HPU Information Security Policy
As technology advances, Hawaii Pacific University’s (HPU) systems and networks have become an increasingly important resource to faculty, staff, and students. Internal and external threats to the confidentiality, integrity, and availability of University information resources have increased dramatically. Multiple forms of security breach are constantly being attempted, and universities are popular targets for attack. Critical University resources, such as student data, research intellectual property, and private employee data, must be protected from intrusion and inappropriate use or disclosure. Systems and policies must be developed and routinely updated so they prevent intrusion and other malicious activities.
The purpose of this policy is to ensure that all individuals utilizing University resources understand their responsibility in reducing risk of compromise and take appropriate security measures to protect University systems, data, and assets. Everyone at HPU has the responsibility to assist with the implementation and enforcement of this policy. The Information Security Officer (ISO), with the assistance of Information Technology Services (ITS), will use the appropriate student, faculty, personnel, vendor, or affiliate policies to adjudicate violations, such as failure to comply with this policy, refusal to take corrective action when notified, and system or network misuse or improper disclosure of protected information.
This policy applies to individuals using or overseeing University resources, including but not limited to:
- All Hawaii Pacific University Campuses and Affiliates.
- Vice Presidents, Deans, Directors and Department Heads.
- Employees, faculty, staff, students, and other individuals who own or use devices connected to the University network, even if those devices were acquired personally, e.g., not with University or grant funds.
- Research projects, Principal Investigators and their collaborators.
- Affiliates, volunteers, interns, temporary employees.
- Third party vendors, including cases where vendor owned and/or managed equipment is housed or used in departments.
- Visiting Scholars.
This policy is especially focused on protecting critical resources and is intended to require those responsible to safeguard those resources in an appropriate manner. University resources are subject to vulnerability assessment and safeguard verification by the ISO designee(s).
Furthermore, the security policies, guidelines and standards presented in this policy apply to all computer and network systems owned by and/or administered within the University. This is inclusive of but not limited to the following:
- Operating Systems (all platforms)
- Networking Appliances/Devices (firewalls, routers, switches, wireless access points)
- Computers (desktops (including cloud based), workstation, mainframes)
- Mobile Devices (laptops, tablets, music players, thumb drives, cell/smart phones)
- Applications and Data (whether developed in house or purchased from third parties)
- Gaming Systems
Each department will protect University resources and data by adopting and implementing, at a minimum, the set of security standards provided as appendices to this document. The minimum standards set forth in the appendices are required of all departments, but departments are encouraged to adopt standards that exceed the minimum standards for the protection of campus resources. Individuals within the scope of this policy who use University resources are responsible for following departmental policy, if one exists, or this policy to ensure the security of those resources.
Recourse for Non-Compliance
In cases where University network resources are actively threatened, designee(s) of the ISO will act in the best interest of the University by securing the resources. When possible the ISO designee(s) will work with the appropriate device overseer to mitigate the threat. In an urgent situation requiring immediate action and leaving no time for collaboration, the ISO designee(s) are authorized to disconnect the device from the network. Any student not following this policy is subject to disciplinary procedures, including but not limited to expulsion. Any University employee not following this policy is subject to disciplinary procedures, including but not limited to termination. Anyone included in the scope of this policy is subject to appropriate policy or contract terms.
For assistance in resolving compromises or vulnerabilities, computer users should initially contact the ITS Helpdesk. ITS system administrators or network managers should contact the ISO for guidelines for technical assistance in investigating the incident.
These appendices include the minimal standards necessary to support the information security policy and identification of other related documents. As technology changes or new information is discovered, these standards will be updated or new standards will be added. Notification will be provided when a change to any standard occurs or additions are made. The following appendices are included:
Appendix A. Security Standards for Networked Devices
Appendix B. Incident Handling for Networked Devices
Appendix C. Management Responsibilities for Information Security
Appendix D. Operational Standards for Securing the Campus Network
Appendix E. Wireless Deployment and Management Standards
Appendix A. Security Standards for Networked Devices
The use of networked devices has become a part of everyday life and the use of sensitive data is often necessary. Securing these devices is necessary to ensure the confidentiality, integrity, and availability of University resources. As users of these devices, it is important for everyone to understand and contribute to the overall security of HPU.
The following standards will assist those employed or affiliated with the University in managing, maintaining and securing University-networked devices. Departments and individuals are encouraged to maintain stricter limits where practical or required. These standards should not be used to reduce the level of security that may already exist.
These security standards apply to all devices connected to the University network for the transmission and reception of electronic communications. Devices may include, but are not limited to, computers, tablets, cell/smart phones, music devices, printers, and network appliances. The standards also apply to devices situated behind firewalls or Network Translation devices, and to devices using a Virtual Private Network or Virtual Desktop software.
Software Patch Updates
Any networked device must have all available patches installed that address security vulnerabilities. Vulnerable systems face disconnection from the University network. Delaying installation until a convenient time, such as semester breaks, is unacceptable. Exceptions may be made for patches that compromise the usability of critical applications, provided additional security measures are taken. Computer overseers are responsible for creating and enforcing procedures to ensure that system software is kept current.
All computers connected to the University network must be running current anti-virus software, and must check for updates at least daily. The minimum standard for anti-virus software is to meet or exceed the effectiveness of the software products site-licensed by the University. Noncompliant or infected systems are subject to immediate removal from the network. Computer overseers are responsible for creating and enforcing procedures to ensure that anti-virus software is run at regular intervals and computers are verified to be free of viruses.
Host-based firewall software
Host-based firewalls may be used to provide an additional level of security to individual computer systems. Computer users are encouraged to seek out and follow the advice of their network manager, system administrator, or other technical support person regarding the use of host-based firewall software. The University site-licensed host-based firewall, a firewall appliance, or equivalent measures must be used to protect any computer that cannot receive the latest software security patches.
All networked devices with access to University resources shall require adequate passwords or an alternate secure authentication system (e.g., biometrics or HPU One Card). This standard applies to those employed or affiliated with the University, as well as contractors and vendors, with access to those resources. University computer account owners have a responsibility to construct, secure, and maintain their passwords in accordance with the requirements specified in the Password Policy which may be found on the ITS Nexus site.
University passwords must be safeguarded and may not be shared with anyone, including family members, supervisors, co-workers, or subordinates. As a precaution, be aware that the ITS staff will NEVER ask you for your password while providing you with assistance. In the event that you are solicited for any University-related password via telephone, email, or in person, please immediately contact a supervisor or send/forward the request to HelpDesk@hpu.edu.
All networked devices with access to University resources shall implement the following account management practices where possible:
1. Accounts shall be configured to lock after repeated login failures.
2. Accounts shall be deactivated after separation of affiliation.
3. Accounts shall be assigned to a single individual.
4. Account owners are responsible for any activity initiated from their account.
5. Accounts shall be created with the minimum amount of access necessary to meet the needs of the account holder. Access requirements should be reviewed for changes regularly.
All network devices should use only encrypted authentication mechanisms. In particular, historically insecure services such as Telnet, FTP, and SNMP should be replaced by their encrypted equivalents.
Email Relays and Proxy Servers
Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay e-mail messages. University approved devices will be granted access to communicate via SMTP with the outside world through authorized gateways only. Any unauthorized or unapproved SMTP traffic will be prohibited from leaving the internal network.
Software program default settings in which web or email proxies are automatically enabled must be identified by the system administrator/overseer and reconfigured to prevent unauthorized use.
It is recommended that devices be configured to "lock" or logoff and require a user to re-authenticate if the user leaves the device unattended. The following time limits are recommended maximums:*
Private Office/Cubicle/Shared Workstation
Monitored Computer Lab
Research Lab Workstation
Mission-critical systems and systems containing regulatory-protected data (e.g. FERPA, HIPAA, PCI, etc.) must be located in a locked location accessible only to authorized personnel.
Services and Protocols
Services or protocols that are unnecessary for the operation of a device should be disabled or removed. Assistance identifying services running on a device may be obtained by contacting the University Information Security Office or Help Desk.
Appendix B. Incident Handling for Networked Devices
HPU is increasingly dependent on data and network resources. Proper detection and response to incidents that may impact the confidentiality, integrity, or availability of these resources is critical to the continued operation of the University. Such incidents include, but are not limited to: virus outbreaks, physical or remote security breaches, denial-of-service attacks, and other exploited vulnerabilities. Special care needs to be taken to ensure that personal safety is not jeopardized by an incident or by the response to an incident. Examples of incidents that could endanger personal safety might include loss of access to user data or failure of environmental systems.
The following standards were developed to prepare those employed or affiliated with the University to properly detect and respond to incidents. Departments and individuals are encouraged to implement any additional plans they deem necessary. These recommendations should not be used to reduce the level of preparedness that may already exist.
These minimum standards apply to all HPU departments and affiliates, as well as contractors and vendors handling University systems or data. They represent the recommended minimum planning and cooperative efforts necessary to ensure the best incident detection and response possible. This and all other incident handling documents should be stored on a variety of media, including hard copy, so that they are readily accessible when needed.
Where there is a possibility of physical harm, contact 911 immediately.
Computer users and administrators should be alert for symptoms that indicate an intrusion into their systems. The following points are helpful in detecting intrusions:
Be suspicious of unusual activity – Unusual computer or network activity can be an indicator of a virus, attack, or intrusion. Activities and symptoms to look for include:
- Excessive virus warnings or personal firewall pop-up messages
- Unexpected system reboots and/or sudden degradation of system performance
- Unauthorized new user accounts or altered passwords
- New directories or files, often with unusual names such as "..." or ".."
- Modification or defacement of web sites.
- New open network ports on a system.
- Unexpectedly full disk drives.
- Missing or deleted emails
Listen to complaints received from others – Comments or emails claiming suspicious activity from a computer may indicate the computer is infected or has been compromised and may actively be attacking other computers.
Be aware of the physical environment – Access to secure computing areas, such as server rooms, telecom closets and research labs, should be restricted. Situations to be aware of include:
- Unauthorized personnel in secure areas
- Unknown users at a computer
- Missing or moved equipment
- Open or unlocked doors
Review logs – Log files are invaluable in detecting and tracking attempted intrusions and other suspicious activity. To maximize the value of logs:
- Ensure that a high level of logging is enabled.
- Check logs regularly for suspicious activity and entries
- Look for missing time spans in logs
- Check for repeated login failures or account lockouts
- Investigate unexpected system reboots
Users who suspect a security breach or violation (e.g. suspicious processes or applications, unknown network connections, account lockout, unusual last login time, etc.) must communicate their concerns to their direct supervisor immediately. The details surrounding the events must then be communicated to ITS immediately. Users can contact ITS directly via the ITS Helpdesk at 566-2411 or by sending an email to Helpdesk@hpu.edu.
All instances of suspected disclosure of confidential information must be reported to ITS and Human Resources (HR) immediately.
If a serious information security vulnerability is known to exist or discovered, it must be reported directly to ITS.
For HPU employees, associates or contractors, disciplinary action will be consistent with the severity of the incident, as determined by an investigation. Disciplinary actions may include, but are not limited to, loss of access privilege to data processing resources, dismissal of consultants, cancellation of contracts, termination of employment, or other actions as deemed appropriate. Disciplinary actions are coordinated through the Human Resources Department.
Evidential procedures will be followed to gather electronic evidence to document any computer related incident as deemed necessary by HPU ITS in conjunction with HR. Any evidence gathered will be kept on file for documentation purposes.
For external incidents or threats, action must be taken to ensure evidential integrity is maintained and the appropriate legal action can be taken, if necessary.
Appendix C. Management Responsibilities for Information Security
Personnel changes are a cause for concern when it comes to protecting HPU’s information resources. Methods must be in place to ensure the protection of these resources as changes occur. All departments must institute a policy regulating employee access to University information resources.
The following standards will assist departments in developing procedures for maintaining and securing information resources related to personnel changes. These standards should not be used to weaken procedures that may already exist.
These standards apply to all departments affiliated with HPU.
Personnel changes occur for various reasons. Each reason presents its own situations and therefore is covered separately below. There may be some overlap as circumstance requires.
When posting a job vacancy, indicate if the advertised position will have access to sensitive information and systems and whether the applicant will be subject to a criminal background check.
When screening candidates, consider position requirements concerning information security factors in the search process, for example security questions during interviews, reference check requirements, and past job responsibilities and experience relating to sensitive information.
Ensure reference check inquiries include questions about access to sensitive information and data, as well as related misconduct.
Prior to hire, conduct background checks in accordance with University policies as they relate to personnel with access to sensitive information and systems.
Provide training for new employees on information security procedures, to include: confidentiality of student records, personnel information, financial information, medical information, research, and other types of sensitive data and information with which they will have contact. Also include information about protecting confidential information from unauthorized individuals, proper disposal of documents that contain sensitive data and information, and prompt reporting of suspected problems. Ensure that employees are aware of the consequences of not following information security policies and procedures.
Ensure that access controls to sensitive data and systems are in place that deny employees access until appropriate information security training is completed.
Ensure that periodic refresher training is conducted on access and responsibilities relating to sensitive data and information.
Require employees to sign an appropriate statement acknowledging their responsibilities regarding access and protection of sensitive data and systems.
Managers and supervisors are responsible for securing information resources. As such, they are expected to:
- Immediately inform employees about changes in University or departmental information security policies or protocols.
- Review job announcements, promotions, change of job responsibilities, and employee transfers to ensure that access to sensitive data and information is appropriate to each position.
- Review access privileges at least annually. Access should be revoked for all employees who do not have a business need for access to sensitive data and information.
- Review annually notices, policies, and procedures related to non-disclosure, security and privacy.
- Assess at least annually performance and competencies specifically related to proper handling of sensitive data and information.
- Ensure that subordinate supervisors are aware of their information security and privacy
Internal Promotion or Transfer
Consider the use of any or all guidelines listed under the Hiring section.
Review and change access privileges based on job related and need-to-know criteria. This applies to departments acquiring new employees and those whose employees are moving to other departments.
Train newly hired or transferred employees in accordance with information security guidelines and criteria appropriate for their new job as determined by their supervisor.
Conduct background checks and/or fingerprint checks for internally promoted and transferred employees in accordance with University policy.
ITS will comply with the Employee Termination Policy in Nexus.
Appendix D. Operational Standards for Securing the Campus Network
As stewards of the campus network infrastructure, ITS will diligently work to protect the campus from external network attacks while providing a network that supports the educational mission of the University and does not impact academic freedom.
The intention of the University and these standards is to establish appropriate rules when using the campus network that will eliminate as much as reasonably possible those unwarranted intrusions, attacks and resulting compromised systems.
These standards apply to all devices connected to the University network for the transmission and reception of electronic communications.
The University hosts several non-University network connections for simple peering with the University and for connection to the commodity internet and where qualified, Internet. All such networks will be outside the University secure perimeter unless the connection would adversely impact their campus relationship. Any network that is connected inside the University perimeter will adhere to the same standards as University networks.
All wireless access points, bridges, repeaters, and point to point connections must be approved or installed by authorized University network administrators. All traffic destined for campus resources using a wireless access point or other radiated media must be encrypted.
The University will host all voice communications centrally. This includes Voice over IP (VoIP) services. Departmental PBXs are not authorized to be used on the University network, except where expressly permitted.
Networks that house sensitive systems (systems containing confidential or personally identifiable information) must be isolated from other networks through the use of firewalls as well as being physically secured, only allowing access that is required to conduct the business of the University. In addition to firewalls these networks will need to employ intrusion detection systems, connection logging, and encryption technologies to the extent necessary to protect sensitive traffic.
Authorization will come from interaction with system administrators to determine the need for certain Internet services to be opened at the campus border via rules on a gatekeeper, a firewall. This interaction can occur by in-person consultation or by completing an online web form. Requestors will describe what is needed, the precautions they have taken to secure the computer offering the services, and the probable sources of requests for the service.
The Information Security Officer (ISO) may designate campus entities (or external parties as mandated for compliance) to scan machines or whole subnets at both announced and unannounced times looking for vulnerabilities or compromised machines.
Port throttling or blocking may occur to prevent or alleviate either attacks or excessive bandwidth consumption.
Devices or networks of devices which:
1) Pose a security threat to the network
2) Significantly negatively impact the functionality of the network
3) Violate State, Federal or University Policy
are subject to service disconnection by the University and designees of the Information Security Officer.
Examples of grounds for service disconnection include, but are not limited to:
- Rogue DHCP servers
- Malware infected devices
- Spam senders/relays
- Unauthorized probing of other network devices.
Common forms of service disconnection are, but are not limited to, by device or port, or in extreme circumstances, by VLAN, floor, or building.
Authorized off campus users need access to on campus services in a safe way. Access for Microsoft Windows File Sharing (WFS) and SSH will be handled in the following ways. WFS will be blocked at the campus border. ITS will enable a specific pass thru for those users that need to use these services from identified locations.
For services needing network access to facilities on campus a Virtual Private Network (VPN) connection or Virtual Desktop connection to campus will be used. Using a VPN or VDI, a user will authenticate on the network before gaining access to the campus network resources.
Appendix E. Wireless Deployment and Management Standards
Wireless in the Local Area Network using the IEEE 802.11 standard is by nature easy to deploy, but highly sensitive to RF interference. Because of these characteristics, all wireless use must be planned, deployed, and managed in a very careful and centralized fashion to ensure basic functionality, maximum bandwidth, and a secure network.
The use of wireless network technology must not reduce the availability, integrity and confidentiality of critical and essential applications and/or the HPU network. Accordingly, any implementation of wireless network systems at HPU should meet or exceed the following standards.
To ensure the technical coordination required to provide the best possible wireless network for HPU, ITS will be responsible for the oversight of all 802.11 and related wireless technology on the campus. No other entity may deploy 802.11 or related wireless technology that attaches to the HPU network without coordination with ITS.
The following minimum standards provide the structure for a campus-wide solution. The implementation of wireless technology includes centralized authentication and authorization.
The standard addresses the following:
- The deployment of 802.11 and related wireless technology.
- The provision of wireless service for campus departments.
- The management of 802.11 and related wireless technology.
ITS has the authority to minimize interference to the common wireless network, and will work with departments to reconfigure or deactivate any departmental wireless networks that interfere with the University wireless network.
The following applies to all University Wireless Access Points:
- All University wireless must use an enterprise level access point compatible with 802.1x and flavors of WPA2.
- External antennas must comply with all federal and state regulations for antennas.
- Equipment mounted on external structures must be approved prior to installation.
- Installation of access points and bridging devices must be consistent with health, building, and fire codes.
All University wireless clients must go through the Wireless Mobility Controller in order to authenticate. The Mobility Controller will act as the captive portal for all users including faculty, staff, students and guests to be granted access to the production wireless environment.
All HPU wireless networks must use a valid Network account to access network resources.
Monitoring & Reporting
The use of wireless network technology is to be monitored on a regular basis for security and performance.
All wireless network service problems should be reported to the Help Desk. For assistance or to report problems contact 544-6111 or send an email to firstname.lastname@example.org
Any unusual wireless network event that may reflect unauthorized use of wireless network services will be immediately reported by the wireless system administrator to the ISO for review and, if appropriate, investigation.
Designee(s) of the ISO and/or ITS will grant exceptions to this policy and/or standards only after detailed review and risk assessment.