University of Maryland Eastern Shore
Information Technology
Policies and Procedures
Subject: UMES IT Security Program
Effective Date: 08/16/2018
The purpose of this program is to establish a framework necessary to protect University of Maryland Eastern Shore (UMES) data and information systems by implementing a comprehensive IT Security Program. The IT Security Program, as implemented by the Information Technology Department (ITD), will enhance and protect the integrity, confidentiality, and availability of information resources by providing access controls to computing environments and information to authorized users.
1. Planning for Security
o Vulnerability Assessment
o Consultation Services
2. Designing for Security
o System Hardware and Application Architecture
o Firewall Hardware/Software
3. Access Control
o Physical Security
o Virtual Desktop Services
o Authentication/Authorization
o Identity Management
4. Monitoring & Response
o Intrusion Prevention and Detection
o Incident Reporting and Response
o Patch Diligence
o Disaster Recovery Planning
5. End User Diligence
o IT Security Awareness and Training
o E-mail Filtering (Spam & Virus), White Lists/Black Lists
o Risk Alerts - Viruses, Phishing Scams
o IT Security Officer
o IT Related Policies/Standards
o Intellectual Property (IP)/Illegal File Sharing Policy
PLANNING FOR SECURITY
The Information Technology Department provides consultation services for UMES
During the system development process, security architecture of the desired system is designed after completion of a security assessment in order to refine logical and physical security components to include:
• Logical architecture: Includes processes, technology and people and consists of system perimeter security, risk and threat analysis, incident response, antivirus policy, security administration, Disaster Recovery Plans (DRP), data security, application security, and infrastructure security.
In order to promote and maintain the security of University of Maryland Eastern Shore (UMES) data and its network infrastructure, firewalls have been strategically installed as part of the overall network architecture. Requests for opening or closing specific firewall ports to support applications are reviewed, researched, and acted upon by the Information Technology Department, which manages this service. Modifications to security protocols are made only upon review of requirements to ensure all changes meet UMES Security standards.
As part of a comprehensive security program, physical security of information technology assets includes placement of equipment in locations with controlled access, as well as locations less likely to be impacted by floods, fires, and other calamities. Physical security also includes access to back-up power supplies where applicable.
Assets within the data center secured under this policy are listed in the UMES Disaster Recovery Plan (DRP). Risks associated with these assets are addressed in the University of Maryland Eastern Shore Disaster Recovery Plan.
As part of maintaining access control, UMES is responsible for:
University of Maryland Eastern Shore (UMES) employs a centralized and integrated means of identity management for faculty, staff, and students. Identity management includes the provisioning of network accounts to new faculty, staff, and students, as well as role management, account termination, and password resets and synchronization.
MONITORING & RESPONSE
Intrusion Prevention and Detection
All University of Maryland Eastern Shore system users shall be provided an overview of fundamental security practices in use at UMES in order to minimize risk when using IT systems. The training shall include a discussion including, but not limited to:
Passwords - The use of strong passwords.
Usernames - In conjunction with a valid password, the use of a unique identifier that will provide access to authorized systems.
Screen Saver Locks - Users shall be encouraged to utilize automated screen savers that employ a lock that requires them to enter a password after a period of inactivity.
Sensitive information - Protection of sensitive information.
Logoff - Protection of assets and information through timely system logoff.
Use by Proxy - Users shall be reminded never to access systems on behalf of someone else by logging into systems with another individual’s username and password.
Users shall not copy, download, store, or share unauthorized copyrighted material (e.g. music and videos) on UMES computers, IT systems or networks. In addition, users shall not engage in the sharing of copyrighted material through the use of peer-to-peer networks.
All members of the campus community including faculty, staff, and students shall:
• Observe the copyright law as it applies to music, videos, games, images, texts and other media in both personal and academic use.
• Be aware that file sharing in violation of copyright is prohibited.
• Not use, copy, or share copyrighted works unless possessing a legal right to do so.