SlideShare ist ein Scribd-Unternehmen logo

Data management and computer security business manual mainframe (nwrdc) support services - computing _ information technology services _ fsu - information technology services

Krunal Solanki
Krunal Solanki

Data management

TechnologieBusiness
1 von 13
Downloaden Sie, um offline zu lesen
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 1/13 ITS Search Information Technology Services / - Computing / Mainframe (NWRDC) Support Services / Data Management and Computer Security Business Manual Data Management and Computer Security Business Manual 1. Section 282.318, Florida Statutes 2. Chancellor's Memorandum,CM-87-001.1 3. Purpose 4. Policy 5. Scope 6. Definitions 7. Ownership, Data Management, and Accountability 8. Delegation of Responsibility 9. Data Management Data Trustee Data Steward Data Custodian Database Administrator Security Administrator Computer Operations 10. Information Systems Development 11. Resolution of Data Disputes 12. Sensitive Data 13. Critical Data 14. Risk Management 15. Risk Analysis 16. Documentation 17. Backup and Recovery 18. Incident Reporting 19. Information System Development and Acquisition 20. Online Data Access and Security Guidelines 21. Online Availability 22. Authorized Access 23. User IDs and Passwords 24. Departmental Security Coordinator 25. Departmental Security Coordinator Responsibilities Home About Us Featured Projects Service Catalog - Classroom Technology - Communications - Computing - Email - IT Security - Network - Public Safety - Software - Storage - Web Services ITS Service Desk - Departments - Employees - Students ITS Policies & Guidelines Student Technology Fee FAQs Information Technology Services QUICKLINKS
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 2/13 26. Application Security Manager Responsibilities 27. AIS Responsibilities 28. Online Administrative Information Systems 29. Batch Job Security 30. Data Access and Accountability 31. Microcomputers References: 1. Section 282.318, Florida Statutes This statute created the Security of Information Technology Resources Act to assure an adequate level of security for all governmental data and information technology resources. The Board of Regents is the agency responsible for assuring security for data and information technology resources within the SUS. 2. Chancellor's Memorandum, CM- 87- 001.1 This Memorandum establishes minimum standards for assuring an adequate level of security within State Universities. In addition, the State University System has published a Standard Practice for Security of Data and Information Technology Resources. Purpose In compliance with requirements of the above directives and guidelines, contained herein are the internal policies and procedures necessary to assure the security of administrative data and information technology resources at Florida State University. These data policies and procedures not only comply with state and SUS directives, they are necessary because of the value the university places on its information resources. While the university seeks to make available in a convenient electronic format all university administrative data necessary for the efficient operation of its departments, standards and procedures are necessary to ensure the security and integrity of the information, and to prevent its misuse. Policy The Florida State University grants routine access to administrative systems and data only to those University and direct support organization employees who must use the specific information in the conduct of university business. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for ensuring the security and integrity of that data. A student may be authorized access to their own data, or work related data when the student is also an employee of the university. Individuals outside the university can be authorized access to university data only if that authorization is granted by an Executive Officer of the University. Policies contained in this Business Manual provide the foundation upon which standards and procedures for protection of university information resources are developed. Implementation and adherence to precise standards and procedures for electronic information processing operations is necessary to protect university administrative information. Scope These policies and guidelines govern the management and accessibility of central university administrative data regardless of the environment where the data resides. This includes the central mainframe, departmental mini- computers, individual personal computers, and data as it resides in any other media (print, microfiche, etc.).
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 3/13 Access and update capabilities/restrictions apply to all administrative data stored in the Northwest Regional Data Center computer and on mini- and microcomputers across campus. Information resources used for instruction and research purposes (Academic Computing) are exempt from the requirements of the SUS standard practice and the policies and procedures contained herein; however, colleges, schools and departments are responsible for establishing policies and procedures for assuring the physical and electronic security of all information technology resources within their control. Such policies and procedures will assure: Reasonable and accurate equipment inventory control procedures and records are maintained Government owned information technology resources are used only for university administrative, instruction or research purposes Security measures are taken to prevent unauthorized system access Preventative measures are taken to reduce the risk of computer virus infections Only authorized software is used. University policy strictly forbids software piracy and possession or use of illegally acquired software. Definitions Terms and phrases used in this policy are defined as follows: Access Capability Authority granted to an individual which allows viewing or manipulation of data residing in a computer system file. Access capability is managed through assignments of a user id and password. Administrative Data Any data related to the administration of Florida State University. This includes data used by both the central administration and the administrative units of the colleges, schools and departments. Administrative Systems and Applications Any computer system/application programming which supports administrative activities of the university. This includes systems or applications supporting both the central administration and the administrative units of the various colleges, schools and departments. Application Security Manager The individual designated by a data steward to coordinate the granting of access/update capabilities to departmental users. AIS Security Administrator The individual in AIS responsible for coordinating usage of the AIS Security System. AIS Data Administrator The individual in AIS responsible for the coordination of the data administration function. Critical Information Resource Information resources determined by University management to be essential to the University's critical mission and function, the loss of which would have an unacceptable impact. Data Custodian The individual or department responsible for maintaining physical data, monitoring, enforcing, and coordinating institutional data access policies and procedures. AIS is the data custodian for central university data maintained at the NWRDC. Database Manager The individual in AIS responsible for logical and physical data base design services. Data Steward Central administrative office or academic department responsible for a specific subset of university data. Data Trustee
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 4/13 The individual responsible for the data in the system, e.g., the President, a Vice President, or division director. Departmental Security Coordinator The individual in an academic or administrative unit responsible for coordinating the creation, monitoring, and deactivation of user ids with AIS and Application Security Managers. Directory Information Basic information on an individual such as name, address, phone number such as is printed in the university telephone directory. Employees and students may request that directory information not be released to the public. Information Resources Data, automated applications, and information technology resources. Public Information Information that is available or distributed to the general public either regularly or upon request. Restricted Information, moderately sensitive/highly sensitive Information intended for use only by individuals who require that information in the course of performing their university responsibilities, or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable Data Steward. University Data Administrator The university Budget Officer serves as the university Data Administrator and is responsible for coordinating the release of university data to external individuals, businesses or agencies, and university responses to official data requests. University Information Security Manager (ISM) The individual designated to administer the University's information resource security program in accordance with Florida Statutes and SUS/BOR directives, and the University's internal and external point of contact for information security matters. Update Capability Access capability which allows individual to alter, add or delete data in a computer system file. User ID Character string which identifies an individual to a computer system, enabling access and/or update capabilities. Ownership, Data Management, and Accountability Florida State University retains the exclusive right and use of all computer assets, including data. In this context, FSU is considered the legal owner of all university data. Delegation of Responsibility Sound business practices hold the owner of computer assets responsible for their control. The President of FSU delegates Data Trustee responsibility to specific university administrative officers. The structure for university data accountability shall be as follows: Data Trustee Data Steward Data Custodian Application Security Manager Departmental Security Coordinator AIS Security Coordinator AIS Database Manager User
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 5/13 Data Management Data Trustee The Florida State University executive structure correlates directly with the major categories of university data, thus the following are Data Trustees for their respective area of responsibility: President Vice President for Academic Affairs and Provost Vice President for Finance and Administration Vice President for Student Affairs Vice President for University Relations Vice President for Research Data Steward Data Stewards are identified by a Data Trustee to manage a subset of data. The designated Data Steward is responsible for the accuracy, privacy, and integrity of a university data subset. All university data must have an identified Steward. Data Trustees, Stewards and Subsets are: Data Trustee Data Stewards Data Subset President Director, Budget & Analysis University Budget Data Institutional Research Data VP for Academic Affairs/Provost Director, Admissions Undergraduate Admissions Data Director, Records & Registration Course Schedule Records Enrollment Records Academic Permanent Records Student Data Base Records Director, Financial Aid Financial Aid Awards Data Financial Aid Applicant Records Dean of the Faculties Faculty Promotion and Tenure Data Faculty Recruitment and Appointment Data Director, Professional Development & Public Service Continuing Education Records VP for Finance and Administration Controller University Financial Data Director, Personnel Faculty and Staff Personnel Data Director, Purchasing University Purchasing Data Director, Property Records Capital Equipment/Property Data Director, Physical Plant Building Construction/Maintenance Data Director, Telecommunications Telecommunications Data Director, Business Services Parking/Business Operations Data Director, Administrative Information Systems IS Security Data VP for Student Affairs Director, University Health Center Student medical records Director, University Housing Student housing records Director, Counseling Center Student counseling records VP for University Relations President, Foundation Gift Management Data Director, Alumni Affairs Alumni records Dir., Seminole Booster's Seminole Booster Gift/Point Data
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 6/13 VP for Research Director, Contracts & Grants Accounting Data C&G Payroll Data Data Steward Responsibilities: Data Stewards evaluate and approve requests for access to their data subset by other university users and outside agencies. This function may be delegated to Application Security Managers appointed by the Data Steward. Data Stewards determine the degree of data access (interactive query only, interactive update, downloading of specific data) to be granted to users and assuring compliance with access security standards as developed in support of this policy. Data Stewards define or describe each data element within their data subset. The creation of data element definitions must be coordinated with the AIS Data Administrator and the applications development manager responsible for providing applications systems support. Data Stewards must understand the content of their data base and how its elements functionally or logically interrelate. Stewards will maintain, document, and communicate data definitions (dictionary) to users granted access to their departmental data subset. Stewards provide guidance and assistance in appropriate interpretation of their data. Data Custodian The Data Custodian administers information resource in accordance with established policies and procedures, but does NOT dictate usage of university data, nor determine individual access rights to elements, records, or files contained within the data base; however, custodians will assist in the mediation and resolution of disputes regarding data policies/procedures. The Data Custodian may delegate specific custodial responsibility to the following persons: Database Administrator The Database Administrator (DBA) has custodial responsibility for all data contained within their respective data base management system. The AIS DBA is responsible for data contained within the university centralized data base management system and related data which exists in production. DBA's also assist in the mediation and resolution of data disputes. Security Administrator The Security Administrator enforces and executes established standards, procedures, and guidelines necessary to ensure security of information resources containing or processing university data. Computer Operations Computer Operators have custodial responsibility for implementing, monitoring, and coordinating procedures necessary to control the transfer of data and scheduling of production activities by valid users. Information Systems Development Information Systems developers are responsible for implementing, monitoring, and coordinating procedures for accessing all test data files used in the development of administrative applications. Resolution of Data Disputes At the present time, University data resides in a variety of independent functional files. These files are, to varying degrees, interconnected; however, AIS has not yet implemented a centralized relational data base environment. As a result, it is possible that a data element could exist in more than one data category. In this case, a data element could be claimed by or considered to have more than one Data Trustee.
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 7/13 It is anticipated that on occasion it may be necessary to resolve data control or access issues when the affected Data Stewards do not agree as to how the data should be used. If this occurs, the Data Custodian represented by the AIS Data Administrator shall convene a meeting of the appropriate Data Stewards and/or Trustees to resolve the dispute. AIS is formulating plans that call for data migration to relational data base technology. The advantage of a centrally managed relational data base is improved data integration, which reduces data redundancy and permits more effective and efficient management reporting and analysis. Sensitive Data Sensitive information is confidential by law and requires protection from unauthorized access by virtue of its legal exemption from the Public Records Act. Much of the data collected and managed at FSU is sensitive or confidential. AIS security procedures ensure that computer files, whether on-line or batch, are accessed only by authorized personnel as required in the performance of their duties. In the case of computer generated reports or other hard-copy documents that contain sensitive data, users must develop procedures to provide an auditable chain of custody. Computer data or documents classified as sensitive are: All student related data and records EXCEPT: Name Date of birth Major field of study Permanent address Telephone listing Classification Participating in official university activities and sports Weight and height of members of athletic teams Dates of attendance at the university Degrees, honors and awards received The most previous educational institution attended Employee Evaluations Information security management/data access control documentation and records Printouts containing sensitive data that identifies a student or employee must be delivered/picked-up in person by a departmental representative. Such materials are not sent via campus mail. All employees handling sensitive data must read and sign a statement regarding the privacy issues of sensitive data. Extreme care must be exercised in the disposition of printed materials containing sensitive data. Sensitive data must not be released to persons not affiliated with FSU. In areas where large volumes of such data is managed, paper shredding is the most appropriate method of disposal. Critical Data The SUS defines critical information as the data that is critical to the mission and function of the university, the loss of which would have an unacceptable impact. The four data applications determined by the SUS to be critical are: Personnel, payroll, and budget records, Student records, Financial Aid records, and Finance and accounting records
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 8/13 Risk Management Risks to critical and sensitive administrative information resources must be managed. Such risks may relate to the physical security of computer and communications systems, the integrity of data maintained or transmitted within those systems, as well as to the stability and reliability of the associated application. Absolute security which assures protection against all potential threats is unachievable; therefore, a means of weighing possible loses which could occur, against the cost of mitigating controls, is required. This weighing of potential risks verses control costs involves use of a systematic risk analysis methodology for evaluating vulnerabilities and threats to information resources. Risk analysis is the basis for risk management; i.e., assumption of risks and potential losses, or selection and implementation of cost effective controls and safe guards to reduce risks to an acceptable level. The SUS Board of Regents provides an approved risk analysis program and methodology for accomplishing the assessment of risk to university administrative information resources. Risk Analysis The University Information Security Manager (ISM) periodically performs a risk analysis of all critical and sensitive central university systems and data. Data custodians who operate and maintain other administrative information resources (i.e., not resident at NWRDC or within the data custodial control of AIS), which process critical or sensitive information, must periodically perform the risk analysis for those information resources. Risk Analysis and security measures apply to administrative systems developed and/or maintained by university departments, as well as those acquired from or maintained by an outside vendors. Documentation The security risk to University data is also related to the stability and reliability of the associated administrative systems and applications, which in turn, is related to the quality and accessibility of the technical documentation of those systems and applications. The level of detail required within such documentation is a function of the size, complexity and criticality of the system/application. System/application documentation should be viewed as "work in progress" and evolutionary, and thus must be constantly revised and updated through out the life cycle of the system/application. In keeping with paperwork reduction objectives, and to facilitate documentation currency, it is desirable that administrative system/application documentation, to the maximum degree possible, be maintained on- line. Although no specific format can address all cases, documentation of critical and sensitive administrative systems and applications should, as a minimum, include: Business case/analysis, or process description, System description/design/architecture, Data/database design and dictionary, Programming logic/programmer notes, and Operational procedures/help Backup and Recovery It is prudent to prepare for potential loss of critical information resources and processing capabilities. Plans to recover from such losses may range from routine backing up of data and software, to comprehensive disaster recovery and business resumption exercises. NWRDC, in conjunction with AIS provides for data and software back-up and recovery of critical central university administrative systems which reside at NWRDC. The data custodian of critical data which does not reside at the NWRDC is responsible for providing appropriate back-up and recovery for the associated information resources. In either case, the security control of back-up resources/data must be equivalent to the
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 9/13 controls required of the primary resources/data. Incident Reporting Analysis of trends and types of security incidents and breaches is important to the integrity of University data management and computer security. All security incidents and breaches must be reported to data custodians for investigation and analysis. Information System Development and Acquisition Adding security controls after a system is operational is normally more expensive and less effective than when security requirements are considered in the initial system design. As such, systems development/acquisition decisions must include consideration of security requirements during each phase of the development/acquisition process. Online Data Access and Security Guidelines Specific Federal, State and university regulations, guidelines, policies and procedures govern the access and distribution of student, employee and other institutional data. Such data may not be released to any outside individual or organization without the explicit knowledge and approval of the University Data Administrator. As mandated by the Board of Regents (BOR), the University Data Administrator is the custodian of all official university data. Online Availability Florida State University's On-line Administrative Systems (CICS and SAMAS) are generally available between 8:00 a.m. and 6:00 a.m. seven days per week. (NOTE: Every effort will be made to keep on-line files available, however, nightly batch processing and file updating MUST take precedence. Files taken down for batch processing will be brought up for on-line access when batch processing has been completed.) Authorized Access Employees are authorized access to university data only to fulfill their job responsibilities. The Federal Privacy Act prohibits releasing information about any student to unauthorized persons without the written consent of that student. Board of Regents and university regulations prohibit release of any university data to unauthorized persons without proper approval. (NOTE: If you have access to institutional data, you are prohibited from divulging such data to anyone unless they are also authorized to use it. You should exercise extreme caution in releasing data to any individual or organization.) User IDs and Passwords Each employee must have a unique user ID. For central university administrative systems user IDs are assigned by AIS. Each user also chooses their own system and application passwords. Passwords can be 4 to 7 alpha-numeric characters and must be kept confidential and protected at all times. (NOTE: Initial passwords are the same as the user ID. The system will force a new password entry the first time a user signs on.) User IDs and passwords cannot be shared or reused, and passwords must be changed every 90 days or the system will force such a change. Users should sign-off of their terminal when leaving it unattended for an extended period
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 10/13 of time. When an employee transfers from one department to another, they carry their User ID with them. However, their "old" DSC should request the AIS Security Manager to deactivate their old file access and their "new" DSC should request the AIS Security Manager to activate their new file access. AIS will update the employee's security records to reflect a change in departments and DSCs. When an employee leaves the university, their user-id will be deactivated but maintained in the security system for historical and audit purposes. User-ids can not be reused by another employee. (NOTE: Please refer to the University Data Management and Security System Procedures Manual for specific instructions on employee transfers, terminations, or application access changes.) Departmental Security Coordinator Each department or major organizational unit must have a designated Departmental Security Coordinator (DSC). The function of the DSC is to communicate and coordinate access to administrative systems for employees in their department as follows: To request new user-ids or authorization for departmental employees to access On-line Administrative Systems files, the DSC should complete and sign the Request for On-line user-id and Administrative System Access form and mail to AIS. Authorized file access can be granted only by the appropriate Application Security Manager (ASM). Each ASM will contact the DSC to discuss specific access and update authority to be granted users. (NOTE: Please refer to University Data Management and Security System Procedures Manual for instructions on how to obtain user- ids and gain access to administrative applications.) Departmental Security Coordinator Responsibilities Departmental Security Coordinators are responsible for: Teaching new employees the basics of terminal usage--signing on, changing passwords, locating keys. etc. Instructing new employees regarding data access, security and confidentiality and having them review the University Data Access and Security Business Manual. Impressing upon all users, new and existing, the necessity for preserving confidentiality of university data. Ensuring users periodically change their passwords. Especially, should they suspect someone else knows it. Encouraging users to sign-off their terminal anytime they leave it unattended. Maintaining current records of their department's terminal users via the AIS Access Form. Application Security Manager Responsibilities The Application Security Manager (ASM) is responsible for: Developing and documenting specific criteria to be used in determining access levels and update authority. Collecting appropriate data from the user to determine the access level and update authority to be granted. Granting access to university data to departmental users by updating the AIS Security System to explicitly grant update, or view only access. Monitoring a comprehensive list of users and their individual access privileges provided by AIS.
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 11/13 AIS Responsibilities AIS is responsible for: Ensuring compliance with all Federal, State and University regulations regarding security of computer files. Approving and establishing user-ids, which define the user to the AIS Security System and forwarding the Access Form to the appropriate ASM(s). Providing monthly, each DSC a current list of all user-ids in their department identifying the files each users can access and/or update. Online Administrative Information Systems Access to the university's online administrative systems is accomplished by logging on to the Northwest Regional Data Center (NWRDC) and CICS. All administrative applications have been converted to the FSU CICS region (selection '1' on the NWRDC main menu). Other access which specific users may require includes: SAMAS (the State Automated Management Accounting System); TSO (where applications such as computer based training, FOCUS, and SAS reside). Following is a short description of many of the specific applications which may be accessed via the on-line administrative system master menu (FSMM). (A complete list of these may also be found by pressing the HELP key [PF1] on the AIS FSMM screen.) Student Academic This set of applications provides access to such student-oriented files as the Student Data Base, Admissions File, Stop File, Electronic Transcript Transfer, University Catalog, Course Schedule File, Enrollment File, Withdrawal, Academic Permanent Records and Test Scores. Student Affairs Contains applications supporting the Housing Office, University Health and Counseling Centers (both highly restricted) and the Orientation Office. Student Financial Provides access to the University Cashiering System. The Cashiering System is the central collection point for departmental deposits, student fees, student loans and other financial functions. Financial Aid Provides information related to a student's application for financial aid and subsequent data collection, processing, packaging and aid awards. Personnel/Payroll Provides information related to university employees, class codes, applicants and payroll processing. Auxiliary Systems Provides access to various applications such as the Seminole ACCESS Crossover File, listings of Departmental Representatives, and on-line Telecommunications applications. Finance & Accounting (Currently being developed) Addresses Contains various addresses such as local, permanent, university PO-box and emergency contact for current and former students. University Support Provides information related to support applications such as the Production Calendar, Security, Project Management System (ProMIS) and DataShare. Batch Job Security Authority to execute batch jobs at the NWRDC is granted to FSU employees who have a demonstrable need for such authority. Each person who is authorized to execute batch
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 12/13 jobs to access FSU data sets is required to have a personal account number (logon-ID) assigned by the AIS Security Manager. Logon-IDs are organized into various Security Groups and defined to the ACF/2 security system at NWRDC. Requests for authority to submit batch jobs should be submitted to the AIS Security Manager for approval and the assignment of the logon-ID, security group and access privileges. Data Access and Accountability Datashare System Access The DataShare system gives authorized users access to a wide range of student data which can be downloaded to departmental microcomputers for use in local (non-AIS supported) data bases. Users of this system must submit a DataShare request form to the University Registrar, and read the Registrar's Guidelines for Confidentiality and Release of Student Records. Access to sensitive student data downloaded via the DataShare system is restricted to personnel requiring the data to perform their duties at the university. DataShare data must be used solely for the legitimate business of the university. Individual users are responsible for storing data under secure conditions, making every reasonable effort to ensure data privacy, and not divulging user-ids or passwords. Centrally-managed university files are the official data of the university and downloaded files represent only a snapshot of this data at a given point in time. Users of DataShare files agree not to circumvent nor delay the normal updating of centrally-managed university files. Furthermore, individual users of DataShare files agree to periodic audits of their local downloaded data by appropriate Application Security Managers or the AIS Security Manager. User Accountability The individual faculty and staff, regardless of the means of accessing the data, is the critical link in ensuring the integrity and security of University data. Ultimately, only the user can prevent unauthorized access and ensure responsible use of University data. Administrative and judicial penalties may be imposed for illegal or unauthorized modification, destruction, disclosure or use of University data. Unauthorized access may relate to any of the following: Hard copy reports issued by various administrative offices. Interactive terminal access to the NWRDC. Data downloaded and accessed from a college/departmental computer. Data downloaded and accessed from a user's individual personal computer. Microcomputers Magnetic Media Magnetic media, including diskettes, fixed disks, and tapes are subject to corruption. The information on these media are recorded by the application of magnetic fields, and are subject to disruption by other magnetic influences. These media must be kept in a place that will diminish the possibility of magnetic interference. Deliberately Destructive Software (Viruses) The usage of externally acquired diskettes or the downloading of files from remote sites is accompanied by the real possibility of permitting viruses to be introduced to your system. These viruses are potentially destructive to your system and are likely to destroy your
10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 13/13 files on any media with which they are used. It is not uncommon that all information on a sizable fixed disk is corrupted by the introduction of a virus from an external source. This possibility is even greater where several users are utilizing the same system. The potential damage of such a destructive invasion is increased in the use of local area networks (LANs). It is the responsibility of each user to use due caution to prevent the invasion of viruses into their systems, and the possible further destruction of additional systems by sharing foreign information with other users. Thus, installation and use of anti-virus software on all microcomputers is highly recommended. AIS maintains a site license for a PC anti-virus program. This program is available from Administrative User Services (AUS) (644-1760). Should preventative measures fail, contact AUS Helpdesk (644-8502) for assistance. Backup Because PC based magnetic media are subject to corruption it is advisable that all information and programs stored on them be retained in at least two different places. A second copy of all information stored on diskettes should be made and kept in a safe location. Information stored on a fixed or hard disk should be copied onto diskettes or magnetic tape for backup purposes. The size of the files of information will likely greatly influence the media used for backup. Programs that are utilized by the user should be copied and stored safely when the program is first acquired. Data that is entered into the computer should be stored in two different places to prevent the loss of information should the primary copy be corrupted or lost. Besides the possibility of magnetic interference, there is a possibility that a disk drive can fail and ruin the magnetic media that it is using at that time. Users should frequently store/save information when data is being entered into the computer. Again there is a possibility that a component of the computer or electrical power could fail. Immediately after the completion of entering large volumes of information, that information should be copied to a back-up media for safe keeping. Software Piracy Almost all purchased or leased software is acquired with a usage license. Much software is acquired with only a single user license, though some may have multiple user licenses. It is the responsibility of the administrative officer who authorizes the acquisition to insure that the license is not violated. The user has the ultimate responsibility to adhere to the conditions of the license, but accountability must be insured by supervision and management. AIS and university policy strictly forbid software piracy. AIS will not provide assistance to university departments that knowingly violate copyright laws. © Information Technology Services, Florida State University C6100 University Center Tallahassee, FL 32306-2620 | 850/644-4357 Privacy Policy | Contact ITS | Maps to ITS Locations

Empfohlen

List of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beList of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beJacob Adams
 
A1802030104
A1802030104A1802030104
A1802030104IOSR Journals
 
Electronic Case Management System(eCMS) proposal
Electronic Case Management System(eCMS) proposalElectronic Case Management System(eCMS) proposal
Electronic Case Management System(eCMS) proposalLaud Randy Amofah
 
Fyp presentation slide pku management system
Fyp presentation slide pku management systemFyp presentation slide pku management system
Fyp presentation slide pku management systemFatin Shafiqah Shafee
 
Security issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewSecurity issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewjournalBEEI
 
An Intelligent Electronic Patient Record Management System (IEPRMS)
An Intelligent Electronic Patient Record Management System (IEPRMS)An Intelligent Electronic Patient Record Management System (IEPRMS)
An Intelligent Electronic Patient Record Management System (IEPRMS)IJCSIS Research Publications
 
N018138696
N018138696N018138696
N018138696IOSR Journals
 
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...IRJET Journal
 

Empfohlen

List of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beList of possible policies for inter institution dialogue be
List of possible policies for inter institution dialogue beJacob Adams
 
A1802030104
A1802030104A1802030104
A1802030104IOSR Journals
 
Electronic Case Management System(eCMS) proposal
Electronic Case Management System(eCMS) proposalElectronic Case Management System(eCMS) proposal
Electronic Case Management System(eCMS) proposalLaud Randy Amofah
 
Fyp presentation slide pku management system
Fyp presentation slide pku management systemFyp presentation slide pku management system
Fyp presentation slide pku management systemFatin Shafiqah Shafee
 
Security issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewSecurity issues and framework of electronic medical record: A review
Security issues and framework of electronic medical record: A reviewjournalBEEI
 
An Intelligent Electronic Patient Record Management System (IEPRMS)
An Intelligent Electronic Patient Record Management System (IEPRMS)An Intelligent Electronic Patient Record Management System (IEPRMS)
An Intelligent Electronic Patient Record Management System (IEPRMS)IJCSIS Research Publications
 
N018138696
N018138696N018138696
N018138696IOSR Journals
 
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...
IRJET- Privacy, Access and Control of Health Care Data on Cloud using Recomme...IRJET Journal
 
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_ProjectELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_ProjectLaud Randy Amofah
 
It seminar isr
It seminar isrIt seminar isr
It seminar isrASNA p.a
 
IRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk PredictionIRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk PredictionIRJET Journal
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITSIan Sommerville
 
Director of Information Technology
Director of Information Technology Director of Information Technology
Director of Information Technology William V.S. Tubman University
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and SecurityNawanan Theera-Ampornpunt
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsKimarie Brown
 
Secure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security TrainingSecure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security TrainingCCI Training Center
 
Survey of open source health information systems
Survey of open source health information systemsSurvey of open source health information systems
Survey of open source health information systemshiij
 
Electronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare OrganizationsElectronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
 
PACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and TrainingPACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and TrainingPace IT at Edmonds Community College
 
Data Security
Data SecurityData Security
Data Securityankita_kashyap
 
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES IJNSA Journal
 
Database Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaDatabase Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaOllieShoresna
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_PolicyMrinal Dutta
 
Effective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docxEffective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docxLinaCovington707
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.pptMuhammad Mazhar
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
Capstone Finished
Capstone FinishedCapstone Finished
Capstone FinishedKapricia Morris
 
Policy on ia 1st assignment
Policy on ia 1st assignmentPolicy on ia 1st assignment
Policy on ia 1st assignmentTimir Shah
 
Case Study
Case StudyCase Study
Case Studylneut03
 

Weitere ähnliche Inhalte

Was ist angesagt?

ELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_ProjectELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_ProjectLaud Randy Amofah
 
It seminar isr
It seminar isrIt seminar isr
It seminar isrASNA p.a
 
IRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk PredictionIRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk PredictionIRJET Journal
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITSIan Sommerville
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsKimarie Brown
 
Secure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security TrainingSecure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security TrainingCCI Training Center
 
Survey of open source health information systems
Survey of open source health information systemsSurvey of open source health information systems
Survey of open source health information systemshiij
 
Electronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare OrganizationsElectronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare Organizationsijtsrd
 

Was ist angesagt? (10)

ELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_ProjectELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
ELECTRONIC COURT CASE MANAGEMENT SYSTEM_Project
 
It seminar isr
It seminar isrIt seminar isr
It seminar isr
 
IRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk PredictionIRJET- A Framework for Disease Risk Prediction
IRJET- A Framework for Disease Risk Prediction
 
Dependability requirements for LSCITS
Dependability requirements for LSCITSDependability requirements for LSCITS
Dependability requirements for LSCITS
 
Director of Information Technology
Director of Information Technology Director of Information Technology
Director of Information Technology
 
Health Information Privacy and Security
Health Information Privacy and SecurityHealth Information Privacy and Security
Health Information Privacy and Security
 
Legal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing InformaticsLegal and Ethical Considerations in Nursing Informatics
Legal and Ethical Considerations in Nursing Informatics
 
Secure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security TrainingSecure Your Career Shift With Computer-Security Training
Secure Your Career Shift With Computer-Security Training
 
Survey of open source health information systems
Survey of open source health information systemsSurvey of open source health information systems
Survey of open source health information systems
 
Electronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare OrganizationsElectronic Healthcare Record Security and Management in Healthcare Organizations
Electronic Healthcare Record Security and Management in Healthcare Organizations
 

Ähnlich wie Data management and computer security business manual mainframe (nwrdc) support services - computing _ information technology services _ fsu - information technology services

INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES IJNSA Journal
 
Database Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaDatabase Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaOllieShoresna
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_PolicyMrinal Dutta
 
Effective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docxEffective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docxLinaCovington707
 
Information security
Information securityInformation security
Information securitySanjay Tiwari
 
Policy on ia 1st assignment
Policy on ia 1st assignmentPolicy on ia 1st assignment
Policy on ia 1st assignmentTimir Shah
 
Case Study
Case StudyCase Study
Case Studylneut03
 
Nur3563group8 cis
Nur3563group8 cisNur3563group8 cis
Nur3563group8 cistb45004
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comphanleson
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET Journal
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...IRJET Journal
 
Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Md Shaifullar Rabbi
 
Final Exam Case Study (3)
Final Exam Case Study (3)Final Exam Case Study (3)
Final Exam Case Study (3)Kathy_67
 
A survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsA survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsunyil96
 

Ähnlich wie Data management and computer security business manual mainframe (nwrdc) support services - computing _ information technology services _ fsu - information technology services (20)

PACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and TrainingPACE-IT, Security+2.6: Security Related Awareness and Training
PACE-IT, Security+2.6: Security Related Awareness and Training
 
Data Security
Data SecurityData Security
Data Security
 
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
INFORMATION SECURITY SYNTHESIS IN ONLINE UNIVERSITIES
 
Database Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisaDatabase Security—Concepts,Approaches, and ChallengesElisa
Database Security—Concepts,Approaches, and ChallengesElisa
 
Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17Carl Binder Resume Myrtle Beach address 1-24-17
Carl Binder Resume Myrtle Beach address 1-24-17
 
Cyber_Security_Policy
Cyber_Security_PolicyCyber_Security_Policy
Cyber_Security_Policy
 
Effective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docxEffective Date August 25, 2014Chapter Information Manag.docx
Effective Date August 25, 2014Chapter Information Manag.docx
 
5757912.ppt
5757912.ppt5757912.ppt
5757912.ppt
 
Information security
Information securityInformation security
Information security
 
Capstone Finished
Capstone FinishedCapstone Finished
Capstone Finished
 
Policy on ia 1st assignment
Policy on ia 1st assignmentPolicy on ia 1st assignment
Policy on ia 1st assignment
 
Case Study
Case StudyCase Study
Case Study
 
Nur3563group8 cis
Nur3563group8 cisNur3563group8 cis
Nur3563group8 cis
 
Ch08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.comCh08 8 Information Security Process it-slideshares.blogspot.com
Ch08 8 Information Security Process it-slideshares.blogspot.com
 
IRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A SurveyIRJET- Data Leak Prevention System: A Survey
IRJET- Data Leak Prevention System: A Survey
 
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
FEDERAL LEARNING BASED SOLUTIONS FOR PRIVACY AND ANONYMITY IN INTERNET OF MED...
 
Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)Chapter 6 Security of Information and Cyber Security(FASS)
Chapter 6 Security of Information and Cyber Security(FASS)
 
Final Exam Case Study (3)
Final Exam Case Study (3)Final Exam Case Study (3)
Final Exam Case Study (3)
 
A survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methodsA survey of confidential data storage and deletion methods
A survey of confidential data storage and deletion methods
 
Procedural Controls
Procedural ControlsProcedural Controls
Procedural Controls
 

Kürzlich hochgeladen

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Allon Mureinik
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...apidays
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Igalia
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonAnna Loughnan Colquhoun
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure servicePooja Nehwal
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Servicegiselly40
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...Martijn de Jong
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Enterprise Knowledge
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Paola De la Torre
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)Gabriella Davis
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024Rafal Los
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking MenDelhi Call girls
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxKatpro Technologies
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptxHampshireHUG
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking MenDelhi Call girls
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processorsdebabhi2
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024The Digital Insurer
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsRoshan Dwivedi
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationRadu Cotescu
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfEnterprise Knowledge
 

Kürzlich hochgeladen (20)

Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)Injustice - Developers Among Us (SciFiDevCon 2024)
Injustice - Developers Among Us (SciFiDevCon 2024)
 
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
Apidays Singapore 2024 - Building Digital Trust in a Digital Economy by Veron...
 
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
Raspberry Pi 5: Challenges and Solutions in Bringing up an OpenGL/Vulkan Driv...
 
Data Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt RobisonData Cloud, More than a CDP by Matt Robison
Data Cloud, More than a CDP by Matt Robison
 
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure serviceWhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
WhatsApp 9892124323 ✓Call Girls In Kalyan ( Mumbai ) secure service
 
CNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of ServiceCNv6 Instructor Chapter 6 Quality of Service
CNv6 Instructor Chapter 6 Quality of Service
 
2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...2024: Domino Containers - The Next Step. News from the Domino Container commu...
2024: Domino Containers - The Next Step. News from the Domino Container commu...
 
Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...Driving Behavioral Change for Information Management through Data-Driven Gree...
Driving Behavioral Change for Information Management through Data-Driven Gree...
 
Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101Salesforce Community Group Quito, Salesforce 101
Salesforce Community Group Quito, Salesforce 101
 
A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)A Domino Admins Adventures (Engage 2024)
A Domino Admins Adventures (Engage 2024)
 
The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024The 7 Things I Know About Cyber Security After 25 Years | April 2024
The 7 Things I Know About Cyber Security After 25 Years | April 2024
 
08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men08448380779 Call Girls In Civil Lines Women Seeking Men
08448380779 Call Girls In Civil Lines Women Seeking Men
 
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptxFactors to Consider When Choosing Accounts Payable Services Providers.pptx
Factors to Consider When Choosing Accounts Payable Services Providers.pptx
 
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
04-2024-HHUG-Sales-and-Marketing-Alignment.pptx
 
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
08448380779 Call Girls In Diplomatic Enclave Women Seeking Men
 
Exploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone ProcessorsExploring the Future Potential of AI-Enabled Smartphone Processors
Exploring the Future Potential of AI-Enabled Smartphone Processors
 
Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024Partners Life - Insurer Innovation Award 2024
Partners Life - Insurer Innovation Award 2024
 
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live StreamsTop 5 Benefits OF Using Muvi Live Paywall For Live Streams
Top 5 Benefits OF Using Muvi Live Paywall For Live Streams
 
Scaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organizationScaling API-first – The story of a global engineering organization
Scaling API-first – The story of a global engineering organization
 
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdfThe Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
The Role of Taxonomy and Ontology in Semantic Layers - Heather Hedden.pdf
 

Data management and computer security business manual mainframe (nwrdc) support services - computing _ information technology services _ fsu - information technology services

  • 1. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 1/13 ITS Search Information Technology Services / - Computing / Mainframe (NWRDC) Support Services / Data Management and Computer Security Business Manual Data Management and Computer Security Business Manual 1. Section 282.318, Florida Statutes 2. Chancellor's Memorandum,CM-87-001.1 3. Purpose 4. Policy 5. Scope 6. Definitions 7. Ownership, Data Management, and Accountability 8. Delegation of Responsibility 9. Data Management Data Trustee Data Steward Data Custodian Database Administrator Security Administrator Computer Operations 10. Information Systems Development 11. Resolution of Data Disputes 12. Sensitive Data 13. Critical Data 14. Risk Management 15. Risk Analysis 16. Documentation 17. Backup and Recovery 18. Incident Reporting 19. Information System Development and Acquisition 20. Online Data Access and Security Guidelines 21. Online Availability 22. Authorized Access 23. User IDs and Passwords 24. Departmental Security Coordinator 25. Departmental Security Coordinator Responsibilities Home About Us Featured Projects Service Catalog - Classroom Technology - Communications - Computing - Email - IT Security - Network - Public Safety - Software - Storage - Web Services ITS Service Desk - Departments - Employees - Students ITS Policies & Guidelines Student Technology Fee FAQs Information Technology Services QUICKLINKS
  • 2. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 2/13 26. Application Security Manager Responsibilities 27. AIS Responsibilities 28. Online Administrative Information Systems 29. Batch Job Security 30. Data Access and Accountability 31. Microcomputers References: 1. Section 282.318, Florida Statutes This statute created the Security of Information Technology Resources Act to assure an adequate level of security for all governmental data and information technology resources. The Board of Regents is the agency responsible for assuring security for data and information technology resources within the SUS. 2. Chancellor's Memorandum, CM- 87- 001.1 This Memorandum establishes minimum standards for assuring an adequate level of security within State Universities. In addition, the State University System has published a Standard Practice for Security of Data and Information Technology Resources. Purpose In compliance with requirements of the above directives and guidelines, contained herein are the internal policies and procedures necessary to assure the security of administrative data and information technology resources at Florida State University. These data policies and procedures not only comply with state and SUS directives, they are necessary because of the value the university places on its information resources. While the university seeks to make available in a convenient electronic format all university administrative data necessary for the efficient operation of its departments, standards and procedures are necessary to ensure the security and integrity of the information, and to prevent its misuse. Policy The Florida State University grants routine access to administrative systems and data only to those University and direct support organization employees who must use the specific information in the conduct of university business. Individuals who are given access to sensitive data have a position of special trust and as such are responsible for ensuring the security and integrity of that data. A student may be authorized access to their own data, or work related data when the student is also an employee of the university. Individuals outside the university can be authorized access to university data only if that authorization is granted by an Executive Officer of the University. Policies contained in this Business Manual provide the foundation upon which standards and procedures for protection of university information resources are developed. Implementation and adherence to precise standards and procedures for electronic information processing operations is necessary to protect university administrative information. Scope These policies and guidelines govern the management and accessibility of central university administrative data regardless of the environment where the data resides. This includes the central mainframe, departmental mini- computers, individual personal computers, and data as it resides in any other media (print, microfiche, etc.).
  • 3. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 3/13 Access and update capabilities/restrictions apply to all administrative data stored in the Northwest Regional Data Center computer and on mini- and microcomputers across campus. Information resources used for instruction and research purposes (Academic Computing) are exempt from the requirements of the SUS standard practice and the policies and procedures contained herein; however, colleges, schools and departments are responsible for establishing policies and procedures for assuring the physical and electronic security of all information technology resources within their control. Such policies and procedures will assure: Reasonable and accurate equipment inventory control procedures and records are maintained Government owned information technology resources are used only for university administrative, instruction or research purposes Security measures are taken to prevent unauthorized system access Preventative measures are taken to reduce the risk of computer virus infections Only authorized software is used. University policy strictly forbids software piracy and possession or use of illegally acquired software. Definitions Terms and phrases used in this policy are defined as follows: Access Capability Authority granted to an individual which allows viewing or manipulation of data residing in a computer system file. Access capability is managed through assignments of a user id and password. Administrative Data Any data related to the administration of Florida State University. This includes data used by both the central administration and the administrative units of the colleges, schools and departments. Administrative Systems and Applications Any computer system/application programming which supports administrative activities of the university. This includes systems or applications supporting both the central administration and the administrative units of the various colleges, schools and departments. Application Security Manager The individual designated by a data steward to coordinate the granting of access/update capabilities to departmental users. AIS Security Administrator The individual in AIS responsible for coordinating usage of the AIS Security System. AIS Data Administrator The individual in AIS responsible for the coordination of the data administration function. Critical Information Resource Information resources determined by University management to be essential to the University's critical mission and function, the loss of which would have an unacceptable impact. Data Custodian The individual or department responsible for maintaining physical data, monitoring, enforcing, and coordinating institutional data access policies and procedures. AIS is the data custodian for central university data maintained at the NWRDC. Database Manager The individual in AIS responsible for logical and physical data base design services. Data Steward Central administrative office or academic department responsible for a specific subset of university data. Data Trustee
  • 4. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 4/13 The individual responsible for the data in the system, e.g., the President, a Vice President, or division director. Departmental Security Coordinator The individual in an academic or administrative unit responsible for coordinating the creation, monitoring, and deactivation of user ids with AIS and Application Security Managers. Directory Information Basic information on an individual such as name, address, phone number such as is printed in the university telephone directory. Employees and students may request that directory information not be released to the public. Information Resources Data, automated applications, and information technology resources. Public Information Information that is available or distributed to the general public either regularly or upon request. Restricted Information, moderately sensitive/highly sensitive Information intended for use only by individuals who require that information in the course of performing their university responsibilities, or information protected by federal and state regulations. Requests for access to this information must be authorized by the applicable Data Steward. University Data Administrator The university Budget Officer serves as the university Data Administrator and is responsible for coordinating the release of university data to external individuals, businesses or agencies, and university responses to official data requests. University Information Security Manager (ISM) The individual designated to administer the University's information resource security program in accordance with Florida Statutes and SUS/BOR directives, and the University's internal and external point of contact for information security matters. Update Capability Access capability which allows individual to alter, add or delete data in a computer system file. User ID Character string which identifies an individual to a computer system, enabling access and/or update capabilities. Ownership, Data Management, and Accountability Florida State University retains the exclusive right and use of all computer assets, including data. In this context, FSU is considered the legal owner of all university data. Delegation of Responsibility Sound business practices hold the owner of computer assets responsible for their control. The President of FSU delegates Data Trustee responsibility to specific university administrative officers. The structure for university data accountability shall be as follows: Data Trustee Data Steward Data Custodian Application Security Manager Departmental Security Coordinator AIS Security Coordinator AIS Database Manager User
  • 5. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 5/13 Data Management Data Trustee The Florida State University executive structure correlates directly with the major categories of university data, thus the following are Data Trustees for their respective area of responsibility: President Vice President for Academic Affairs and Provost Vice President for Finance and Administration Vice President for Student Affairs Vice President for University Relations Vice President for Research Data Steward Data Stewards are identified by a Data Trustee to manage a subset of data. The designated Data Steward is responsible for the accuracy, privacy, and integrity of a university data subset. All university data must have an identified Steward. Data Trustees, Stewards and Subsets are: Data Trustee Data Stewards Data Subset President Director, Budget & Analysis University Budget Data Institutional Research Data VP for Academic Affairs/Provost Director, Admissions Undergraduate Admissions Data Director, Records & Registration Course Schedule Records Enrollment Records Academic Permanent Records Student Data Base Records Director, Financial Aid Financial Aid Awards Data Financial Aid Applicant Records Dean of the Faculties Faculty Promotion and Tenure Data Faculty Recruitment and Appointment Data Director, Professional Development & Public Service Continuing Education Records VP for Finance and Administration Controller University Financial Data Director, Personnel Faculty and Staff Personnel Data Director, Purchasing University Purchasing Data Director, Property Records Capital Equipment/Property Data Director, Physical Plant Building Construction/Maintenance Data Director, Telecommunications Telecommunications Data Director, Business Services Parking/Business Operations Data Director, Administrative Information Systems IS Security Data VP for Student Affairs Director, University Health Center Student medical records Director, University Housing Student housing records Director, Counseling Center Student counseling records VP for University Relations President, Foundation Gift Management Data Director, Alumni Affairs Alumni records Dir., Seminole Booster's Seminole Booster Gift/Point Data
  • 6. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 6/13 VP for Research Director, Contracts & Grants Accounting Data C&G Payroll Data Data Steward Responsibilities: Data Stewards evaluate and approve requests for access to their data subset by other university users and outside agencies. This function may be delegated to Application Security Managers appointed by the Data Steward. Data Stewards determine the degree of data access (interactive query only, interactive update, downloading of specific data) to be granted to users and assuring compliance with access security standards as developed in support of this policy. Data Stewards define or describe each data element within their data subset. The creation of data element definitions must be coordinated with the AIS Data Administrator and the applications development manager responsible for providing applications systems support. Data Stewards must understand the content of their data base and how its elements functionally or logically interrelate. Stewards will maintain, document, and communicate data definitions (dictionary) to users granted access to their departmental data subset. Stewards provide guidance and assistance in appropriate interpretation of their data. Data Custodian The Data Custodian administers information resource in accordance with established policies and procedures, but does NOT dictate usage of university data, nor determine individual access rights to elements, records, or files contained within the data base; however, custodians will assist in the mediation and resolution of disputes regarding data policies/procedures. The Data Custodian may delegate specific custodial responsibility to the following persons: Database Administrator The Database Administrator (DBA) has custodial responsibility for all data contained within their respective data base management system. The AIS DBA is responsible for data contained within the university centralized data base management system and related data which exists in production. DBA's also assist in the mediation and resolution of data disputes. Security Administrator The Security Administrator enforces and executes established standards, procedures, and guidelines necessary to ensure security of information resources containing or processing university data. Computer Operations Computer Operators have custodial responsibility for implementing, monitoring, and coordinating procedures necessary to control the transfer of data and scheduling of production activities by valid users. Information Systems Development Information Systems developers are responsible for implementing, monitoring, and coordinating procedures for accessing all test data files used in the development of administrative applications. Resolution of Data Disputes At the present time, University data resides in a variety of independent functional files. These files are, to varying degrees, interconnected; however, AIS has not yet implemented a centralized relational data base environment. As a result, it is possible that a data element could exist in more than one data category. In this case, a data element could be claimed by or considered to have more than one Data Trustee.
  • 7. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 7/13 It is anticipated that on occasion it may be necessary to resolve data control or access issues when the affected Data Stewards do not agree as to how the data should be used. If this occurs, the Data Custodian represented by the AIS Data Administrator shall convene a meeting of the appropriate Data Stewards and/or Trustees to resolve the dispute. AIS is formulating plans that call for data migration to relational data base technology. The advantage of a centrally managed relational data base is improved data integration, which reduces data redundancy and permits more effective and efficient management reporting and analysis. Sensitive Data Sensitive information is confidential by law and requires protection from unauthorized access by virtue of its legal exemption from the Public Records Act. Much of the data collected and managed at FSU is sensitive or confidential. AIS security procedures ensure that computer files, whether on-line or batch, are accessed only by authorized personnel as required in the performance of their duties. In the case of computer generated reports or other hard-copy documents that contain sensitive data, users must develop procedures to provide an auditable chain of custody. Computer data or documents classified as sensitive are: All student related data and records EXCEPT: Name Date of birth Major field of study Permanent address Telephone listing Classification Participating in official university activities and sports Weight and height of members of athletic teams Dates of attendance at the university Degrees, honors and awards received The most previous educational institution attended Employee Evaluations Information security management/data access control documentation and records Printouts containing sensitive data that identifies a student or employee must be delivered/picked-up in person by a departmental representative. Such materials are not sent via campus mail. All employees handling sensitive data must read and sign a statement regarding the privacy issues of sensitive data. Extreme care must be exercised in the disposition of printed materials containing sensitive data. Sensitive data must not be released to persons not affiliated with FSU. In areas where large volumes of such data is managed, paper shredding is the most appropriate method of disposal. Critical Data The SUS defines critical information as the data that is critical to the mission and function of the university, the loss of which would have an unacceptable impact. The four data applications determined by the SUS to be critical are: Personnel, payroll, and budget records, Student records, Financial Aid records, and Finance and accounting records
  • 8. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 8/13 Risk Management Risks to critical and sensitive administrative information resources must be managed. Such risks may relate to the physical security of computer and communications systems, the integrity of data maintained or transmitted within those systems, as well as to the stability and reliability of the associated application. Absolute security which assures protection against all potential threats is unachievable; therefore, a means of weighing possible loses which could occur, against the cost of mitigating controls, is required. This weighing of potential risks verses control costs involves use of a systematic risk analysis methodology for evaluating vulnerabilities and threats to information resources. Risk analysis is the basis for risk management; i.e., assumption of risks and potential losses, or selection and implementation of cost effective controls and safe guards to reduce risks to an acceptable level. The SUS Board of Regents provides an approved risk analysis program and methodology for accomplishing the assessment of risk to university administrative information resources. Risk Analysis The University Information Security Manager (ISM) periodically performs a risk analysis of all critical and sensitive central university systems and data. Data custodians who operate and maintain other administrative information resources (i.e., not resident at NWRDC or within the data custodial control of AIS), which process critical or sensitive information, must periodically perform the risk analysis for those information resources. Risk Analysis and security measures apply to administrative systems developed and/or maintained by university departments, as well as those acquired from or maintained by an outside vendors. Documentation The security risk to University data is also related to the stability and reliability of the associated administrative systems and applications, which in turn, is related to the quality and accessibility of the technical documentation of those systems and applications. The level of detail required within such documentation is a function of the size, complexity and criticality of the system/application. System/application documentation should be viewed as "work in progress" and evolutionary, and thus must be constantly revised and updated through out the life cycle of the system/application. In keeping with paperwork reduction objectives, and to facilitate documentation currency, it is desirable that administrative system/application documentation, to the maximum degree possible, be maintained on- line. Although no specific format can address all cases, documentation of critical and sensitive administrative systems and applications should, as a minimum, include: Business case/analysis, or process description, System description/design/architecture, Data/database design and dictionary, Programming logic/programmer notes, and Operational procedures/help Backup and Recovery It is prudent to prepare for potential loss of critical information resources and processing capabilities. Plans to recover from such losses may range from routine backing up of data and software, to comprehensive disaster recovery and business resumption exercises. NWRDC, in conjunction with AIS provides for data and software back-up and recovery of critical central university administrative systems which reside at NWRDC. The data custodian of critical data which does not reside at the NWRDC is responsible for providing appropriate back-up and recovery for the associated information resources. In either case, the security control of back-up resources/data must be equivalent to the
  • 9. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 9/13 controls required of the primary resources/data. Incident Reporting Analysis of trends and types of security incidents and breaches is important to the integrity of University data management and computer security. All security incidents and breaches must be reported to data custodians for investigation and analysis. Information System Development and Acquisition Adding security controls after a system is operational is normally more expensive and less effective than when security requirements are considered in the initial system design. As such, systems development/acquisition decisions must include consideration of security requirements during each phase of the development/acquisition process. Online Data Access and Security Guidelines Specific Federal, State and university regulations, guidelines, policies and procedures govern the access and distribution of student, employee and other institutional data. Such data may not be released to any outside individual or organization without the explicit knowledge and approval of the University Data Administrator. As mandated by the Board of Regents (BOR), the University Data Administrator is the custodian of all official university data. Online Availability Florida State University's On-line Administrative Systems (CICS and SAMAS) are generally available between 8:00 a.m. and 6:00 a.m. seven days per week. (NOTE: Every effort will be made to keep on-line files available, however, nightly batch processing and file updating MUST take precedence. Files taken down for batch processing will be brought up for on-line access when batch processing has been completed.) Authorized Access Employees are authorized access to university data only to fulfill their job responsibilities. The Federal Privacy Act prohibits releasing information about any student to unauthorized persons without the written consent of that student. Board of Regents and university regulations prohibit release of any university data to unauthorized persons without proper approval. (NOTE: If you have access to institutional data, you are prohibited from divulging such data to anyone unless they are also authorized to use it. You should exercise extreme caution in releasing data to any individual or organization.) User IDs and Passwords Each employee must have a unique user ID. For central university administrative systems user IDs are assigned by AIS. Each user also chooses their own system and application passwords. Passwords can be 4 to 7 alpha-numeric characters and must be kept confidential and protected at all times. (NOTE: Initial passwords are the same as the user ID. The system will force a new password entry the first time a user signs on.) User IDs and passwords cannot be shared or reused, and passwords must be changed every 90 days or the system will force such a change. Users should sign-off of their terminal when leaving it unattended for an extended period
  • 10. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 10/13 of time. When an employee transfers from one department to another, they carry their User ID with them. However, their "old" DSC should request the AIS Security Manager to deactivate their old file access and their "new" DSC should request the AIS Security Manager to activate their new file access. AIS will update the employee's security records to reflect a change in departments and DSCs. When an employee leaves the university, their user-id will be deactivated but maintained in the security system for historical and audit purposes. User-ids can not be reused by another employee. (NOTE: Please refer to the University Data Management and Security System Procedures Manual for specific instructions on employee transfers, terminations, or application access changes.) Departmental Security Coordinator Each department or major organizational unit must have a designated Departmental Security Coordinator (DSC). The function of the DSC is to communicate and coordinate access to administrative systems for employees in their department as follows: To request new user-ids or authorization for departmental employees to access On-line Administrative Systems files, the DSC should complete and sign the Request for On-line user-id and Administrative System Access form and mail to AIS. Authorized file access can be granted only by the appropriate Application Security Manager (ASM). Each ASM will contact the DSC to discuss specific access and update authority to be granted users. (NOTE: Please refer to University Data Management and Security System Procedures Manual for instructions on how to obtain user- ids and gain access to administrative applications.) Departmental Security Coordinator Responsibilities Departmental Security Coordinators are responsible for: Teaching new employees the basics of terminal usage--signing on, changing passwords, locating keys. etc. Instructing new employees regarding data access, security and confidentiality and having them review the University Data Access and Security Business Manual. Impressing upon all users, new and existing, the necessity for preserving confidentiality of university data. Ensuring users periodically change their passwords. Especially, should they suspect someone else knows it. Encouraging users to sign-off their terminal anytime they leave it unattended. Maintaining current records of their department's terminal users via the AIS Access Form. Application Security Manager Responsibilities The Application Security Manager (ASM) is responsible for: Developing and documenting specific criteria to be used in determining access levels and update authority. Collecting appropriate data from the user to determine the access level and update authority to be granted. Granting access to university data to departmental users by updating the AIS Security System to explicitly grant update, or view only access. Monitoring a comprehensive list of users and their individual access privileges provided by AIS.
  • 11. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 11/13 AIS Responsibilities AIS is responsible for: Ensuring compliance with all Federal, State and University regulations regarding security of computer files. Approving and establishing user-ids, which define the user to the AIS Security System and forwarding the Access Form to the appropriate ASM(s). Providing monthly, each DSC a current list of all user-ids in their department identifying the files each users can access and/or update. Online Administrative Information Systems Access to the university's online administrative systems is accomplished by logging on to the Northwest Regional Data Center (NWRDC) and CICS. All administrative applications have been converted to the FSU CICS region (selection '1' on the NWRDC main menu). Other access which specific users may require includes: SAMAS (the State Automated Management Accounting System); TSO (where applications such as computer based training, FOCUS, and SAS reside). Following is a short description of many of the specific applications which may be accessed via the on-line administrative system master menu (FSMM). (A complete list of these may also be found by pressing the HELP key [PF1] on the AIS FSMM screen.) Student Academic This set of applications provides access to such student-oriented files as the Student Data Base, Admissions File, Stop File, Electronic Transcript Transfer, University Catalog, Course Schedule File, Enrollment File, Withdrawal, Academic Permanent Records and Test Scores. Student Affairs Contains applications supporting the Housing Office, University Health and Counseling Centers (both highly restricted) and the Orientation Office. Student Financial Provides access to the University Cashiering System. The Cashiering System is the central collection point for departmental deposits, student fees, student loans and other financial functions. Financial Aid Provides information related to a student's application for financial aid and subsequent data collection, processing, packaging and aid awards. Personnel/Payroll Provides information related to university employees, class codes, applicants and payroll processing. Auxiliary Systems Provides access to various applications such as the Seminole ACCESS Crossover File, listings of Departmental Representatives, and on-line Telecommunications applications. Finance & Accounting (Currently being developed) Addresses Contains various addresses such as local, permanent, university PO-box and emergency contact for current and former students. University Support Provides information related to support applications such as the Production Calendar, Security, Project Management System (ProMIS) and DataShare. Batch Job Security Authority to execute batch jobs at the NWRDC is granted to FSU employees who have a demonstrable need for such authority. Each person who is authorized to execute batch
  • 12. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 12/13 jobs to access FSU data sets is required to have a personal account number (logon-ID) assigned by the AIS Security Manager. Logon-IDs are organized into various Security Groups and defined to the ACF/2 security system at NWRDC. Requests for authority to submit batch jobs should be submitted to the AIS Security Manager for approval and the assignment of the logon-ID, security group and access privileges. Data Access and Accountability Datashare System Access The DataShare system gives authorized users access to a wide range of student data which can be downloaded to departmental microcomputers for use in local (non-AIS supported) data bases. Users of this system must submit a DataShare request form to the University Registrar, and read the Registrar's Guidelines for Confidentiality and Release of Student Records. Access to sensitive student data downloaded via the DataShare system is restricted to personnel requiring the data to perform their duties at the university. DataShare data must be used solely for the legitimate business of the university. Individual users are responsible for storing data under secure conditions, making every reasonable effort to ensure data privacy, and not divulging user-ids or passwords. Centrally-managed university files are the official data of the university and downloaded files represent only a snapshot of this data at a given point in time. Users of DataShare files agree not to circumvent nor delay the normal updating of centrally-managed university files. Furthermore, individual users of DataShare files agree to periodic audits of their local downloaded data by appropriate Application Security Managers or the AIS Security Manager. User Accountability The individual faculty and staff, regardless of the means of accessing the data, is the critical link in ensuring the integrity and security of University data. Ultimately, only the user can prevent unauthorized access and ensure responsible use of University data. Administrative and judicial penalties may be imposed for illegal or unauthorized modification, destruction, disclosure or use of University data. Unauthorized access may relate to any of the following: Hard copy reports issued by various administrative offices. Interactive terminal access to the NWRDC. Data downloaded and accessed from a college/departmental computer. Data downloaded and accessed from a user's individual personal computer. Microcomputers Magnetic Media Magnetic media, including diskettes, fixed disks, and tapes are subject to corruption. The information on these media are recorded by the application of magnetic fields, and are subject to disruption by other magnetic influences. These media must be kept in a place that will diminish the possibility of magnetic interference. Deliberately Destructive Software (Viruses) The usage of externally acquired diskettes or the downloading of files from remote sites is accompanied by the real possibility of permitting viruses to be introduced to your system. These viruses are potentially destructive to your system and are likely to destroy your
  • 13. 10/23/13 Data Management and Computer SecurityBusiness Manual / Mainframe (NWRDC) Support Services / - Computing / Information TechnologyServices / F… its.fsu.edu/Computing/Mainframe-NWRDC-Support-Services/Data-Management-and-Computer-Security-Business-Manual#6 13/13 files on any media with which they are used. It is not uncommon that all information on a sizable fixed disk is corrupted by the introduction of a virus from an external source. This possibility is even greater where several users are utilizing the same system. The potential damage of such a destructive invasion is increased in the use of local area networks (LANs). It is the responsibility of each user to use due caution to prevent the invasion of viruses into their systems, and the possible further destruction of additional systems by sharing foreign information with other users. Thus, installation and use of anti-virus software on all microcomputers is highly recommended. AIS maintains a site license for a PC anti-virus program. This program is available from Administrative User Services (AUS) (644-1760). Should preventative measures fail, contact AUS Helpdesk (644-8502) for assistance. Backup Because PC based magnetic media are subject to corruption it is advisable that all information and programs stored on them be retained in at least two different places. A second copy of all information stored on diskettes should be made and kept in a safe location. Information stored on a fixed or hard disk should be copied onto diskettes or magnetic tape for backup purposes. The size of the files of information will likely greatly influence the media used for backup. Programs that are utilized by the user should be copied and stored safely when the program is first acquired. Data that is entered into the computer should be stored in two different places to prevent the loss of information should the primary copy be corrupted or lost. Besides the possibility of magnetic interference, there is a possibility that a disk drive can fail and ruin the magnetic media that it is using at that time. Users should frequently store/save information when data is being entered into the computer. Again there is a possibility that a component of the computer or electrical power could fail. Immediately after the completion of entering large volumes of information, that information should be copied to a back-up media for safe keeping. Software Piracy Almost all purchased or leased software is acquired with a usage license. Much software is acquired with only a single user license, though some may have multiple user licenses. It is the responsibility of the administrative officer who authorizes the acquisition to insure that the license is not violated. The user has the ultimate responsibility to adhere to the conditions of the license, but accountability must be insured by supervision and management. AIS and university policy strictly forbid software piracy. AIS will not provide assistance to university departments that knowingly violate copyright laws. © Information Technology Services, Florida State University C6100 University Center Tallahassee, FL 32306-2620 | 850/644-4357 Privacy Policy | Contact ITS | Maps to ITS Locations