keys must be reported to the appropriate department or entity as soon as possible.
- Information Resources facilities access and log records are the responsibility of the department that manages the facility. Such records will be kept in accordance with the accountability requirements of the data and systems in that facility.
- Visitors must be escorted in controlled areas of Information Resources facilities.
- The appropriate department or entity or a designee must review access records for secured information technology resource facilities on a periodic basis and investigate any unusual access.
- The appropriate department or entity or a designee must review card and/or key access rights for secured information technology resource facilities on a periodic basis and remove access for individuals that no longer require access.
- Signage for restricted access rooms and locations must be practical. Minimal discernible evidence of the importance of the location should be displayed.
18. Portable Computing and Remote Access
Computers and devices used to access the University of Texas at Brownsville infrastructure must do so in a manner that preserves the integrity, availability, and confidentiality of the University of Texas at Brownsville information.
19. Security Monitoring
Security monitoring is used to confirm that the security practices and controls in place are being adhered to and are effective. It is also used to identify anomalous activity that might indicate an operational or security concern. Monitoring consists of activities such as automated notification of security breaches and automated or manual examination of logs, controls, procedures, and data. The following monitoring requirements apply to Information Resources at the University of Texas at Brownsville:
- Operating system user accounting and application software audit logging processes will be enabled on host and server systems.
- Alarm and alert functions of any firewalls and other network perimeter access control systems must be enabled.
- Audit logging of any firewalls and other network perimeter access control systems must be enabled.
- Automated tools will provide real time notification of detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and automated tools will report exceptions to the extent technically feasible.
- Information Resources connected to the university network are subject to automated monitoring and notifications of possible security events of interest by the Instructional and Client Support Services Department.
20. Computer Security Training
The Instructional and Client Support Services Department is charged with providing a combination of general computer security awareness programs and training.
- All users of the University of Texas at Brownsville Information Resources will be provided with training and supporting materials to allow them to properly protect the Information Resources they use.
- Recurring security awareness training for all faculty and staff will be offered annually (training to be arranged by Instructional and Client Support Services Department).
The Instructional and Client Support Services Department:
- Must prepare, maintain, and distribute information that concisely describes the University of Texas at Brownsville Information security policies and procedures.
- Must develop and maintain a process to communicate new computer security program information, security bulletin information, and security items of interest to faculty, staff and students.
- Will provide specific security training to information technology professionals serving in positions of special trust (for example, system administrators).
21. Operating System Hardening
Information and services must be transmitted securely and reliably to assure that data integrity, confidentiality, and availability are preserved. To achieve these goals, systems must be installed and maintained in a manner that minimizes service disruptions and prevents unauthorized access or use. The following standards apply:
- A system must not be connected to the University of Texas at Brownsville network until it is in a secured state and location (as defined by the responsible department or entity).
- The general steps are the following:
- Installation of the operating system from a reliable source.
- Application of vendor supplied patches.
- Removal of unnecessary software, system services, and drivers.
- Setting of security parameters, file protections and enabling of audit logging in proportion to the importance, sensitivity, and accountability requirements of the data processed by the system.
- Disabling or changing of passwords associated with default accounts.
- Installation of appropriate intrusion detection and/or file integrity software.
- Departments are responsible for ensuring their systems have been properly specified, configured, installed and continue to be maintained.
- The responsible department or entity tests security patches before installation where technically feasible.
- All departments or entities must implement security patches in a timely and appropriate manner.
- The responsible department or entity will periodically examine all systems, in proportion to data sensitivity. System administrators must maintain an inventory of systems, operating system versions in use, critical software and the versions that are in use, as well as the last time patches were applied. System administrators will also be expected to monitor security mailing lists, and other information sources, for vulnerabilities concerning their operating systems and software.
22. Software Licensing
All software used on the University of Texas at Brownsville computers will be used in accordance with the applicable software license:
- The University of Texas at Brownsville will provide a sufficient number of cost-effective, licensed copies of core business software to enable faculty and staff to perform their work in an expedient and effective manner.
- Systems administrators have the right to remove software from the University of Texas at Brownsville computers for cause. For example, if a user is unable to show proof of license, or if the software is not required for university business purposes and causes problems on the university owned computer.
- All responsible departments or entities will periodically audit all computers to inventory all installed software.
- All University of Texas at Brownsville departments are responsible for the accurate accounting of software purchased by the department and must ensure that the installation of the software complies with the license agreement of the software. For audit purposes, departments must maintain proof of purchase and/or original installation media for each software package.
23. Enterprise Development and Deployment
The protection of Information Resources (including data confidentiality, integrity, and accessibility) must be considered during development or purchase of new enterprise computer applications.
- Departments or entities are responsible for developing, maintaining, and participating in quality assurance/project management practices as appropriate for projects of varying scope, cost, and risk.
- The department(s) that requests the development of an application is the owner of that software system. In most cases, the departmental contact designated during the development process is considered a custodian of the system. Likewise, staff or faculty charged with oversight of the technical infrastructure supporting an application are considered custodians of the application.
- Separate production and development environments will be maintained to ensure the security and reliability of the central production system.
- Whenever possible, new development or modifications to a production system will be made first in a development test environment. These changes are thoroughly tested for valid functionality before being released to the central production environment.
24. Vendor Access
Vendors serve an important function in the support of hardware and software and in some cases possibly even the operations of computer networks, servers, and/or applications.
Vendors must comply with the Information Resources Use and Security Policy (BPM-53) [link no longer valid], when Information Resources are involved, and any University of Texas at Brownsville department engaging a vendor must provide the vendor with a copy of this policy and any other procedures they must follow, including, but not limited to:
- Software licensing
- Acceptable Use
- Vendors will adhere to Federal and State laws to which the University of Texas at Brownsville must adhere.
- Vendor agreements and contracts must specifically reference The Information Resources Use and Security Policy (BPM-53), The University of Texas at Brownsville Acceptable Use Policy, and the Information Resources Security Operations Manual when Information Resources are involved.
- Vendor agreements and contracts must address the following issues when Information Resources are involved:
- The University of Texas at Brownsville information the vendor may access.
- The vendor’s responsibility to protect the University of Texas at Brownsville information.
- The vendor’s responsibility regarding the deletion, destruction, disposal or return of the University of Texas at Brownsville information at the end of the contract.
- The vendor’s responsibility to use the University of Texas at Brownsville information only for the purpose of the business agreement.
- The University of Texas at Brownsville, or respective department, right to audit and otherwise verify the security of university information and other resources in the possession of or being managed by the vendor, and the university’s right to investigate any security breaches involving these resources.
- The University of Texas at Brownsville, or respective department, right to require background checks for vendors working with security-sensitive university information.
- The University of Texas at Brownsville will provide an Information Resources point of contact for the vendor. The point of contact will work with the vendor to make certain the vendor is in compliance with these policies.
- Each vendor must provide the University of Texas at Brownsville with a list of all employees working on the contract when Information Resources are involved. The list must be updated and provided to the University of Texas at Brownsville within one business day of staff changes.
- The owner of the information has the right to approve or disapprove for cause any vendor employee having access to the University of Texas at Brownsville sensitive or confidential information.
- Vendors must report all security incidents involving university resources to the University of Texas at Brownsville Information Security Office.
- Each vendor must follow all applicable University of Texas at Brownsville change management procedures approved by the appropriate department or entity.
- For contracts involving onsite work, regular work hours and duties will be defined in the contract. The appropriate department or entity must approve in writing work outside defined parameters.
- All vendor accounts and maintenance equipment connecting the University of Texas at Brownsville network to the Internet or outside organizations will remain inactive except when in use for authorized maintenance.
- Vendor accounts providing access to the University of Texas at Brownsville Information Resources must be uniquely identifiable and passwords must comply with the University of Texas at Brownsville password requirements as detailed in this manual.
- Vendors must maintain a log of major work activities that is available to the University of Texas at Brownsville management upon request. Logs may include such events as personnel changes, password changes, project milestones, deliverables, and arrival and departure times, as necessary for a given contract.
- Upon departure of a vendor employee from a University of Texas at Brownsville contract for any reason, the vendor will ensure that the employee's access to all the University of Texas at Brownsville sensitive and confidential information is removed within 24 hours in a manner agreed upon by the University of Texas at Brownsville.
- Vendors are required to comply with all State of Texas and the University of Texas at Brownsville auditing requirements, including the auditing of the work the vendor has done for the university.
- All software used by the vendor in providing service to the University of Texas at Brownsville must be properly inventoried and licensed. Software provided by the University of Texas at Brownsville installed on vendor equipment must be removed at the end of the contract.
- To protect the University of Texas at Brownsville intellectual property information, technology vendor contracts must be in accordance with the Board of Regents’ Rules and Regulations concerning intellectual property.
25. Disciplinary Actions
Misuse or destruction of Information Resources can vary in severity and appropriate disciplinary actions should be taken in proportion to the severity of the incident. It is not the role of Instructional and Client Support Services Department professionals to carry out disciplinary actions as the result of an incident, but it is their role to monitor resources, to identify potential incidents and to bring such incidents to the attention of appropriate University of Texas at Brownsville officials. The following guidelines apply:
- Suspected incidents involving student, faculty, or staff misuse of Information Resources should be brought to the attention of the Instructional and Client Support Services Department.
- If it is determined that a misuse violation has occurred by a student, faculty, or staff member, this should be brought to the attention of the Information Security Office. The Information Security Office will consult with either Human Resource Services or Student Judicial Services, as needed, and in the case of criminal violations, the University Police Department.
- Violations by non-affiliates will be referred to the appropriate authorities.
- Issues of departmental non-compliance may be reported to the respective executive management, the Office of Internal Audit, or the Office of the President.