GSCIS Information Security Policy

Computer and network security has become an important asset to Nova Southeastern University as viruses, Trojans and other means to compromise the network are growing at a rapid pace. Attacks and security incidents represent a risk to the university’s academic operation. The Graduate School of Computer and Information Sciences (GSCIS) have taken a proactive approach in meeting the security needs of our faculty, staff, students and computer equipment.

To provide a secure academic computing environment, GSCIS has adopted the following Computing and Network Policy.  This policy is set forth for all GSCIS faculty, staff and students to abide by along with all other computer policies set forth by Nova Southeastern University.

1. Overview

• This document is the “School of Computer and Information Sciences (GSCIS) Computing and Network Policy.”
• All GSCIS facility users agree to read and follow all procedures and or policies set for in this document.
• GSCIS faculty, staff and students should direct any questions they may have that pertain to this security policy to Network and Software Services (NSS) at scisweb@nsu.nova.edu or 954-262-2015

 2. Goals

          The goals of the Computing Network Policy are to:

• Provide Department-wide policies to protect all aspects of the university’s network and computer system from improper use.
• Create and implement procedures to identify and prevent abuse of department computer system and its network.
• Support existing policies set forth by the university.

3. Computer and Network Access

• NSS assigns a unique username to each employee that will be using a GSCIS computer.  At the first login, the employee is required to change their password.  For further information on passwords please see section 4. This username is to access the GSCIS domain.
• Depending on the employee’s assigned group they will only be allowed to access the appropriate files and folders associated with their position.
• The Operations department will notify NSS of any employee that leaves GSCIS so that the employee’s user account is disabled.  Once disabled the employee will no longer be able to login to any computer or access the GSCIS domain.

4. Passwords

• All GSCIS computer passwords expire after 180 days.  User must create a new password different from the last two previous passwords.  If user does not rest password within 180 days their account will automatically be disabled.
• All passwords must consist of a minimum of 8 characters in length.
• NSS will reset GSCIS employee passwords upon request.
• If employee forgets password it will have be to be rest as NSS is not aware of user’s password.
• After 7 invalid login attempts, user will be locked out of domain for ten minutes.

5. Software Licensing and Hardware Installation

• Software Installation is disabled to all staff members using global policies set forth on the GSCIS domain.
• If a particular software title is needed, only NSS staff can install the software on the computer.
• All software must have the proper licensing on file before installation begins.
• All computers are locked down to the desk using computer lock-down cables provided by the university.  Only NSS staff has the ability to unlock or lock the lock-down cable.

6. Inventory Control

• The University maintains a database of all computer equipment, its NSU ID, serial number, description of equipment and its location.  Inventory is performed at the discretion of the university’s policy.
• NSS maintains department level inventory database of all computer equipment including NSU ID, serial number, description, location, purchase date and last time inventoried by NSS.
• If computer equipment is scrapped or moved NSS notifies OIT of the move at which time OIT updates their university inventory database.  All necessary property control forms are properly filled out for all computer equipment located outside of the university.

7.  GSCIS Equipment Checkout

• GSCIS faculty and staff may check out computer equipment if their immediate supervisor has approved the check out and the equipment will be used for work related purposes.
• All equipment must be checked out with the NSS Director’s notification. 
• Equipment information, (Serial number, NSUID and description), employees name, return date, and signature must be obtained before equipment is placed in the employee’s possession.
• The NSS Director has the right to limit the equipment’s availability for checkout to fulfill the needs of the department. 
• Equipment is available on a first come, first served basis.

8. Anti-Virus Software

• GSCIS is currently (October 2004) running McAfee VirusScan 8.0. with ePolicy Orchestrator 3.5 running on all Windows based computers.
• All Windows based computers are updated every fifteen minutes with the latest virus signatures. 
• Policies are set to not allow the disabling of the VirusScan
• Every evening a full hard disk scan is done.
• If a virus is identified, McAfee will attempt to clean the virus.  If the file cannot be cleaned it is deleted.
• The NSS Director is notified by VirusScan of any virus identified on the domain.

9. Backup and Restore

• Procedures Used to Back Up Network:

All SCIS data is backed up using a Dell LTO 120 Tape Backup unit.  All critical data is backed up each night. The current configuration is a full backup (reset archive bit) done on Sunday of each week.  Every day thereafter, for that week, a differential backup is done.  By doing so, fewer medium are used while still allowing quick access to the data in case a restoration is needed.

• Retention of Backups:

SCIS currently has 16 LTO tapes that hold a maximum of 100GB each of compressed data. Being that 2 tapes are used each week for backup, this allows for a retention span of 8 weeks. 

• Proprietary of Backup Information Being Sent to an Off-site Location:

Current procedures in place are for the following week’s tapes (2) to be taken off-site using a third party company, “The Data Bank Company”.  Any necessary changes to this procedure will be made if needed.

• Restoration Procedures:

When a restoration is needed, the process is to restore the newest backup on file. Restore the operating system and check the integrity of the file systems. The steps are briefly outlined below:

• Restore the OS file system using a tape containing the latest full backup.
• Restore all file systems from the last full backup and the last differential backup from the date of the crash
• Check the integrity of the restored files.
• Protection against Environmental and/or Physical Threats:

A separate air conditioner is installed in the server room.  This will allow for the temperature of the server room to be constant 24 hours a day.  Dell’s management software is installed on the servers to detect any abnormalities of temperature or hardware conditions.  If any irregularities are discovered the system notifies The Network & Software Services department by text messaging (cell phone).  All servers are also monitored for online status.  This allows for instant notification of any network, operating system or hardware failures.  The Server room is locked and is only accessible by NSS staff.

• Testing of Backup and Recovery Procedures:

All backups are tested for recovery reliability on a monthly basis.

10. Acceptable Network Traffic

• All GSCIS users will act in a fashion that represents Nova Southeastern University and the Graduate School of Computer and Information Sciences in a professional manner in all forms of electronic communication (e.g., e-mail, web pages, forums and bulletin boards).  GSCIS users are responsible for using these systems appropriately.  Inappropriate use could result in disciplinary action.