1.00 GENERAL

1.01 Under the provisions of the Information Resources Management Act, Information Resources are strategic assets of the State of Texas that must be managed as valuable state resources. These procedures are established to achieve the following:

• To ensure compliance with applicable statutes, regulations, and mandates regarding the management of information resources.

• To establish prudent and acceptable practices regarding the use of information resources.

• To educate individuals who may use information resources with respect to their responsibilities associated with such use.

Violation of these procedures may result in disciplinary action up to and including termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of the Texas Cooperative Extension (Extension) and other Agriculture Program Information Resources access privileges, civil, and criminal prosecution.

A. Owner of an Information Resource – A person responsible for a business function and for determining controls and access to information resources supporting that business function. For Extension, the Director is the owner of all information resources in the agency.

B. Custodian of an Information Resource – A person responsible for implementing owner-defined controls and access to an information resource. For Extension, accountable property officers are the designated custodians of all information resources for which they are responsible.

C. User of an Information Resource – An individual or automated application authorized to access an information resource in accordance with the owner-defined controls and access rules.

D. Information Resource facilities - The physical infrastructure associated with supporting, managing and providing computing services to Agriculture Program customers.

1.03 Responsibilities

A. The Head, Information Technology is responsible for the dissemination, interpretation, and administration of these procedures. The Head, Information Technology must:

1. Develop and maintain written procedures necessary to ensure implementation of and compliance with these procedures.

2. Provide appropriate support and guidance to assist employees to fulfill their responsibilities under these procedures.

B. Custodians at all levels of the organization must:

1. Ensure that all appropriate personnel are aware of and comply with these procedures.

2. Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe these procedures.

1. Perform the review of system logs at regular intervals.

2. Schedule penetration tests as warranted by the importance of the data processed by the application.

3. Report security incidents as they are identified. Incidents should be reported to securityhelp@ag.tamu.edu.

C. Owners at all levels of the organization must:

1. Identify IT services/resources critical to the operation of the business and convey that information to the custodians.

D. Users at all levels (including staff, guests or visitors) of the organization must:

1. Follow requirements for Physical security in section 2.01 of this document

2. Follow requirements for Computer Software Use and installation, copyrights and license agreements in section 3.01 of this document

3. Follow requirements for Accounts and passwords in sections 4.01, 4.02 and 4.03 of this document

4. Follow requirements for Internet and e-mail use in section 5.01 of this document.

5. Follow Acceptable Use regulations in section 5.03 of this document

6. Follow Unacceptable Use rules in section 5.04 of this document

7. Follow Computer virus protection requirements in section 6.02 of this document

8. Follow Backup and recovery guidelines in section 7.01 of this document

1.04 Terms of use
A. Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of Extension are the property of the agency.

2.00 PHYSICAL SECURITY

It is agency policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

2.01 User Responsibilities:

A. Protect information resources in proportion to the value to the Agriculture Program office.

B. Physical access to all Agriculture Program information resources shall be documented and managed.

C. Access to Agriculture Program Information Resource faclities shall be granted only to departmental personnel, vendors and other authorized personnel whose job responsibilities require access to the facility.

D. Security access codes, access cards, and or keys to Agriculture Program information resource facilities shall not be shared or loaned to others.

E. Appropriate departmental personnel responsible for the physical security of Agriculture Program information resources shall review access rights for the facility on a periodic basis and revoke access for individuals that no longer require such access.

F. Diskettes, CDs, tapes, or DVDs should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.

G. Diskettes, CDs, tapes, or DVDs should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.

H. Diskettes, CDs, tapes, DVDs and printed content that contain confidential information (such as personel identity numbers, names, addresses, credit card numbers, social security numbers) should be properly disposed of. If you are not aware of where a shredder is located for your office, please ask one of the senior staff members.

I. Critical computer equipment such as file servers or network servers must be protected by an uninterruptible power supply (UPS). Other computer equipment should be protected by a UPS or a surge suppressor if at all possible.

J. Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.

K. Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.

3.00 COMPUTER SOFTWARE USE AND INSTALLATION, COPYRIGHTS AND LICENSE AGREEMENTS

Users of Extension information resources will comply with all laws regarding intellectual property. Further, installation and operation of certain non-business software, even if freeware or properly licensed, can result in poor performance of legitimate business software.Extension is legally bound to comply with the Federal Copyright Act (Title 17 of the U. S. Code: http://www4.law.cornell.edu/uscode/17/) and all proprietary software license agreements. Noncompliance can expose Extension and the responsible user(s) to civil and/or criminal penalties.This directive applies to all software that is owned by, licensed to, or developed using Extension resources by employees or non-employee users of Extension information resources.

3.01 Users Shall:

A. Install on agency computers only that software which is licensed to, owned by Extension, or recognized as 'legitimate use' and supported by IT staff. Additionally, the license covers installation on the employee’s specific computer.

B. Copy software only if authorized by the specific license agreement governing that software.

C. Install on agency computers only software which has a business or computer maintenance purpose. As such, use of unapproved screen savers, internet chat, and other software which has a personal purpose should be avoided. Extension Information Technology approved software is available at: http://eit.tamu.edu/tnt/TNTApril05.htm#free

D. Maintain documentation, original media, or other forms of evidence necessary to demonstrate that software installed on agency computers is properly licensed for the specific machines on which it is installed. Such documentation or media should be stored in a binder, pocket file folder, zip lock bag, or other such storage device, and kept in the immediate vicinity of the computer. IT support personnel reserve the right to remove any unlicensed software from any computer system. If such action is taken, the support person will notify the employee and respective supervisor.

4.00 ACCOUNTS AND PASSWORDS

The confidentiality and integrity of data stored on agency computer systems must be protected by access controls to ensure that only authorized users have access. This access shall be restricted to only those capabilities that are appropriate to each user's job duties.

4.01 Account Management Guidelines

A. All accounts created must have an associated request and approval signature on file using the Network Users Form: (http://eit.tamu.edu/network/ntfrm112.pdf) The approval must be made by the appropriate information resource custodian or a designated representative.

B. All accounts must be uniquely identifiable using the assigned user name.

1. computer accounts are not to be shared

C. Accounts will not be created for functional or group use unless the Network Users Form is accompanied by statement signed by the unit head or administrator certifying that an analysis has been made of the risks associated with such access, that steps are being taken to mitigate those risks, that safeguards are in place to assure the risk is minimized, and that there is a real organizational benefit to implementing such account and not simply a matter of personal convenience.

D. All passwords for accounts must be constructed in accordance with the password guidelines at http://eit.tamu.edu/passwordinfo/passwords.htm

E. System Administrators and other designated staff:

1. are responsible for modifying the accounts of individuals that change roles or are separated from their relationship with the Agriculture Program

2. must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes

3. must have a documented process for periodically reviewing existing accounts for validity

4. will remove accounts that cannot be associated with active, recoginzed retired employees or other entity currently supporting Agriculture Programs

5. must provide a list of accounts for the systems they administer when requested by authorized Agriculture Program administrators.

6. must cooperate with authorized administrators investigating security incidents.

4.02 Password Standards

A. All passwords should be constructed and maintained according to the following guidelines:

1. be routinely changed as outlined subsection G below

2. be at least 8 characters in length

3. be a combination of upper and lower case alpha and numeric (and or special) characters

4. not be anything that can easily tied back to the account owner such as: user name, social security number, nickname, relatives’ names, birth date

5. not be dictionary words or acronyms

6. not be the same passwords used for personal accounts with services like Yahoo, MSN, AOL, Hotmail, etc.

B. User account passwords should not be divulged to anyone nor displayed in a publically accessible area. IT support personnel will only ask for user account passwords when necessary to resolve a specific problem.

C. If the security of a password is in doubt, the password must be changed immediately.

D. System administrators must not circumvent the password guidelines for the sake of ease of use.

E. Users should not circumvent password entry with such means as auto logon, auto-complete (also known as 'password remembering'), embedded scripts or hardcoded passwords in client software. Exceptions may be made for specific applications (like automated backup).

F. Computing devices should not be left unattended without enabling a password protected screen saver or logging off of the device.

G. System administrator password change procedures must include the following:

1. authenticating the user before changing the password.

2. changing to a strong password as described in password guidelines at http://eit.tamu.edu/passwordinfo/passwords.htm .

3. requesting the user to change the password after the next login.

4.03 Each user:

A. Shall be responsible for all computer transactions that are made with his/her User ID and password.

B. Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.

C. Should use passwords that will not be easily guessed by others.

D. Should log out or activate a password protected screen saver when leaving a workstation for an extended period. EIT recommends that an inactivity period of no more than 10 minutes be used before a keyboard lock takes place.

4.04 Employee departures

Within two (2) business days, information resource custodians must notify EIT through submission of a Network Users Form of user transfers and terminations for all users within their respective units. The Agriculture Program Human Resources office should provide EIT with a monthly report of employee transfers and terminations as reflected in BPP reports. When involuntary terminations occur, these notifications must be submitted concurrent with the termination.

1. Excepting email and server access for retirees, all access Ag program information resources and offices are to be surrendered at the time of employee departure. This includes all physical access to information resources.

4.05 Verification of account removal

The agency Information Security Officer will implement a process to periodically monitor compliance with rules regarding both the establishment of accounts as well as the termination of accounts. The results of such periodic monitoring will be documented and provided to the agency Information Resource Manager annually.

5.00 INTERNET AND E-MAIL

The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e-mail.

Access to the Internet is provided to users for the benefit of Extension and its customers. Users are able to connect to a variety of educational information resources around the world.

The Internet is also replete with risks and inappropriate material. To ensure that all users are responsible and productive Internet users and to protect Extension’s interests, users will adhere to the following are guidelines when using the Internet and e-mail :

5.01 Users who access the Internet for e-mail shall:

A. Ensure that all communications are for professional reasons and that they do not interfere with their productivity.

B. Be responsible for the content of all text, audio, or images that they place or send over the Internet. All official external communications should have the employee's name and contact information included as a signature block. If the communications is personal in nature, the message should include a disclaimer statement indicating that the content of the message does not represent Extension or any other agency of the Agriculture Program.

C. Not transmit copyrighted materials without permission.

D. Run a virus scan on any file(s) received through the Internet.

E. Not click on any e-mail attachment that is sent from an unknown source.

F. Avoid transmission of private customer or employee information. If it is necessary to transmit private information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use.

G. Understand that e-mail is not a private or secure form of communication and may be viewed in accordance with paragraph 1.04 - terms of use.

5.02 File ownership and permissions

Users accessing the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by Extension and/or legal action by the copyright owner.

5.03 Acceptable Use:

Users accessing the Internet are representing Extension. Users are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner.

Examples of acceptable use are:

A. Using Web browsers to obtain educational information from commercial, governmental, and educational Web sites.

B. Accessing databases for information as needed to support official business.

C. Using e-mail for official business communication.

D. Using web browsers to access agency databases and reporting systems.

E. Setting up web servers for educational or organizational purposes.

5.04 Unacceptable Use:

Users must not access the Internet for purposes that are illegal, unethical, harmful to Extension, or nonproductive.

Examples of unacceptable use are:

A. Sending or forwarding chain e-mail, i.e., messages containing instructions to forward the message to others.

B. Using Extension resources for personal use, except to the extent allowed as "incidental personal use" as defined in System Policies & Regulations. - http://rules-saps.tamu.edu/PDFs/33.04.99.M3.pdf

C. Using Extension resources to promote, or give the appearance of promoting, a personal business; e.g., providing a hypertext link to a family member’s business.

D. Transmitting any content that is offensive, harassing, fraudulent; e.g., pornographic, sexually harassing, "get rich quick" materials or disruptive to computer systems.

6.00 COMPUTER VIRUS PROTECTION

Computer viruses, trojans, worms, spyware, and other such malicious applications are programs designed to make unauthorized changes to programs and data, and therefore, can cause destruction of agency resources. While technically not the same, the term "virus" will be used below to refer to this general class of destructive software.

It is important to know that:

A. Computer viruses are much easier to prevent than to cure.

B. Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus-scanning software.

6.01 The Extension Information Technology (EIT) department shall:

A. Assist users with the acquisition, installation, and maintenance of appropriate antivirus software on all computers.

B. Notify all users of imminent virus attacks, providing them guidance on how to respond, destroy any virus detected, and document each incident

6.02 Users Shall:

A. establish password protection for access to information resources.

B. not load diskettes, flashdrives or other removable media of unknown origin.

C. scan incoming diskettes, flashdrives or other removable media for viruses before they are read.

D. IMMEDIATELY disconnect workstations from any network to which they may be connected, run available up-to-date virus scanning software, and notify appropriate computer support personnel if it is suspected that their workstations have been infected by viruses.

E. not connect any web or file servers to the network until they are reasonably certain that they have applied all available software patches and have configured all security settings in the software to the most secure level possible given the purpose and function of the server. If possible, isolated security screening of these servers should be done prior to connecting them to the network. Users are also expected to patch the operating system on desktop or personal computers at regular intervals and or as the updates are provided by the software manufactures.

F. not use nor access any e-mail system other than the GroupWise system administered by Extension Information Technology unless they have installed and keep up to date the latest virus scanning software and security patches available for this alternative e-mail system.

G. not use any internet chat software capable of transferring files unless they have installed and keep up to date the latest virus scanning software and security patches available for that software.

All electronic information considered of institutional value should be copied onto backup storage media on a regular basis (i.e., backed up) for disaster recovery and business continuity purposes. This section outlines the minimum requirements for the creation and retention of backups. Special backup needs identified through risk analysis which exceed these requirements should be accommodated on an individual basis.

7.01 User Responsibility:

Users are individually responsible for providing adequate primary backups to ensure the recovery of institutional data and systems in the event of failure or loss. These backup provisions allow Extension business processes to be resumed in a reasonable amount of time with minimal loss of data. Since hardware and software failures can take many forms, and may occur over time, multiple generations of institutional data backups should be maintained.

7.02 General Guidelines:

A. Backups of institutional data should be retained such that systems are fully recoverable. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.

B. The frequency of backups is determined by the volatility of the data; the retention time for backup copies is determined by the criticality of the data. At a minimum, backups should be retained for 14 days.

C. At least two copies of the data should be maintained.

D. At a minimum, one fully recoverable version of all critical data and any required restoration and application software must be stored in a secure, off-site location. Off site location means any location which is not likely to be subject to the same catastrophic event (fire, flood, tornado, etc.) as the primary site.

E. Derived data (i.e., data calculated from a raw data source) should be backed up only if restoring it is more efficient that recreating it from the original source.

F. Critical information used on workstations may be placed on networked file server drives to allow for secondary backup. Likewise, critical information used on a networked file server may be placed on individual workstations to allow for secondary backup.

G. Backup documentation must include identification of critical data, programs, documentation, and support items necessary to perform essential tasks during a recovery process.

H. Documentation of the restoration process must include procedures for the recovery from single-system or application failures or loss as well as a total center or department disaster scenario.

I. Backup and recovery documentation should be reviewed and updated periodically to account for new technology, business changes, and migration of applications to alternative platforms.

J. Recovery procedures should be tested on a periodic basis, but no less than annually.

8.00 MANAGEMENT CONTROLS

8.01 Change Management

A. General. Change management procedure describes the requirements for managing changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow-up evaluation to reduce negative impact to the user community and to increase the value of information resources.

B. Controls and Responsibilities

1. Every change to Extension Information Resources resource such as operating systems, computing hardware, networks, and applications is subject to the change management procedure.

2. Users shall be notified of each scheduled or unscheduled change.

3. A review shall be performed for each change, whether scheduled or unscheduled, and whether successful or not.

4. A change management log shall be maintained for all changes. The log shall contain, but is not limited to:

* Date of change
* Nature of the change
* Indication of success or failure.

5. The Agency Director delegates responsibility to all unit heads or their equivalent to ensure that Extension change management security procedures are implemented in their respective divisions.

8.02 Incident Management

A. General. This section describes the requirements for dealing with computer security incidents. Security incidents include, but are not restricted to: malicious code detection, unauthorized use of computer accounts and computer systems, theft of computer equipment or theft of information, accidental or planned disruption or denial of service as well as complaints of improper use of information resources as outlined in the security monitoring procedures, the intrusion detection procedures, the internet/intranet procedures, and the acceptable use procedures.

B. Controls and Responsibilities

1. Whenever a security incident is suspected, the appropriate incident management procedures must be followed. Incidents involving Ag Program IT services, should be reported at http://shasta.tamu.edu/SIRS

2. The information security officer is responsible for notifying the agency director and initiating the appropriate action including restoration as defined in the incident management procedures.

3. The information security officer is responsible for initiating, completing, and documenting the incident investigation.

4. The information security officer shall report the security incidents that may involve criminal activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications Crimes) to Extension Associate Director for Finance and Administration.

5. If fraud or theft is suspected as part of security incident detection, the person detecting the incident shall follow System Policy 21.04 Control of Fraud and Fraudulent Actions.

6. The information security officer is responsible for reporting the incidents to Department of Information Resources as outlined in Texas Administrative Code 202.

8.03 Intrusion Detection

A. General. Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information systems grow in complexity, effective security systems must evolve. With the proliferation of the number of vulnerability points introduced by the use of distributed systems some type of assurance is needed that the systems and network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources:

1. Feedback: information as to the effectiveness of other components of the security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.

2. Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.

B. Controls and Responsibilities.

1. Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.

2. Alarm and alert functions and audit logging of any firewalls and other network perimeter access control systems shall be enabled.

3. Audit logs from the perimeter access control systems shall be monitored and reviewed periodically by the system administrator.

4. System integrity checks of the firewalls and other network perimeter access control systems shall be performed on a routine basis.

5. Audit logs for servers and hosts on the internal, protected, network shall be reviewed on a routine basis.

6. All suspected and/or confirmed instances of successful and/or attempted intrusions shall be immediately reported according to the incident management procedures.

8.04 Network Configuration

A. General. Extension network infrastructure is provided by Texas A&M University and TTVN. It is important that the infrastructure, which includes cabling and the associated 'active equipment', continues to develop with sufficient flexibility to meet Extension demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services. The purpose of Extension network configuration procedures is to establish the process for the expansion and use of the network infrastructure.

B. Controls and Responsibilities.

1. Texas A&M University and TTVN owns and is responsible for Extension network infrastructure and will continue to manage further developments and enhancements to this infrastructure.

2. All network connected equipment shall be configured to a specification approved by Texas A&M University or TTVN, as appropriate.

3. Users shall not extend or re-transmit network services in any way. This means a user shall not install a router, switch, hub, or wireless access point to the network without Texas A&M University or TTVN approval.

4. Users shall not install network hardware or software that provides network services without Texas A&M University or TTVN approval.

5. Users shall not alter network hardware in any way.

8.05 Portable Computing

A. General. Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices. The purpose of Extension portable computing security procedures is to establish the process for the use of mobile computing devices and their connection to the network.

B. Controls and Responsibilities.

1. Portable computing devices (including laptops, or PDAs) shall be protected from unauthorized access by passwords or other means where possible.

2. All sensitive Agriculture Program data stored on portable computing devices shall be encrypted using approved encryption techniques.

3. Extension data shall not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized.

4. All remote access (dial in services) to Extension shall be either through an approved modem pool or via an Internet Service Provider (ISP).

5. Non-Extension computer systems that require network connectivity shall conform to Extension Network Connectivity Standards.

6. Unattended portable computing devices shall be kept physically secure.

8.06 Security Monitoring

A. General. Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of: user account logs, application logs, data backup recovery logs, automated intrusion detection system logs, etc. The purpose of the security monitoring policy is to ensure that information resource security controls are in place, are effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. The security monitoring procedure applies to all individuals that are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security. System administrators are required to report security events detected during the security monitoring process.

Examples of security events include (but are not limited to):

Denial of Service

– An attacker sends specially crafted packets to a Web server, causing it to crash.
– An attacker directs hundreds of external compromised workstations to send as many Internet Control Message Protocol (ICMP) requests as possible to the organization’s network.


Malicious Code

– A worm uses open file shares to quickly infect several hundred workstations within an organization.
– An organization receives a warning from an antivirus vendor that a new virus is spreading rapidly via e-mail throughout the Internet. The virus takes advantage of a vulnerability that is present in many of the organization’s hosts. Based on previous antivirus incidents, the organization expects that the new virus will infect some of its hosts within the next three hours.

Unauthorized Access


– An attacker runs an exploit tool to gain access to a server’s password file.
– A perpetrator obtains unauthorized administrator-level access to a system and then threatens the victim that the details of the break-in will be released to the press if the organization does not pay a designated sum of money.

Inappropriate Usage


– A user provides illegal copies of software to others through peer-to-peer file sharing services.
– A person threatens another person through e-mail.

B. Controls and Responsibilities.

1. Automated tools shall provide real time notification of detected wrongdoing and vulnerability exploitation. Where possible a security baseline shall be developed and the tools shall report exceptions. These tools shall be deployed to monitor:

* Electronic mail traffic
* LAN traffic, protocols, and device inventory
* Operating system security parameters

2. Where possible, the following files shall be checked for signs of wrongdoing and vulnerability exploitation at a frequency determined by risk:

* Automated intrusion detection system logs
* Firewall logs
* User account logs
* Network scanning logs
* System error logs
* Application logs
* Data backup and recovery logs

3. Where possible, the following checks shall be performed at least annually by assigned individuals:

* Password strength
* Unauthorized web servers
* Unauthorized file sharing
* Operating System and Software Licenses

4. Any significant security issues discovered and all signs of wrongdoing shall be reported according to incident management procedure. See section 8.02 for details on the incident reporting process.

8.07 Platform Hardening

A. General. Servers are relied upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service. The purpose of Extension server hardening procedures is to describe the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software.

B. Controls and Responsibilities.

1. System Administrators shall install the operating system only from an information resources approved source.

2. System Administrators shall apply vendor supplied patches.

3. System Administrators shall remove unnecessary software, system services, and drivers.

4. System Administrators shall set security parameters, file protections and enable audit logging.

5. System Administrators shall disable or change the password of default accounts.

8.08 Systems Development and Acquisition

A. General. The purpose of the system development procedure is to describe the requirements for developing and/or implementing new application software in Extension. This procedure is designed according to Texas Administrative Code Rule 202.7 - Information Resources Security Safeguards, section Security Policies.

B. Controls and Responsibilities

1. Extension Information Technology is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) plan for Extension system development projects. All software developed in-house which runs on production systems shall be developed according to the SDLC plan. At a minimum, this plan shall address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post-implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used for critical Extension information.

2. All production systems shall have designated Owners and Custodians for the critical information they process. EIT shall perform periodic risk assessments of production systems to determine whether the controls employed are adequate.

3. All production systems shall have an access control system to restrict who can access the system as well as restrict the privileges available to these users. A designated access control administrator, who is not a regular user on the system in question, shall be assigned for all production systems.

4. Where resources permit, there shall be a separation between the production, development, and test environments. This ensures that security is rigorously maintained for the production system, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff shall not be permitted to have access to production systems.

8.09 Vendor Access

A. General. Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs, they correct software and operating systems problems, they can monitor and fine tune system performance, they can monitor hardware performance and errors, they can modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to Extension. The purpose of Extension vendor access procedures is to establish the process for vendor access to Extension information resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of Extension information. Extension vendor access procedure applies to all individuals who are responsible for the installation of new information resources assets, and the operations and maintenance of existing information resources and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.

B. Controls and Responsibilities.

1. Vendors shall comply with all applicable Extension policies, practice standards and agreements, including, but not limited to:

* Safety Policies
* Privacy Policies
* Security Policies
* Auditing Policies
* Software Licensing Policies
* Acceptable Use Policies

2. Vendor agreements and contracts shall specify:

* Extension information the vendor should have access to
* How Extension information is to be protected by the vendor
* Acceptable methods for the return, destruction or disposal of Extension information in the vendor's possession at the end of the contract.
* The Vendor shall only use Extension information and information resources for the purpose of the business agreement
* Any other Extension information acquired by the vendor in the course of the contract cannot be used for the vendor's own purposes or divulged to others

3. Extension shall provide an information resources point of contact for the vendor. The point of contact will work with the Vendor to make certain the Vendor is in compliance with these policies.

4. Each vendor shall provide Extension with a list of all employees working on the contract. The list shall be updated and provided to Extension within 24 hours of staff changes.

5. Each vendor employee with access to Extension sensitive information shall be cleared to handle that information.

6. Vendor personnel shall report all security incidents directly to the appropriate Extension personnel.

7. If vendor management is involved in Extension security incident management, the responsibilities and details shall be specified in the contract.

8. Regular work hours and duties shall be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate Extension management personnel.

New employees will receive training on information security measures and requirements and be required to acknowledge receipt and acceptance of the provisions of this rule, by signing Agriculture Program Form AG-415, Employee In-Processing Acknowledgment. All employees are expected to review and acknowledge the provisions of this rule on an annual basis, and will do so through classes offered in HRConnect, the online HR site of the TAMUS Human Resources office. Non-employee users of Extension information resources will be issued a copy of these information security guidelines and required to sign an acknowledgment form prior to being granted access to Extension information resources. Questions concerning this procedure should be directed to Extension Information Technology at 979-845-9689

10.00 ADMINISTRATOR/SPECIAL ACCESS

Technical support staff, security administrators, system administrators and others may have special access account privilege requirements compared to typical users. Administrator accounts and other special access accounts have extended and overarching privileges in comparison with typical users. Thus, the granting, controlling and monitoring of these accounts is extremely important to an overall security program. The purpose of the University administrator/special access management procedure is to establish the process for the creation, use, monitoring, control and removal of accounts with special access privilege.

1. TAMU departments shall maintain a list(s) of personnel who have administrator, or special access accounts for departmental information resources systems. The list(s) shall be reviewed at least annually by the appropriate department head, director, or their designee.

2. Electronic files, including e-mail, created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of Extension are not private and may be accessed by supervisors, administrative heads, authorized administrative personnel, and Agriculture Program Information Technology (IT) employees during the course of their duties or when authorized by the owner or custodian at any time without knowledge of the Information Resources user. Electronic file content may be accessed by appropriate personnel in accordance with the provisions and safeguards provided in the Texas Administrative Code 202, Information Resource Standards. Information, including e-mail files may also be subject to disclosure under the Texas Public Information Act and/or during the discovery phase of a lawsuit.

3. In the course of their normal duties to assure the availability, integrity, utility, authenticity, and confidentiality of IT resources, administrators with special access privileges may routinely access descriptive data to investigate various events related to the performance or security of those resources. Personnel from Computing and Information Services (e.g., CIS Network Group) may also routinely investigate events related to the performance and secure operation of the TAMU network. System Administrators may at times also access user data in maintaining the operational integrity and security of information resources. System Administrators shall, however, maintain the confidentiality of user data to the extent possible and not divulge user data except to authorized University officials (such as described in section 4 below).

4. Use of special access privileges to conduct investigations related to user data shall be directed by:


4.1 Appropriate University management personnel (e.g., Department Head, Dean, Director, Vice President, etc.);

4.2 University officials conducting investigations (e.g., System Internal Audit, Office of General Council, Designated Officer conducting inquiry investigating possible misconduct in research or scholarship, Investigating Authority in a sexual harassment investigation, investigation of Student Rules violations, or representatives of Information Technology Issues Management (ITIM) of Computing and Information Services (CIS), etc.)


Prior to conducting such investigations, the individual with administrator/special access will consult with Information Technology Issues Management (ITIM).

11.00 PRIVACY Privacy policies are mechanisms used to establish the responsibilities and limits for system administrators and users in providing privacy in university information resources. The University has the right to examine information on information resources which are under the control or custody of the University. The general right to privacy is extended to the electronic environment to the extent possible. However, there should be no expectation of privacy beyond that which is expressly provided by applicable privacy laws. Privacy is limited by the Texas Public Information Act, administrative review, computer system administration, and audits.

1. Privacy of information shall be provided to users of university information resources consistent with obligations of Texas and Federal law and/or secure operation of university information resources.

2. In the normal course of their duties, system administrators may examine user activities, files, electronic mail, and printer listings to gather sufficient information to diagnose and correct problems with system software or hardware.

2.1. In order to protect against hardware and software failures, backups of all data stored on university information resources may be made. System administrators have the right to examine the contents of these backups to gather sufficient information to diagnose and correct problems with system software or hardware. It is the user's responsibility to find out retention policies for any data of concern.

2.2. The organization unit head may designate certain individuals or functional areas who may monitor user activities and/or examine data solely to determine if unauthorized access to a system or data is occurring or has occurred. If files are examined, the file owner will be informed as soon as practical, subject to delay in the case of an on-going investigation.

2.3. Files owned by individual users are to be considered as private, whether or not they are accessible by other users. The ability to read a file does not imply consent to read that file. Under no circumstances may a user alter a file that does not belong to him or her without prior consent of the file's owner. The ability to alter a file does not imply consent to alter that file.

2.4. Some individually owned files are by definition open access. Examples include Unix plan files, Web files made available through a system-wide facility and files made available on an anonymous ftp server. Any authorized user that can access these files may assume consent has been given.

3. If access to information is desired without the consent and/or knowledge of the file owner or if inappropriate use of TAMU information resources is suspected, files may be reviewed without the consent and/or knowledge of the file owner if that review is part of the process of Rule 32.01.99.M1, Complaint Procedures for Electronic Information.

4. If criminal activity is suspected, the UPD or other appropriate law enforcement agency must be notified. All further access to information on university information resources must be in accordance with directives from law enforcement agencies.

5. Information resource owners or custodians will provide access to information requested by auditors in the performance of their jobs. Notification to file owners will be as directed by the auditors.

6. Other than exceptions in 2.2, 2.3, 2.4 and 5, access to information by someone other than the file owner requires the owner’s explicit, advance consent.

7. Unless otherwise provided for, individuals whose relationship with the university is terminated (e.g., student graduates; employee takes new job; visitors depart) are considered to cede ownership to the information resource custodian. Custodians should determine what information is to be retained and delete all other.

8. The university collects and processes many different types of information from third parties. Much of this information is confidential and shall be protected in accordance with all applicable laws and regulations (e.g., Gramm-Leach-Bliley Act, Texas Administrative Code 202).

9. Individuals who have special access to information because of their position have the absolute responsibility to not take advantage of that access. If information is inadvertently gained (e.g., seeing a copy of a test or homework) that could provide personal benefit, the individual has the responsibility to notify both the owner of the data and the organizational unit head.

10. University web sites available to the general public shall contain a Privacy Statement such as that found at http://www.tamu.edu/home/statements/privacy.html

11. Users of TAMU information resources shall call CIS Helpdesk (845-3800) to report any compromise of security which could lead to divulging confidential information including, but not limited to, posting social security numbers to the internet.