
Technology Policies

  •  

    Acceptable Use Policy for Technology Resources

    The Acceptable Use Policy for Technology Resources establishes what constitutes the acceptable use of these resources in order to assure that they are available to everyone as needed for the University's business needs.

  •  

    Computer Account Policy

    Computer Account Policy explains the computer account and eligibility guidelines.
  •  

    Computer Crime Policy

    Information Technology takes a very serious view regarding misuse of CSU-Pueblo's hardware, software, or network. This applies to misuse of facilities located on-campus or sites accessed through the CSU-Pueblo network.

    Misuse is further defined by the CSU-Pueblo Electronic Communications Policy and various other official documents such as the CSU-Pueblo Catalog, Faculty Handbook, etc.

    Information Technology has and will continue to work with campus police as well as external law enforcement agencies in cases of suspected or confirmed misuse.

    Information Technology does not hesitate to press for suspension of privileges, suspension from the University, or various legal actions when the situation warrants.

    Our primary goal in this regard is to protect the safety and privacy of our patrons. Our secondary goal is to provide consistent and quality service. We will utilize appropriate legal resources at our disposal to meet these goals.

  •  

    Email and Electronic Mass Communications Policy

    Email and Electronic Mass Communications Policy provides the guidelines for using the email systems owned and/or controlled by CSU-Pueblo and the use of electronic mass communications.

    Guidelines for the Email Digest.

  •  

    Password Policy

    Overview

    Passwords are an important aspect of computer security. They are the front line of protection for user accounts. A poorly chosen password may result in the compromise of CSU-Pueblo's entire network. As such, all CSU-Pueblo employees (including contractors and vendors with access to CSU-Pueblo systems) are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

    Purpose

    The purpose of this policy is to establish a standard for creation of strong passwords, the protection of those passwords, and the frequency of change. The scope of this policy includes all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any CSU-Pueblo facility, has access to the CSU-Pueblo network, or stores any non-public CSU-Pueblo information.

    Policy

    • All passwords (e.g., network, e-mail, web, etc.) must be changed at least every 180 days.
    • All passwords must conform to the rules described below.
    • Passwords cannot be reused for a period of one year.
    • Initial passwords must be changed on the first login.

    Password Rules:

    • Minimum length of 6
    • Maximum is 16 characters
    • Case sensitive
    • Must have 3 of the 4 below:
      • Uppercase alpha characters (A-Z)
      • Lowercase alpha characters (a-z)
      • Digits (0-9)
      • Special characters ` ~ ! # $ % ^ & * ( ) _ + - = { } | [ ] : ; ' < > ? ,

    Password Restrictions (the following cannot be used):

    • Spaces
    • Non-English Characters
    • Username
    • First or last name
    • The answer to the Windows Live ID secret question that helps users reset their password. For example, if the Windows Live ID secret question is Mother's birthplace, and Seattle is the answer, the password can't contain Seattle. This restriction isn't case-sensitive, so SEATTLE or seattle can't be used in the password.

    Password Protection Standards

    Do not use the same password for CSU-Pueblo accounts as for other non-CSU-Pueblo access (e.g., personal ISP account, option trading, benefits, etc.). Do not share CSU-Pueblo passwords with anyone, including supervisors, administrative assistants or co-workers. All passwords are to be treated as sensitive, confidential CSU-Pueblo information.
     
    Here is a list of "don'ts":

    • Don't reveal a password over the phone to ANYONE
    • Don't reveal a password in an email message
    • Don't reveal a password to your boss
    • Don't talk about a password in front of others
    • Don't hint at the format of a password (e.g., "my family name")
    • Don't reveal a password on questionnaires or security forms
    • Don't share a password with family members
    • Don't reveal a password to co-workers while on vacation

    If someone demands a password, refer them to this document or have them call someone at the Information Technology Help Desk.
     
    Do not use the "Remember Password" feature of applications (e.g., Outlook, Internet Explorer, etc.).
     
    Again, do not write passwords down and store them anywhere in your office. Do not store passwords in a file on ANY computer system (including Palm Pilots or similar devices) without encryption.
     
    If an account or password is suspected to have been compromised, report the incident to the Information Technology Help Desk immediately and change all passwords.

    Changing Passwords

    Passwords may be changed while logged on to a computer on campus by pressing the CTRL, ALT, and DEL keys simultaneously and choosing the "Change Password" button. The existing password will be required and then the new password twice to complete the process. From on/off campus, the password may be changed by visiting this link.

    Application Development Standards

    Application developers must ensure their programs contain the following security precautions. Applications:

    • Should support authentication of individual users, not groups.
    • Should not store passwords in clear text or in any easily reversible form.
    • Should provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

    Enforcement

    Any employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment.

  •  

    Security Guidelines and Procedures

    Introduction

    Colorado State University-Pueblo collects information of a sensitive nature to facilitate and enable its business functions. Unauthorized access to such information may have many severe negative consequences, including adversely affecting the reputation of the University. Protection of such personally identifiable information from unauthorized access is required by various federal and state mandates, including among others the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley (GLB) Act, and the Family Educational Rights and Privacy Act (FERPA), which require various classes of sensitive information to be protected from unauthorized access. The campus' Chief Information Officer is responsible for oversight of the following IT security measures, policies, and procedures.

    Definitions

    Application is a computer software program run on a computer for the purposes of providing a business function.

    Computer server systems (Servers) are computers accessed by multiple individuals and/or computers.

    Local Area Network (LAN) is an internal network within an institution, e.g. at Colorado State University-Pueblo.

    Personal computers comprise desktops, laptops, tablets, personal digital assistants and other such devices of all brands, used principally by one individual at a time.

    Sensitive information includes social security information, personally identifiable health information, personally identifiable financial information, personnel and student performance information, proprietary research and academic information, and any other information that through disclosure would adversely affect the integrity of an individual or detract from the reputation of the University.

    Virtual Private Network (VPN) is a mechanism for encrypting the information sent from an individual computer to a VPN concentrator that typically exists in a "secure" network location. Alternatively, VPNs may be implemented between subnetworks (subnets) to encrypt all of the traffic flowing between the subnets, in other words from LAN to WAN to LAN.

    Wide Area Network (WAN) is an external network that provides connectivity between two LANs.

    Other Resources

    The Information Technology (IT) web page (see http://www.csupueblo.edu/information-technology/) provides a variety of information regarding IT security that is useful in the implementation of these policies. Two particularly valuable resources that exist as clickable links on that page are the Server Policy and the IT Security Guidelines and Procedures. The various user policies identify the security risks and measures required by all campus constituents that use the campus IT resources.

    Applicability

    These policies encompass best practices that are in general to be applied comprehensively in the University's IT environment. However, common sense judgment is used in their application regarding the balance between security and reasonable access.

    IT Security Policies

    1. Servers

    Servers that contain sensitive information in aggregate form, for example, information encompassing many individuals, are subject to the policies of this section. Personal computers are covered by the policies in the next section. ITS is responsible for all servers in the Central Computer Center and for oversight of any decentralized server that resides on the campus. ITS is responsible for ensuring that servers containing sensitive information are secured in accordance with these policies. Such servers shall be protected as follows:

    1. Such servers shall be housed in a physically secure facility where access is limited to only those individuals requiring access to perform routine or emergency maintenance on the system.
    2. To the degree practicable, only operating systems and applications that provide high levels of security shall be used, and security updates (patches) shall be applied in a timely manner.
    3. Campus virus protection shall be implemented and kept up to date. In particular, where practicable, server side virus protection should be implemented, to complement client-side virus protection programs.
    4. Services and applications offered shall be the minimum necessary to accomplish the required business functions. Periodically, services and applications shall be reviewed to be in conformance with this aspect of the policy.
    5. Network access shall be limited to only those services necessary. Periodically, network access shall be reviewed to be in conformance with this aspect of the policy.
    6. Individual access shall be limited to only those needing access for legitimate business purposes. Individual access shall be reviewed to be in conformance with this aspect of the policy on an ongoing basis.
    7. The amount of sensitive information collected and stored shall be the minimum amount required for the efficient and effective conduct of business.
    8. Sensitive data will be isolated from open access; for example, on a separate back-end database server accessible only from a front-end web server that has been diligently protected.
    9. To the degree practicable, only secure connections and file transfers shall be allowed.
    10. Server files shall be backed up on a regular schedule, and off-site storage of back-ups in a secure location shall be performed on a regular schedule.
    11. To the degree practicable, network access to such servers shall be secure, for example, encrypted, especially when access is from external (non-CSU) networks.
    12. To prevent the inadvertent release of sensitive information stored on hard drives, all drives must be sanitized prior to removal from service or release to other agencies. The University has determined that one pass of rewriting the drive is adequate protection.

    2. Personal Computers

    Personal computers as defined above shall be protected in accordance with a balance between the risks of not protecting them, the cost (effort and expense) of protecting them, and the required functionality. ITS and the departments owning the personal computers are responsible for ensuring that personal computers containing sensitive information are secured in accordance with these policies. In general, personal computers are subject to the following policies:

    1. Only operating systems and applications that provide high levels of security shall be used, and security updates (patches) shall be applied in a timely manner.
    2. Campus virus protection shall be implemented and kept up to date.
    3. Services and applications offered shall be the minimum necessary to accomplish the desired business or instructional functions.
    4. Network access shall be limited to only those services necessary, and to only those requiring access for legitimate business purposes.
    5. To prevent the inadvertent release of sensitive information stored on hard drives, all drives must be sanitized prior to release to other agencies or disposal. The University has determined that one pass of rewriting the drive is adequate protection. 

    3. Passwords

    Strong passwords that are difficult for others to obtain shall be employed as permitted by the operating system and/or application. Prudent measures are to be used to ensure that strong passwords are employed by the user. This is especially so for administrative accounts, and password refresh on every account is required by the system every three months.

    An example of a rule set for passwords that is currently accepted as effective in preventing unauthorized access is:

    1. Avoid using words in either English or foreign language dictionaries.
    2. Passwords shall be at least six characters in length, and
    3. Passwords shall conform to the three following conditions:
      1. Contain one or more upper case characters
      2. Contain one or more lower case characters
      3. Contain one or more numerals (0, 1, 2… 9).

    Other rule sets that are generally recognized by experts to protect against unauthorized access are also permissible.

    4. Files and File Storage

    In general, users are responsible for their own files, including the information contained in those files and ensuring that files containing critical data are backed up and/or stored in multiple locations. Sensitive data in individual's files should be kept to a minimum, and reasonable and prudent protection of those files shall be implemented by the server/system administrator. It is the responsibility of the owner of files containing sensitive data that are transmitted via the network to ensure that the files are reasonably protected against unauthorized access.

    5. Personally-owned Computers

    Personally-owned computers that use University IT resources, including access to University networks, servers and/or other IT resources, and/or that contain sensitive University information are subject to the same policies as those computers owned and operated by the University.

    6. Wireless Networks

    Access to wireless networks shall not be via clear text, but instead, all transmissions shall be encrypted so as not to be accessed or easily decoded by others. The administrator of the wireless access point is responsible for reasonably ensuring that unauthorized access to traffic will not be possible, for example through the implementation of encryption methods that are judged to be robust relative to the current state of the art. Unauthorized wireless access points shall not be installed on the University's LAN.

    7. Primary Identifiers

    Social security numbers (SSNs) shall not be used as the primary numeric identifier for individuals. The personal identification (PID) number shall be used for access to all forms of individual information, both electronic and non-electronic, including identification cards.

    8. Communications Rooms

    Communications rooms housing telephone networks, data networks, servers, security systems including surveillance, alarm, and card access systems, and other similar electronic devices and systems shall be physically secure, and access shall be limited only to those personnel directly responsible for operating and maintaining those systems.

    Governance of IT Security Guidelines and Procedures

    The Information Technology department and the Chief Information Officer are responsible for these guidelines and procedures with comment from campus constituencies as well as the Administrative Computing Committee and the Instructional Technology Advisory Committee.

  •  

    Server Policy

    Background

    It is often desirable to attach departmental or application specific servers to CSU-Pueblo.Net, the campus network. This provides the server with access to network resources such as software, printers, and Internet resources. Because of the nature of current technology, the attachment of a server to an Ethernet network can have an impact on other users on the rest of the network. This impact may be in the form of performance, security, or in some cases access to other resources. Causes include a myriad of reasons ranging from software incompatibilities to power outages. The purpose of this policy is to protect the users and the integrity of the network.

    Policy Statement

    CSU-Pueblo departments, schools, or other University organizational units may connect their own servers to the campus backbone under the following conditions.

    • The administrative head of the organizational unit (department chair, etc.) must provide Information Technology with a written notice at least 48 hours prior to connecting a server to the backbone. The request is to include the following information:
      • The date and time the connection is to be made.
      • The physical location of the server.
      • The identity of the wall jack used.
      • The name and phone number of the administrative contact.
      • The name and phone numbers (day and night) of the technical contact.
      • The hardware configuration of the server (brand name, model number, Ethernet address, type, and version of network operating system).
    • The requesting unit is responsible for maintaining server software to be compliant with licensing and copyright laws.
    • The requesting unit is responsible for all maintenance on the server, including hardware, software, upgrades, accounts, backups, security, etc. The same responsibilities apply to any special client modifications to systems owned by the requesting unit.
    • Service to the entire campus community is the priority. A single workstation or server can occasionally cause the entire network or a portion of it to lock up or perform in an erratic or otherwise non-productive manner. In these cases, the good of the many will outweigh the good of the few and the device or segment in question will be logically or physically disconnected from the network until the problem can be resolved. Because networking implies several users sharing portions of the backbone, some users whose functions are totally unrelated to the server in question could be affected. Every effort will be made to minimize the impact of any action taken. This same philosophy will be applied in cases where electronic information appears to be in danger of compromise. This would include but not be limited to data files, e-mail, software, and operating systems.
    • The central system (backbone and campus servers) will not be altered to accommodate functions unique to an individual server. Only standard interfaces will be employed.
    • No server will provide Domain Name Service (DNS) except those operated by Information Technology.
    • Only IP protocol will be provided and maintained on the backbone. All IP addresses will be issued by Information Technology. No bogus or self-generated numbers may be used.
    • Electronic mail for the campus will be centralized. The purpose of this is to present a consistent address format to the outside world for the institution and to establish common functionality internally.
    • Firewall, packet filtering, or other security implementation may alter accessibility to the server from both on and off campus. Information Technology will work with requesting departments to accommodate accessibility in the best way possible. If accessibility to the server creates a "back door" security risk or presents a compromise from the network perspective, network integrity will take precedence.
    (Approved by Provost 3/98)
  •  

    Toll Free Number Policy

    Effective January 1, 2003, requests to Information Technology, Telephone Services Division, for new toll-free telephone numbers must first be approved in writing by the Appointing Authority responsible for the oversight of the requesting unit or department. Existing toll-free numbers beyond January 1, 2003, require approval at the Division level; Athletics at the Presidential level.
  •  

    Wireless Deployment Management Policy

    Overview

    Wireless access on the Colorado State University-Pueblo (CSU-Pueblo) campus is intended to provide convenient mobile access for students, faculty, staff and guests. Wireless access is provided as a supplement to the wired network where mobility is the primary concern and high bandwidth is not required. Wireless is a shared bandwidth technology. Therefore, as the number of users that connect to a given "access point" increases, the available connection throughput is decreased. Available wireless computing bandwidth may also be decreased due to the distance from the access point and/or any obstruction that could possibly block the signal.

    Purpose

    This policy provides the structure for a campus-wide solution for the implementation of wireless technology, which includes centralized determination of identity and authentication for the provision of appropriate levels of security.

    All campus wireless service will conform to the IEEE 802.11 standard. Wireless service is highly sensitive to interference of overlapping frequencies and can be very vulnerable to security breaches without the proper configuration. Because of these characteristics, all wireless use must be planned, deployed, and managed in a very careful and centralized fashion to ensure basic functionality, maximum bandwidth, and a secure network. To ensure the technical coordination required to provide the best possible wireless network for CSU-Pueblo, Information Technology (IT) will be solely responsible for the deployment and management of wireless access points on the campus.

    Policy

    1. Deployment of 802.11 and related wireless standards access points. CSU-Pueblo's Information Technology (IT) will be solely responsible for the deployment and management of 802.11 and related wireless standards access points on the campus.

    2. Provision of wireless service. ITS will offer a standard wireless deployment plan that will meet the needs of most CSU-Pueblo departments wishing to construct and operate departmental wireless services. Departments requiring a different wireless deployment plan must coordinate with ITS to have ITS construct and operate a custom plan. ITS will work with departments to accommodate special academic needs within the technical constraints of the wireless technology as feasible within the secure environment.

    3. Management of 802.11 and related wireless standards access points. ITS will ensure that all wireless services deployed on campus adhere to campus-wide standards for security and access control. ITS will manage the wireless spectrum to ensure the greatest interoperability and roaming ability for use of campus wireless technology. Using the established eAccount system, ITS will centralize the process of determining identity, authentication, and appropriate levels of security for access to and use of campus wireless technology. Unauthorized (rogue) wireless devices operating in the 802.11 radio frequency spectrum will be removed from service to protect University electronic resources.

    Procedures and Guidelines

    ITS will advise CSU-Pueblo departments on wireless plans, deployment strategies, and management issues upon request. Departments wishing to deploy wireless access must contact the ITS Help Desk and request a work order to begin the process. ITS will recommend hardware and software to be purchased to adhere to campus wireless standards. In the case of existing wireless technology deployments, ITS will work with the departments to convert and integrate the department's equipment into the University's wireless system to ensure maximum security and operability. If the equipment cannot meet the required standards, it must be disconnected or replaced with equipment that will meet the campus wireless standards.

    CSU-Pueblo is currently deploying 802.11 B/G wireless access points. Users are strongly encouraged to use the newer G format, which provides a 54 Mbps rate, whereas B provides 11 Mbps. University-owned computers being connected to wireless require the Windows XP operating system and wireless network cards that support the Wi-Fi Protected Access (WPA) security standard.

    All sensitive data being transmitted across a wireless network will be encrypted. This includes, but is not limited to, data protected by the Gramm-Leach-Bliley Act (GLB Act), the Health Insurance Portability and Accountability Act (HIPAA), and the Family Educational Rights and Privacy Act (FERPA).

    CSU-Pueblo Classifications of Wireless Access

    Faculty and Staff: Utilizes Windows Operating System authentication, WPA security, and firewall protection. There is no bandwidth limiting. Available only for university owned and managed computers. Used by faculty or staff for full access to campus resources.

    TWOLFnet: Uses web page authentication with eAccount credentials and has no encryption of transmitted data (internet sites provide encryption when sensitive data is transmitted). Protected by an Intrusion Detection System and bandwidth limited. Used by students or employees for Internet access with personal computer equipment. May be used by outside entities who require Internet access through a special guest account provided by ITS Helpdesk or the department hosting the guest. No access to campus resources (user directories, departmental directories, AIS, etc.).

    Wireless Lab: Utilizes Windows Operating System authentication, WPA security, and firewall protection. There is no bandwidth limiting. Available only for university owned and managed computers. Used by departmental wireless labs and has the same access for students as wired labs.

    The use of all Electronic Resources is governed by various University policies, handbooks, local, state, and federal laws. See the CSU-Pueblo Electronic Communication Policy for an overview at www.csupueblo.edu/information-technology/technology-policies.
