The University of Memphis

Security and Protection of Electronic Information Resources



POLICIES

Issued: January 25, 2008
Responsible Official: Vice President for Information Technology
Responsible Office: Information Technology Division

Policy Statement



The University of Memphis (U of M) has established and maintains an array of information technology resources (e.g., software and systems, networks, servers, PCs, printers and other devices) collectively known as the University of Memphis IT Commons. This IT Commons exists to serve the needs of the faculty, staff, and students at the U of M. The U of M communication networks are a critical component of the IT Commons.

Access to U of M technology resources is a privilege, not a guarantee, and may be revoked at any time for violation of acceptable use (see policy UM1535).

The University requires that all equipment that attaches to the U of M network meets certain minimum standards to assure the operational integrity and security of the U of M IT Commons.

Each member of the campus community is responsible for the security and protection of electronic information resources over which he or she has control or use.   Resources to be protected include networks, computers, software, and data.  The physical and logical integrity of these resources must be protected against threats such as unauthorized intrusions, malicious misuse, or inadvertent compromise.  Activities outsourced to off-campus entities must comply with the same security requirements as in-house activities.



Purpose


 

To define standards for the security and protection of university electronic information resources, as well as to define security action processes during a state of emergency.



Procedures


Detection and Prevention

The Information Technology Division (ITD) is responsible for operating and managing campus communications networks as a campus resource available to all members of the campus community. ITD is authorized to monitor network activity and usage as necessary to detect potential network abuse or threats to the availability or integrity of campus information resources. Upon detecting a security breach, ITD, in consultation with the Office of Legal Counsel, shall exercise due diligence in the timely investigation of suspected security incidents and promptly communicate with Local Support Providers (LSPs) and other campus users regarding actions that may be required to protect campus information resources.

To prevent security breaches, LSPs have an ongoing responsibility:
  • to work closely with ITD staff to securely and consistently maintain and support the IT Commons.
  • to be knowledgeable of relevant security threats and remediation strategies.
  • to analyze potential or actual threats to their business units.
  • to put in place security measures that protect their business units.
  • to provide recommendations to appropriate ITD officials.

Response to Threats to the IT Commons

The Vice President/Chief Information Officer (VP/CIO), or designee, in consultation with the Office of Legal Counsel, has the authority to limit and/or suspend network privileges of individuals or systems to halt any activities that adversely disrupt network services or that create security incidents as defined by relevant laws and University policy.  This authority includes temporary isolation of systems or devices from the network and revocation of network privileges of individuals without advance notice. 

The VP/CIO has the authority to evaluate the seriousness and immediacy of any threat to campus information system resources or the Internet and to take necessary action to mitigate that threat.  Actions taken will be responsible and prudent based on the risk associated with that threat and the potential negative impact to the campus IT Commons.


IT State of Emergency

In the event of an actual attack on the network, or a credible warning of an impending attack, the university's VP/CIO will mobilize all available resources, including LSPs, to counter the attack and/or threat, or to recover from an attack. The VP/CIO will determine if an attack/threat rises to the level of a "state of emergency."  During a declared IT State of Emergency, ITD will provide leadership and supervision for all ITD and LSP personnel until the attack/threat has been eliminated and the network has been restored to normal operations.

Once an IT State of Emergency is declared, and for its duration, the VP/CIO will review the situation with the President and executive staff, and provide regular, periodic briefings on status.

After an IT State of Emergency ceases, the VP/CIO will prepare an impact report for the President and executive staff.


Local Support Provider Responsibilities During a Declared IT State of Emergency

For the duration of any declared IT State of Emergency, all LSPs will report operationally to the VP/CIO.  These actions are critical to ensure the University's IT Commons is protected and restored as quickly as possible to normal operations. 

LSPs will:

  • as directed by ITD, implement security measures to mitigate threats
  • follow the directives of designated ITD staff during the declared state of emergency

ITD will assign campus IT staff resources (LSPs as well as ITD Staff) to priorities of greatest need.  In all cases, ITD will task LSP staff to respond to the needs of their home department/units as quickly as possible.      



FAQs


What are examples of threats serious enough to invoke a Declaration of an IT State of Emergency?
  • Levels of illicit network activity cause serious degradation in the performance of the network.
  • System administrative privileges have been acquired by an unauthorized individual(s).
  • An attack on U of M computers or the network has been launched, or U of M staff has reason to believe such an attack is imminent.
  • Unauthorized capture of confidential, private or proprietary electronic information or communications has been detected.
  • U of M receives external reports of illegal, illicit activities emanating from U of M that are threatening other networks.


Links


University of Memphis Acceptable Use of Information Technology Resources
http://policies.memphis.edu/UM1532.htm

Tennessee Board of Regents Policy on Information Technology
http://www.tbr.edu/policies/default.aspx?id=4862

University of Memphis Crisis Management Planning
http://policies.memphis.edu/UM1532.htm

 


Revision Dates


 UM1566 - Issued: January 25, 2008


Subject Areas:

Academic | Finance | General | Human Resources | Information Technology | Student Affairs
    XX     XX