Computing and Information Services
Network Group

Texas A&M University
Computer Security Policy

December 9, 1994

Policy Applicability

The Computer Security Policy applies to all Texas A&M University personnel accessing mission critical applications and computer systems supporting mission critical applications operated by Computing and Information Services.

The Computer Security Policy also applies to the Texas A&M University System member personnel when they access mission critical applications and computer systems supporting mission critical applications operated by Computing and Information Services.

Texas A&M University information security policies and standards apply to Information Resources owned by others, such as state agencies, political subdivisions of the state, or federal government agencies, in those cases where a contractual or fiduciary duty exists to protect the resources while in the custody of Texas A&M University Computing and Information Services. In the event of a conflict, the more restrictive security measures apply.

These policies and procedures may serve as useful guidelines for departmental LAN administrators, as appropriately defined by department administration.


Policy Statements

It is the policy of Texas A&M University that:

  • Information Resources are valuable assets and unauthorized use, alteration, destruction, or disclosure of these assets is a computer-related crime, punishable under Texas statutes and federal laws which are summarized in Appendix J, Computer Security Rules, Regulations, and Laws.

  • Attempting to circumvent security or administrative access controls for Information Resources is a violation of this policy. Assisting someone else or requesting someone else to circumvent security or administrative access controls is a violation of this policy.

  • Information Resources may be used only for official purposes.

  • Persons using Information Resources will acknowledge compliance with the Computer Security Policy when logonids and passwords are assigned, and in some cases, when an administrative application is accessed. Examples of such an acknowledgment are contained in Appendices F, G, and H.

  • Violations of the Computer Security Policy will be reported to the Texas A&M University Computer Security Officer.

  • Violations of the Computer Security Policy that may be violations of state and federal laws will be reported to the University Police Department.

  • Persons violating the Computer Security Policy will be subject to appropriate administrative and criminal sanctions.

  • All employees will receive the Computer Security Policy Summary Statement. All new employees will receive a copy from either the Human Resources Department or the Student Financial Aid office. The summary statement is contained in Appendix M, Computer Security Policy Summary Statement.

  • Logonids and passwords must control access to all Information Resources except for those specific resources identified as having public access such as the On-Line Public Access Catalog of the NOTIS Library System.

  • Passwords must be changed periodically by the logonid owner. All Information Resources used for mission critical applications will require passwords to be changed at least every 90 days.

  • The logonid owner is responsible for managing their password according to the guidelines specified in Appendix C, Password Management.

  • The logonid owner is responsible for all actions and functions performed by their logonid.

  • All Information Resources used for mission critical applications should provide a notice at logon time stating that the computer system is protected by a computer security system; that unauthorized access is not permitted; and that usage may be monitored. The message text for the notice is contained in Appendix B, Security Access Warning Message.

  • The legitimate proprietary interests of intellectual property owners will be upheld and supported.

  • Information which by law is confidential must be protected from unauthorized access or modification. Data which is essential to critical functions must be protected from loss, contamination, or destruction.

  • Confidential information shall be accessible only by personnel who are authorized by the owner on a basis of strict "need to know" in the performance of their duties. Data containing any confidential information shall be readily identifiable and treated as confidential in its entirety.

  • An auditable, continuous chain of custody shall record the transfer of confidential information. When confidential information from a department is received by another department in connection with the transaction of Texas A&M University business, the receiving department shall maintain the confidentiality of the information in accordance with the conditions imposed by the providing department.

  • All employees accessing a mission critical administrative application must receive appropriate training for using the application and must acknowledge the security and privacy requirements for the data contained in the application. Appendix E, Personnel Security and Security Awareness contains additional information.

  • When an employee terminates employment, their access to Information Resources will be terminated. Similarly, students who are not enrolled will have their access to Information Resources terminated. Appendices E and I, Personnel Security and Security Awareness and CIS Computer Ethics Statement, contain additional information.

  • All Information Resources used for mission critical applications shall have a cost effective, written contingency plan that will provide for prompt and effective continuation of critical missions in the event of a disaster. Appendix D, Disaster Recovery contains additional information.

  • Microcomputer end-user workstations used in sensitive or critical tasks must have adequate controls to provide continued confidentiality, integrity, and availability of data stored on the system.

  • All microcomputer end-user workstations should have virus protection software installed.

  • Computer software purchased using university or state funds is Texas A&M University property and shall be protected as such.

  • Ownership of computer software developed by faculty, staff, and students is defined in the Texas A&M University System Administrative Policy and Reporting Manual, Section C.10.4.

  • All information processing areas used to house Information Resources supporting mission critical applications must be protected by physical controls appropriate for the size and complexity of the operations and the criticality or sensitivity of the systems operated at those locations. Physical access to these areas shall be restricted to authorized personnel. Authorized visitors should be supervised and their entry and exit recorded in a log.

  • Individuals who believe they have experienced computer generated harassment or illegal discrimination are encouraged to contact the appropriate administrative office to file a complaint. Additional information is provided in Appendix K, Filing Complaints About Computer Generated Harassment or Discrimination.

  • All development staff for mission critical applications are required to adhere to security guidelines contained in Appendix L, Computer Application Development Controls.

  • Internet access to the Texas A&M University Network will be controlled as appropriate under guidelines established by the Computer Security Committee and the Computing and Information Services Networking Group.

Policy Administration

The Computer Security Policy is administered by the Computer Security Officer and the Computer Security Committee. The Computer Security Officer is appointed by the APCIS and has responsibility to:

  • monitor computer security issues.
  • file regular reports on computer security issues.
  • keep users aware of computer security issues.
  • monitor compliance with this policy.
  • act as primary contact for the Computer Emergency Response Team.
  • chair the Computer Security Committee.

The Computer Security Committee is appointed by the APCIS from the Texas A&M University faculty and staff along with representatives from the support staff for Computing and Information Services projects and major administrative applications.

The Computer Security Policy is maintained by the Computer Security Officer and the Computer Security Committee. The policy will be reviewed annually and updated as appropriate.


Management Responsibility

Each Dean, Director, and Department Head is responsible for the security of information resources in all offices under their jurisdiction and for implementing information security requirements on an office-wide basis.


Administrative Data Ownership

Administrative data is owned by the administrative unit(s) having primary responsibility for creation and maintenance of the data content. The owners of major central administrative data files are:

  BPP:    BPP Operations Center and Fiscal Offices, Budget Offices, Human Resource Offices, and Payroll Offices within Texas A&M University System.
  FAMIS:  FAMIS MIS Project Office and Business Offices within Texas A&M University System.
  NOTIS:  The NOTIS System Office and the members of the Texas A&M University System NOTIS Library Consortium.
  SIMS:   Admissions and Records, Financial Aid, Fiscal Office, and SIMS Executive Committee.
  Other:  Organization, research project, or administrative unit that pays for storage of the data.

Non-Administrative Data Ownership

Normally, non-administrative data is owned by the organization or research project that pays the data storage fees. However, when data storage fees are paid by Computer Access Fee funds or VPAA Prefunded General Use Computer funds, the non-administrative data is owned by the person identified by the SSN or Student ID assigned to the logonid associated with the data. In the event the non-administrative data owner is no longer enrolled or employed at Texas A&M University, then:

  • Data ownership will remain with the person identified by the SSN or Student ID assigned to the data.

  • The data owner or their estate must provide explicit authorization for other persons to access the data.

  • The data custodian may archive the data according to established operational and data archival procedures.

Data Owner Responsibilities

The data owner is responsible for:

  • Maintaining the information in the data file.

  • Determining how the data may be used within existing policies.

  • Authorizing who may access the data.

Data Custodian Responsibilities

The data custodian is the unit assigned to supply services associated with the data. The custodian is:

  • The Computing and Information Services for centrally supported administrative applications such as BPP, FAMIS, and SIMS.

  • The operator or manager of a departmental computer system, server, or network of microcomputer workstations.

  • The end-user of an individual microcomputer workstation.

The custodian provides services in accordance with the directions from the owner and is responsible for:

  • Implementing owner specified controls over the data.

  • Providing a general security access system.

  • Ensuring compliance of its employees with security procedures.

Data User Responsibilities

The data user is the person who has been granted explicit authorization to access the data by the owner. This authorization must be granted according to established procedures. The user must:

  • Use the data only for purposes specified by the owner.

  • Comply with security measures specified by the owner or custodian.

  • Not disclose information in the data nor the access controls over the data unless specifically authorized in writing by the owner.

Electronic Mail Privacy

The following is an interim guideline until the Electronic Newsgroup Study Group issues a final report. When that report becomes available, this section will be updated.

Electronic mail is provided to faculty, staff, and students as part of the Information Resources of Texas A&M University to conduct the business of Texas A&M University.

Electronic mail is intended to be a convenient way for the faculty, staff, and students to communicate with one another and colleagues at other locations. It is not the practice of Texas A&M University to monitor the contents of electronic mail messages. However, the information in electronic mail files may be subject to disclosure under certain circumstances; for example, requests filed under the Texas Open Records Act, or during audit or legal investigations.


Auditor Access

There will be occasions when auditors require access to Information Resources and data files. The access will be permitted according to these guidelines:

Internal Auditors from Texas A&M University and Texas A&M University System:

  • Personnel of the Internal Audit Departments have access to all University activities, records, property, and employees in the performance of their duties. This access is described in Section 1.2.3.1 of the Texas A&M University Policies and Procedures Manual and in Section C.10.3 of the Texas A&M University System Administrative Policy and Reporting Manual.

  • For non-investigative audits, access requests for Information Resources and data files will be made to the data owner and the administrative management of the organization operating the computers and information resources, as appropriate.

  • For investigative audits, access requests for Information Resources and data files will be made to the appropriate administrative management level of the organization operating the computers and information resources.

  • Internal Audit access to data files will be provided as specifically requested by Internal Audit; however, whenever practical, Internal Audit will utilize hard copy output or data file copies. Access is provided to Internal Auditors on all Texas A&M University System applications such as Aggie Bucks, BPP, FAMIS, and SIMS, after appropriate training requirements are met.

  • Read only access will be granted, unless specific instructions are provided, to ensure proper safeguards for continued integrity and availability of data files.

State and Federal Auditors:

  • State and Federal auditors will be granted access to Information Resources and data files on an as needed basis after coordination with the Internal Auditors and data owners, and after proper training requirements are met.