System Access and Security Policy ("SASP")
for Users of Administrative Workstations
The System Access and
Security Policy ("SASP") is official Information Technology Services
policy with regard to computer systems and network access for all administrative
users of technology within the NIU organization. All new and existing administrative
employees are expected to abide by its terms.
General Guidelines
Users and departments requesting access to university enterprise systems and
data resources agree to follow accepted and prudent practices regarding computer
security. The following policies should guide user and departmental practices
and procedures:
Confidentiality
University data and information stored on university enterprise systems is
considered confidential. Access to university information involves both trust
and responsibility. Users must ensure that private and sensitive information
is not disclosed to unauthorized individuals or organizations that do not
have a legitimate reason for access to the information.
Requests for the disclosure
of confidential information outside the university will be governed by the
provisions of law, including but not limited to the Family Educational Rights
and Privacy Act of 1974 as amended in 1998 ("FERPA"), the Illinois
School Student Records Act, and the Illinois Freedom of Information Act. All
such requests will be honored only when approved by university officials who
are the legal custodians of the information requested, or if required by state
or federal law or court order.
Availability
Computer systems are provided to users to perform university business. Denial
of service caused by the installation of unauthorized software that compromises
an individual or network system, or by virus infections that corrupt or delete
system software or data, is a serious threat to university operations. Users
shall refrain from practices that tend to compromise the availability of computer
systems or resources.
Accuracy and Integrity
Accuracy and integrity are essential elements in the use, storage and retrieval
of electronic data. The use and/or exchange of data must be done with adequate
controls to ensure integrity and verifiable results. Authenticity requires
that data is not corrupted or altered in such a way that would misrepresent
or hinder auditability.
User Responsibilities
Follow good security practices as outlined in this security policy as well
as supplemental departmental security policies and procedures.
Maintain and use computer
workstations in accordance with this Security Policy, the ITS Acceptable Use
Policy Statement ("AUP") (see http://www.its.niu.edu/aup/),
and applicable supplemental departmental security policies and procedures.
Report known violations
of this security policy, the AUP and/or supplemental departmental security
policies to management.
Only request access to
official files and records necessary to perform duties as defined by the user's
position description.
Confidential data and
information may be transferred among university staff only as required for
fulfilling assigned duties and responsibilities.
Do not attempt to access
data or programs on enterprise systems for which the user does not have authorization
or explicit consent of the owner of the data.
Do not reproduce, edit,
revise or otherwise alter data and information except as required for legitimate
university reporting purposes.
Do not make copies of
system configuration files (e.g., password files, cache files, registry entries,
.ini files, .cfg files, etc.) for unauthorized personal use or to provide
to other people/users for unauthorized uses.
Do not purposely engage
in activity with the intent to do any of the following: harass other users;
degrade the performance of systems; deprive an authorized user of access to
a university resource; obtain extra resources beyond those allocated; circumvent
computer security measures; or gain access to enterprise systems for which
proper authorization has not been given.
Do not disclose or share
a user login id and password with others except as required for system maintenance
purposes or for purposes of promptly changing a password as appropriate.
Do not download, install
or run security programs or utilities which reveal weaknesses in the security
of a system except as specifically required by the user's position. For example,
only users whose position requires it may run or "test" password
cracking programs or network sniffers on university computing systems.
Refrain from installing
personal or third party applications not related to a user's job function
that may compromise access to university enterprise systems.
Do not seek personal
benefit or permit others to benefit by disclosing or otherwise using confidential
data or information which has come to him/her by virtue of work assignment.
Do not use university
computing resources for private, commercial gain.
Supervisor and Departmental Responsibilities
Ensure that
only authorized users have access to university data for appropriate departmental
and university business purposes.
Ensure that official
files, reports, and data accurately reflect university operations and transactions.
Ensure that user IDs
and passwords are not shared and that appropriate access and usage policies
are maintained and enforced.
Be subject to periodic
audits of departmental practices and procedures regarding access to enterprise
computer resources.
Notify ITS Network Security
and/or local area network administrator of any change in a user's job function
or employment that would require changes be made to the user's access at least
five business days before such a status change. Managers must specify both
access to be added or revoked as appropriate for job changes.
Request that accounts
or passwords for individuals who no longer require access to network resources
be deactivated within 24 hours of user's change in status.
Set up and configure university-owned
computer workstations in accordance with this security policy and supplemental
departmental security policies and procedures.
Ensure that ITS certified
virus protection software is properly installed and functioning on computer
workstations.
Ensure that staff is
adequately trained in basic Windows usage and navigation skills and that users
have had appropriate training in applicable software packages.
Consequences of Noncompliance
Noncompliance with these guidelines constitutes a violation of security policy.
Violations shall be reported to the proper university officials and will result
in short-term or permanent loss of access to enterprise computing systems.
Violators are also subject to university disciplinary procedures. Serious
violations may be referred to state and/or federal law enforcement officials
and may result in civil or criminal prosecution. In the event that it is necessary
to suspend an existing user's account for security or disciplinary reasons,
the account will not be reinstated until or unless the user is witnessed to
have read the SASP and signs a Statement of Responsibility for retention by
ITS security.
Please refer questions
or concerns to ITS Network Security at 753-1678.
NORTHERN ILLINOIS UNIVERSITY
Information Technology Resources
Acceptable Use Policy
Northern Illinois University
information technology resources, including the electronic communications
network (NIUnet) on the NIU campus and in off-campus education and research
centers and the computers attached to this network, are for the use of persons
currently affiliated with Northern Illinois University, including faculty,
staff and students. Information technology resources are provided by the university
to further the university's mission of research, instruction and public service.
Use of these resources should be consistent with this mission and this policy.
Acceptable use of NIU
information technology resources is based on common sense, common decency,
and civility applied to the networked computing environment. All authorized
users have the right to expect reasonable privacy with regard to all computer
files and e-mail. The University may access university-owned or networked
computers for maintenance and upgrades or when based upon established procedures
for suspected abuse of this policy. Users are entitled to notification of
such access and, whenever possible, notification should precede access. If
users believe their reasonable rights to computer privacy have been violated,
they may follow usual grievance procedures.
Unacceptable uses include,
but are not limited to, the following:
- Using the resources
for any purpose which violates federal or state laws.
- Using the resources
for commercial, sales and advertising purposes without university approval.
- Using excessive data
storage or network bandwidth in such activities as propagating "chain
letters" or "broadcasting" inappropriate messages to lists
or individuals or generally transferring unusually large or numerous files
or messages.
- Sending or storing
for retrieval patently harassing, intimidating, or abusive material.
- Misrepresenting your
identity or affiliation in the use of information technology resources.
- Using someone else's
identity and password for access to information technology resources or
using the network to make unauthorized entry to other computational, information
or communications devices or resources.
- Attempting to evade,
disable or "crack" password or other security provisions of systems
on the network.
- Reproducing and/or
distributing copyrighted materials without appropriate authorization.
- Copying or modifying
files belonging to others or to the university without authorization including
altering data, introducing or propagating viruses or worms, or simply damaging
files.
- Interfering with or
disrupting another information technology user's work as well as the proper
function of information processing and network services or equipment.
- Intercepting or altering
network packets.
These principles and
guidelines are extended to networks and information technology resources outside
the university accessed through NIUnet via the Internet. Networks or information
technology resource providers outside the university may, in turn, impose
additional conditions of appropriate use which the user is responsible to
observe when using those resources.
Access to the information
technology environment at Northern Illinois University is a privilege and
must be treated as such by all users of these systems. Like any other campus
facility, abuse of these privileges can be a matter of legal action or official
campus disciplinary procedures. Depending on the seriousness of an offense,
violation of the policy can result in penalties ranging from reprimand (i.e.,
don't do this any more), to loss of access, to referral to university authorities
for disciplinary or legal action. In a case where unacceptable use severely
impacts performance or security, in order to sustain reasonable performance
and secure services for the rest of the user community, Information Technology
Services will immediately suspend an individual's access privileges.
This policy is subject to amendment at any time. For a copy of the most recent
policy see the Northern Illinois University web server at http://www.niu.edu/.
Revised 8/29/2000
Page last reviewed 7/1/2002
NORTHERN ILLINOIS UNIVERSITY
Electronic Mail (e-mail) Policy
Northern Illinois University
participates in a range of computing networks and many members of the university
community, including faculty, staff and students, use electronic mail (e-mail)
in their day-to-day activities. E-mail services are provided on university
owned computing and networking systems to further the university's mission
of research, instruction and public service. Use of e-mail should be consistent
with this mission and this policy.
Acceptable use of e-mail
is based on common sense, common decency, and civility applied to the electronic
communications environment.
Mass mailings are permitted,
but need to follow these guidelines:
- Mass mailings for
over 100 users need to have Provost approval.
- Include the content
within the message itself as opposed to "attaching" it if at all
possible.
- Send out a web based
link to the source for any high resolution graphics, streaming content,
etc., which would increase the message size dramatically.
Unacceptable uses include,
but are not limited to, the following:
- Using e-mail for any
purpose which violates federal or state laws.
- Using e-mail for commercial
purposes.
- Misrepresenting your
identity or affiliation in e-mail communications.
- Sending patently harassing,
intimidating, abusive or offensive material to or about others.
- Intercepting, disrupting
or altering electronic communications packets.
- Using someone else's
identity and password.
- Causing congestion
on the network by such things as the propagation of "chain letters,"
"broadcasting" inappropriate messages to lists or individuals,
or excessive use of the shared data store of the e-mail post office.
- Assigning a priority
of "high" to a mass mailing.
Communications in this
medium are protected by the same laws and policies, and are subject to the
same limitations, as communications in other media. However, users should
exercise caution when committing confidential information to electronic media
because the confidentiality of such material cannot be guaranteed. For
example, e-mail messages can be saved indefinitely on the receiving computer.
Copies can easily be made and forwarded to others either electronically or
on paper. Messages sent to nonexistent or incorrect user names are delivered
to a person designated as Postmaster for either the remote or local site.
Routine maintenance or system administration of a computer may result in the
contents of files and communications being seen (network and system administrators
are, however, expected to treat the contents of electronic files as private
and confidential).
Also, under the Illinois
Freedom of Information Act, electronic files are treated in the same way as
paper files. Any official university documents (as defined by law) in the
files of employees of the State of Illinois are considered to be public documents,
and may be subject to inspection through FOIA. In such cases, the campus Freedom
of Information Officer should inspect files to determine which portions may
be exempt from disclosure. Any inspection of electronic files, and any action
based upon such inspection, will be governed by all applicable U.S. and Illinois
laws and by university policies.
Access to the information
technology environment in general, and electronic mail in particular, at Northern
Illinois University is a privilege and must be treated as such by all users
of these systems. Like any other campus facility, abuse of these privileges
can be a matter of legal action or official campus disciplinary procedures.
Depending on the seriousness of an offense, violation of the policy can result
in penalties ranging from reprimand (i.e., don't do this any more), to loss
of access, to referral to university authorities for disciplinary action.
In a case where unacceptable use severely impacts performance or security,
in order to sustain reasonable performance and secure services for the rest
of the user community, the Computing Facilities will immediately suspend an
individual's access privileges.
This policy is subject
to amendment at any time. For a copy of the most recent policy see the Northern
Illinois University web server at http://www.niu.edu/.
Department of Geography
Computer System Policies
(revised 8-21-02)
Abbreviated version for
web posting; see Computer Systems Administrator for full policy that extends
beyond the logon screen details! Additional policies pending.
- University Equipment
Department of Geography computers are assigned primarily to "full
time" Faculty and Staff. These computers (whether they are lab based
or in a faculty / staff office) are the property of Northern Illinois
University, allocated to the department and maintained by the Department's
Systems Administrator (Philip Young).
These computers are for teaching, research and projects that are part
of the mission and purpose of the Department of Geography. These systems
are not to be used for personal use or private functions. These computers
should not be shared out to those who are not assigned to use them. This
includes undergraduate students, graduate students, private citizens,
faculty from other departments, and so forth. This applies to computer
labs as well as individual computers. Many of the machines tie directly
into departmental servers and LANs, which have access capabilities that
are not intended for general public use. All faculty, staff, instructor
and grad student desktop computers tied into the department network must
stay connected to the network and must remain in Davis Hall at all times.
- Computer Access
It is the responsibility of every faculty and staff member to see that
all Department of Geography computer policies are adhered to. If there
are problems with the computer systems, the Systems Administrator should
be contacted. Absolutely no students or outside personnel should have
any access to these computer systems without prior consent from the department.
Only the Department Systems Administrator has the authority to connect
an individual to a computer or network resource.
- Lab Access
Lab (computer) access should be designed to maximize the use of a given
lab for students, while taking into account the logistics of finite resources.
These labs are an extension of the curriculum that the department offers
and must be planned out well in advance of each semester's start. Some
labs have high security levels and limited access while others have general
access with reduced security. These are set by the Systems Administrator
as to the specific hardware / software content. In some cases, selected
labs are set specifically for project / grant oriented research and development,
and access is dictated by the project needs.
Lab access is enforced by the Systems Administrator (through account activation)
whose authority has been granted by the Department of Geography. Each
lab has a different level of access based upon the activities dictated
by the primary usage of each lab. All accounts for these labs are authorized
through the Systems Administrator. For access to the mobile projection
systems you should also talk to the Systems Administrator.
- Server Hard Drive Access
The department server(s) are to be accessed by those who have accounts
established by the Systems Administrator. Each account will have a set
hard drive limit based upon the designated user. The following hard drive
allocations apply per individual computer user:
Faculty / Staff - 3 gigabytes
Graduate Students - 500 megabytes
Student Class Accounts - 75 megabytes
Research Projects need to discuss with Computer Admin
Web pages - 10 megabytes
Email Accounts - 10 megabytes (20 megs for attachments)
The operating system software will monitor hard drive sizes and will warn
the Systems Administrator when a user's limits are nearing capacity. Users
may be notified by the System Administrator if they need to reduce the
directory size to comply with departmental limits. Users may be locked
out of their accounts if they fail to reduce their directory size, after
being notified by the Systems Administrator. Users who have access to
restricted directories (ex. Class directories) should not transfer data
directly into these directories without first informing the Systems Administrator
about the data content.
- Office Computer Systems
Office computer systems are a privilege, not a guaranteed "right".
Each permanent faculty member will have access to [ONE] computer system
and printer that he or she will operate in their office (occasionally
an Instructor may also be assigned a computer). It is the responsibility
of the faculty member to adhere to all departmental and university regulations
regarding the use of this equipment (www.niu.edu). Each faculty member
is responsible for their office computer and must safeguard it from unauthorized
access, damage or theft. These computers are still an overall part of
the Systems Administrator's responsibility. This means that if department
policies are not adhered to, the Systems Administrator can remove any
office computer at any time. All network operations (connections) and
hardware maintenance of these computers are solely the responsibility of
the Systems Administrator.
- Mobile Computers (notebooks)
Mobile computer systems such as the department's notebook computers or
mobile projection system must be monitored closely since they are at high
risk for theft and damage. Notebook computers need to be protected from
environmental extremes (shock, humidity, heat, cold, water, etc.). Spare
notebook computers can be checked out for specific departmental functions
and then must be returned upon completion of the task.
Any faculty member that is permanently assigned a notebook computer will
not be allowed to concurrently have an office desktop computer. Faculty
members who opt to utilize a notebook computer instead of a stationary
computer must take extra care to safeguard the equipment against theft
and damage. Information of a confidential nature pertaining to the Department
should not be stored on these machines when they are outside of the office
unless adequate encryption or lockouts are used. If a faculty member is
permanently assigned a notebook computer, then they are responsible for
the repair costs, if it is damaged while out of the office. It is not
the department's responsibility to repair or replace damaged or lost notebook
computers due to user negligence. Furthermore, if a notebook is damaged
or lost while under the supervision of a faculty member, that faculty
member is not automatically guaranteed that he or she will get a desktop
computer in the interim nor does it guarantee a replacement notebook.
In the event of a damaged or lost notebook, if an older stationary unit
is available, it will be loaned out on a temporary basis. This is no guarantee
though, and since notebook computers are far more prone to damage and
abuse, they generally should be discouraged from being used by faculty
as their primary computer choice.
- Computer Security
A major function of the department's computer labs is the level of security
that is provided by the Systems Administrator. This task involves access
to labs and servers, as well as security passwords for labs and office
computers. Passwords are crucial in securing computer files from unauthorized
access. Passwords are set up to maintain computer system security and
to safeguard against potential virus infiltration. It is the individual's
responsibility to safeguard his or her password and to not share it with
anyone else. As the department's network and computing functions become
more complex this becomes a vital part of the system security. No faculty
passwords should be given out to students. Any students that need passwords
for faculty sponsored projects or lab assignments should have separate
accounts and passwords established. Faculty that let students access the
department server utilizing their faculty account give the students unauthorized
access to faculty directories, class labs and their email! Twice every
calendar year each faculty and staff member will be required to change
their password to protect the system.
- Software Licenses
University policies dictate that all software is legally purchased, registered
and used appropriately. The department is continually updating many of
its software products and licenses. Some software is based upon site licenses
(such as from ITS) that have yearly renewal policies, while others are
based upon individual or multi-pack licenses. All Department of Geography
lab computers must have legally registered software that was purchased
by the department. Only the System Administrator should load software
onto any lab computer.
- E-Mail Access
E-mail access is available for faculty / staff and Instructors through
the E-mail server. E-mail should be used only for "official"
departmental functions. Email download limits will be enforced to prevent
unnecessarily large files from overloading the server hard drives. Anyone
downloading "attached files" with their email should be aware
of the potential for hidden viruses. Users should not download attached
files from people or places they do not know. New viruses are created
daily, so it is the individual's responsibility to protect their own computer.
Geography computer labs vary in the amount of access that is available
to the "outside" world. Computer users who repeatedly download
viruses (willingly or unwillingly) will have their account frozen until
they talk to the System Administrator. Continued download abuses will
result in all email privileges being revoked.
E-mail usage is strictly for Department of Geography official business,
not personal usage! No third party email systems should be accessed from
the Department's systems (web browser) nor should any third party email
system be redirected to the Department's email server. List servers and
other mass email listings should not be directed to individuals' email
accounts.
- Internet Access
Internet access is granted to all Department Faculty, Staff and Graduate
students (and in some instances undergraduate students in certain labs).
The right to Internet access is governed by
Departmental and University guidelines. The restrictions include, but are
not limited to:
- Internet
access is for research and educational data acquisition
- Internet access
should not be used for downloading programs and updates
- Internet access
for recreational usage is not authorized
- Internet access
to sites that do not meet the criteria set forth by the department and
university is not authorized.
Failure to
adhere to proper usage of the Internet will result in permanent denial
of connection to the Internet.
- Virus infiltration
All computer systems must be protected from viruses infiltrating the computer
network. A virus reaching the Primary Server can have catastrophic effects
on the computer domain, research data as well as computer lab access.
Therefore it is absolutely critical that all computer users adhere to
the following protocols:
- Do
not open up any email and/or attachments from anyone that you do not
know.
- Do not load
floppy disk data onto your computer or the server without first scanning
it for viruses.
- Do not load
data from floppies provided by students unless it is scanned thoroughly.
- If you work
on data at home, make sure that you have updated anti-virus software
loaded on your computer before bringing floppy/Zip disks back to the
office systems
- Do not attempt
to telnet or FTP into the system from the outside.
- Do not send
out email to newsgroups with content that may bring out a retaliatory
response from thousands of outside users.
- Do not assume
that your email and Internet activities will not be examined by the
University and/or Department System Administrator for illegal or non-work-related
activities!
- Do not give
out any information about Department of Geography computer names,
addresses, or any type of operating system/network configurations.
- Computer Maintenance
Any departmental computer system that malfunctions must be repaired or
processed through the System Administrator. Faculty and staff should not
attempt to repair or upgrade any Department computer systems. All service
calls on such machinery must be processed through the System Administrator.
Philip Young is responsible for all hardware / software maintenance
of department computer systems.
- Computer Labs
All computers in the Geography Computer labs are to be used for classes
or labs that are specifically assigned for that semester. These are courses
approved by the Department and the Department's Systems Administrator
maintains the labs. The Systems Administrator will be in charge of all
aspects of security in 101 which includes:
- Systems administration
of all computers (hardware & software).
- Arming / disarming
the security system.
- Securing the
lab for the weeknights and weekends.
- Computer Lab
Maintenance.
- Lab enforcement
(closing student accounts for violating posted policies).
- Setting account
privileges for students and/or labs.
These labs are not
an open lab for Geography Graduates to use for their thesis work!
Please look for postings in all computer labs for additional local rules!