Computer Labs and Networking: Security

Important Information Regarding Information Security Awareness

Passwords
"Upon receiving permission to access TAMU System component networks, systems and related databases, I acknowledge my responsibility for strictly adhering to the Texas A&M University System Policy and Regulations, as well as State and Federal regulations. I understand that I will be subject to disciplinary action and criminal prosecution to the full extent of the law (Chapter 33, Title 7 of the Texas Penal Code), if I gain or help others gain unauthorized access to these services. I agree that I shall not attempt to circumvent the computer security system by using or attempting to use any unauthorized information or transactions. I acknowledge that neither I nor anyone else possesses the authority to allow anyone to use my user-id or my password."

Your login ID and password are the first line of defense against unauthorized access and consequently to the safety of valuable data. Please protect them carefully. Don't leave them lying around or on a sticky-note in your office. The bad guys know all the hiding places. You don't want to explain how your ID and password were used to break into University systems!

Make your passwords strong by keeping them at least eight characters long, mixing in numbers and capitals, and by avoiding using common English words. Hackers use dictionary files to break passwords - make it as hard on them as you can!

Physical Security
When you leave your computer unattended to go to the restroom or lunch, lock the computer by typing CTRL-ALT-DELETE and clicking on the Lock Computer button. This will require your password to log back into the computer and prevent unauthorized people from using your computer while you are away from your desk.

Be especially careful when traveling with a notebook computer. It is a very tempting target for thieves and, in addition, your passwords and login IDs may be compromised.

Public Places
Be careful what you say in public places. Information you divulge there can be used to help a hacker obtain illegal access to the University network. If you are on a plane and using a notebook computer, think about what would happen if the information on your screen was seen by the wrong person.

Home Computers and Networks
Dialup and broadband connections, such as cable and DSL, from home to the University are just like having your home computer directly connected to the University network. If your home computer becomes compromised, you can be the source of infection for office computers as well. Therefore, there are certain precautions you should take.

Home computers used to access University networks should be protected by anti-virus software. This software should be kept up-to-date. Anti-virus software with old data files no longer protects the computer and gives a false sense of security. Keep your home systems safer by using security update sites like Microsoft's Windows Update site (http://windowsupdate.microsoft.com) and making sure your system has all of the critical updates installed.

E-mail
Email provided by the University System is intended for the purpose of facilitating your work as an employee. It is illegal to use email services provided by the State of Texas for private business purposes. Incidental, non-profit use is acceptable.

Email carries its own security problems. You are very likely to receive email that is crafted to get you to reveal sensitive information, to entice you to buy a product, or to get you to delete files off your computer that are part of the operating system.

Scams, such as sending you information that your credit card is going to be charged for a purchase you did not make, in the hope of enticing you to send them your credit card number and expiration date, are increasingly common. Never give credit card numbers to anyone via email.

SPAM (commercial unsolicited email) is very common. In our experience, it is best to just delete it and never respond to it. Responding just verifies your address as being valid and thus makes it more valuable to those who sell email lists.

Hoaxes are very common and can often be destructive. These emails typically start with a claim that there is a new virus threat that Norton and McAfee anti-virus software won't catch and that it is the worst computer virus ever created, along with other hyperbole. The message then usually instructs you to delete a file off your computer, claiming the file is a sure sign the computer is infected. Of course, very rarely is this actually true. If you receive such a message, don't pass it on to anyone except your computer administrator. He or she will advise you as to its authenticity.

Human Engineering
It is a common attack method to call someone on the phone and attempt to get them to reveal their password by claiming to be from the computer help desk or some security authority and claiming to be investigating a security violation. Never reveal your password to anyone and report any such attempts to your Network Administrator.

Using State Property for Personal Gain
It is not permissible to use the computer systems and/or software belonging to the State of Texas for personal gain. You may not use these resources for consulting or other profit-making enterprises.

Use of TEES Provided Internet and Intranet Services
Permissible Internet and Intranet resource use varies by individual departments, as set by the department head. You may only use these resources as permitted by your department head.

Removal of TEES Software upon Termination
Any TEES software installed on home machines as a part of your employment should be removed from your computer upon your leaving employment with TEES. The software is the property of TEES and may not be used after termination.

Security Violations
If you notice any weaknesses in TEES computer security, or you are aware of any incidents or violations of information security, you are required to report them to your management.

Internet/Intranet Use

Software for browsing the Internet/Intranet is provided to authorized users for business and research use only. This software must incorporate all vendor provided security patches. All files downloaded from the Internet must be scanned for viruses using current virus detection software.

No offensive or harassing material or personal commercial advertising may be made available via TEES Web sites. All sensitive TEES material transmitted over external networks must be encrypted. No files or documents may be sent or received that may cause legal liability for, or embarrassment to, TEES.

Incidental personal use of Internet access is restricted to TEES approved users; it does not extend to family members or other acquaintances. Incidental use must not result in direct costs to TEES. Incidental use must not interfere with the normal performance of an employee’s work duties.

TEES Rule 21.99.10.E1 Licensed Software

Approved April 10, 2003

Supplements

System Regulation 21.99.10

1.1 GENERAL

All computer software under the control of and used by the Texas Engineering Experiment Station (TEES) must be appropriately licensed. There are varying degrees of copyright protection afforded different classes of computer software. All TEES employees are expected to be familiar with the licenses on the software they use. The licensing agreements for software packages purchased and installed on division or center equipment shall be maintained and are the responsibility of the division head or center director. Software licensed for use on TEES network servers shall be maintained by and is the responsibility of the TEES network administrator.

2.0 CONTROLS AND RESPONSIBILITIES

2.1 No computer software may be copied, altered, transmitted, or stored, except as permitted by law or by the contract, license agreement, or express written consent of the owner of the software license. The use of software on a local network or on multiple computers must be in accordance with the license agreement.

2.2 When an employee or researcher leaves employment with TEES, the division head or center director shall instruct the departing employee or researcher to return all software under the control of or used by TEES, and all copies thereof, and to deliver to the division head or center director a certification that the software has been returned and that all copies located outside the control of TEES have been deleted or destroyed and its use discontinued.

2.3 There are significant penalties both criminal and civil for noncompliance with copyright laws for computer software. These penalties can be applied to the division or center and/or the employee.

2.4 The Agency Director delegates responsibility to all division heads, center directors, or their equivalent to insure that all computing software on generally accessible computing equipment belonging to TEES or under TEES control is appropriately licensed and complies with System Regulation 21.99.10. Division heads or center directors shall conduct regular checks of computing resources, including microcomputers at least annually or when general maintenance is conducted on each piece of equipment. Any violations of this Rule or System Regulation 21.99.10 shall be reported to the division head or center director who is authorized to take, and shall take, reasonable action to implement and enforce correction of any violation discovered.

TEES Rule 24.99.99.E0.01 Security of Electronic Information Resources

October 17, 2003, Pending

1.0 General

TEES electronic information resources are vital research and administrative assets which require appropriate safeguards. Computer systems, networks, and data are vulnerable to a variety of threats. These threats have the potential to compromise the integrity, availability, and confidentiality of the information.

Effective security programs must be implemented to appropriately eliminate or mitigate the risks posed by potential threats to the TEES information resources. Measures shall be taken to protect these resources against unauthorized access, disclosure, modification or destruction whether accidental or deliberate.

TEES, as a state agency, is required to comply with the Texas Administrative Code (TAC) on "Information Security Standards". The Texas Administrative Code assigns responsibility for protection of informational resources to the Agency Director. For the purposes of this rule, the authority and responsibility regarding the agency compliance with the Texas Administrative Code on Information Security Standards has been delegated by the Director to the Chief Information Officer.

2.0 Controls and Responsibilities

2.1 TEES divisions having ownership or custodial responsibility for electronic information systems shall ensure that on an annual basis, a security risk management plan and a disaster recovery plan are sent to the Office of Chief Information Officer. The report shall be filed by the designated system administrator or custodian of the information system.

2.2 The division head is responsible for ensuring that an appropriate security program is in effect and that compliance with this rule and TAC Standards is maintained for information systems owned and operationally supported by the division.

2.3 Operational responsibility for compliance with TAC Standards may be delegated by the division head to the appropriate information system support personnel (e.g. System Administrators) within the department.

2.4 Mission Critical or Confidential Information maintained on an individual workstation or personal computer must be afforded the appropriate safeguards stated in the TAC Standards. It is the responsibility of the operator, or owner, and/or division Systems Administrator of that workstation or personal computer to insure that adequate security measures are in place.

If you encounter a problem with one of the machines, please immediately email staff@ne.tamu.edu.