Policies

 

利记sbo将进行包括脆弱性评估在内的定期审计, penetration tests, network monitoring, and risk assessments against the University’s computing, networking, telephony, and information resources. 大学的信息安全官被授权进行这些审计，并根据需要访问系统和文件，以支持这些审计. In addition, the President of the University may, at his or her discretion, 授权其他大学人员对特别项目进行审计.

 

Audits may be conducted to: 
 

The execution, development, 实施整治方案是校园使用者的共同责任, departments, systems staff, and the group responsible for the systems and areas being assessed. 用户应充分配合对他们负责的系统进行的任何风险评估. 此外，用户应与指定的风险评估小组合作，制定补救计划.

 

 

This policy applies to all Utica University faculty, staff, and students, and covers all of Utica University’s computing, networking, telephony, and information resources.

 

 

该政策旨在主动识别和减轻大学网络的风险, 遵守美国国家标准与技术研究所和财务会计与准则委员会(FASB)规定的最佳实践, and ensure that risk assessments are conducted efficiently and effectively.

 

 

Audit: 为确保数据和/或系统的完整性而设计的系统评价. Audits may be conducted routinely (i.e., 在指定的时间表)或当有合理的证据表明大学的数据或网络已被破坏.

 

Vulnerability Assessment: As defined by the SANS (SysAdmin, Audit, Network, Security) Institute, “Vulnerabilities are the gateways by which threats are manifested.” A system compromise can occur through a weakness found in a system. 漏洞评估是搜索这些弱点/暴露，以便应用补丁或修复以防止泄露(www.SANS.org, 2001).

 

Penetration Testing: 试图利用在漏洞评估期间发现的漏洞来查找/获取相关数据.

 

Risk Assessment: 确定存在哪些需要保护的信息资源的过程, 以及了解和记录资讯科技保安故障可能造成的潜在风险, confidentiality, integrity, or availability (http://policy.ucop.edu/doc/7000543/BFB-IS-3).

 

Risk Assessment Team: 一个灵活的团队，其成员由信息安全官决定(请参阅参考资料/问题), below) based on the task at hand.

 

 

While IITS staff members who oversee specific areas (e.g., email, networking, etc.) are responsible for day-to-day operations, 信息安全干事负责主动进行审计，以识别漏洞, and has been granted the access required to carry out these duties. 在发生可疑活动或作为脆弱性或风险评估的一部分时, or quarterly review, access may include: 
 

When user interaction is required, 在安排和部署任何评估之前，信息安全主任将与有关地区的负责人讨论漏洞评估的细节.

 

If immediate action is required, 信息安全官将在适当情况下与大学员工联系.

 

 

网络扫描可能会影响网络和服务器性能和/或可用性. Prior notification will be made to those possible affected by the process. 将采取措施减少对大学网络性能和可用性的影响，并确保大学运作的连续性.

 

 

在紧急情况下或资讯保安主任不在时, 负责维护有关系统的人员可采取行动. In some cases, this may mean taking actions without prior consultation. These actions may include rendering systems inaccessible. For example, if there is a problem with a user’s email account, 负责邮件管理的主管将采取适当的措施来保护整个系统的完整性.

 

 

信息安全官将使用以下分类来确定采取行动的必要性和时间表:

 

High – Emergency procedures must be enacted immediately. Response time will be within 24 hours.

Medium – Resolution must be scheduled at the earliest possible time. Response time will be within three days.

低分辨率必须在下一个计划维护期间实施. Response time will be within two weeks.

 

 

信息安全官负责本文件的年度审查. IITS将根据相关系统确保适当的保护措施到位. 信息安全官及其指定人员负责遵循本文档中定义的策略. 

 

 

执行Utica大学的政策是每个政策的“资源/问题”部分列出的办公室或办公室的责任. 负责办公室将联系有关教职员工的适当当局, students, vendors, or visitors who violate policies.

 

利记sbo承认，大学的政策可能无法预料到可能出现的每一个问题. 因此，大学保留就本政策的执行作出合理和相关决定的权利. All such decisions must be approved by an officer of the University (i.e. President, Provost and Vice President for Academic Affairs, Executive Vice President and Chief Advancement Officer, Vice President for Financial Affairs, or Vice President for Legal Affairs and General Counsel).

 

 

For more information, contact the Information Security Officer.

 

请注意，其他利记sbo的政策可能适用或与此政策相关. 如果需要查询相关策略，请使用在线策略手册中的“关键字查询”功能.