
Security Guide

Contact Sean Atkinson at 278-7683 for additional information.

NOTE: On Monday September 8, 2003, President Gordon and his Administrative Board, prompted by recent campus experience with the SoBig virus and the Blaster worm, approved the Security Practices and Standards for all University Networks and Network-attached Systems. In order to have a robust and secure network, PAB has directed IT to immediately implement these practices and standards.

Computer Security is the responsibility of all computer users. Universities should continue the job of security by teaching professional ethics in the use of computers and taking appropriate actions once misuses are discovered. This document is intended to serve as a guide and includes reference material that addresses most circumstances.

A security guide cannot act as a substitute for common sense in handling certain situations.  The policies and instructions set forth in this manual comply with the CSU Board of Trustees and Office of Chancellor policies, and are consistent with the Information Practices Act and California Civil Code. (July 1999).

Table of Contents

1.  Purpose of Computer Security
2.  Responsibility for Computer Security
3.  Goal of Computer Security
4.  Definition of Computer Security
5.  Scope of Security Guide
6.  Security Policy

a. Policy Distribution
b. Authorized Computer Use
c. Unauthorized Computer Use
d. Sale of Computer Time
e. Proprietary Software
f. Release of Software
g. Unauthorized Software
h. Monitoring of Computer Usage
i. Safeguarding Accounts and Passwords
j. Data Security and Individual Privacy
k. Discontinuance of Computer Use
l. Reporting of Security Problems

7.  Security of Computer Facilities
a.   Access to Computing Services
(1) Access to Computer Room
(2) Access to Computer Operations Area
(3) Access to Programming Area
(4) Access to I/O and Data Entry
(5) Visitor Escorts
(6) Vigilance
(7) Computer Tours
(8) Authorized Access List

b.    Access to User Equipment Areas
c.    Theft Prevention of Equipment

(1) Micro-computer Protection
(2) Terminal Protection
(3) Ownership Identification
(4) Inventory of Equipment

d.    Disasters

8. Security of Data & Software
a.  Protective Measures
b.  Authorized Access
c.  Ownership of Data
d.  Release of Data
e.  Permission to Access Data
f.   Disposition of Printed Output
g.  Passwords
h.  Invalid Password Attempts
i.   Tape Access
j.   Backup of Software

9. Individual Privacy
a.  Definition of Personal Information
b.  Legitimate Data Collection
c.  Responsibility for Protecting Data
d.  Disposition of Confidential Reports
e.  Security by Administrative/Instructional Users
(1) Protection of Removed Data
(2) Accuracy and Use of Data
(3) Authorized Release of Data
(4) Purge of Unneeded Data
(5) Security Reviews
(6) Individual Right to Correction
(7) Individual Queries
(8) Individual Consent to Reuse Data
10. Security Reviews
a.  Information Security Office
b.  Security Officer Responsibilities
c.  Management Responsibilities
d.  Review Team
e.  Scope of Reviews
Appendices
*A. Internal Security
*B. Emergency Procedure
C. Computing Practices and Security Awareness
D. Confidentiality Statement
E. Definitions
F. Personal Computer Security - State Policy
G. Micro-computer Security
H. Network Security
I. Viruses - NIST Executive Summary
J. Section 502, California Penal Code [Computer crime]
* Applicable to Information Technology Staff Only

1. PURPOSE OF COMPUTER SECURITY

The purpose of computer security is to safeguard the computer site, hardware, software and data. This document provides policies, guidelines and procedures to ensure computer security. It also educates all computer users about security and informs them of the serious legal risks associated with security violations.

2. RESPONSIBILITY FOR COMPUTER SECURITY

The job of protecting the hardware, software and data from abuse is shared by all computer users - faculty, students, management, administrative staff and the Information Technology staff. Someone will suffer if his or her file is destroyed and everyone will suffer if the computer is down due to an accidental or malicious act.

3. GOAL OF COMPUTER SECURITY

"Perfect" security is generally regarded as unattainable. Nevertheless, the goal of this security plan is to prevent or reduce the probability of serious damage to the hardware, software and data. That is, a fire protection system cannot keep the fire from starting, but can prevent serious loss by detecting and extinguishing the fire.

4. DEFINITION OF COMPUTER SECURITY

The security of the computer is the prevention of unauthorized access or damage to the hardware, software and data. This encompasses misuse, malicious or accidental damage, vandalism, intentional intrusion, fraud, theft and sabotage as well as disasters by fire, water, and earthquakes.

5. SCOPE OF SECURITY GUIDE

Prevention and protection... deterrence and detection... recovery. This document addresses these key elements in achieving computer security. The controls implemented to prevent security hazards should be commensurate with the cost and risks.

6. SECURITY POLICY

All mainframe, mini, and microcomputers are governed by this security policy.  It is enforced by federal and state laws.  Violation of policies may result in disciplinary action (cancellation of accounts, dismissal of employment, etc.) or legal action (fines or imprisonment or both according to California Penal Code, Sec. 502 - see Appendix J). NOTE: A separate micro-computer policy has been developed by the CSU Chancellor's Office and is included in this Security Guide (see Appendix G).

a.   Policy Distribution - This document is distributed to major computing users and posted in computer labs and other locations frequented by faculty, students and administrative users. All users should read this document in order to be advised of the legal implications and penalties associated with the misuse of the computing facility and resources.

b. Authorized Computer Use - All use of CSUF computer systems is for University authorized activities only.

c. Unauthorized Computer Use - The use of CSUF computer systems for unauthorized activities is against State law and violations will be prosecuted to the maximum extent possible.

d. Sale of Computer Time - The use or sale of CSUF computer time, supplies, or services to any non-CSUF user must be approved in writing by the Chief Information/Technology Officer.

e. Proprietary Software - In lieu of other arrangements, all CSUF-developed software and data bases are the property of the State.  Leased software is strictly controlled by Information Technology in accordance with the provisions of the contract.  The prudent duplication of leased software, e.g., backup copy, should also be governed by the contract.

f. Release of Software - Software shall not be loaned, traded, sold, given away, or otherwise divulged. Copies of CSUF or leased software and data can only be released from Information Technology for non-university use by the written approval of the Chief Information/Technology Officer.

g. Unauthorized Software - Faculty, staff, students, and vendors should delete unauthorized software or data files from CSUF computer systems that do not conform to the above guidelines.

h. Monitoring of Computer Usage - Upon request of faculty or administrative manager, Information Technology shall produce reports that will permit them to review and detect excessive or improper usage by account owners. Reports may be furnished to administrative managers to monitor access of critical data files.

i. Safeguarding Accounts and Passwords - Access to accounts and passwords shall be protected by each user of the computer. Accounts and passwords assigned by blocks to class instructors shall be distributed individually to students. Faculty should ensure that passwords are made available only to the user.

j. Data Security and Individual Privacy - Security measures herein shall be strictly observed by Information Technology and administrative staff to protect critical, personal, or sensitive data files from accidental or intentional disclosure to unauthorized users. In addition, all users should respect the privacy of other users' software and data.

k. Discontinuance of Computer Use - The service to a particular account, password or terminal shall be suspended when security violations are discovered. Service may be restored when security has been assured.

l. Reporting of Security Problems - Individuals who desire to report instances of security violations, or who discover or know of an unauthorized or attempted intrusion, or wish to suggest improvements, are encouraged to contact one of the individuals below:

Chief Information/Technology Officer, (657) 278-3921
CSUF Information Security Officer, (657) 278-4937

7. SECURITY OF COMPUTER FACILITIES

Physical protection of the computer equipment is described under the following headings:
Access to Information Technology - Refers to controls required to ensure that only authorized personnel have physical access to Information Technology.

Access to User Equipment Areas - Refers to physical access to instructional and administrative user areas having terminals or microcomputers.

Theft Prevention of Equipment - Refers to precautions required to retain terminals, microcomputers, or other items.

Disasters & Contingency Plan - Refers to potential emergencies against which safeguards must be provided. The emergencies include environmental hazards (e.g. earthquake), accidents (e.g. fire), human acts (e.g. bomb explosion), or unintentional acts (e.g. power failure/damage).
a. Access to Information Technology - To protect the interests of CSUF and users who depend upon the computer, it is necessary to restrict access to some areas of Information Technology. Limiting access is a security measure to protect sensitive data and the equipment.

(1) Access to Computer Room - Only computer operators work full time in this area. Other Information Technology staff, vendor maintenance personnel, and building custodians shall be provided limited access on a need-to-enter basis. Access shall be denied to other personnel unless proper authorization is granted by the Chief Information/Technology Officer, or his designee, and an authorized escort is provided by Information Technology staff.

(2)  Access to Computing Operations Area - The hallway door to this area must be kept locked at all times. Only computer operations staff are assigned keys to the offices in this area. Other Information Technology staff and departmental users shall be provided limited access on a need-to-enter basis.

(3)  Access to Programming Area - Entry to this area is restricted to official business and the doors are posted with "Restricted Area - Authorized Personnel Only" signs. Security is maintained by staff during duty hours and individual offices are kept locked when not occupied. Administrative and Instructional staff are provided access to consult staff.

(4) Access to Production Services - The Production Services and Data Entry areas are open during duty hours and must be locked during non-duty hours. Students, faculty, and administrative users drop off their input data and pick up output at the Input-Output counter. Those having large quantities of printout are permitted to bring carts behind the counter under the supervision of I/O staff.

(5)  Visitor Escorts - All non-Computing & Communications Service personnel visiting the Computer Room or Operations Area shall be escorted by the Information Technology person they are visiting and that person shall be responsible for the visitor until they depart.

(6)  Vigilance - Information Technology reserves the right to request inspection of visitors' briefcases, tool cases, and packages upon entering and before leaving Information Technology. Staff should question and offer to assist all visitors who appear to be unescorted and not on official business. Report all violations to the Public Safety (278-2515) and Chief Information/Technology Officer.

(7)  Computer Tours - The computer room is a production environment and processes sensitive data, e.g. check writing. Numerous incidents have been reported in professional journals where equipment has been damaged and data destroyed during tours. To avoid this possibility, it is in the best interest of the university and all users to prohibit tours.

(8)  Authorized Access List - Information Technology employees are identified in the "IT Telephone List" and part-time employees in the "Student Payroll List". Both listings are maintained by and distributed within Information Technology.

b. Access to User Equipment Areas - Supervisors should assign responsibility for security of remote terminals and microcomputers in departments, schools, and computer labs. Rooms housing the equipment must be locked when employees are not present, and the equipment should not be left running. When security infractions are discovered, please notify: Public Safety 278-2515 or Chief Information/Technology Officer 278-3921.

c.  Theft Prevention of Equipment - All theft, attempted theft, or vandalism must be reported to the Public Safety (278-2515) and the Chief Information/Technology Officer (278-3921).

(1) Microcomputer Protection - Prior to installation, arrangements should be made to house microcomputers in a locked room. The micro should be secured to the table by anchor pads or similar anti-theft device.

(2) Terminal Protection - Remote equipment should be anchored where possible and installed in a secure room, preferably some distance from doors near hallways and building exits.

(3) Ownership Identification - All equipment should be marked with large "CSUF" letters and engraved with identification denoting university equipment.

(4) Inventory of Equipment - The inventory of computing equipment is described in the Property Accounting section of the State Administrative Manual (SAM). Departments are advised to control micros and dial-up terminals loaned to staff by using the Equipment Use Authorization form or other check in/out means. Departments should closely monitor keys to the equipment rooms.

d. Disasters - Instructions for dealing with fire, smoke, water damage, power outages, explosion, earthquake, sabotage and similar hazards are discussed in Appendix B.

8. SECURITY OF DATA & SOFTWARE

Threats to data and software stored in the computer can be in the form of accidental or intentional disclosure, modification, or destruction. Unauthorized access by an illegal user is also a threat.

a. Protective Measures - CSUF security shall provide several layers of technical protection to safeguard the data and software (programs, JCL, utilities, and operating system). These technical security levels, in addition to surveillance by employees, are designed to provide an acceptable degree of security to accomplish the following:

(1) Detect illegal penetration and prevent unauthorized access to the computer system.

(2) Prevent unauthorized access to the stored data.

b. Authorized Access - Generally, the owner or user of the account and password is the only person permitted to access their files. Access by others should be on a "need to know" basis with authorization from the data owner.

c. Ownership of Data - The data resident on disk and tape files are generally the property of the user holding the account number. Administrative files generally belong to the department owning the file (department which maintains and controls updating of the data and has authority to permit others to access the file).

d. Release of Data - Information Technology acts as custodian of the tape and disk files it stores in the restricted-access library. Accordingly, Information Technology shall not release data entrusted to its care unless authorized by the individual or department owner having control of the data.

e. Permission to Access Data - Departments must sometimes extract administrative data from files owned and maintained by another department. As a matter of security and coordination, the requesting department must obtain written approval from the department owning the file, generally on the Request For Computing Services Form (RCS).

f. Disposition of Printed Output - All confidential data and related administrative software listings, carbons, and microfiches which are not to be retained must be kept in a secure area until destruction by shredding or other procedure. Each department and office is responsible for properly disposing of confidential material.

g. Passwords - Users are required to use the initial password issued by Information Technology. Subsequently, passwords to accounts having permanent and critical administrative data should be changed regularly. University employees and students are advised to change their password periodically. Passwords shall be changed whenever a security infraction has been discovered. The appearance of passwords on the terminal screen and paper shall be suppressed.

h. Invalid Password Attempts - After a certain number of invalid access attempts, the system automatically logs off the user. Information about the invalid attempt is recorded by the computer system and investigated by Information Technology (Systems Programming) as appropriate.

i. Tape Access - Administrative and permanent tape files shall be internally labeled to prevent unauthorized access. Instructional users are encouraged to use labeled tapes, however unlabeled tapes are allowed.

j. Back-up of Software - The prudent duplication and off-site storage of otherwise irreplaceable data and programs is the responsibility of the user. Information Technology copies all disk files daily (in-house backup) and weekly (off-site backup).

9. INDIVIDUAL PRIVACY

In order to protect the privacy of individuals, the maintenance and dissemination of personal information must be subject to strict limits. The protection of individual privacy places special responsibilities on those departments which determine when and how systems are used.

a.  Definition of Personal Information - The term means confidential data maintained by the university about an individual including but not limited to their education, financial transactions, medical, or employment history that contains the individual's name, ID number, or other identifying data.

b. Legitimate Data Collection - Personal information on individuals should not be collected and maintained unless needed to operate and manage those CSUF functions for which the collecting unit is legally responsible.

c. Responsibility for Protecting Data - Departments that generate, use, or have access to automated personal information shall ensure its confidentiality and accuracy, and properly dispose of the data when no longer needed.

d. Disposition of Confidential Reports - All output listings, carbon, microfiche, etc. which are not to be retained should be destroyed by shredding or other procedures.

e. Security by Administrative/Instructional Users - Each department, group, office, or person shares with Information Technology the many responsibilities outlined in this manual. In addition, the following are suggested:

(1) Protection of Removed Data - The user assumes responsibility for confidentiality of all printed reports, microfiche, tapes, etc. when the file is removed from Information Technology.

(2) Accuracy & Use of Data - Users creating, maintaining, using, or disseminating records or identifiable personal data should ensure the reliability of the data for its intended use and take precautions to prevent misuse of the data.

(3) Authorized Release of Data - Users should ensure that data are used only for lawful purposes within the California State University system and not released to outside agencies, groups, or individuals except as provided by law and properly authorized. Insofar as possible, released data should be in an anonymous form where personal identity is removed.

(4) Purge of Unneeded Data - Files containing personal information should be audited periodically to ensure their continued need.

(5) Security Reviews - Users should frequently audit their areas where personal data are used and stored to ensure adequate safeguards against theft, penetration by unauthorized persons, destruction, or alteration of files, reports, microfiche, input data, etc.

(6) Individual Right to Correction - Procedures should exist for an individual to correct personal data recorded incorrectly.

(7) Individual Queries - Departments should have a procedure whereby an individual can ascertain what personal information is contained in his/her record and how it is used.

(8) Individual Consent to Reuse Data - A means should exist for an individual to prevent personal information obtained for one purpose from being used or made available for other purposes without the consent or knowledge of the individual.


10. SECURITY REVIEWS

Review and evaluation of CSUF security is required to determine if policies and procedures are being followed and to identify suggestions for improvement of existing procedures.

a. Information Security Officer - This person is designated by and is responsible to the President of CSUF. This person cannot be an employee of Information Technology or have responsibility for confidential/privacy information.

b. Security Officer Responsibilities - In general, this person is responsible for the adequacy of implemented safeguards, the extent to which security standards and procedures are being adhered to, and the authenticity of reported security violations.

c. Management Responsibilities - The Chief Information/Technology Officer is responsible for establishing controls needed to prevent unauthorized access and damage to the hardware, software, and data as defined in the security guide.

d. Review Team - The CSUF President may appoint a review team to ensure compliance with the laws contained in this guide. The team is typically composed of the Security Officer, a member of the administrative staff (excluding Information Technology), and a faculty member. Their report will be submitted to the President with copies to the Chief Information/Technology Officer and Security Officer.

e. Scope of Reviews - The review team shall evaluate the following:

(1) Security and confidentiality of computer-based information.

(2) Physical security of the Information Technology hardware.

(3) Protection of data files against deliberate or accidental destruction or modification.

(4) Access control to stored data on the basis of identity of user and authorization to know.

(5) Audit of data files regarding continued need.

(6) Physical security (including theft protection) of equipment located in departments and labs.



Appendix A
Security Guide

INTERNAL SECURITY

Because of the valuable information entrusted to the Information Technology staff, employees must exercise caution and care in their jobs and adhere to the security requirements of this manual.

1. Confidentiality Statement - In order to effectively communicate this policy and emphasize the importance placed on confidentiality of data and software residing in Information Technology, all employees are required to sign the statement in Appendix E. New employees must sign the statement before they are hired. One copy is kept in the employee personnel folder and one copy is given to the employee.

2. Security Briefings - In order to ensure understanding of existing and new procedures, Information Technology staff shall receive periodic briefings on security and professional ethics including review of the security guide.

3. Separation of Duties - Insofar as practical, one person should not have complete control over an entire transaction or series of processing operations. One example is separation of duties by functions (e.g., programmers should not operate the computer or run production). Another example is to assign program modules processing sensitive data to different programmers.

a. Operating Systems - Only systems programmers are authorized to modify the vendor operating system software.

b. Application Software - Only applications analysts/programmers will have access to programs and JCL and must be given permission by their supervisor (via an approved Request For Information Technology - RCS Form) to modify the software.

4. Responsibilities by Information Technology Functions - Although separated by functional areas, all staff should be familiar with the following guidelines and instructions.


Computer Operations

1. Emergency Procedures - All computer operators will be trained in the emergency procedures in Appendix B and the Emergency Handbook located in the Computer Room. Other staff members should read them.

2. Power-Down Procedures - All computer operators will be trained in the use of power-down procedures and emergency switches explained in the Emergency Handbook located in the computer room. Other staff members should understand the procedures.

3. Practice Drills - Regularly scheduled drills and reviews should be held for computer operators to test the emergency procedures.

4. Emergency Procedures Review - The Director for Computing Operations should review and update the emergency procedures periodically.

5. Emergency Lighting - In event of power failure, the battery operated lights automatically turn on. The system should be tested periodically. Portable lights are available in the Computer Room if the emergency lighting fails.

6. Computer Operation - Only authorized employees should operate the computers. Students normally are not permitted access to the area or to operate the computers.

7. Protecting the Environment - Smoking, eating, and drinking are not permitted in the computer room or tape library. Magnets and tape recorders are also prohibited. The area should be kept clean and uncluttered. Excess paper, boxes, etc., should be removed.

8. Hardware Malfunctions - Whenever the computer system malfunctions (halts, errors, etc.) a Problem Summary form is prepared. The Director of Computing Operations is responsible for inspecting the Problem Summaries each work day.



Tape Library

1. Library Access - Production Services employees are specifically designated as custodians of data files. Access to the storage area is generally restricted to the production services and computer operations staff.

2.  Tape/Disk Storage - Data not in use shall be kept in the library, which must maintain the same controls as the computer room (air conditioned, fire/smoke alarms and halon protected).

3.  Release of Tapes - A log shall be kept of data received from or sent to agencies outside Information Technology. The log should include identification of the tape, IN and OUT entries, the agency sending or receiving the tape, date returned to CSUF or the sender, etc. Follow-up to retrieve tapes not returned within expected time limits shall be part of the procedure.

4.  Unneeded & Scratch Files - A procedure shall exist to identify and release files no longer needed or with a past expiration date. Tapes should be degaussed, blanked, or overwritten before reuse.

5.  Off-site Storage & File Backup - Copies of important data and software tapes/disks will be maintained in a location other than Information Technology for disaster recovery.

6. Demagnetizing Confidential Files - Erasure of confidential data when no longer needed provides a useful security measure. These tapes, diskettes, or other magnetic media must be degaussed once the confidential file has been replaced and the data can be destroyed.


Production Services

1.  Review of Output - All administrative output shall be validated for accuracy insofar as practical before release to the user (e.g. ascertain if the entire report is printed and legible, all columns printed, garbage data is not present, batch tape totals agree with report totals, etc).


Input & Output - Production Services

1.  Protection of Data - Production Services staff shall exercise special caution to protect data in administrative pickup boxes since they usually contain confidential material.

2.  Identification for Pickup - If the person picking up administrative output is not recognized, Production Services staff shall require identification or contact the department for verification.


OPERATING SYSTEMS PROGRAMMING

1. Software Backup - Critical data residing on tapes and permanent disks should be duplicated and maintained at a site or building separate from Information Technology.

2. Penetration of Operating System - Precautions shall be taken to use all operating system capabilities that will prevent and detect bypassing of security utilities.

3. System Logs - Files or printouts that the computer generates to record its actions should be spot checked frequently for unauthorized access attempts.


APPLICATIONS PROGRAMMING

1. Design of Software - The integrity of data begins in the design process. Consequently, analysts and programmers should design security into their systems.

a. Programmed controls should include measures such as editing for oversized amounts, record totals checked against batch headers, record counts in and out of utilities and programs, etc.

b. Exception reports should print unacceptable transactions, errors, and warning messages.

c. Where appropriate, programs should be functionalized to minimize disclosure of information, e.g., an update program should be limited to updating and should not display or print records.
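The programmed controls of item 1 (edits for oversized amounts, record totals reconciled against the batch header, record counts in and out, and an exception report listing rejected transactions, errors and warnings) worked through as an added Python example; it is not code from this guide or from CSUF Information Technology. The pipe-delimited batch layout, the 10,000.00 per-transaction ceiling and the sample batches are constructed assumptions.

```python
from __future__ import annotations

from dataclasses import dataclass, field
from decimal import Decimal, InvalidOperation

# Hypothetical per-transaction ceiling (assumption); a real system would take
# this from the data owner's standards rather than hard-coding it.
MAX_AMOUNT = Decimal("10000.00")


@dataclass(frozen=True)
class BatchHeader:
    batch_id: str
    expected_count: int       # records the submitter says are in the batch
    expected_total: Decimal   # control total of the amount field


@dataclass(frozen=True)
class Record:
    seq: int
    account: str
    amount: Decimal


@dataclass
class ExceptionReport:
    batch_id: str
    records_in: int = 0
    records_out: int = 0
    errors: list = field(default_factory=list)     # batch-level failures: reject the batch
    warnings: list = field(default_factory=list)   # advisory messages
    rejected: list = field(default_factory=list)   # (seq, reason) for held-back records

    @property
    def batch_accepted(self) -> bool:
        return not self.errors

    def render(self) -> str:
        """Printable exception report: status line, then errors, warnings, rejects."""
        status = "ACCEPTED" if self.batch_accepted else "REJECTED"
        lines = [f"EXCEPTION REPORT batch {self.batch_id}: "
                 f"{self.records_in} in, {self.records_out} out, {status}"]
        lines += [f"  ERROR   {e}" for e in self.errors]
        lines += [f"  WARNING {w}" for w in self.warnings]
        lines += [f"  REJECT  seq {seq}: {why}" for seq, why in self.rejected]
        return "\n".join(lines)


def parse_batch(text: str) -> tuple[BatchHeader | None, list[Record], list[str]]:
    """Parse the constructed layout: one 'H|id|count|total' line, then 'D|seq|account|amount'.
    Bad lines are collected as problems instead of raising, so they reach the report."""
    header, records, problems = None, [], []
    for lineno, raw in enumerate(text.strip().splitlines(), 1):
        f = raw.split("|")
        try:
            if f[0] == "H" and header is None:
                header = BatchHeader(f[1], int(f[2]), Decimal(f[3]))
            elif f[0] == "D":
                records.append(Record(int(f[1]), f[2], Decimal(f[3])))
            else:
                problems.append(f"line {lineno}: unexpected record type {f[0]!r}")
        except (IndexError, ValueError, InvalidOperation):
            problems.append(f"line {lineno}: unparseable record {raw!r}")
    if header is None:
        problems.append("no batch header present")
    return header, records, problems


def validate_batch(text: str) -> tuple[list[Record], ExceptionReport]:
    """Apply the programmed controls; return (accepted records, exception report)."""
    header, records, problems = parse_batch(text)
    report = ExceptionReport(batch_id=header.batch_id if header else "?", records_in=len(records))
    report.errors.extend(problems)
    if header is None:
        return [], report

    # Edit each transaction: duplicates, non-positive and oversized amounts are held back.
    accepted, seen = [], set()
    for rec in records:
        if rec.seq in seen:
            report.rejected.append((rec.seq, "duplicate sequence number"))
        elif rec.amount <= 0:
            report.rejected.append((rec.seq, f"non-positive amount {rec.amount}"))
        elif rec.amount > MAX_AMOUNT:
            report.rejected.append((rec.seq, f"oversized amount {rec.amount} > {MAX_AMOUNT}"))
        else:
            accepted.append(rec)
        seen.add(rec.seq)

    # Control totals cover everything read, rejected records included, because the
    # header describes what the submitter sent, not what this step will pass on.
    if len(records) != header.expected_count:
        report.errors.append(f"record count {len(records)} != header count {header.expected_count}")
    actual_total = sum((r.amount for r in records), Decimal("0"))
    if actual_total != header.expected_total:
        report.errors.append(f"amount total {actual_total} != header total {header.expected_total}")

    # Records in must equal records out plus records rejected.
    report.records_out = len(accepted)
    if report.records_in != report.records_out + len(report.rejected):
        report.errors.append("records in/out do not reconcile")
    if report.rejected:
        report.warnings.append(f"{len(report.rejected)} record(s) held for review")
    return accepted, report


# Constructed sample: header claims 4 records totalling 12,500.00; seq 3 is oversized.
GOOD_BATCH = "H|PAY-0001|4|12500.00\nD|1|A-100|250.00\nD|2|A-101|1250.00\nD|3|A-102|10500.00\nD|4|A-103|500.00\n"
# Same batch with one record lost in transit: count and total no longer reconcile.
SHORT_BATCH = "H|PAY-0002|4|12500.00\nD|1|A-100|250.00\nD|2|A-101|1250.00\nD|4|A-103|500.00\n"

if __name__ == "__main__":
    for batch in (GOOD_BATCH, SHORT_BATCH):
        print(validate_batch(batch)[1].render(), end="\n\n")
```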

2. Backup of Software - Analysts and programmers shall, upon design of new systems or making major modifications to existing systems, be responsible for duplicating master files and transactions after update processing in order to store before and after images of files, tables, etc. Source programs should also be backed up with the prior version when a new production version is implemented.

3. Access Security - Analysts and programmers shall take precautions to maintain security of data files when giving other programmers and users access permission to read or write production files. The permission to access any file will be limited and based upon a "need-to-know".

4. Permitted Files - Administrative production files for one system which are permitted access to another system must be authorized on an individual basis.

5. Change of Passwords - The existing procedure covering the periodic change of passwords to administrative production accounts shall be strictly adhered to.

6. Documentation - An up-to-date master copy of all hardware and applications and operating systems software documentation shall be kept in Information Technology. The master copy may be hardcopy, microfiche or stored in a computer.



CSUF INFORMATION TECHNOLOGY

Appendix B EMERGENCY PROCEDURE

Information Technology staff must be trained to deal effectively with the following incidents:


ACCIDENTS & MEDICAL EMERGENCIES

1.   Dial 278-2515 for assistance.

2.   Ask for paramedic ambulance if needed.

3.   Render first aid as required.

4.   A first aid kit is located in the computer room.

5.   Notify your supervisor.

FIRE or SMOKE or WATER EMERGENCIES

1.   Detection Alarms - The computer area is protected by alarms and you will be alerted when an emergency occurs.

2.   Halon Fire Protection - The computer room no longer has a halon system. There is an "FM-2000" carbon dioxide system that will flood the area under the raised floor. There is an override switch near the north door that will prevent release if the operator presses the button within 30 seconds.

3.   Evacuate the area if danger is present.

4.   Pull the fire alarm.

5.   Report the fire at 278-2515.

6.   Power down the equipment if time permits.

7.   Water Protection - In event of flooding by broken pipes or water from fire-fighting on floors above or in the computer area, drape the equipment with plastic covers if time permits.

EARTHQUAKE

1.   Refer to the CSUF Emergency Preparedness Plan.

BOMB THREAT/EXPLOSION OR DEMONSTRATION/RIOT

1.   Dial 278-2515 to report the incident.

2.   Evacuate the immediate area if danger is present.

3.   If a demonstration or riot, keep doors locked and avoid encounters with demonstrators.

4.   Phone your supervisor.

5.   Also, refer to the CSUF Emergency Preparedness Plan.

POWER FAILURES

1.   See the Emergency Handbook located in the computer room.



Appendix C


COMPUTING PRACTICES and SECURITY AWARENESS for USERS

1.   Security is the concern of all California State University, Fullerton (CSUF) computing users. You are encouraged to use the CSUF mainframe, mini and micro-computers for legitimate educational or administrative computing. However, some may be tempted to abuse this privilege yet not be aware of the legal aspects of computer crime. CSUF Information Technology is responsible for securing the computer systems and informing you of expected standards of conduct and the punitive measures if not followed:

a. COMPLIANCE WITH SECURITY GUIDE - Users accessing CSUF computers must follow the policies in the Security Guide published by California State University, Fullerton Information Technology. The document is available in all computer Labs for your reference. Disciplinary actions will be based upon violations as explained in the Security Guide.

b. UNAUTHORIZED COMPUTER USE - The use of CSUF computer systems for personal and unauthorized activities is forbidden by state law. You are responsible for the proper usage of your computer account and must use it only for the purposes for which it was authorized. Examples of unauthorized uses are attempts to modify the operating system, access of files not permitted to your account (unless authorized), use of the computer for profit, use of someone else's account, etc.

c. DISCONTINUANCE OF SERVICE - The service to your account, password, or terminal shall be suspended when security violations described in the Security Guide are discovered and restored when security has been assured.

d.   PRIVACY - You should respect other users' rights to the privacy of their programs and data. That is, you should not access, copy, modify, or destroy the computer work of others.

e. PASSWORDS - You should protect your password and account number to keep someone else from accessing and tampering with your programs and data.

f. COURTESY - You should use the resources available from Information Technology as efficiently as possible so as not to adversely impact other users. You should not deprive other users access to the resources by attempting to crash the system, playing unauthorized computer games, etc.

2.   For your awareness, the following penal information is provided:

a.  COMPUTER CRIME DEFINITION - California Penal Code Section 502 states that any person is guilty of a public offense who:

(1) knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2) knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3) knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(4) knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(5) knowingly introduces any computer contaminant into any computer, computer system, or computer network.

b. VIOLATION OF CALIFORNIA PENAL CODE SECTION 502 - If you illegally access the CSUF computer system you may:

(1) be found guilty of a felony, which is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16, 24, or 36 months, or by both such fine and imprisonment; or

(2) be found guilty of a misdemeanor, which is punishable by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both such fine and imprisonment.

(3) In addition, be found in violation of university student conduct policies and regulations, which may subject a student to disciplinary sanctions up to and including dismissal from the academic institution.

c. THE COMPLETE TEXT OF CALIFORNIA PENAL CODE SECTION 502 APPEARS IN APPENDIX J.

3.   Reporting of security problems - Any person who wishes to report an unauthorized computer intrusion or security violation, or wishes to suggest improvements, should contact the Chief Information/Technology Officer.

4.   This document applies to all computing users and is distributed with each Account Request Form approved by Information Technology.


Appendix D

CONFIDENTIALITY STATEMENT

Information Technology (IT) considers all account numbers and passwords, data files, programs, and documentation which reside in IT facilities to be confidential. The user has full and complete proprietary interests in his/her data and is the only person who can authorize access or release of such data to others.

IT personnel, as well as vendors, are required to respect the confidentiality of data processed. They are expressly required not to divulge any such information available to them as a result of their employment or affiliation with IT.

Violations of security and confidentiality standards are punishable by law. The Information Practices Act of 1977 (Civil Code Section 1798 et seq.) states:

"Article 10. Penalties" 1798.55. The intentional violation of any provision of this chapter or of any rules or regulations adopted thereunder by an officer or employee of any agency, shall constitute a cause for discipline, including termination of employment.

_____________________________________________________________________________

I have read the above statement and the CSUF Security Guide and will comply with the provisions of these policies.

I realize that intentional violations of security or confidential policies may be grounds for denial of access privileges to IT facilities or disciplinary action.

___________________________
NAME (Please Print)

____________________________
Signature

____________________________
Date



Appendix E

DEFINITIONS

Hardware or Computer System - means a mainframe, mini, or micro computer or collection of machines which contain computer programs and data that performs the functions of arithmetic, data storage and retrieval, communication, and control.

Software or Computer Program - means an ordered set of instructions or statements, and related data that, when automatically executed in a computer system, causes it to perform specified functions. Software in general is the totality of programs, utility routines, and documentation including that supplied by the vendor.

Data - means a representation of information, knowledge, facts, concepts, or instructions which are being or have been prepared formally and are intended for use in a computer system.

Data, modified - means the file can appear to be perfectly usable but contains erroneous fields.

Data, destructed - means the file, either on-line or off-line, has been physically eliminated or removed/stolen from the site.

Data, access - means to instruct, communicate with, store data in or retrieve data from a computer system.

Data, Personal - means confidential data maintained by the university about an individual including but not limited to their education, financial transactions, medical, or employment history that contains the individual's name, ID number, or other identifying data.

Data, Confidential - means data held in confidence (see above).

Person or Individual - means an employee or student of California State University, Fullerton.

Record - means any grouping of data, e.g., on a person.

File - means a collection of records containing related data.

System - means a collection of files containing related data.

Automated - means records, files, and systems maintained through the use of the computer.

Administrative - a general meaning referring to administrative functions of CSUF (as opposed to academic/instructional), software produced to support administrative functions, data processed by the computer for administrative offices, etc.



Appendix F

The compact size, relatively high cost, and ready marketability of the personal computers owned by the State make them an attractive target for thieves. The theft of a personal computer from a State agency can involve not only property loss but also a serious threat to individuals' privacy or to the integrity of State operations. State policy requires that agencies implement appropriate safeguards to secure these systems and their associated files from theft. The purpose of this Management Memo is to summarize applicable policy and highlight specific means of complying with that policy.

BACKGROUND

Nearly five thousand personal computers are now in use in State agencies. They are employed to enhance individual productivity and as network workstations. Many of these systems connect directly with large mainframe computers in the State's data centers and have the ability to download copies of files from the mainframes to their own data storage units.

Personal computer data storage includes hard disk units with capacities of up to 60 million characters, the equivalent of thousands of pages of text. These units, which usually are built into the computer, store both programs and data files. Unlike floppy disks, which can be removed when the system is unattended and kept under lock and key, most hard disks are not removable: they are a permanent fixture within the computer.

If the computer is stolen, any files and programs that are resident on a hard disk (or on floppy disks that are left in the computer) are stolen too. Thus, depending upon the nature of the files that are contained in the system, the theft of a personal computer can involve a serious breach of personal privacy or can jeopardize the integrity of State operations.

STATE POLICY

The Model Agency Policy for Personal Computers (SAM Section 4990.1) defines the minimum standard for the management of personal computers and has been adopted by the vast majority of agencies. This policy mandates that the use of personal computers within the agency shall be in accordance with all applicable provisions of the State Administrative Manual dealing with Confidentiality and Security of information systems (Sections 4841 through 4847).

Further, the Model Policy requires that proposals to use a personal computer to maintain or access files containing sensitive data as defined in SAM Section 4846.1 must be approved by the agency's Information Security Officer. The Information Security Officer must certify that the proposal complies with all applicable provisions of the State Administrative Manual dealing with Confidentiality and Security of sensitive data.

The policy also requires that personal computers be located in secure areas within the agency and that consideration be given to providing suitable locking devices to anchor desktop computers to desks or tables.

Together, these requirements define the same standard of security for personal computers and their associated files as is required for larger computer systems and their files.

FILES CONTAINING SENSITIVE DATA

Files containing sensitive data (as defined in SAM Section 4846.1) must not be stored in personal computers unless the agency can demonstrate that doing so is in the interests of the State and that adequate security precautions have been taken.

Sensitive files should be maintained at a data center or at a facility having a comparable level of security. The State's data centers have established rigorous security measures that are capable of providing appropriate protection for even the most sensitive files.

In the event that an agency elects to store sensitive files in a personal computer, the agency must be able to demonstrate that doing so is in the interests of the State and that the security measures that have been implemented provide adequate protection -- protection that is comparable to that available through the data centers. As noted above, the agency's Information Security Officer must certify that the agency has complied with all applicable provisions of the State Administrative Manual dealing with the Confidentiality and Security of sensitive data. If a sensitive file is maintained within a local area network, the same provisions apply.

MANAGEMENT RESPONSIBILITIES

State policy requires that information maintained in a personal computer must be subjected to the same degree of management control and verification of accuracy that is provided for information that is maintained in other automated and manual files (SAM Section 4990.1). Accordingly, agency management must monitor the nature and content of files stored in personal computers, including those associated with local area networks. Sensitive files may be created as a by-product of statistical or analytical activities or downloaded from a mainframe computer. Individual employees may create data bases for their own convenience, bypassing normal management review. The agency's Information Security Officer, working with the agency's Personal Computer Coordinator, should regularly inventory the files being maintained in personal computers.

Management must also review the measures taken to protect personal computer systems from theft and unauthorized use, with special attention to any systems that are used to store sensitive files.

Systems should be kept in secure areas within the agency and should be physically attached to a desk or table. If the computer has a lock, it must be locked whenever it is unattended and the key kept in a secure location. All files must be regularly backed up, with the file copies stored in a secure location that is separate from the personal computer itself. If sensitive files must be stored, a removable storage medium, such as a floppy disk, is preferable to a non-removable medium. When the files are not being used, disks should be removed from the area of the personal computer and stored under lock and key.

Finally, management must ensure that agency staff remains alert to the threats to personal computers, particularly those computers that are located in work areas that are accessible to the public. Staff should be encouraged to question the presence of outsiders in work areas and to report any unusual occurrences. Users of personal computers should be cautioned to treat the associated data files with the same degree of care they would employ for other automated and manual files.


JESSE R. HUFF
Director of Finance



Appendix G


TABLE OF CONTENTS

I. Introduction

II. Security Awareness

III. Role of the Information Security Officer

IV. Physical Inventory

V. Physical Security

VI. Security of Data Stored on Microcomputers

VII. Risk Assessment

VIII. Summary

This section was developed as a complete security package under the auspices of The Office of Computing and Communications Resources at the Chancellor's Office. It is included here only as a reference guide.


I. INTRODUCTION

As operations become more decentralized, so does the processing of the related information, and the controls and procedures around that information become more vital to an institution. Increased remote access, and networks designed to process distributed data, make information that was once secured in one place available almost anywhere. The potential for unauthorized access to confidential and proprietary information, and for theft, grows apace. Ultimately, computer security measures must focus on the points of greatest vulnerability: the accuracy, integrity and safety of stored information, and its exposure to theft.

Each campus President, and ultimately the Chancellor, is responsible for assuring that appropriate computer security mechanisms are in place. The California State University system does maintain a computer security manual for each institution, however, the existing security manuals do not address the issue of microcomputer security. This document is intended to address microcomputer security issues and should be incorporated into each campus' security manual.

It is recognized that each campus operates in its own unique environment and that some of the following recommendations may not be applicable; therefore, each campus should make an effort to substitute mechanisms as appropriate to address its own unique environment.


II. SECURITY AWARENESS

This decentralized availability of computerized information has made it imperative that upper management be apprised of the difficulty of maintaining data security as long as the responsibility for it is assigned to only one person per campus. The responsibility must be shared by those persons in responsible positions and roles must be clearly defined. Effective microcomputer security is virtually impossible unless specific assignments of responsibility are made by upper management to all essential contributors of the campus. It must, therefore, be recognized that management awareness of the need for computer security is essential to the assignment of the diverse and divided responsibilities requisite to its accomplishment.

To accomplish this, campus Information Security Officers should prepare a Computer Security Policy statement for their respective campus. The policy statement should be issued under the campus President's signature to all department heads with the emphasis directed toward all faculty and staff users.


III. ROLE OF THE INFORMATION SECURITY OFFICER

The protection of computerized information and equipment requires end-user cooperation and compliance with appropriate policies. In order for an information systems' security program to be successful, all end-users must be trained regarding the need for information security and must be made aware of their personal responsibility for the protection of equipment and information.

The Information Security Officer is responsible for the initiation of policies and procedures, the training of end-users, and the monitoring of operations which relate to information and computer equipment security. In this role, the Information Security Officer serves as a resource for the protection of valuable assets.

A. POLICIES AND PROCEDURES

The Information Security Officer must play a major role in the making of decisions and policies which affect information security. These policies relate to the physical security of computer equipment, to restrictions regarding data access, to procedures related to data backup and file recovery, and to penalties for the violation of information systems' security regulations.

Policy Development - The Information Security Officer is responsible for the development of the University Information Security Manual and for the drafting of policies and procedures relating to information systems' security. These duties require working or consulting with representatives of the campus Computer Center, the Department of Public Safety, the Personnel Office, the facilities planner, and the senior managers of those administrative units which extensively use computerized information.

Update and Re-evaluation of Policies and Procedures- It is necessary to periodically review and update the University Information Security Manual. Some of the circumstances which might prompt this are: security breaches, equipment or significant data losses, new equipment or new data accessing systems installed, conflicting procedures/policies or procedural inefficiencies brought to light. If these or other impacting situations arise, the Information Security Officer should review existing policies to determine if modifications should be made.


B. TRAINING

Policies and procedures designed to provide for information security will only be effective if they are supported by senior level managers and regarded by them as essential to the efficient operation of the university. Such support is the result of effective training programs which are designed to raise awareness of the potential fiscal and operational losses which can result from inadequate controls, and should be coordinated with other programs as appropriate.

Awareness - A primary role of the Information Security Officer, as trainer, is to raise users' security awareness and to assure that information systems' security procedures are regarded by them as necessary components of safe and effective operation.

Coordination With other Programs - Information Security Training should be coordinated with other university units, including: the Computer Center, user support groups, the crime prevention officer of the campus Department of Public Safety, and the Personnel Office.

Training Programs - The Information Security Officer should schedule appropriate training sessions as a part of the orientation of new university employees. In addition, the Officer should schedule follow-up training on an annual basis or as necessitated by the introduction of new equipment, new technologies or changes in procedures. Additional follow-up training efforts should include the distribution of checklists, bulletins or pamphlets, or the introduction of security-related topics into university publications or newsletters routinely distributed to employees. The aim of the Training Program is to maintain visibility and reinforce understanding of the need for security precautions.



C.  MONITORING

Policies and procedures regarding information systems' security can only be effective if they are consistently followed. End-users must remain aware of their personal responsibility for the protection of equipment and information. Therefore, the Information Security Officer must conduct an on-going program that monitors compliance with established policies and procedures and maintains awareness of information systems' security related issues.

Initial Assessment - The initial task of the Information Security Officer should be an assessment of the status of current information security. This should include an inventory of existing computer equipment, an appraisal of their locations and their physical security; a review of file and diskette protection, access control, and backup procedures currently in place; and an assessment of current awareness of, and support for, information systems' security policies and procedures.

On-Going Monitoring - Following the initial evaluation, the Information Security Officer must maintain an active role in the monitoring of information systems' security. In order to perform this function, the Information Security Officer must establish procedures which require that he/she be informed of all equipment losses, all security breaches including unauthorized access to computer equipment or sensitive operational data, and all substantial operational data losses which require more than minimal effort to recover.

Annual Review - The Information Security Officer should meet with the senior managers of units which utilize computer resources to monitor changes to, or additions of, installed equipment or their locations, data accessibility and sensitivity. This meeting should be scheduled on at least an annual basis, or as changes necessitate. During the meeting the Information Security Officer should review a unit's security checklist with the senior unit manager in order to identify any areas where revised procedures or equipment relocations are advisable.


IV. PHYSICAL INVENTORY

Two separate inventories, one for equipment and the other for software, are recommended. In the event of theft or misplaced equipment (e.g., transfers between offices) an Equipment Inventory System should contain vital information that could identify the missing items and enhance the possibility of their recovery. A simple Software Inventory System would aid in keeping track of data files, and numerous programs, stored on diskettes.

In recent years, the most likely items to be taken from campus offices and instructional facilities have been small microcomputers and their accessories, such as printers or color video monitors. Such equipment offers an excellent opportunity for theft because of its value, availability, portability and marketability. Too frequently, thefts are due to open and unattended offices.


A. RECOMMENDATIONS FOR SOFTWARE INVENTORY

Record of Diskettes - A log of software floppy diskettes should be kept which lists essential information for each diskette. All diskettes should have a unique identifying volume name and number to facilitate the logging and tracking of diskettes.

Missing Diskettes - An inventory of the software should be made periodically. Differences between the log and actual diskettes in diskette files must be resolved to determine whether an administrative error occurred (e.g., diskette was reused without updating the log) or whether a diskette is actually missing. Critical and/or sensitive data that appears to be missing should be reported to the Information Security Officer.

Software Lending Libraries - It is also recommended that procedures for the movement or reassignment of software between users be implemented. This is acutely critical for maintaining software lending libraries for staff and students.
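The reconciliation step described above, worked through in code. This is an added example and is not part of the CSUF Security Guide or of the Chancellor's Office package it reproduces; the record layout (volume number, volume name, sensitivity flag) and the sample log and shelf entries are constructed for it.

```python
"""Reconcile a diskette log against a physical count.

Added example, not part of the CSUF Security Guide or the Chancellor's
Office package it reproduces. It works through the software-inventory
procedure: every diskette carries a unique volume number and name, the log
is compared periodically with what is actually in the diskette files,
differences are classified, and missing sensitive media are reported to the
Information Security Officer. The record layout and the sample entries are
constructed for this example.
"""
from collections import Counter
from dataclasses import dataclass


@dataclass(frozen=True)
class Diskette:
    volume: str      # unique volume number, e.g. "V-0042" (assumed format)
    name: str        # volume name written on the label
    sensitive: bool  # holds personal or confidential data (Appendix E terms)


def reconcile(log: list, shelf: list) -> dict:
    """Compare the log with the diskettes physically found.

    missing    logged but not found: possible loss or theft
    unlogged   found but never logged: administrative error
    relabeled  same volume number, different name: reused without
               updating the log
    duplicate  one volume number on more than one diskette: the number
               was not unique, so the log cannot track it
    report     missing volumes flagged sensitive, to go to the ISO
    """
    logged = {d.volume: d for d in log}
    found = {d.volume: d for d in shelf}
    counts = Counter(d.volume for d in shelf)
    missing = sorted(v for v in logged if v not in found)
    return {
        "missing": missing,
        "unlogged": sorted(v for v in found if v not in logged),
        "relabeled": sorted(v for v in logged if v in found
                            and logged[v].name != found[v].name),
        "duplicate": sorted(v for v, n in counts.items() if n > 1),
        "report": [v for v in missing if logged[v].sensitive],
    }


# Constructed sample data: the log as kept by the office, and what a
# periodic count of the diskette files actually turned up.
LOG = [
    Diskette("V-0001", "PAYROLL-BKP", True),
    Diskette("V-0002", "WORDSTAR", False),
    Diskette("V-0003", "STUDENT-GPA", True),
    Diskette("V-0004", "SCRATCH", False),
]
SHELF = [
    Diskette("V-0001", "PAYROLL-BKP", True),
    Diskette("V-0002", "WORDSTAR", False),
    Diskette("V-0004", "BUDGET-FY03", False),  # reused, log not updated
    Diskette("V-0005", "UNKNOWN", False),      # never logged
    Diskette("V-0005", "UNKNOWN", False),      # same number on two diskettes
]


def demo() -> dict:
    """Reconcile the constructed log and shelf."""
    return reconcile(LOG, SHELF)


if __name__ == "__main__":
    for category, volumes in demo().items():
        print(f"{category:10s} {', '.join(volumes) or '-'}")
```

On the sample data the count turns up one missing sensitive volume (V-0003, which goes on the report to the Information Security Officer), one diskette reused without the log being updated (V-0004), and a volume number that appears on two diskettes (V-0005), which is exactly the kind of administrative error the procedure says must be resolved before a loss can be ruled in or out.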


B. RECOMMENDATIONS FOR EQUIPMENT INVENTORY AND HANDLING

Purchase Requisition Process - Campuses should have a procedure that coordinates the ordering of equipment with the Computer Center. This will help to ensure that the equipment being ordered is included in the inventory and monitored from initial delivery through final installation.

Receipt of Equipment - Once the microcomputer and accessories arrive at the Receiving Department, they should be verified against the purchase order and delivered to the appropriate office responsible for the assembly and installation of the equipment. In turn, ownership is transferred from the Receiving Department to that office and finally to the purchaser for accountability. It is recognized that the receipt of equipment varies procedurally between campuses and that different approaches are acceptable. The intent is to maintain equipment accountability throughout the receiving process.

Inventory of Equipment - When all equipment has been received and works properly, the Receiving Department or Property Control Officer should be notified by the Assembly/installation office and each item of the microcomputer system should be identified with a state tag number as well as engraved with the number in a prominent place. The items are now ready for entry into the campus inventory, as well as sub-inventories that may also be maintained in departments or the Computer Center.

Note: Locating equipment on an inventory list can be difficult unless entries are organized and identified properly. By way of illustration, a microcomputer generally should be listed as "micro" or "PC", leaving the designations "computer" and "processor" to larger mini- and mainframe computers. Otherwise, a mixture of micro, PC, computer, and processor would make a confusing inventory list. A separate standardization list of synonyms is essential to minimize confusion when entering additional equipment to the list. Also, separate items, such as the keyboard and monitor, should have their own identification numbers, and where possible, be grouped with their micro.

Ownership Changeover - When a micro is delivered to the purchaser, they should acknowledge receipt of all items on the purchase order. The Inventory System is then updated. This completes the cycle of tracking new equipment. A procedure should also be available to control changes in ownership and movement of equipment when transferred to a different building or room.

Hardware Lending - Sometimes it is possible, or necessary, to keep a system running by swapping extra components that technical support may have on hand until they can repair the original equipment. When this is done a record of identification numbers of the swapped items should be maintained on the repair work orders, noting time and dates of the exchanges and final replacements.

Similarly, if a hardware lending system is established, procedures and records for the temporary loan or reassignment of hardware should be maintained.


V. PHYSICAL SECURITY

The physical protection of desktop computers is more difficult than that of large mainframe computers where physical access to the computer facility can be more easily controlled. Micros are often located in open office environments and may be casually used by several employees.

The micro user community is relatively new to computing and is inexperienced with centralized data center security measures. A well designed security awareness and procedures program for employees can prevent, or at least minimize, the loss of micro equipment through carelessness, theft or other security laxity.


A. RECOMMENDATION FOR PHYSICAL SECURITY

Location of the Micro - Place the microcomputer in a safe environment. Do not encourage theft by locating the micro near a door with easy access to hallways and building exits. House the micro in a secure room that can be locked when unattended. Put the micro in a spot that is distant from rain coming through open windows, faulty pipes, heat sources and so on.

Theft Protection - The micro should be secured to the table by either anchor pads, locking cables, alarm systems that sound upon unauthorized movement, or similar anti-theft devices.

Ownership Identification - The micro and its detachable components should be engraved with agency letters and serial numbers, and then recorded for future identification needs.

Decentralized Security - People are more easily influenced by individuals they know. Potential employee violators are less likely to compromise security procedures, if they know and respect their local security administrator. Management should encourage an attitude of security awareness at the grass-roots level of their agencies and assign responsibility of security administration to a single individual in an area where many micros are located. Management should also inform the supervisor of each functional area that maintaining reliable security is ultimately their responsibility.

Vigilance - Computer security is the responsibility of all computer users, not just management. Employees should question or offer assistance to unfamiliar people who do not appear to be on official business and report violations to the police or proper security official. Employees at the lowest level who have adopted and accepted security help ensure successful security.

Access to Micros - Restricting access to the equipment area may be the easiest security measure, when practical. Also helpful is the practice of maintaining a log for recording multiple users.

Micro Screen Orientation - Terminals located on counters should be oriented so as to prevent visitors from unauthorized reading of information on the screens. The terminal screen should be blank when the operator departs since unattended screens may display sensitive data to unauthorized observers.

Logoff Practice - When accessing confidential data, it may be necessary to require the user to logoff the micro when leaving the area in order to prevent unauthorized observers.

Printer and Hardcopy Protection - The easiest means for unauthorized persons to access sensitive data may be the wastepaper basket. Operators should not leave printers unattended during the printing of sensitive information in unsecured areas. Discarded paper with sensitive data should be shredded or disposed of in an approved manner as soon as possible.

Diskette Protection - Diskettes containing sensitive data, and their backups, should be locked up, as illicit copies can be made easily, or diskettes lost or misplaced.

Data Diskette Identification - All diskettes should be clearly labeled and indicate the file name(s), creation date, project assignment, destruction date, and other appropriate information to aid identification.

Backup Protection - The need for backup is frequently not apparent to some users. Unfortunately they do not back up their files and learn to do so only after they lose valuable data. Users should be trained to frequently execute a "save" command as files are created, and copy files on a regular basis for backup. To have a backup, you must make an additional copy of the same data and store that copy in a safe location. Because backing up a hard disk to many floppy diskettes requires considerable time, a hard disk with built-in tape drive or add-on tape drives should be considered.

Telecommunications Network Security - Microcomputers generally do not have, or need, the full array of security measures found in large computer systems. However, minicomputers as well as Local Area Networks should allow for typical security measures. For example:

Once a file has been downloaded from a mainframe computer to a micro, copies of that file can be made easily. Consideration should be given to limit a file access to "read only", without the ability to "write to" a file.

Capability should be provided for users to select the level of protection their files require, e.g., private, semiprivate or limited user access, or public access.

Provision should be made to disconnect users after inactivity has exceeded a time limit.

If the user turns off the power to the micro or presses the reset key(s), the network system should automatically disconnect the user.

Logon procedures should include a password and logon ID (e.g., account number) to restrict access.

Password Security - Access to the operating system of stand-alone microcomputers can be protected by software packages which retail for approximately $50. This security product provides for a password and up to four user codes per program in addition to limiting the number of unauthorized attempts someone can make in finding the valid password. Such software can also protect files via encryption. Passwords should be changed on a regular basis.

Care of Micro and Diskettes - Data can become unreadable if diskettes are left near sunny windows or near heat sources, or magnetic fields such as paper clip holders or radio speakers. Diskettes, as well as the micro, should be protected from workplace hazards since smoke and spilled liquids can cause hardware and magnetic media problems in recording and reading data. Micro equipment should be covered when not in use. Diskettes should be stored in protective envelopes and filed in lockable storage cases.
 

VI. SECURITY OF DATA STORED ON MICROCOMPUTERS

The systems design trend is toward large, multi-user micro networks with the capability to electronically transfer data. Consequently, it is essential to protect sensitive information from unauthorized access. Sensitive and personal information consists of data that should not be disclosed according to the California Public Records Act and the California Information Practices Act of 1977. Personal information includes financial (payroll, etc.), personnel (employment histories, etc.), admission to university (education, etc.), and medical (behavioral and physical history, etc.) information.

Each campus, as well as departments associated with the campus, should implement the means to enable processing of, and access to, multiple levels of sensitive information thereby reducing the risks of unauthorized access.


A. RECOMMENDATIONS FOR DATA SECURITY

Ownership of Data - The information resident on diskettes and networks generally belongs to the department that enters, maintains, and controls updating of that data. The owner generally has authority to permit others to access the file.

Authorized Access - Generally, the owner and/or the user holding the password are the only persons permitted to access sensitive data. Access by others should be on a "need-to-know" basis with authorization required from the data owner. It is highly recommended that written records be kept of who has authorization to access sensitive data.

Access by Password - Access control by the micro is the cornerstone of micro security since it provides the capability to grant or deny access to data. Access to all sensitive files should be by password, whenever possible. If the microcomputer is a stand-alone system (i.e., not connected to a Local Area Network which requires password entry), other controlled entry should be considered such as a key lock or a machine-readable access card.

Safeguarding Passwords - The possibility of unauthorized access to sensitive data can be reduced if users of microcomputers protect their passwords. Passwords should be easy to recall and not displayed on or near the terminal or "hidden" in desk drawers.

Change of Passwords - Users should be advised to change their passwords periodically, and should avoid the use of their nickname, initials, date of birth, and other personal codes that can be easily guessed by others.
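The three password controls the guide asks for (a limit on unauthorized attempts, rejection of nicknames, initials, dates of birth and similar personal codes, and periodic change) fit in one small module. The following is an added example and is not the retail package mentioned above nor any real product; the attempt limit, the 90-day age, the minimum length and the sample profile are all assumed values chosen for illustration. Passwords are stored as salted PBKDF2 hashes rather than in clear, which the guide does not spell out but which a stand-alone micro package would need.

```python
"""Password controls: attempt limiting, guessable-code rejection, periodic change.

Added example; not the guide's software and not a real product.  All
thresholds and the sample profile are assumptions made for illustration.
"""
import hashlib
import hmac
import os
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

MAX_FAILED_ATTEMPTS = 3                 # assumed limit; the guide fixes none
PASSWORD_MAX_AGE = timedelta(days=90)   # assumed change period
MIN_LENGTH = 8                          # assumed minimum length
PBKDF2_ROUNDS = 100_000


@dataclass
class UserProfile:
    """Personal details the guide says a password must not be built from."""
    name: str
    nickname: str
    initials: str
    date_of_birth: date


def personal_tokens(p: UserProfile) -> List[str]:
    """Strings derived from the profile that a guesser would try first."""
    dob = p.date_of_birth
    parts = p.name.split()
    tokens = [p.nickname, p.initials, parts[0], parts[-1],
              dob.strftime("%m%d%y"), dob.strftime("%m%d%Y"),
              dob.strftime("%Y%m%d"), dob.strftime("%d%m%y"), str(dob.year)]
    return [t.lower() for t in tokens if len(t) >= 3]


def is_easily_guessed(password: str, profile: UserProfile) -> Optional[str]:
    """Return the reason a candidate password is weak, or None if it passes."""
    if len(password) < MIN_LENGTH:
        return "too short"
    low = password.lower()
    for tok in personal_tokens(profile):
        if tok in low:
            return f"contains personal detail {tok!r}"
    if low == low[0] * len(low):
        return "single repeated character"
    return None


def hash_password(password: str, salt: Optional[bytes] = None) -> bytes:
    """Salted PBKDF2-HMAC-SHA256; returns salt followed by digest."""
    salt = salt or os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return salt + digest


def verify_password(password: str, stored: bytes) -> bool:
    """Constant-time comparison against the stored salt+digest."""
    salt, digest = stored[:16], stored[16:]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return hmac.compare_digest(candidate, digest)


@dataclass
class Account:
    profile: UserProfile
    stored: bytes
    last_changed: date
    failed_attempts: int = 0
    locked: bool = False

    def login(self, password: str, today_iso: str) -> str:
        """Outcome of a logon: 'ok', 'change-required', 'denied' or 'locked'.
        After MAX_FAILED_ATTEMPTS wrong passwords the account refuses every
        further attempt until an administrator resets it."""
        if self.locked:
            return "locked"
        if not verify_password(password, self.stored):
            self.failed_attempts += 1
            if self.failed_attempts >= MAX_FAILED_ATTEMPTS:
                self.locked = True
                return "locked"
            return "denied"
        self.failed_attempts = 0
        if date.fromisoformat(today_iso) - self.last_changed > PASSWORD_MAX_AGE:
            return "change-required"
        return "ok"

    def change_password(self, new_password: str, today_iso: str) -> Optional[str]:
        """Apply the guessability check; returns the rejection reason or None."""
        reason = is_easily_guessed(new_password, self.profile)
        if reason:
            return reason
        self.stored = hash_password(new_password)
        self.last_changed = date.fromisoformat(today_iso)
        return None


def make_account(profile: UserProfile, password: str, today_iso: str) -> Account:
    """Create an account, refusing an initial password that fails the check."""
    reason = is_easily_guessed(password, profile)
    if reason:
        raise ValueError(reason)
    return Account(profile, hash_password(password), date.fromisoformat(today_iso))


# Constructed sample profile (fictional person).
SAMPLE_PROFILE = UserProfile("Pat Q. Example", "patty", "pqe", date(1965, 3, 14))
```

The personal-token list is deliberately broad (several date layouts, both name parts); a rejected candidate tells the user which detail it contained so the policy is learnable rather than opaque. The lockout is a state flag, not a timer, because the guide describes limiting attempts rather than delaying them; a reset path for the administrator is the piece to add in practice.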

Backup of Data - Critical and sensitive data files should be copied to a backup-floppy diskette or other file on a routine basis, usually at the end of each day. Backup files should then be safely stored, with sensitive files preferably stored in a safe or locked cabinet.

Authorization to Download/Upload Data - The micro user can download data stored on a mainframe computer and manipulate the data for their own purpose. The loading of new or revised data directly back to the mainframe data base should be discouraged or accomplished only under strict supervision and with the authorization of the owner.

Reporting of Security Problems - Missing diskettes, attempts at unauthorized logons, and other instances of security violations should be reported to the Campus Information Security Officer. Users are also encouraged to suggest improvements to their Security Officer.

VII. RISK ASSESSMENT

Your security should be cost-effective. Yet, many organizations are unaware of the cost to implement security measures or the dollar value of security benefits. It is prudent management, therefore, to determine the dollar value of potential losses and the cost of protection before purchasing or developing security safeguards. Cost might also include liability for not implementing security measures (e.g. lawsuits from copyright infringements for unauthorized copying of programs, misuse of personal data, etc.)

Risk assessment is a systematic approach to 1) identify threats and vulnerabilities to your computer operation, 2) quantify each risk in terms of dollar cost or loss, and 3) determine the costs of remedies to increase security benefits.


A. RECOMMENDED STEPS FOR RISK ASSESSMENT

Step 1:

What Needs Protection - Identify and list the things that are desired to be protected. This includes data files, software, documentation, and an itemized list of equipment, such as personal computers, external harddisk drives, modems, printers, etc.

Step 2:

What Is The Value - Set the cost to replace each item for the equipment, data, software, and documentation listed in Step 1. Consider the consequences if data is lost to theft, fire, etc. Cost can be derived, for example, by estimating overtime pay needed to reconstruct files or re-enter data.

Step 3:

What Is The Risk - Establish the hazards and security threats for each item in Step 1 that could cost money. For example, losses could result from power failures, employee errors or acts by other people, vandalism, and so on.

Step 4:

What Is Probability of Loss - Analyze each item in Step 1 in terms of potential exposure to determine how often various hazards may occur. For example, the exposure from power failures could be "every 3 months", theft of equipment may be "every 36 months", and data reconstruction due to failure to follow backup procedures could be "every 12 months". Another element may also be added to identify the probability of each threat as high, medium, or low.

Step 5:

What are the Methods of Protection - Match to each item in Step 1 a single or mix of physical security protection devices or other mechanisms, such as backup/recovery procedures, equipment/audit controls, and so on. As an example, the computer can be secured to the table by an anchor cable.

Step 6:

What is the Cost of Protection - Determine the cost to reduce the existing level of vulnerability for each item in Step 1. For example, the cost to protect a micro from theft could be the price of an anchor mechanism to secure the micro to a table, or the cost of a fire loss could be the expense of transferring operation to a new location plus required new equipment and installation.

Step 7:

What is the Expected Cost or Saving - Compute the cost or savings if security measures are implemented for each item listed in Step 1. In some cases, this can be a simple cost or savings derived from Step 2 (existing value) and Step 6 (cost of protection), while others may be better expressed in benefits attained.

The risk analysis information can be recorded easily in a table format created by spreading the above risk analysis steps across the page in columns.

Risk analysis is only a tool in the decision making process. It is not the decision. The data must first be completed and evaluated, then prudent measures decided upon.

Example

Item to Protect     Value    Risk/Threat of Loss   Probability      Protection Method   Cost     Savings
PC Printer          $700     Theft                 1 per year       Table anchor        $20      $680
PC Keyboard         $60      Theft                 1 per year       Table anchor        $20      $40
Equipment Total     $760                                                                $40      $720

All PC Equipment    $4,000   Fire                  1 in 20 years    Halon system
Documentation       $2,000   Fire                  same             same
Furniture           $1,000   Fire                  same             same
Equipment Total     $7,000                                                              $1,000   $6,000

Diskette Files      $3,000   Accid. Loss           2 per year       Backup              $300     $2,700
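A worksheet that carries the seven steps through the figures in the example table, as an added example that is not part of the guide: the rows are constructed from the table above, the column layout follows the guide's suggestion of spreading the steps across the page, and the "Equipment Total" rows are produced by grouping items that share a threat and a protection method (the Halon system's cost is counted once, on the first item of its group, as the table does). The guide's Step 7 savings figure is value minus cost of protection; the planning-horizon calculation is an extension the guide does not make, and it reproduces the guide's figure whenever the horizon equals the threat's return period (one year for the theft and diskette rows, twenty years for fire).

```python
"""Risk assessment worksheet following the seven steps of the guide.

Added example; not part of the original guide.  Sample rows are
constructed from the guide's example table.  The planning-horizon
calculation is an extension the guide does not perform.
"""
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class RiskItem:
    item: str          # Step 1: what needs protection
    value: float       # Step 2: replacement value, dollars
    threat: str        # Step 3: hazard that could cost money
    per_year: float    # Step 4: expected occurrences per year ("every 36 months" = 1/3)
    protection: str    # Step 5: protection method
    cost: float        # Step 6: cost of that protection, dollars

    def savings(self) -> float:
        """Step 7 as the guide computes it: value minus cost of protection."""
        return self.value - self.cost

    def expected_loss(self, years: float) -> float:
        """Extension: loss expected over a planning horizon of `years`."""
        return self.value * self.per_year * years

    def net_benefit(self, years: float) -> float:
        """Extension: expected loss averted over the horizon, less cost.
        Negative means the protection costs more than it is expected to save."""
        return self.expected_loss(years) - self.cost


# Constructed from the guide's example table.  A protection shared by several
# items (the Halon system) is costed once, on the first item of its group.
SAMPLE: List[RiskItem] = [
    RiskItem("PC Printer",        700, "Theft",       1.0,    "Table anchor", 20),
    RiskItem("PC Keyboard",        60, "Theft",       1.0,    "Table anchor", 20),
    RiskItem("All PC Equipment", 4000, "Fire",        1 / 20, "Halon system", 1000),
    RiskItem("Documentation",    2000, "Fire",        1 / 20, "Halon system", 0),
    RiskItem("Furniture",        1000, "Fire",        1 / 20, "Halon system", 0),
    RiskItem("Diskette Files",   3000, "Accid. Loss", 2.0,    "Backup",       300),
]

GroupKey = Tuple[str, str]  # (threat, protection)


def group_totals(items: List[RiskItem]) -> Dict[GroupKey, Tuple[float, float, float]]:
    """Sum value, cost and savings per (threat, protection) group, as the
    guide's "Equipment Total" rows do."""
    totals: Dict[GroupKey, Tuple[float, float, float]] = {}
    for it in items:
        key = (it.threat, it.protection)
        v, c, s = totals.get(key, (0.0, 0.0, 0.0))
        totals[key] = (v + it.value, c + it.cost, s + it.savings())
    return totals


def rank_by_net_benefit(items: List[RiskItem], years: float) -> List[Tuple[GroupKey, float]]:
    """Order protection groups by net benefit over the horizon, best first."""
    groups: Dict[GroupKey, float] = {}
    for it in items:
        key = (it.threat, it.protection)
        groups[key] = groups.get(key, 0.0) + it.net_benefit(years)
    return sorted(groups.items(), key=lambda kv: kv[1], reverse=True)


def worksheet(items: List[RiskItem]) -> str:
    """Render the analysis with the steps spread across the page in columns."""
    lines = [f"{'Item to Protect':<18}{'Value':>8}  {'Threat':<12}{'Per year':>9}  "
             f"{'Protection':<14}{'Cost':>7}{'Savings':>9}"]
    for it in items:
        lines.append(f"{it.item:<18}{it.value:>8,.0f}  {it.threat:<12}{it.per_year:>9.2f}  "
                     f"{it.protection:<14}{it.cost:>7,.0f}{it.savings():>9,.0f}")
    for (threat, prot), (v, c, s) in group_totals(items).items():
        lines.append(f"{'Total ' + threat:<18}{v:>8,.0f}  {'':<12}{'':>9}  "
                     f"{prot:<14}{c:>7,.0f}{s:>9,.0f}")
    return "\n".join(lines)


if __name__ == "__main__":
    print(worksheet(SAMPLE))
    for (threat, prot), nb in rank_by_net_benefit(SAMPLE, years=1):
        print(f"{threat:<12} {prot:<14} net benefit over 1 year: ${nb:,.0f}")
```

Ranking over a one-year horizon shows why the horizon matters: the backup and anchor groups come out positive, while the Halon system, whose fire threat recurs only every twenty years, comes out negative until the horizon is long enough to amortise its one-time cost. That is exactly the "risk analysis is only a tool, not the decision" point the guide makes.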


VIII. SUMMARY

In order to adequately address microcomputer security, users must be educated about the vulnerabilities in this area and take appropriate steps to develop a mechanism which addresses these issues. A well defined policy on user responsibility for protecting information is required along with an ongoing program to maintain awareness. The key is for management and users alike to develop a security mind-set, with the understanding that information is a critical resource of the university. Once an awareness program is developed and the appropriate commitment is made, microcomputer users will not only identify problem areas on their own; they will assist in the creation of appropriate, and likely innovative, solutions.


CSUF INFORMATION TECHNOLOGY

Appendix H
Security Guide

NETWORK SECURITY

Networks are designed to be open systems and to facilitate access to networked computer resources. At CSUF, the security of systems and data depends on proper computer system management, not on the network.

Nevertheless, the security policies which pertain to information resources at CSUF also apply to network resources. These include Federal and State regulations pertaining to computer crime (e.g. CPC Section 502) and University policies which describe appropriate use of, and access to, campus computing resources. These policies are described in the "Computing Resources Security Guide," October, 1987, and "Management of Student Records at California State University, Fullerton," October, 1985. The disciplinary procedures described in the "Computing Resources Security Guide" will also apply to violations of, or inappropriate use of, the campus data communications systems.

Departments are responsible for maintaining:

Physical security of cabling between equipment closets and office/laboratory termination points,

Physical security of department-specific network equipment which is not installed in equipment closets,

Software and file security of all department-specific information resources,

Departmental awareness of security risks and appropriate security procedures.

Departments are also responsible for informing IT of any network security violations which could potentially affect the campus network.

IT is responsible for maintaining:

Physical security of all network equipment and data communications cabling in campus equipment closets, between buildings, and in the Computer Center,

The integrity of all software running on backbone network equipment, including network control servers, communications servers, bridges, routers, and gateways,

Procedures for handling network security emergencies.

IT is also responsible for advising Administrative Computing of potential security risks involved in using the campus network for administrative computing applications.

The Network Services Committee is responsible for reviewing issues related to the appropriate use of the campus network by persons who are not faculty, staff, administrators, or students of the University, or issues pertaining to the use of campus networks for purposes not directly related to the academic program or business of the University. The committee's recommendations will be presented to the Chief Information/Technology Officer, who will make final decisions on appropriate use issues.


Appendix I

Computer Systems Technology


NIST Special Publication 500-166

Computer Viruses and Related Threats:

A Management Guide

John P. Wack

Lisa J. Carnahan

A COMPLETE COPY OF THIS PUBLICATION IS AVAILABLE FOR INSPECTION FROM THE CHIEF INFORMATION/TECHNOLOGY OFFICER.

 Ordering information:

Copies can be ordered from:
Superintendent of Documents
Government Printing Office
Washington, D.C. 20402
(202) 783-3238
GPO # 003-003-02955-6

 

Price is $2.50 per copy. This TABLE OF CONTENTS is included for information purposes. Complete text available for inspection from the Chief Information/Technology Officer.
COMPUTER VIRUSES AND RELATED THREATS

Table of Contents

Executive Summary  v
1. Introduction  1-1
1.1 Audience and Scope  1-1
1.2 How to Use This Guide  1-2
2. A Brief Overview on Viruses and Related Threats  2-1
2.1 Trojan Horses  2-1
2.2 Computer Viruses  2-3
2.3 Network Worms  2-5
2.4 Other Related Software Threats  2-8
2.5 The Threat of Unauthorized Use  2-8
3. Virus Prevention in General  3-1
3.1 User Education  3-3
3.2 Software Management  3-4
3.3 Technical Controls  3-6
3.4 General Monitoring  3-8
3.5 Contingency Planning  3-9
4. Virus Prevention for Multi-User Computers and Associated Networks  4-1
4.1 General Policies  4-1
4.2 Software Management  4-2
4.3 Technical Controls  4-4
4.4 Monitoring  4-7
4.5 Contingency Planning  4-9
4.6 Associated Network Concerns  4-10
5. Virus Prevention for Personal Computers and Associated Networks  5-1
5.1 General Policies  5-2
5.2 Software Management  5-3
5.3 Technical Controls  5-4
5.4 Monitoring  5-6
5.5 Contingency Planning  5-7
5.6 Associated Network Concerns  5-9
References  A-1
Suggested Reading  B-1

 

COMPUTER VIRUSES AND RELATED THREATS

EXECUTIVE SUMMARY

Computer viruses and related threats represent an increasingly serious security problem in computing systems and networks. This document presents guidelines for preventing, deterring, containing, and recovering from attacks of viruses and related threats. This section acquaints senior management with the nature of the problem and outlines some of the steps that can be taken to reduce an organization's vulnerability.

What Are Computer Viruses and Related Threats?

Computer viruses are the most widely recognized example of a class of programs written to cause some form of intentional damage to computer systems or networks. A computer virus performs two basic functions: it copies itself to other programs, thereby infecting them, and it executes the instructions the author has included in it. Depending on the author's motives, a program infected with a virus may cause damage immediately upon its execution, or it may wait until a certain event has occurred, such as a particular date and time. The damage can vary widely, and can be so extensive as to require the complete rebuilding of all system software and data. Because viruses can spread rapidly to other programs and systems, the damage can multiply geometrically.

Related threats include other forms of destructive programs such as Trojan horses and network worms. Collectively, they are sometimes referred to as malicious software. These programs are often written to masquerade as useful programs, so that users are induced into copying them and sharing them with friends and work colleagues. The malicious software phenomenon is fundamentally a people problem, as it is authored and initially spread by individuals who use systems in an unauthorized manner. Thus, the threat of unauthorized use, by unauthorized and authorized users, must be addressed as a part of virus prevention.

What Are the Vulnerabilities They Exploit?

Unauthorized users and malicious software may gain access to systems through inadequate system security mechanisms, through security holes in applications or systems, and through weaknesses in computer management, such as the failure to properly use existing security mechanisms. Malicious software can be copied intentionally onto systems, or be spread when users unwittingly copy and share infected software obtained from public software repositories, such as software bulletin boards and shareware. Because malicious software often hides its destructive nature by performing or claiming to perform some useful function, users generally don't suspect that they are copying and spreading the problem.

Why Are Incidents of Viruses and Related Threats On the Rise?

Viruses and related threats, while not recent phenomena, have had relatively little attention focused on them in the past. They occurred less frequently and caused relatively little damage. For these reasons, they were frequently treated lightly in computer design and by management, even though their potential for harm was known to be great.

Computer users have become increasingly proficient and sophisticated. Software applications are increasingly complex, making their bugs and security loopholes more difficult to initially detect and correct by the manufacturer. In conjunction with these two factors, some brands of software are now widely used, thus their bugs and security loopholes are often known to users. With the widespread use of personal computers that lack effective security mechanisms, it is relatively easy for knowledgeable users to author malicious software and then dupe unsuspecting users into copying it.

Steps Toward Reducing Risk:

Organizations can take steps to reduce their risk to viruses and related threats. Some of the more important steps are outlined below.

Include the damage potential of viruses, unauthorized use, and related threats in risk analysis and contingency planning. Develop a plan to deal with potential incidents.

Make computer security education a prerequisite to any computer use. Teach users how to protect their systems and detect evidence of tampering or unusual activity.

Ensure that technically oriented security and management staff is in place to deal with security incidents.

Use the security mechanisms that exist in your current software. Ensure that they are used correctly. Add to them as necessary.

Purchase and use software tools to aid in auditing computing activity and detecting the presence of tampering and damage.

 



Appendix J

SECTION 502 - CALIFORNIA PENAL CODE [Computer Crimes]

(a)   It is the intent of the Legislature in enacting this section to expand the degree of protection afforded to individuals, businesses, and governmental agencies from tampering, interference, damage, and unauthorized access to lawfully created computer data and computer systems. The Legislature finds and declares that the proliferation of computer technology has resulted in a concomitant proliferation of computer crime and other forms of unauthorized access to computers, computer systems, and computer data.

The Legislature further finds and declares that protection of the integrity of all types and forms of lawfully created computers, computer systems, and computer data is vital to the protection of the privacy of individuals as well as to the well-being of financial institutions, business concerns, governmental agencies, and others within this state that lawfully utilize those computers, computer systems, and data.

(b)   For the purposes of this section, the following terms have the following meaning:

(1) "Access" means to gain entry to, instruct, or communicate with the logical, arithmetical, or memory function resources of a computer, computer system, or computer network.

(2) "Computer network" means any system which provides communications between one or more computer systems and input/output devices including, but not limited to, display terminals and printers connected by telecommunications facilities.

(3) "Computer program or software" means a set of instructions or statements, and related data, that when executed in actual or modified form, cause a computer, computer system, or computer network to perform specified functions.

(4) "Computer services" includes, but is not limited to, computer time, data processing, or storage functions, or other uses of a computer, computer system, or computer network.

(5) "Computer system" means a device or collection of devices, including support devices and excluding calculators which are not programmable and capable of being used in conjunction with external files, one or more of which contain computer programs, electronic instructions, input data, and output data, that performs functions including, but not limited to logic, arithmetic, data storage and retrieval, communication, and control.

(6) "Data" means a representation of information, knowledge, facts, concepts, computer software, computer programs or instructions. Data may be in any form, in storage media, or as stored in the memory of the computer or in transit or presented on a display device.

(7) "Supporting documentation" includes, but is not limited to, all information, in any form, pertaining to the design, construction, classification, implementation, use, or modification of a computer, computer system, computer network, computer program, or computer software, which information is not generally available to the public and is necessary for the operation of a computer, computer system, computer network, computer program, or computer software.

(8) "Injury" means any alteration, deletion, damage, or destruction of a computer, computer system, computer network, computer program, or data caused by the access.

(9) "Victim expenditure" means any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer, computer system, computer network, computer program, or data was or was not altered, deleted, damaged, or destroyed by the access.

(10) "Computer contaminant" means any set of computer instructions that are designed to modify, damage, destroy, record, or transmit information within a computer, computer system, or computer network without the intent or permission of the owner of the information. They include, but are not limited to, a group of computer instructions commonly called viruses or worms, which are self-replicating or self-propagating and are designed to contaminate other computer programs or computer data, or in some other fashion usurp the normal operation of the computer, computer system, or computer network.

(c)   Except as provided in subdivision (h), any person who commits any of the following acts is guilty of a public offense:

(1)  Knowingly accesses and without permission alters, damages, deletes, destroys, or otherwise uses any data, computer, computer system, or computer network in order to either (A) devise or execute any scheme or artifice to defraud, deceive, or extort, or (B) wrongfully control or obtain money, property, or data.

(2)  Knowingly accesses and without permission takes, copies, or makes use of any data from a computer, computer system, or computer network, or takes or copies any supporting documentation, whether existing or residing internal or external to a computer, computer system, or computer network.

(3)  Knowingly and without permission uses or causes to be used computer services.

(4)  Knowingly accesses and without permission adds, alters, damages, deletes, or destroys any data, computer software, or computer programs which reside or exist internal or external to a computer, computer system, or computer network.

(5)  Knowingly and without permission disrupts or causes the disruption of computer services or denies or causes the denial of computer services to an authorized user of a computer, computer system, or computer network.

(6)  Knowingly and without permission provides or assists in providing a means of accessing a computer, computer system, or computer network in violation of this section.

(7)  Knowingly and without permission accesses or causes to be accessed any computer, computer system, or computer network.

(8)  Knowingly introduces any computer contaminant into any computer, computer system, or computer network.

(d)  (1) Any person who violates any of the provisions of paragraph (1), (2), (4), or (5) of subdivision (c) is punishable by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(2)  Any person who violates paragraph (3) of subdivision (c) is punishable as follows:

(A) For the first violation which does not result in injury, and where the value of the computer services used does not exceed four hundred dollars ($400), by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(B) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000) or in an injury, or if the value of the computer services used exceeds four hundred dollars ($400), or for any second or subsequent violation, by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(3)  Any person who violates paragraph (6), (7), or (8) of subdivision (c) is punishable as follows:

(A) For a first violation which does not result in injury, an infraction punishable by a fine not exceeding two hundred fifty dollars ($250).

(B) For any violation which results in a victim expenditure in an amount not greater than five thousand dollars ($5,000), or for a second or subsequent violation, by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(C) For any violation which results in a victim expenditure in an amount greater than five thousand dollars ($5,000), by a fine not exceeding ten thousand dollars ($10,000), or by imprisonment in the state prison for 16 months, or two or three years, or by both that fine and imprisonment, or by a fine not exceeding five thousand dollars ($5,000), or by imprisonment in the county jail not exceeding one year, or by both that fine and imprisonment.

(e) (1) In addition to any other civil remedy available, the owner or lessee of the computer, computer system, computer network, computer program, or data may bring a civil action against any person convicted under this section for compensatory damages, including any expenditure reasonably and necessarily incurred by the owner or lessee to verify that a computer system, computer network, computer program, or data was or was not altered, damaged, or deleted by the access. For the purposes of actions authorized by this subdivision, the conduct of an unemancipated minor shall be imputed to the parent or legal guardian having control or custody of the minor, pursuant to the provisions of Section 1714.1 of the Civil Code.

(2)  In any action brought pursuant to this subdivision the court may award reasonable attorney's fees to a prevailing party.

(3)  A community college, state university, or academic institution accredited in this state is required to include computer-related crimes as a specific violation of college or university student conduct policies and regulations that may subject a student to disciplinary sanctions up to and including dismissal from the academic institution. This paragraph shall not apply to the University of California unless the Board of Regents adopts a resolution to that effect.

(f)  This section shall not be construed to preclude the applicability of any other provision of the criminal law of this state which applies or may apply to any transaction, nor shall it make illegal any employee labor relations activities that are within the scope and protection of state or federal labor laws.

(g)   Any computer, computer system, computer network, or any software or data, owned by the defendant, which is used during the commission of any public offense described in subdivision (c) or any computer, owned by the defendant, which is used as a repository for the storage of software or data illegally obtained in violation of subdivision (c) shall be subject to forfeiture, as specified in Section 502.01.

(h)(1) Subdivision (c) does not apply to any person who accesses his or her employer's computer system, computer network, computer program, or data when acting within the scope of his or her lawful employment.

(2) Paragraph (3) of subdivision (c) does not apply to any employee who accesses or uses his or her employer's computer system, computer network, computer program, or data when acting outside the scope of his or her lawful employment, so long as the employee's activities do not cause an injury, as defined in paragraph (8) of subdivision (b), to the employer or another, or so long as the value of supplies and computer services, as defined in paragraph (4) of subdivision (b), which are used do not exceed an accumulated total of one hundred dollars ($100).

(i)   No activity exempted from prosecution under paragraph (2) of subdivision (h) which incidentally violates paragraph (2), (4), or (1) of subdivision (c) shall be prosecuted under those paragraphs.

(j)    For purposes of bringing a civil or a criminal action under this section, a person who causes, by any means, the access of a computer, computer system, or computer network in one jurisdiction from another jurisdiction is deemed to have personally accessed the computer, computer system, or computer network in each jurisdiction.

(k)   In determining the terms and conditions applicable to a person convicted of a violation of this section the court shall consider the following:

(1)  The court shall consider prohibitions on access to and use of computers.

(2)  Except as otherwise required by law, the court shall consider alternate sentencing, including community service, if the defendant shows remorse and recognition of the wrongdoing, and an inclination not to repeat the offense.

Added Stats 1987 ch 1499 sec 3. Amended Stats 1989 ch 1076 sec 1, ch 1110 sec 1, ch 1357 sec 1.3.
