Introduction
Opportunities and Risks—The wide array of new resources, services, and inter-connectivity available through the Internet all introduce new business opportunities, and new security and privacy risks. In response to the risks, this policy describes the Misericordia University’s official policy regarding Internet security.
Applicability—This policy applies to all employees, contractors, consultants, temporaries, and volunteers, who use the Internet with Misericordia University computing or networking resources. The policy applies to all those who use the Internet and represent themselves as being connected in some way with Misericordia University. All of these Internet users are expected to be familiar with and fully comply with this policy. Questions about the policy should be directed to the Information Technology Security manager. Violations of this policy can lead to revocation of system privileges or additional disciplinary action. Violations of the University Internet Security Policy are treated like any other ethical violation as outlined in relevant contractual agreements and applicable faculty and staff handbooks. Penalties may include but are not limited to, restricted access, no access, suspended access, or other University actions as deemed necessary. Violators may also be subject to prosecution under applicable Federal and Commonwealth of Pennsylvania statutes.
Prior Management Approval—Access to the Internet, aside from electronic mail, will be provided to only those employees who have a legitimate business need for such access. The ability to access the Internet and engage in other Internet activities is not a fringe benefit to which all employees are entitled. If an employee does not have sufficient Internet access, but needs access for a particular project, he or she can use the special shared systems found in the computer labs.
Information Reliability—All information acquired from the Internet must be considered suspect until confirmed by separate information from another source. Before using free Internet-supplied information for business decision-making purposes, employees must corroborate the information by consulting other sources.
Spoofing Users—Before employees release any internal Misericordia University information, enter into any contracts, or order any products through public networks, the identity of the individuals and organizations contacted must be confirmed. Identity confirmation is ideally performed through digital signatures or digital certificates, but in cases where these are not available, other means such as letters of credit, third-party references, and telephone conversations may be used.
User Anonymity—Misrepresenting, obscuring, suppressing, or replacing a user’s identity on the Internet or any Misericordia University electronic communications system is forbidden. The user name, electronic mail address, organizational affiliation, and related information included with messages or postings must reflect the actual originator of the messages or postings. Use of anonymous FTP logons, HTTP or web browsing, and other access methods established with the expectation that users would be anonymous are permissible.
Electronic Mail Attachments—Employees must not open electronic mail attachments unless they were expected from a trusted sender. When they are expected from a known and trusted sender, attachments must be scanned with a virus package prior to being opened.
Web Page Changes—Employees must not establish new Internet pages dealing with Misericordia University business, or make modifications to existing web pages dealing with Misericordia University business, unless they have obtained the approval of the Misericordia University Marketing Department or if it is a departmental web page. Modifications include the addition of links to other sites, updating the information displayed, and altering the graphic layout of a page. The Marketing Department ensures that all posted material has a consistent and University appearance, is aligned with business goals, and is protected with adequate security measures.
Information Exchange—Misericordia University software, documentation, and all other types of internal information must not be sold or otherwise transferred to any non-Misericordia University party for any purposes other than business purposes expressly authorized by management. Exchanges of software or data between Misericordia University and any third party must not proceed unless a written agreement has been signed. Such an agreement must specify the terms of the exchange, and the ways that the software or data is to be handled and protected. Regular business practices, such as shipment of a product in response to a customer purchase order, need not involve such a specific agreement since the terms and conditions are implied.
Posting Materials—Employees must not post Misericordia University material on any publicly-accessible Internet computer that supports anonymous FTP or similar publicly-accessible services, unless the posting of these materials has been approved by the director of Public Relations. Misericordia University internal information must not be placed in any computer unless the persons who have access to that computer have a legitimate business need to know the involved information.
Message Interception—Critical, or private University information, such as passwords or student and employee information, must not be sent over the Internet in emails.
Security Parameters—Unless a connection is known to be secured, credit card numbers, telephone calling card numbers, and logon passwords that can be used to gain access to Misericordia servers, should not be sent over the Internet in emails.
Inbound User Authentication—All users wishing to establish a real-time connection with Misericordia University internal computers through the Internet must employ a virtual private network (VPN) product approved by the Information Technology Networking Department that can encrypt all traffic exchanged. These VPN products also must authenticate remote users at a firewall before permitting access to the Misericordia University internal network. This authentication process must be achieved through a password system approved by the Information Technology Security manager. If you need access via a VPN you should contact the Information Technology Networking Department.
Network Access—Employees who have not installed required software patches or upgrades, or whose systems are virus-infested must be disconnected from the Misericordia University network until they have reestablished a secure computing environment.
Restriction Of Third-Party Access—Inbound Internet access privileges must not be granted to third-party vendors, contractors, consultants, temporaries, outsourcing organization personnel or other third parties unless the relevant system manager determines that these individuals have a legitimate business need for such access. These privileges must be enabled only for specific individuals and only for the time period required to accomplish approved tasks.
Internet Service Providers—Employees must not employ Internet service provider accounts and dial-up lines to access the Internet with Misericordia University computers unless the computer is protected with a firewall. All Internet activity on the University campus must pass through Misericordia University firewalls so that access controls and related security mechanisms can be applied.
Establishing Network Connections—Unless the prior approval of the Information Technology Networking Department has been obtained, employees must not establish Internet or other external network connections that could permit non-Misericordia University users to gain access to Misericordia University systems and information. These connections include the establishment of multi-computer file systems, Internet pages, Internet commerce systems, and FTP servers.
Business and Educational Use— Misericordia University computer and communication systems are intended to be used for business and educational purposes only. Incidental personal use is nonetheless permissible if the use does not consume more than a trivial amount of resources that could otherwise be used for business purposes, does not interfere with employee productivity, does not preempt any business activity, and does not cause distress, legal problems, or morale problems for other employees. Permissible incidental use of a computer would, for example, involve responding to an electronic mail message about a luncheon, purchasing a gift online, and paying bills through the Internet. Offensive material that might cast Misericordia University in a bad light, including, but not limited to, sexist, racist, violent, or other content, is strictly forbidden from all computer devices on Misericordia University campus. Employees must not employ the Internet or other internal information systems in such a way that the productivity of other employees is eroded. Examples of this include chain letters and broadcast charitable solicitations. Misericordia University computing resources must not be resold to other parties or used for any personal business purposes such as running a consulting business on off-hours.
Offensive Web Sites—Misericordia University is not responsible for the content that employees may encounter when they use the Internet. When and if users make a connection with web sites containing objectionable content, they should promptly move to another site or terminate their session.
Blocking Sites and Content Types—The ability to connect with a specific web site does not in itself imply that users of Misericordia University systems are permitted to visit that site. Misericordia University may, at its discretion, restrict or block the downloading of certain file types that are likely to cause network service degradation.
No Default Protection—Employees using Misericordia University information systems or the Internet must realize that their communications are not automatically protected from viewing by third parties. Unless encryption is used, employees must not send information over the Internet if they consider it to be confidential or private.
Junk Electronic Mail—Employees must not use Misericordia University computer systems for the transmission of unsolicited bulk electronic mail advertisements or commercial messages that are likely to trigger complaints from the recipients. These prohibited messages include a wide variety of unsolicited promotions and solicitations such as chain letters, pyramid schemes, and direct marketing pitches. When employees receive unwanted and unsolicited electronic mail, they must refrain from responding directly to the sender. They must forward the message to the spam administrator at Misericordia University who then can take steps to prevent further transmissions.
Notification Process—If sensitive Misericordia University information is lost, disclosed to unauthorized parties, or suspected of either, the Information Technology Security manager must be notified immediately. If any unauthorized use of Misericordia University information systems has or is suspected of taking place, the Information Technology Security manager must be notified immediately. Whenever passwords or other system access control mechanisms are lost, stolen, or disclosed, or are suspected of being lost, stolen, or disclosed, the Information Technology Security manager must be notified immediately. All unusual systems behavior, such as missing files, frequent system crashes, and misrouted messages must be immediately reported to the help desk. The specifics of security problems must not be discussed widely but should instead be shared on a need-to-know basis.
False Security Reports—Employees in receipt of information about system vulnerabilities must forward it to the Information Technology Security manager, who then will determine what if any action is appropriate. Employees must not personally redistribute system vulnerability information to other users.
Testing Controls—Employees must not test or probe security mechanisms at either Misericordia University or other Internet sites unless they have obtained written permission from the Information Technology Security manager. The possession or the usage of tools for detecting information system vulnerabilities, or tools for compromising information security mechanisms, are prohibited without the advance permission of the Information Technology Security manager.
Controls— Every employee who has access to Misericordia University information or information systems has an important information security role in the organization. For example, each one of these employees is personally responsible for the protection of information that has been entrusted to their care. All employees who come into contact with sensitive Misericordia University internal information are expected to familiarize themselves with these data classification levels and to consistently use these same ideas in their daily Misericordia University business activities. Sensitive information is either Confidential or Critical information, and both are defined later in this document. Employees should treat all information as though it has a data classification level. The following classification levels as used:
CONFIDENTIAL or CRITICAL—This classification label applies to sensitive business information that is intended for use within Misericordia University. Its unauthorized disclosure could adversely impact Misericordia University or its customers, suppliers, business partners, or employees. Information that some people would consider to be private is included in this classification. Examples include employee performance evaluations, customer transaction data, strategic alliance agreements, unpublished internally-generated market research, computer passwords, identity token personal identification numbers, and internal audit reports.
FOR INTERNAL USE ONLY—This classification label applies to all other information that does not clearly fit into the other two classifications. While its unauthorized disclosure is against policy, it is not expected to seriously or adversely impact Misericordia University or its employees, suppliers, business partners, or its customers. Examples include the Misericordia University telephone directory, dial-up computer access numbers, new employee training materials, and internal policy manuals.
PUBLIC—This classification applies to information that has been approved by Misericordia University management for release to the public. By definition, there is no such thing as unauthorized disclosure of this information and it may be disseminated without potential harm. Examples include product and service brochures, advertisements, job opening announcements, and press releases.