Information Security Standard Practices
Acceptable Use Agreement —
Personal Computer & Network Security Procedures
Personal computing devices, such as PCs, Laptops, PDAs and similar
devices, are vulnerable to incidents that compromise security and
cause the destruction or loss of data, including data stored on the
network, as well as damage to the equipment. The physical loss of a
personal computer is costly, but the loss of computing power and the data
stored on the computer or the network can be disastrous.
This document details procedures to protect your equipment and data. It is the
responsibility of every computer user to know these procedures and implement
|A large portion of Mt. San Antonio College's business is conducted with
personal computing devices. Protection of these devices and the
stored data is of critical importance to the College. These procedures
apply whether the devices are stand-alone or connected to a network such
as a LAN (Local Area Network) or the intranet.
3.0 Choice of Passwords
|The user-chosen passwords employed by access control software packages,
as well as the keys employed by encryption packages, should be at least
eight characters in length unless restricted by the software. These
passwords and keys must be difficult-to-guess. Words in a dictionary,
derivatives of user-IDs, and common character sequences such as '123456'
must not be employed. Likewise, personal details such as spouse's name,
license plate, social security number, and birthday must not be used
unless accompanied by additional unrelated characters.
4.0 Periodic Back-Up
|All sensitive, valuable, or critical information resident on College
computer systems must be backed-up periodically.
Information and Educational Technology (IET)
provides a facility for backing up computers or departmental servers
over the campus network to a secure storage area. No special hardware is
required and the software is provided by IET. Contact the Help Desk to
schedule installation or to request additional information.
All end-users are responsible for making at least one current back-up
copy of sensitive, critical, or valuable files. These separate back-up
copies should be made each time that a significant number of changes are
made. Selected files from back-ups must be restored periodically to
demonstrate the effectiveness of every back-up process. Department
managers must verify that proper back-up procedures are followed.
All college issued computer equipment will have anti-virus software
installed and configured by IET. If you believe that your system does
not have this software installed, contact the help desk for assistance.
Virus definitions will be updated via an automatic process.
Employees must not abort this download process or disable the software.
The virus definition update frequency must be at least weekly.
If employees suspect infection by a virus, they should immediately stop
using the involved computer, and call the IET Help Desk.
6.0 Handling Alerts About Security
Users must report all information security alerts, warnings, and reported
vulnerabilities to firstname.lastname@example.org as soon as possible. IET is the only organizational unit authorized to
determine appropriate action in response to such notices.
Users are discouraged from forwarding these notices to other users as
many of these notices are hoaxes.
7.0 Tools That Compromise System Security
|Unless specifically authorized by IET, employees must not acquire,
possess, trade, or use hardware or software tools that evaluate or
compromise information systems security, Examples of such tools include
those which defeat software copy-protection, discover secret passwords,
identify security vulnerabilities, examine or intercept network traffic
(sniffer) or decrypt encrypted files.
8.0 Configuration Control
IET has a standard list of supported software packages that users can run
on a College owned computing device.
Documentation about the licenses for software obtained by users must be
retained to receive technical support, qualify for upgrade discounts, and
verify the legal validity of the licenses.
Documentation for software purchased and installed by IET is retained by IET.
Employees must obtain permission from a department manager or computing
facilities supervisor before installing software on a College owned
Employees must not permit automatic software installation routines,
such as internet file sharing software, to be run on
College computers unless these routines have first been approved by IET.
Software may be removed without advance notice to the employee if it is
suspected of causing a technical problem.
9.0 Changes to Operating System Configuration
|Employees must not change operating system configurations, upgrade
existing operating systems, or install new operating systems. If such
changes are required contact the IET Help Desk.
10.0 Changes to Hardware
|Computer equipment supplied by the College must not be altered or added
to in any way (e.g., upgraded processor, expanded memory, or extra
circuit boards.) If such changes are required contact the Help Desk.
11.0 Use Of Encryption Programs
|Employees are reminded that electronic mail is not encrypted by default.
If sensitive information must be sent by electronic mail, encryption or
similar technologies to protect the information must be employed. The IET
Help Desk is available to assist with the installation and configuration
of software to protect data transmission.
12.0 Responsibility for Equipment
|Employees are responsible for any computer equipment provided to them.
If the equipment has been damaged, lost, stolen, borrowed, or
is otherwise unavailable for normal business activities, the employee
must promptly inform their department manager. With the exception of
portable machines, computer equipment must not be moved or relocated
without the approval of the involved department manager.
Portable computer users accept liability for the computer plus the
College-supplied software and its repair or replacement through their own
personal property insurance should the computer be lost or stolen or
severely damaged. Where no insurance coverage is applicable, the user
agrees to repay the College the full amount required to replace the lost,
stolen, or damaged computer or to pay for its repair if severly damaged
but repairable. In the event of loss, theft, or severe damage, the
computer will be replaced or repaired at the sole discretion of the
13.0 Transportation of Portable Equipment
|Employees in the possession of portable, laptop, notebook, palmtop,
personal digital assistant, and other transportable computers containing
sensitive information must take reasonable precautions to ensure the
security of the device and the information it contains.
Likewise if sensitive data is to be transported in computer-readable
storage media, reasonable precautions must be made to ensure the security
of the media and the information it contains. (such as magnetic tapes,
floppy disks, or CD-ROM's).
14.0 Equipment Theft
|All computer equipment is marked with visible identification information
which clearly indicates it is College property. Periodic physical
inventories are used to track the movement of computers and related
equipment. Immediately report any equipment theft to Campus Security,
15.0 Positioning Display Screens
|The display screens for all computers used to handle sensitive or
valuable data must be positioned such that the information cannot be
readily viewed through a window, by persons walking in a hallway, or by
persons waiting in reception and related areas. Care should also be taken
to position keyboards so that unauthorized persons cannot readily see
employees enter passwords, encryption keys, and other security related
16.0 Locking Sensitive Information
|When not being used by authorized employees, or when not clearly visible
in an area where authorized persons are working, all hardcopy sensitive
information must be locked in file cabinets, desks, safes, or other
enclosures. Likewise, when not being used, or when not in a clearly visible and
attended area, all computer storage media containing sensitive information must
be locked in similar enclosures.
17.0 Business Use Only
|Mt. San Antonio College computer devices generally should be used only
for College activities. These devices can only be used by authorized
users. Incidental personal use is permissible so long as: (a) it does not
consume more than a trivial amount of system resources, (b) it does not
interfere with productivity, and (c) it does not preempt any College
activity. Mt. San Antonio College computer devices must not be used for
political advocacy efforts, private business activities, or non-College
related charitable fundraising campaigns. Employees are reminded that the
use of College computing devices should never create either the
appearance or the reality of inappropriate use. When a user's
relationship with Mt. San Antonio College comes to an end,
all privileges on College computing devices will also come to
an immediate end.
18.0 Rights to Programs & Materials Developed
|Without a specific written exception, all computer programs and
documentation generated by, or provided by employees for the benefit of
the College are property of the College. All other material developed by
College employees using College computers is considered a 'work for hire'
and is accordingly the property of the College.
This material includes patents, copyrights, and trademarks.
19.0 Copyright Protection
Violations of the rights of any person or entity protected
by a copyright, patent, trademark or similar law, or regulation is strictly
prohibited. Violations include, but are not limited to, the unauthorized
reproduction of any copyrighted material, including but not limited to
software, text, images, audio, and video. Also included are the installations,
distribution or use of 'pirated' software, as well as the display or
distribution of copyrighted materials over computer networks without the
NOTE:The 'fair use' provisions of the copyright
law, section 107 of the U. S. Copyright Law, may permit
the reproduction of copyrighted work for purposes such as 'criticism, comment,
news reporting, teaching (including multiple copies for classroom use)
scholarship or research.'
20.0 Environmental Considerations
|To reduce the damage done by electrical power problems, all computers in
College offices should use surge suppressers. Those computers running
production applications must also have uninterruptible power supplies
(UPSs) approved by IET.
21.0 Static Discharges and Electromagnetic Fields
|Static discharges can be harmful to computers and storage media.
Magnetic storage media such as floppy disks and magnetic tapes must be
kept at least several inches away from electric fields, such as those
generated by magnets and a telephone when it rings.
22.0 Smoking, Eating & Drinking
|Employees are strongly advised not to smoke, eat, or drink when using
desktop or laptop computers. Storage media such as floppy disks are
damaged by the particles in tobacco smoke; food and drink can also
damage electronic equipment such as keyboards.
23.0 Virtual Private Network
|Mt. SAC will provide a Virtual Private Network (VPN) service as one
mechanism for authorized users to access College computing and network
resources from remote locations. All VPN users will authenticate to the
VPN server using their Mt. SAC network account user ID and password.
Any faculty or staff member may request VPN access by contacting the Help
Desk. A Mt. SAC Administrator may request VPN access for a vendor to
enable remote support of internal Mt. SAC systems.
All users of Mt. SAC's VPN service will be required to install and
maintain firewall and virus protection software. Users must apply regular
software updates and follow other standard practices to keep their VPN
client system(s) secure against unauthorized access. Users may not share
their VPN account or password with others. Mt. SAC reserves the right to
audit all VPN client systems, and all communications between VPN client
systems and Mt. SAC's network, for compliance with all applicable