It is the policy of Illinois State University that information used to support the University's operations be accurate and available for use when appropriate; that the information be used in a manner which protects the integrity of the data and the privacy of those associated with it; and that confidential, sensitive, proprietary information be protected from corruption, loss, unauthorized access and disclosure.
Furthermore, it is the University's policy to promote an open computing environment that allows access for all individuals to computing resources. In order to protect its information assets, the University relies heavily on its computerized information systems and recognizes that all computerized resources, including software programs, data, hardware, and networks, must be protected from misuse and operated and maintained in a secure environment.
Access to information resources and the information technology environment is a privilege and must be treated as such by all users of University computing and network resources. Access to University information and the sharing and security of that information requires that each user accept responsibility to protect the rights of the University and the University community. Any user of University computerized resources who, without authorization, distributes, accesses, uses, destroys, alters, dismantles, disfigures or disables University information resources is a threat to the secure environment of the University community. These actions will be regarded as unethical and unacceptable conduct, and will be subject to the appropriate disciplinary actions.
The Information Resource Access and Security Policy applies to all University information resources and the access to those resources.
Individual - An employee, emeritus or retired staff, student, agent, consultant, or any other person whose services are procured by a contract, appointment or through a temporary personnel agency.
Information Resources - Computer facilities, electronic media, communications networks, software programs of all types, administrative and academic systems, hardware of all types and data. These information resources include, but are not limited to, on-line and batch administrative and academic systems and applications, application software, operating system software, operating support software, security software, data files and databases, mainframe, mini, micro or personal computers, printers, data storage devices and media, video monitors, communications controllers, monitoring equipment, modems, transmission media of all types, gateways, networks (local area, backbone, wide area, etc.) and networks used to communicate to other state, national, and international computerized resources.
Data - Any and all information, regardless of form, that is contained in or processed by the University's information resources.
Data Custodians and LAN Coordinators - Individuals delegated by University management to provide the means for controlling the information resources within their units. Data Custodians are responsible for authorizing access and LAN Coordinators are responsible for administering access.
Computer virus - A computer program that destroys or alters data.
RACF - Resource Access Control Facility.
ISPF - Interactive System Productivity Facility.
NVAS - NetView Access Services.
TSO - Time Sharing Option.
SYSM - Product to support e-mail.
E-mail - Electronic Mail.
The intent of this policy is to ensure the confidentiality, availability, and integrity of University data; reduce the risk of data loss by accidental or intentional modification, disclosure or destruction; prevent the unauthorized use of information for commercial gain or malicious purposes; and to preserve the University's rights and remedies in the event of such a loss. Each individual in the University community is responsible for understanding this policy and complying with its terms.
The University will exercise information resource security precautions based on the following criteria:
Specific precautions and resulting standards and procedures shall be consistent with, and conform to, this policy and the University Policy Manual.
The University will implement information resource security precautions in such a way as to:
Information Systems reserves the right to deny any request, restrict access or remove a person's account for reasons of data security or failure to comply with the policies and procedures of the University. By issuing an account for an individual, Information Systems is not implying that the person should have access to any application, transaction or data on any given computer system(s). Such access must further be granted by the custodian of the application, transaction or data. (See Section 5.0)
The following individuals will be permitted to have user accounts on the computer systems maintained by Information Systems, provided that they complete the appropriate application:
Full or part-time faculty, staff and students of the University will be permitted to have accounts on Illinois State computer systems as long as they maintain their status as employees or students.
Any faculty, staff and students affiliated with another academic institution, working in collaboration with a faculty or staff member of Illinois State, may request an account. That request must be in writing on the Project Number Request Form (Appendix J) initiated by the Illinois State faculty or staff member. Each application will be reviewed and approval or disapproval noted on the form.
Emeritus faculty and retired Administrative/Professional personnel of Illinois State may have an account if the request is submitted to and approved by the Provost's Office.
Retired Civil Service staff of Illinois State may have an account if the request is submitted to and approved by the Office of Human Resources.
Access will be granted, on a case-by-case basis, by the faculty or staff member associated with Illinois State.
It is the responsibility of all members of the University community to protect its information assets. Specific responsibilities are listed below.
Individuals who use University information resources are responsible for adhering to all policies, standards, and procedures for securing data, including the following:
The Data Security Administrator shall be an ex-officio member of the University Computing Policy Committee. It is the responsibility of the Data Security Administrator to:
Questions regarding access and security issues and requests for staff training should be directed to the Data Security Administrator.
University management personnel responsible for controlling the acquisition, use, change and deletion of data are responsible for establishing and maintaining security for information resources within their areas of responsibility, which includes the following:
Departmental Data Custodians are delegated by University management the responsibility for controlling the information resources within their areas. Their responsibilities include the following:
Departmental LAN Coordinators are delegated by University management the responsibility for coordinating the LAN access within their departments. Their responsibilities include the following:
Information Systems maintains information resources for many automated functions throughout the University and is responsible for the following:
Internal Auditing is responsible for evaluating controls and procedures; testing compliance with security policies, standards, and procedures; and for reporting to University management the adequacy of information resource access and security controls.
University Police is responsible for investigating instances of computer abuse.
In accordance with the Family Educational Rights and Privacy Act of 1974, Illinois State has established the following policy to ensure the security and confidentiality of information.
All users of personal computers are responsible for adhering to all policies, standards, and procedures for the use of information resources, including implementing security practices necessary to protect the data stored on the personal computer.
Violations of this Information Resource Access and Security Policy may include, but are not limited to, the following:
Noncompliance or violation of the Information Resource Access and Security Policy will result in revocation of the privilege to access information resources and may also include the following: suspension, termination, civil and/or criminal prosecution, and other disciplinary action, pursuant to all rules and regulations of Illinois State University and State and Federal Laws.
Individual appeals of any of the above University related actions should be made to the University Computing Policy Committee. If the matter cannot be satisfactorily resolved, it will then go through "due-process" systems in place for academic personnel, civil service and students.
Inquiries related to the Information Resource Access and Security Policy or its application shall be referred to the Data Security Administrator or to the University Computing Policy Committee.
Access to information resources requires that specific forms be submitted. Listed below are the forms required to gain access to the different platforms available. Each person should consult with their Data Custodian to determine which forms are required for that unit.
Appendix A: Access to CICS. Must be completed prior to using Appendix B. Technical Contact: Information Systems Access Administrator.
Appendix B: Request for CICS transactions. May be submitted multiple times for additional CICS transactions. Technical Contact: Information Systems Access Administrator.
Appendix C: Access to NetView Access Services, which enables departments to tailor a menu of accessible platforms through one sign-on. This is one step towards good security in the department. Technical Contact: Information Systems Access Administrator.
Appendix D: Access to ISPF CICS. Technical Contact: Information Systems Access Administrator.
Appendix E: Access to TSO. Must be submitted before Appendix F. Technical Contact: Information Systems Access Administrator.
Appendix F: Access to datasets or prefixes for generic access in TSO. May be submitted numerous times. Similar to Appendix B. Technical Contact: Information Systems Access Administrator.
Appendix G: Application to RS/6000. Technical Contact: UNIX Support Manager.
Appendix H: Faculty and student application for E-mail. Technical Contact: Academic E-mail Administrator.
Appendix I: Administrative application for E-mail. Technical Contact: Information Systems Accounting/Billing Services.
Appendix J: Project number request. Technical Contact: Information Systems Accounting/Billing Services.
Appendices K and L: Requests for work on current or new administrative systems. Technical Contact: Director of Administrative Computing.
Forms may be picked up and dropped off at Administrative Information Systems, Julian 101.
Any employee, emeritus or retired staff, student, agent, consultant, or any other person whose services are procured by a contract, appointment or through a temporary personnel agency shall comply with the provisions of the Policy on Information Resource Access and Security.
On February 1, 1999 the President of Illinois State University approved the Policy on Information Resource Access and Security. This policy will be periodically reviewed by Administrative Information Systems and the Information Technology Policy and Planning Council and changes or additions to this policy will be recommended by this Council to the President of the University.
Last Review: April 2000