Security Policy

Introduction

Policy Statement

The Rice University Information Security Policy describes the role of information security in supporting the academic mission of the university through the recognition of the growing importance of securing electronic resources.  Protecting and preserving these resources and complying with applicable laws and regulations are common, shared responsibilities for all members of the Rice community.

Scope

The policy applies to anyone using Rice University information technology resources, including, but not limited to, students, faculty, staff, visitors, and guests.

Principles and Philosophies

The Information Technology Advisory Committee (ITAC) developed the following principles for the Information Security Policy:

  • Protection of Shared Institutional IT Resources
    • Develop reasonable mechanisms to protect Rice University’s shared resources while protecting individual resources and providing for intellectual freedom.
    • Develop levels of responsibility based upon risk generated by resource access.
  • Academic and Intellectual Freedom
    • Ensure and facilitate access to and use of information and information resources in a manner consistent with the security of shared resources.
    • Prevent unauthorized access or modification to information and information resources, such as intellectual property.
  • Access and Confidentiality
    • Specify users’ expectations regarding access:
      • IT staff will not read user-controlled data without direction from appropriate University officials.
      • IT staff will not modify individually-managed computer systems without permission from the user or direction from appropriate University officials.
    • Provide IT services to users in a manner that accords confidential treatment to the information and intellectual property of the users.
  • Trust, Ethics and Integrity
    • Design, create and maintain systems that are trustworthy from both internal and external perspectives.
    • Require high ethical standards and integrity of those who maintain IT systems or who have access to confidential and sensitive information.
    • Maintain proper export control policies and procedures.

Related Information

Web Information and Location

IT Security Office Website
            http://www.rice.edu/it/security/

The related policies and procedures are located on the Information Security Office’s website:
            http://www.rice.edu/it/security/

This document is available online here:
            http://www.rice.edu/vpit//pdf/Security.pdf

Related Policies and Procedures

Sub-policies and related guidelines and procedures are located here:

Sub-Policies
Appropriate Use of Computing Resources Policy
            http://www.rice.edu/vpit/aup.html
Network Policy
            http://www.rice.edu/vpit/policy.html
Systems Policy
            http://www.rice.edu/it/vpit/syspol.pdf
Account Policy
            http://www.rice.edu/vpit/policy.html

Procedures and Guidelines
Reporting Computer Security Incidents
            http://www.rice.edu/it/resources/security/report.html
Safely Disposing of Rice Computing Devices
            http://www.rice.edu/it/security/disposal.html
Quarantine Process
            http://www.rice.edu/vpit/quarantine.html

Contacts

Vice Provost for Information Technology
Kamran Khan
713.348.3500
kamran@rice.edu

Information Technology Security Officer
Marc Scarborough
713.348.5735
marcs@rice.edu

Definitions

IT Resource

IT Resources are the devices involved in sharing and accessing electronic resources.  This includes, but is not limited to, computers (desktops, laptops, servers), PDAs (Palms, PocketPCs), networking devices (routers, switches) and printers.

User

A user is anyone who uses an IT Resource.

IT Support Provider

IT Support Providers are groups or individuals responsible for the installation, maintenance, and operation of IT Resources.  This includes positions such as Systems Administrators, Support Specialists, Network Operators, and others that have similar responsibilities.

Users who manage their IT Resources independently also share in IT Support Provider responsibilities.

Manager

Managers have management or supervisory responsibility, including Deans, Department Chairs, Directors, Managers, and Supervisors, as well as others with similar responsibility.

Collaboration Teams

Collaboration teams are groups created and maintained for the purpose of providing guidance and assistance to the Information Security Office.  These include the Information Technology Advisory Committee (ITAC), the different Computer Incident Response Teams (CIRTs), and the various Policies and Procedures Development Groups.

Roles and Responsibilities

User

Policies and Procedures

All Users are expected to be familiar with and follow University policies, guidelines and procedures related to information and network security.

Other groups on campus, many at the department level, have group-specific policies and guidelines.  If these exist, the Users in those groups are also expected to be familiar with and follow them as well.

University policies, procedures and guidelines are posted on the Information Technology Security Office website:

http://www.rice.edu/it/vpit/policy.html

Data Protection

All Users are responsible for the protection of confidential and other University-related information entrusted to them.  Users are therefore to keep such information secure by working with IT Support Providers to physically secure the systems that house this information, by using appropriately complex passwords on systems that store the information, and by using encryption to transmit the information when it is available.

When systems change ownership, either through disposal or transfer, Users or their designates are expected to ensure that data entrusted to them is removed from the system before the change of ownership.

More information on passwords, encryption and data removal is available in the Policies and Procedures section of the Information Security website:

http://www.rice.edu/it/resources/security

System Protection

Working with IT Support Providers, all Users are responsible for using systems that are secure, currently supported by the software vendor and, when available, have active anti-malware (virus scan, anti-spyware, etc.) software installed.  Users are also expected to apply system and anti-malware updates in a timely manner when they become available, to minimize the risk of compromise or infection.

These same expectations apply to systems connecting to IT Resources remotely, such as home computers and computers from non-Rice locations.

Computer Security Incidents

Users are to report suspected computer security incidents, such as evidence of “hacking” and other forms of compromise, to the proper IT Support Provider immediately.

Self Administrators

Users that administer their own systems, that is, Users solely responsible for the maintenance and support for IT Resources independently of the Information Technology Division, have IT Support Provider responsibilities as well (see below).

Exceptions

On rare occasions, situations arise that do not allow this policy to be followed.  The User and the IT Support Provider will document these situations as they arise.

IT Support Provider

University IT Support Providers have the same responsibilities as other Users, with the following additions.

Policies and Procedures

In addition to being familiar with and following the University policies, guidelines, and procedures, IT Support Providers are expected to implement these security requirements on the systems for which they are responsible.

IT Support Providers are also expected to work with any groups within their User community to develop, document and implement any other group-specific policies as needed.

IT Support Providers are also responsible for documenting deficiencies when they are found and for informing supported Users when systems are not in compliance.

Data Protection

Because IT Support Providers are responsible for implementing information security on systems across campus, the protection of confidential and other University-related data is extraordinarily important to their role.  IT Support Providers are responsible for working with their User communities to determine the following:

  • Where IT Resources are physically kept;
  • On which IT Resources data is stored;
  • Who is authorized to access this data;
  • How Users should access this data.

IT Support Providers should also work with their User communities to ensure data is removed from systems marked for disposal.

System Protection

IT Support Providers are expected to ensure that systems for which they are responsible are configured with the following in mind:

  • Use appropriate physical security;
  • Use appropriate passwords;
  • Enable security logging for all capable IT Resources;
  • Monitor system logs on servers;
  • Keep periodic auditing and change logs on servers and other critical systems.

Occasionally, limited exceptions to the policies and procedures are necessary.  The IT Support Provider is expected to document these exceptions and to maintain the security of the affected systems as well as possible.

Information Technology Code of Ethics

Everyone acting in an IT Support Provider role is also responsible for maintaining and protecting the confidentiality of data as defined by the IT Code of Ethics.  Specifically, IT Support Providers will not, without authorization from an appropriate University official or direction from a University policy or guideline, use elevated systems administrator privileges to willfully access data to which they would not otherwise have access.

Security Feedback and Participation

A successful implementation of a campus information security program depends on feedback and participation from those providing information technology services.

Those providing these services are expected to actively participate in the process of defining other IT policies, procedures and guidelines.

Computer Security Incidents

IT Support Providers are expected to report computer security incidents to the IT Security Office immediately, as any computer security incident potentially affects many others on campus.

Managers and Supervisors

Members of University management have the same responsibilities as other Users, with the following additions.

Policies and Procedures

Some groups or departments have special information security needs, such as more limited access or tighter physical security.  If this is the case, the management of that group or department should work with the appropriate IT Support Provider or the IT Security Office to develop, document and implement these policies.

These policies should reflect the nature and goal of existing University policies and procedures.

User Awareness and Training

Working with the IT Security Office, management should participate in user awareness and training programs to ensure that the Users they manage have read and understand the policies and procedures that apply to them.

This is especially critical for new or transferring staff.

Computer Security Incidents

Management is to report suspected computer security incidents, such as evidence of “hacking” and other forms of compromise, to the proper IT Support Provider immediately.

Information Technology Security Office (ITSO)

Policies and Procedures

Working with representative groups on campus, the ITSO develops, implements and reviews University-wide information security policies, procedures, and guidelines.

User Awareness and Training

The IT Security Officer is to implement a University-wide security program, including policy, procedure and best practice development, user education and training and ongoing network and security risk analysis.

Computer Security Incidents

The IT Security Officer will lead investigations and reporting of information security incidents, acting as the point of contact when working with other University groups.

Working Groups

ITAC Security Sub-Committee

ITAC is an advisory group to IT consisting of faculty representatives from the different schools at Rice University.  The Security Sub-Committee works with the ITSO to develop and maintain this and other University information security policies.

ITAC will also help the ITSO in creating training and user awareness programs as appropriate.

Computer Incident Response Team (CIRT)

The Computer Incident Response Team (CIRT) is responsible for the initial investigation of a computer incident on campus.  Members of the CIRT will be called upon as necessary and as available.

The CIRT consists of IT Support Providers in the Systems and Client Services groups and includes Unix, Linux, Windows and Macintosh expertise.

The CIRT is continually trained on new and enhanced forensics and analysis processes and procedures.

Procedures and Practices Development Teams

The Procedures and Practices Development Teams (PPDT) are responsible for the development and documentation of several policies, guidelines and procedures.

Each of the separately defined documents will have review cycles to ensure it remains current.  Members of the PPDTs are occasionally rotated to create a more representative perspective.

Violations

Violations as related to this document are generally considered to be:

  • Any action of malicious intent (breaking into a system, purposefully sending a virus or other piece of malicious software to other computers, etc.);
  • Any action designed to circumvent applied computer security (accessing data to which the User does not have authorized access, disabling system and security logging, etc.);
  • Any action that scans, sniffs or logs systems or networks without authorization from the IT Security Office.

Failing to maintain a secure system (failing to install critical updates, relaxing recommended security measures, etc.), which subsequently puts other Rice Users on the network at risk, may result in loss of network connectivity.

Also, systems that appear to the IT Security Office to be infected or compromised may be disconnected from the network until the system is remedied.  The IT Security Office will attempt to notify the owner or IT Support Provider for the system when it is taken offline.

Enforcement

Violations of this and related policies will be handled according to University disciplinary procedures based on the person or persons responsible for the violation.

Violations of local, state, federal or other laws will be reported to the appropriate, respective authorities.

Other Resources

Review Cycle

This document in its entirety will be reviewed by the Information Technology Executive Committee (ITEC) and the Information Technology Advisory Committee (ITAC) annually.

Other components of this document will be reviewed by IT Collaboration Groups listed above.

Revision History

1.0.0

  • 2005-06-27 Draft document version

1.0.1

  • 2005-08-07 Revision
    • Added information tying the document to the IT Code of Ethics.

1.0.2

  • 2005-08-12 Revision
    • Incorporated recommendations by Barry Ribbeck

1.0.3

  • 2005-10-25 Revision
    • Collapsed Web Location and Web Information sections
    • Collapsed Related Policies and Related Procedures

1.0.4

  • 2005-11-10 Revision
    • Added detail on the sub-policies and procedures
    • Added page numbers

1.0.5

  • 2005-11-15 Final
    • Document moved from Draft to Final