| General Security |
- Responsibility for information security on a day-to-day basis is every worker's duty. Specific responsibility for information security is NOT solely vested in the Information Services Department.
|
| |
| Network |
- The internal configurations, and related system design for Purdue North Central networked computer systems must be restricted such that users outside Purdue North Central internal network cannot access this information unless given approval by the Manager of Information Services or the Director of Information Services.
|
| |
| Physical Property |
- Unauthorized personnel are not permitted in the computer room.
|
- When the computer room is vacant, the door must be locked.
|
- Visitors or other third parties who have access to Pearl and/or other work areas containing sensitive information must be controlled by staff members.
|
| |
| User Accounts |
- The Manager of Information Services will grant permissions for the creation of user accounts as individuals are hired. The system privileges of all users will be restricted based on the need-to-know.
|
- Each user-ID must uniquely identify only one user. Shared or group user-ID's are not permitted.
|
- All user-ID creation, deletion, and change activity preformed by UNIX specialists must be securely logged.
|
- All user access privileges must cease when workers terminate.
|
- User-ID and Password information must be sent in a sealed envelope with no notification of what is in the envelope.
|
| |
| Passwords |
- Passwords must be constructed to meet the following requirements:
- A password must have at least eight characters, but no more than fourteen.
- Characters must be from the 7-bit US-ASCII character set; letters from the English alphabet.
- A password must contain a combination of letters and numbers without any special characters.
- A password must not be something you have used before.
- A password must be difficult to guess. Personal details such as spouse's name, automobile license plate, social security number, and birthday must not be used unless accompanied by additional unrelated characters.
|
- All users must change their password at least once every 120 days.
|
- The initial passwords issued by a security administrator must be changed in the user's first on-line session.
|
- After five unsuccessful attempts to enter a password, the involved user-ID will be suspended.
|
- All passwords must be promptly changed if they are suspected or known to have been disclosed to unauthorized parties.
|
- Passwords must not be written down and left in a place where unauthorized persons might discover them.
|
- Users must never write down or otherwise record a readable password and store it near the access device to which it pertains.
|
- Regardless of the circumstances, passwords must never be shared or revealed to anyone else besides the authorized user.
|
- Users are responsible for all activity performed with their personal user ID's.
|
| |
| Log-off |
- If there has been no activity on a computer, terminal, or workstation for 15 minutes, the system will automatically log-off the user.
|
- Users must not leave their microcomputer, workstation or terminal unattended with out first logging-out or locking the computer.
|
| |
| Backups |
- All critical business information and critical software resident on the computer system (Pearl) must be periodically backed-up. These backup processes must be performed daily:
- Archive Informix
- Archive HPUX (includes Edvanta software )
- Logical Logs
|
- Backups of essential business information and software must be stored in an access-controlled site that is a sufficient distance away from the originating facility to escape a local disaster.
|
- Backups of essential business information and software must be maintained for recovery process.
- Archive Informix - 7 days
- Archive HPUX (includes Edvanta software) - 7 days
- Logical Logs - 2 weeks
|
If you have any questions, concerns, or suggestions, please contact the Help Desk at ext. 5511
or submit a trouble ticket online at: 
