FINANCIAL & ADMINISTRATIVE (411A)
Kansas Athletics IT Information and Security Policy
Kansas Athletics (Athletics) considers security and preserving the privacy of its constituencies critical to fulfilling its mission. Careful consideration of these issues in the design of Athletics computer systems, programs, procedures and facilities has been of the highest priority.
A security policy cannot be successful unless it is a key part of day-to-day operations and mindset at every level of Athletics. Choosing more efficient means or processes that this policy does not sanction is never permitted when doing so would compromise the security of Athletics. This policy applies to Athletics network usage even in situations where it would not apply to the computer(s) in use. These guidelines are intended to supplement, not replace, all existing laws, regulations, agreements, and contracts that currently apply to computing and networking services. The University of Kansas policies serve as the default when the Athletics policies are silent.
Access to the Athletics Network and computer systems is a privilege, not a right. Access to networks and computer systems owned or operated by Athletics requires certain user responsibilities and obligations and is subject to Athletics and the University of Kansas policies and local, state, and federal laws. Appropriate use should always be legal and ethical. Users should reflect honesty, mirror community standards, and show consideration and restraint in the consumption of shared resources. Users should also demonstrate respect for intellectual property; ownership of data; system security mechanisms; and individual rights to privacy and to freedom from intimidation, harassment, and annoyance. Authorized use includes any business-related computing that allows the user to perform his/her job functions.
I. Roles and Responsibilities
All employees, temporary employees, and independent contractors have a responsibility to adhere to the policies set forth in this document. Each department is required to adhere to this policy and to implement procedures or solutions which provide for compliance and security to the greatest extent possible.
Users are Athletics staff members who have been granted access to Athletics information and/or information systems in order to do their jobs. Users can be full or part-time staff members who have a business need that requires access to Athletics information and/or network systems. Temporary staff members, consultants, or independent contractors must receive permission to use Athletics equipment and to access Athletics information and network systems. Individuals without authorization to access information and/or information systems must first request and receive permission from the senior athletics administrator with oversight for that department. The senior athletics administrator must contact Athletics IT to grant that user access to the Athletics network. Users are forbidden from using any Athletics information for purposes other than those expressly authorized by Athletics policies. Likewise, users must not disclose Athletics confidential or sensitive information to anyone without the prior authorization of the department’s senior athletics administrator. Users are responsible for the secure handling of information in their immediate possession. For example, users must manage their desktop and portable computers in such a manner that unauthorized access does not take place. This includes keeping both the password-based access control package and the virus detection package enabled on these computers. To further ensure security of information, users are encouraged to store data and documents on the server under “My Documents” rather than on their desktop. Users are additionally responsible for safeguarding all storage media containing information (CD-ROMs, DVD-ROMs, USB jump or flash drives, etc.). It is strictly prohibited to store any sensitive information on any form of external storage device, including USB jump or flash drives.
Users must report to Athletics IT and their immediate supervisor all errors and anomalies in the information to which they have been given access. Users must also report all suspected information security problems or violations to the Athletics IT staff. The privileges provided to users must be terminated when the business need or employment ends. Human Resources will notify Athletics IT when a user is no longer employed or no longer in a consulting relationship.
II. Use of Kansas Athletics Electronic Communications
Athletics electronic communications systems should be used for business activities only. Incidental personal use is permissible as long as it is secondary to Athletics business, does not consume more than a trivial amount of system resources, does not interfere with worker productivity, and does not preempt any business activity. No non-business-related personal files are allowed to be stored on Athletics servers. This includes, but is not limited to, personal pictures, programs, files, videos and music. Personal photos as screen savers are permitted since they reside on the employee’s desktop computer rather than on Athletics servers. Staff members are reminded that the use of Athletics information system resources must never create the appearance or the reality of inappropriate use. It is necessary to ensure security is a part of everyday information systems use. Athletics systems are provided to employees to better meet and complete the business goals of the department. Misuse or abuse of information systems will not be tolerated. The following are provided as examples of unauthorized use of Athletics information systems:
1. Athletics information system resources may not be used to impersonate another person or misrepresent authorization to act on behalf of others, Athletics or its constituency.
2. Athletics information systems may not be used to harass another person. Users should not transmit to others or display images, sounds or messages that may be perceived by a reasonable person as, or have been identified as, offensive or harassing or otherwise violate the departmental harassment policy.
3. Athletics information systems may not be used to invade the privacy of others or make unauthorized use of their work. Users should not attempt to read or copy files belonging to others, or decrypt or translate encrypted material without prior authorization.
4. Users must not attempt to undermine the security or the integrity of information systems and must not attempt to gain unauthorized access.
5. Users may not use any computer program or device to intercept or decode passwords or similar access control information, or any other computer or network traffic unless proper authorization has been received in writing.
6. All Outlook information (contacts, calendar, etc.) is lost when employees leave their employment at Athletics. Information stored on the server (“My Documents”) is retained by Athletics. Employees who wish to retain their Outlook information, such as contact lists, should make copies of the information prior to departure.
B. Remote Access
Remote access to Athletics information systems and networks requires control procedures which identify the individual accessing a system or resource, what accesses were attempted or granted, and the duration of access. Any remote access must receive prior approval from Athletics IT.
C. No Guaranteed Message Privacy
Athletics and KU cannot guarantee that electronic communications will be private. Staff must be aware that electronic communications can, depending on the technology, be forwarded, intercepted, printed, and stored by others. People other than the intended recipients can access electronic communications. Because messages can be stored in backups, electronic communications actually may be retrievable when a traditional paper letter may have been discarded or destroyed. Staff must be careful about the topics covered in electronic communications, and should generally use communications systems in the same manner in which they use letterhead or formal modes of communication.
D. Contents of Messages
Athletics is not responsible for the content of any material viewed, downloaded, or received by users through the Internet. Electronic mail systems may deliver unsolicited messages that contain offensive content. Users must not use profanity, obscenities, or derogatory remarks in electronic mail messages. As a matter of standard business practice, all Athletics electronic communications must be consistent with conventional standards of ethical and polite conduct.
E. Consent to Monitoring
Athletics routinely engages in monitoring internal communications. It also utilizes intrusion detection technology, and monitors, accesses, retrieves, reads, or discloses internal communications when a legitimate business need exists that cannot be satisfied by other means, the involved individual is unavailable and timing is critical to a business activity, there is reasonable cause to suspect criminal activity or policy violation, or monitoring is required by law, regulation, or third-party agreement. If malicious activity or a compromise of Athletics systems is suspected, system and security personnel may provide logs to management and/or law enforcement officials, and may use this information in any lawful manner. All messages and data transmitted through and stored on Athletics information systems are subject to monitoring and review by authorized personnel. This includes web access and content, email content, text messages, voicemails, phone records, delivery information, and document and file content. By using Athletics systems or networks, all users acknowledge that they understand and agree to this security policy, and further that they consent to such monitoring, even if such communications are sent with external email services such as POP mail systems, web-based e-mail (Gmail, Hotmail, Yahoo! Mail) or other email systems. This also applies to message board postings. Athletics may also log web sites visited, files downloaded, and related information exchanges over the Internet. Department supervisors may receive reports detailing the usage of internal information systems, and are responsible for determining that such usage is reasonable. Evidence of suspicious activity identified while monitoring for unrelated purposes constitutes cause for further monitoring.
Files stored on the Athletics file server are routinely backed up to tape, disk, and other storage media. This means that information stored on the Athletics file server, even if a worker has specifically deleted it, is often recoverable and may be examined at a later date by Athletics IT or others designated by management. At any time and without prior notice, Athletics reserves the right to examine archived electronic mail, personal computer file directories, hard disk drive files, telephone and text messages, and other information stored on Athletics information processing systems. This information may include personal data. Such examinations are typically performed to assure compliance with internal policies, in accordance with legal proceedings, to support the performance of internal investigations, and to assist with the management of Athletics information processing systems.
F. Information Access
By default, all users will be granted basic information systems services such as electronic mail, Internet access and word processing. All other system capabilities must be approved by Athletics administration. If users have any questions about access control privileges, they must direct these questions to their department supervisor. Those requiring access to Athletics information systems or resources will receive approval for access prior to being issued an authentication credential, user ID, or temporary password. Supervisors will request access to information systems and resources based on the individual’s access requirements and job duties. In the event of a change in jobs or responsibilities, changes in access will occur via notification from the Human Resources Director.
III. Internet Access Web Browsing Security Policy
1. Computer systems and the Internet should only be used for business purposes. Incidental personal use is permitted, providing all areas of this policy are adhered to and that such use is secondary only to conducting Athletics business. Personal misuse or abuse of Athletics information systems is strictly prohibited.
2. Athletics information systems may not be used to post personal opinions on Internet web sites, news groups, bulletin boards or other public email forums.
3. Users of the information systems and the Internet will, at all times, conduct themselves as a respectable representative of Athletics.
4. Software and other executables shall not be downloaded, installed, or run without approval of Athletics IT.
5. Access to sexually explicit, profane, obscene, racially or sexually harassing, hate crime, terrorist, gambling, drug, doping or steroid use, and other inappropriate or illegal web sites is strictly prohibited. Purposeful access to these sites will result in disciplinary action, which may include dismissal and/or civil or criminal legal action. Athletics retains the right to report access and provide evidence to proper law enforcement officials for investigation of access to the illegal sites listed above. Athletics IT reserves the right to block websites from being accessed.
6. Downloading or installing unlicensed copies of copyrighted music, video, software, programs, or other materials onto Athletics systems is a violation of the rights of the copyright holder and is prohibited. This includes the use of peer-to-peer networks (LimeWire, Kazaa, Morpheus, BitTorrent, etc.) for such purposes.
7. Users shall avoid using services that impose an unnecessary risk to the security of Athletics systems or networks. This includes downloading or using programs that are used to facilitate computer hacking, network probing, peer-to-peer file sharing, or opening ports without the authorization of the Athletics IT Department. Athletics IT reserves the right to not install software deemed harmful to the Athletics computer or network.
IV. Email Security Policy
Athletics full time employees will be provided an electronic mail address through The University of Kansas (KU). Athletics and KU encourage the appropriate use of email to further their missions and goals. Athletics employees will be given the opportunity to register for a KU email address after employee orientation. Human Resources will contact Athletics IT when the individual is in the system and has an employee ID number. Athletics IT will assist in getting the employee registered with a KU email.
Registered student and campus affiliates such as Athletics may use their membership listservs to notify employees of meetings or department related information. KU email may not be used to support external organizations, partisan political candidates, party fundraising, or causes.
Athletics and KU support a climate of trust and respect and do not ordinarily read, monitor, or screen electronic mail. However, complete confidentiality or privacy of email cannot be guaranteed. Confidentiality cannot be guaranteed because of the nature of the medium, the need for authorized staff to maintain email systems, and KU’s accountability as a public institution. As a public institution, KU (and Athletics as an affiliated corporation of KU) is subject to state and federal open records laws. Any material, including emails, phone records, calendars, etc., in the possession of KU or Athletics is subject to release to requesters under the open records laws. The Athletic Director or his designee may authorize access to employee or student email in a number of circumstances including, but not limited to, situations involving the health or safety of people or property; possible violations of Athletics codes of conduct, regulations, or policies; possible violations of state or federal laws; subpoenas and court orders; other legal responsibilities or obligations of the University; or the need to locate information required for Athletics business.
Athletics routinely uses email for both formal and informal communication, including emergency messages. All staff and student-athletes who have access to email, are expected to check their email regularly for Athletics and KU communications. Because use of broadcast email places stress on the email system, it is KU policy to use the broadcast function very sparingly. In addition to the business communications cited above, it is used for messages from the Chancellor’s Office, the Provost’s Office, or other offices about mission-related matters or issues of broad interest to the University community, and for emergency messages dealing with power outages, street closings, or other public safety matters. Any request to use broadcast email to contact students, faculty, or staff, including survey requests, must be approved in advance and in writing or by email by the Office of the Chancellor or the Office of the Provost.
The broadcast function generally is not used to announce events sponsored by KU units or organizations. Public events sponsored by KU units or registered student and campus organizations may be posted on the electronic KU calendar (for instructions, see http://www.ur.ku.edu/news/calendar.shtml.) The Office of University Relations regularly broadcasts a complete KU Calendar of Events.
KU email accounts remain the property of the State of Kansas. The University routinely disables accounts after graduation or termination from the University.
Violation of this policy may result in the full range of sanctions, including, but not limited to the loss of computer or network access privileges, disciplinary action, suspension, termination of employment, dismissal from Athletics, and legal action. Some violations may constitute criminal offenses under local, state, and federal laws. If appropriate, Athletics will carry out its responsibility to report such violations to the appropriate authorities.
V. Use of Encryption Programs
Athletics staff is reminded that electronic communications systems are not encrypted by default. If confidential or sensitive information must be sent by electronic communication systems, please contact Athletics IT to be provided with an encryption process approved by the KU Security Office. These encryption systems must protect the sensitive information from end to end. They must not involve decryption of the message content before the message reaches its intended final destination.
VI. Password Policy
Passwords are an essential aspect of computer security, providing important front-line protection for electronic resources by preventing unauthorized access. Passwords help Athletics limit unauthorized or inappropriate access to various network resources, including user-level accounts, web accounts, email accounts, computer protection, and local router logins.
A poorly chosen password may result in the compromise of Athletics systems, data, or the network. Therefore, all Athletics users are responsible for taking the steps outlined below to select appropriate passwords and protect them.
A. Creation of Passwords
Passwords created by users of Athletics and the KU systems, and on systems where technology makes it possible, should conform to the following guidelines:
- Must be different from the user’s login name or the reverse of the name and must avoid use of knowable personal information (names of family, etc.).
- Must be at least seven characters.
- Must include digits (0-9), and both upper and lower case characters (a-z, A-Z).
- Must use a special character (Examples: *, &, %, or $).
B. Changing Passwords
Passwords should be changed once a semester (Fall and Spring). The new password must differ from the old password by at least three characters. Passwords are not allowed to be repeated within one year.
- Those entities required to be Payment Card Industry (PCI) Data Security Standard (DSS) or Health Insurance Portability and Accountability Act (HIPAA) compliant by the Information Technology Security Office (ITSO) shall require their user passwords to be changed at a minimum every 90 days.
- Those entities required to be PCI/DSS or HIPAA compliant by the ITSO shall prohibit their users from choosing a new password that is the same as any of the previous four passwords.
- All default passwords shall be changed to meet the current password requirements. No default passwords shall remain in effect after the required initial usage. Default passwords are those that are vendor supplied with hardware or software, or are system generated.
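As an added illustration, not part of this policy or of any Athletics IT tooling, the following Python checker applies the creation rules in A and the change rules in B to a proposed password. It makes several assumptions the policy does not state: "differ by at least three characters" is measured as edit distance; previous passwords are kept only as salted PBKDF2-SHA256 hashes, never in plaintext; for PCI/HIPAA-regulated accounts only the last four history entries are compared, while for other accounts the caller supplies the entries from the past year; and "knowable personal information" is checked only against a caller-supplied list of terms, since it cannot be detected automatically. The login name, passwords and rule codes are constructed sample data.

```python
import hashlib
import hmac
import os
import string
from typing import List, Optional, Sequence, Tuple

# Assumptions (not stated in the policy):
#  - "differ by at least three characters" is Levenshtein edit distance;
#  - history is stored as (salt, PBKDF2-SHA256 digest) pairs, never plaintext;
#  - regulated (PCI/HIPAA) accounts check only the last four history entries,
#    other accounts check every entry the caller passes (the past year).
MIN_LENGTH = 7
MIN_CHANGE = 3
REGULATED_HISTORY = 4
SPECIALS = set(string.punctuation)  # e.g. * & % $

HistoryEntry = Tuple[bytes, bytes]


def hash_password(password: str, salt: Optional[bytes] = None) -> HistoryEntry:
    """Return (salt, digest) so old passwords can be compared without storing them."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)
    return salt, digest


def in_history(password: str, history: Sequence[HistoryEntry]) -> bool:
    """Re-hash the candidate with each stored salt; constant-time digest comparison."""
    for salt, digest in history:
        if hmac.compare_digest(hash_password(password, salt)[1], digest):
            return True
    return False


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance: insertions, deletions and substitutions each cost 1."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1,                 # delete ca
                           cur[j - 1] + 1,              # insert cb
                           prev[j - 1] + (ca != cb)))   # substitute
        prev = cur
    return prev[-1]


def check_password(candidate: str, login: str, old_password: Optional[str] = None,
                   history: Sequence[HistoryEntry] = (), personal_terms: Sequence[str] = (),
                   regulated: bool = False) -> List[str]:
    """Return the list of violated rules; an empty list means the password is acceptable."""
    violations = []
    lower = candidate.lower()

    # A: not the login name or its reverse, and no knowable personal information
    if lower in (login.lower(), login.lower()[::-1]):
        violations.append("matches_login")
    if any(term.lower() in lower for term in personal_terms if len(term) >= 3):
        violations.append("personal_info")

    # A: minimum length and required character classes
    if len(candidate) < MIN_LENGTH:
        violations.append("too_short")
    if not any(c.isdigit() for c in candidate):
        violations.append("missing_digit")
    if not any(c.isupper() for c in candidate):
        violations.append("missing_upper")
    if not any(c.islower() for c in candidate):
        violations.append("missing_lower")
    if not any(c in SPECIALS for c in candidate):
        violations.append("missing_special")

    # B: the new password must differ from the old one by at least three characters
    if old_password is not None and edit_distance(candidate, old_password) < MIN_CHANGE:
        violations.append("too_similar_to_old")

    # B: no reuse within the applicable window
    window = list(history)[-REGULATED_HISTORY:] if regulated else list(history)
    if in_history(candidate, window):
        violations.append("reused")
    return violations


if __name__ == "__main__":
    # Constructed sample data: the login "jhawk" and these passwords are illustrative only.
    previous = [hash_password("Rock!Chalk1")]
    print(check_password("Rock!Chalk2", "jhawk", "Rock!Chalk1", previous))  # ['too_similar_to_old']
    print(check_password("Kansas#2024", "jhawk", "Rock!Chalk1", previous))  # []
```

Storing only salted hashes keeps the reuse check from turning the password history itself into a Level I data set in plaintext; the cost of re-hashing the candidate against each stored salt is deliberate and is what makes the stored history expensive to crack.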
C. Protecting a Password
- Passwords should be treated as confidential Athletics information.
- Passwords should never be written down or posted for reference.
- Passwords should not be included in email messages or other forms of electronic communication.
D. Sharing a Password
- Passwords should only be shared with an Athletics information technology professional assisting you with a technical problem. Departmental account passwords should be shared only with appropriately designated departmental personnel.
- Passwords may be shared via phone only when necessary. However, users need to beware of “phishing” or other social engineering scams where a user may have his or her password requested over the phone. Password phone communications may be necessary with external information technology professionals.
- Approval by the Athletics IT is required prior to sharing a password with a contractor or vendor (approval may be granted on a one-time or continuing basis), and this contractor or vendor access may require implementing the appropriate technology infrastructure to accommodate the access (depending on the circumstance, and as determined by Athletics IT).
- It is recommended that passwords be changed after allowing use as permitted in this section.
E. Reporting a Password Compromise
Suspected compromises of passwords must be reported immediately to Athletics IT at 4-8100. The password in question should be changed immediately.
F. Responsibilities of the Athletics IT Office
Athletics IT may require a more restrictive policy, such as stronger passwords, in some circumstances. Athletics or KU IT may perform password assessments on a periodic or random basis. If a password is guessed or cracked during one of these assessments, Athletics IT will promptly notify the listed contact and require the password be changed.
VII. Data Classification and Handling Policy
All Athletics employees and users are responsible for:
- Understanding what constitutes Private or Public University information; and
- Managing Private or Public University information in a manner consistent with the requirements for confidentiality associated with the data in any form (electronic, documentary, audio, video, etc.) throughout the entire information lifecycle (from creation through preservation or disposal).
All Athletics information whether at rest (i.e., stored in databases, tables, email systems, file cabinets, desk drawers, etc.) or in use (i.e., being processed by application systems, electronically transmitted, used in spreadsheets, or manually manipulated, etc.) must be classified into one of the three data classification levels described in this policy by each unit or department that is the Custodian of Records for that information.
Determining the classification level should be done according to an assessment of the need for Confidentiality of the information.
Confidentiality: Access to information must be strictly limited to protect Athletics and individuals from loss. Limiting access to authorized individuals/entities/devices ensures legal obligations are fulfilled and/or protects Athletics and its stakeholders from the disclosure of data which is sensitive in nature.
NOTE: The appropriate classification of each data set is based on the classification of the most confidential data stored in the data set (e.g., the database, table, file, etc.), or accessed by systems or people. This is true even if the data set contains other information that would qualify for a lower level of protection if it were stored separately.
The table below summarizes the Data Classification process:
Level I Protection: SPECIAL CARE IS REQUIRED
Level II Protection: BE VERY CAUTIOUS
Level III Protection: PROCEED WITH AWARENESS
Level I information: High risk of significant financial loss, legal liability, public distrust, or harm if this data is disclosed.
– Data protected by HIPAA (health information)
– Data protected by FERPA (student information including grades, exams, rosters, official correspondence, financial aid, scholarship records, etc.)
– Data protected by GLBA (financial information)
– Data subject to PCI (Payment Card Industry) standards
– Data subject to other Federal or state confidentiality laws
– Donor or prospect information
– Passwords and PINs
– Personally Identifiable Information (“PII”)
– Personnel data
– Data subject to protection pursuant to non-disclosure agreements
– Audit working papers
– Data protected by attorney/client privilege
– Email covering topics listed above
Level II information: Moderate requirement for confidentiality and/or moderate or limited risk of financial loss, legal liability, public distrust, or harm if this data is disclosed.
– Audit reports
– Email addresses
– Other contracts (not included above)
– Competitive business information
Level III information: Low requirement for confidentiality [information is public] and/or low or insignificant risk of financial loss, legal liability, public distrust, or harm if this data is disclosed.
– University directory information, as defined by the Student Records Policy
– Web pages
– Annual reports, etc.
Exceptions to this Policy shall only be allowed if previously approved by the KU Information Technology Security Office and this approval is documented and verified by the Vice Provost for Information Services.
It is strictly prohibited to store any Level I, II, or III information on any form of external storage device, including USB jump or flash drives.
Faculty, staff, and student employees who violate this Athletics/University policy may be subject to disciplinary action for misconduct and/or performance based on the administrative process appropriate to their employment.
Students who violate this Athletics/University policy may be subject to proceedings for non-academic misconduct based on their student status.
Faculty, staff, student employees, and students may also be subject to the discontinuance of specified information technology services based on the policy violation.
A. Backups, Retention, Off-Site Storage
To ensure the availability of critical information, data and system backups will be performed on a regular basis and off-site storage will be used to ensure business continuity in the event of a disaster. The following controls will be followed for ensuring reliable backups exist and that information contained on backup media is adequately protected:
– All backup media assumed to contain private information will be properly labeled to indicate the classification of data on the media.
– Backup media will be tested on a regular basis for restore capability.
– Backup media will be regularly rotated to off-site storage.
– The timing and scope of the retention of backup information will be determined by the criticality of the information on the backup media.
– Some off-site storage facilities used will employ 24×7 security.
– Email can be restored for up to 14 days after deletion.
– Off-site storage facilities will be environmentally controlled for temperature and humidity.
– Some of the off-site storage facilities are located far enough from the primary facility that a single natural disaster could not affect both in the same way.
B. Physical Security
Physical security of Athletics assets is the first line of defense against potential incidents that may interrupt, damage or destroy information systems, assets or resources. Physical access to Athletics facilities and information systems will be controlled to ensure the continuous availability and integrity of its information systems assets and resources. Special requirements may be imposed on physical access to areas of Athletics property that house sensitive IT resources. This may include additional identification or badge access, biometric or other access limitation, and enhanced surveillance of such sensitive areas.
C. Information Systems Hardware Security
Hardware assets include, but are not limited to, mainframe computers, mini computers, servers, PCs, laptops, notebooks, Personal Digital Assistants, cell phones, network transmission equipment, communications equipment, fax machines, telephones, printers, tape drives, etc. Hardware must be protected from loss, theft, damage, environmental hazards (e.g., fire, water, static electricity, power surges, etc.) and from access by unauthorized personnel. Any loss of equipment must be reported immediately to Kansas Athletics IT.
– All personnel are responsible for ensuring all hardware assets within their areas of control are adequately protected.
– When traveling by commercial airlines, laptops must not be checked in luggage.
– Use of employee owned personal computers, laptops and cell phones by personnel while performing their job duties is prohibited unless authorized by the Athletics IT Department. At no time does Athletics assume any obligation to pay for loss or damage of employee owned equipment.
– Athletics’ private information is prohibited from existing on personally owned laptops, cell phones and other storage medium which are not owned by Athletics unless authorized by the Athletics IT Department.
– Private information, including but not limited to information concerning student-athletes, social security numbers, or credit card numbers, must not be stored on the desktop of a laptop. All private information must be kept only on the server (under the employee’s My Documents folder). Should private information be on a laptop’s desktop and the laptop is lost, the employee may be responsible for all costs related to the required federal cyber security protocols.
– Employee and contractor owned personal computers, laptops and cell phones that require connection to the Athletics network or to other Athletics computer systems require the approval of Athletics IT prior to the connection being made.
D. Inventory Control
– All hardware will be inventoried.
– The inventory list will be maintained on a regular basis.
– Any missing item must be immediately reported to Athletics IT.
E. Installation and Testing
The installation and testing of hardware will follow established change control procedures, and hardware may only be installed and configured by Athletics IT personnel. Athletics IT must approve all hardware and software computer systems and devices prior to purchase or connection to Athletics networks or other computer systems. Adequate testing will be performed to ensure the secure operation of new or repaired hardware prior to being used to support live applications which process or store private information.
Maintenance activities shall only be scheduled by Athletics IT. All Private Information and licensed software will be removed, destroyed, over-written or otherwise made unreadable prior to hardware being released for storage, sale, destruction, donation or maintenance.
IX. Operating Systems and Applications
Operating systems and the applications they run must be protected from unauthorized access and compromise. Therefore, it is essential that operating systems and applications be secured and patched at all times. Internally developed software will be developed in a manner that allows for proper documentation and minimization of vulnerabilities. Only approved and properly licensed operating systems and applications will be installed on Athletics information systems.
Athletics IT will dictate the operating system(s) used on its computer systems. Users will not have the capability to install programs, folders, or files in critical information system areas. Super User/Computer Administrator access to all systems will be limited.
All operating system and application patches will be reviewed and appropriate change procedures will be followed. System backups will be completed prior to and immediately following patches to critical information systems.
The application development methodology will provide detailed documentation and control management that ensures the confidentiality, availability and integrity of information. Audits and quality assurance reviews will be in place to ensure that systems (including applications, networks and equipment configurations) include only approved applications. Change control and implementation on all changes to operating system modules, tables, libraries, application software, etc. will be documented and become a permanent part of the system or application documentation. Change record documentation will reflect the date of change, reason for change, the name of the person making the change and the person who authorized the change. Changes will be adequately tested, independently quality assured, and approved by Athletics IT.
X. Copyrighted Software and Licenses
Athletics employees and users of Athletics information systems and resources are responsible for using only authorized and properly licensed software. Copyrighted software will be used in accordance with the requirements specified within the licensing agreement. Software that has been illegally copied or downloaded from an unauthorized source is prohibited from Athletics information systems. Users are not allowed to download software from the Internet for installation on their machines. Any software you feel you require to perform your job duties that has not already been provided must be requested from your department administrator. Only Athletics IT administrators are allowed to copy or modify purchased software, and then only as expressly provided for in the software license.
XI. Internally Developed Software
All computer software, programs, scripts, etc. developed by Athletics employees or contractors on behalf of Athletics are the property of Athletics and may not be distributed outside of Athletics without authorization from Athletics IT and approval of the Director of Athletics.