DRAFT -- University of Tennessee, Knoxville

Information Security Standards

for Implementing the

Use of Information Technology Resources

Policy of the University of Tennessee

 

Preamble

The general policy for Use of Information Technology Resources15 at the University of Tennessee (Policy) contains the governing philosophy for regulating faculty, student, and staff use of the University’s information technology resources. It relates the general principles regarding appropriate use of equipment, software, and networks. By adopting this Policy, the University of Tennessee, Knoxville (UTK) recognizes that all members of the University are also bound by local, state, and federal laws relating to copyrights, privacy, security, and other statutes regarding electronic media. The Policy also recognizes the responsibility of faculty and system administrators to take a leadership role in implementing the Policy and assuring that the University community honors the Policy.

 

Purpose

The purpose of the standards described in this document, UTK Information Security Standards (Standards), is to establish the Information Security Program for UTK that implements UT’s Use of Information Technology Resources (Section 175, Part 01, of UT’s Fiscal Policy Manual)15. The community at UTK is based on principles of honesty, academic integrity, respect for others, and respect for others’ privacy and property.

UTK seeks to:

 

Scope

The Division of Information Infrastructure (DII) is responsible for the creation and implementation of a cost-effective information infrastructure in which authorized users (e.g., students, faculty, staff, alumni, authorized affiliates, and outside clients) can create and share intellectual and administrative information. The Standards described in this document apply to all UTK computing and networking facilities that are provided for use by these users for legitimate purposes relating to education, research, administration, and outreach activities of the University. These Standards do not apply to open access to library materials required for the general public (which are to be addressed in a separate document); however, access from those library systems to remaining UTK IT resources must be limited and restricted.

The UTK IT resources addressed in these Standards includes any computers, computer systems, networks (including telecommunications equipment, e.g., routers, switches), or other devices that are owned by UTK or are attached to or access UTK network assets (including privately-owned computers or systems). UTK IT data resources include all electronic information, institutional data, documents, messages, programs or system software, or configuration files that are stored, executed, or transmitted via University computers, networks or other information systems.

To protect UTK IT resources, the University reserves the right to restrict access to computers and network systems for electronic communications while responding to and correcting reported or suspected abuse in order to investigate / obtain evidence of violations of UTK policies; other organizational policies; or local, state, or federal laws.

 

Responsibilities

Each departmental unit is responsible for the security on their systems and networks and may apply more stringent security policies while connected to UTK IT resources; however, they must follow these Standards as a minimum or risk losing connectivity to UTK networks.

DII is responsible for identifying a campus Information Security Officer who will coordinate and facilitate the campus Information Security Program. This program will include but not be limited to the following:

  1. Development and implementation of information security policies, standards, controls, procedures, and practices as defined UT Fiscal Policy Section 175, Part 01; Use of Information Technology Resources15 in order to protect UTK IT resources.
  2. Development of a Security Awareness and Training Program for users, system administrators, and designated security officers.
  3. Establishment of a central repository for tracking, resolving, and recording security-related incidents through collaboration with responsible organizations.
  4. Recommendations for cost-effective security solutions for unit / departmental systems, network administrators, and designated security officers.
  5. Establishment of UTK’s Best Practices Guidelines for Information Technology Resource Use to include but not limited to:

System Administrator Responsibilities

System administrator privileges on UTK IT resources confer substantial authority as well as responsibility to all other connected systems and networks. Systems through which intrusions are detected may be disconnected from all other UTK IT resources, in order to isolate the intrusion and protect other systems connected to the network until DII is certain the problem has been adequately resolved and will not reoccur.

System administrators are responsible for the implementation of appropriate technical security on their computer systems. They must remain familiar with the changing security technology that relates to their system and continually analyze technical vulnerabilities and their resulting security implications. Stored authentication data (e.g., password files, encryption keys, certificates, personal identification numbers, access codes) must be appropriately protected with access controls, encryption, shadowing, etc. – for example, password files must not be world-readable.

Systems administrators or designated security officers may supplement this document with more unit-specific and/or stringent guidelines for their users, but cannot lessen these Standards. System administrators and designated security officers shall be trained and certified through the Division of Information Infrastructure’s First Responder program. Equivalent prior training and experience is also acceptable to fulfill this requirement.

System administrators shall perform their duties fairly, in cooperation with the user community, the University administration, and in accordance with University policies. System administrators shall respect the privacy of users unless investigating charges of abuse of privileges and shall refer all reported violations to the appropriate authority (e.g., Student Judicial Affairs, OHRM) for disciplinary action.

System administrators are responsible for ensuring appropriate security is enabled and enforced in order to protect the UTK network to which it is connected. UTK reserves the right to immediately disconnect systems from the network while assessing and/or repairing any discovered or reported security incident in order to minimize risk to the rest of the UTK network.

User Responsibilities

There is an expectation of confidentiality / privacy on UTK IT resources inherently granted to users; however, although the University cannot guarantee that privacy, it strives to protect it. Users are expected to act in a responsible, ethical, and legal manner with the understanding that UTK’s IT resources are conducted in a public forum – electronic communications, such as electronic mail, are public records that can be used as evidence in a court of law. Users should respect the rights of others (especially rights of privacy and confidentiality), freedom of expression, intellectual property rights, law, and due process.

Users are required to follow the established guidelines and procedures described in these Standards. Although system administrators or designated security officers strive to provide and preserve the security and integrity of files, account numbers, authorization codes, and passwords, security can be breached through actions or causes beyond their reasonable control. Therefore, users are urged to safeguard their data, personal information, passwords, and authorization codes by taking full advantage of file security mechanisms built into the computer’s operating system.

User’s granted root access are also subject to the Standards for system administrators delineated above.

 

Compliance

The University will not routinely examine the content of a user’s account space; however, it reserves the right to inspect the account contents and investigate the use of that account when an abuse is suspected or reported.

To protect authorized users from the effects of abuse or negligence, the University reserves the rights to limit, restrict, or terminate any account or use of UTK computer resources, and to inspect, copy, remove, or otherwise alter any data, file, or system resources which undermine authorized use.

The University shall not be liable for inadvertent loss of data or interference with files resulting from this action.

System administrators or designated security officers will ensure that user authentication is required before access to any UTK IT resources is granted and that public and open access is restricted to library materials. All users of UTK IT resources agree to the following rules and responsibilities:

  1. No one shall use UTK’s IT resources for personal gain – commercial use of these resources, except for authorized University business, is prohibited.
  2. No one shall interfere with the intended use of UTK’s IT resources. All users shall share computing resources (including bandwidth) in an ethical and fair manner in accordance with the policies and criteria set for the systems involved by cooperating fully and not unduly interfering with other authorized users.
  3. No one shall perform, participate, encourage, or conceal any unauthorized use or attempts of unauthorized use of UTK IT resources.
  4. No one shall use UTK IT communications resources to attempt unauthorized use, or interfere with the legitimate use by authorized users, of other computers or networks elsewhere. Users are responsible for adhering to the policies and standards of such networks. UTK cannot and will not extend any protection to users who violate external network policies. Abuse of networks or computers at other sites through the use of UTK IT resources will be treated as an abuse of UTK IT resource privileges.
  5. No one shall install or use network "sniffers" or otherwise inappropriately intercept or monitor a user’s network traffic or data communications without prior approval from DII.
  6. No one shall use UTK’s IT resources to transmit abusive or harassing material; chain letters or mass mailings (e.g., "spamming"), or other communications prohibited by law; nor launch denial of service attacks against other users, systems, or networks. Users shall take full responsibility for any electronic messages that are transmitted from their accounts through UTK’s telecommunications networks.
  7. No one shall abuse the policies of any newsgroups, mailing lists, and other public forums through which they participate from a University account.
  8. No one shall connect any computer or network system to any of UTK’s networks (e.g., direct connection, direct dial-in access) unless it meets the technical and security standards set and approved by DII.
  9. No one shall give any account authentication (e.g., password) to an unauthorized person, nor obtain another user’s authentication by any means. Since passwords are the first line of defense to UTK IT resources, users must choose passwords carefully and comply with password guidelines [ref.] for effective password protection.
  10. No one shall access UTK IT resources without appropriate authentication. (The only exception to this is restricted open public access for library web materials.) In order to protect UTK IT resources, the use of remote access products requires prior approval from DII to ensure authentication and security functions are implemented.
  11. No one shall misrepresent his or her identity or relationship to the University for the purpose of accessing or attempting unauthorized access to UTK IT resources nor misrepresent his or her identity to other networks (e.g., IP address "spoofing") from UTK IT resources.
  12. No user shall access (e.g., read, write, modify, delete, copy, move) another user’s files or electronic mail without the owner’s permission regardless of whether the operating system allows this access to occur.
  13. No one shall post, copy, install, or use any electronic materials in violation of applicable patent protection and authorizations, copyrights, license agreements, other contracts, or state or federal laws.
  14. No one shall knowingly create, install, execute, or distribute any malicious code (e.g., virus, Trojan Horse, worm) or another surreptitiously destructive program on any UTK IT resource, regardless of the result.
  15. No one shall modify or reconfigure the software, data, or hardware of any UTK IT resource without appropriate authorization.
  16. No one shall knowingly or willingly interfere with the security mechanisms or integrity of UTK IT resources. Users shall not attempt to circumvent data protection schemes or exploit security loopholes.
  17. No one shall place confidential information in computers without appropriately protecting it. The University cannot guarantee the privacy of files, electronic mail, or other information stored or transmitted on UTK’s IT resources.
  18. No one shall compromise the privacy of others or the confidentiality of the information contained on UTK IT resources.

 

Violations

Abuse of UTK policies or standards, abuse of UTK IT resources, or abuse of other sites through the use of UTK IT resources may result in termination of access, disciplinary review, expulsion, termination of employment, legal action, and/or other appropriate disciplinary action. Notification will be made to the appropriate UTK office, e.g., Office of Human Resource Management, Student Judicial Affairs, Dean of Student Affairs, General Counsel, Office of Human Resource Management, UTK police, or local and federal law enforcement agencies.

System administrators and designated security officers will, when necessary, work with other University offices such as the Dean of Students, UT Police, schools’ and colleges’ disciplinary councils, the General Counsel, Office of Human Resource Management, and others in the resolution of security incidents.

 

Reporting Security Incidents / Infractions

Users are expected to report any information concerning instances in which they suspect or have evidence that the above Standards have been or are being violated.

In general, reports about violations of these Standards should be directed to the administrative office of the school, college, or unit for the system involved. That administrative office will be responsible for immediately forwarding Standards violation reports as well as reporting incidents of unauthorized access to UTK IT resources to the Campus Information Security Officer.

Users may report possible or suspected abuses and violations of these Standards to:

abuse@utk.edu for customer relations regarding inappropriate public behavior, network-security@utk.edu for network operations or infrastructure, or security@utk.edu, or the Campus Information Security Officer.

DIGITAL MILLENNIUM COPYRIGHT ACT

The Digital Millennium Copyright Act (DMCA)3, signed into law on October 28, 1998, amended the copyright law to provide limitations for service provider liability relating to online material.

The University of Tennessee, Knoxville (UTK) is considered an Internet Service Provider (ISP) for its community of students, faculty and staff and, in some cases, for other nonprofit organizations. In order to take advantage of some of the DMCA provisions, UTK must take steps to respond to notices received alleging that someone to whom UTK provides Internet service has infringed the rights of a copyright owner. The DMCA does not require UTK to monitor or affirmatively seek out information about copyright infringement by its users.

Principles

· The University of Tennessee, Knoxville respects the rights of copyright holders and will respond promptly to valid complaints.

· The University of Tennessee, Knoxville supports the fair use rights of its students, faculty, and staff.

Compliance with the DMCA

· The University of Tennessee, Knoxville will accommodate and not interfere with standard technical measures that identify and protect rights of copyright owners.

· The University of Tennessee, Knoxville is committed to informing members of the university community of their rights and responsibilities under the DMCA.

· Account holders will be warned in advance that material may be taken down if an infringement complaint is received and that disciplinary action may be taken if they repeatedly infringe copyrights. DMCA compliance information will appear in Hilltopics, Context, staff handbooks, graduate and undergraduate catalogs, and the UTK Policy on Use of Information Resources.

· In cooperation with the General Counsel's Office, authoritative web-based information on copyright, fair use, and the DMCA will be made available to the UTK community.

· Copyright information, including the right to file a counter-notice to a complaint, will be integrated in existing training sessions for UTK faculty, students and staff.

· A decision not to disable access to materials UTK's reasonable belief that the complaint is substantially incomplete, without sufficient foundation, or that a legal defense may apply.

Receiving a Complaint of Online Copyright Infringement

All complaints of online copyright infringement will be referred to UTK's registered agent, the UTK Division of Information Infrastructure. Complaints will be handled by the Information Security Officer, who will first determine the nature of UTK's role.

Determining the Role of UTK

UTK may take advantage of the ISP limitations on liability only if UTK is acting as an ISP, and not as a content provider. The Information Security Officer will make this determination, consulting with the General Counsel's Office as needed.

Take-Down

If the University is eligible for the ISP liability limitation, and the complaint is complete, the Information Security Officer will immediately disable access to the work.

Consultation with Account Holders

As soon as a complaint is received, the Information Security Officer shall notify the account holder of the allegation of infringement. A standard notification will include a copy of the complaint, information on counter notification, put back, and basic copyright rights and responsibilities. This will allow the account holder to voluntarily remove the challenged material or formulate a counter notification of fair use. Under certain circumstances it may be appropriate for the University to participate in the determination of whether fair use or some other exemption may apply that would allow the work to continue to be used.

If the material is to remain down, it is important that the account holder understands why a complaint was made and agrees to refrain from further infringements.

Counter-Notification

If the account holder files a counter-notification claiming that the work is misidentified, or the owner is mistaken and the use is lawful, the Information Security Officer will send the counter-notification to the complainer, explaining that the material will be put back in fewer than 10 to 14 days.

Put Back

Access to the material will be re-established in fewer than 10 to 14 days unless the complainer sends notice that a court order is being sought or other legal action will be taken.

Disciplinary Action

Account holders who infringe the rights of a copyright owner may be subject to disciplinary action. Students will be referred to the Dean of Students and the student judicial process. Faculty will be referred to the Provost and appropriate Dean. Staff will be referred to the Office of Human Resource Management and the appropriate Vice Chancellor.

Other Responses to Infringement Allegations; Investigating Fair Use

Allegations of infringement for which UTK is the content provider and for which UTK is not eligible for liability limitation as an ISP will be referred to both the account owner and the General Counsel's Office. UTK shall respond to these allegations by conducting an investigation into whether the allegedly infringing materials are authorized by law or otherwise do not infringe on copyright protections.

RELATED DOCUMENTS
  1. Being a Good Citizen of the UTK Net Community,

    2. http://notes.utk.edu/DII/GoodCit.nsf.

  2. CAS Code of Computing Practice, http://www.cas.utk.edu/code.html.
  3. Digital Millennium Copyright Act (DMCA),

    4. http://www.educause.edu/issues/dmca.html.

  4. DII Policy on Chain Letters, http://www.cas.utk.edu/faq/chainltr.html.
  5. DII Policy on Spam, http://www.cas.utk.edu/faq/spam.html.
  6. Disciplinary Actions – Security of Computer Files, UT Personnel Procedure, Section 500, Proc. 525-PrB1, 7/1/86.
  7. Hilltopics Student Handbook, Disciplinary Regulations and Procedures, Standards of Conduct, http://funnelweb.utcc.utk.edu/~homepage/hill/hillsoc.htm.
  8. The No Electronic Theft ("NET") Act, http://www.usdoj.gov/criminal/cybercrime/netsum.htm.
  9. NSA Glossary of Terms Used in Security and Intrusion Detection, http://www.sans.org/NSA/glossary.htm.
  10. Privacy and Freedom of Information, http://www.legal.gsa.gov/legal24.htm.
  11. Responsibilities of UTK Network System Administrators and Designated

    12. Security Officers, DII, August 1998 draft, http://notes.utk.edu/DII/netadmin.nsf/pages/home.

  12. Responsible Use of Information Technology, Last revised: July 5, 1996,

    13. Information Policy Advisory Committee.

  13. Software Copyright Compliance, Statement 05, Section 135, Part 01 of the

    14. University of Tennessee Fiscal Policy, http://toltec.lib.utk.edu/~gco/SOFTWARE.html.

  14. Tennessee Computer Crimes Act, http://www.overhill.org/tncrimes.html, http://www.icsa.net/icsalaws/tenn.html.
  15. Use of Information Technology Resources, Section 175, Part 01 of the

University of Tennessee Fiscal Policy, http://solar.cini.utk.edu/ams/5175-01.htm.

ATTACHMENT A: GLOSSARY OF SECURITY TERMS8

 

Abuse The willful or negligent unauthorized activity that affects the availability, confidentiality, or integrity of computer resources. Computer abuse includes fraud, embezzlement, theft, malicious damage, unauthorized use, denial of service, and misappropriation.

Attack An attempt to bypass security controls on a computer. The attack may alter, release, or deny data. Whether an attack will succeed depends on the vulnerability of the computer system and the effectiveness of existing countermeasures.

Audit The independent examination of records and activities to ensure compliance with established controls, policy, and operational procedures, and to recommend any indicated changes in controls, policy, or procedures.

Authenticate To establish the validity of a claimed user or object.

Authentication To positively verify the identity of a user, device, or other entity in a computer system, often as a prerequisite to allowing access to resources in a system.

Availability Assuring information and communications services will be ready for use when expected.

Breach The successful defeat of security controls which could result in a penetration of the system. A violation of controls of a particular information system such that information assets or system components are unduly exposed.

Compromise An intrusion into a computer system where unauthorized disclosure, modification or destruction of sensitive information may have occurred

Computer Security Technological and managerial procedures applied to computer systems to ensure the availability, integrity and confidentiality of information managed by the computer system.

Computer Security Incident Any intrusion or attempted intrusion into an automated information system (AIS). Incidents can include probes of multiple computer systems.

Computer Security Intrusion Any event of unauthorized access or penetration to an automated information system (AIS).

Confidentiality Assuring information will be kept secret, with access limited to appropriate persons.

Countermeasures Action, device, procedure, technique, or other measure that reduces the vulnerability of an automated information system. Countermeasures that are aimed at specific threats and vulnerabilities involve more sophisticated techniques as well as activities traditionally perceived as security.

Crack A popular hacking tool used to decode encrypted passwords. System administrators also use Crack to assess weak passwords by novice users in order to enhance the security of the AIS.

Cracking The act of breaking into a computer system.

Denial of Service Action(s) which prevent any part of an AIS from functioning in accordance with its intended purpose. Antonym of availability.

DNS Spoofing Assuming the DNS name of another system by either corrupting the name service cache of a victim system, or by compromising a domain name server for a valid domain.

Ethernet Sniffing This is listening with software to the Ethernet interface for packets that interest the user. When the software sees a packet that fits certain criteria, it logs it to a file. The most common criteria for an interesting packet is one that contains words like login or password.

Fraud Computer-related crimes involving deliberate misrepresentation or alteration of data in order to obtain something of value.

Hacker A person who enjoys exploring the details of computers and how to stretch their capabilities. A malicious or inquisitive meddler who tries to discover information by poking around. A person who enjoys learning the details of programming systems and how to stretch their capabilities, as opposed to most users who prefer to learn on the minimum necessary.

Hacking Unauthorized use, or attempts to circumvent or bypass the security mechanisms of an information system or network.

Information Security The result of any system of policies and/or procedures for identifying, controlling, and protecting from unauthorized disclosure, information whose protection is authorized by executive order or statute.

Integrity Assuring information will not be accidentally or maliciously altered or destroyed.

Intrusion Any set of actions that attempt to compromise the integrity, confidentiality or availability of a resource.

Intrusion Detection Pertaining to techniques which attempt to detect intrusion into a computer or network by observation of actions, security logs, or audit data. Detection of break-ins or attempts either manually or via software expert systems that operate on logs or other information available on the network.

IP Spoofing An attack whereby a system attempts to illicitly impersonate another system by using IP network address.

Mailbomb The mail sent to urge others to send massive amounts of email to a single system or person, with the intent to crash the recipient's system. Mailbombing is widely regarded as a serious offense.

Malicious Code Hardware, software, of firmware that is intentionally included in a system for an unauthorized purpose; e.g. a Trojan horse, virus, timebomb, worm

Network Attack Operations to disrupt, deny, degrade, or destroy information resident in computers and computer networks, or the computers and networks themselves.

Network Security Protection of networks and their services from unauthorized modification, destruction, or disclosure, and provision of assurance that the network performs its critical functions correctly and there are no harmful side-effects. Network security includes providing for data integrity.

Non-Repudiation Method by which the sender of data is provided with proof of delivery and the recipient is assured of the sender's identity, so that neither can later deny having processed the data.

Packet Sniffer A device or program that monitors the data traveling between computers on a network

Security A condition that results from the establishment and maintenance of protective measures that ensure a state of inviolability from hostile acts or influences.

Security Features The security-relevant functions, mechanisms, and characteristics of AIS hardware and software.

Security Incident Any act or circumstance that involves classified information that deviates from the requirements of governing security publications. For example, compromise, possible compromise, inadvertent disclosure, and deviation.

Security Officer The official having the designated responsibility for the security of and AIS system

Security Policies The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Security Violation An instance in which a user or other person circumvents or defeats the controls of a system to obtain unauthorized access to information contained therein or to system resources.

Smurfing A denial of service attack in which an attacker spoofs the source address of an echo-request ICMP (ping) packet to the broadcast address for a network, causing the machines in the network to respond en masse to the victim thereby clogging its network.

Snarf To grab a large document or file for the purpose of using it with or without the author's permission.

Sniffer A program to capture data across a computer network. Used by hackers to capture user id names and passwords. Software tool that audits and identifies network traffic packets. Is also used legitimately by network operations and maintenance personnel to troubleshoot network problems

Spam To crash a program by overrunning a fixed-site buffer with excessively large input data. Also, to cause a person or newsgroup to be flooded with irrelevant or inappropriate messages.

Spoofing Pretending to be someone else. The deliberate inducement of a user or a resource to take an incorrect action. Attempt to gain access to an AIS by pretending to be an authorized user. Impersonating, masquerading, and mimicking are forms of spoofing.

SSL (Secure Sockets Layer) A session layer protocol that provides authentication and confidentiality to applications.

Subversion Occurs when an intruder modifies the operation of the intrusion detector to force false negatives to occur.

SYN Flood When the SYN queue is flooded, no new connection can be opened.

TCP/IP Transmission Control Protocol/Internetwork Protocol. The suite of protocols the Internet is based on.

Terminal Hijacking Allows an attacker, on a certain machine, to control any terminal session that is in progress. An attack hacker can send and receive terminal I/O while a user is on the terminal.

Tinkerbell Program A monitoring program used to scan incoming network connections and generate alerts when calls are received from particular sites, or when logins are attempted using certain ID's.

Tipwire A software tool for security. Basically, it works with a database that maintains information about the byte count of files. If the byte count has changed, it will identify it to the system security manager.

Trojan Horse An apparently useful and innocent program containing additional hidden code which allows the unauthorized collection, exploitation, falsification, or destruction of data.

TTY Watcher A hacker tool that allows hackers with even a small amount of skill to hijack terminals. It has a GUI interface.

Virus A program that can "infect" other programs by modifying them to include a, possibly evolved, copy of itself.

Vulnerability Hardware, firmware, or software flow that leaves an AIS open for potential exploitation. A weakness in automated system security procedures, administrative controls, physical layout, internal controls, and so forth, that could be exploited by a threat to gain unauthorized access to information or disrupt critical processing.

War Dialer A program that dials a given list or range of numbers and records those which answer with handshake tones, which might be entry points to computer or telecommunications systems.

 

Worm Independent program that replicates from machine to machine across network connections often clogging networks and information systems as it spreads.