078.1 Information Systems Security
|Created by: Pat Teague on 2/5/1999|
|Category: 0 - General Administration; 70 - Computer Services|
|Originator: Director of Computing and Information Services|
|Current File: 078.1|
|Adoption Date: 3/3/1999|
|Reviewed for Currency: 3/3/1999|
|Replaces File: 078.1|
|Date of Origin: 5/18/1979|
|In Archive? Yes|
Computer systems are used to store information that is private, confidential, and sensitive. Unauthorized access to, modification of, or falsification of such information is unethical and illegal.
All programs and files within any computer system shall be considered confidential and private and as such may be accessed only by those with a legitimate need to access such information and to whom permission has been granted by the person responsible for its security.
1. The Director of Computing and Information Services has the responsibility for providing leadership in safeguarding the confidentiality and privacy of the programs and files. All users are expected to share this responsibility.
2. The absence of security protection on a file or resource shall not imply permission to access that file or resource.
3. Anyone placing confidential information in a computer file, or designing systems to store and process confidential information, must ensure that all reasonable measures to restrict access to that information are taken, and that all applicable laws and standards are followed.
4. Wherever feasible, each user of a computer system must be uniquely identified with a user identification and password known only to that user. Each person assigned such a user identification will be held responsible for all activity attributed to that user. Therefore, users should not share their passwords with others, should choose passwords that are difficult to guess, and change them frequently.
5. Any new systems that are implemented must adhere to the requirement for unique user identification. Existing systems that rely on shared passwords should be phased out as quickly as possible.
6. Computing and Information Services may implement procedures which require users to choose passwords which are difficult to guess and to change them often.
7. Computing and Information Services and other departments that control or give permission for access to programs and data should perform a regular audit to determine whether an individual's or group's access to such programs and data is still appropriate.
8. Computing and Information Services must be notified immediately upon the termination of employment or student status of any individual who has access to Furman computing systems, and must be told the reason for such termination. Computing and Information Services staff will delete the accounts of such users, unless special arrangements have been made with the former user's supervisor.
9. This policy shall apply to all persons, including students, faculty members, staff members, and others.
10. This policy shall apply to all programs and data files within any computer system, whether the files belong to a student, a faculty member, an administrative office or a data processing customer.
11. Anyone who has knowledge of an attempt to violate this policy shall report it to the Director of Computing and Information Services.
12. Any person guilty of violating the security of any files or programs shall be subject to dismissal from the University and/or criminal charges.