Information Security Policy

The purpose of this policy is to ensure the protection of Colorado College's information resources from accidental or intentional access or damage while also preserving and nurturing the open, information-sharing requirements of its academic culture. This policy applies to all students, faculty, and staff and to all others granted use of Colorado College information resources. Every user of Colorado College's information resources has a general responsibility to protect those assets, although some offices and individuals have specific responsibilities. This policy refers to all college information resources whether individually controlled or shared, stand-alone or networked. It applies to all computer and communication facilities owned, leased, operated, or contracted by the college. This includes all networked devices, including but not limited to personal digital assistants, cell phones, personal computers, workstations, microcomputers, other wireless devices such as iPads, and any associated peripherals and software, regardless of whether they are used for administration, research, teaching, or other purposes. Today, information technology (IT) permeates all aspects of the college's teaching, learning, research, outreach, business, and facilities functions. Safeguarding information and information systems is essential to preserving the ability of the college to perform its mission and meet its responsibilities to students, faculty, staff, and the citizens it serves. State and federal statutes, rules, regulations, college policies and other explicit agreements also mandate the security of information and information systems. Failure to protect the college's information technology assets could have financial, legal, and ethical consequences. Colorado College acknowledges its obligation to ensure appropriate security for information systems in its domain of ownership and control. In addition, the college recognizes its responsibility to promote security awareness among the members of the Colorado College community. This policy establishes the general principles of information security that will be applied throughout the college.

Responsible Office: Information Technology Services
Responsible Party: Chief Technology Officer / Vice President for Information Technology
Last Revised: April 2023
Approved By: Cabinet
Approval Date: February 2023
Effective Date: May 2023
Last Reviewed: February 2023
Additional References: FERPA, GLBA, HIPAA, PCI/DSS 11.4, Data Classification Policy

Scope

All financial and administrative policies involving community members across campus, including volunteers, are within the scope of this policy. If there is a variance between departmental expectations and the common approach described through college policy, the college will rely on the campus community, including volunteers, to support the spirit and the objectives of college policy. Unless specifically mentioned in a college policy, the college's Board of Trustees is governed by its bylaws.

Policy

Delegated and Retained Authority / Administrative Responsibility

The President of the College delegates administration of the college's Information Security Policy to the Chief Technology Officer / Vice President for Information Technology.

Information Security Objectives

Information security is critical to the interests of the college and the many constituencies it serves. The following list provides some of the objectives of information security at Colorado College. This list is representative and is not meant to suggest the full range of objectives of the college's information security policy or program.

  • Support and maintain the normal operations of the college. As an increasing percentage of the college's functions are handled electronically, coupled with the rigor of the Block Plan, it is critical that information and information systems be protected so the college can operate without interruption.
  • Protect college assets. The college owns many assets, including intellectual property, research and instructional data systems, and physical assets. Loss of these assets could have significant financial impact as well as major negative impact on critical research and instructional programs.
  • Protect the privacy of individuals and data. With the increasing risk of identity fraud and other potential misuses of personal information, it is paramount that the college safeguard personal information entrusted to its stewardship.
  • Protect financial transactions and electronic communications. The college is the custodian of financial records and transactions; safeguarding these records is critical to maintaining trust relationships essential to our business function. Electronic communications are governed by the Acceptable Use Policy.
  • Maintain institutional integrity and reputation. Security breaches reflect negatively on the capability of the college to manage entrusted resources. In addition, security breaches could result in the potential for criminal or civil action.
  • Prevent the use of college systems for malicious acts. The open nature of the college and the desire to provide ease of access to a large and diverse group of constituents makes us a target for unauthorized users to utilize college resources inappropriately. The college must prevent the use of Colorado College systems and infrastructure for malicious acts against its own systems as well as attacks against other individuals and organizations.
  • Comply with state and federal laws. State and federal laws and regulations require the college to take reasonable steps to ensure the security of the data (FERPA, HIPAA, GLBA). Failure to safeguard this information could result in legal action or cause the college to lose its ability to offer services.

Responsibility and Accountability

Chief Technology Officer

The college's Chief Technology Officer (CTO) has overall responsibility for the security of the college's information technologies. Implementation of security policies is delegated throughout the college to various college services, departments and other units, and to individual users of campus information resources.

Information Security Engineer

The Information Security Engineer is responsible for providing interpretation of this and other related policies, disseminating related information, and enforcing information security policies across the campus.

College Services

Various officers within the college have the primary responsibility and authority to ensure Colorado College meets external and internal requirements for intellectual property, research and institutional data, and the privacy and security of confidential and business information. Multiple departments are responsible for general security issues (legal issues, security compliance, physical security, communications, and IT infrastructure security). These individuals or departments are responsible for assisting in the development of college information security policies, standards, and best practices within their areas of responsibility. They are also responsible for advising departments and individuals in security practices related to the areas they oversee, as follows:

  • Personnel information and confidentiality - Human Resources
  • Student information and confidentiality - Registrar's Office
  • Financial information and transactions - Finance and Administration
  • Financial aid information - Financial Aid
  • Perkins Loan information - Student Accounts
  • Infrastructure, communications, and systems security and auditing - ITS
  • Legal issues - Finance and Administration division for engaging legal counsel services
  • Health information - Student Life
  • Alumni, parent, and donor information - Advancement Office
  • Other information - Information Security Officer

Departments and Other Units

Departments and other units are responsible for the security of any information they create, manage, or store, and for any information they acquire or access from other college systems (i.e. student records, personnel records, business data).

Note: The security of applications and data administered by departments and individuals outside of the ITS Division is the responsibility of the administering department. ITS staff will provide advice and support for implementing security measures when requested.

Data Management

Data Access

Students, faculty, and staff who use personally-owned systems to access college resources are responsible for the security of their personally-owned computers and other network devices and are subject to the following: the provisions of the college's security policies, standards and guidelines for best practices for users of college computing and network facilities, as well as all other laws, regulations, or policies directed at individual users.

(1) Unauthorized Account or System Access

  • You may not access or use, or attempt to access or use, any computer accounts other than your own assigned account or any computer system for which you have not been granted access. In other words, users may only use their own files, those designated as public, or those that have been made available to them with the knowledge and consent of the owner. The College's Academic Honor System and its prohibitions against plagiarism and cheating, among other things, applies to student use of any files and information obtained on CC's computing resources used in the preparation of academic coursework.
  • Users may not access computers, software, data or information, or networks without proper authorization, regardless of whether any damage occurs or whether the computer, software, data, information, or network is owned by the college.

(2) Campus community members all share in the commitment to safeguarding the college's data. The college will rely on the principle of 'least privilege' in granting access to data and information.

  • Initial access to data and information must be authorized by the appropriate Data Steward;
  • The access needs of campus community members may change because of a new position, a change in the responsibilities of an existing position, or termination. Human Resources and ITS shall collaborate to ensure the appropriateness of ongoing access;
  • Privileged user (system administrator, database administrator) access to data shall be periodically reviewed to ensure that access to data remains appropriate;
  • At times, the campus community needs to provide external individuals or groups (auditors, contractors, vendors) with access. In these situations, an access start date and an access termination date shall be identified at the same time. Should access be needed beyond the termination date, the Data Steward or designee who initially approved the access should be consulted.

Operational Controls Providing Effective Security

The college controls internal access by segregating the entities that gain access, approve access, and provision access. When an entity separates from the college, its access is removed.

Reporting Information Security Incidents

Reporting incidents is an ethical responsibility of all members of the Colorado College community. All information related to information security incidents should be reported promptly to the ITS Division by contacting the Help Desk.

Loss of Computing Privileges / Disciplinary Implications

Protecting the security of college information and information systems is the responsibility of every member of the college community. Every student, faculty member, and staff member is responsible for understanding and complying with all current and future approved IT policies and procedures, including this Information Security Policy. Failure to comply with these policies may result in loss of computing privileges and/or disciplinary action, up to and including termination. Examples of non-compliance include, but are not limited to:

  • Inappropriately accessing and/or using college data;
  • Storing or using programs on college-owned systems that violate or hamper another person's use of computing resources. Examples of such programs are ones that attempt to obtain another user's password, obtain other users' files, circumvent system security measures, or crash the computer system.

Education

Creating a heightened awareness of the importance of 信息 technology security is an important component in establishing an environment in which each individual feels responsible and empowered to act in their own and the community’s best interests. All departments will provide opportunities for individuals to learn about their roles in creating a secure IT environment.

Procedures

None

Definitions

Security - A state free from unacceptable risk. Information security therefore focuses on reducing the risk that computing systems, communication systems, and information are misused, destroyed, or improperly modified or disclosed, whether intentionally or accidentally.

Stand-alone - A computer not connected to a network.

Network resources - Data, information and hardware devices that can be accessed by a group of users through the use of a shared connection.

Data Stewards - Data stewards are administrators with direct operational responsibility for one or more types of institutional data and have been designated by the data trustees. They determine data access within their administrative units.

Data Classification Levels - See the college's Data Classification Policy for classification level definitions, as well as specific roles and responsibilities.

Data Integrity - The accuracy and consistency of stored data, indicated by an absence of any variance in data between two updates of a data record.

Data Trustees - Cabinet members or their senior-level designees who have policy-making and planning responsibilities for data. They designate data stewards and assign data management roles for their units and set priorities for external reporting for their academic or administrative units.

Least Privilege - User access is limited to only those resources needed to perform work for the college.

Intrusion Prevention - The process of performing intrusion detection and attempting to stop detected possible incidents.

Intrusion Detection - The process of monitoring computer systems or networks for unusual events and analyzing them to determine whether an incident has occurred.

Encryption - The use of an algorithm to transform data into a form where the content is masked and can only be viewed by those having a key or other confidential means to reveal the data.

Last updated: 04/17/2023