Technology Policies

Policies and Procedures

Acceptable Use of Information Technology Resources Policy

As with nearly all other corporations and educational institutions, the rapid emergence of the Internet, the growth of the World Wide Web, the incorporation of electronic mail in various curricula, and the availability of distributed information resources across a common network have caused Texas Wesleyan University to examine the many issues involved in the responsible use of information technology using institutional resources. This policy is the product of that study, and adherence by all Texas Wesleyan University students and staff is necessary. Adherence to this policy will ensure a computing environment that will perpetuate Texas Wesleyan University's academic and service mission. It is imperative that the campus community accepts that technological resources require responsible behavior from all its users. Simply stated, the continued and efficient accessibility of computer resources is the responsibility of the entire campus community.

This policy in conjunction with the Policy for the Acceptable Use of Network Resources will govern the use of information technology resources at Texas Wesleyan University.

Purpose
Information technology, including systems, software, and data, plays an increasingly important role in education and administration at Texas Wesleyan University. This policy is designed to define the appropriate and responsible use of the campus computing and network facilities by students and staff. (Faculty council will draft a faculty acceptable use policy.) Further, it is the intent of this policy to allow the greatest access of campus computing resources consistent with generally accepted principles of ethics that govern the Texas Wesleyan University community. In support of its mission of education and public service, Texas Wesleyan University seeks to provide access to its information technology for students, faculty, and staff within institutional priorities and financial capabilities.

Scope
Access to Texas Wesleyan University-owned computer facilities, equipment, hardware, software, printing services, and Information Technology Services staff-provided user support is a privilege, not a right. This privilege is extended to all students, faculty, and staff. Accepting access to this technology carries an associated expectation of responsible and acceptable use. Since technology now serves as a major source of information and interaction for research and education, this policy applies to all students and staff at Texas Wesleyan University who utilize any University information resource.

Definitions
The following terms are defined to add clarity to this policy:

Chief Information Officer: The administrator responsible for the administration and support of the University's information technology resources. The chief information officer reports to the senior vice president of Finance and Administration.

Computer: An electronic device that performs logical, arithmetic, and memory functions by manipulating electronic or magnetic impulses, and that includes all input, output, processing, storage, software, and communication facilities that are connected or related to an electronic system or communication network.

Computer hardware: Any and all tangible or physical devices attached to or used in conjunction with a computer system.

Computer network: The interconnection of communication lines with a computer through remote terminals or a complex consisting of two or more interconnected computers.

Computer program: An ordered set of instructions or statements that, when executed by a computer, causes the computer to process data.

Computer resources: Any and all computerized institutional data, computer hardware, and computer software owned by or operated at Texas Wesleyan University.

Computer software: A set of computer programs, procedures, or associated documentation used in the operation of a computer system.

Computer supplies: Paper tape, magnetic tape, tape cartridges, diskettes, floppy diskettes, compact discs, and computer output, including paper and magnetic media.

Computer system: A set of related computer equipment, hardware or software.

Data: A representation of information, knowledge, facts, concepts, or instructions that have been prepared or are being prepared in a formalized manner and have been processed, are being processed, or are intended to be processed in a computer system or computer network. Data may be in any form including computer printouts, magnetic storage media, compact discs, and as stored in the memory of Texas Wesleyan University computers. Data are property.

Information technology: Any and all computer or electronic resources that are utilized in the search, access, acquisition, transmission, storage, retrieval, or dissemination of data.

Property: Anything of value, including but not limited to financial instruments, information, electronically produced data, computer software, and computer programs.

Responsible use: Any action or behavior of an individual that does not cause accidental or unauthorized destruction, disclosure, misuse, or modification of or access to the information technology or computer resources owned or operated by Texas Wesleyan University.

User: Any person authorized to access and utilize the information technology resources at Texas Wesleyan University.

User account: Any physical area of any Texas Wesleyan University computer system that has been specifically established and set aside for any user.

Compliance
All student and staff users of Texas Wesleyan University information technology resources are required to comply with and, by using any such resources, agree to comply and be subject to this Policy for the Acceptable Use of Information Technology Resources (hereafter referred to as "policy"). Texas Wesleyan University, through an appropriate review and amendment process, reserves the right to amend this policy at any time, and without prior notice, in order to better provide information technology access to students, faculty, and staff. Texas Wesleyan University reserves the right to limit, restrict, or extend computing privileges and access to its information technology resources.

Limitations
Texas Wesleyan University computing resources and associated user accounts are only to be used for Texas Wesleyan University activities for which they are assigned, intended, or approved by a University official. Texas Wesleyan University computing systems are not to be used for any non-University related commercially public or private purpose, either for profit or non-profit. When accessing any remote resources utilizing Texas Wesleyan University information technology, users are required to comply with both the policies set forth in this document and all applicable policies governing the use and access of the remote computer system.

User Accounts
User accounts are designed only 1) to establish a system control mechanism for user identification, and 2) to afford users a physical location where they can store relevant academic and administrative data. At no time should user accounts be used to execute any computer software or computer programs other than those programs specifically granted and offered for user execution by Texas Wesleyan University. Physical storage in user accounts of any information, data, or programs not congruent with the mission of Texas Wesleyan University is prohibited.

All users are responsible for both the protection of their user account password and the data stored in their user account. Users are prohibited from sharing their user account password with anyone at any time, thereby granting unauthorized access to Texas Wesleyan University computer systems. It is required that users change their user account password periodically to help prevent compromise and unauthorized access of their user account. Any suspected unauthorized access of a user account should be reported immediately to the chief information officer or other University authority. User accounts are deactivated and removed from further access and use when the user's affiliation (e.g., employment, matriculation, current enrollment, etc.) is terminated. All data, files, or messages are removed from user accounts when account deactivation occurs.

Ownership
Texas Wesleyan University owns and operates the computers, computer networks, software, data files, messages, connections to external computer networks, and subscriptions to external computer services. Users cannot claim ownership of any data stored in Texas Wesleyan University computer systems.

These information technology resources are provided for the use of Texas Wesleyan faculty, staff, and students in support of its programs and are to be used for education, research, academic development, administrative functions, and public service. Use of these resources is a privilege, not a right. When using these resources, individuals agree to abide by the applicable policies of the University, as well as federal, state, and local laws.

Privacy
User privacy is not guaranteed. When University information systems are functioning properly, a user can expect the files and data he or she generates and stores in his or her user account to be private information, unless the creator of the file or data takes action to reveal it to others. Users should be aware, however, that no information system is completely secure. Persons both within and outside of the University may find ways to access files. Accordingly, the University cannot and does not guarantee user privacy and users should be continuously aware of this fact.

Texas Wesleyan University firmly supports all users' privacy as long as the user adheres to this policy defining the responsible use of information technology resources. Authorized Information & Communication Technology Department personnel have the right to examine stored information and communications when investigating cases of abuse of this policy, dealing with mis-addressed e-mail, and when troubleshooting technical problems with the system.

The University will not routinely monitor the content of electronic communications or personal WWW home pages, but will investigate properly identified allegations of misuse and will comply with applicable University regulations and state and federal laws.

The University reserves the right to access and disclose the contents of the electronic communications of its employees and other authorized users, but will do so only when it has a legitimate business need and after authorization from the senior vice president and provost or his designee. The contents of electronic communications, properly obtained for legitimate business purposes, may be disclosed without permission of the employee.

Authorized Information & Communication Technology Department personnel may routinely log usage data for system management purposes. The University does not archive contents of shared system disks or e-mail communications. However, disks on system computers are regularly backed up with "snapshot captures" for the purpose of being able to recover from crashes. These backups are only retained for a brief period. Note that this means that the University does not guarantee the integrity or permanence of material stored on system disks.

Data Security
Texas Wesleyan University provides reasonable security against unauthorized intrusion and damage to data, information, files, and messages stored on its computer systems within institutional priorities and financial capabilities. The University maintains facilities for archiving and retrieving data stored in user accounts. If a user needs to recover data after an accidental loss, Information & Communication Technology Department personnel should be contacted. Every reasonable attempt will be made to recover the lost or corrupted data. Due to variables associated with the magnetic storage of data, however, Texas Wesleyan University cannot guarantee full restoration in every instance. Further, other users can hold neither Texas Wesleyan University nor any Information & Communication Technology Department personnel accountable for unauthorized access, nor can they guarantee data protection in the event of media failure, fire, criminal acts, or natural disaster.

Copying Software
Respect for the intellectual work and property of others has traditionally been essential to the mission of academic institutions. As members of the university community, Texas Wesleyan University values the free exchange of ideas. Just as Texas Wesleyan University does not tolerate plagiarism, it does not condone the unauthorized copying of software, including programs, applications, operating systems, and databases. Software should not be copied. This refers to any and all software found on Texas Wesleyan University computer systems, encompassing all network servers, personal computers (to include all campus computer lab systems), and computer networks operating on campus. To copy software without the permission of its owner is illegal and a criminal offense.

Copyright Laws-Software
Unless placed in public domain by its owners, software programs are protected by Section 117 of the 1976 Copyright Act. Educational institutions and their constituencies are not exempt from the law. Software is also protected by the license agreement between the owner and purchaser. It is illegal to duplicate, copy, or distribute software or its documentation without the permission of the copyright owner. Violations of authorial integrity, including plagiarism and copyright violations, may be grounds for sanctions against members of the University community.

Liability for Errors
Texas Wesleyan University makes every effort to maintain an error-free hardware and software environment for its authorized users. Nevertheless, it is impossible to ensure that hardware or system software errors will not occur or that staff will always give the most correct advice. Texas Wesleyan University presents no warranty, either expressly stated or implied, for the services or access provided to its authorized users. Damages resulting directly or indirectly from the use of Texas Wesleyan University information technology resources are the responsibility of the authorized user.

Right to Monitor
Texas Wesleyan University owns the campus computer systems networked together on a common fiber-optic network. Every computer attached to the campus network for any reason (e.g., Internet connectivity, e-mail accessibility, etc.) is subject to monitoring by Information & Communication Technology Department personnel. Due to the exponential growth of the number of data packets transmitted through the Texas Wesleyan University network, this monitoring is required in order to detect and correct network problems as they occur, thereby ensuring the continued stability of the campus-wide computing environment. Even with the right to monitor, users should continue to expect that their data, files, and e-mail will remain private. System monitoring is a mechanism for monitoring computer system or user activities, not a method for accessing private information. Texas Wesleyan University reserves the right to monitor any computer action or any system record of any action that a user performs while utilizing the campus network.

Campus Computing Facilities
Computer labs on the Texas Wesleyan University campus are not available for general use during the periods when the rooms have been reserved for teaching purposes unless otherwise specified by the professor. It is the responsibility of every user to utilize these facilities in a responsible manner and in accordance with posted computer lab rules and policies. Accidental damage or damage caused by other parties should be reported as soon as possible so that corrective action can be taken.

Specific Issues of Responsible Use
In addition to the issues of responsible user behavior already described in this policy, the following more specific practices applicable to all Texas Wesleyan University computer systems/network users are prohibited:

  1. access, use, inspection, or modification of data or functions that are neither allotted nor authorized as a part of the user's account or specified as public domain information
  2. access, use, inspection, or modification of data that refer to computer utilization, computer access authorization, or security
  3. abuse or improper use of computer hardware, software, or network resources whether located on the Texas Wesleyan University campus or elsewhere on the Internet
  4. installing or executing unauthorized software on any computer resource
  5. any activity that might inject a computer virus on to the computer or network systems
  6. causing noise, displaying abusive or inappropriate behavior towards other users, or creating other disturbances in any campus computing area
  7. to cause or purposefully allow a computer malfunction or interruption of operation
  8. sending, printing, or storing obscene, pornographic, fraudulent, harassing, threatening, abusive, racist, or discriminatory images, files, or messages for non-educational purposes
  9. displaying or printing sexually explicit, graphically disturbing, discriminating, racist, or sexually harassing images or text for non-educational purposes in any campus computing facility or any campus location that can potentially be in view of other individuals
  10. access or use of another user's account and the data contained in that account
  11. theft, destruction, or removal of data or University-owned computer resources
  12. physical or electronic interference with other computer systems users
  13. dissemination or distribution of a user account password to any other person
  14. unauthorized use, access, duplication, disclosure, alteration, damage, or destruction of data contained in any electronic file or program, or on any computer, network, or library resource
  15. use of University information technology resources and associated user accounts that are not assigned, intended, or approved by a University official
  16. any other practice or user activity that, in the opinion of the chief information officer or the senior vice president and provost, constitutes irresponsible behavior, promotes illegal activities, results in the misuse of computer resources, or jeopardizes the operation of computer or network systems

Violations
This policy applies to all units of Texas Wesleyan University. It is expected that enforcement will require cooperation between such departments as ICT, Human Resources, and Student Services. Prior to any prolonged denial of access or other disciplinary action, a user shall be provided with such due process as may be recommended by University Legal Counsel.

In accordance with established University practices, policies, and procedures, confirmation of inappropriate use of University technology resources may result in termination of access, disciplinary review, suspension, expulsion, termination of employment, legal action, or other disciplinary action. If disciplinary action is deemed necessary, the case will be handled as follows:

  1. Policy violations by a student will be referred to the associate vice president of student life and will be handled as outlined in the Student Handbook.
  2. Policy violations by a staff member will be referred to the appropriate staff supervisor and/or vice president and will be handled as outlined in the Staff Policy Manual.
  3. It is understood that University policy does not preclude enforcement under the laws and regulations of the United States of America or the state of Texas.

Information & Communication Technology Department personnel will, when necessary, work with other University offices such as the Judiciary Board (in cases involving students), Campus Security, directors/department heads, deans of the schools, the University Legal Counsel, and others in the resolution of problems. Anyone who breaks the law may face criminal and/or civil legal action.

Summary
Computer and network resources are of significant value, and their abuse can have a negative impact on other users and the mission of the University as a whole.

Each authorized user of information technology resources at Texas Wesleyan University must assume responsibility for their own behavior while utilizing these resources. Users of information technology at Texas Wesleyan University should accept that the same morality and ethical behavior that serve as guides in our non-computing environments should also serve as guides in our computing and networking environment as well.

The Information & Communication Technology Department of Texas Wesleyan University gratefully acknowledges the model and selected text from "Policy for the Responsible Use of Information Technology," Nichols College (CAUSE Information Resources Library document number CSD1182).

Network Protection and Information Security Policy

Purpose
The purpose of this policy is to establish administrative direction, procedural requirements, and technical guidance to ensure the appropriate protection of Texas Wesleyan information handled by computer networks.

Scope
This policy applies to all who access Texas Wesleyan computer networks. Throughout this policy, the word “user” will be used to collectively refer to all such individuals. The policy also applies to all computer and data communication systems owned by or administered by Texas Wesleyan or its partners.

Policy
All information traveling over Texas Wesleyan computer networks that has not been specifically identified as the property of other parties will be treated as though it is a Texas Wesleyan asset. It is the policy of Texas Wesleyan to prohibit unauthorized access, disclosure, duplication, modification, diversion, destruction, loss, misuse, or theft of this information. In addition, it is the policy of Texas Wesleyan to protect information belonging to third parties that has been entrusted to Texas Wesleyan in a manner consistent with its sensitivity and in accordance with all applicable agreements.

Responsibilities
The Chief Information Officer (CIO) is responsible for establishing, maintaining, implementing, administering, and interpreting organization-wide information systems security policies, standards, guidelines, and procedures. While responsibility for information systems security on a day-to-day basis is every employee’s duty, specific guidance, direction, and authority for information systems security is centralized for all of Texas Wesleyan in the Information Technology department. This department will perform information systems risk assessments, prepare information systems security action plans, evaluate information security products, and perform other activities necessary to assure a secure information systems environment.

The Security Manager (person in charge of physical security and individual safety) is responsible for coordinating investigations into any alleged computer or network security compromises, incidents, or problems with the IT Infrastructure Services director. All compromises or potential compromises must be immediately reported to the Information Technology department. The IT Infrastructure Services director is responsible for contacting the Security Manager. System administrators are responsible for acting as local information systems security coordinators. These individuals are responsible for establishing appropriate user privileges, monitoring access control logs, and performing similar security actions for the systems they administer. They also are responsible for reporting all suspicious computer and network-security-related activities to the Security Manager. System administrators also implement the requirements of this and other information systems security policies, standards, guidelines, and procedures. In the event that a system is managed or owned by an external party, the department manager of the group leasing the services performs the activities of the system administrator.

Directors and Deans are responsible for ensuring that appropriate computer and communication system security measures are observed in their areas. Besides allocating sufficient resources and staff time to meet the requirements of these policies, departmental managers are responsible for ensuring that all employee users are aware of Texas Wesleyan policies related to computer and communication system security.

The Dean of Students is responsible for ensuring that appropriate computer and communication system security measures are observed by students. The Dean is responsible for ensuring that all student users are aware of Texas Wesleyan policies related to computer and communication system security.

Users are responsible for complying with this and all other Texas Wesleyan policies defining computer and network security measures. Users also are responsible for bringing all known information security vulnerabilities and violations that they notice to the attention of the Information Technology department.

System Access Control

End-User Passwords
Users must have passwords that are difficult to guess. This means that passwords should not be related to a user’s job or personal life. For example, a car license plate number, a spouse’s name, or fragments of an address should not be used. This also means passwords should not be a word found in the dictionary or some other part of speech. For example, proper names, places, technical terms, and slang should not be used.

The requirements for creating passwords mean that users must create a password that is at least 8 characters long and contains at least one uppercase letter and one number or special character.

Users can choose easily-remembered passwords that are difficult for unauthorized parties to guess if they:

  • String together several words into a pass phrase.
  • Shift a word up, down, left, or right one row on the keyboard.
  • Bump characters in a word a certain number of letters up or down the alphabet.
  • Transform a regular word according to a specific method, such as making every other letter a number reflecting its position in the word.
  • Combine punctuation or numbers with a regular word.
  • Create acronyms from words in a song, a poem, or another known sequence of words.
  • Deliberately misspell a word.
  • Combine a number of personal facts like birth dates and favorite colors.

When a password change is required, users should create a new password that is not identical to the last two passwords previously employed.

Passwords may not be stored in readable form in batch files, automatic logon scripts, software macros, terminal function keys, in data communications software, in web browsers, on hard drives, or in other locations where unauthorized persons might discover them.

Passwords may not be written down and left in a place where unauthorized persons might discover them. Aside from initial password assignment and password-reset situations, if there is reason to believe that a password has been disclosed to someone other than the authorized user, the password should be changed immediately.

Passwords may never be shared or revealed to anyone else besides the authorized user. If users need to share computer resident data, they should use electronic mail, local area network servers, and other secure mechanisms. This policy does not prevent the use of default passwords, typically used for new user ID assignment or password reset situations, which are then immediately changed when the user next logs onto the involved system. All passwords must be immediately changed if they are suspected of being disclosed or known to have been disclosed to anyone other than the authorized user.
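
The creation, change, and storage rules in this section can be enforced together at password-change time. The following is an added example, not part of the University's policy or systems: the class and function names are hypothetical, "special character" is assumed to mean any non-alphanumeric character, and the PBKDF2 work factor is an assumption the policy does not specify.

```python
import hashlib
import hmac
import os
from collections import deque

MIN_LENGTH = 8            # policy: "at least 8 characters long"
HISTORY_DEPTH = 2         # policy: "not identical to the last two passwords"
PBKDF2_ROUNDS = 200_000   # assumption: the policy gives no work factor


def composition_errors(password):
    """Return the composition rules from the policy that this password breaks."""
    errors = []
    if len(password) < MIN_LENGTH:
        errors.append("shorter than 8 characters")
    if not any(c.isupper() for c in password):
        errors.append("no uppercase letter")
    # Assumption: a "special character" is anything that is not a letter or digit.
    if not any(c.isdigit() or not c.isalnum() for c in password):
        errors.append("no number or special character")
    return errors


def _derive(password, salt):
    # Salted, slow hash so that nothing is kept "in readable form".
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ROUNDS)


class PasswordRecord:
    """Per-user record holding only salted hashes of the current and previous password."""

    def __init__(self):
        # Newest entry first; the deque silently drops anything older than two.
        self._entries = deque(maxlen=HISTORY_DEPTH)

    def _matches_history(self, password):
        # Check every stored entry (no early exit) with a constant-time compare.
        found = False
        for salt, digest in self._entries:
            if hmac.compare_digest(_derive(password, salt), digest):
                found = True
        return found

    def change(self, new_password):
        """Apply the composition and history rules; return (accepted, errors)."""
        errors = composition_errors(new_password)
        if self._matches_history(new_password):
            errors.append("identical to one of the last two passwords")
        if errors:
            return False, errors
        salt = os.urandom(16)  # fresh salt for every stored password
        self._entries.appendleft((salt, _derive(new_password, salt)))
        return True, []

    def verify(self, password):
        """Check a logon attempt against the current password only."""
        if not self._entries:
            return False
        salt, digest = self._entries[0]
        return hmac.compare_digest(_derive(password, salt), digest)


if __name__ == "__main__":
    record = PasswordRecord()
    # Constructed sample passwords, for illustration only.
    for candidate in ["wesleyan", "First-Constructed1", "Second-Constructed2",
                      "First-Constructed1"]:
        print(candidate, record.change(candidate))
```

Because each stored entry has its own salt, the history rule has to re-derive the candidate once per entry; the stored digests cannot simply be compared with one another.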

Password System Set-Up
All computers permanently or intermittently connected to Texas Wesleyan local area networks must have password access controls. If the computers contain confidential or protected information, an extended user authentication system approved by the Information Technology department must be used. Multi-user systems (servers) should employ user IDs and passwords unique to each user, and user privilege restriction mechanisms with privileges based on an individual’s need to know. Network-connected, single-user systems must employ hardware or software controls approved by Information Technology that prevent unauthorized access.

Wherever systems software permits, the display and printing of fixed passwords should be masked, suppressed, or otherwise obscured such that unauthorized parties will not be able to observe or subsequently recover them.

Wherever systems software permits, the initial fixed passwords issued to a new user by a system administrator must be valid only for the user’s first online session. At that time, the user should be required to choose another password. This same process applies to the resetting of passwords in the event that a user forgets a password.

All vendor-supplied default fixed passwords must be changed before any computer or communications system is used in production. This policy applies to passwords associated with end-user user IDs and passwords associated with privileged user IDs.

Where systems software permits, the number of consecutive attempts to enter an incorrect password must be strictly limited. After five unsuccessful attempts to enter a password, the involved user ID must be suspended until reset by a system administrator or temporarily disabled for no less than three minutes. The VPN and Outlook Web Mail constant connections must have a time-out period of 30 minutes and should log out upon reaching the threshold.
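
The failed-attempt rule above is a small state machine, sketched here as an added example that is not part of the University's policy or systems. The class name, method names, and the injectable clock are hypothetical; the thresholds are the ones the paragraph states.

```python
import time

MAX_CONSECUTIVE_FAILURES = 5   # policy: "After five unsuccessful attempts"
LOCKOUT_SECONDS = 180          # policy: disabled "for no less than three minutes"


class LockoutTracker:
    """Tracks consecutive failed logons per user ID and enforces the lockout.

    require_admin_reset=True models "suspended until reset by a system
    administrator"; False models the temporary three-minute disable.
    """

    def __init__(self, clock=time.monotonic, require_admin_reset=False):
        self._clock = clock                  # injectable so tests need not sleep
        self._require_admin_reset = require_admin_reset
        self._failures = {}                  # user_id -> consecutive failures
        self._locked_at = {}                 # user_id -> time the lock began

    def is_locked(self, user_id):
        started = self._locked_at.get(user_id)
        if started is None:
            return False
        if self._require_admin_reset:
            return True                      # only admin_reset() clears it
        if self._clock() - started >= LOCKOUT_SECONDS:
            self.admin_reset(user_id)        # lock expired: start counting afresh
            return False
        return True

    def attempt(self, user_id, password_ok):
        """Record one logon attempt; return 'ok', 'denied' or 'locked'."""
        if self.is_locked(user_id):
            # A correct password must not bypass an active lock.
            return "locked"
        if password_ok:
            # "Consecutive" attempts: a success resets the counter.
            self._failures.pop(user_id, None)
            return "ok"
        count = self._failures.get(user_id, 0) + 1
        self._failures[user_id] = count
        if count >= MAX_CONSECUTIVE_FAILURES:
            self._locked_at[user_id] = self._clock()
            return "locked"
        return "denied"

    def admin_reset(self, user_id):
        """Clear the lock and the failure counter for one user ID."""
        self._failures.pop(user_id, None)
        self._locked_at.pop(user_id, None)


if __name__ == "__main__":
    fake_now = [0.0]                         # constructed clock for the demo
    tracker = LockoutTracker(clock=lambda: fake_now[0])
    for _ in range(5):
        print(tracker.attempt("jdoe", password_ok=False))
    fake_now[0] = 179.0
    print(tracker.attempt("jdoe", password_ok=True))   # still inside the window
    fake_now[0] = 180.0
    print(tracker.attempt("jdoe", password_ok=True))   # window has elapsed
```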

Whenever system security has been compromised or if there is a reason to believe that it has been compromised, the involved system administrator must immediately take measures to ensure that passwords are properly protected. This may involve resetting all user passwords and requiring users to change them prior to next system log on.

Whenever system security has been compromised or if there is a reason to believe that it has been compromised, the involved system administrator must take measures to restore the system to secure operation. This may involve reloading a trusted version of the operating system and all security-related software from trusted storage media or original source-code disks/sites. The involved system then would be rebooted. All changes to user privileges taking effect since the time of suspected system compromise must be reviewed by the system administrator for unauthorized modifications.

Logon and Logoff Process
All users must be positively identified prior to being able to use any Texas Wesleyan multi-user computer or communications system resources. Positive identification for internal Texas Wesleyan networks involves a user ID and password, both of which are unique to an individual user, or an extended user authentication system.

Positive identification for all Internet and remote lines involves the use of an approved extended user authentication technique. The combination of a user ID and fixed password does not provide sufficient security for Internet or remote connections to Texas Wesleyan systems or networks. Modems, wireless access points, routers, switches or other devices attached to network-connected workstations located in Texas Wesleyan offices are forbidden unless they meet all technical requirements and have a user authentication system approved by the Information Technology department.

The logon process for network-connected Texas Wesleyan computer systems must simply ask the user to log on, providing prompts as needed. Specific information about the organization managing the computer, the computer operating system, the network configuration, or other internal matters may not be provided until a user has successfully provided both a valid user ID and a valid password.

If there has been no activity on a computer terminal, workstation, or personal computer for a certain period of time, the system should automatically blank the screen and suspend the session. Re-establishment of the session must take place only after the user has provided a valid password. The recommended period of time is 30 minutes. An exception to this policy will be made in those cases where the immediate area surrounding a system is physically secured by locked doors, secured-room badge readers, or similar technology or if the suspended session interferes with the ability of an instructor to complete his/her classroom instructional activities.

With the exception of electronic bulletin boards or other systems where all regular users are anonymous, users are prohibited from logging into any Texas Wesleyan system or network anonymously. If users employ systems facilities that permit them to change the active user ID to gain certain privileges, they must have initially logged on employing a user ID that clearly indicates their identity or affiliation.

System Privileges

Limiting System Access
The computer and communications system privileges of all users, systems, and independently-operating programs such as agents, must be restricted based on the need to know. This means that privileges must not be extended unless a legitimate academic/business-oriented need for such privileges exists.

Default user file permissions must not automatically permit anyone on the system to read, write, execute or delete a system file. Although users may reset permissions on a file-by-file basis, such permissive default file permissions are prohibited. Default file permissions granted to limited groups of people who have a genuine need to know are permitted.

Users with personally-owned computers are responsible for administering a screen saver program securing access to their machine’s hard disk drive, and setting passwords for all applications and systems software that provide the capability of connecting to Texas Wesleyan resources.

Texas Wesleyan computer and communications systems must restrict access to the computers that users can reach over Texas Wesleyan networks. These restrictions can be implemented through routers, gateways, firewalls, wireless access points, and other network components. These restrictions must be used to, for example, control the ability of a user to log on to a certain computer then move from that computer to another.

Process for Granting System Privileges
Requests for new user IDs and changed privileges must be in writing and approved by the user’s manager before a system administrator fulfills these requests. Documents reflecting these requests must be retained for a period of at least one year.

Individuals who are not Texas Wesleyan employees, students, or partners may not be granted a user ID or be given privileges to use Texas Wesleyan computers or networks unless the written approval of a current employee has been obtained and the employee agrees to full responsibility for all activities carried out by the individual(s) she or he is sponsoring. This can be accomplished using the Sponsored Account Request form.

Privileges granted to users who are not Texas Wesleyan employees must be granted for periods of 180 days or less. As needed, users who are not Texas Wesleyan employees must have their privileges reauthorized by the sponsoring department head every 180 days.

Special privileges, such as the default ability to write to the files of other users, must be restricted to those responsible for systems administration or systems security. An exception to this policy may be made if there is a justified business/academic need and permission is acquired through the exception process, using the Exception form. Configuration changes, operating system changes, and related activities that require system privileges must be performed by system administrators.

Third-party vendors must not be given Internet or remote privileges to Texas Wesleyan computers or networks unless the system administrator determines that they have a legitimate business/academic need. These privileges must be enabled only for the time period required to accomplish the approved tasks, such as remote maintenance. If a perpetual or long-term connection is required, then the connection must be established by approved extended user authentication methods.

All users wishing to use Texas Wesleyan internal networks or multi-user systems that are connected to Texas Wesleyan internal networks signify their agreement to comply with all applicable policies by their logon to the network.

Process for Revoking System Access
All user IDs should have the associated privileges revoked after a certain period of inactivity not exceeding 180 days.

If a computer or communication system access control subsystem is not functioning properly, it should default to denial of privileges to users. If access control subsystems are malfunctioning, the systems should remain unavailable until such time as the problem has been rectified.

Users must not test or attempt to compromise computer or communication system security measures unless specifically approved in advance and in writing by the IT Infrastructure Services director. Incidents involving unapproved system hacking, password guessing, file decryption, bootleg software copying, or similar unauthorized attempts to compromise security measures may be unlawful, and will be considered serious violations of Texas Wesleyan policy. Customer/student requests that Texas Wesleyan security mechanisms be compromised must not be satisfied unless the IT Infrastructure Services director approves in advance or Texas Wesleyan is compelled to comply by law. Short-cuts bypassing systems security measures, pranks, and practical jokes involving the compromise of systems security measures are absolutely prohibited.

The privileges granted to users, based on their role within the organization, should be reevaluated by administration every 12 months. In response to feedback from executives, department managers, the Human Resources department, or the IT Infrastructure Services director, system administrators must promptly revoke all privileges no longer needed by users.

Department managers must report all significant changes in employee duties or employment status promptly to the Information Technology department or system administrators (for non-IT managed systems) responsible for user IDs associated with the involved persons. For all terminations, the Human Resources department must issue a notice of status change to the Information Technology department and all system administrators who might be responsible for a system on which the involved employee might have a user ID.

Establishment Of Access Paths
Changes to Texas Wesleyan internal networks include loading new software, changing network addresses, reconfiguring routers, and adding remote lines. With the exception of emergency situations, all changes to Texas Wesleyan computer networks must use the formal change management process and be documented in a work order request. In addition, the Request for Change (RFC) must be approved in advance by the Information Technology Infrastructure Services Director except as delegated. Emergency changes to networks must be made by persons who are authorized by Information Technology. This process prevents unexpected changes from leading to denial of service, unauthorized disclosure of information, and other problems. This process applies not only to employees, but also to vendor personnel.

Employees must not establish electronic bulletin boards, local area networks, FTP servers, web servers, modem connections to existing local area networks, illegal Peer-to-Peer sharing or other multi-user systems for communicating information without the specific approval of the IT Infrastructure Services director. New types of real-time connections between two or more in-house computer systems must not be established unless such approval is obtained.

Participation in external networks as a provider of services that external parties rely on is prohibited unless Texas Wesleyan legal counsel has identified the legal risks involved and the Chief Information Officer has expressly accepted these and other risks associated with the proposal.

Acquisition of technology services or relying on an external party for network or computing services is prohibited unless Texas Wesleyan legal counsel has identified the legal risks involved, the Chief Information Officer has expressly accepted these and other risks associated with the proposal, and the service provider meets the security and technology requirements identified by the Information Technology department.

All Texas Wesleyan computers that connect to an internal or external network must employ password-based access controls or an extended user authentication system. Multi-user systems should employ software that restricts access to the files of each user, logs the activities of each user, and has special privileges granted to a system administrator. Single-user systems should employ access control software approved by the Information Technology department that includes boot control and an automatic screen blanker that is invoked after a certain period of no input activity. Portable computers and home/personally-owned computers that contain Texas Wesleyan information are also covered by this policy, as are network devices such as firewalls, gateways, routers, and bridges.

Remote maintenance ports for Texas Wesleyan computer and communication systems must be disabled until the time they are needed by the vendor. These ports must be disabled immediately after use.

Portable devices (smartphones, tablet computers, etc.) using WiFi or commercial data networks should not be used for data transmissions containing Texas Wesleyan confidential information unless the connection is encrypted. Such links may be used for electronic communications as long as users understand that confidential information must not be transmitted using this technology.

Computer Viruses, Worms, And Trojan Horses
Users must keep approved and current virus-screening software enabled on their computers. This software must be used to scan all software coming from third parties or other Texas Wesleyan departments, and the scan must take place before the new software is executed. Users must not bypass scanning processes that could stop the transmission of computer viruses.

Users are responsible for damage occurring because of viruses on computer systems under their control. As soon as a virus is detected, the involved user must immediately call the Information Technology department (817-531-4428) to ensure that no further infection takes place and that any experts needed to eradicate the virus are promptly engaged.

All personal computer software must be copied prior to its initial usage, and such copies must be stored in a safe place. These master copies must not be used for ordinary business/academic activities, but must be reserved for recovery from computer virus infections, hard disk crashes, and other computer problems. These master copies also must be stored in a secure location.

Texas Wesleyan computers and networks must not run software that comes from sources other than business/academic partners, knowledgeable and trusted user groups, well-known systems security authorities, computer or network vendors, or commercial software vendors. Software downloaded from electronic bulletin boards, shareware, public domain software, and other software from untrusted sources must not be used unless it has been subjected to a rigorous testing regimen approved by the IT Infrastructure Services director.

Data And Program Backup
Personal computer users are responsible for backing up the information stored on their local machines. For multi-user computer (servers) and communication systems, a system administrator is responsible for making periodic backups.

All sensitive information resident on Texas Wesleyan computer systems and networks must be periodically backed up. To ensure that all Confidential, valuable, or critical data is backed up, it must be stored on network servers managed by the Information Technology department or a trusted partner.

Texas Wesleyan requires the use of industry-standard media, techniques, and timelines in executing all backups. For multi-user computer systems, whenever systems software permits, backups must be performed without end-user involvement, over an internal network and during the off hours.

Storage of backup media is the responsibility of the office computer user or multi-user computer system administrator involved in the backup process. Media should be stored in fireproof safes, at a separate location at least several city blocks away from the system being backed up.

Unless the type of information is specifically identified by those in charge of risk management and legal compliance, information must be retained for as long as necessary but for no longer. Information listed on the Information Retention Schedule maintained by the Business Office must be retained for the period specified. Other information must be destroyed when no longer needed, which is generally within two years.

Department managers are responsible for preparing, testing and periodically updating user department contingency plans to restore service for all non-IT managed production applications and systems. The Information Technology department is responsible for preparing, testing and periodically updating network service contingency plans.

All Texas Wesleyan Confidential information stored on backup media should be encrypted using approved encrypting methods.

Portable Computers
Employees in the possession of portable, laptop, notebook, handheld, tablet and other transportable computers containing Confidential Texas Wesleyan information must not leave these computers unattended at any time unless the information is stored in encrypted form.

Employees in the possession of transportable computers containing unencrypted Confidential Texas Wesleyan information must not check these computers in airline luggage systems or with hotel porters. These computers must remain in the possession of the traveler as hand luggage.

Whenever Confidential information is written to a disk or other storage media, the storage media should be suitably marked with the highest relevant sensitivity classification. When not in use, this media should be stored in a locked safe, locked furniture, or a similarly secured location.

Remote Printing
Printers must not be left unattended if Confidential information is being printed or soon will be printed. The persons attending the printer must be authorized to examine the information being printed.

Unattended printing is permitted if the area surrounding the printer is physically protected such that persons who are not authorized to see the material being printed may not enter.

Privacy
Unless contractual agreements dictate otherwise, messages sent over Texas Wesleyan computer and communications systems are the property of Texas Wesleyan. Administration reserves the right to examine all data stored in or transmitted by these systems. Because Texas Wesleyan computer and communication systems are to be used for business/academic purposes, users are to have no expectation of privacy associated with the information they store in or send through these systems.

When providing computer-networking services, Texas Wesleyan does not provide default message protection services such as encryption. No responsibility is assumed for the disclosure of information sent over Texas Wesleyan networks, and no assurances are made about the privacy of information handled by Texas Wesleyan internal networks. In those instances where session encryption or other special controls are required, it is the user’s responsibility to ensure that adequate security precautions have been taken. Nothing in this paragraph must be construed to imply that Texas Wesleyan policy does not support the controls dictated by agreements with third parties, such as organizations that have entrusted Texas Wesleyan with confidential information.

Logs And Other Systems Security Tools
Every multi-user computer or communications system must include sufficient automated tools to assist the system administrator in verifying a system’s security status. These tools must include mechanisms for the recording, detection, and correction of commonly-encountered security problems.

Whenever cost justifiable, automated tools for handling common security problems must be used on Texas Wesleyan computers and networks. For example, software that automatically checks personal computer software licenses through a local area network should be used on a regular basis.

To the extent that systems software permits, computer and communications systems handling sensitive, valuable, or critical Texas Wesleyan information must securely log all significant security relevant events. Examples of security relevant events include users switching user IDs during an online session, attempts to guess passwords, attempts to use privileges that have not been authorized, modifications to production application software, modifications to system software, changes to user privileges, and changes to logging system configurations.

Logs containing computer or communications system security relevant events must be retained for at least three months. During this period, logs must be secured such that they cannot be modified, and such that only authorized persons can read them.

Certain information must be captured whenever it is suspected that computer or network related crime or abuse has taken place. The relevant information must be securely stored offline until such time as it is determined that Texas Wesleyan will not pursue legal action or otherwise use the information. The information to be immediately collected includes the system logs, application audit trails, other indications of the current system states, and copies of all potentially involved files.

Although system administrators are not required to promptly load the most recent version of operating systems, they are required to promptly apply all security patches to the operating system that have been released by knowledgeable and trusted user groups, well-known systems security authorities, or the operating system vendor. Only those systems security tools supplied by these sources or by commercial software organizations may be used on Texas Wesleyan computers and networks. Additionally, only vendor-supported versions of operating systems and applications should be used on production systems. This will generally require periodic upgrades to the current release or the most recent prior version (current -1).

Handling Network Security Information
From time to time, the IT Infrastructure Services director will designate individuals to audit compliance with this and other computer and network security policies. At the same time, every user must promptly report any suspected network security problem, including intrusions and out-of-compliance situations, to the IT Infrastructure Services director or his/her designee.

Provided that no intent to damage Texas Wesleyan systems existed, if users report a computer virus infestation immediately after it is noticed, even if their negligence was a contributing factor, no disciplinary action should be taken.

All network or systems software malfunctions must be reported immediately to the Information Technology department or the involved external service provider.

Information about security measures for Texas Wesleyan computer and communication systems is confidential and must not be released to people who are not authorized users of the involved systems unless the permission of the IT Infrastructure Services director has been obtained. For example, publishing system access information in directories is prohibited.

Physical Security Of Computer And Communications Gear
All Texas Wesleyan network equipment must be physically secured. Access to data centers, telephone wiring closets, network switching rooms, and other areas containing Confidential information must be physically restricted.

All employees who must keep Confidential Texas Wesleyan information offsite in order to do their work must possess lockable furniture for the proper storage of this information. At the time of separation from Texas Wesleyan, all Confidential information must be returned immediately.

Exceptions
Texas Wesleyan acknowledges that under rare circumstances, certain users may need to employ systems that are not compliant with these policies. All such instances must be approved in writing and in advance using the Exception process and form.

Violations
Texas Wesleyan network users who willingly and deliberately violate this policy will be subject to disciplinary action up to and including termination, expulsion from the university, and/or legal action.

Terms and Definitions
Access control: A system to restrict the activities of users and processes based on the need to know.

Agents: A new type of software that performs special tasks on behalf of a user, such as searching multiple databases for designated information.

Algorithm: A mathematical process for performing a certain calculation. In the information security field, it is generally used to refer to the process for performing encryption.

Badge reader: A device that reads employee identity badges and interconnects with a physical access control system that may control locked doors.

Booting: The process of initializing a computer system from a turned-off or powered-down state.

Bridge: A device that interconnects networks or that otherwise permits networking circuits to be connected.

Compliance statement: A document used to obtain a promise from a computer user that such user will abide by system policies and procedures.

Confidential information: A sensitivity designation for information, the disclosure of which is expected to damage Texas Wesleyan or its partners.

Critical information: Any information essential to Texas Wesleyan business activities, the destruction, modification, or unavailability of which would cause serious disruption to Texas Wesleyan business.

Cryptographic challenge and response: A process for identifying computer users involving the issuance of a random challenge to a remote workstation, which is then transformed using an encryption process and a response is returned to the connected computer system.

Default file permission: Access control file privileges, read, write, execute, and delete, granted to computer users without further involvement of either a security administrator or users.

Default password: An initial password issued when a new user ID is created, or an initial password provided by a computer vendor when hardware or software is delivered.

Dynamic password: A password that changes each time a user logs on to a computer system.

Encryption key: A secret password or bit string used to control the algorithm governing an encryption process.

Encryption: A process involving data coding to achieve confidentiality, anonymity, time stamping, and other security objectives.

End User: A user who employs computers to support Texas Wesleyan business/academic activities, who is acting as the source or destination of information flowing through a computer system.

Extended user authentication technique: Any of various processes used to bolster the user identification process typically achieved by user IDs and fixed passwords, such as hand-held tokens and dynamic passwords.

Firewall: A logical barrier stopping computer users or processes from going beyond a certain point in a network unless these users or processes have passed some security check, such as providing a password.

Front-end processor (FEP): A small computer used to handle communications interfacing for another computer.

Gateway: A computer system used to link networks that can restrict the flow of information and that employs some access control method.

Hand-held token: A commercial dynamic password system that employs a smart card to generate one-time passwords that are different for each session.

Information retention schedule: A formal listing of the types of information that must be retained for archival purposes and the time frames that these types of information must be kept.

Isolated computer: A computer that is not connected to a network or any other computer. For example, a stand-alone personal computer.

Logon banner: The initial message presented to a user when he or she makes connection with a computer.

Logon script: A set of stored commands that can log a user onto a computer automatically.

Master copies of software: Copies of software that are retained in an archive and that are not used for normal business activities.

Multi-user computer system: Any computer that can support more than one user simultaneously.

Password guessing attack: A computerized or manual process whereby various possible passwords are provided to a computer in an effort to gain unauthorized access.

Password reset: The assignment of a temporary password when a user forgets or loses his or her password.

Password-based access control: Software that relies on passwords as the primary mechanism to control system privileges.

Password: Any secret string of characters used to positively identify a computer user or process.

Positive identification: The process of definitively establishing the identity of a computer user.

Privilege: An authorized ability to perform a certain action on a computer, such as read a specific computer file.

Privileged user ID: A user ID that has been granted the ability to perform special activities, such as shut down a multi-user system.

Router: A device that interconnects networks using different layers of the Open Systems Interconnection (OSI) Reference Model.

Screen blanker or screen saver: A computer program that automatically blanks the screen of a computer monitor or screen after a certain period of inactivity.

Security patch: A software program used to remedy a security or other problem, commonly applied to operating systems, database management systems, and other systems software.

Sensitive information: Any information, the disclosure of which could damage Texas Wesleyan or its business associates.

Shared password: A password known by or used by more than one individual.

Software macro: A computer program containing a set of procedural commands to achieve a certain result.

Special system privilege: Access system privileges permitting the involved user or process to perform activities that are not normally granted to other users.

Suspending a user ID: The process of revoking the privileges associated with a user ID.

System administrator: A designated individual who has special privileges on a multi-user computer system, and who looks after security and other administrative matters.

Terminal function keys: Special keys on a keyboard that can be defined to perform certain activities such as save a file.

User IDs: Also known as accounts, these are character strings that uniquely identify computer users or computer processes.

Valuable information: Information of significant financial value to Texas Wesleyan or another party.

Verify security status: The process by which controls are shown to be both properly installed and properly operating.

Virus screening software: Commercially-available software that searches for certain bit patterns or other evidence of computer virus infection.

Related Documents
Acceptable Use Policy
Information Security Policy

Click here to download the Computer Administrator Access Policy.

Purpose
This document defines Texas Wesleyan University's policy regarding local administrator rights to University-owned computers and provides information related to the University's desire to provide the University community with secure, reliable technology in stable operating condition while balancing the need for individual empowerment in an academic environment.

Scope
The Computer Administrator Access Policy applies to all who are granted "Administrator" access on University-owned computers.

Terms and Definitions
Administrator access level allows the user to have complete and unrestricted access to the computer. This includes the ability to install any hardware or software, edit the registry, manage the default access accounts and change file level permissions. Manipulating these may cause serious stability issues with your system.

General access level allows most administrative powers with some restrictions. Installation of software or hardware that makes changes to the underlying operating system will require the assistance of IT. General Access Level will generally assure the highest level of stability for a computer.

Policy Statements

By default, all University employees are assigned General access level rights on University-provided computers. Exceptions may be granted to an employee who requires Administrator level access to perform his/her job-related tasks. Individuals may request administrator level access through the Technology Help Desk by completing and submitting the Exception Request form.

Guidelines

  • University-owned computers are university property and are intended for university business and classroom activities.
  • Individuals should only install software related to university business and classroom activities.
  • Individuals should not install software that may damage files and expose the University's network to virus attacks and malicious coding.
  • Individuals should refrain from installing software that may result in a system slowdown or degradation of performance.
  • Individuals should not install applications that consume network bandwidth and have the potential to cause network congestion and degradation of network performance.
  • Individuals should not download or install applications (software) that are illegal, improperly licensed, or unlicensed on university-owned equipment.
  • Individuals who download or install applications (software), other than those included in the standard configuration for all university computers, are responsible for retaining and producing documentation of appropriate licenses.
  • Individuals are responsible for re-installing and configuring all non-standard software, as necessary.
  • If required to restore normal system functionality, non-standard software will be removed as part of a repair process.
  • If a computer enabled with Administrator access is linked to a network performance issue, the computer will be restored to its original standard configuration.
  • If a computer enabled with Administrator access results in repeated (three) service calls to restore system functionality, General access rights will be restored to the system.

Related Documents
Exception Request form

Click here to download the Firewall Policy.

Purpose
Firewalls are an essential component of the Texas Wesleyan information systems security infrastructure. Firewalls are defined as security systems that control and restrict network connectivity and network services. Firewalls establish a control point where access controls may be enforced. Connectivity defines which computer systems are permitted to exchange information. A service is sometimes called an application, and it refers to the way for information to flow through a firewall. Examples of services include file transfer protocol (FTP) and web browsing (HTTP). This policy defines the essential rules regarding the management and maintenance of firewalls at Texas Wesleyan and it applies to all firewalls owned, rented, leased, or otherwise controlled by Texas Wesleyan employees.

Scope
This policy applies to all firewalls on Texas Wesleyan networks, whether managed by employees or by third parties. Departures from this policy will be permitted only if approved in advance and in writing by the IT Infrastructure Services Director.

In some instances, systems such as routers, air gaps, telecommunications front ends, or gateways may be functioning as though they are firewalls when they are not formally known as firewalls. All Texas Wesleyan systems playing the role of firewalls, whether or not they are formally called firewalls, must be managed according to the rules defined in this policy. In some instances this will require that these systems be upgraded so that they support the minimum functionality defined in this policy.

Specific Requirements

Required Documentation - Prior to the deployment of every Texas Wesleyan firewall, a diagram of permissible paths with a justification for each, and a description of permissible services accompanied by a justification for each, must be submitted to the IT Infrastructure Services Director. Permission to enable such paths and services will be granted by the IT Infrastructure Services Director only when these paths or services are necessary for important business reasons, and sufficient security measures will be consistently employed. The conformance of actual firewall deployments to the documentation provided will be periodically checked by the Security Engineer or his/her designee. Any changes to paths or services must go through this same process as described below.

Default To Denial - Every connectivity path and service that is not specifically permitted by this policy and supporting documents issued by the Information Technology department must be blocked by Texas Wesleyan firewalls. The list of currently approved paths and services must be documented and distributed to all system administrators with a need to know by the Information Technology department. An inventory of all access paths into and out of Texas Wesleyan internal networks must be maintained by the Information Technology department.

Connections Between Machines - Real-time connections between two or more Texas Wesleyan computer systems must not be established or enabled unless the Information Technology department has determined that such connections will not unduly jeopardize information security. In many cases, firewalls or similar intermediate systems must be employed. This requirement applies no matter what the technology employed, including wireless connections, microwave links, cable modems, integrated services digital network lines, and digital subscriber line connections. Any connection between an in-house Texas Wesleyan production system and any external computer system, or any external computer network or service provider, must be approved in advance by the Information Technology department.

Regular Testing - Because firewalls provide such an important control measure for Texas Wesleyan networks, their strength and proper configuration must be tested on a regular basis. Where vendor software supports it, this testing must include the use of software agents that automatically check to determine whether firewalls remain configured and running in a manner that is consistent with both Texas Wesleyan security policies and the Texas Wesleyan Information Architectural plan. This testing process must include consideration of defined configuration parameters, enabled services, permitted connectivity paths, current administrative practices, and adequacy of the deployed security measures. These tests must include the regular execution of vulnerability identification software and the regular performance of penetration tests. These tests must be performed by technically proficient persons, either in the Information Technology department or working for a third-party contractor. Those responsible for either the administration or management of the involved firewalls must not perform these tests.

Logs - All changes to firewall configuration parameters, enabled services, and permitted connectivity paths must be logged. All suspicious activity that might be an indication of either unauthorized usage or an attempt to compromise security measures also must be logged. The integrity of these logs must be protected with checksums, digital signatures, encryption, or similar measures. These logs must be promptly removed from the recording systems and stored in a physically protected container for at least six months after the time they were recorded. These logs must be reviewed periodically to ensure that the firewalls are operating in a secure manner.

Intrusion Detection - All Texas Wesleyan firewalls must include intrusion detection systems approved by the Information Technology department. Each of these intrusion detection systems must be configured according to the specifications defined by the Information Technology department. Among other potential problems, these intrusion detection systems must detect unauthorized modifications to firewall system files, and detect denial of service attacks in progress. Such intrusion detection systems must also immediately notify by pager the technical staff that is in a position to take corrective action. All technical staff working on firewalls must be provided with remote access systems and privileges so that they can immediately respond to these incidents even when they are physically removed from the firewall.

Contingency Planning - Technical staff working on firewalls must prepare and obtain Information Technology department approval for contingency plans that address the actions to be taken in the event of various problems including system compromise, system malfunction, system crash, system overload, and Internet service provider unavailability. These contingency plans must be kept current to reflect changes in the Texas Wesleyan information systems environment. These plans must be periodically tested to ensure that they will be effective in restoring a secure and reliable networking environment.

External Connections - All in-bound real-time Internet connections to Texas Wesleyan internal networks or multi-user computer systems must pass through a firewall before users can reach a logon banner. Aside from personal computers that access the Internet on an outbound single-user session-by-session dial-up basis, no Texas Wesleyan computer system may be attached to the Internet unless it is protected by a firewall. The computer systems requiring firewall protection include web servers, electronic commerce servers, and mail servers. All personal computers with digital subscriber line or cable modem connectivity must employ a firewall approved by the Information Technology department. Wherever a firewall supports it, logon screens must have a notice indicating that the system may be accessed only by authorized users, users who log on represent that they are authorized to do so, unauthorized system usage or abuse is subject to disciplinary action including criminal prosecution, and system usage will be monitored and logged.

Extended User Authentication - Inbound traffic, with the exception of Internet electronic mail, regular news distributions, and push broadcasts previously approved by the Information Technology department, that accesses Texas Wesleyan networks through a firewall must in all instances involve extended user authentication measures approved by the Information Technology department.

Virtual Private Networks - To prevent unauthorized disclosure of sensitive and valuable information, all inbound traffic, with the exception of Internet mail, approved news services, and push broadcasts, that accesses Texas Wesleyan networks must be encrypted with the products approved by the Information Technology department. These connections are often called virtual private networks (VPNs). The VPNs permissible on Texas Wesleyan networks combine extended user authentication functionality with communications encryption functionality [https://uconnect.txwes.edu].

Firewall Access Mechanisms - All Texas Wesleyan firewalls must have unique passwords or other access control mechanisms. The same password or access control code must not be used on more than one firewall. Whenever supported by the involved firewall vendor, those who administer Texas Wesleyan firewalls must have their identity validated through extended user authentication mechanisms. In certain high security environments designated by the IT Infrastructure Services Director, such as the Texas Wesleyan Internet commerce site, remote access for firewall administrators is prohibited. All firewall administration activities must take place in person and on site.

Firewall Access Privileges - Privileges to modify the functionality, connectivity, and services supported by firewalls must be restricted to a few technically-trained individuals with a business need for these same privileges. Unless permission from the IT Infrastructure Services Director has been obtained, these privileges must be granted only to individuals who are full-time permanent employees of Texas Wesleyan, and not to temporaries, contractors, consultants, or outsourcing personnel. All firewalls must have at least two staff members who are adequately trained to make changes, as circumstances require. Such training includes periodic refresher training courses or conference attendance to permit these staff members to stay current with the latest developments in firewall technology and firewall operations. Care must be taken to schedule out-of-town vacations so that at least one person capable of effectively administering the firewall is readily available at all times.

Secured Subnets - Portions of the Texas Wesleyan internal network that contain sensitive or valuable information, such as the computers used by the Human Resources department, should employ a secured subnet. Access to this and other subnets should be restricted with firewalls and other access control measures. Based on periodic risk assessments, the Information Technology department will define the secured subnets required in the Information Architecture.

Demilitarized Zones - All Internet commerce servers including payment servers, database servers, and web servers must be protected by firewalls, and be located within a demilitarized zone (DMZ), a subnet that is protected from the Internet by one or more firewalls. An internal network, such as an intranet, is also protected from the DMZ subnet by one or more firewalls.

Network Management Systems - Firewalls must be configured so that they are visible to internal network management systems. Firewalls also must be configured so that they permit the use of remote automatic auditing tools to be used by authorized Texas Wesleyan staff members. Unless deliberately intended as a test, such automatic auditing tools must not trigger a response sequence through firewall-connected intrusion detection systems.

Disclosure Of Internal Network Information - The internal system addresses, configurations, products deployed, and related system design information for Texas Wesleyan networked computer systems must be restricted such that both systems and users outside the Texas Wesleyan internal network cannot access this information.

Secure Backup - Current offline back-up copies of firewall configuration files, connectivity permission files, firewall systems administration procedural documentation files, and related files must be kept close to the firewall at all times. A permissible alternative to offline copies involves online encrypted versions of these same files. Where systems software permits it, the automatic reestablishment of approved copies of these systems files must proceed whenever an unauthorized modification to these files has been detected.

Virus Screening and Content Screening - Virus screening software approved by the Information Technology department must be installed and enabled on all Texas Wesleyan firewalls. Because the files passing through a firewall may be encrypted or compressed, firewall-based virus detection systems may not detect all virus-infected files. For this reason, virus-screening software is also required at all Texas Wesleyan mail servers, departmental servers, and desktop personal computers. Both content screening software and software that blocks users from accessing certain non-business web sites must also be enabled on all Texas Wesleyan firewalls.

Firewall Dedicated Functionality - Firewalls must run on dedicated machines that perform no other services, such as acting as a mail server. Sensitive or critical Texas Wesleyan information must never be stored on a firewall. Such information may be held in buffers as it passes through a firewall. Firewalls must have only the bare minimum of operating systems software resident and enabled on them. Where the supporting operating system permits it, all unnecessary and unused systems software must be removed from firewalls. Texas Wesleyan does not permit its internal information to be resident on or processed by any firewall, server, or other computer that is shared with another organization at an outsourcing facility. Outsourcing organization-provided shared routers, hubs, modems, and other network components are permissible.

Firewall Change Control - Because they support critical Texas Wesleyan information systems activities, firewalls are considered to be production systems. All changes to the firewall software provided by vendors, excluding vendor-provided upgrades, patches, and fixes, must go through the Change Management Process. A firewall policy, defining permitted and denied services and connections, should be documented and reviewed at least twice a year by the Security Engineer. Major changes to the Texas Wesleyan internal networking environment, any changes to the production business applications supported, and any major information security incident must trigger an additional and immediate review of the firewall policy. The same documentation that is required for changes on production systems must also be prepared for firewall changes.

Posting Updates - Texas Wesleyan firewalls must be running the latest release of software to repel these attacks. Where available from the involved vendor, all Texas Wesleyan firewalls must subscribe to software maintenance and software update services. Unless approved in advance by the IT Infrastructure Services Director, staff members responsible for managing firewalls must install and run these updates within two business days of receipt.

Monitoring Vulnerabilities - Texas Wesleyan staff members responsible for managing firewalls should stay current with information about firewall vulnerabilities. Any vulnerability that appears to affect Texas Wesleyan networks and systems must promptly be brought to the attention of the IT Infrastructure Services Director.

Standard Products - Unless advance written approval is obtained from the IT Infrastructure Services Director, only those firewalls appearing on the list of approved vendors and products may be deployed with Texas Wesleyan networks. All firewall interfaces and features deployed, such as virus screening, must be consistent with the Information Architecture issued by the Information Technology department.

Firewall Physical Security - All Texas Wesleyan firewalls must be located in locked rooms accessible only to those who perform authorized firewall management and maintenance tasks approved by the IT Infrastructure Services Director. The placement of firewalls in an open area within a general purpose data processing center is prohibited, although placement within separately locked rooms or areas, which themselves are within a general data processing center, is acceptable. These rooms must be equipped with alarms and an automated log of all persons who gain entry to the room.

Click here‌ to download the Virtual Private Network Policy.

Purpose
The purpose of this policy is to provide guidelines for Virtual Private Network (VPN) connections to access Texas Wesleyan's internal network. Texas Wesleyan's VPN server is designed to provide off-campus access to network resources available on the Texas Wesleyan campuses.

Scope
This policy applies to employees with demonstrated need to access resources internal to the university network.

Terms and Definitions
Virtual Private Network (VPN) - a method for accessing a remote network that uses encryption and tunneling to connect users securely over a public network, usually the Internet.

Policy Statements
VPN access will be enabled only via methods approved and managed by the Information Technology department.

All requests for VPN service begin with submitting a request to the Help Desk (helpdesk@txwes.edu) for installation.

By using the VPN technology, employees must understand that all VPN-connected devices are an extension of the Texas Wesleyan network, and as such are subject to the same rules and policies that apply to university computers on campus.

Users of this service are responsible for procurement and cost associated with acquiring basic Internet connectivity, and any associated service issue. VPN services work best over broadband connections.

It is the responsibility of the employee with VPN privileges to ensure that unauthorized users are not allowed access to the Texas Wesleyan network.

All VPN services are to be used solely for the approved business/academic support purpose. All users are subject to auditing of VPN usage.

VPN users will be automatically disconnected from the Texas Wesleyan network after 30 minutes of inactivity.

All computers connected to the Texas Wesleyan network via VPN must use the university approved anti-virus software and are subject to scanning before establishing a connection.

Enforcement
Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

Related Documents
Network Protection Policy

Click here‌ to download the Computer Lab Software Installation Policy.

Purpose
Texas Wesleyan University wishes to ensure that the software needed to support instructional activities is readily available to students and employees in computer labs and classrooms and that all software installed in these labs is properly licensed in compliance with local, state and federal laws.

This policy serves to assure that properly licensed software is available in labs and classrooms at Texas Wesleyan.

Scope
This policy applies to all University Computer Labs and Classroom Computers.

Policy
Texas Wesleyan Faculty and Staff responsible for providing instruction or services to students may request software applications be installed and made available in computer labs and classrooms at the University.

Requirements for Installation
The Faculty or Staff member requesting the software installation must provide the following to the Technology Help Desk:

  1. A completed on-line software installation request form submitted prior to the applicable deadline.
  2. Original or copied software media (disks and/or CD-ROMs).
  3. Software installation documentation (if available).
  4. Original software license agreement (also known as an end user / network license agreement), documented maximum number of users (if available), and software usage expiration date.

Software Exempt from the Requirements for Installation
Request submissions are not required for campus-licensed software packages, such as Microsoft Office and SPSS. These software packages are part of the base image of every computer and remain installed on all systems regardless of whether a specific request was received.

Related Documents
Acceptable Use Policy
Information Security Policy
Lab and Classroom Software Installation Form
Technology Replacement and Upgrade Policy

Click here‌ to download the Security Incident Reporting and Response Policy.

Purpose
Confidential personal information compromised by a security breach may lead to identity theft and invasion of privacy for affected individuals. The University may be required by law to take specific action in the event of a breach to the confidentiality of such information.

This document outlines the actions required for notification of and response to a security breach involving unencrypted personal information processed and/or maintained by the University.

Scope
This policy applies to all Texas Wesleyan University employees and contractors who process, store, transmit or otherwise use confidential personal information entrusted to the University.

Policy
Actual or suspected security breaches involving confidential personal information must be reported immediately to the Chief Information Officer. Once the nature and extent of the breach has been determined, the University will notify affected individuals as necessary.

Personal information that is lawfully available to the public from a government record is not subject to this breach notification policy. In addition, personal information rendered unreadable to an unauthorized party through use of encryption is not subject to this breach notification policy. Accordingly, all computers and other electronic data storage devices where confidential personal information may reside must be protected in accordance with the Information Security Policy. Personnel who work with personal data also must follow the requirements set forth in the Data Classification Security Policy.

Affected individuals shall be notified in a manner compliant with the State's Security Breach Notification Law.

Terms and Definitions
Confidential Personal Information – an individual's first name or first initial and last name in combination with any one or more of the following items, if the name and the items are not encrypted:

  1. Social Security Number;
  2. Driver license number or government-issued ID number; or
  3. Account number or credit card number or debit card number in combination with any required security code, access code, or password that would permit access to an individual's financial account.

Confidential Personal Information also includes information that identifies an individual and relates to:

  1. The physical or mental health or condition of the individual;
  2. The provision of health care to the individual; or
  3. Payment for the provision of health care to the individual.

Confidential information does not include publicly available information that is lawfully made available to the general public from the federal government or a state or local government.

Security Breach - unauthorized acquisition of data that compromises the security, confidentiality, or integrity of confidential personal information maintained by the University, including data that is encrypted if the person accessing the data has the key required to decrypt the data.

Related Documents
Data Classification Security Policy
Information Security Policy
Security Breach Notification Laws by State
Texas Wesleyan University Privacy Policy

Click here‌ to download the Technology Equipment Replacement Policy

Purpose
Adequate computer and network hardware and software are essential to the delivery of instruction, student learning, research and creative activities, and to the efficient and effective management of the institution. Rapid changes in technology require that a well-managed university have a systematic plan for upgrading and replacing technology to ensure that it offers access to the most basic services.

This document defines Texas Wesleyan University's (TW) policy regarding the replacements of all TW-owned technology equipment at the end of its life cycle and upgrades of institution-wide software.

Scope
This Policy applies to all TW-owned workstations, laptop computers, desktop peripherals (printers, scanners, projectors, and interactive whiteboards), network hardware (servers, switches, routers, bridges, and other key network devices), cable plant and physical infrastructure, and the institution-wide software (Microsoft Operating System, Microsoft Office Suite, Ellucian Colleague UI, SPSS, and other site-licensed desktop applications) running on those devices.

Roles and Responsibilities
Administration/Department Heads - Each department head is responsible for identifying any exceptions (earlier or delayed replacements/upgrades) necessary to ensure an employee can effectively perform his/her job duties. The senior manager/VP over the reporting line is responsible for reviewing and approving requested exceptions and divisional budgets.

Information Technology Department – This group is responsible for generating and monitoring inventories, budgeting for replacements and upgrades and executing equipment replacements and upgrades to institution-wide software according to the replacement cycle. This group also makes technical decisions on equipment and software standards and upgrades and replacements based on industry trends, software development cycles, costs and risks to systems stability.

Policy Statement
Texas Wesleyan University will maintain modern computer and network hardware and software capable of supporting its educational and business activities.

To accomplish this, technology hardware will be budgeted for replacement through the University IT budget and replaced and upgraded according to the schedule below.

| Category | Description | Replacement Timeframe |
|---|---|---|
| High-performance Servers | This category encompasses all high-performance and high-use servers. These servers perform mission critical activities and/or provide access to critical services on a daily basis. | Fiscal year immediately after 3rd year of use |
| Laptop Computers | This category encompasses all laptop systems and includes all associated docking stations and monitors as a single unit. | Fiscal year immediately after 4th year of use |
| Workstation Computers | This category encompasses all desktop computer systems and includes the CPU and monitor as a single combined unit. | Fiscal year immediately after 5th year of use |
| General Use Servers | This category encompasses all servers not classified as "high-performance". These servers provide mission-essential services and perform activities supporting the academic, service and business goals of the institution. | Fiscal year immediately after 5th year of use |
| Network Hardware | Network hardware includes repeaters, routers, switches, bridges, access points and other communication devices. | Fiscal year immediately after 5th year of use |
| Desktop Peripherals | Desktop peripherals include printers, scanners, projectors, and interactive whiteboards. | Fiscal year immediately after 7th year of use |
| Cable Plant and Physical Infrastructure | The copper and fiber optic wires that connect data/information stations together and comprise the network infrastructure are the components identified in this last category. | Fiscal year immediately after 10th year of use |

If a hardware item is determined to be irreparable by IT or if the cost to repair exceeds the current market value of the item, the item may be replaced earlier than indicated in the table above with all costs for replacement covered by the University IT budget.

If a department elects to replace an item earlier than the identified replacement cycle, both the budget officer and VP over the reporting line must approve the request and the electing department assumes all costs for replacing the item.

Software Upgrades
Related to software, all systems should be running the current version or most recent prior (current -1) version of manufacturer-released software packages. If a university-owned system is found to be running an older version (current -2 or older) of any institution-wide software package (Microsoft Operating System, Microsoft Office Suite, Ellucian Colleague UI, SPSS, or other site-licensed desktop application), it will be upgraded to the most recent version as soon as possible.

Replacement Requirements
All replacements will adhere to a single standard for each equipment type. Departments must surrender a like device (computer, peripheral, etc.) for each device replaced. Departments may not repurpose existing devices to expand the number of technology devices supported. All enhancements to or changes from the standard resulting in a cost higher than that of the standard will be charged to the requesting department's budget.

If a department keeps or maintains any special-purpose software or peripherals, they must be compatible with the new equipment and all institution-wide software packages. Otherwise, the department is required to purchase the software or peripheral upgrade.

Related Documents
Exception Request Form

Contact Us
Information Technology

Phone: 817-531-4428
Email: helpdesk@txwes.edu

Office Hours

Monday - Friday
8 a.m. - 5 p.m.

A Methodist Institution Since 1890
1201 Wesleyan Street | Fort Worth, TX 76105
817.531.4444 © 2012 All Rights Reserved