TEXAS AGRILIFE RESEARCH PROCEDURES

21.99.10.A1.01

Approved: April 2, 2002
Revised: August 24, 2004
    November 24, 2004
    January 31, 2008
Supplements System Policy 07.01 and System Regulation 21.99.10

1.00 GENERAL

1.01     Under the provisions of the Information Resources Management Act, Information Resources are strategic assets of the State of Texas that must be managed as valuable state resources. These procedures are established to achieve the following:

Violation of these procedures may result in disciplinary action up to and including termination for employees and temporaries; a termination of employment relations in the case of contractors or consultants; or dismissal for interns and volunteers. Additionally, individuals are subject to loss of access privileges to Texas AgriLife Research (AgriLife Research) and other Texas A&M AgriLife (AgriLife) Information Resources, and to civil and criminal prosecution.

1.02     Definitions

A.  Owner of an Information Resource -  A person responsible for a business function and for determining controls and access to information resources supporting that business function.  For AgriLife Research the Director is the owner of all information resources in the agency.

B.   Custodian of an Information Resource - A person responsible for implementing owner‑defined controls and access to an information resource.  For AgriLife Research accountable property officers are the designated custodians of all information resources for which they are responsible.

C.  User of an Information Resource - An individual or automated application authorized to access an information resource in accordance with the owner‑defined controls and access rules.

1.03     Responsibilities

A. The Head, Information Technology, is responsible for the interpretation and administration of these procedures. The Head (or a designee), Information Technology, must:

1.   Develop and maintain written procedures necessary to ensure implementation of and compliance with these procedures.

2.   Provide appropriate support and guidance to assist employees to fulfill their responsibilities under these procedures.

3.   Develop and maintain a business continuity plan so the effects of a disaster will be minimized.

B. Custodians at all levels of the organization must:

1.   Ensure that all appropriate personnel are aware of and comply with these procedures.

2.   Create appropriate performance standards, control practices, and procedures designed to provide reasonable assurance that all employees observe these procedures.

3.   Implement the controls specified by the owner(s).

4.   Schedule risk and vulnerability assessments as warranted by the importance of the data processed by the application.

5.   Provide physical and procedural safeguards for the information resources.

6.   Assist owners in evaluating the cost-effectiveness of controls and monitoring.

7.   Conduct reviews of physical security implementations and develop/update emergency procedures for physical security of IT resources at annual intervals.

8. Ensure information resources are protected from environmental hazards. Designated employees shall be trained to monitor environmental control procedures and equipment. Designated employees shall also be trained in the desired response in case of emergencies or equipment problems.

9.   Implement a written disaster recovery plan for information resources.

10. Implement system identification and logon banners in accordance with state requirements.         

11.  Implement the monitoring techniques and procedures for detecting, reporting, and investigating incidents. Incidents should be reported to securityhelp@ag.tamu.edu or via the web form at http://shasta.tamu.edu/SIRS

12. Perform the review of system logs at regular intervals.

C. Owners at all levels of the organization must:

1. Identify IT services/resources critical to the operation of the business and convey that information to the custodians.

2. Approve access and formally assign custody of an information resource asset.

3. Determine an asset’s value.

4. Specify data control requirements and convey them to the users and custodians.

5. Specify appropriate controls, based on risk assessment, to protect the state's information resources from unauthorized modification, deletion, or disclosure. Controls shall extend to information resources outsourced by the state agency.

6. Confirm that controls are in place to ensure the accuracy, authenticity, and integrity of data.

7. Ensure compliance with applicable controls.

8. Review access lists based on documented security risk management decisions.

D. Users at all levels (including staff, guests or visitors) of the organization must:

1.   Follow requirements for Physical security in section 2.01 of this document

2.   Follow requirements for Computer Software Use and installation, copyrights and license agreements in section 3.01 of this document

3.   Follow requirements for Accounts and passwords in sections 4.01, 4.02 and 4.03 of this document

4.   Follow requirements for Internet and e-mail use in section 5.01 of this document.

5.   Follow Acceptable Use regulations in section 5.03 of this document

6.   Follow Unacceptable Use rules in section 5.04 of this document

7.   Follow Computer virus protection requirements in section 6.02 of this document

8.   Follow Backup and recovery guidelines in section 7.01 of this document

1.04 Terms of use

Electronic files created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of AgriLife Research are the property of the agency.

2.00     PHYSICAL SECURITY

It is agency policy to protect computer hardware, software, data, and documentation from misuse, theft, unauthorized access, and environmental hazards.

2.01     User Responsibilities:

A. Protect information resources in proportion to the value to AgriLife and AgriLife Research.

B.  Physical access to all AgriLife and AgriLife Research information resources shall be documented and managed.

C.  Access to AgriLife and AgriLife Research Information resource facilities shall be granted only to departmental personnel, vendors and other authorized personnel whose job responsibilities require access to the facility.

D.  Security access codes, access cards, and/or keys to AgriLife and AgriLife Research information resource facilities shall not be shared or loaned to others.

E.  Appropriate departmental personnel responsible for the physical security of AgriLife and AgriLife Research information resources shall review access rights for the facility on a periodic basis and revoke access for individuals that no longer require such access.

F.  Diskettes, CDs, tapes, or DVDs should be stored out of sight when not in use. If they contain highly sensitive or confidential data, they must be locked up.

G. Diskettes, CDs, tapes, or DVDs should be kept away from environmental hazards such as heat, direct sunlight, and magnetic fields.

H. Mission critical computer equipment such as file servers or network servers must be protected by an uninterruptible power supply (UPS). Other computer equipment should be protected by a UPS or a surge suppressor if at all possible.

I.    Environmental hazards to hardware such as food, smoke, liquids, high or low humidity, and extreme heat or cold should be avoided.

J.    Employees should exercise care to safeguard the valuable electronic equipment assigned to them. Employees who neglect this duty may be accountable for any loss or damage that may result.

3.00     COMPUTER SOFTWARE USE AND INSTALLATION, COPYRIGHTS AND LICENSE AGREEMENTS

Users of AgriLife Research information resources will comply with all laws regarding intellectual property.  Further, installation and operation of certain non-business software, even if freeware or properly licensed, can result in poor performance of legitimate business software.

AgriLife Research is legally bound to comply with the Federal Copyright Act (Title 17 of the U. S. Code:  http://www4.law.cornell.edu/uscode/17/) and all proprietary software license agreements. Noncompliance can expose AgriLife Research and the responsible user(s) to civil and/or criminal penalties.

This directive applies to all software that is owned by, licensed to, or developed using AgriLife Research resources by employees or non-employee users of AgriLife Research information resources.

3.01     Users Shall:

A. Install on agency computers only software that is licensed to or owned by AgriLife Research and whose license covers installation on the employee’s specific computer.

B. Copy software only if authorized by the specific license agreement governing that software.

C. Install on agency computers only software which has a business or computer maintenance purpose.  As such, use of certain screen savers, internet chat, and other software which has a personal purpose should be avoided.

D. Maintain documentation, original media, or other forms of evidence necessary to demonstrate that software installed on agency computers is properly licensed for the specific machines on which it is installed. Such documentation or media should be stored in a binder, pocket file folder, zip lock bag, or other such storage device, and kept in the immediate vicinity of the computer.  IT support personnel reserve the right to remove any unlicensed software from any computer system.  If such action is taken, the support person will notify the employee and respective supervisor.

4.00     ACCOUNTS AND PASSWORDS

The confidentiality and integrity of data stored on agency computer systems must be protected by access controls to ensure that only authorized users have access. This access shall be restricted to only those capabilities that are appropriate to each user's job duties.

4.01     Account Management Guidelines

A. All accounts created must have an associated request and approval signature on file using the Network Users Form: (http://eit.tamu.edu/NetAdmin/index.htm).  The approval must be made by the appropriate information resource custodian or a designated representative.

B.   All accounts must be uniquely identifiable using the assigned user name.

C.  Accounts will not be created for functional or group use unless the Network Users Form is accompanied by a statement signed by the unit head or administrator certifying that an analysis has been made of the risks associated with such access, that steps are being taken to mitigate those risks, that safeguards are in place to assure the risk is minimized, and that there is a real organizational benefit to implementing such an account and not simply a matter of personal convenience.

D. All passwords for accounts must be constructed in accordance with the password guidelines at http://eit.tamu.edu/passwordinfo/passwords.htm

E.   System Administrators and other designated staff:

1.   are responsible for modifying the accounts of individuals that change roles or are separated from their relationship with AgriLife and AgriLife Research

2.   must have a documented process to modify a user account to accommodate situations such as name changes, accounting changes and permission changes

3.   must have a documented process for periodically reviewing existing accounts for validity

4.   will remove accounts that cannot be associated with active or recognized retired employees or another entity currently supporting AgriLife and AgriLife Research programs

5.   must provide a list of accounts for the systems they administer when requested by authorized AgriLife and AgriLife Research administrators

6.   must cooperate with authorized administrators investigating security incidents

4.02.    Password Standards

A.  All passwords should be constructed and maintained according to the following guidelines:

1.   be routinely changed as outlined below

2.   be at least 8 characters in length

3.   be a combination of upper and lower case alpha and numeric characters

4.   not be anything that can easily be tied back to the account owner such as: user name, social security number, nickname, relatives' names, birth date

5.   not be dictionary words or acronyms

6.   not be the same passwords used for personal accounts with services like Yahoo, MSN, AOL, Hotmail, etc.

B.   User account passwords should not be divulged to anyone nor displayed in a publicly accessible area. IT support personnel will only ask for user account passwords when necessary to resolve a specific problem.

C. If the security of a password is in doubt, the password must be changed immediately.

D. System administrators must not circumvent the password guidelines for the sake of ease of use.

E.   Users should not circumvent password entry with such means as auto logon, auto-complete (also known as 'password remembering'), embedded scripts or hard coded passwords in client software. Exceptions may be made for specific applications (like automated backup).

F.   Computing devices should not be left unattended without enabling a password protected screen saver or logging off of the device.

G. System administrator password change procedures must include the following:

1.   authenticating the user before changing the password

2.   changing to a strong password as described in password guidelines at http://eit.tamu.edu/passwordinfo/passwords.htm

3.   requesting the user to change the password after the next login

4.03     Each user:

A. Shall be responsible for all computer transactions that are made with his/her User ID and password.

B.   Shall not disclose passwords to others. Passwords must be changed immediately if it is suspected that they may have become known to others. Passwords should not be recorded where they may be easily obtained.

C. Should use passwords that will not be easily guessed by others.

D. Should log out or activate a password protected screen saver when leaving a workstation for an extended period. EIT recommends that an inactivity period of no more than 10 minutes be used before a keyboard lock takes place.

4.04     Employee departures

Within ten (10) business days, information resource custodians must notify EIT through submission of a Network Users Form of user transfers and terminations for all users within their respective units.  Information resource custodians must also complete appropriate sections of an AG-442, Property and Termination Checklist which is provided to the AgriLife Human Resources Office following the employee’s departure.

4.05     The agency Information Security Officer will implement a process to periodically monitor compliance with rules regarding both the establishment of accounts as well as the termination of accounts.  The results of such periodic monitoring will be documented and provided to the agency Information Resource Manager annually.

5.00     INTERNET AND E-MAIL

The Internet is a very large, publicly accessible network that has millions of connected users and organizations worldwide. One popular feature of the Internet is e‑mail.

Access to the Internet is provided to users for the benefit of AgriLife Research and its customers. Users are able to connect to a variety of educational information resources around the world.

The Internet is also replete with risks and inappropriate material. To ensure that all users are responsible and productive Internet users and to protect AgriLife Research’s interests, users will adhere to the following guidelines when using the Internet and e‑mail:

5.01     Users who access the Internet for e‑mail shall:

A. Ensure that all communications are for professional reasons and that they do not interfere with their productivity.

B.   Be responsible for the content of all text, audio, or images that they place or send over the Internet.  All official external communications should have the employee's name and contact information included as a signature block. If the communication is personal in nature, the message should include a disclaimer statement indicating that the content of the message does not represent AgriLife Research or any other agency of the Agriculture Program.

C. Not transmit copyrighted materials without permission.

D. Run a virus scan on any file(s) received through the Internet.

E.  Not click on any e-mail attachment that is sent from an unknown source.

F.   Avoid transmission of private customer or employee information. If it is necessary to transmit private information, employees are required to take steps reasonably intended to ensure that information is delivered to the proper person who is authorized to receive such information for a legitimate use.

G.   Understand that e-mail is not a private or secure form of communication and may be viewed in accordance with paragraph 1.02D.

5.02     Users accessing the Internet are not permitted to copy, transfer, rename, add, or delete information or programs belonging to others unless given express permission to do so by the owner. Failure to observe copyright or license agreements may result in disciplinary action by AgriLife Research and/or legal action by the copyright owner.

5.03     Acceptable Use:

Users accessing the Internet are representing AgriLife Research. Users are responsible for ensuring that the Internet is used in an effective, ethical, and lawful manner. Examples of acceptable use are:

A. Using Web browsers to obtain educational information from commercial, governmental, and educational Web sites.

B.   Accessing databases for information as needed to support official business.

C. Using e‑mail for official business communication.

D. Using web browsers to access agency databases and reporting systems.

E.   Setting up web servers for educational or organizational purposes.

5.04     Unacceptable Use:

Users must not access the Internet for purposes that are illegal, unethical, harmful to AgriLife Research or nonproductive. Examples of unacceptable use are:

A. Sending or forwarding chain e‑mail, i.e., messages containing instructions to forward the message to others.

B.   Using AgriLife Research resources for personal use, except to the extent allowed as "incidental personal use" as defined in System Policies & Regulations.

C. Using AgriLife Research resources to promote, or give the appearance of promoting, a personal business; e.g., providing a hypertext link to a family member's business.

D. Transmitting any content that is offensive, harassing, or fraudulent; e.g., pornographic, sexually harassing, or ‘get rich quick’ materials.

6.00     COMPUTER VIRUS PROTECTION

Computer viruses, trojans, worms, spyware, and other such malicious applications are programs designed to make unauthorized changes to programs and data, and therefore, can cause destruction of agency resources.  While technically not the same, the term "virus" will be used below to refer to this general class of destructive software.

It is important to know that:

A. Computer viruses are much easier to prevent than to cure.

B.   Defenses against computer viruses include protection against unauthorized access to computer systems, using only trusted sources for data and programs, and maintaining virus‑scanning software.

6.01     Extension Information Technology (EIT) shall:

A. Assist users with the acquisition, installation, and maintenance of appropriate antivirus software on all computers.

B.   Notify all users of imminent virus attacks, providing them guidance on how to respond, destroy any virus detected, and document each incident

6.02     Users Shall:

A.  establish password protection for access to information resources

B.   not load diskettes of unknown origin

C. scan incoming diskettes for viruses before they are read

D. IMMEDIATELY disconnect workstations from any network to which they may be connected, run available up-to-date virus scanning software, and notify appropriate computer support personnel if it is suspected that their workstations have been infected by viruses.

E.   not connect any web or file servers to the network until they are reasonably certain that they have applied all available software patches and have configured all security settings in the software to the most secure level possible given the purpose and function of the server. If possible, isolated security screening of these servers should be done prior to connecting them to the network.

F.   not use nor access any e-mail system other than the GroupWise system administered by Extension Information Technology unless they have installed and keep up to date the latest virus scanning software and security patches available for this alternative e-mail system

G. not use any internet chat software capable of transferring files unless they have installed and keep up to date the latest virus scanning software and security patches available for that software

7.00     BACKUP AND RECOVERY

All electronic information considered of institutional value should be copied onto backup storage media on a regular basis (i.e., backed up) for disaster recovery and business continuity purposes.  This section outlines the minimum requirements for the creation and retention of backups.  Special backup needs identified through risk analysis which exceed these requirements should be accommodated on an individual basis.

7.01     Users are individually responsible for providing adequate primary backups to ensure the recovery of institutional data and systems in the event of failure or loss.  These backup provisions allow AgriLife Research business processes to be resumed in a reasonable amount of time with minimal loss of data.  Since hardware and software failures can take many forms, and may occur over time, multiple generations of institutional data backups should be maintained.

7.02     General Guidelines:

A.  Backups of institutional data should be retained such that systems are fully recoverable.  This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.

B.   The frequency of backups is determined by the volatility of the data; the retention time for backup copies is determined by the criticality of the data.  At a minimum, backups should be retained for 14 days.

C.  At least two copies of the data should be maintained.

D.  At a minimum, one fully recoverable version of all mission critical data and any required restoration and application software must be stored in a secure, off-site location.  Off site location means any location which is not likely to be subject to the same catastrophic event (fire, flood, tornado, etc.) as the primary site.

E.   Derived data (i.e., data calculated from a raw data source) should be backed up only if restoring it is more efficient than recreating it from the original source.

F.   Mission critical information used on workstations may be placed on networked file server drives to allow for secondary backup.  Likewise, mission critical information used on a networked file server may be placed on individual workstations to allow for secondary backup.

G.  Backup documentation must include identification of mission critical data, programs, documentation, and support items necessary to perform essential tasks during a recovery process.

H.  Documentation of the restoration process must include procedures for the recovery from single-system or application failures or loss as well as a total center or department disaster scenario.

I.    Backup and recovery documentation should be reviewed and updated periodically to account for new technology, business changes, and migration of applications to alternative platforms.

J.    Recovery procedures should be tested on a periodic basis, but no less than annually.

8.00     MANAGEMENT CONTROLS

8.01     Change Management   

A.  General. Change management procedure describes the requirements for managing changes in a rational and predictable manner so that staff and clients can plan accordingly. Changes require serious forethought, careful monitoring, and follow‑up evaluation to reduce negative impact to the user community and to increase the value of information resources.

B.   Controls and Responsibilities

1.   Every change to AgriLife Research Information Resources such as operating systems, computing hardware, networks, and applications is subject to the change management procedure.

2.   Users shall be notified for each scheduled or unscheduled change.

3.   A review shall be performed for each change, whether scheduled or unscheduled, and whether successful or not.

4.   A change management log shall be maintained for all changes. The log shall contain, but is not limited to:

5.   The Agency Director delegates responsibility to all unit heads or their equivalent to ensure that AgriLife Research change management security procedures are implemented in their respective divisions.

8.02     Incident Management   

A.  General.  This section describes the requirements for dealing with computer security incidents. Security incidents include, but are not restricted to:

B.   Controls and Responsibilities

1.   Whenever a security incident is suspected, the appropriate incident management procedures must be followed.  Incidents involving AgriLife Research IT services should be reported at http://shasta.tamu.edu/SIRS

2.   The information security officer is responsible for notifying the agency director and initiating the appropriate action including restoration as defined in the incident management procedures.

3.   The information security officer is responsible for initiating, completing, and documenting the incident investigation.

4.   The information security officer shall report the security incidents that may involve criminal activity under Texas Penal Code Chapters 33 (Computer Crimes) or 33A (Telecommunications Crimes) to the AgriLife Research Associate Director for Finance and Administration.

5.   If fraud or theft is suspected as part of security incident detection, the person detecting the incident shall follow System Policy 21.04 Control of Fraud and Fraudulent Actions.

6.   The information security officer is responsible for reporting the incidents to Department of Information Resources as outlined in Texas Administrative Code 202.

8.03     Intrusion Detection

A.  General. Intrusion detection plays an important role in implementing and enforcing an organizational security policy. As information systems grow in complexity, effective security systems must evolve. With the proliferation of vulnerability points introduced by the use of distributed systems, some type of assurance is needed that the systems and network are secure. Intrusion detection systems can provide part of that assurance. Intrusion detection provides two important functions in protecting information resources:

1.   Feedback: information as to the effectiveness of other components of the security system. If a robust and effective intrusion detection system is in place, the lack of detected intrusions is an indication that other defenses are working.

2.   Trigger: a mechanism that determines when to activate planned responses to an intrusion incident.

B.   Controls and Responsibilities.

1.   Operating system, user accounting, and application software audit logging processes shall be enabled on all host and server systems where resources permit.

2.   Alarm and alert functions and audit logging of any firewalls and other network perimeter access control systems shall be enabled.

3.   Audit logs from the perimeter access control systems shall be monitored and reviewed periodically by the system administrator.

4.   System integrity checks of the firewalls and other network perimeter access control systems shall be performed on a routine basis.

5.   Audit logs for servers and hosts on the internal, protected, network shall be reviewed on a routine basis.

6.   All suspected and/or confirmed instances of successful and/or attempted intrusions shall be immediately reported according to the incident management procedures.

8.04     Network Configuration

A.  General.  AgriLife Research network infrastructure is provided by Texas A&M University and TTVN. It is important that the infrastructure, which includes cabling and the associated 'active equipment', continues to develop with sufficient flexibility to meet AgriLife Research demands while at the same time remaining capable of exploiting anticipated developments in high speed networking technology to allow the future provision of enhanced user services. The purpose of AgriLife Research network configuration procedures is to establish the process for the expansion and use of the network infrastructure.

B.   Controls and Responsibilities.

1.   Texas A&M University and TTVN own and are responsible for AgriLife Research network infrastructure and will continue to manage further developments and enhancements to this infrastructure.

2.   All network connected equipment shall be configured to a specification approved by Texas A&M University or TTVN, as appropriate.

3.   Users shall not extend or re‑transmit network services in any way. This means a user shall not install a router, switch, hub, or wireless access point to the network without Texas A&M University or TTVN approval.

4.   Users shall not install network hardware or software that provides network services without Texas A&M University or TTVN approval.

5.   Users shall not alter network hardware in any way.

8.05     Portable Computing

A.  General. Portable computing devices are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace traditional desktop devices in a wide number of applications. However, the portability offered by these devices may increase the security exposure to groups using the devices. The purpose of AgriLife Research portable computing security procedures is to establish the process for the use of mobile computing devices and their connection to the network.

B.   Controls and Responsibilities.

1.   Portable computing devices shall be protected from unauthorized access by passwords or other means where possible.

2.   All sensitive AgriLife Research data stored on portable computing devices shall be encrypted using approved encryption techniques.

3.   AgriLife Research data shall not be transmitted via wireless to or from a portable computing device unless approved wireless transmission protocols along with approved encryption techniques are utilized.

4.   All remote access (dial in services) to AgriLife Research shall be either through an approved modem pool or via an Internet Service Provider (ISP).

5.   Non AgriLife Research computer systems that require network connectivity shall conform to AgriLife Research Network Connectivity Standards.

6.   Unattended portable computing devices shall be kept physically secure.

8.06     Security Monitoring

A.  General. Security Monitoring is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Monitoring consists of activities such as the review of: user account logs, application logs, data backup recovery logs, automated intrusion detection system logs, etc. The purpose of the security monitoring policy is to ensure that information resource security controls are in place, are effective, and are not being bypassed. One of the benefits of security monitoring is the early identification of wrongdoing or new security vulnerabilities. The security monitoring procedure applies to all individuals that are responsible for the installation of new information resources, the operations of existing information resources, and individuals charged with information resources security.

B.   Controls and Responsibilities.

1.   Automated tools shall provide real time notification of detected wrong-doing and vulnerability exploitation. Where possible a security baseline shall be developed and the tools shall report exceptions. These tools shall be deployed to monitor:

2.   Where possible, the following files shall be checked for signs of wrong-doing and vulnerability exploitation at a frequency determined by risk:  

3.   Where possible, the following checks shall be performed at least annually by assigned individuals:

4.   Any significant security issues discovered and all signs of wrong-doing shall be reported according to incident management procedure.

8.07     Platform Hardening

A.  General.  Servers are relied upon to deliver data in a secure, reliable fashion. There must be assurance that data integrity, confidentiality and availability are maintained. One of the required steps to attain this assurance is to ensure that the servers are installed and maintained in a manner that prevents unauthorized access, unauthorized use, and disruptions in service.  The purpose of AgriLife Research server hardening procedures is to describe the requirements for installing a new server in a secure fashion and maintaining the security integrity of the server and application software.

B.   Controls and Responsibilities.

1.   System Administrators shall install the operating system only from an information resources approved source.

2.   System Administrators shall apply vendor supplied patches.

3.   System Administrators shall remove unnecessary software, system services, and drivers.

4.   System Administrators shall set security parameters, file protections and enable audit logging.

5.   System Administrators shall disable or change the password of default accounts.

6.  System Administrators shall implement system identification and logon banners that include the following statements:

    a. Unauthorized use is prohibited;
    b. Usage may be subject to security testing and monitoring;
    c. Misuse is subject to criminal prosecution;
    d. No expectation of privacy except as otherwise provided by applicable privacy laws.

8.08     Systems Development and Acquisition

A.  General.  The purpose of the system development procedure is to describe the requirements for developing and/or implementing new application software in AgriLife Research. This procedure is designed according to Texas Administrative Code Rule 202.7 ‑ Information Resources Security Safeguards, section Security Policies.

B.   Controls and Responsibilities

1.   Extension Information Technology is responsible for developing, maintaining, and participating in a System Development Life Cycle (SDLC) plan for AgriLife Research system development projects. All software developed in‑house which runs on production systems shall be developed according to the SDLC plan. At a minimum, this plan shall address the areas of preliminary analysis or feasibility study; risk identification and mitigation; systems analysis; general design; detail design; development; quality assurance and acceptance testing; implementation; and post‑implementation maintenance and review. This methodology ensures that the software will be adequately documented and tested before it is used for critical AgriLife Research information.

2.   All production systems shall have designated Owners and Custodians for the critical information they process. EIT shall perform periodic risk assessments of production systems to determine whether the controls employed are adequate.

3.   All production systems shall have an access control system to restrict who can access the system as well as restrict the privileges available to these users. A designated access control administrator, who is not a regular user on the system in question, shall be assigned for all production systems.

4.   Where resources permit, there shall be a separation between the production, development, and test environments. This ensures that security is rigorously maintained for the production system, while the development and test environments can maximize productivity with fewer security restrictions. Where these distinctions have been established, development and test staff shall not be permitted to have access to production systems.

8.09     Vendor Access

A.  General. Vendors play an important role in the support of hardware and software management, and operations for customers. Vendors can remotely view, copy and modify data and audit logs, correct software and operating systems problems, monitor and fine tune system performance, monitor hardware performance and errors, modify environmental systems, and reset alarm thresholds. Setting limits and controls on what can be seen, copied, modified, and controlled by vendors will eliminate or reduce the risk of loss of revenue, liability, loss of trust, and embarrassment to AgriLife Research. The purpose of AgriLife Research vendor access procedures is to establish the process for vendor access to AgriLife Research information resources and support services (A/C, UPS, PDU, fire suppression, etc.), vendor responsibilities, and protection of AgriLife Research information. AgriLife Research vendor access procedure applies to all individuals who are responsible for the installation of new information resources assets, and the operations and maintenance of existing information resources and who do or may allow vendor access for maintenance, monitoring and troubleshooting purposes.

B.   Controls and Responsibilities.

1.   Vendors shall comply with all applicable AgriLife Research policies, practice standards and agreements, including, but not limited to:

2.   Vendor agreements and contracts shall specify:

3.   AgriLife Research shall provide an information resources point of contact for the vendor. The point of contact will work with the Vendor to make certain the Vendor is in compliance with these policies.

4.   Each vendor shall provide AgriLife Research with a list of all employees working on the contract. The list shall be updated and provided to AgriLife Research within 24 hours of staff changes.

5.   Each vendor employee with access to AgriLife Research sensitive information shall be cleared to handle that information.

6.   Vendor personnel shall report all security incidents directly to the appropriate AgriLife Research personnel.

7.   If vendor management is involved in AgriLife Research security incident management, the responsibilities and details shall be specified in the contract.

8.   Regular work hours and duties shall be defined in the contract. Work outside of defined parameters must be approved in writing by appropriate AgriLife Research management personnel.

9.00     TRAINING AND ACKNOWLEDGMENT

New employees will receive training on information security measures and requirements and be required to acknowledge receipt and acceptance of the provisions of this rule, by signing AgriLife Form AG-415, Employee In-Processing Acknowledgment.  All employees are expected to review and acknowledge the provisions of this rule every year, and will do so through classes offered in HRConnect, the online HR site of the TAMUS Human Resources office. Non-employee users of AgriLife Research information resources will be issued a copy of these information security guidelines and required to sign an acknowledgment form prior to being granted access to AgriLife Research information resources.

10.00 ADMINISTRATOR/SPECIAL ACCESS

Technical support staff, security administrators, system administrators and others may have special access account privilege requirements compared to typical users. Administrator accounts and other special access accounts have extended and overarching privileges in comparison with typical users. Thus, the granting, controlling and monitoring of these accounts is extremely important to an overall security program. The purpose of the administrator/special access management procedure is to establish the process for the creation, use, monitoring, control and removal of accounts with special access privilege.

10.01.     Departments/units shall maintain a list(s) of personnel who have administrator, or special access accounts for departmental/unit information resources systems. The list(s) shall be reviewed at least annually by the appropriate department/unit head or their designee.

10.02.     Electronic files, including e-mail, created, sent, received, or stored on Information Resources owned, leased, administered, or otherwise under the custody and control of AgriLife Research are not private and may be accessed by supervisors, administrative heads, authorized administrative personnel, and AgriLife and AgriLife Research Information Technology (IT) employees during the course of their duties or when authorized by the owner or custodian at any time without knowledge of the Information Resources user. Electronic file content may be accessed by appropriate personnel in accordance with the provisions and safeguards provided in the Texas Administrative Code 202, Information Resource Standards. Information, including e-mail files, may also be subject to disclosure under the Texas Public Information Act and/or during the discovery phase of a lawsuit.

10.03.   In the course of their normal duties to assure the availability, integrity, utility, authenticity, and confidentiality of IT resources, administrators with special access privileges may routinely access descriptive data to investigate various events related to the performance or security of those resources. Personnel from Computing and Information Services (e.g., CIS Network Group) may also routinely investigate events related to the performance and secure operation of the TAMU network. System Administrators may at times also access user data in maintaining the operational integrity and security of information resources. System Administrators shall, however, maintain the confidentiality of user data to the extent possible and not divulge user data except to authorized AgriLife Research officials (such as described in section 4 below).

10.04.   Use of special access privileges to conduct investigations related to user data shall be directed by:

A.  Appropriate AgriLife Research management personnel (e.g., department/unit Head, Director, etc.);

B.    System officials conducting investigations (e.g., System Internal Audit, Office of General Counsel, Designated Officer conducting inquiry investigating possible misconduct in AgriLife Research or scholarship, Investigating Authority in a sexual harassment investigation, investigation of Student Rules violations, or representatives of Information Technology Issues Management (ITIM) of Computing and Information Services (CIS), etc.).

Prior to conducting such investigations, the individual with administrator/special access will consult with Information Technology Issues Management (ITIM).

11.00  PRIVACY

Privacy policies are mechanisms used to establish the responsibilities and limits for system administrators and users in providing privacy in AgriLife Research and TAMU information resources. AgriLife Research has the right to examine information on information resources which are under the control or custody of AgriLife Research or TAMU. The general right to privacy is extended to the electronic environment to the extent possible. However, there should be no expectation of privacy beyond that which is expressly provided by applicable privacy laws. Privacy is limited by the Texas Public Information Act, administrative review, computer system administration, and audits.

11.01.        Privacy of information shall be provided to users of AgriLife Research or TAMU information resources consistent with obligations of Texas and Federal law and/or secure operation of AgriLife Research or TAMU information resources.

11.02.      In the normal course of their duties, system administrators may examine user activities, files, electronic mail, and printer listings to gather sufficient information to diagnose and correct problems with system software or hardware.

A.  In order to protect against hardware and software failures, backups of all data stored on AgriLife Research or TAMU information resources may be made. System administrators have the right to examine the contents of these backups to gather sufficient information to diagnose and correct problems with system software or hardware. It is the user's responsibility to find out retention policies for any data of concern.

B.  The Director or designee may designate certain individuals or functional areas who may monitor user activities and/or examine data solely to determine if unauthorized access to a system or data is occurring or has occurred. If files are examined, the file owner will be informed as soon as practical, subject to delay in the case of an on-going investigation.

C.  Files owned by individual users are to be considered as private, whether or not they are accessible by other users. The ability to read a file does not imply consent to read that file. Under no circumstances may a user alter a file that does not belong to him or her without prior consent of the file's owner. The ability to alter a file does not imply consent to alter that file.

D. Some individually owned files are by definition open access. Examples include Unix plan files, Web files made available through a system-wide facility and files made available on an anonymous ftp server. Any authorized user that can access these files may assume consent has been given.

11.03.    If access to information is desired without the consent and/or knowledge of the file owner or if inappropriate use of agency information resources is suspected, files may be reviewed without the consent and/or knowledge of the file owner or file user as identified in section 10.03 of this document.

11.04.   If criminal activity is suspected, the UPD or other appropriate law enforcement agency must be notified. All further access to information on AgriLife Research or TAMU information resources must be in accordance with directives from law enforcement agencies.

11.05.   Information resource owners or custodians will provide access to information requested by auditors in the performance of their jobs. Notification to file owners will be as directed by the auditors.

11.06.      Other than exceptions in 2.2, 2.3, 2.4 and 5, access to information by someone other than the file owner requires the owner’s explicit, advance consent.

11.07.      Unless otherwise provided for, individuals whose relationship with AgriLife Research or TAMU is terminated (e.g., student graduates; employee takes new job; visitors depart) are considered to cede ownership to the information resource custodian. Custodians should determine what information is to be retained and delete all other information.

11.08.     AgriLife Research and TAMU collect and process many different types of information from third parties. Much of this information is confidential and shall be protected in accordance with all applicable laws and regulations (e.g., Gramm-Leach-Bliley Act, Texas Administrative Code 202).

11.09.     Individuals who have special access to information because of their position have the absolute responsibility to not take advantage of that access. If information is inadvertently gained (e.g., seeing a copy of a test or homework) that could provide personal benefit, the individual has the responsibility to notify both the owner of the data and the organizational unit head.

11.10.      AgriLife Research or TAMU web sites available to the general public shall contain a Privacy Statement such as that found at http://www.tamu.edu/home/statements/privacy.html

11.11.    Users of AgriLife Research or TAMU information resources shall call CIS Helpdesk (979-845-8300) to report any compromise of security which could lead to divulging confidential information including, but not limited to, posting social security numbers to the internet.

Questions concerning this procedure should be directed to the AgriLife Extension Information Technology at 979-845-9689.