Policies of Colorado State University

University Policy

University Seal
Policy Title: Information Technology Security Category: Information Technology
Owner: Vice President for Information Technology Policy ID#: 4-1018-009
Contact:
Division of Information Technology
Web: https://it.colostate.edu
Phone: 970-491-5133
Original Effective Date: 7/8/2004
Last Revision: 4/12/2023

PURPOSE OF THIS POLICY

Colorado State University collects information of a sensitive nature to facilitate and enable its business/academic functions. Unauthorized access to such information may have many severe negative consequences, including adversely affecting the reputation of the University. Protection of such personally identifiable information (PII) from unauthorized access is required by various private sector, federal and state mandates, including among others the Health Insurance Portability and Accountability Act (HIPAA), the Gramm-Leach-Bliley Act (GLBA), the Family Educational Rights and Privacy Act (FERPA), Colorado House Bills 03-1175 and 06-1157, and the Payment Card Industry Data Security Standard (PCI-DSS). Sensitive information is stored on a variety of computer systems in the decentralized information technology (IT) environment at the University. As such systems are being subjected to increasing numbers and types of attempted unauthorized access, conformance to these IT security policies is required and will aid in the protection of such information.

Computers not containing Sensitive Information are also risk factors for the University and should be managed with appropriate security measures. Computer hackers are always searching for computers to compromise, whether or not Sensitive Information exists or is accessible there. Possible consequences of improper security precautions include inappropriate data exposure/access, identity theft, the installation of key loggers, adding or deleting files, and using the computer to distribute copyrighted material without authorization, among others. Indeed, there is even a black market for selling access to compromised computers for use in activities such as distributed denial of service attacks.

Therefore, the following IT security policies are adopted and put into place. The Vice President for Information Technology (VPIT) is responsible for overseeing the implementation and use of these policies. 

DEFINITIONS USED IN THIS POLICY

Application is a computer software program run on a computer for the purpose of providing a business/academic/social function.

Cloud Computing – Any network, remote server, application, digital facility, or related service that is hosted or provisioned on infrastructure external to CSU, and accessed via the Internet, to store, manage, preserve, or process data. It does not include infrastructure or services that are owned, controlled and/or operated solely by the University. Examples of Cloud Computing include: 1) externally hosted file storage Services (e.g. Dropbox, Google Drive, Microsoft OneDrive, Box); 2) externally hosted mail services (Gmail, Hotmail, Yahoo mail, etc.); 3) externally hosted Application services (e.g., Google Apps); and 4) externally hosted social networking applications, blogs and wikis.

Computer Server Systems (Servers) are computers accessed by multiple individuals and/or computers.

CORA, Colorado Open Records Act – Under CORA, records of state institutions of higher education are generally open for public inspection. However, CORA also provides that inspection may be denied or must be denied, depending upon the circumstances. Information at the University, including e-mail and other electronic documents, may be public records subject to inspection upon request under CORA.

Data Classification Levels: 

  • Private Data –Private Data are the most sensitive data at CSU, and as such are subject to the greatest protections. Because of legal, ethical, or other constraints, Private Data may not be accessed without specific authorization, and access may be granted only selectively with final approval from the appropriate Data Authority. Private data encompasses social security numbers, financial information including credit card information, driver’s license information, federally protected personnel information, proprietary research information, third-party proprietary information, personal health information, and any other information that is highly regulated or that through disclosure would adversely affect an individual or tarnish the reputation of the University. Private data may not be shared outside of the University, except as specifically allowed by the Vice President for IT and as approved by the Office of the General Counsel (for example arising from a subpoena).
  • Restricted Data –Restricted Data must be treated with propriety, and used only within the confines of the University, unless specific and appropriate approval is provided for sharing, generally from the Office of the General Counsel. Restricted Data may be accessed by employees of the University needing such access in the conduct of University business. Employees accessing data are responsible to conform to the Principle of Least Privilege, where they are personally responsible for accessing only the minimum amount of data required in the conduct of their necessary business. Employees are also personally responsible for adhering to any and all pertinent University policies, including this IT Security Policy and the Acceptable Use Policy, the Information Collection and Personal Records Privacy Policy, and others. Any requests for data from a member of the public should be referred to the appropriate Data Authority or the Office of the Vice President for IT and General Counsel.
  • Public Data – Public data are directory data, and data explicitly made available to the public (e.g., data available on open, public web pages, or in other publications and venues).

FERPA, Family Educational Rights and Privacy Act (FERPA) sets forth certain requirements regarding student records, including the release and access to such records. Under FERPA, “education records” are defined as records that are directly related to a student and are maintained by the institution. Student education records, except public or directory information, typically may not be disclosed without consent.

Local Area Network (LAN) is an internal network within an institution, e.g., at Colorado State University.

Payment Card Industry Data Security Standard (PCI-DSS) is a set of security requirements defined by the credit card industry, to which the University must comply.

Personal Computers are comprised of desktops, laptops, tablets, and other such devices of all brands, used principally by one individual at a time. This category includes laboratory computers.

PII – Personally Identifiable Information.

Portable Media includes all media or portable devices capable of storing data, including memory sticks, optical disks, disk drives, magnetic tapes, iPods, and laptop computers.

Sensitive Information includes social security numbers, personally identifiable health information, personally identifiable financial information including credit card information, driver’s license information, personnel employment and student performance information, proprietary research and academic information, third-party proprietary information, FERPA-protected non-directory information and any other information that through disclosure would adversely affect an individual or besmirch the reputation of the University. See the three levels of data classification at CSU (Private Data, Restricted Data, and Public Data).

Service – A server application offering specific functionality, typically to users over a network. Examples include web, email, and remote file access.

Virtual Private Network (VPN) is a mechanism for encrypting the information sent from an individual computer to a VPN concentrator that typically exists in a “secure” network location. Alternatively, VPN’s may be implemented between subnetworks (subnets) to encrypt all of the traffic flowing between the subnets, in other words from LAN to WAN to LAN. User authentication is an important element of a VPN in either scenario.

Wide Area Network (WAN) is an external network that provides connectivity among LANs.

POLICY STATEMENT

CSU’s IT Security policies are presented below in five separate sections. 

  • Section I contains general policies and guidelines that pertain to the University’s overall IT environment and are the responsibility of the department owning the IT environment. These general policies and guidelines are to be applied in varying degrees balancing risk, cost and access. As general policies, these are intended to be enduring. 
  • Section II contains mandatory, minimum IT security policies that are to be applied to every CSU IT system. These specific policies are intended to evolve over time to adjust to current threat levels, and as such, are more volatile than the general policies and guidelines in Section I. These mandatory, minimum IT security policies shall be reviewed and updated on a regular schedule aligning with the policy review of the University Policy Office and more frequently should the need arise, for example if significant new IT threats emerge that compromise IT security and that are not covered by the current specific policies. 
  • Section III pertains to specific requirements to protect credit card information, as mandated by the credit card industry. 
  • Section IV describes policies for the use of external Cloud resources to store CSU data. 
  • Section V defines the governance of these policies.

 A short reference to additional resources concludes this document.

POLICY PROVISIONS

SECTION I General IT Security Policies and Guidelines

Applicability

These policies encompass best practices that are in general to be applied comprehensively in the University’s IT environment, except when determined by the University to be unreasonably costly or when the result would be to impair business/academic functions. Common sense judgment is to be used in their application.

Principle of Least Privilege

Least Privilege is a well-established concept in information security. Expressed simply, it is the notion that information and resources should be made available only to those people, processes, or technologies that need them for a legitimate purpose, and for the minimum amount of time they are needed. As a guiding principle for designing and operating information systems, Least Privilege leads to careful system access control, strong authentication, data confidentiality, and default-deny network access control. In particular, access to, perusal of, use of, and storage of Sensitive Information should be kept to the minimum amount of information and time required to accomplish an employee’s business function. Adherence to this precept will ensure that exposure of such Sensitive Information is limited to the extent possible. 

The General Data Protection Regulation (GDPR)

The European Union mandated compliance with their GDPR on May 25, 2018, dealing with privacy and security of an individual’s personal information (very broadly defined, including an individual’s IP address). GDPR applies to the University in certain circumstances, when the data subject (the person whose personal information is collected by the University) is present in the EU, or when CSU exchanges personal data with an entity that is established in the EU. GDPR must be adhered to by anyone who controls or processes data within or for the University. The regulation contains an individual data subject’s rights concerning their personal information. In particular, the following rights are mandated:

  • To know how data are collected, kept and used (e.g. where).
  • To know what data are collected, and kept (e.g. where).
  • To inspect the data collected, for accuracy.
  • When data is held only as a result of the data subject’s consent, the right to withdraw consent to further use of the data.
  • To ask for remediation/corrections in the data collected, for accuracy
  • To be permanently “forgotten,” that is to have all of one’s data, information and login credentials removed permanently from all systems it resides on, and erased when the information is no longer needed for legitimate business purposes.
  • The right to be informed of how their personal data are being used. This right is usually fulfilled by ‘privacy notices’ (or ‘privacy policies’) which set out how an organization will use an individual’s personal data, who it will be shared with, etc.
  • The right of access to their personal data.
  • The right to have their inaccurate personal data corrected.
  • The right to have their personal data erased (right to be forgotten).
  • The right to restrict the processing of their personal data pending its verification or correction. This may result in inability to use some Services, yet that is the data subject’s choice, so we must honor that request.
  • The right to receive copies of their personal data in a machine-readable and commonly-used format (right to data portability).
  • The right to object: to processing (including profiling) of their data that proceeds under particular legal bases; to direct marketing; and to processing of their data for research purposes where that research is not in the public interest.
  • The right not to be subject to a decision based solely on automated decision-making using their personal data.

The University has certain rights and obligations concerning the GDPR, each vested in the GDPR Controller, who is the person designated by the University as the one having control over the data applicable to the particular data use or Service – this is the decentralized mode of compliance, as follows:

  • Implementing policies, procedures, processes and training to promote ‘data protection by design and by default’.
  • Having appropriate contracts in place when outsourcing functions that involve the processing of personal data.
  • Maintaining records of the data processing that is carried out across the organization.
  • Documenting and reporting personal data breaches.
  • Defining GDPR Controllers as the points of contact for questions regarding the GDPR for data and services from the units covered.
  • Identifying and acting on data retention and disposal periods for data under the authority of the GDPR Controller, and acting upon that (i.e. purging data) when the retention period is exhausted. 

The GDPR sets out various exemptions from compliance, two of which are pertinent to institutions of higher education:

  • Personal data processed for journalistic, artistic, literary or ‘academic purposes’ are exempt from the principles and almost all of the rights, though not the accountability requirements.[1]
  • Personal data processed for ‘scientific or historical research purposes’, ‘statistical purposes’ or ‘archiving purposes in the public interest’ are exempt from two of the principles (those stating that personal data shall be processed solely for specified purposes and not kept for longer than necessary) and most of the rights, though not the other principles, the right to be informed (unless providing the privacy notice would be impossible or would involve ‘disproportionate effort’), or the accountability requirements.[2]

[1] Art. 85(2), Rec. 153

[2] Art. 89(1), Rec. 159

IT Security Policies

1. Servers

Servers that contain Sensitive Information are subject to the policies of this section. It is recommended, however, that all servers at the University are brought into compliance with these policies. Departments owning the servers are responsible for ensuring that their servers containing sensitive information are secured in accordance with these policies. Servers shall be protected as follows:

  1. Such servers shall be housed in a physically secure facility where access is limited to only those individuals requiring access to perform routine or emergency maintenance on the system.
  2. To the degree practicable, only operating systems and applications that provide high levels of security shall be used, system security features shall be enabled, and security updates (patches) shall be applied in a timely manner. Please see the DoIT website for a list of acceptable versions of operating systems and applications for servers. 
  3. Server-side computer virus protection shall be implemented and kept up to date.
  4. Services and Applications installed/enabled shall be the minimum necessary to accomplish the required business and/or academic functions. Such Services and applications shall be reviewed periodically for conformance with this aspect of the policy.
  5. Network traffic shall be limited to only those Services and ports considered essential, unless exceptions to allow access to required Services are requested and granted. Periodically, such exceptions shall be reviewed to be in conformance with this aspect of the policy.
  6. In cases where computers are dedicated to specialized applications and cannot be brought into compliance with these policies, particularly with regard to minimum operating system versions, efforts shall be made to isolate the system from the campus environment using a hardware firewall. Approval for continuing to operate such systems must be obtained from CSU’s Chief Information Security Officer.
  7. Individual access shall be limited to only those needing access for legitimate business/academic purposes. Periodically, individual access shall be reviewed to be in conformance with this aspect of the policy.
  8. The amount of Sensitive Information collected and stored shall be the minimum amount required for the efficient and effective conduct of business and academic functions. In particular, Sensitive Information that is old and not needed in the normal course of academic/business operations should be removed and archived elsewhere, and these archives should be secured physically to the degree warranted by the amount and nature of the Sensitive Information archived.
  9. Reasonable and prudent efforts shall be made to isolate sensitive data from open access, for example on a separate back-end database server accessible only from a front-end web server that has been diligently protected.
  10. To the extent practicable, servers shall maintain log files to record events relevant to Services offered on that system (e.g. user access, failed login attempts, application access, etc.). These log files shall be reviewed regularly, either manually or via an automated process. System administrators shall take appropriate action to investigate and respond appropriately to events of a suspicious or illicit nature.
  11. To the degree practicable, only secure connections and file transfers shall be allowed, for example by using secure web protocols (HTTPS), secure connections (e.g. SSL and SSH), and other secure mechanisms for connections (e.g. the campus VPN). This policy is particularly relevant when allowing access from external (non-CSU) networks.
  12. To the degree practicable, remote access to the server that would potentially allow root or system-level control shall use encrypted protocols, shall use strong authentication, and should limit access to authorized source addresses and users (ideally through a separate, central service such as a load-balancer, proxy, or VPN).
  13. Server files shall be backed up on a regular schedule, and off-site storage of back-ups in a secure location shall be performed on a regular schedule. DoIT offers secure, off-site storage to interested parties.
  14. Where the server contains especially Sensitive Information that merits an additional measure of protection, either due to the quantity of Sensitive Information or information of an exceptionally sensitive nature, the integrity of systems logs should be preserved, for example by mirroring system logs on other servers, so that in the event of unauthorized access, analysis and traceback can be accomplished.
  15. Servers shall be scanned for operating system and application vulnerabilities on a regular schedule. Vulnerabilities detected shall be addressed in a timely manner.
  16. Contact information for system administrators of such servers shall be communicated to DoIT and kept up to date. This information shall include name, office telephone number, email address, and home, pager and cellular telephone numbers.
  17. To prevent the inadvertent release of Sensitive Information stored on hard drives when systems or components are decommissioned, all storage media must be sanitized in accordance with the guidelines in NIST 800-88 Revision 1 prior to release to other agencies. Surplus Property will either sanitize or destroy disk drives for a normal fee. 

 2. Personal Computers

Personal Computers as defined above shall be protected in accordance with a balance between the risks of not protecting them, the cost (effort and expense) of protecting them, and the required functionality (for example, sometimes specialized Personal Computers are required to meet research objectives and cannot and sometimes should not be protected at the same level as general-purpose computers). Departments owning the Personal Computers are responsible for ensuring that their Personal Computers either containing or used to access Sensitive Information are secured in accordance with these policies. It is recommended, however, that all Personal Computers at the University are brought into compliance. Guidelines and ‘best practices’ for securing Windows desktops on campus are provided by DoIT. In general, Personal Computers are subject to the following policies:

  1. Only operating systems and applications that provide high levels of security shall be used, and security updates (patches) shall be applied in a timely manner. A list of acceptable versions of operating systems and applications for Personal Computers connecting to the University network are provided by DoIT.
  2. Computer virus protection shall be implemented and kept up to date.
  3. Services and Applications offered shall be the minimum necessary to accomplish the desired business/academic functions.
  4. Network traffic shall be limited to only those Services and ports considered essential and required for legitimate business/academic purposes.
  5. Access to campus resources from remote Personal Computers via external providers (such as Comcast, CenturyLink, hotel networks, or any wireless network), shall be secure, e.g. encrypted over a VPN connection terminated on the University’s VPN concentrator.
  6. To prevent the inadvertent release of Sensitive Information stored on hard drives, all drives must be sanitized in accordance with the guidelines in NIST 800-88 Revision 1 prior to release to other agencies, or disposal. Surplus Property will either sanitize or destroy disk drives for a nominal fee.
  7. The amount of Sensitive Information collected and stored shall be the minimum amount required for the efficient and effective conduct of business and academic functions. In particular, Sensitive Information that is old and not needed in the normal course of academic/business operations should be removed and archived elsewhere, e.g. on tape, optical disk, on a “dark archive,” etc.

 3. Network Security

The campus network is critical for the conduct of university business and instructional functions, and its integrity is dependent upon proper IT security implemented on all users’ computers. IT support personnel and all users should be both familiar and compliant with the CSU Policy: Acceptable Use for Computing and Network Resources.

The best security model addresses vulnerabilities at multiple levels, a concept known as “defense in depth”. This document focuses primarily on securing systems and data, via virus protection, application and operating system patch management, passwords, etc. DoIT strives to secure the central network infrastructure to the extent possible, though colleges and departments are responsible for maintaining their LANs. DoIT networking staff is available to assist IT managers with evaluating their current networking environment and will recommend solutions for improving security at the network level.

Scanning--to expose system and application vulnerabilities, to assess adequate patching levels, and to assess the adequacy of information protection--is a fundamental IT security measure, and will be employed as a regular practice.

DoIT has the authority, at its discretion, to scan any and all computers connected to the University’s network without explicit permission from the computer’s owner, operator or system administrator. DoIT shall use reasonable and prudent measures to inform subnet managers of the scope and nature of scans that are to be done. Departmental IT staff may develop policies and procedures for scanning their own systems. Except as noted above, no one is authorized to scan systems they do not own or administer without prior, written approval from departmental officials at an appropriate level.

4. Passwords 

The act of authentication is the assertion that a credential (a username or other identifier) is possessed and being used by the appropriate person. Support for the veracity of this assertion can be provided by various authentication factors (also known as authentication tokens). The password (a knowledge-based factor) is the most common token, but others can include physical devices (possession-based factors) or personal physical characteristics such as fingerprints, faces, or writing patterns (biometric-based factors). 

Each type of factor provides some security, though the effectiveness of the protection provided will vary depending on the methods of implementation and enforcement. For instance, passwords can easily be guessed unless they are very long, but long passwords can be harder to remember. Similarly, physical tokens can be stolen, and biometric tokens can be mimicked. For the strongest authentication, appropriate for protecting access to Sensitive Information, different factor types can be combined in an approach called “multi-factor authentication” (MFA). 

This enhanced level of authentication is necessary in today’s IT Security environment. Therefore, it is CSU’s policy that MFA shall be implemented in an evolutionary, phased-in approach, to ease adoption and to prioritize the protection of highest-risk systems and most Sensitive Information. MFA is required for external access through the Virtual Private Network. As MFA becomes available and implementable for additional high-risk systems, central IT will implement it incrementally based upon a risk-based balance of authentication technologies, such as that described by the National Institute of Standards and Technology in the publication SP 800-63 Digital Identity Guidelines

Where passwords are used, prudent measures must be used to ensure that user passwords are hard to guess, systems are configured to avoid password theft, and users are encouraged to avoid fraudulent attempts to obtain their passwords. This is especially so for administrative accounts and is a requirement for central authentication credentials (netID). Standards and tips for creating good passwords, and instructions for using MFA, can be found on the DoIT security website.

5. Files and File Storage

In general, users are responsible for their own files, including the information contained in those files, and ensuring that files containing critical data are backed up and/or stored in multiple locations.

Files containing Sensitive Information are best maintained on a physically secured and “hardened” server.

Sensitive data in individuals’ files should be kept to a minimum, and reasonable and prudent protection of those files shall be implemented by the system administrator. In particular, files containing significant amounts of sensitive data stored on portable devices must be protected with strong encryption. As currently interpreted by government regulations and industry standards, "strong encryption" means either the Triple Data Encryption Standard (3DES) or the Advanced Encryption Standard (AES). If AES is chosen, it should be used with the maximum available key length. Furthermore, Sensitive Information that is old and not needed in the normal course of academic/business operations should be removed and securely archived elsewhere.

All types of physical IT media (disks, tapes, optical disks, memory sticks, memory cards, etc.) containing sensitive data shall be disposed of properly, ensuring that the sensitive data is not accessible after disposal. This may be accomplished either by degaussing, or physically destroying the media (e.g. shredding), or both. The owner of physical media that is being disposed is responsible for ensuring that the Sensitive Information is not accessible after disposal.

It is the responsibility of the owner of files containing sensitive data that are transmitted via the network to ensure that the files are reasonably protected against unauthorized access. Common measures that may be taken for files transmitted across unsecured networks are encryption of the files or establishing an encrypted network connection between the endpoints.

Having significant amounts of sensitive data in unencrypted form in insecure locations is prohibited.

In particular, unencrypted back-up tapes containing Sensitive Information must be secured at all times, and should not be removed from University property.

In order to minimize the substantial risk associated with maintaining files containing unencrypted sensitive data, University IT staff may, with proper approval, scan files and monitor network traffic for sensitive data. Such scanning is solely for the purpose of protecting Sensitive Information. IT staff are not permitted to access others’ personal files without their permission for any other purpose, nor are they permitted to disclose such information other than for the purposes of ensuring that sensitive data are protected. DoIT will work with campus IT administrators, recommending tools and procedures for scanning departmental computers for sensitive data. Upon detection of files containing sensitive data, the owner will be contacted and asked to comply with this CSU IT Security Policy.

6. Personally-owned Computers

Personally owned computers that routinely use University IT resources, including access to University networks, servers and/or other IT resources, and/or that contain sensitive University information, are subject to these same policies as are those computers owned and operated by the University.

7. Wireless Networks

The University funds and operates wireless networks for University business as well as for visitors. In general, these networks are subject to the same requirements as the University's wired network (see section I.3 and II.2: “Network Security”). Due to the nature of wireless networking, devices using the Wi-Fi spectra (2.4GHz and 5GHz) are subject to additional restrictions in order to maintain a functional campus network, therefore unauthorized wireless devices shall not be connected to the University's network. Furthermore, devices that interfere with the University's use of these spectra are not permitted. DoIT provides a list of approved classes of devices, and recommended configurations. University business conducted via wireless devices shall use the encrypted, authenticated wireless networks provided for students, faculty, staff, and visitors from eduroam member institutions.

8. Social Security Numbers

Social security numbers (SSNs) shall not be stored on University computers unless written authorization for doing so has been obtained from the Vice President for Information Technology. The Registrar’s Office and the Human Resource Services Office may store SSNs in an extremely secure location, with access strictly restricted to the minimum number of staff, as required for resolving identities, generating income tax reporting, etc.

9. Communications Rooms

Communications rooms housing telephone networks, data networks, servers, security systems including surveillance, alarm and card access systems, and other similar electronic devices and systems shall be physically secure, and access shall be limited only to those personnel directly responsible for operating and maintaining those systems. Any additions to hardware in communications rooms (other than replacement of existing hardware) must be authorized by the VPIT. Authorization forms for this can be obtained from DoIT.

Responses to IT Security Incidents

IT security incidents should be immediately reported to DoIT, which may assemble an IT security response team after becoming aware of IT security incidents. This response team will generally be comprised of 1) the Chief Information Security Officer or designee, 2) appropriate technical staff from DoIT and from the affected department(s), and 3) administrative staff from the affected department(s). All personnel so engaged should be prepared to devote the needed time and effort to dealing with the incident from the time the incident is identified until the incident is resolved or otherwise as agreed upon by the team.

The timeliness and extent of responses to IT security incidents should in general be proportionate to the risk associated with the incident. For example, where the incident involves a significant quantity of sensitive data, the incident involves data of a highly sensitive nature, or the activity may be illegal, a timely and significant response should ensue.

In the event of an incident, the following general procedure should be followed:

  1. DoIT should be contacted by departmental staff. This may be done during off hours by calling the Central Help Desk at 970.491.7276. During business hours, DoIT should be available by calling 970.491.5133. The responsible administrator(s) in the affected department(s) should be contacted and brought into discussions.
  2. DoIT will assign staff to the incident. An incident response team including the department may be formed, at the discretion of DoIT, and may involve the Provost should the incident be severe. The incident response team shall decide upon a response proportionate to the incident. Should there not be agreement in how to respond, the VPIT or the Provost, if involved, shall determine the response.
  3. Should it be appropriate, DoIT will contact CSU Legal Counsel for their advice. This may involve contacting law enforcement, but this shall be done only by DoIT, and only after CSU Legal Counsel has been consulted.
  4. No information regarding the incident should be released unless authorized by CSU Legal Counsel. Information should only be released through DoIT who shall coordinate such release with CSU Legal Counsel.
  5. HB18-1128 contains new legislation dealing with personal records privacy and security, data retention, data disposal, and data breaches is now in effect. It has requirements concerning disposal and security obligations with respect to “personal identifying information,” and timely breach notification (within thirty days of the breach) obligations for “personal information” (two different definitions). Should a breach occur, this legislation should be consulted for guidance.
  6. In general, the affected computer(s) should be disconnected from the network, but not turned off, or rebooted. Also, no modifications should be made to the systems until DoIT staff and departmental staff have agreed upon a set of appropriate next steps.

SECTION II Mandatory, Minimum IT Security Requirements

The requirements in this section are mandatory, minimum requirements that shall be implemented on all IT systems associated with the University. This includes University-owned devices and personally-owned devices that interact with University systems, even if only by a physical means such as sharing removable media such as floppy disks, optical disks, or other storage devices. If it is not possible or practicable to meet these requirements, the responsible department may petition DoIT for an exception to these requirements. The form for applying for an exception may be found on DoIT website.

1. Operating Systems

Only operating systems that are secure according to current best practices and require strong authentication shall be used. In particular, only currently supported Windows operating systems shall be used. If an older Windows operating system is required, an application for an exemption must be submitted.). Security patches and updates shall be applied in a timely manner. Where possible, updates shall be automatically applied to both operating systems and applications. 

2. Network Security

Following recommendations from the Campus IT Security Technical Advisory Committee, with input from the campus IT community, all incoming connections from the Internet will be blocked by default. Exceptions to this policy may be requested by contacting DoIT, for example to allow inbound mail connections to departmental web servers. To keep the list of exceptions current and relevant, thereby minimizing the possibility of inadvertent exposure of internal resources to attack, exception requests will need to be re-confirmed each year. By blocking the large volume of malicious connection attempts, the University’s IT security environment is greatly enhanced.

DoIT networking staff have the authority to take appropriate action when the University’s acceptable use policy () has been violated, or as otherwise required to maintain the integrity and functionality of the University’s IT environment. This may include, but is not limited to, traffic analysis and disabling access to individual or multiple computers. Reasonable attempts to contact the appropriate IT staff will be made by DoIT staff in such cases.

3. Anti-malware

Where applicable, all client computers shall deploy University-standard software for protection against various forms of malicious software (“malware”, including viruses, spyware, etc.). Anti-malware software shall be configured to automatically update malware definition files. Other means of providing equivalent levels of protection against malware may be used, provided an exemption has been approved by DoIT. 

4. Passwords

Passwords are widely used to protect computers, networks, and information, but they are particularly susceptible to compromise if the passwords are weak (easily guessed) or if systems performing user authentication do not enforce measures to limit guessing attacks. The following are mandatory, minimum requirements that shall be implemented for central (NetID) authentication. All campus systems must use strong passwords, and must configure server-level password-guessing protection technologies of similar strength where practicable; the requirements below are suggested as a combination of strength and guessing protection that meets current government and industry standards:

  1. Strong passwords shall be implemented on all systems (it is noted that system administrators can reasonably enforce only some of the following rules and that users bear the ultimate responsibility for compliance).
  2. Passwords for general systems shall be at least fifteen (15) characters in length (note that numbers, upper-case letters, and special characters are NOT required, though they are allowed).
  3. Passwords shall not be derived from a user’s name or login ID.
  4. Passwords shall not be derived from system-specific information such as hostname, aliases or entries in users’ files.
  5. Passwords shall not consist of a single-word entry in a dictionary (astrobiologists), or a commonly chosen phrase that would easily be guessable based on organizational affiliation (fightonyoustalwartrams) or personal/professional interests (businessadministration or denverbroncosfan). Rather, a good password is easily memorized but not obvious (ends-justify-means, darwin#beagleship, or stereochemrocks).
  6. Default passwords supplied by vendors shall always be changed before production implementation.
  7. In addition to enforcing good choice of passwords, systems that perform user authentication shall be configured to reduce the likelihood of a successful guessing attack and limit the scope of inappropriate access in the event of a compromise.
    1. Passwords shall be changed at least once per year.
    2. Systems shall be configured to track failed login attempts, as excessive failures may signal an automated guessing attack. Systems shall lock user accounts for one hour whenever the system detects fourteen (14) consecutive failed logins.
  8. Use of the same administrative or “root” password across administrative boundaries is prohibited. For example, system administrators should select an administrative password for configuring network hardware in their area, another password for administering their Windows servers, and yet another unique root password for Unix servers. Separate and distinct passwords shall also be used for units managing more than one Windows domain.

5. Files and File Storage

  • In general, users are responsible for their own files, including the information contained in those files, and ensuring that files containing critical data are backed up and/or stored in multiple locations.
  • Files containing Sensitive Information are best maintained on a physically secured and “hardened” server.
  • Sensitive data in individuals’ files should be kept to a minimum, and reasonable and prudent protection of those files shall be implemented by the system administrator. In particular, files containing significant amounts of sensitive data stored on portable devices must be protected with strong encryption. As currently interpreted by government regulations and industry standards, "strong encryption" means  the Advanced Encryption Standard (AES). AES should be used with the maximum available key length. Furthermore, Sensitive Information that is old and not needed in the normal course of academic/business operations should be removed and securely archived elsewhere.
  • All types of physical IT media (disks, tapes, optical disks, memory sticks, memory cards, etc.) containing sensitive data shall be disposed of properly, ensuring that the sensitive data is not accessible after disposal. This may be accomplished either by degaussing, or physically destroying the media (e.g. shredding), or both. The owner of physical media that is being disposed is responsible for ensuring that the Sensitive Information is not accessible after disposal.
  • It is the responsibility of the owner of files containing sensitive data that are transmitted via the network to ensure that the files are reasonably protected against unauthorized access. Common measures that may be taken for files transmitted across unsecured networks are encryption of the files or establishing an encrypted network connection between the endpoints.
  • Having significant amounts of sensitive data in unencrypted form in insecure locations is prohibited.
  • In particular, unencrypted back-up tapes containing Sensitive Information must be secured at all times, and should not be removed from University property.
  • In order to minimize the substantial risk associated with maintaining files containing unencrypted sensitive data, University IT staff may, with proper approval, scan files and monitor network traffic for sensitive data. Such scanning is solely for the purpose of protecting Sensitive Information. IT staff are not permitted to access others’ personal files without their permission for any other purpose, nor are they permitted to disclose such information other than for the purposes of ensuring that sensitive data are protected. DoIT will work with campus IT administrators, recommending tools and procedures for scanning departmental computers for sensitive data. Upon detection of files containing sensitive data, the owner will be contacted and asked to comply with this CSU IT Security Policy

6. Personally Owned Computers

Personally-owned computers that routinely use University IT resources, including access to University networks, servers and/or other IT resources, and/or that contain sensitive University information, are subject to the same policies as those computers owned and operated by the University.

7. Wireless Networks

The University funds and operates wireless networks for University business as well as for visitors. In general, these networks are subject to the same requirements as the University's wired network (see section I.3 and II.2: “Network Security”). Due to the nature of wireless networking, devices using the Wi-Fi spectra (2.4 GHz and 5 GHz) are subject to additional restrictions in order to maintain a functional campus network, therefore unauthorized wireless devices shall not be connected to the University's network. Furthermore, devices that interfere with the University's use of these spectra are not permitted. Approved classes of devices, and recommended configurations, are posted on the DoIT website. University business conducted via wireless devices shall use the encrypted, authenticated wireless networks provided for students, faculty, staff, and visitors from eduroam member institutions.

8. Web Browser Security

  1. Browser Version: Browsers should be set to automatically apply security updates (patches). 
  2. Plugins and Extensions: Utility programs that run within the browser also need to be kept updated so they do not become vectors for attack. 
  3. Cookies, History, and Temporary Files: Because browser cookies and files that exist on computers as a result of web browsing (including browsing history and temporary files) may contain Sensitive Information and are subject to access via spyware, malware and other illicit means of access, their existence on IT systems should be minimized whenever possible. Periodically, and at least once a week if significant amounts of Sensitive Information may exist in browser cookies on computers, users should delete these cookies and files.

Additional Protection: Instructions on keeping each of the major browsers securely configured, and additional steps to increase a computer’s protection, can be found on this site.

9. IT Vendor Risk Management and IT Procurement

University entities intending to purchase IT systems that exceed dollar thresholds requiring a documented quote or Request for Proposal should contact the Chief Information Security Officer for a security review, as early in the procurement process as possible to allow for expedient review.

SECTION III Protection of Credit Card Information

The University is required to comply with the Payment Card Industry Data Security Standard (PCI-DSS). The requirements in this section are mandatory, minimum requirements that shall be implemented on all University systems that process, store, or transport credit card information. This includes University-owned devices and personally-owned devices that interact with University systems, even if only by a physical means such as sharing removable media (disks or other storage devices). In order to maintain University-wide compliance with these standards, all credit card activity will be coordinated by a PCI Team comprised of members from DoIT and Business and Financial Services (BFS). The PCI Team shall post and maintain standards and procedures documentation, meet regularly with all credit card merchants, and provide annual compliance reporting.

1. Credit Card Information Stored in Non-electronic Form

Credit card information that is stored in non-electronic form is subject to PCI-DSS, as well as policies contained in the latest version of the “CSU Personal Records Privacy and Security Policy.” In particular, such materials must be stored in secure locations, e.g. behind locked doors. The PCI-DSS prohibits the storage of some kinds of card information after card authorization.

2. Credit Card Information Stored in Electronic Form

Computers shall not store credit card information in any form, unless approved in writing by BFS. If so approved, credit card information that is stored in electronic form is also subject to PCI-DSS, as well as policies contained in the latest version of the “CSU Personal Records Privacy and Security Policy."

3. Systems that Support Credit Card Authorization

To maintain appropriate internal controls and compliance with both card industry and University policies, departments that wish to process credit cards shall coordinate the establishment of their vendor agreements and merchant accounts with the Banking Services unit of BFS. All systems that process credit cards shall use a University-approved authorization provider, and be configured such that no credit card information traverses University networks or systems. To prevent credit card fraud, all use of these vendors’ systems shall be configured to comply with PCI Team procedures regarding fraud detection suites and use of the Card Verification Value (CVV) number (found on the back of credit cards). Systems involved in credit card activity shall be segmented from the main University network as specified by the PCI Team, and shall be reviewed by the DoIT Department of Cybersecurity and Privacy at least annually for compliance with the PCI DSS.

Other security features may also be required at the direction of Provost, as recommended by the University’s Vice President for Information Technology and the University Controller.

SECTION IV Cloud Computing

Cloud Computing is becoming commonplace, even for institutions that continue to maintain extensive internal computing and network Services. Cloud-based Services enable convenient storage or synchronization of a consistent set of files on one or more computers and mobile devices, sharing data with a large variety of external users, and leveraging externally hosted processing resources. Such Services make cloud resources an attractive option, and it is accepted that all members of the University community, including the institution itself, utilize cloud Services in CSU’s everyday business affairs.

However, these Services vary widely as to their integrity and reliability, as well as the contractual terms and conditions they impose upon their users (often with little or no understanding by those users). Some cloud providers, for instance, mine data for marketing purposes and make no effort to determine whether such data is subject to privacy laws that the University must obey (such as FERPA, protecting the privacy of students’ education records, and HIPAA, protecting the privacy of personal health information, among others).

The purpose of this Policy, therefore, is to define Cloud Computing as it applies to the University, and to establish certain prudent rules and practices to be followed when utilizing the cloud.

Policies for Cloud Computing

It is the policy of Colorado State University to permit and encourage the use of cloud-based Services that enhance productivity, convenience, and creativity, provided that the institution and its employees, agents and contractors must take reasonable measures to protect the integrity, security, and privacy of data, and to prevent damage to and unauthorized use of its systems, when utilizing such Services.

1.  General Cloud Policy

The University endorses the use of Cloud Computing services for University business, including file storing and sharing, when:

  1. The cloud services vendor provides appropriate levels of protection and recovery for University information;
  2. The vendor accepts and is contractually bound to implement explicit restrictions on storage of Sensitive Information (defined as both Private Data and Restricted Data)
  3. The use of such service does not place the University at an unreasonable risk of experiencing data breach, data loss/non-recovery, or degradation of its computing and network services; and
  4. The vendor complies in an acceptable manner to the GDPR, or the vendor is bound contractually by CSU to comply with the GDPR, as required by CSU.

2.  Use of Non-Contracted Vendors for Cloud Computing

The University, its departments and other business units, and persons acting for the University, may use Cloud Computing Services for University data only if (i) there is an approved University Contract authorizing such use; (ii) there is no University Contract, but the service has been approved by -the VP for IT for use by the University; or (iii) the use is limited to the exchange or storage of Public Data. Cloud-based services provided by non-contracted or non-approved vendors may not be used to store, transmit or share Private Data or Restricted Data.

3.  Contracted Vendors for Cloud Computing

When contracting with a Cloud Computing vendor, the University must specify particular data protection terms in a contract so as to provide a level of security that ensures that the University data is kept confidential, is not changed inappropriately, and is available to the University as needed. The level of confidentiality, security and integrity that is required varies depending on the type of data for which the service will be used, but, in general, must meet or exceed all applicable laws, rules and regulations, as well as other applicable University policies, concerning the use and protection of such data. At a minimum, such contracts must provide:

  1. Explicit, enforceable promises by the vendor to utilize encryption, password protection, firewalls, and other such technologies to protect the data at all times, without regard to interruption of service;
  2. An indemnification by the vendor protecting CSU from claims, damages and expenses that may occur as a result of the vendor’s negligence in providing the service, or its breach of the agreement; 
  3. A requirement that the vendor report any breach, loss, or corruption of University data to the responsible University administrator within a reasonable time (which may be immediate) after determining that such event may have occurred; and 
  4. Compliance itself with GDPR, or agreement to comply with CSU’s requirements under the GDPR. All contracts entered into by or on behalf of CSU with any cloud services provider must be approved by the VPIT before being signed on behalf of CSU by an authorized contract signatory.

Additionally, the University should consider the following contract terms to ensure a minimum level of information security protection: Data transmission and encryption requirements; Authentication and authorization mechanisms; Intrusion detection and prevention mechanisms; Logging and log review requirements; Security scan and audit requirements; and Security training and awareness requirements.

All contracts entered into by or on behalf of CSU with any cloud services provider must be approved by the VPIT before being signed on behalf of CSU by an authorized contract signatory.

Data restrictions for contracted vendor services: Cloud services provided by a University-contracted vendor may not be used to store, transmit or share Private Data or Restricted Data unless CSU’s Chief Information Security Officer or the VPIT has first approved such use.

4. Support

Many cloud-based services require the install of a third-party application on the device that will access the service. Use of these services under this policy does not imply that the applications will be supported by DoIT or other information technology service areas. Individuals using these services and applications should contact their local IT support personnel to discuss support options. Support options provided by the vendor should also be considered when contracting.

SECTION V Governance of These Policies

The Information Technology Executive Committee (ITEC) is responsible for these policies, including adoption, modification and change. Changes to these policies are to be widely reviewed by the campus, including such groups as the General Counsel, and the ITEC Advisory Council (IAC), prior to being taken to ITEC for their final approval.

Information Technology policies published in the CSU Policy Library have a 2-4 year scheduled review, depending on the frequency needed for each policy as determined by the Vice President for Information Technology and the University Policy Office.

COMPLIANCE WITH THIS POLICY

Compliance with this policy is required. For assistance with interpretation or application of this policy, contact the Division of Information Technology.

REFERENCES 

The University IT Security web page) provides a variety of information regarding IT security that is useful in the implementation of these policies.

PCI Security for credit cards

FORMS AND TOOLS

Security Exemption Request

APPROVALS

Originally approved July 8, 2004

Revision approved Anthony Frank, President, on June 5, 2019.

Revision approved by Brendan Hanlon, Vice President for University Operations, on April 12, 2023.