Policy on Computer and Network Accounts Administration for Faculty and Staff Usage
SOURCEPenn State Shenango Campus, Technology Department
DATE ISSUEDNovember 7,2007
In order to ensure that University information systems and processes have a consistent view and that the outside world has a consistent view of the Pennsylvania State University population, accounts administration and management processes and procedures must be consistent. The purpose of this policy is to maintain an adequate level of security to protect PENNSYLVANIA STATE UNIVERSITY data and information systems from unauthorized access.
Only authorized PENNSYLVANIA STATE UNIVERSITY Faculty and Staff, hereafter known as users, are granted access to information systems, and users are limited to specific defined, documented, and approved applications and levels of access rights. Computer and communication system access control is to be achieved via user IDs that are unique to each individual user to provide individual accountability.
The security access administration function will be controlled only by the members of the Technology Department at PENNSYLVANIA STATE UNIVERSITY Shenango. The security access administration function provides administration for user access to systems. These responsibilities include, but may not be limited to:
- Authentication (add, change, delete) services to provide users with the ability to access computer sources using their University given logon ids and passwords
- Authorization (add, change, delete) services to provide user access to applications
- General and distribution of reports for monitoring access and potential security breaches. Reporting and monitoring activity should include reports based either on the individual initiating the event or the data and resources affected by the event. Reports can include:
- Attempted or actual access violations for data and resources
- Invalid logon attempts
- Access trends and deviations from those trends
- Access to sensitive data and resources not previously authorized
- Developing an incident handling reporting process.
The system administration function monitors performance, provides problem determination, production support, and performs system backups. Security responsibilities, can include, but may not be limited to, ensuring that:
- Only authorized software is installed via authorized means
- Approved security procedures are followed and procedures are established where necessary
- Systems are recovered in a secure manner
- Ad hoc system reviews are performed to identify unusual activity
- Systems are installed and operated using no less than the security controls set in place by the PENNSYLVANIA STATE UNIVERSITY Shenango Technology Department
- Procedures for software license validation and virus testing have been followed
- The security access administration function is notified of personnel or software changes that might impact system security features before the installation of those changes
The Shenango Technology Department’s computer and network operations and support functions are responsible for operating, supporting, and managing information systems and networks in accordance with the security policies set forth by the Pennsylvania State University. They shall monitor resources for signs of security violations; ensure system and network architectures maximize security of those resources; ensure network security does not conflict with application security; and follow specified escalation procedures for reporting security violations.
To ensure optimal use of resources and to address security concerns, accounts databases will be kept clean. That is, published eligibility criteria will be consistently applied, testing procedures will be applied at required intervals, and appropriate account removal and archiving tasks will be performed as required.
Accounts Administrators will retain all documentation related to computer accounts while the account is active, and for 1 year following the point at which the individual is no longer associated with Pennsylvania State University, or from the point where the organization having a group account has been dissolved.
Pennsylvania State University Information Technology Resources includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software, and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies, computing and electronic communication devices and services, modems, electronic mail, phone access, voice mail, Fax transmissions, video, multimedia and hyper media information, instructional materials, and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.
In partnership with the Campus Executive Officer and other naming functions and stakeholders, the campus’ Technology Department will coordinate accounts administration procedures, and will develop and publish central account procedures and processes.
The Shenango Campus Executive Officer will be responsible for local adherence to this policy, and for additional local processes, procedures, and additions to this and other accounts policies on the campus as required.