Skip to Content

University Computing and
Telecommunications Security Policy

Introduction

The value of information lies in its availability but, to safeguard information, it must be made inaccessible to all except those who are duly authorized.

As the custodian of campus-wide computing and telecommunications services, the Division of Computing, Communications, and Media Services (CCMS), through its University Computing and Communications Services (UCCS) department, is charged with maintaining information access while preserving overall security on all University computers and various telecommunications network resources. As a major information generator and provider, California State University, Sacramento (CSUS) relies heavily upon computing and networking systems to meet the academic and administrative informational needs of the University. It is essential that CSUS computing systems and networks, as well as the information they store and process, be operated and maintained in a secure environment and in a responsible manner. Institutional security is at risk from wire tapping, electronic eavesdropping, unauthorized reception of microwave or satellite communications, malicious damage to facilities and equipment and the exploration of university files, operating systems and data bases by intruders who may or may not have legitimate access to University networks but who are not authorized unlimited access to University services, resources or files.

To insure a stable and secure environment implies that a meaningful effort must be taken to disseminate awareness/information to users concerning their security responsibilities so as to safeguard inappropriate access or abuse of University resources. Implicit in this, therefore, is an action framework that establishes a policy posture that takes advantage of State of California laws and regulations as well as approved University policies and procedures as coupled herein.

Policy

Information security is an area of pivotal concern and importance to a University so reliant on its computers and telecommunication networks. Given the rapid pace of technological change, the decentralization of computing, and the proliferation of computers, networks and users of varying capabilities in the University setting, it is essential that these systems be protected from misuse and unauthorized access. This University Computing and Network Policy is established so as to (1) inform all users of their rights and responsibilities relative to computer security awareness, (2) encourage proper decorum and behavior when accessing information resources, and (3) help maintain the security of University resources. The policy is intended to represent all computing and telecommunications facilities and refers to all hardware, data, software, networks, and facilities associated with information resources at CSUS.

Policy Principles

General

  1. Basic computing and networking resources are available to all currently enrolled students, affiliated faculty and employed staff of CSUS. With authorization from their instructor, students in courses which have an academic need for additional resources and faculty and staff whose duties and responsibilities require access to additional resources may gain such access by application to University Computing and Communications Services. Additionally, special authorization may be granted for instructional, research/scholarly and creative activity and administrative special projects supporting the mission and programs of the University. All users are required to have a valid campus identification card or special authorization card in their possession while using computing/networking resources and associated facilities.
  2. Telecommunication equipment, including computer systems, networks and associated facilities, provided by the University, are owned by the University and are only to be used to support the instruction, research/scholarly and creative activity(ies) and administrative functions of CSUS. The policy of the University is that use of these computers and networks for any other reason is inappropriate. If faculty, staff or students bring personally-owned equipment into the University environment, they will be required to adhere to existing campus policy(ies) and standards as use of their equipment may compromise data and network security and affect the work of others.
  3. Informational access to resources connected to national and/or international networks may be permitted, as a courtesy to others on the network, as long as their use does not adversely affect campus use and such access provides benefit to the University.
  4. System administration privileges on publicly available computer and/or network equipment may only be granted to those individuals whose duties and responsibilities require extraordinary levels of access to computer and network operating systems. Individuals holding system administration privileges on these machines must be authorized bona fide employees of the campus or service agencies and/or consultants contracted by the University. Any individual who violates the trust and privileges associated with this level of access will immediately loose system administration privileges and/or have the resources administered disconnected from the University backbone. Activities following this course of action are delegated to the Assistant Vice President for Administration/Telecommunications and shall be reported to the Vice-President for Administration for consideration and judgment. Privileges will not be restored and/or resources reconnected until the faulted condition has been resolved and agreed to by the Vice President for Administration.

Users' Responsibilities

  1. Users need to recognize their responsibility in the process of maintaining the security of University computing and networking resources. If users fail to take proper care in securing their password, account or workstation, all other computer/network security measures are meaningless.
  2. Users need to minimize the impact of their work on the work of others by not attempting to encroach on others' use of the facility or deprive them of resources. Users must utilize only those computer and/or network accounts for which they have been authorized, and, as such, are responsible for the use of their assigned accounts.
  3. Workstations and local area network users have the responsibility to maintain and secure data for which they are accountable; including maintaining current backups of said data and protecting the backups in a safe area.
  4. Programs, files or data belonging to other persons or to CSUS may not be accessed or copied without prior authorization. Software may be used on University computing and networking resources only if it has been legally obtained, and its use does not violate any license or copyright restriction.

Proper and Improper Use

  1. Proper computing and networking use follows the same standards of common sense and courtesy that govern use of other public facilities. Improper use violates those standards by preventing others from accessing public facilities or by violating their intellectual property rights. Improper use is defined as: Any use of computing and/or networking facilities or services that is unrelated to legitimate instructional, research/creative activity or administrative requirements; interferes with another's legitimate access; violates another's intellectual property rights; and/or violates any local, state or federal law.
  2. All individuals employed by or contracted with the University are held responsible for adhering to University procedures for system access, use and security. Sensitive and/or mission critical information must be protected from unauthorized use, improper disclosure, accidental alteration and inadvertent or intentional destruction. The University is responsible for the protection of this information through security measures that are consistent with its ethical and legal obligations. Security mechanisms must identify authorized users, identify legitimate uses, secure the equipment and data from environmental hazards, accidental loss or intentional destruction.
  3. Computer and network accounts must not be made available to others or used for any purpose for which they are not authorized. Unsponsored research accounts must not be used for sponsored research or private consulting. Attempts to modify system facilities and/or subvert the restrictions associated with computer accounts are a violation of State law.
  4. Violators of this policy are subject to the termination of their access, referral to the account sponsor and appropriate administrator for sanctions or other actions as may be appropriate depending on the severity of the violation.

Administration and Management

  1. The Division of CCMS is charged with maintaining overall security on all campus computing and networking resources and is responsible for the development and maintenance of appropriate awareness program guidelines, and procedures to assure a secure environment for the University community.
  2. CSUS academic and administrative departments who wish to manage their own systems may do so under guidelines established by the University to protect computing and networking resources, as well as users of these systems and networks. Departments whose operating systems do not comply with these guidelines will be asked to bring their systems and procedures into compliance and their faulted condition reported to the Vice President for Administration. If the faulted condition is not remedied in a reasonable time frame or the security breach is severe, UCCS management, under the direction of the Assistant Vice President for Administration/Telecommunications and after consultation with the Vice President for Administration, will isolate the system by disconnecting it from any and all networks.
  3. University user programs and files are confidential unless they are explicitly made available to other authorized individuals. When performing system maintenance, every effort is made to insure the privacy of a user's files. However, support personnel may access files when required for the maintenance of University computing systems and networks. All such access will be recorded and reported at an appropriate time to the account sponsor. If, in so doing, violations of policy and/or procedure are discovered, they will be immediately reported to the appropriate account sponsor and/or administrator.

Last Updated: February 20, 2006