The University of Texas at Arlington
Employee Security Manual


WHY?
Automated information and information resources residing in the various components of The University of Texas System are strategic and vital assets to the people of Texas, and we will not betray the trust that they have given to us.
POLICY
It is the policy of The University of Texas System to protect the information resources assets of the State of Texas in accordance with the Department of Information Resources Information Security and Risk Management Policy Standards and Guidelines as published in the Texas Administrative Code 1 TAC 201.13(b), and as authorized by the Information Resources Management Act (Vernon's Ann. Civ. St. Article 4413(32j)).
KEY ROLES

  • Agency Head - Responsible for all information resources within the agency. (President)
  • Information Resources Manager (IRM) - Responsible to the Agency Head for management of the agency's information resources. (Director, Administrative Information Systems)
  • Program Management - Responsible for the information used in carrying out the program(s) under their direction.
  • Technical Management - Assists Program Management in the selection of cost effective controls to be used to protect our information assets. (Administrative Information Systems)
  • Owner - The individual upon whom responsibility rests for carrying out the program that uses the resources. Responsible for establishing the controls that provide the security.
  • Custodian - Implements the controls specified by the owner. (Administrative Information Systems)
  • User - Has the responsibility to
    1. use the resources only for the purpose specified by the owner;
    2. comply with the controls established by the owner; and
    3. prevent disclosure of sensitive information.

    The user is the single most effective control for providing adequate security.

  • Internal and External Audit - Ensure that the agency information assets are being secured adequately.


CLASSIFICATION OF DATA

  • Confidential - Information maintained by the state that is exempt from disclosure under the provisions of the Texas Open Records Act or other state or federal law.
  • Sensitive - Information maintained by the state that requires special precautions, as determined by agency standards and risk management decisions, to assure its accuracy and integrity and to protect it from unauthorized modification or deletion.


STATE LAW

Punishments for
  1. sharing of passwords
  2. unauthorized access
  3. exceeding one's authorized access
  4. disruption of service
  5. computer worms and viruses, and more.


FEDERAL LAW
Applies to any computer that communicates out of the state. Many statutes apply.
SIGNIFICANCE OF RISK-BASED SECURITY
The approach for applying security to Texas assets is not just a case of following the rules that someone defined. It is a process of using layers of physical, electronic, and administrative controls to reduce the risks to the assets. Although some of these controls are well established, no two systems are identical so there is not just one set of rules. They vary depending upon the system and the information contained therein. Using this method everyone is responsible for the protection of the information assets. Therefore any opportunity that you see to improve security with less cost or less hassle to the user should be reported to the data owner or IRM.
WHO IS RESPONSIBLE FOR PROTECTING DATA AND INFORMATION?
The statement that "security is everyone's responsibility" is absolutely true. Each owner, developer, operator and user of information systems has a personal responsibility to protect these resources. Functional managers have the responsibility to provide appropriate security controls for any information resources entrusted to them. These managers are personally responsible for understanding the sensitivity and critical nature of their data and the extent of losses that could occur if the resources are not protected. Managers must ensure that all users of their data and systems are made aware of the practices and procedures used to protect the information resources. When you don't know what your security responsibilities are, ask your manager or supervisor.
WHAT RISKS ARE ASSOCIATED WITH THE USE OF COMPUTERS?
Over the past several decades, computers have taken over virtually all of our major record-keeping functions. Recently, personal computers have made it cost-effective to automate many office functions. Computerization has many advantages and is here to stay; however, automated systems introduce new risks, and we should take steps to control those risks.
We should be concerned with the same risks that existed when manual procedures were used, as well as some new risks created by the unique nature of computers themselves. One risk introduced by computers is the concentration of tremendous amounts of data in one location. The greater the concentration, the greater the consequences of loss or damage. Another example is that computer users access information from remote terminals. We must be able to positively identify the user, as well as ensure that the user is only able to access information and functions that have been authorized. Newspaper accounts of computer "hackers", virus attacks, and other types of intruders underscore the reality of the threat to government and commercial computer systems.
HOW YOU CAN HELP

  • Understand the importance of your information and protect it accordingly.
  • Don't leave your terminal unattended while logged on to sensitive information.
  • Challenge unescorted visitors.
  • Keep backup copies of critical files.
  • Select a good password (at least 6 alphanumeric characters and not a word with repeating characters).
  • Don't write your password down.
  • Don't share your password; it authenticates your ID, and you are responsible for all actions taken with your ID. Likewise, don't use someone else's ID and password.
  • Executable code should be scanned for viruses before you execute it, even off of a floppy diskette.
  • Report all suspected security incidents to your supervisor or the Director of Administrative Information Systems.
  • Make suggestions for security improvements to the data owner.
  • Make security of our information resources a part of your everyday life.

This page was last changed on Friday February 04 2005