Computer Security Assignment: Design a Security Policy for The University of Technology
The University of Technology
Jamaica
Security Policy
Security Expert
Wayne Jones (0500005), BSCIT 4C
2010
The University of Technology, Jamaica | Computer Security Policy
February 12, 2010
Table of Contents
Disclaimer
Case Study
Introduction
  Security in Distributed Systems
  Cloud Computing Overview
Security Policy
  Overview
  Scope
  Risk Assessment Matrix
  Access Control Policy
Adhering to Legal Procedures
  General Policies
    Orange Book Security Standard
    Complying with the Computer Misuse Act
    Complying with the Data Protection Act
    Complying with the COBIT Standard
    Complying with the BS7799 Standard
    Complying with the ISO 27001 Standard
    Legal Obligations Awareness
    Complying with the Copyright Licensing Legislation
  Specific Policies
    Student Computer Systems
    Staff Computer Systems
References
Author: Wayne Jones (0500005)- BSCIT-4C Page 2 of 24
Disclaimer
Confidentiality of information is mandated by common law, formal statute, explicit
agreement, or convention. Different classes of information warrant different degrees of
confidentiality.
The hardware and software components that constitute the university’s IT assets represent
a sizable monetary investment that must be protected. The same is true for the information
stored in its IT systems, some of which may have taken huge resources to generate, and
some of which can never be reproduced.
The use of university IT assets other than in the manner, and for the purposes, for which
they were intended represents a misallocation of valuable university resources, and
possibly a danger to its reputation or a violation of the law.
Finally, proper functionality of IT systems is required for the efficient operation of the
university. Some systems, such as the HRS, Finance, Student Administration, ISAS, and
Library systems are of paramount importance to the mission of the university. Other
systems (e.g. somebody’s PC) are of less importance.
Case Study
Cloud computing has become extremely popular, but the security of such systems is
likely to pose serious challenges in the years to come. You have been hired to
set up a distributed security policy within the University of Technology where all
system resources will be managed as part of an open public cloud and a private
cloud. To maintain the ubiquity of all these resources within UTECH, you are
hired as the new security personnel within the IS and Audit department with
responsibility for UTECH's cloud security. Highlight all the salient issues of a
security policy that you would have to develop in managing all these resources.
Introduction
Computer security encompasses the safekeeping of information, which is as critical as
any other asset of a business, if not the most important and sensitive asset. Information
security is an effort that comprises security policies, products and technologies, and
procedures.
Software such as firewalls and virus scanners is not enough on its own to protect
information. A set of procedures and systems needs to be applied to effectively deter
unauthorized access to information (Crystal, G. 2010).
Cloud computing is a type of computing that is comparable to grid computing: it relies on
sharing computing resources rather than having local servers or personal devices handle
applications. The goal of cloud computing is to apply traditional supercomputing power
(normally used by military and research facilities) to perform tens of trillions of
computations per second.
To do this, companies engaged in cloud computing network large groups of servers with
specialized connections to spread data-processing chores across them. This shared IT
infrastructure contains large pools of systems that are linked together. Often,
virtualization techniques are used to maximize the power of cloud computing (Veal, B.
2010).
Cloud computing is the convergence of three major trends: virtualization, utility computing
and Software-as-a-Service. Virtualization separates applications from the underlying
infrastructure. Utility computing is the packaging of computer resources and the offering of
the service at a metered price. Software-as-a-Service is software made available on
demand on a subscription basis.
Companies such as IBM, Google and Amazon are pioneering the emergence of this new IT
strategy. Amazon.com launched a subsidiary called Amazon Web Services (AWS) in July
2002 that provides a range of cloud computing services. Google offers a number of web
services such as Picasa, which hosts pictures, Gmail, which stores email, and Google Docs,
which stores documents.
Security in Distributed Systems
The security of information stored on computers is of extremely high priority for
large organizations such as The University of Technology, Jamaica. In protecting
information from unauthorized access, especially in a scenario such as this where we
intend to practise cloud computing, the Confidentiality, Integrity and Availability (CIA
triad) of information has to be preserved.
Modern distributed systems contain a large number of objects, and must be capable
of evolving, without shutting down the complete system, to cater for changing
requirements. There is a need for distributed, automated management agents whose
behaviour also has to change dynamically to reflect the evolution of the system being
managed. Policies are a means of specifying and influencing management behaviour within a
distributed system without coding the behaviour into the manager agents (Lupu, E. 1999).
According to Lupu (Lupu, E. 1999), new components and services are added to or removed
from the system dynamically, thus changing the requirements of the management system
over a potentially long lifetime. There has been considerable interest recently in
policy-based management for distributed systems (Sloman 1994a; DSOM 1994; Magee 1996;
Koch 1996).
Cloud Computing Overview
Open Cirrus is a cloud-computing research platform for experimentation designed to
support research into design, provisioning, and management of services of an open source
cloud computing infrastructure on a global, multi-datacenter scale. “It is a collaboration
between HP, Intel, Yahoo!, and a number of academic institutions” (Jones, E. 2009).
According to Campbell, R (2009):
"Pay-as-you-go utility computing services by companies such as Amazon, and new
initiatives by Google, IBM, and NSF, have begun to provide applications researchers in
areas such as machine learning and scientific computing with access to large scale cluster
resources. However, system researchers, who are developing the techniques and software
infrastructure to support cloud computing, still find it difficult to obtain low-level access to
large scale cluster resources."
That difficulty gave rise to the Open Cirrus project. While the researchers of the Open
Cirrus project work on developing wide-scale cloud computing systems, pioneers such as
Google have already made the basic concepts of cloud computing available.
The idea of cloud computing certainly isn't a new one: Oracle's Larry Ellison launched the
New Internet Computer (NIC) company back in 2000 to lead the industry forward to that
goal. The concept was very simple. On your desk, you would have a very low-cost computer
with just a processor, a keyboard and a monitor, without any hard drive or CD/DVD drive. It
would be connected to the Internet and would link to a central supercomputer, which
would host all of your programs and files. The idea, however, was ahead of its time. The NIC
sold very poorly, probably due to a dearth of broadband availability in the United States,
which subsequently led to the company folding in 2003 (Pollette, C. 2008).
The potential for cloud computing is compelling. For business, it promises faster access to
technology and better alignment to demand. That offers agility, which can deliver
significant competitive advantage. Cloud computing has the potential to make that extra
computing capacity available in minutes or hours and provide the flexibility to turn it off as
soon as it’s no longer needed without the residual capital asset and operating costs (Smillie,
K. 2010).
The rewards the University of Technology, Jamaica can reap by implementing a
distributed system via cloud computing are endless. The concept of cloud computing is a new
one and people are catching on globally at an alarming rate. Rewards to be earned from
investing in a cloud computing infrastructure include, but are not limited to:
- Reduced cost: cloud technology is paid for incrementally, which would save the university
  money. Money could also be saved on software licensing.
- Increased storage: because data is not stored on individual machines but in the 'cloud',
  the university can store more data than on private computer systems.
- Highly automated: the job of IT personnel keeping software updated would be easier, since
  there would be fewer independent instances of the software.
- More mobility: employees can access information wherever they are, rather than having to
  remain at their desks, which is one of the major underlying reasons for Google and Apple's
  collaboration.
Security Policy
Overview
The purpose of this policy is to secure and protect the information assets owned by The
University of Technology, Jamaica (UTECH). The University of Technology, Jamaica
provides computer devices, networks, and other electronic information systems to meet its
missions, goals, and initiatives. The University of Technology, Jamaica grants access to
these resources as a privilege and must manage them responsibly to maintain the
confidentiality, integrity, and availability of all information assets. This policy specifies the
conditions that wireless/wired infrastructure devices must satisfy to connect to The
University of Technology, Jamaica network. Only those wireless/wired infrastructure
devices that meet the standards specified in this policy are approved to connect to that
network.
Scope
All employees, contractors, consultants, temporary and other workers at The University of
Technology, Jamaica, including all personnel affiliated with third parties that maintain a
wireless/wired infrastructure device on behalf of The University of Technology, Jamaica,
must adhere to this policy. This policy applies to all wireless/wired infrastructure devices
that connect to UTECH's network or reside on a UTECH site and provide wireless/wired
connectivity to endpoint devices including, but not limited to, laptops, cellular phones, and
personal digital assistants (PDAs). This includes any form of wireless communication
device capable of transmitting packet data. The Human Resource Management Department
must approve exceptions to this policy in advance.
The corporate assets that must be protected include:
- Computer and peripheral equipment
- Computing and communications premises
- Power and communications equipment
- Supplies and data storage media
- System computer programs and documentation
- Application computer programs and documentation
- Information
This policy deals with the following domains of security:
- Computer system security: CPU, peripherals, OS. This includes data security.
- Physical security: the premises occupied by personnel and computer equipment (labs, offices, etc.).
- Operational security: power equipment and operational activities.
- Communications security: communications equipment, personnel, transmission paths, and adjacent areas.
Risk Assessment Matrix

Probability of occurrence (columns of the matrix):
  FREQUENT    Likely to occur immediately or in a short period of time; expected to occur frequently
  LIKELY      Quite likely to occur in time
  OCCASIONAL  May occur in time
  SELDOM      Not likely to occur but possible
  UNLIKELY    Unlikely to occur

Severity (rows of the matrix):
  CATASTROPHIC  May result in death
  CRITICAL      May cause severe injury, major property damage, significant financial loss, and/or result in negative publicity for the organization and/or institution
  MARGINAL      May cause minor injury, illness, property damage, financial loss and/or result in negative publicity for the organization and/or the institution
  NEGLIGIBLE    Hazard presents a minimal threat to the safety, health and well-being of participants; trivial

Risk rating (severity against probability of occurrence):

  Severity       FREQUENT  LIKELY  OCCASIONAL  SELDOM  UNLIKELY
  CATASTROPHIC   E         E       H           H       M
  CRITICAL       E         H       H           M       L
  MARGINAL       H         M       M           L       L
  NEGLIGIBLE     M         L       L           L       L

Risk definitions
Many events, without proper planning, can have unreasonable levels of risk. However, by applying risk management strategies, you can reduce the risk to an acceptable level.
  E  Extremely High Risk: activities in this category contain unacceptable levels of risk, including catastrophic and critical injuries that are highly likely to occur. Organizations should consider whether they should eliminate or modify activities that still have an "E" rating after applying all reasonable risk management strategies.
  H  High Risk: activities in this category contain potentially serious risks that are likely to occur. Application of proactive risk management strategies to reduce the risk is advised. Organizations should consider ways to modify or eliminate unacceptable risks.
  M  Moderate Risk: activities in this category contain some level of risk that is unlikely to occur. Organizations should consider what can be done to manage the risk to prevent any negative outcomes.
  L  Low Risk: activities in this category contain minimal risk and are unlikely to occur. Organizations can proceed with these activities as planned.
Threat Assessment

For each asset and threat agent/event, the table records the class of threat, likelihood and consequence of occurrence, impact (injury), exposure rating, existing safeguards, vulnerabilities, risk, proposed safeguards, projected risk, and the expectation of effectiveness of the proposed safeguards.

1. Asset: Furniture. Agent/event: Natural disaster
   Class of threat: Destruction, removal, interruption
   Likelihood of occurrence: Medium
   Consequence of occurrence: Inconvenience to employees
   Impact (injury): Very low
   Exposure rating: L
   Existing safeguards: None
   Vulnerabilities: Floods, fires and other such disasters are not protected against
   Risk: 2
   Proposed safeguards: Security guard
   Projected risk: L
   Expectation of effectiveness of proposed safeguards: Completely satisfactory

2. Asset: Furniture. Agent/event: Stolen
   Class of threat: Destruction, removal, interruption
   Likelihood of occurrence: Very low
   Consequence of occurrence: Inconvenience to employees
   Impact (injury): Very low
   Exposure rating: L
   Existing safeguards: None
   Vulnerabilities: Floods, fires and other such disasters are not protected against
   Risk: 2
   Proposed safeguards: Security guard
   Projected risk: L
   Expectation of effectiveness of proposed safeguards: Completely satisfactory

3. Asset: Hardware. Agent/event: Natural disaster
   Class of threat: Destruction, removal, interruption
   Likelihood of occurrence: Medium
   Consequence of occurrence: Loss of valuable data and equipment
   Impact (injury): Critical
   Exposure rating: E
   Existing safeguards: None
   Vulnerabilities: Use of any mechanism to bypass swipe card access; walking out of the building with small equipment such as
   Risk: 3
   Proposed safeguards: Insurance / backup
   Projected risk: M
   Expectation of effectiveness of proposed safeguards: Satisfactory

4. Asset: Hardware. Agent/event: Stolen
   Class of threat: Destruction, removal, interruption
   Likelihood of occurrence: Low
   Consequence of occurrence: Loss of valuable data and equipment
   Impact (injury): Critical
   Exposure rating: E
   Existing safeguards: Guardsman Security
   Vulnerabilities: Use of any mechanism to bypass swipe card access; walking out of the building with small equipment such as
   Risk: 4
   Proposed safeguards: Insurance / backup
   Projected risk: M
   Expectation of effectiveness of proposed safeguards: Satisfactory

5. Asset: Network. Agent/event: Hacked
   Class of threat: Modification, destruction, removal
   Likelihood of occurrence: Medium
   Consequence of occurrence: Competitors gaining advantage. Loss of customers because of credit card info being used. Hacker may steal passwords and thus gain free internet access, hence loss of revenue
   Impact (injury): High
   Exposure rating: E
   Existing safeguards: Putting Technical Support on a different network from the Main Servers. Using FreeBSD for operating main
   Vulnerabilities: Use of FreeBSD doesn't guarantee that no one will hack the system
   Risk: 5
   Proposed safeguards: Use of auditing software and honeypots
   Projected risk: M
   Expectation of effectiveness of proposed safeguards: Satisfactory

6. Asset: Employees. Agent/event: Resign
   Class of threat: Interruption
   Likelihood of occurrence: Medium
   Consequence of occurrence: Loss of productivity as a replacement is recruited and trained
   Impact (injury): Low
   Exposure rating: M
   Existing safeguards: None
   Vulnerabilities: Employees may choose to resign without notice
   Risk: 5
   Proposed safeguards: Contractual requirement of adequate notice
   Projected risk: M
   Expectation of effectiveness of proposed safeguards: Completely satisfactory

7. Asset: Employees. Agent/event: Giving out important information
   Class of threat: Disclosure
   Likelihood of occurrence: Low
   Consequence of occurrence: Compromise of security if immediate changes of passwords and other sensitive areas are not effected
   Impact (injury): Critical
   Exposure rating: H
   Existing safeguards: None
   Vulnerabilities: Employees that have resigned may disclose sensitive information to third parties
   Risk: 2
   Proposed safeguards: Non-disclosure clause in contract
   Projected risk: M
   Expectation of effectiveness of proposed safeguards: Completely satisfactory
Access Control Policy

Personnel                         Hardware     Software               Physical access
Managers                          Full Access  Full Access            Physical access to rooms
Supervisors                       Use Only     No Access              Physical access to rooms
Customer Support Representatives  Use Only     Only Payments section  Physical access to rooms
Lab Tech                          Use Only     Use Only               Physical access to rooms
Network Administrators            Full Access  No Access              Physical access to rooms
Senior Technician                 Full Access  No Access              Physical access to rooms
Accountants                       Use Only     Full Access            Physical access to rooms
Security Guards                   No Access    No Access              Full access to entire facility
Senior Finance Staff              Use Only     Full Access            No access to server room
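The access control table above is only useful if systems actually enforce it. The following is an added illustration, not part of the original policy document or of any UTech system: it encodes the Hardware and Software columns as data, decides every request deny-by-default (an unknown role, asset or action is refused), models "Only Payments section" as use-only access confined to a "payments" scope, and lists the roles holding Full Access to an asset so that the matrix can be reviewed against least privilege. The asset names, action names and scope name are assumptions made for the example.

```python
"""Role/asset access matrix from the policy table, with a deny-by-default
decision function and a least-privilege review helper (added example)."""
from enum import IntEnum


class Level(IntEnum):
    NO_ACCESS = 0
    USE_ONLY = 1
    FULL_ACCESS = 2


# Hardware / Software columns of the policy table, transcribed as data.
# "Only Payments section" is modelled as USE_ONLY restricted to the "payments" scope.
MATRIX = {
    "Managers":                         {"hardware": Level.FULL_ACCESS, "software": Level.FULL_ACCESS},
    "Supervisors":                      {"hardware": Level.USE_ONLY,    "software": Level.NO_ACCESS},
    "Customer Support Representatives": {"hardware": Level.USE_ONLY,    "software": Level.USE_ONLY},
    "Lab Tech":                         {"hardware": Level.USE_ONLY,    "software": Level.USE_ONLY},
    "Network Administrators":           {"hardware": Level.FULL_ACCESS, "software": Level.NO_ACCESS},
    "Senior Technician":                {"hardware": Level.FULL_ACCESS, "software": Level.NO_ACCESS},
    "Accountants":                      {"hardware": Level.USE_ONLY,    "software": Level.FULL_ACCESS},
    "Security Guards":                  {"hardware": Level.NO_ACCESS,   "software": Level.NO_ACCESS},
    "Senior Finance Staff":             {"hardware": Level.USE_ONLY,    "software": Level.FULL_ACCESS},
}

# Software scopes a role is confined to; a role absent from this map may use any scope.
SCOPE_RESTRICTIONS = {"Customer Support Representatives": {"payments"}}

# Actions (assumed names) and the minimum access level each one requires.
REQUIRED = {"use": Level.USE_ONLY, "configure": Level.FULL_ACCESS, "install": Level.FULL_ACCESS}


def is_allowed(role, asset, action, scope=None):
    """Deny by default: any unknown role, asset or action is refused."""
    levels = MATRIX.get(role)
    if levels is None or asset not in levels or action not in REQUIRED:
        return False
    if levels[asset] < REQUIRED[action]:
        return False
    allowed_scopes = SCOPE_RESTRICTIONS.get(role)
    if asset == "software" and allowed_scopes is not None and scope not in allowed_scopes:
        return False
    return True


def roles_with_full_access(asset):
    """Roles holding Full Access to an asset: the list to review for least privilege."""
    return sorted(role for role, levels in MATRIX.items() if levels[asset] == Level.FULL_ACCESS)


if __name__ == "__main__":
    print(is_allowed("Managers", "software", "install"))                                  # True
    print(is_allowed("Customer Support Representatives", "software", "use", "grades"))   # False
    print(roles_with_full_access("software"))
```

Because the decision function returns False for anything it does not recognise, adding a new system or role means adding a row to the data, not a special case in code; the review helper makes the set of privileged roles per asset visible at a glance.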
Adhering to Legal Procedures
An employee found to have violated this policy may be subject to disciplinary action, up to
and including termination of employment. A violation of this policy by a temporary worker,
contractor or vendor may result in the termination of their contract or assignment with
The University of Technology, Jamaica, referred to as UTech from here on.
The following legal policy considerations outline the legal issues that govern the operation of
UTech, for incorporation into the security policy. These policies are examined with
specific attention to the systems that the university's distributed system incorporates.
Some general policies and legal procedures govern the entire IT arena as it relates to
computer security; we will classify these as general policies. However, the nature of
distributed systems calls for specific guidelines to secure them, because the traditional
concept of a single security policy for the entire computer system is not practical for a
distributed system. These policies will be classified as specific policies.
General Policies
Orange Book Security Standard:
The University of Technology, Jamaica intends to comply fully with the requirements of the
Orange Book security standard as it affects the immediate business of the university.
The Orange Book, the Department of Defense Trusted Computer System Evaluation Criteria,
was first published in 1983 in the USA and is the benchmark for computer security. Under
it, the Mandatory Security Policy enforces access control rules based directly on an
individual's clearance, their authorization for the information, and the confidentiality level
of the information being sought; other, indirect factors are physical and environmental.
This policy also accurately reflects the laws, general policies and other relevant guidance
from which the rules are derived. The Discretionary Security Policy enforces a consistent
set of rules for controlling and limiting access based on identified individuals who have
been determined to have a need-to-know for the information.
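The two policies described above combine into a single decision: the mandatory check compares the subject's clearance with the object's classification, and the discretionary check consults a need-to-know list. The following is an added illustration, not part of the original document or of any UTech system. It assumes the Bell-LaPadula rules on which the Orange Book's mandatory policy is modelled (a subject may read only objects its clearance dominates, and may write only to objects that dominate its clearance), with a label made of a confidentiality level and a set of compartments; the level names, compartment names, users, objects and ACL are all constructed for the example.

```python
"""Orange Book style decision (added example): a mandatory clearance-versus-
classification check followed by a discretionary need-to-know check."""

# Confidentiality levels in increasing order (constructed names).
LEVELS = {"UNCLASSIFIED": 0, "CONFIDENTIAL": 1, "SECRET": 2}


class Label:
    """A security label: a confidentiality level plus a set of compartments."""

    def __init__(self, level, compartments=()):
        self.level = LEVELS[level]
        self.compartments = frozenset(compartments)

    def dominates(self, other):
        # Lattice order: a higher-or-equal level AND a superset of the other's compartments.
        return self.level >= other.level and self.compartments >= other.compartments


def mac_permits(clearance, label, action):
    """Mandatory check (Bell-LaPadula rules assumed): no read up, no write down."""
    if action == "read":
        return clearance.dominates(label)
    if action == "write":
        return label.dominates(clearance)
    return False  # unknown actions are refused


def dac_permits(user, obj, acl):
    """Discretionary check: the object's ACL must name the user (need-to-know)."""
    return user in acl.get(obj, frozenset())


def decide(user, clearance, obj, label, action, acl):
    """Both policies must agree; either one alone can deny."""
    return mac_permits(clearance, label, action) and dac_permits(user, obj, acl)


# Constructed objects, clearances and ACL for the example.
OBJECTS = {
    "student_records": Label("CONFIDENTIAL"),
    "finance_ledger": Label("SECRET", {"FINANCE"}),
}
ACL = {
    "student_records": {"registrar", "dean"},
    "finance_ledger": {"bursar"},
}
USERS = {
    "registrar": Label("SECRET", {"FINANCE"}),
    "dean": Label("CONFIDENTIAL"),
    "bursar": Label("SECRET", {"FINANCE"}),
    "clerk": Label("SECRET", {"FINANCE"}),  # cleared, but not on any ACL
}


def can(user, obj, action):
    """Convenience wrapper over the constructed tables."""
    return decide(user, USERS[user], obj, OBJECTS[obj], action, ACL)


if __name__ == "__main__":
    print(can("registrar", "student_records", "read"))   # True: cleared and on the ACL
    print(can("dean", "finance_ledger", "read"))         # False: read up refused by MAC
    print(can("clerk", "finance_ledger", "read"))        # False: cleared, but no need-to-know
    print(can("registrar", "student_records", "write"))  # False: write down refused by MAC
```

The clerk case is the one worth noticing: a clearance that dominates the object's label is necessary but not sufficient, exactly as the text separates the mandatory policy from the discretionary need-to-know rule.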
Complying with the Computer Misuse Act:
The University of Technology, Jamaica will implement computer use policies with which all
employees will be required to comply. The HR Manager is responsible for ensuring
that all staff members are fully aware of these policies as they relate to their duties.
The University of Technology, Jamaica provides all employees with computer access and
internet services.
However, employees need to exercise discretion and ensure that they do not engage in
illegal activities while providing support to users. Such activities include, but are not
limited to: viewing pornography, visiting sites promoting illegal computer access
(crack sites), and viewing material advocating terrorism or other sites that threaten
national security. The issue of terrorism is of special importance in light of Jamaica's
conformance to international terrorism prevention legislation. These terrorist acts may
include:
- Unauthorized access: the offender knowingly gains unauthorized access to a computer or
  data.
- Unauthorized access with intent: the offender knowingly gains unauthorized access to a
  computer or data with malicious intent.
- Unauthorized acts with intent to impair: describes cases involving distributed denial of
  service attacks on a computer system or information.
- Making, supplying or obtaining articles: describes cases involving those who produce, for
  example, malicious scripts or software designed to enable modification.
It is therefore imperative that all employees exercise full discretion as regards the use of
UTech's property during or after working hours.
ISO 17799 and BS 7799 references:
12.1.5 Prevention of Misuse of Information Processing Facilities
See the Computer Misuse Act of 1990
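A policy that forbids unauthorized access is only enforceable if attempts are noticed. The following is an added example, not part of the original document or of any UTech system: a small detector run over constructed sshd-style authentication log lines that raises an alert for a source address with many failed logins in a short window, and a separate alert when a success follows a run of failures from the same source (a login that should be reviewed rather than assumed legitimate). The log lines, host name, thresholds and alert names are all constructed for the example.

```python
"""Detection over constructed sshd-style auth log lines (added example):
flags password-guessing bursts and a success that follows such a burst."""
import re
from collections import defaultdict
from datetime import datetime

# Matches "Failed"/"Accepted" password lines; other lines are ignored, not errors.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<outcome>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\S+) port \d+"
)

# Constructed sample: six failures then a success from one source, a benign
# single failure from another, and one unrelated line.
SAMPLE_LOG = """\
Feb 12 09:00:01 utech-gw sshd[2001]: Failed password for invalid user admin from 10.9.8.7 port 40001 ssh2
Feb 12 09:00:03 utech-gw sshd[2002]: Failed password for invalid user admin from 10.9.8.7 port 40002 ssh2
Feb 12 09:00:05 utech-gw sshd[2003]: Failed password for root from 10.9.8.7 port 40003 ssh2
Feb 12 09:00:08 utech-gw sshd[2004]: Failed password for root from 10.9.8.7 port 40004 ssh2
Feb 12 09:00:11 utech-gw sshd[2005]: Failed password for wjones from 10.9.8.7 port 40005 ssh2
Feb 12 09:00:14 utech-gw sshd[2006]: Failed password for wjones from 10.9.8.7 port 40006 ssh2
Feb 12 09:00:20 utech-gw sshd[2007]: Accepted password for wjones from 10.9.8.7 port 40007 ssh2
Feb 12 09:05:00 utech-gw sshd[2010]: Failed password for lab01 from 192.0.2.10 port 51000 ssh2
Feb 12 09:05:04 utech-gw sshd[2011]: Accepted password for lab01 from 192.0.2.10 port 51001 ssh2
Feb 12 09:06:00 utech-gw CRON[2100]: pam_unix(cron:session): session opened for user root
"""


def parse(lines, year=2010):
    """Return (timestamp, source, user, outcome) tuples in time order."""
    events = []
    for line in lines:
        m = LINE_RE.match(line)
        if m:  # syslog timestamps carry no year; the caller supplies it
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["src"], m["user"], m["outcome"]))
    return sorted(events)


def detect(lines, fail_threshold=5, window_s=60):
    """Alerts: ("brute_force", src, count) and ("success_after_failures", src, user)."""
    alerts = []
    by_src = defaultdict(list)
    for ts, src, user, outcome in parse(lines):
        by_src[src].append((ts, user, outcome))
    for src, evs in by_src.items():
        fails = [ts for ts, _, outcome in evs if outcome == "Failed"]
        # Sliding window: report once per source if any window holds >= threshold failures.
        for i in range(len(fails)):
            j = i
            while j < len(fails) and (fails[j] - fails[i]).total_seconds() <= window_s:
                j += 1
            if j - i >= fail_threshold:
                alerts.append(("brute_force", src, j - i))
                break
        # A success preceded by several recent failures from the same source.
        for idx, (ts, user, outcome) in enumerate(evs):
            if outcome == "Accepted":
                recent = [t for t, _, o in evs[:idx]
                          if o == "Failed" and (ts - t).total_seconds() <= 2 * window_s]
                if len(recent) >= 3:
                    alerts.append(("success_after_failures", src, user))
    return alerts


def run_sample():
    return detect(SAMPLE_LOG.splitlines())


if __name__ == "__main__":
    for alert in run_sample():
        print(alert)
```

The second rule matters more than the first: a burst of failures is noise until it ends in an "Accepted", at which point the account named in that line needs a password reset and a look at what the session did.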
Complying with the Data Protection Act:
The University of Technology, Jamaica intends to comply fully with the requirements of
data protection legislation in so far as it affects the immediate business of the university.
This act is a security standard that gives individuals the right to know what information is
held about them, as well as providing a framework to ensure that personal information is
handled properly. This means that anyone who handles personal information must comply
with its principles. It also gives individuals rights over their personal information: the
rights of access, compensation and the prevention of processing. These two aspects of the
act break down as follows:
1. The Act provides individuals with important rights, including the right to find
   out what personal information is held on computer and in most paper records.
2. Anyone who processes personal information must comply with eight principles, which
   ensure that personal information is:
   - fairly and lawfully processed,
   - processed for limited purposes,
   - adequate, relevant and not excessive,
   - accurate and up to date,
   - not kept for longer than is necessary,
   - processed in line with the individual's rights,
   - secure, and
   - not transferred to other countries without adequate protection.
Complying with the COBIT Standard:
The Control Objectives for Information and related Technology (COBIT) "provides good
practices across a domain and process framework and presents activities in a manageable
and logical structure" (IT Governance Institute, 2007). COBIT is the IT governance
framework and supporting tool set that allows IT managers to bridge the gap between
control requirements, technical issues and business risks. It enables clear policy
development and good practice for IT governance in organizations. COBIT 4.1 has 34
high-level processes that cover 210 control objectives; these are broken into four categories:
- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation
The "good practices" of COBIT are "strongly focused more on control, and less on
execution." In other words, COBIT specifies measures for the management, monitoring and
control of technology; the technology used to implement the distributed system must be
monitored and controlled according to COBIT's practices. Implementation of these
practices will "help optimise IT-enabled investments, ensure service delivery and provide a
measure against which to judge when things do go wrong."
Complying with the BS7799 Standard:
The University of Technology, Jamaica intends to comply fully with the requirements of
the BS7799 standard in so far as it affects the immediate business of the university.
BS7799 is based on a comprehensive set of controls comprising best practices in
information security. It is an internationally recognized generic information security
standard covering 10 subject domains, 36 management objectives, 127 controls and 500
detailed controls. It was developed in the UK by the government to promote confidence in
inter-company trading. Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and
Unilever were all contributors to this security standard, which has acquired increasing
international acceptance as the primary de facto industry security standard.
Complying with the ISO 27001 Standard:
The University of Technology, Jamaica intends to comply fully with the requirements of
the ISO 27001 standard in so far as it affects the immediate business of the university.
ISO 27001 is the international standard for an Information Security Management System
(ISMS). In Great Britain it also still has its original designation, BS7799-2. ISO 27001 is the
first in a family of international information security standards that will underpin and
protect IT worldwide over the next decade. It is designed to harmonise with ISO 9001 and
ISO 14001 so that management systems can be effectively integrated. It implements the
Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on
the security of information systems and networks. ISO 27001 can also help create a
framework that helps UK sales and marketing departments comply with the
Telecommunications Regulations 1998 (Data Protection and Privacy). This standard helps
organizations reduce their total information security expenditure while increasing its
effectiveness.
Legal Obligations Awareness
All employees of the organization should be informed and made aware of all the legal
obligations that directly affect them with respect to information assurance, computer
use and misuse, computer data, its usage, handling and protection, and information
systems and services.
"The Human Resource Manager or Senior Personnel Officer of UTech is responsible for
ensuring that all employees are aware of legal obligations that affect computer use,
computer data and information systems. Individuals should be made aware of legal
obligations that the university has to adhere to and be informed of their responsibilities as
regards compliance with these obligations. These requirements should be outlined in
staff documentation such as Terms and Conditions of Employment and Organization Code
of Conduct documents."
Complying with the Copyright Licensing Legislation
"UTech must ensure that all software used on its computers and systems is properly
licensed and is being used in accordance with the license. It is the responsibility of the
Human Resource Manager or Senior Personnel Officer to prepare guidelines for employees
on important aspects of Software Copyright and Licensing Legislation."
Explanation
The university uses Microsoft-based applications, such as the Microsoft Windows operating
system. The Windows operating system licenses are provided with each workstation upon
purchase. An Enterprise License allows one copy of the software to be installed on several
devices and distributed throughout the organization. The same licensing packages are used
for the antivirus and intrusion detection systems. It is imperative that UTech adheres to
the license agreement and also ensures that its use of software is in compliance with the
respective End User License Agreements (EULAs).
ISO 17799 and BS 7799 References
12.1.2 Intellectual Property Rights (IPR)
Copyright Act, 01/09/1993 (Jamaica)
Specific Policies
Student Computer Systems
Security Responsibilities.
The day-to-day managers of student-based systems must:
Be thoroughly familiar with the University IT Security Policy in its entirety.
Ensure compliance to this policy by all of its users.
Report any serious breaches of security to the Head of Security.
Physical Security.
The following standards of physical security for student-based platforms must be
met:
Premises must be physically strong and free from unacceptable risk from
flooding, vibration, dust, etc.
There must not be an inordinate amount of combustible material (e.g. paper)
stored in the same room as the computer system.
Air temperature and humidity must be controlled to within acceptable limits.
Computing equipment should be electrically powered via UPS to provide the
following:
Minimum of 15 minutes’ operation in the event of a power blackout.
Adequate protection from surges and sags.
Trigger an orderly system shutdown when deemed necessary.
Physical Access.
There must be procedures in place to ensure that only authorized staff or
students enter the premises.
User Access.
New userids should be handled as follows:
Students should direct requests to the lab technician.
The applicant must present suitable personal identification.
The new userid and password must be given orally to the applicant; unless
special delivery has been authorized due to special circumstances (e.g. applicant
is overseas).
If the Operating System supports a password aging facility then it should be set
to force password change on the first login.
Fire Detection and Control.
There should be smoke and thermal detectors on the premises.
Under floor areas should have smoke and water detectors.
Staff Computer Systems
General Obligations
Users and custodians of Desktop computers are subject to the "Conditions of Use"
and "Code of Practice" specified in the university’s IT Security Policy.
Hardware Security
Lock offices. Office keys should be registered and monitored to ensure they
are returned when the owner leaves the University.
Secure Desktops in public areas. Equipment located in publicly accessible areas
or rooms that cannot be locked should be fastened down by a cable lock system
or enclosed in a lockable computer equipment unit or case.
Secure hard disks. External hard disks should be secured against access,
tampering, or removal.
Locate computers away from environmental hazards.
Store critical data backup media in fireproof vaults or in another building.
Register all University computers.
Access Security
Utilize password facilities to ensure that only authorized users can access the
system. Where the Desktop is located in an open space or is otherwise difficult to
physically secure then consideration should be given to enhanced password
protection mechanisms and procedures.
Password guidelines:
Avoid words found in the dictionary and include at least one numeric character.
(Six-character passwords may suffice for non-dictionary words.)
Choose passwords not easily guessed by someone acquainted with the user.
(For example, passwords should not be maiden names, or names of children,
spouses, or pets.)
Do not write passwords down anywhere.
Change passwords periodically.
Do not include passwords in any electronic mail message.
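The password guidelines above can be enforced at the point where a lab technician or an account tool sets a new password. The following validator is an added example, not part of the policy text or any UTech system; it checks the three rules that can be tested mechanically (the six-character floor, at least one numeric character, and no dictionary word or personal name). The word list and the personal-name source are constructed stand-ins: a real deployment would load a full dictionary or breached-password list and take the names from the account application form.

```python
# Added example: a policy-as-code check for the password guidelines.
# DICTIONARY is a small constructed stand-in; a production check would load a full
# word list (e.g. the system dictionary) or a list of known-breached passwords.
DICTIONARY = {"password", "welcome", "jamaica", "kingston", "university", "summer"}

MIN_LENGTH = 6  # the policy's six-character floor for non-dictionary words


def password_problems(password, personal_info=()):
    """Return a list of guideline violations for a candidate password.

    An empty list means the password is acceptable under the guidelines.
    personal_info holds names the user is associated with (children, spouse,
    pets, maiden name); any password containing one of them is rejected.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(ch.isdigit() for ch in password):
        problems.append("contains no numeric character")

    lowered = password.lower()
    # Drop digits and punctuation before the dictionary lookup so that a common
    # word with a digit bolted on ("password1") is still caught.
    letters_only = "".join(ch for ch in lowered if ch.isalpha())
    if letters_only in DICTIONARY:
        problems.append("is a dictionary word")

    for name in personal_info:
        candidate = name.strip().lower()
        if candidate and candidate in lowered:
            problems.append(f"contains personal name '{name}'")
    return problems


def is_acceptable(password, personal_info=()):
    """True when the password violates none of the guidelines."""
    return not password_problems(password, personal_info)


if __name__ == "__main__":
    # Constructed sample applicant: spouse "Mary", pet "Rex".
    for pw in ("password1", "Troubador", "abc12", "rex2010", "Trob4dor"):
        print(pw, "->", password_problems(pw, ["Mary", "Rex"]) or "acceptable")
```

Note that the check is deliberately one-sided: it rejects passwords that break a written rule but does not claim that a password passing it is strong. The remaining guidelines (not writing passwords down, periodic change, never sending them by e-mail) are behavioural and have to be enforced by procedure and user awareness rather than by code.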
Data and Software Availability
Back up and store important records and programs on a regular schedule.
Check data and software integrity.
Fix software problems immediately.
Confidential Information.
Encrypt sensitive and confidential information where appropriate.
Monitor printers used to produce sensitive and confidential information.
Overwrite sensitive files on fixed disks, floppy disks, or cartridges.
Software
Software is protected by copyright law. Unauthorized copying is a violation of
University Copyright policy. Anyone who uses software should understand and
comply with the license requirements of the software. The university is subject to
random license audits by software vendors.
Viruses
Computer viruses are self-propagating programs that infect other programs. Viruses
and worms may destroy programs and data as well as consume the computer's memory
and processing power. Viruses, worms, and Trojan horses are of particular concern
in networked and shared-resource environments because the possible damage they
can cause is greatly increased. Some of these cause damage by exploiting holes in
system software. Fixes to infected software should be applied as soon as a problem is
found.
To decrease the risk of viruses and limit their spread:
Check all software before installing it.
Use software tools to detect and remove viruses.
Isolate immediately any contaminated system.
Computer Networks.
Networked computers may require more stringent security than stand-alone
computers because they are access points to computer networks.
While the IT Department has responsibility for setting up and maintaining appropriate
security procedures on the network, each individual is responsible for operating
their own computer with ethical regard for others in the shared environment.
The following considerations and procedures must be emphasized in a network
environment:
Check all files downloaded from the Internet. Avoid downloading shareware
files.
Test all software before it is installed to make sure it doesn't contain a
virus/worm that could have serious consequences for other personal computers
and servers on University networks.
Choose passwords with great care to prevent unauthorized use of files on
networks or other personal computers.
Always BACK-UP your important files.
Use (where appropriate) encrypting/decrypting and authentication services to
send confidential information over a University network.
Never store University passwords or any other confidential data or information
on your laptop or home PC or on associated floppy disks or CDs. All such
information should be secured after any dialup connection to the University
network.