ITS Security Policy

Computing and Network Security Policy

It is the goal of the UNC-Chapel Hill Information Technology Services (ITS) to provide a reasonable and effective level of security for the users of ITS computer and networking systems, and to use reasonable efforts:

1. to protect their data from accidental or deliberate tampering or removal;

2. to prevent access to computer systems, files, and networks by unauthorized individuals or entities;

3. to prevent the use of ITS computing or networking systems to gain unauthorized access to other sites; and

4. to provide recovery mechanisms to minimize damage caused by any such events.

Toward achieving these goals, ITS establishes this policy, which is augmented by various forms needed for account establishment, renewal, project approval, and special access.

I. The Purpose of a Computer and Networking Security Policy for ITS

The purpose of this computer and networking security policy is to describe the efforts of ITS to provide three types of security:

1. Data integrity: ITS will use its best efforts to prevent unauthorized alteration of data.

2. User authentication: ITS will use its best efforts to provide mechanisms to ensure that those who use any of the University's electronic resources and services are accurately identified, when such identification is needed.

3. Information confidentiality: ITS will attempt to ensure that only those authorized by the owner or steward of the information may gain access to the contents of a file or transmission.

Users of ITS systems have a large amount of important and sometimes confidential data that is entrusted to ITS for storage, processing, and retrieval. For anyone to use ITS systems and services for unauthorized purposes, as defined in the documents governing use of these systems and services, is at least inappropriate and a violation of University policy, and may in certain circumstances be illegal. In addition, ITS systems are part of an international network of computers, and consequently must protect other sites from the misuse of our resources to attack their systems.

II. Threats to Computer Security

The complexity of international computer networks and the proliferation of communication devices make the prevention of unauthorized intrusion difficult. ITS policies are intended to minimize the impact of attacks from both inside and outside, and from automated attacks as well as human-directed ones.

III. The Price of Security

But security has a price. In certain situations the price may involve money for special hardware or software. In other cases the costs are measured in user inconvenience and frustration, reduced productivity, and suppression of creativity. The time that computer support staff put into security efforts must be taken into account. All of these costs must be proportional to the value of what is being protected. ITS policies and practices are a compromise that provides reasonable protection from realistic threats without placing onerous burdens upon the owners, operators, and users of computers and networks.

IV. Issues of Confidentiality

Just as with printed documents, the University owns and archives official electronic communications. Otherwise, the University considers static digital files and dynamic digital streams to be private and does not disclose their contents except as directed by University counsel. Information sent to or through another location (e.g., email) is subject to the policies of other institutions, which may or may not consider such information private.

V. User Responsibilities and Rights

The University expects members of the faculty, staff, and student body to become familiar with individual and institutional responsibilities to protect confidential information and with the risks to privacy inherent in digital technologies. Each ITS user is required to agree to the policies and guidelines governing the use of ITS systems before any usage is granted.

VI. File Backups

ITS regularly backs up all disk files on its centrally maintained systems and servers. The exact schedule depends upon the particular system in question, but in all cases the backup procedure provides a complete copy of all files at periodic intervals and a daily incremental copy of changed files (since the last complete backup).

VII. System Administrator Privileges and Responsibilities

ITS staff who have system administrator responsibilities are entrusted with the special privileges they need to monitor and control the operation of computers and networks in their domain. These privileges are limited by the responsibility of ITS system administrators to maintain the privacy and protect the integrity of user files, electronic mail and printer listings.

VIII. Security Contact and Incident Response

ITS Security Services (https://www.unc.edu/security/) is the principal contact for security matters. Other staff may be designated to deal with particular situations. Security incidents or concerns may be reported to any ITS staff member. In the event of a security incident, affected users and connected network sites will be notified, ITS will make every effort to correct the security vulnerability, and data will be restored if possible and necessary.

Disclaimers

The mission of ITS is academic in nature, and as such, computer systems may be less restrictive than they would be in other environments.

ITS will use all reasonable efforts to maintain the safety and security of all electronic data stored in its computer facilities consistent with these policies. Nevertheless, ITS and the University of North Carolina at Chapel Hill will not be responsible for loss of a user's electronic data regardless of the cause of loss.

The policies of Information Technology Services are subject to change as conditions demand.


University of North Carolina - Chapel Hill