ࡱ> k gbjbj "}}VclFFFFFFFZ8LlZ7UH&n!(!!!u"z%'TTTTTTT$V  YTF'q"u"''T,FF!!T,,,'F!F!T,'T, ,56PFFS!< QSZ(\zQSU07UQY+YS,ZZFFFFvlog Information Assurance Guidelines ** TUC DRAFT 2.1 ** August 2002  TOC \o "1-3" \h \z  HYPERLINK \l "_Toc18809762" 1 Purpose  PAGEREF _Toc18809762 \h 2  HYPERLINK \l "_Toc18809763" 1.1 Introduction  PAGEREF _Toc18809763 \h 2  HYPERLINK \l "_Toc18809764" 1.1.1 General Information  PAGEREF _Toc18809764 \h 2  HYPERLINK \l "_Toc18809765" 1.1.2 Objectives  PAGEREF _Toc18809765 \h 3  HYPERLINK \l "_Toc18809766" 1.1.3 Sanctions  PAGEREF _Toc18809766 \h 4  HYPERLINK \l "_Toc18809767" 1.2 Responsible Organizational Structure  PAGEREF _Toc18809767 \h 5  HYPERLINK \l "_Toc18809768" 1.2.1 Information System Security Officer  PAGEREF _Toc18809768 \h 5  HYPERLINK \l "_Toc18809769" 1.2.2 Overview  PAGEREF _Toc18809769 \h 5  HYPERLINK \l "_Toc18809770" 1.2.3 Corporate Information Services (Central Services)  PAGEREF _Toc18809770 \h 6  HYPERLINK \l "_Toc18809771" 1.2.4 Business Unit Information Services (De-centralized services)  PAGEREF _Toc18809771 \h 6  HYPERLINK \l "_Toc18809772" 1.2.5 Residence Halls  PAGEREF _Toc18809772 \h 7  HYPERLINK \l "_Toc18809773" 1.3 Related Policies  PAGEREF _Toc18809773 \h 7  HYPERLINK \l "_Toc18809774" 1.3.1 Information Protection  PAGEREF _Toc18809774 \h 7  HYPERLINK \l "_Toc18809775" 1.3.2 Use of Computing Resources  PAGEREF _Toc18809775 \h 7  HYPERLINK \l "_Toc18809776" 1.3.3 Privacy  PAGEREF _Toc18809776 \h 8  HYPERLINK \l "_Toc18809777" 1.3.4 Use of Computer Software  PAGEREF _Toc18809777 \h 8  HYPERLINK \l "_Toc18809778" 2 System Administrator Responsibilities  PAGEREF _Toc18809778 \h 9  HYPERLINK \l "_Toc18809779" 2.1 General  PAGEREF _Toc18809779 \h 9  HYPERLINK \l "_Toc18809780" 2.1.1 Scope and Documentation  PAGEREF _Toc18809780 \h 9  HYPERLINK \l "_Toc18809781" 2.1.2 Physical Security  PAGEREF _Toc18809781 \h 9  HYPERLINK \l "_Toc18809782" 2.2 Logical Security  PAGEREF _Toc18809782 \h 9  HYPERLINK \l "_Toc18809783" 2.2.1 Authentication  PAGEREF _Toc18809783 \h 9  HYPERLINK \l "_Toc18809784" 2.2.2 Secured Hosts  PAGEREF _Toc18809784 \h 9  HYPERLINK \l "_Toc18809785" 2.2.3 Virus Scanning  PAGEREF _Toc18809785 \h 10  HYPERLINK \l "_Toc18809786" 2.2.4 Active Monitoring  PAGEREF _Toc18809786 \h 10  HYPERLINK \l "_Toc18809787" 2.3 Backup and Recovery  PAGEREF _Toc18809787 \h 10  HYPERLINK \l "_Toc18809788" 3 Security Services and Procedures  PAGEREF _Toc18809788 \h 10  HYPERLINK \l "_Toc18809789" 3.1 Risk Assessment and Monitoring  PAGEREF _Toc18809789 \h 10  HYPERLINK \l "_Toc18809790" 3.2 Incident Response  PAGEREF _Toc18809790 \h 10  HYPERLINK \l "_Toc18809791" 4 On-going Activities  PAGEREF _Toc18809791 \h 11  HYPERLINK \l "_Toc18809792" 4.1 Implementation  PAGEREF _Toc18809792 \h 11  HYPERLINK \l "_Toc18809793" 4.2 Reports  PAGEREF _Toc18809793 \h 11  HYPERLINK \l "_Toc18809794" 4.3 Reviews  PAGEREF _Toc18809794 \h 11  HYPERLINK \l "_Toc18809795" Appendix A Definitions  PAGEREF _Toc18809795 \h 12  1 Purpose 1.1 Introduction 1.1.1 General Information Information resources are vital assets that require protection. These guidelines are intended to protect and defend the integrity of vlogs information and information systems. This document defines the security and data ownership responsibilities, along with relevant and necessary authorities to undertake these assigned responsibilities. The university has a legal responsibility to secure its computers and networks from misuse. While the value of equipment such as computer hardware is easily appreciated, we must not overlook the larger investment in less tangible information assets - such as data, software, and automated processes. Computers and network resources can provide access to these less tangible resources both on and off campus. Failure to exercise due diligence may lead to financial liability for damage done by persons accessing the network from or through vlog. At the extreme, an unprotected IUP network open to abuse might be denied access to parts of the larger network community. Data, whether stored in central computers accessible through peripheral hardware, processed locally on microcomputers, delivered via email, or generated by other computer systems, are vulnerable to a variety of threats and must be afforded adequate safeguards. A combination of protection, detection, and reaction capabilities will be employed to protect the information system and data. Maximization of the five information assurance security objectives of: availability, integrity, authentication, confidentiality, and nonrepudiation will serve as the goal for information systems security for the University. 1.1.2 Objectives The university reserves the right to limit, restrict, or extend computing privileges and access to its resources. Access to the university's information system facilities and resources is a privilege granted solely to vlog faculty, staff, registered students, and other authorized individuals outside the university. This user community is expected to cooperate with the Technology Services Center and Academic Computing in its operation of the information systems and networks as well as in the investigation of misuse or abuse of those assets. Open access to technology resources is a privilege implicit in the granting of access to users. Such open access requires that individual users act in a responsible and acceptable manner. Acceptable use always is ethical, reflects academic honesty, and shows restraint in the consumption of shared resources. Acceptable use demonstrates respect for intellectual property, truth in communication, ownership of data, use of system security mechanisms, and individuals' right to privacy and freedom from intimidation, harassment, and unwarranted annoyance. The university considers any violation of acceptable use principles or guidelines to be a serious offense and reserves the right to test and monitor security, and copy and examine any files or information resident on university systems. IUP faculty, staff, and students need to be aware of the value of these information system and data resources and the means of protecting them. User awareness through education is the first line of defense in maintaining confidentiality, reliability, availability, and integrity of IUP information resources. The vlogs Information Assurance Guidelines success is dependent on education of faculty, staff, and students in the need for and means of protecting IUP information resources. This education should include exposure to our authentication and password policies, and other physical loss prevention mechanisms, the distribution and regular updating of virus protection software to all users, the use of encryption tools for critical data, and, where necessary, the implementation of back up and recovery procedures for all systems and other policies and procedures. 1.1.3 Sanctions Those IUP authorized users who do not abide by IUP policies are subject to disciplinary action in accordance with university rules for misconduct and existing judicial, disciplinary, or personnel processes. Offenders may also be subject to criminal prosecution under federal or state laws, and should expect the university to pursue such action. The Technology Services Center or Academic Computing should be notified about violations of computer laws and policies, as well as about potential loopholes in the security of its information systems and network. 1.2 Responsible Organizational Structure 1.2.1 Information System Security Officer The Information Systems Security Officer is responsible for the implementation and administration of these guidelines, including the definition of documentation standards noted section 2.1.1. The IUP Information Systems Security Officer is the Provost. The Provost will delegate operational responsibility and accountability to the senior managers within each IUP technology Operational Group as detailed in 1.2.2 (Deans, Director Technology Services Center, Director Academic Technology Services.). The Provost, as necessary, will align all non-central technology services not specifically addressed in these guidelines with existing reporting and responsibility structures. 1.2.2 Overview IUP advisory and operational technology units are defined as follows: Advisory Groups: Academic Computing Policy Advisory Committee (ACPAC) - consists of faculty representatives from each college as well as representatives from university administrative and support units. Serves the role of reviewing policy and providing advice regarding technology support related to the academic mission. Administrative Computing Oversight Committee (ACOC) - defines priorities, standards, and future directions for administrative computing. ACOC includes representatives appointed by the Vice President of each division, the Council of Deans and the Technology Services Center. Academic Technology Operations Group (AOG) - has authority and responsibility for implementation, management, and operations of academic technology support throughout the Academic Affairs Division of the university as directed by the Council of Deans. The AOG works in conjunction with the independent college technology structures to coordinate overall academic computing operations. Furthermore, AOG has the authority to recommend policy related to academic technology and the responsibility to provide technical input to departments and units throughout the university as it relates to academic technology issues. Technology Utilities Council (TUC) - makes recommendations concerning those aspects of technology that need to be provided centrally or that need to be coordinated between the academic and administrative areas. The concept that certain functions should be viewed as utilities assures that the two areas do not have conflicting infrastructures. Consists of representatives from ACPAC and ACOC plus ex officio members and the Provost. Meets quarterly and chaired jointly by the Director of the TSC and the Director of ATS. Operational Groups: Technology Services Center (TSC) - responsible for support of administrative computing and the administrative network including applications development. In addition, the network and computing infrastructure is managed by the TSC. The TSC Director reports to the Vice Provost for Administration and Technology. Academic Technology Services (ATS) - Provides primary technology support to assigned units and secondary support to the CTMs. Provides coordination for academic technology issues. The Director of ATS reports jointly to the Vice Provost for Administration and Technology and the dean co-chair of AOG. College Technology Managers (CTMs) - one CTM for each of six colleges, and the library. The CTM is responsible for matters related to the implementation and management of technology within their respective unit. Each CTM reports to a College Dean who has IT operational responsibility and accountability within the college. 1.2.3 Corporate Information Services (Central Services) Services: E-mail, university web presence, business systems, network services & infrastructure (IP addresses, Internet connectivity), software administration, central user name space management. Advisory body: TUC Implementation/operational unit: TSC 1.2.4 Business Unit Information Services (De-centralized services) Administrative Services: support for administrative business units (Administration and Finance, Student Affairs, Institutional Advancement, Academic Affairs administrative staff) Advisory unit: ACOC Implementation/operational unit: TSC Academic Services: (Colleges, Branches, Centers & Institutes, Academic Staff) end-user support, local network administration & network services, application specific services (eg. disciplinary-specific software/hardware), computer labs, technology classrooms, administrative offices (eg: academic department offices). Advisory units: AOG, ACPAC Implementation/operational units: ATS, CTMs, and others (Vocational Personnel Preparation Center, Highway Safety Center, etc.). Housing/student services: providing access to campus network services for student residents, residence hall computer labs. Advisory units: AOG, ACPAC Implementation/operational unit: Housing and Residence Life (technology manager). Other services: : technology support and responsibility for other affiliated university activities including certain grants, centers, and units such as the Student Coop. Advisory units: AOG, ACPAC, ACOC Implementation/operational unit: individual unit (technology support staff). 1.2.5 Residence Halls The Office of Housing and Residence Life (OHRL) is the designated administrator for ResNet (see Appendix A) systems. . IUP Business data must not be stored on ResNet systems. ResNet systems are subject to all OHRL-specific policies. Data transmitted over the IUP network is subject to all IUP policies. 1.3 Related Policies 1.3.1 Information Protection All IUP Users and Systems Administrator are subject to the Access, Use, and Maintenance responsibilities defined with the  HYPERLINK "http://www.iup.edu/tsc/policies/INFOPROT.HTML" IUP Information Protection Policy. 1.3.2 Use of Computing Resources All IUP Users are subject to the responsible use of computing resources and all System Administrators are obligated to suspend activities which pose a clear and present threat to efficient operation of and equitable access to university computing resources as defined in  HYPERLINK "http://www.iup.edu/ats/sts/policies/computing_resources_policy.shtm" the IUP Computing Resources Policy. 1.3.3 Privacy University computer systems, including all related equipment, networks and network devices (specifically including internet access), are provided only for authorized university use. The University supports each individual's right to reasonable privacy when using IUP computing resources for authorized university business, and will take reasonable steps to ensure security of these resources. IUP computer systems may be monitored for all lawful purposes, including to ensure that their use is authorized, for management of the system, to facilitate protection against unauthorized access, and to verify security procedures, survivability, and operational security. Use of this IUP network and computer system, authorized or unauthorized, constitutes consent to monitoring of system activities for information assurance. Data contained on University computer systems is accessible to System Administrators. As noted in  HYPERLINK "http://www.iup.edu/academicaffairs/policies/email.shtm" the IUP E-mail Privacy statement, access to private information is granted only on a need to know, need to create, or need to fix basis. During monitoring, information may be examined, recorded, copied, and used for authorized purposes. All information, including personal information, placed on, or sent over this system may be monitored. Unauthorized use may be subject to criminal prosecution. Evidence of unauthorized use collected during monitoring may be used for administrative, criminal or other adverse action. System Administrators are also responsible for responding to authorized requests for system information from compulsory legal entities. 1.3.4 Use of Computer Software All IUP Users and System Administrators are responsible for the legal and ethical use of computer hardware and software, including the use, copying, or distribution of contractually protected or copyrighted educational, commercial, or administrative software as defined in the  HYPERLINK "http://www.iup.edu/academicaffairs/policies/software.shtm" IUP Computer Software Policy. 2 System Administrator Responsibilities 2.1 General 2.1.1 Scope and Documentation Every system connected to the IUP network must have a designated System Administrator. A System Administrator is responsible for the implementation and maintenance of all University security policies and guidelines and any local College/Unit policies for every system for which the System Administrator is directly responsible. The System Administrator will develop and maintain documentation of security compliance and make the documentation available to the Information Systems Security Officer in accordance with the IUP Information Assurance Procedures. Said documentation, which will follow a format defined by the Information Systems Security Officer and reviewed by the Operational Groups, will address all items detailed in sections 2.2 and 2.3 2.1.2 Physical Security Servers, networking equipment, and related hardware are to be housed in a physically secure area with access restricted to designated System Administrators. 2.2 Logical Security 2.2.1 Authentication System Administrators are responsible for limiting access to computing resources to authorized users from the University or its affiliates. Access will be granted based on the minimum access required. Public access will be restricted to pre-defined cases documented by the System Administrator. System Administrators must document and follow account management procedures that detail the creation, maintenance, and removal of accounts on each system and associated account password standards in accordance with the IUP Information Assurance Procedures. In addition, System Administrators will limit access to root, administrator, or privileged accounts/rights to employees that absolutely require such access. 2.2.2 Secured Hosts All systems connected to the university network will be administered with a secured host model where all unnecessary services are removed and all vendor security patches are applied to each system before it is placed into production. Moreover, once the system is in production the System Administrator is responsible for monitoring and installing security patches released by vendors whose products are utilized on each system and maintaining documentation of same. 2.2.3 Virus Scanning System Administrators will install and actively maintain virus scanning software on their systems and the University-owned systems of their Users. 2.2.4 Active Monitoring System Administrators will actively monitor all logs for the systems that they administer, including the deployment of any appropriate Intrusion Detection Systems. System Administrators may conduct security scans for any systems that they directly administer. Security scans of other systems on the Unversity network are strictly prohibited unless prior written permission is obtained from the Information Systems Security Officer except for the central Risk Assessment & Monitoring functions performed by the Technology Services Center as detailed in item (3). 2.3 Backup and Recovery Each system must have an appropriate backup and recovery procedures defined by the System Administrator, including a Disaster Recovery plan. Records will be maintained of all backups created. Critical backups will be maintained off site in a secure facility System Administrators will publish backup schedules for each system being managed and provide procedures for users to request files restorations, if available. 3 Security Services and Procedures 3.1 Risk Assessment and Monitoring The Technology Services Center will operate and maintain a risk assessment system on the IUP production network to monitor network traffic and scan IUP hosts for security problems. Risks will be escalated to the designated System Administrator of a given system. Based on the threat level of a given incident, network access may be suspended as defined under the IUP Computing Resources policy. 3.2 Incident Response The Directors of Academic Technology Services and the Technology Services Center (will) maintain a Technical Emergency Response Plan. Security incidents will be classified with the categories defined with the plan and the associated procedures will be followed to address the incident with appropriate communications, documentation, and actions. System Administrators must follow the provisions of the emergency response plan. 4 On-going Activities 4.1 Implementation To be effective, the IUP Information Assurance Guidelines must be enforced for all systems connected to the university network. This enforcement, which is the responsibility of the Information Systems Security Officer, must be an on-going effort applied to both new and existing systems. Information Assurance is a dynamic and demanding field. Information Technology Management at IUP (as outlined in Section 1 of the Information Assurance guidelines) will limit System Administrator responsibilities to designated System Administrators. 4.2 Reports Each System Administrator will submit a report to the Information Systems Security Officer in May and December of each year documenting compliance with all items defined in Section 2 of the Information Assurance guidelines. On-going documentation is a requirement of the documentation defined in Section 2. As such, the Information Systems Security Officer will have on demand access to all required documentation maintained by System Administrators in the event of an incident or audit. 4.3 Reviews Under the direction of the Information Systems Security Officer, the IUP Information Assurance Guidelines will be reviewed annually between October and December. Appendix A Definitions Academic ComputingThe university technology support structure for direct support of the academic mission that includes ATS (Academic Technology Services) as a coordinating unit, technology staffs in each college, deans within each college, AOG, the Council of Deans, ACPAC, and other units and departments related to the academic mission.ACOCAdministrative Computing Oversight Committee- defines priorities, standards, and future directions for administrative computing. ACOC includes representatives appointed by the Vice President of each division, the Council of Deans and the Technology Services Center.ACPACAcademic Computing Policy Advisory Committee - consists of faculty representatives from each college as well as representatives from university administrative and support units. Serves the role of reviewing policy and providing advice regarding technology support related to the academic mission.AOGAcademic Technology Operations Group- has authority and responsibility for implementation, management, and operations of academic technology support throughout the Academic Affairs Division of the university as directed by the Council of Deans. The AOG works in conjunction with the independent college technology structures to coordinate overall academic computing operations. Furthermore, AOG has the authority to recommend policy related to academic technology and the responsibility to provide technical input to departments and units throughout the university as it relates to academic technology issues.AuthenticationVerification of the identity of an individual or the source of the informationAvailabilityPrevention of unauthorized withholding of information resourcesConfidentialityEnsuring that data is not disclosed to those not authorized to access itInformation Assurance (IA)Information operations that protect and defend information and information systems by ensuring their availability, integrity, authentication, confidentiality, and nonrepudiation.Information Assurance ProceduresTechnical and documentation procedures defined under the direction of the Information Systems Security Officer that detail how System Administrators comply with the Information Assurance Guidelines.Information Sysems Security OfficerIUP employee responsible for the administration of the IUP Information Assurance Guidelines.IntegrityAssurance that data cannot be deleted, modified, duplicated, or forged without detectionNonrepudiationVerification of the origin and receipt of messages and dataResNetNon-University owned computers attached to the IUP network in the Residence Halls. With regard to Resnet Computers, IUP simply acts as an Internet Service provider.System AdministratorAn IUP employee who is responsible for the technical administration of a University Information Technology resource with direct control of the hardware and software of the resource. Appendix A Definitions (continued) TUCTechnology Utilities Council - makes recommendations concerning those aspects of technology that need to be provided centrally or that need to be coordinated between the academic and administrative areas. The concept that certain functions should be viewed as utilities assures that the two areas do not have conflicting infrastructures. Consists of representatives from ACPAC and ACOC plus ex officio members and the Provost. Meets quarterly and is chaired jointly by the Director of the TSC and the Director of ATS.User Anyone who accesses a University Information Technology resource IUP Information Assurance Guidelines - TUC DRAFT 2.1 IUP Information Assurance Guidelines ** TUC DRAFT 2.1 ** Page  PAGE 1 of  NUMPAGES 13 "DEij~ɼxd&j>*B*UmHnHphuj{UmHnHujUmHnHumHnHu&j>*B*UmHnHphu mHnHu0JmHnHuj0JUmHnHu jUB*OJPJQJphB*CJ OJPJQJph5B*CJ OJPJQJ\ph5CJ OJQJ\##DEfghiv<9C T  $  $  $  $ [$\$^Vgg89:;UVWpqrstuvwxïޡÍj]UmHnHu&j>*B*UmHnHphujgUmHnHu&j>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHumHnHujUmHnHujqUmHnHu*5678<=abc|}~ϵ߯ׯכׯύ߯ׯykj?UmHnHu&j>*B*UmHnHphujIUmHnHu&j>*B*UmHnHphu mHnHujSUmHnHujUmHnHumHnHu0JmHnHuj0JUmHnHu&j>*B*UmHnHphu*    6789:;<=>YZ[\3ѽћy&j>*B*UmHnHphuj+UmHnHu&j>*B*UmHnHphuj5UmHnHu&j>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHujUmHnHumHnHu.3456789:;VWXYnop  ïޡÍj UmHnHu&j >*B*UmHnHphuj UmHnHu&j >*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHumHnHujUmHnHuj! UmHnHu,   " # $ = > ? @ A B C D E ` a b c ϵ߯ׯכύ߯ׯykj UmHnHu&jt >*B*UmHnHphuj UmHnHu&j~ >*B*UmHnHphu mHnHuj UmHnHujUmHnHumHnHu0JmHnHuj0JUmHnHu&j >*B*UmHnHphu*     3 4 5 N O P Q R S T U V q r s t u v  ɽɯɽɽɍɽyɽ&jV>*B*UmHnHphujUmHnHu&j`>*B*UmHnHphujUmHnHujUmHnHumHnHu&jj>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHu.      & ' ( ) G H I b c d e f g h i j ïޡÍjUmHnHu&jB>*B*UmHnHphujUmHnHu&jL>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHumHnHujUmHnHujUmHnHu* h  m  s 1E6^^ [$\$^ $  $  $           4 5 6 7 L M N g h i j k l m n o ϵ߯ׯכύ߯ׯykjUmHnHu&j$>*B*UmHnHphujUmHnHu&j.>*B*UmHnHphu mHnHujUmHnHujUmHnHumHnHu0JmHnHuj0JUmHnHu&j8>*B*UmHnHphu*          6 7 8 9 Q R S l m n p q r s t u ɽɯɽɽɍɽyɽ&j>*B*UmHnHphujUmHnHu&j>*B*UmHnHphujUmHnHujUmHnHumHnHu&j>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHu, *+,./0123NOPQtuvïޡÍjmUmHnHu&j>*B*UmHnHphujwUmHnHu&j>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHumHnHujUmHnHujUmHnHu*   #$%>?@BCDEFGbcdexyzϵ߯ׯכύ߯ׯykjOUmHnHu&j>*B*UmHnHphujYUmHnHu&j>*B*UmHnHphu mHnHujcUmHnHujUmHnHumHnHu0JmHnHuj0JUmHnHu&j>*B*UmHnHphu*/01345678STUVnopɽɯɽɽɍɽyɽ&j>*B*UmHnHphuj;UmHnHu&j>*B*UmHnHphujEUmHnHujUmHnHumHnHu&j>*B*UmHnHphu0JmHnHu mHnHuj0JUmHnHu,8S$v:Ljmbl m  "$%&&I&G'z'Z((**,,-.?.K/m/002+23˻>*6]5\ *CJ *B*OJPJQJphB*OJPJQJphjB*OJPJQJUph mHnHuj0JUmHnHumHnHujUmHnHuj1 UmHnHu:DE$suvm ^  & F [$\$[$\$ p[$\$^p [$\$^m o  """"#%%%&&G'Z(*,,,,.K/^ p1$7$8$H$^p 1$7$8$H$^^ [$\$^^$da$K/0000001111222233F4b444`5|55 & F & F & F & F & F ^^p^p334455688(9)9*9L9M9:::::::>>>>>??AABBCCC#C$CFDTDqEEF8FFIINNPPQQdRnRVVoYZZZ[\ ].]{_|____``)`*`r```Ca+b5\@6]jQ#UPJjr"Ujy!U0Jj U jU * *>*>*55666667:8;8<8R8q8N9O9r9:: ;C>D>Ap^p@ ^@ ^^^^^ & F & F^ !AAA%C&C(CPCQC^C}CrFF(G)G?GUGII!J"J7J L"LLLO^^^^p^pOOOPPPPP QRRR_T`TaTwTTVVXXXXTYUYoYY$If^^^YZZZ[[[]] ]l_m_|__D |wq$If  !$If$Ifk$$Ifl0&(0'64 la $1$7$8$H$If ___``*`s`t``BaCada+b,bPb8h}<}}}}}$If$If  !$Ifk$$Ifl0&(0'64 laPbbbbcc!c]c^cec d d!ddd}0}0$If  !$Ifk$$Ifl0&(0'64 la$If+bbcdde!eggggggggggggg mHnHu jU6]5CJ KH OJQJ\^JaJ @ddee g ggTgUgVgggggg {y$a$k$$Ifl0&(0'64 la $1$7$8$H$If$Ifgg 1h/ =!"#$%{DyK  _Toc18809762{DyK  _Toc18809762{DyK  _Toc18809763{DyK  _Toc18809763{DyK  _Toc18809764{DyK  _Toc18809764{DyK  _Toc18809765{DyK  _Toc18809765{DyK  _Toc18809766{DyK  _Toc18809766{DyK  _Toc18809767{DyK  _Toc18809767{DyK  _Toc18809768{DyK  _Toc18809768{DyK  _Toc18809769{DyK  _Toc18809769{DyK  _Toc18809770{DyK  _Toc18809770{DyK  _Toc18809771{DyK  _Toc18809771{DyK  _Toc18809772{DyK  _Toc18809772{DyK  _Toc18809773{DyK  _Toc18809773{DyK  _Toc18809774{DyK  _Toc18809774{DyK  _Toc18809775{DyK  _Toc18809775{DyK  _Toc18809776{DyK  _Toc18809776{DyK  _Toc18809777{DyK  _Toc18809777{DyK  _Toc18809778{DyK  _Toc18809778{DyK  _Toc18809779{DyK  _Toc18809779{DyK  _Toc18809780{DyK  _Toc18809780{DyK  _Toc18809781{DyK  _Toc18809781{DyK  _Toc18809782{DyK  _Toc18809782{DyK  _Toc18809783{DyK  _Toc18809783{DyK  _Toc18809784{DyK  _Toc18809784{DyK  _Toc18809785{DyK  _Toc18809785{DyK  _Toc18809786{DyK  _Toc18809786{DyK  _Toc18809787{DyK  _Toc18809787{DyK  _Toc18809788{DyK  _Toc18809788{DyK  _Toc18809789{DyK  _Toc18809789{DyK  _Toc18809790{DyK  _Toc18809790{DyK  _Toc18809791{DyK  _Toc18809791{DyK  _Toc18809792{DyK  _Toc18809792{DyK  _Toc18809793{DyK  _Toc18809793{DyK  _Toc18809794{DyK  _Toc18809794{DyK  _Toc18809795{DyK  _Toc18809795DyK yK \http://www.iup.edu/tsc/policies/INFOPROT.HTMLDyK yK http://www.iup.edu/ats/sts/policies/computing_resources_policy.shtmDyK yK nhttp://www.iup.edu/academicaffairs/policies/email.shtmDyK yK thttp://www.iup.edu/academicaffairs/policies/software.shtm& i8@8 NormalCJ_HaJmH sH tH R@R Heading 1$<@&5CJ KH OJQJ\^JaJ T@T Heading 2$<@& 56CJOJQJ\]^JaJN@N Heading 3$<@&5CJOJQJ\^JaJ<A@< Default Paragraph Font,@, Header  !, @, Footer  !T^@T Normal (Web)dd[$\$B*OJPJQJ^Jph<C@"< Body Text Indent ^@R@2@ Body Text Indent 2 @ ^@ .U@A. Hyperlink >*B*ph@S@R@ Body Text Indent 3 ^6Bb6 Body Text$da$aJ@ TOC 1&@& TOC 2 ^&@& TOC 3 ^&& TOC 4 ^&& TOC 5 ^&& TOC 6 ^&& TOC 7 ^&& TOC 8 ^&& TOC 9 ^:'@: Comment ReferenceCJaJ44  Comment Text!CJaJ88 Comment Subject"5\@2@  Balloon Text#CJOJQJ^JaJ>QB> Body Text 3$$a$5CJ\aJ>V@Q> FollowedHyperlink >*B* phc#DEfghiv<9CT hm s 1 E 6 DE$suvmo!!!""G#Z$&((((*K+,,,,,,----....//F0b000`1|111|222223:4;4<4R4q4N5O5r566 7C:D:===%?&?(?P?Q?^?}?rBB(C)C?CUCEE!F"F7F H"HHHKKKLLLLL MNNN_P`PaPwPPRRTTTTTUUUoUUVVVWWWYY Yl[m[|[[[[\\*\s\t\\B]C]d]+^,^P^^^^__!_]_^_e_ ` `!````aa c ccTcUcVccccc000000000000000000000000000000000000000000000000 (0 0 0 0 0 0 0 0 0 0 0 0 0 000(00000000(00000(00(0(0000000000000000(000 0 00(000 0 000 0 000 0 000 0 000(00000(000(000(00000(0000000(00(0000(00000(00(00(000000000000000000000000000000000000000000000000000000000000000000000000000000@0@0@0 0773  3+bg=@ABCDEFHIJKLMQX m K/5AOY_Pbdgg>GNOPRSTUVWYZg?i~:Vqstv7b} 79:<[4679Xo#>@ACb4OQRTs (Hcefh6Mhjkm    8 R m p q s  + . / 1 P u $ ? B C E d y   0 3 4 6 U o 4)5L5666::;>?#?c X%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%tX%t̕XXXXz!448@0(  B S  ?c" _Toc18809762 _Toc18809763 _Toc18809764 _Toc18809765 _Toc18809766 _Toc18809767 _Toc18809768 _Toc18809769 _Toc18809770 _Toc18809771 _Toc18809772 _Toc18809773 _Toc18809774 _Toc18809775 _Toc18809776 _Toc18809777 _Toc18809778 _Toc18809779 _Toc18809780 _Toc18809781 _Toc18809782 _Toc18809783 _Toc18809784 _Toc18809785 _Toc18809786 _Toc18809787 _Toc18809788 _Toc18809789 _Toc18809790 _Toc18809791 _Toc18809792 _Toc18809793 _Toc18809794 _Toc18809795 vo!,-2<4R4O56=(?Q?^?rB)C?C"F HHKLLNaPwPRTVUc  ! ~!,.3Q4o4p5 7=O?]?|?B>CTC6F!HHKL MNvPPRTnUc"**h+l+//#0%000X3^33333O5T567;;(?)?IJ2]@]8^>^_ _^_d___UcVcccccccW`  "$(v!!,,--Q/W///1133R4d4q4N5O5Y5r566 788:;;=E====%?Q?]?^?j?rBB)C5C?CTC"F0FH H HH[HiHHHKKLLNNwPPRRTT``UcVccccccc333333333333333333333333333333333333333333TUi kk//4M566:;>$?UK_KC],^`aUcVcocpc}c~ccccccccccc Samuel PuleiobH:\Preferences\Microsoft\Word\AutoRecovery save of TUC-Information-Assurance-Guidlines-draft-2.asd Samuel PuleiobH:\Preferences\Microsoft\Word\AutoRecovery save of TUC-Information-Assurance-Guidlines-draft-2.asd Samuel PuleiowO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2.doc Samuel PuleiobH:\Preferences\Microsoft\Word\AutoRecovery save of TUC-Information-Assurance-Guidlines-draft-2.asd Samuel PuleiowO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2.doc Samuel PuleiowO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2.doc Samuel PuleiowO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2.doc Samuel PuleioyO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2-1.doc Samuel PuleioyO:\Technical Services\Security Policy Info\IUP Policy development - TUC\TUC-Information-Assurance-Guidlines-draft-2-1.docjrmcferrJC:\My Documents\security\TUC-Information-Assurance-Guidlines-draft-2-1.doc WF$$B' F$#-;C^$7!F$G%,J k<5lPAb0{T`;8LY^$d *\vl ^`OJQJo(o ^`OJQJo(oh pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo( ^`OJQJo(o ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(^`CJOJQJo(^`CJOJQJo(opp^p`CJOJQJo(@ @ ^@ `CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(^`CJOJQJo(PP^P`CJOJQJo( ^`OJQJo(o ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(h pp^p`OJQJo(o ^`OJQJo(oh pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(^`o(.^`.pLp^p`L.@ @ ^@ `.^`.L^`L.^`.^`.PLP^P`L.h pp^p`OJQJo(oh @ @ ^@ `OJQJo(oh ^`OJQJo(h ^`OJQJo(h ^`OJQJo(oh ^`OJQJo(h PP^P`OJQJo(h   ^ `OJQJo(oh ^`OJQJo(h pp^p`OJQJo(oh @ @ ^@ `OJQJo(oh ^`OJQJo(h ^`OJQJo(h ^`OJQJo(oh ^`OJQJo(h PP^P`OJQJo(h   ^ `OJQJo(oh ^`OJQJo(0^`0o(808^8`0o(.0^`0o(..0^`0o(...   ^ `o( .... @ @ ^@ `o( ..... `^``o( ...... x`x^x``o(....... HH^H`o(........h pp^p`OJQJo(o ^`OJQJo(o pp^p`OJQJo( @ @ ^@ `OJQJo( ^`OJQJo(o ^`OJQJo( ^`OJQJo( ^`OJQJo(o PP^P`OJQJo(  ^ `CJo(.  ^ `.xLx^x`L.HH^H`.^`.L^`L.^`.^`.X LX ^X `L. G%,{T5lPA;CLY$B' W7!#-d *\k<                   iD*"8i0(dJ,|                   C                                   <9        oUUVVVWWWYY Yl[m[|[[[[\\*\s\t\\B]C]d]+^,^P^^^^__!_]_^_e_ ` `!```aa c ccTcUcc@؛tcP@UnknownG: Times New Roman5Symbol3& : ArialIArial Unicode MS5& z!Tahoma?5 z Courier New;Wingdings"1hwiFwiFviF^Q)i/fY0dd^8i 3QH"Indiana University of Pennsylvaniasecurity policyspuleiojrmcferrCPAC FileArchived ACPAC File# FV]t@Data \6$1TableoYWordDocument"Root Entry F[i:@Data \6$1TableoYWordDocument"՜.+,D՜.+,D ,  8)d2 $vlog Title@H     ,4L<D _PID_HLINKSEktContentID64EktContentLanguageEktFolderId64 EktQuickLinkEktContentTypeEktFolderName EktCmsPath EktExpiryType EktDateCreated EktDateModified EktTaxCategory EktCmsSizeEktSearchableEktEDescriptionekttaxonomyenabledEktShowEvents EktInPermA< Y:http://www.iup.edu/academicaffairs/policies/software.shtm`)7http://www.iup.edu/academicaffairs/policies/email.shtmteDhttp://www.iup.edu/ats/sts/policies/computing_resources_policy.shtmJ.http://www.iup.edu/tsc/policies/INFOPROT.HTML9 _Toc188097959 _Toc188097949 _Toc188097939 _Toc188097929 _Toc188097919 _Toc188097908 _Toc188097898 _Toc188097888 _Toc188097878 _Toc188097868 _Toc188097858՜.+,D՜.+,D ,  8)d2 $vlog Titlel$,p|     $,\d _PID_HLINKSEktContentID64EktContentLanguageEktFolderId64 EktQuickLinkEktContentTypeEktFolderName EktCmsPath EktExpiryType EktDateCreated EktDateModified EktTaxCategory EktCmsSizeEktSearchableEktEDescriptionekttaxonomyenabledEktShowEventsA< Y:http://www.iup.edu/academicaffairs/policies/software.shtm`)7http://www.iup.edu/academicaffairs/policies/email.shtmteDhttp://www.iup.edu/ats/sts/policies/computing_resources_policy.shtmJ.http://www.iup.edu/tsc/policies/INFOPROT.HTML9 _Toc188097959 _Toc188097949 _Toc188097939 _Toc188097929 _Toc188097919 _Toc188097908 _Toc188097898 _Toc188097888 _Toc188097878 _Toc188097868 _Toc188097858 _Toc188097848 _Toc188097838z _Toc188097828t _Toc188097818n _Toc188097807h _Toc188097797b _Toc188097787\ _Toc188097777V _Toc188097767P _Toc188097757J _Toc188097747D _Toc188097737> _Toc1880977278  !"#$%&'()*+,-./0123456789:;<=>?@ABCDEFGHIJKLMNOPQRSTUVWXYZ[]^_`abcdefghijklmnpqrstuvwxyz{|}~ _Toc1880977172 _Toc188097706, _Toc188097696& _Toc188097686  _Toc188097676 _Toc188097666 _Toc188097656 _Toc188097646 _Toc188097636 _Toc18809762UX ;DownloadAsset.aspx?id=88149e@bs@p~tArchived ACPAC File "SummaryInformation(DocumentSummaryInformation8CompObjjObjectPoolQSQS   FMicrosoft Word Document MSWordDocWord.Document.89qOh+'0@@ XL `|@F#@LZQS@~QS@~QS^QInfor-Assurance-Guidelines$Mr. Christopher G. Bennett cbennett$Mr. Christopher G. Bennett cbennettArchived ACPAC FileArchived ACPAC FileEktTaxCategory՜.+,D՜.+,D ,  8 _Toc188097848 _Toc188097838z _Toc188097828t _Toc188097818n _Toc188097807h _Toc188097797b _Toc188097787\ _Toc188097777V _Toc188097767P _Toc188097757J _Toc188097747D _Toc188097737> _Toc1880977278 _Toc1880977172 _Toc188097706, _Toc188097696& _Toc188097686  _Toc188097676 _Toc188097666 _Toc188097656 _Toc188097646 _Toc188097636 _Toc18809762UX ;DownloadAsset.aspx?id=88149e@bs@p~tr Summary Archived ASummaryInformation(DocumentSummaryInformation8PCompObjjObjectPoolQSQS