Information Security Office

The University of Texas at San Antonio

Information Resource Standards

Account Management Standard

Purpose - The UTSA Account Management Standard establishes rules for creating, monitoring, controlling and removing user accounts.

Audience - The UTSA Account Management Standard applies equally to all students and employees who have authorization to access to any UTSA information resources. The accounts of vendors and consultants are covered in the Vendor Access Standard.

1. A request and approval process appropriate for the system or service must be in place for all accounts.
2. All users must sign the UTSA Information Resources Security Acknowledgement and Nondisclosure Agreement before access is granted. Where feasible, an electronic version of the Agreement document will be available
3. All accounts must be uniquely identifiable by means of the assigned user name.
4. All account passwords must adhere to the UTSA Password Standard.
5. All passwords are temporary, and must be changed periodically in accordance with the UTSA Password Standard.
6. All new user accounts that have not been accessed within 30 days of creation will be cancelled.
7. Accounts will be locked after three unsuccessful login attempts.
8. System Administrators or other designated staff:
   1. are responsible for removing the accounts of individuals who transfer to other departments at UTSA or no longer work at UTSA
   2. must have a documented process for account modifications such as name changes, accounting changes and changes to user access privileges
   3. must have a documented process for reviewing, at least on an annual basis, the status of existing accounts
   4. are subject to an independent audit review of procedures
   5. must provide a list of accounts for the systems they administer when requested by authorized UTSA management
   6. must cooperate with authorized UTSA management during the investigation of security incidents.
9. Owners:
   1. are responsible for developing plans for departmental accounts
   2. are responsible for notifying appropriate personnel immediately when an employee leaves their department.
10. Vendor and special access accounts must be reassessed at least every quarterly.

Administrative/Special Access Standard

Purpose - The UTSA Administrative/Special Access Security Standard establishes the rules for the creation, use, monitoring, control and removal of accounts with special access privileges for the maintenance of information resources. Administrative access to individual workstations is prohibited unless approved by the Information Resources Manager (IRM).

Audience - The UTSA Administrative/Special Access Standard applies equally to all individuals that have, or may require, special access privilege to any UTSA information resources.

1. All users must sign the UTSA Information Resources Security Acknowledgement and Nondisclosure Agreement before access is granted.
2. All users of Administrative/Special Access accounts must be provided with account management instructions, documentation, training and authorization.
3. Each individual who uses an Administrative/Special Access account must refrain from abuse of privilege. Periodic random audits will be conducted to ensure proper use of the account.
4. Each individual who uses an Administrative/Special access account must use the account most appropriate for the work being performed (i.e., user account vs. administrator account).
5. Each account password must meet the UTSA Password Standard.
6. The password for a shared administrator/special access account must be changed when a password holder leaves the department or UTSA, or upon a personnel change in the vendor assigned to a UTSA contract.
7. If the system has only one administrator, there must be a password escrow procedure in place so someone other than the administrator can gain access to the administrator account in an emergency situation. The procedure will be audited on a regular basis.
8. When Special Access accounts are needed for audit, software development, software installation or other defined need, they:
   1. must be authorized by the system owner, IRM or Information Security Officer (ISO)
   2. must be created with a specific expiration date
   3. must be removed when work is complete
9. The use of privileged commands must be traceable to specific individuals via the use of comprehensive logs.

Backup and Data Recovery Standard

Purpose - The UTSA Backup/DIR Standard establishes the rules for the backup, storage and recovery of electronic UTSA information.

Audience - The UTSA Backup/DIR Standard applies to all individuals within the UTSA enterprise who are responsible for the installation and support of Information Resources, individuals charged with Information resources security and data owners.

Services – OIT has existing arrangements for offsite backup data storage. These services can be extended to all UTSA entities upon request. OIT will maintain a list of all departmental systems and their backup arrangements.

1. The frequency and extent of backups must increase as the importance of the information and the risk of loss, as determined by the data owner, increase.
2. The UTSA information resources backup and recovery process for each system must be documented and periodically reviewed by the system owner.
3. Physical access controls implemented at offsite backup storage locations must meet or exceed the physical access controls of the source systems. Additionally, backup media must be protected in accordance with the highest UTSA sensitivity level.
4. A process must be implemented to verify the operability of the UTSA electronic information backup, including periodic testing to ensure that backups are recoverable.
5. Signature cards held by the offsite backup storage vendor(s) for access to UTSA backup media must be reviewed annually or when an authorized individual leaves UTSA.
6. Procedures involving UTSA and the offsite backup storage vendor(s), if any, must be reviewed at least annually.
7. Backup tapes must have, at a minimum, the following identifying markers that can be readily displayed by labels and/or a bar-coding system:
   1. System name
   2. Creation date
   3. Sensitivity Classification [Based on applicable electronic record retention regulations]
   4. UTSA contact information

Change Management Standard

Purpose - The Change Management Standard provides a plan for the development, implementation and management of changes to UTSA computer systems. Changes require serious forethought, careful monitoring and follow-up evaluation to reduce negative impact to the user community and to increase the value of Information Resources (IR).

Audience - The UTSA Change Management Policy applies to all individuals who develop, install, operate or maintain information resources (IR).

1. Every change to UTSA multi-user production IR such as operating systems, computing hardware, networks and applications is subject to the Change Management Standard and must follow the applicable documented Change Management Procedures.
2. All changes affecting computing environmental facilities (e.g., air conditioning, water, heat, plumbing, electricity and alarms) must be reported to or coordinated with the Director of Technical Support Services or his/her designee.
3. Changes to any OIT-supported central computing systems must be thoroughly documented. Departmental systems administrators must maintain logs of systems changes.
4. Changes in the major administrative systems supported by OIT will be transferred to the production environment through specialized automated control systems.

E-mail Standard

Purpose - This document provides guidelines for prudent and acceptable practices regarding the use of e-mail and the management of e-mail messages sent and received. This standard supplements the e-mail policies articulated in the UTSA Acceptable Use Policy.

Audience - The UTSA E-mail Standard applies equally to all individuals granted access privileges to any UTSA information resource with the capacity to send, receive or store electronic mail.

1. E-mail is an essential tool for communicating within UTSA and the University of Texas System, and must be available at all times and must be used in a manner that does not expose the University and the UT System to unnecessary risks. Each UTSA employee and student will be assigned an e-mail address, and each user is required to exercise prudent e-mail use in accordance with the Information Resources Acceptable Use Policy. The UTSA e-mail system will carry official notices and information unavailable to the recipient in any other format, and it is the obligation of each user to check the e-mail account regularly for such material.
2. All user activity on UTSA Information Resources assets is subject to logging and review.
3. To reduce spam and to protect the e-mail environment from malicious viruses, worms or other threats, the Office of Information Technology may filter, block and/or strip potentially harmful code from messages originating from sites known for distribution of spam or malicious code.
4. Records Retention
   1. The retention requirement associated with any document is determined by its content, not the method of delivery. Each UTSA department has a records retention schedule that specifies the retention period to be applied to various documents. It is critical that records be destroyed when the retention requirement has been met.
   2. The responsibility of retaining an internally created and distributed document (or message) most often falls on the author, not the recipients. Recipients may delete such received messages after they are no longer needed.  
   3. Employees who receive messages from outside UTSA are responsible for proper records retention of those messages.  
   4. Most casual e-mail messages are "transitory records" and can be discarded after their purpose is served.
      For records retention purposes, electronic mail that is digitally signed must be filed electronically, (rather than on paper), if the signature is of importance to the legal status or business usefulness of the document.  
   5. E-mail that has been requested in a subpoena or public information request must be retained until the request has been fulfilled, even if the retention period has expired.
5. Electronic Mail Backup and Recovery
   
   Institutional backups are created solely for the purpose of restoring the entire electronic mail system in the event of a disaster. Backup tapes do not allow for the restoration of departmental electronic mail systems or individual mailboxes and cannot be used as a convenience to retrieve "deleted" messages.

File-Sharing Standard

Purpose – The file-sharing standard limits the use of peer-to-peer (P2P) applications and the sharing of files at the peer level, especially for the exchange of materials that are copyrighted. It is intended

1. to ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources with regard to copyrighted materials, and
2. to educate individuals who may use the Internet and/or P2P applications or have responsibilities associated with their use.

Audience - The UTSA File-Sharing Standard applies equally to all individuals with access to any UTSA information resource and having the ability to access the Internet and/or the intranet.

1. The unauthorized duplication and distribution of copyrighted software and multimedia files such as games or sound/movie recordings is a form of copyright infringement. Online piracy is increasing as many use the Internet to illegally distribute copies of software and multimedia files (e.g. MP3, DiVX formats). The Recording Industry Association of America (RIAA) monitors the Internet daily and scans for sites that serve as hosts for copyrighted recordings. The organization has been successful in having sound recordings removed from those sites. Any individual may report violations to the RIAA directly.
2. Federal copyright law grants the copyright owner of a sound recording (typically, a record company) the exclusive right to reproduce, adapt, distribute and, in some cases, digitally transmit their sound recordings. Therefore, the following activities, if not expressly authorized by the copyright owner, may violate their rights under federal law:
   1. Creating or saving a copy of all or a portion of a copyrighted file onto a computer hard drive, server or other hardware that has the ability to be connected to a Web site or other online forum.
   2. Converting a copyrighted multimedia file into a digital file format (such as a WAV, DiVX, DVD or MP3 file) and saving it to a hard drive or server;
   3. Transmitting a copy or otherwise permitting users to download copyrighted digital files from a Web site or other forum; and/or
   4. Digitally transmitting to users, at their request, a particular copyrighted file chosen by or on behalf of the recipient.
3. If you reproduce or offer full-length copyrighted multimedia files or software for download without the express authorization of the copyright owner, you are in violation of federal copyright law and could face civil as well as criminal prosecution. Placing disclaimers on your Web site, such as "for demo purposes only" or "sound files must be deleted within 24 hours," does not prevent or mitigate your liability. Moreover, use of these programs may also contribute to an excessive use of bandwidth and a degradation of service for other users on the UTSA network. Using these programs may lead to security issues or other serious problems for the University.
   1. Departments that require P2P applications and communication to complete their assigned University missions must provide the name of the P2P application(s) and must specify whether the P2P application requires access to the Internet. Submit your requests to annette.evans@utsa.edu.
   2. File sharing of copyrighted material (without the owner’s permission) by using File Transfer Protocol (FTP) servers is also illegal.
   3. This standard does not apply to users who access Web sites that broadcast music, such as www.realmusic.com or radio stations that broadcast their signal over the Internet.
   4. Current copyright laws allow the owner of a music CD to copy the sound recordings for personal use only. The owner may make a compilation CD or create digital files for use on devices such as portable MP3 players.

Incident Management Standard

Purpose - This document describes the requirements for dealing with computer security incidents. Security incidents include, but are not limited to: the discovery of viruses, worms, and Trojan horses; detection of unauthorized use of computer accounts and computer systems; and the receipt of complaints of improper use of Information Resources as outlined in the E-mail Policy and the Acceptable Use Policy.

Audience - The UTSA Incident Management Standard applies equally to all individuals who that use any university Information Resources.

1. Whenever a security incident is suspected or confirmed, the appropriate Incident Management procedures must be followed. Security incidents include occurrences such as the receipt of a virus/worm/hoax e-mail, or the discovery of hacking tools or altered data.
2. Whenever unauthorized system access is suspected or confirmed, UTSA personnel must take immediate action to terminate the access. If a virus is found on a computer that has a non-standard virus detection software package installed, the user will be disconnected from the network until the problem has been resolved. UTSA Computer Incident Response Team (CIRT) members have pre-defined roles and responsibilities which can take priority over normal duties.
3. Any attempt to interfere with, prevent, obstruct, retaliate for or dissuade the reporting of a security problem, violation, or vulnerability is strictly prohibited and is cause for disciplinary action.
4. Whenever evidence clearly indicates that UTSA has been victimized by a computer or communications crime, a thorough investigation must be performed by the University police department. This investigation must provide sufficient information so that management can take steps to ensure that: (1) such incidents are not likely to recur, and (2) effective security measures have been reestablished.
5. A stern cease and desist message must be sent to the source of the external attacks mounted against UTSA when the source or intermediate relay points can be identified.
6. The Information Security Officer (ISO) is responsible for notifying the Information Resources Manager (IRM) and the CIRT, and for initiating the appropriate incident management action.
7. The ISO is responsible for determining what electronic evidence is to be gathered as part of the incident investigation. The ISO cooperates with the University police department in criminal cases by supplying electronic evidence.
8. The CIRT is responsible for coordinating activities to ensure that any damage from a security incident is repaired or mitigated and that the vulnerability is eliminated or minimized where possible.
9. The ISO, working with the IRM, will determine if a widespread UTSA communication is required, the content of the message and the method of dissemination.
10. The appropriate technical resources from the CIRT are responsible for communicating new issues or vulnerabilities to the system vendor and working with the vendor to eliminate or mitigate the vulnerability.
11. The ISO is responsible for initiating, completing and documenting the incident investigation with assistance from the CIRT.
12. The UTSA ISO is responsible for reporting the incident to the:
    1. IRM
    2. System owner
    3. Texas Department of Information Resources as outlined in TAC 202.
    4. Local, state or federal officials as required by applicable statutes and/or regulations
    5. UTSA Compliance Office
13. The ISO is responsible for coordinating communications with outside organizations and law enforcement, when appropriate.
14. If law enforcement personnel are not involved, the ISO will recommend disciplinary paths, if appropriate, to the IRM.
15. If University law enforcement is involved, the ISO will act as the liaison between the University police department and UTSA.
16. Information describing all reported security incidents must be retained for a period of three years.

Information Services Privacy

Purpose - This document addresses the expectation of privacy with respect to the use of UTSA information resources.

Audience - The UTSA Information Services Privacy Standard applies equally to all individuals granted access privileges to any UTSA information resource with the capacity to send, receive, or store electronic mail.

1. Internal UTSA users (including faculty, staff, students, contractors and others) should have no expectation of privacy with respect to the use of information resources, except as provided in the Regents Rules and Regulations of the University of Texas System. Electronic files created, sent, received or stored on computers and other information owned, leased, administered, or otherwise under the custody and control of UTSA are not private. They may be accessed as needed for purposes of system administration and maintenance, for resolution of technical problems, for compliance with the Texas Public Information Act, subpoena, or court order and to perform audits.
2. Third parties have entrusted their information to UTSA for business, learning and professional purposes. All users must do their best to safeguard the privacy and security of this information. The most important of these third parties is the individual student. Student account data, protected health information and educational record data are confidential and access will be strictly limited based on a business need for access.
3. To manage systems and to enforce security, the Office of Information Technology may log, review and otherwise utilize any information stored on or passing through the University’s information systems in accordance with the provisions and safeguards provided in the First Article of Texas Administrative Code, Section 202, parts 1-8, Information Resource Standards.
4. In suspected cases of abuse of information resources, the contents of any email or file may be reviewed in accordance with provisions defined in the Disciplinary Actions section of the Information Use and Security Policy.

Internet Use

Purpose - This document provides guidelines for prudent and acceptable practices regarding the use of the Internet. This standard supplements the Internet policies articulated in the UTSA Acceptable Use Policy.

Audience - The UTSA Internet Use Standard applies equally to all individuals granted access privileges to any UTSA information resource with Internet capabilities.

1. UTSA provides Internet access to faculty, staff and students to enhance their efforts in teaching, learning and service. There are certain risks associated with the posting or consuming of information on the Internet. To mitigate these risks, UTSA network users must adhere to prudent and responsible Internet use practices, as outlined in the UTSA Acceptable Use Policy.
2. The Office of Information Technology makes every effort to ensure that software used to access the Internet incorporates appropriate security features and patches and does not expose UTSA information resources to unnecessary security risks. Departments are expected to exercise similar care in selecting software and in protecting the environment in which the software is installed.
3. Personal and commercial advertising must not be posted on UTSA Web sites.
4. Purchases handled via the Internet are subject to the UTSA procurement rules.
5. All confidential student information and protected health information transmitted over the Internet must be encrypted in accordance with encryption guidelines published by the Office of Information Technology.

Intrusion Detection Standard

Purpose -- Intrusion detection is the use of tools and policies to monitor system performance in order to prevent unauthorized use of UTSA information resources. Intrusion detection provides two important functions in protecting information resources:

1. Trigger: a mechanism that determines when to activate planned responses to an Intrusion incident.
2. Feedback: information about the effectiveness of other components of the security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.

Audience - The UTSA Intrusion Detection Standard applies to all individuals who are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security.

1. Users shall be trained to report any anomalies in system performance and/or signs of suspected wrongdoing to the Information Security Officer (ISO) at ext. 5899, the Computer Incident Response Team at ext. 7216, the OIT Help Desk at ext. 5538 or to the UTSA Compliance Hotline, 210-877-1888.
2. All suspected and/or confirmed instances of successful and/or attempted intrusions must be reported immediately in accordance with the Incident Management Standard.
3. Operating system, user accounting and application software audit logging processes must be enabled on all host and server systems.
4. Alarm and alert functions of firewalls and other network perimeter access control systems must be enabled.
5. Audit logging of firewalls and other network perimeter access control systems must be enabled.
6. Audit logs from the perimeter access control systems must be monitored/reviewed daily by the system administrator.
7. System integrity checks of the firewalls and other network perimeter access control systems must be performed on a daily basis.
8. Audit logs for servers and hosts on the internal, protected network must be reviewed on a weekly basis. The system administrator must furnish any audit logs as requested by the ISO.
9. Network/host-based intrusion tools will be checked on a daily basis.
10. All trouble reports received by system administration personnel should be reviewed for signs that might indicate intrusive activity.

Network Access Standard

Purpose - The UTSA Network Access Standard establishes the rules for the access and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of UTSA information.

Audience - The UTSA Network Access Standard applies equally to all individuals with access to any UTSA information resource (IR).

1. Users are permitted to use only network IP addresses issued to them by OIT.
2. All remote access (dial-in services) to UTSA will be either through an approved modem pool or via an Internet Service Provider (ISP).
3. Devices attached to the UTSA data network must not have a modem installed.
4. Users inside the UTSA firewall may not be connected to the UTSA network while simultaneously connected via a modem to an external network.
5. Users must not extend or re-transmit network services (i.e., DNS, DHCP, dynamic routing, etc.) in any way. This means one must not install a router, switch, hub, or wireless access point to the UTSA network without OIT approval.
6. Computer systems requiring network connectivity that are not owned or supported by UTSA must conform to UTSA OIT Data Network Standards and IR Security Management Standards and have approval from OIT before connection is made. Users must not install network hardware or software that provides network services without prior approval from OIT.
7. Users must not download, install or run security programs or utilities that reveal weaknesses in the security of a system. For example, UTSA users must not run password cracking programs, packet sniffers, network mapping tools or port scanners while connected in any manner to the UTSA network infrastructure.
8. Users are not permitted to alter network hardware.
9. Firewalls and other enterprise network security measures must be implemented to provide appropriate network security.
10. All network components, including data closets, wiring and fiber, routers, switches, concentrators and hubs must be locked and protected from unauthorized access.
11. Multiple simultaneous online sessions are not permitted (i.e., one User ID equals one log-in session).
12. By connecting to the UTSA network, you imply that you have accepted the terms and conditions set forth in applicable IR Security Policies and Standards.

Network Configuration Standard

Purpose - The UTSA Network Configuration Security Standard establishes the rules for the maintenance, expansion and use of the network infrastructure. These rules are necessary to preserve the integrity, availability and confidentiality of UTSA information.

Audience - The UTSA Network Configuration Standard applies equally to all individuals with access to any UTSA Information Resource.

1. UTSA Office of Information Technology (OIT) is the custodian and is responsible for the UTSA network infrastructure and will continue to manage further developments and enhancements to this infrastructure
2. To provide a consistent UTSA network infrastructure capable of exploiting new networking developments, all cabling must be installed by UTSA OIT or an approved contractor under management by OIT.
3. All equipment that is connected to the network must be configured to specifications approved by UTSA OIT.
4. All hardware connected to the UTSA network is subject to UTSA OIT management and monitoring standards.
5. Changes to the configuration of active network management devices must have the prior approval of UTSA OIT.
6. The UTSA network infrastructure supports a well-defined set of approved networking protocols. Any use of non-sanctioned protocols must be approved by UTSA OIT. The networking addresses for the supported protocols are allocated, registered and managed centrally by UTSA OIT.
7. All connections of the network infrastructure to external third party networks will be the responsibility of UTSA OIT. This includes connections to external telephone networks.
8. UTSA OIT firewalls must be installed and configured following the UTSA Firewall Implementation/Management Standard documentation.
9. The use of departmental firewalls is not permitted without prior written authorization from UTSA OIT.
10. Users must not extend or re-transmit network services in any way. Users must not install a router, switch, hub or wireless access point to the UTSA network without UTSA OIT approval.
11. Users must not install network hardware or software that provides network services without UTSA OIT approval.
12. Users are not permitted to alter network hardware in any way.

Password Standard

Purpose - The UTSA Password Standard establishes the rules for the creation, distribution, safeguarding, termination and reclamation of the UTSA user authentication mechanisms.

Audience - The UTSA Password Standard applies equally to all individuals who use any UTSA information resource (IR).

1. User account passwords must not be disclosed to any other user. OIT staff and contractors will not ask users for their passwords.
2. Users must not circumvent password entry with procedures such as automatic logon, application remembering, embedded scripts or hard-coded passwords in client software. Exceptions may be made for specific applications (for example, automated backup) with the approval of the UTSA Information Security Officer (ISO). If an exception is granted, there must be a procedure in place to change the applicable passwords.
3. OIT Help Desk password change procedures must include the following:
   1. Authenticate the user to the Help Desk (before changing password) by UTSACard or picture ID or the establishment and use of a security question system
   2. Change to a strong password – the requirements are outlined below
   3. Require user to change password at first login
4. All passwords, including initial passwords, must be constructed and implemented according to the University’s IR rules:
   1. it must be routinely changed, according to schedules established by OIT
   2. it must avoid tie-ins to the account owner such as user name, social security number, nickname, relative’s name, birthdate, etc.
   3. it must not be an acronym or a word found in a dictionary.
   4. it must contain at least 8 characters including a mix of upper and lower case characters and have at least 2 numeric characters. The numeric characters must not be at the beginning or the end of the password. Special characters should be included in the password where the computing system permits.
   5. Password history must be kept to prevent the reuse of a password
   6. The display and printing of passwords must be suppressed such that unauthorized personnel will not be able to observe or subsequently recover them.
   7. Stored passwords must be encrypted.
   8. Security tokens (i.e. Smartcard) must be returned on demand or upon termination of the relationship with UTSA.
   9. System administrators must not circumvent the Password Standard for the sake of ease of use.
   10. All vendor supplied/default passwords must be changed before any computer or communications system is connected to the UTSA network
   11. Computing devices must not be left unattended without enabling a password- protected screensaver or by logging off the device.
   12. If the security of a password is in doubt, the password must be changed immediately. In the event passwords are found out or exposed/ discovered, the following steps must be taken:
       1. Take control of the passwords and protect them
       2. Report the discovery to the OIT Help Desk
   13. Passwords must be changed every 90 days.

Physical Access Standard

Purpose - The UTSA Physical Access Standard establishes the rules for the granting, control, monitoring and removal of physical access to information resource (IR) facilities.

Audience - The UTSA Physical Access Standard applies to all individuals within the UTSA enterprise who are responsible for the installation and support of information resources, individuals charged with information resources security and data owners.  The standard applies to multi-user and centralized computing facilities, as well as to individual workstations and kiosks.

1. All physical security systems must comply with all applicable regulations such as, but not limited to, building codes and fire prevention codes.
2. All multi-user computer and communications equipment must be located in locked rooms to prevent tampering and unauthorized use.
3. Access to information resources facilities must be granted only to the UTSA support personnel and contractors whose job responsibilities require access to that facility.
4. The process for granting card and/or key access to information resources facilities must include the approval of the manager of the facility.
5. Each individual who is granted access rights to an information resources facility must receive training in emergency procedures for that facility and must sign the appropriate access and non-disclosure agreements.
6. Access cards and/or keys must not be shared by or loaned to others.
7. Access cards that are no longer required must be returned to the person responsible for the information resources facility. Cards must not be reallocated to another individual, thereby circumventing  the return process.
8. Lost or stolen access cards and/or keys must be reported to the person responsible for the information resources facility.
9. Where possible, cards and/or keys must not have identifying information other than a return mail address.
10. All information resources facilities that allow access to visitors will track that access with a sign in/out log.
11. Card access records and visitor logs for mission-critical IR facilities must be kept for a period of one year for review. Timelines are based upon the criticality of the information resources being protected.
12. Visitors must be escorted while in access-controlled areas of IR facilities.
13. The manager of the IR facility must review access records and visitor logs for the facility on a periodic basis and investigate any unusual access.
14. The manager of the IR facility must review card and/or key access rights for the facility on a periodic basis and remove access for individuals who no longer require access.
15. Signage for restricted access rooms and locations must be practical, yet minimal.  The signs should emphasize the relative importance of security in the location.
16. If the user has access to sensitive information on his/her computer system, the user must not leave their PC, workstation, or terminal unattended without first logging out or invoking a password-protected screen saver.
17. If there has been no activity on a computer terminal, workstation or PC for ten minutes, the system must automatically blank the screen and suspend the session. Reestablishment of the session must take place only after the user has provided the proper password.
18. All information storage media (such as hard disk drives, floppy disks, magnetic tapes and CD-ROMs) containing sensitive information must be physically secured when not in use.

Portable Computing Standard

Purpose - The UTSA Portable Computing Security Standard establishes the rules for the use of mobile computing devices, such as laptops and personal digital assistants (PDAs), and their connection to the network. These rules are necessary to preserve the integrity, availability and confidentiality of UTSA information.

Audience - The UTSA Portable Computing Security Standard applies equally to all individuals who use portable computing devices and access UTSA information resources.

1. Only UTSA-approved portable computing devices may be used to access UTSA information resources.
2. Portable computing devices must be protected by password or other authentication device/process.
3. UTSA data should not be stored on portable computing devices.  However, in the event that there is no alternative to local storage, all sensitive UTSA data must be encrypted using industry-accepted/approved encryption techniques.
4. UTSA data must not be transmitted via wireless methods to or from a portable computing device unless approved wireless transmission protocols, along with approved encryption techniques, are utilized.
5. All remote access (dial-in services) to UTSA must occur through an approved modem pool or via an Internet Service Provider (ISP).
6. User-owned computer systems that require network connectivity must conform to UTSA information security standards and must be approved in writing by the UTSA Information Security Officer (ISO).
7. Unattended portable computing devices must be physically secured.  They must be locked in an office, locked in a desk drawer or filing cabinet, or attached to a desk or cabinet via a cable lock system.

Security Monitoring Standard

Purpose - Security Monitoring provides a means by which to confirm that information resource security controls are in place, are effective and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities.  Early detection and monitoring can prevent possible attacks or minimize their impact on computer systems. Other benefits include Audit Compliance, Service Level Monitoring, Performance Measuring, Limiting Liability and Capacity Planning.  This standard serves as a companion to the Intrusion Detection Standard and provides for the continuous monitoring that takes place at the system level.

Audience - The UTSA Security Monitoring Standard applies to all individuals who that are responsible for the installation of new information resources, the operations of existing information resources and individuals charged with information resource security.

1. UTSA will use automated tools to provide real-time notification of detected wrongdoing and vulnerability exploitation. Where possible, a security baseline will be developed and the tools will report exceptions. These tools will be deployed by the Office of Information Technology to monitor UTSA computers and devices for:
   1. Internet traffic
   2. Electronic mail traffic
   3. LAN traffic, protocols and device inventory
   4. Operating system security parameters
   5. Rogue access points/devices
   6. Installed software on servers and desktops
2. The following files will be checked for signs of illicit activity and vulnerability to exploitation at a frequency determined by risk:
   1. Automated intrusion detection system logs
   2. Firewall logs
   3. User account logs
   4. Network scanning logs
   5. System error logs
   6. Configuration files
   7. Application logs
   8. Data backup and recovery logs
   9. Help desk trouble tickets
   10. Telephone activity – Call Detail Reports
   11. Network printer and fax logs
3. Assigned individuals will monitor the following (at least annually):
   1. Password strength
   2. Unauthorized network devices
   3. Unauthorized personal web servers
   4. Unsecured sharing of devices
   5. Unauthorized modem use
   6. Operating System and software licenses
4. For audit purposes, logs will be archived for a minimum of 90 days.
5. Any security issues discovered will be reported to the ISO for follow-up investigation.

Security Training Standard

Purpose - The Security Training Standard describes the requirements to ensure each user of UTSA information resources receives adequate training on computer security issues.

Audience - The UTSA Security Training Standards applies equally to all individuals who use any UTSA information resource.

1. All new users must attend an approved Security Awareness training class prior to, or within 30 days of, being granted access to any UTSA information resources.
2. All users must sign an acknowledgement form stating they have read and understood UTSA requirements regarding computer security policies and procedures.
3. All users (employees, consultants, contractors, temporaries, etc.) must be provided with sufficient training and supporting reference materials to allow them to properly protect UTSA information resources.
4. The Office of Information Technology (OIT) must prepare, maintain and distribute one or more information security manuals that concisely describe UTSA information security policies and procedures.
5. OIT must develop and maintain a communications process to be able to communicate new computer security program information, security bulletin information and security items of interest.
6. A specialized security class will be provided for departmental systems administrators and others who maintain servers on campus.

Server Hardening Standard

Purpose - The UTSA Server Hardening Standard document describes the requirements for installing a new server in a secure fashion and maintaining the security and integrity of the server and application software.

Audience - The UTSA Server Hardening Standard applies to all individuals who are responsible for the installation of new Information Resources that will be connected to the UTSA network, the operations of existing Information Resources, and individuals charged with Information Resource Security.

1. A server must not be connected to the UTSA network until it is secure, and the network connection has been activated.
   1. Internet traffic
   2. Electronic mail traffic
   3. LAN traffic, protocols and device inventory
   4. Operating system security parameters
   5. Rogue access points/devices
   6. Installed software on servers and desktops
2. In order to harden a server, follow these general steps:
   1. Install the operating system from an OIT-approved source
   2. Apply vendor-supplied patches to keep software properly updated
   3. Remove unnecessary software, system services and drivers
   4. Set security parameters and file protections; enable audit logging
   5. Disable or change the password of default accounts
3. UTSA OIT will monitor security issues -- both internal and external to UTSA -- and will manage the testing and application of patches to affected UTSA core systems managed by OIT.
4. Security patches must be implemented within a reasonable timeframe after their release date. UTSA OIT will make periodic announcements of required patches.
5. The server must run legally licensed versions of the operating system and software.
6. The server must run only necessary services. All unnecessary services should be shut down.
7. After the administrator determines what default accounts are required on a server, all other default accounts must be disabled.
8. The server may not function as a relay for SMTP or other means of relaying non-UTSA related mail; it may not function as an FTP server or Web server without written approval from OIT.
9. The server must comply with all other IR security policies and standards.
10. Servers must authenticate all users using industry-standard procedures to ensure only authorized access to the resource.

Software Licensing Standard

Purpose - The Software Licensing Standard establishes the rules for the use of licensed software on UTSA information resources.  Only properly licensed software is allowed to be installed on UTSA hardware.

Audience - The UTSA Software Licensing Standard applies equally to all individuals who use any UTSA information resources.

1. UTSA makes every effort to provide a sufficient number of licensed copies of standard office software in order to create an effective work environment. If additional licensed copies of software are needed, it is the responsibility of management to make appropriate arrangements with the vendor(s).
2. Copyrighted files, such as mp3 (music) files and/or unlicensed software, must not be stored on UTSA systems or networks.  Systems administrators will remove these files and software unless the involved users can provide proof of authorization from the rightful owner(s).
3. Third-party software ("shareware" or "freeware") residing on UTSA computer systems may not be copied except in accordance with copyright law (17 U.S.C. 117, backup copies) and the End User Licensing Agreement and if management has agreed to allow it.  Copies made for contingency planning purposes are exempt from this prohibition.

Vendor Access Standard

Purpose - The UTSA Vendor Access Standard establishes the rules for vendor access to UTSA information resources (IR) and support services, vendor responsibilities, and protection of UTSA information.

Audience - The UTSA Vendor Access Standard applies to all individuals who are responsible for the installation of new information resources assets and the operations and maintenance of existing information resources.

1. Vendors must comply with all applicable UTSA policies, practice standards and agreements, including, but not limited to:
   1. Safety
   2. Privacy
   3. Security
   4. Auditing
   5. Software Licensing
   6. Acceptable Use
2. Vendor agreements and contracts must specify:
   1. What UTSA information the vendor should have access to
   2. How UTSA information is to be protected by the vendor
   3. The acceptable methods for the return, destruction or disposal of UTSA information in the vendor’s possession at the end of the contract
   4. That the vendor must only use UTSA information and information resources for the purpose of the business agreement
   5. That any other UTSA information acquired by the vendor in the course of the contract cannot be used for the vendor’s own purposes or divulged to others. Vendors must sign a non-disclosure agreement that protects such information.
3. Each vendor must provide UTSA with a list of all employees working on the contract. The list must be updated and provided to UTSA within 24 hours of staff changes.
4. Each on-site vendor employee must acquire a UTSA identification badge that will be displayed at all times while on UTSA premises.  The badge must be returned to UTSA when the employee leaves the contract or at the end of the contract.
5. Each vendor employee with access to UTSA confidential/sensitive information must be approved to access that information in accordance with the applicable IR Security Management Standards.
6. Vendor personnel must report all security incidents directly to the UTSA Computer Incident Response Team at (210) 458-7216.
7. If vendor management is involved in UTSA security incident management, the responsibilities and details must be specified in the contract.
8. Vendors must follow all applicable UTSA change control processes and procedures.
9. Regular work hours and duties will be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate UTSA management.
10. All vendor maintenance equipment on the UTSA network that connects to the outside world -- via the network, telephone line, or leased line -- and all UTSA IR vendor accounts will remain disabled except when in use for authorized maintenance.
11. Vendor access must be uniquely identifiable and password management must comply with the UTSA Password Standard and Admin/Special Access Standard.  Vendor’s major work activities must be entered into a log which will be made available to UTSA management upon request. Logs must include, but are not limited to, such events as personnel changes, password changes, project milestones, deliverables and arrival and departure times.
12. Upon departure of a vendor employee from the contract for any reason, the vendor will ensure that all sensitive information is collected and returned to UTSA or destroyed within 24 hours.
13. Upon termination of contract or at the request of UTSA, the vendor must surrender all UTSA Identification badges, access cards, equipment and supplies immediately.  Equipment and/or supplies to be retained by the vendor must be approved and documented by authorized UTSA management.
14. Vendors are required to comply with all state and UTSA auditing requirements, including the auditing of the vendor’s work.
15. All software used by the vendor in providing service to UTSA must be properly inventoried and licensed.

Virus Protection Standard

Purpose - The computer Virus Detection Standard document describes the requirements for prevention, detection and cleanup of computer viruses, worms and backdoor-Trojan horses.

Audience - The UTSA Computer Virus Detection Standard applies equally to all individuals who use any information resources.

1. All workstations, whether connected to the network or standalone, must use the IT-approved virus protection software.  This standard also applies to home computers and portable computing devices that connect to the UTSA network.
2. The virus protection software must not be disabled or bypassed.
3. The virus protection software settings must not be altered in such a manner that reduces the effectiveness of the software.
4. The software’s automatic update feature must not be altered to reduce the frequency of updates.
5. File servers attached to the network must utilize IT-approved virus protection software.
6. E-mail gateways must utilize IT-approved e-mail virus protection software in accordance with IT rules for the setup and use of this software.
7. Any virus that is not automatically cleaned by the virus protection software constitutes a security incident and must be reported to the Help Desk.

Wireless Communication Standard

Purpose - The Wireless Communication Standard prohibits connection to the UTSA network via unapproved wireless communication mechanisms. Only wireless systems that meet the criteria of this standard are approved for connection.

Audience - The Wireless Communication Standard applies equally to all individuals who use any UTSA Information Resources.

1. All Wireless Access Points/Base Stations connected to the UTSA network must be registered and approved by the Office of information Technology (OIT).  These access points/base stations are subject to periodic penetration tests and audits.
2. All wireless Local Area Network (LAN) access must use UTSA-approved vendor products and security configurations. These products and configurations are subject to change as the campus requirements change and the wireless implementation expands.
3. UTSA data must not be transmitted via wireless methods to or from a portable computing device unless approved wireless transmission protocols, along with approved encryption techniques, are utilized.
4. Radio Frequency (RF) devices, such as cordless phones, must be set up to operate in an RF spectrum other than 2.4 GHz or 5.8 GHz. If the device cannot operate in an alternate range, then OIT must be contacted so that RF channel assignments can be coordinated to minimize the RF interference. RF interference works both ways -- by degrading the performance of Air Rowdy (UTSA's wireless program) as well as the device.