
JSU CYBER AWARENESS

PATCH MANAGEMENT POLICY

 

Abstract: 
JSU must protect and control access to the sensitive data it creates, collects, stores and processes in paper and electronic formats, in accordance with all applicable federal and state laws and university policies.

Policy Number: 50000.019
Effective Date: 1/25/2019
Review/Revised Date: 3/22/2023 
Category: Information Technology
Policy Owner: CIO/Information Technology
Policy Contact: CISO/Information Technology

 

Policy Statement

The purpose of this policy is to provide the processes and guidelines necessary to maintain the integrity of critical systems, end-user systems campus-wide, and Jackson State University’s data by applying the latest operating system and application security updates/patches in a timely manner.

 

Definitions

  • Patches: software and operating system (OS) updates that address security vulnerabilities within a program or product.

 

Scope

This policy and its processes refer to all JSU-owned desktops, laptops, servers, applications, mobile and network devices, and any other items that represent access points to sensitive and confidential University data or to technology resources and services.

 

Employee Adherence

This policy applies to all JSU employees, contractors, consultants, temporary and other workers, including all personnel affiliated with third parties that use JSU owned desktops, laptops, servers, applications, mobile and network devices and any other additional equipment, technology resources and services that access CUI, sensitive and non-sensitive university data.

Policy

General Use and Ownership

While JSU’s network administration desires to provide a reasonable level of integrity, users should be aware that the data/email they create/receive on University systems remain the property of JSU and that no privacy can be expected while using these systems. Because of the need to protect the University’s network, management cannot guarantee the confidentiality of information stored on any network device belonging to JSU. JSU is responsible for exercising good judgment regarding the reasonableness of personal use. DIT recommends that any information which users consider sensitive or vulnerable be encrypted and password protected. For security and network maintenance purposes, authorized individuals within the DIT group may at any time analyze network utilization, traffic patterns and volumes related to JSU systems/equipment and network. JSU’s DIT Group reserves the right to audit networks and systems periodically to ensure compliance with this policy.

Secured and Proprietary Information

(Personally Identifiable, FERPA, GLBA, SOX, Federal/State regulated. See definitions in Section 3 of this policy.)

  • All users should take all necessary steps to prevent unauthorized access to this information. Keep passwords secure and do not share accounts.
  • Authorized users are responsible for the security of their passwords and accounts.
  • System level passwords should be changed biannually (every 6 months). Previously used passwords will not be permissible.
  • User level passwords should be changed biannually (every 6 months).
  • All PCs, laptops and workstations should be secured with a password-protected screensaver with the automatic activation feature set at 10 minutes or less, or by logging off (Control+Alt+Delete for Windows users; Control+Shift+Eject for Mac users; Control+Shift+Power for Retina MacBook Pro) when the system will be unattended. Because information contained on portable computers is especially vulnerable, special care should be exercised to protect this data.

Unacceptable Use

The following activities are, in general, prohibited. Employees may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., systems administration staff may have a need to disable the network access of a host if that host is disrupting production services). Under no circumstances are users of JSU authorized to engage in any activity that is illegal under local, state, federal, or international law while utilizing JSU-owned resources. The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use. All Postings by employees from JSU email addresses to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of JSU, unless posting is in the course of business duties. Employees must use extreme caution when opening email attachments received from unknown senders, which may contain viruses, email bombs, or Trojan horse code.

  • Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of “pirated” or other software products that are not appropriately licensed for use by JSU.
  • Collection, storage or distribution of pornography or material considered to be obscene in violation of this policy.
  • Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, copyrighted movies and the installation of any copyrighted software for which JSU or the end user does not have an active license is strictly prohibited.
  • Illegally exporting software, technical information, encryption software or technology in violation of international or regional export control laws.
  • Introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, email bombs, etc.)
  • Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  • Using a JSU computing asset to actively engage in procuring or transmitting material in violation of sexual harassment or hostile workplace laws in the user’s local jurisdiction.
  • Making fraudulent offers of products, items, or services originating from any JSU account.
  • Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, the following: accessing data of which the user is not an intended recipient, or logging into a server or account that the user is not expressly authorized to access, unless such access is within the scope of regular duties. For purposes of this section, “disruption” includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information.
  • Port scanning or security scanning is expressly prohibited unless prior notification is given to DIT and/or these processes are within the scope of regular duties.
  • Executing any form of network monitoring which will intercept data not intended for the employee’s host, unless this activity is a part of the employee’s normal job/duties.
  • Circumventing user authentication or security of any host, network, or account.
  • Interfering with or denying service to any user other than the employee’s host (for example, denial of service attack).
  • Using any program/script/command, or sending messages of any kind, with the intent to interfere with or disable a user’s terminal session, by any means, locally or via the Internet/Intranet/Extranet.
  • Providing information about (or lists of) JSU users protected/non-directory information to parties outside the University without the express written permission of the University Administration.
  • Any person found in violation of this policy will be notified immediately to cease and desist. The user will be given a time frame to comply or be disconnected from the JSU network until they can prove the issue has been addressed.

 

  • A risk-informed systems patch cycle for all server operating systems (OS) must be scheduled, as appropriate, for JSU Information Systems and related subsystems.
  • Any emergency patching process outside of the routine patching schedule must be done according to level of risk, as determined by the system owner in consultation with the JSU Patch Management Team members.
  • Servers, services, or applications must be maintained with current OS, application, or security patch levels, as recommended by the software manufacturer and informed by risk, to protect University Information from known information security issues.
  • Where and when automated patches cannot be implemented on an end user’s system, the appropriate IT patch management team members must manually implement the patches.

 

Patch Management Roles and Responsibilities

Management roles, responsibilities and procedures to ensure a quick, effective, and orderly process for managing patches for JSU’s information systems and devices are assigned in the table below:

 

 

Role: Responsibilities

  • Chief Information Officer: Review and approve proposed patch implementation for critical systems and devices.
  • Chief Technology Officer: Review and approve proposed patch implementation for critical systems and devices.
  • CISO/Cyber Security Officer/Specialist: Lead the Patch Management Team (PMT) in the patch implementation process; proactively identify essential patches that address vulnerabilities; assess the patch management process and its effectiveness.
  • Patch Management Team: Identify and discuss patch releases; test patches; maintain patch management tools; notify the CIO and CTO of adverse effects.

 

  • All members and employees of the JSU workforce who have been approved to use personal devices in the workplace for work related duties are responsible for ensuring their device is always up to date on patches that are related to security vulnerabilities.

 

  • All third-party vendors contracted to store and/or process JSU’s sensitive data are responsible for ensuring that the systems they use to provide the contracted services are updated at all times and that security patches are applied to these systems in a timely manner.

 

Patch Management Process

    1. Create and maintain an organizational hardware and software inventory.
    2. Identify newly discovered vulnerabilities and security patches using security vulnerability resources (vendor websites, news sources, RSS feeds, vendor vulnerability databases).
    3. Conduct generic testing of patches in a testing environment.
    4. Establish a timeline for deploying patches based upon the type of update (critical, non-critical, regularly scheduled maintenance).
    5. Roll out the deployment of patches to the production environment.
    6. Continue to monitor and evaluate patches.

 

Patch Management Procedures

    1. Identify essential patches and perform patch verification: JSU Information Technology Systems will only utilize trusted sources for system/application patches.
    2. Perform patch evaluation to determine the level of criticality.
    3. Determine the response time based on the criticality of the system, the business impact if the system goes down, the likelihood that the vulnerability could be exploited if the system remains unpatched, and the type of update (critical, non-critical, regularly scheduled maintenance).
    4. Submit a change request via email or form in accordance with the JSU change management policy and procedures.
    5. An authorized JSU IT employee from the patch management team will (1) conduct a pre-deployment test of the patch or patches in a non-production environment that is as similar as possible to the production environment, to evaluate usability, security, and effects on other systems, and (2) log a description of the results and impact of the patch in the JSU Change Management Log document for review.
    6. The request to have patches applied will be reviewed and approved by the change management committee members.
    7. After approval, an email notification will be sent to the appropriate parties with the following information: the date/time the patch will be deployed, which systems and services will be impacted, how long the patch updates will last, and contact information for voicing concerns or issues regarding the deployment of patches to the production environment.
    8. Members of the JSU patch management team will continue to monitor and evaluate systems with the applied patches as necessary.

 

 

Exceptions

Exceptions apply to any JSU-owned system, software, application or device that cannot be patched to resolve a known vulnerability when: 1) the vendor does not have a patch available; or 2) the patch provided by the vendor creates instability within the system, and that instability outweighs the risk of leaving the vulnerability unpatched.

 

Policy Compliance

    • Any JSU employee, vendor(s) and contractor(s) found to have violated this policy may be subject to disciplinary action, up to and including revocation of access privileges, or termination of contract or employment. In addition to University discipline, users may be subject to criminal prosecution under federal, state or local laws, civil liability, or both for unlawful use of any IT System.