ACES/Ag Computer Management and Security Policy

Approved November 1, 2004

Memo from COA/AAES Dean/Director concerning Computer Management and Security Policy

Memo from Extension Director concerning Computer Management and Security Policy

As the principal IT support provider for the ACES/Ag network, the Computer Technology Unit (CTU) is charged with managing and securing IT resources within the AU College of Agriculture, the Alabama Cooperative Extension System, and the Alabama Agricultural Experiment Station. To carry out this responsibility, CTU has established standards and procedures for computer and network management based upon emerging standards from the AU Office of Information Technology (OIT) as well as existing campus-wide policies.

Definitions

Computers: Desktop and laptop/notebook PCs, Macintosh computers, or other computers that are owned by AU or ACES and are assigned to an individual user or departmental workgroup.

Computer Resource Management System: A system that provides for centralized management of computers, including standardized and customized configurations, security, authentication, and shared resources. Currently, AU and ACES/Ag use Microsoft’s Active Directory Services package for Windows-based computers.

Operating System: The basic software that runs a computer. Most Intel-based PCs run a version of Microsoft Windows, while Macintosh computers run a version of Mac-OS.

Peer-to-peer File-sharing Software: Programs that are commonly used to share copyrighted works, such as music or movie files. Examples include Kazaa, Gnutella, BitTorrent, and WinMX.

Server software: Programs that provide multi-user services or login access. Examples include telnet servers such as telnetd, file transfer servers such as ftpd, web servers such as Microsoft Internet Information Services (IIS), and database servers such as MySQL.

Objectives

This policy provides for the following objectives:

Efficient computer management by CTU and OIT via standardized operating systems and configurations;
Security of computers and data via automated operating system updates and patches;
Security of computers and data via authenticated logins;
Security of computers and data by reducing the inherent risk server programs create on both the hosting computer and the campus network in general;
Secure file-sharing between computers;
Convenient availability of shared printer resources and approved, site-licensed software.

Policy

All capable ACES/Ag computer devices will participate in AU’s system for computer resource management (currently Microsoft Active Directory).
Computers that are not capable of participating in AU’s computer resource management system must be configured to automatically download and install operating system (e.g. Microsoft Windows) critical updates and security patches.
Computers running the Microsoft Windows operating system must run an approved version. At the time of this policy, approved versions include Windows 95, 98, 2000, XP Professional, and 2003. Neither Windows ME nor XP Home is supported on the AU or ACES/Ag network. Computers running unsupported operating systems must be upgraded to supported versions.
Individuals will not install or use programs that interfere or conflict with the operation of the computer resource management system or other required software such as virus protection. Programs that may interfere or conflict include personal firewalls, non-approved virus protection, some add-on screensavers that are not part of the standard operating system, and others. Programs may be approved by CTU and OIT on a case-by-case basis.
Server programs will be run only on computers that are specifically placed in a server role dedicated to providing multi-user services and managed or supervised by a qualified information technology specialist. Exceptions may be approved by CTU and OIT on a case-by-case basis.
The installation or use of peer-to-peer (P2P) file-sharing software is expressly forbidden. Apart from placing the user and Auburn University at risk of a lawsuit for illegally sharing copyrighted works, such programs are also notorious for degrading overall network performance.
The sharing of personal AU or ACES/Ag computer accounts is expressly forbidden. Personal passwords are not to be shared with co-workers, friends, family members, etc.
Other AU Information Technology policies related to management and security will be followed. These include the Appropriate Use Policy, the Virus Protection Policy, and the Wireless Networking Policy.

Compliance

The Computer Technology Unit is responsible for responding to situations of non-compliance with this policy. While CTU does not and will not routinely monitor individuals’ network activity, network connections may be subject to monitoring, with cause, for security, legal, or troubleshooting purposes. This may include monitoring for bandwidth usage, security related incidents, or a request from legal/law enforcement authorities. In addition, OIT and CTU reserve the right to scan ACES/Ag systems to assist in identifying and protecting against exploitable security vulnerabilities (e.g., viruses or unpatched systems) in efforts to preserve network integrity. Information gathered in such scans will be used only for the explicit purpose of monitoring ACES/Ag network security.

When an individual or a computer is found to be in violation of this policy, CTU will notify the individual or computer assignee and his or her supervisor to correct the problem. If the problem is resolved by the individual, the matter is over. If corrective action is not taken by the individual within a reasonable timeframe, CTU will then notify the supervisor who will initiate the appropriate disciplinary action policy. CTU and OIT have the responsibility to disconnect from the network any non-compliant computer known to be posing a threat to other computers or the ACES/Ag network. Such a disconnection is an emergency action. CTU will work with the individual to resolve the problem and reconnect the computer to the network.