
Policy for the Use and Protection of Information Resources


1. Introduction

UT Dallas administers information resources that are important state assets. Information Resources include all computer and telecommunications hardware, software, and networks owned, leased, or operated by The University of Texas System and the information stored therein (“Information Resources”). Some of these assets require special protection. Some information is confidential and must be guarded against unauthorized disclosure; other information is sensitive and must be protected from unauthorized modification. Some information is both confidential and sensitive.

1.1 Purpose

This policy is established to achieve the following:

  1. to ensure that the University complies with state laws and regulations regarding the use of and security of Information Resources
  2. to establish prudent and reasonable practices for the protection of Information Resources
  3. to educate employees, students, and others who may use Information Resources about the responsibilities associated with such use.

There are many issues associated with information resources, not all of which are addressed by the Policy. These issues may be addressed by University Administration in additional policy statements. Additional information resource policies may elaborate upon any issue, but must not contradict this Policy.

1.2 Implementation

Information Resources must be identified, protected, and used in accordance with their character. These are the steps that must be undertaken by UT Dallas to comply with state requirements to protect information assets:

  1. Analyze information to determine whether it is confidential, sensitive, both or neither.
  2. Prepare a security plan to protect information identified as confidential, sensitive or both.
  3. Assign management responsibility for implementing the security plan.
  4. Train personnel to treat information resources properly.
  5. Monitor the treatment of information resources to ensure compliance with the security plan.
  6. Submit planning documents and reports to the Texas Department of Information Resources.

1.3 Policy Review

For reference, the full text of the Policy upon which this document is based may be accessed through The University of Texas System World Wide Web site at the following address: http://www.utsystem.edu/BPM/53.htm

The technical, cultural, and legal environment of The University of Texas as it relates to information technology use and security is constantly changing. Feedback concerning the impact of this Policy will be solicited during the first year of implementation. The Policy will be revised as needed to comply with changes in law or administrative rules or to enhance its effectiveness.

2. General Information

2.1 Scope

It is the policy of UT Dallas to protect all data and information technology resources in accordance with the Texas Department of Information Resources (DIR) Information Security and Risk Management Policy, Standards, and Guidelines published in the Texas Administrative Code, TAC 202. Under the provisions of the Information Resources Management Act, Section 2054.001 et seq., Government Code (“Act”), University Information Resources are strategic assets of the State of Texas that must be managed as valuable state resources.

This Policy also applies to Information Resources owned by others, such as political subdivisions of the state or agencies of the state or federal government, in those cases where there is a statutory, contractual, or fiduciary duty to protect the resources while in University custody. If the owner has a more restrictive policy, that policy will control.

2.2 Use of Information Resources

The business or purpose of UT Dallas is defined by its missions, and Information Resources are to be used in support of those missions. All persons who have access to and use of Information Resources of UT Dallas, other than resources made available to the public in general, must comply with this Policy, applicable laws and regulations relating to Information Resources of state agencies, and restrictions specified by the Owner.

Users may access or disclose confidential and sensitive information only as permitted by contract, state or federal law or regulation, the scope of their employment, or approved UT Dallas policy.

Users must abide by applicable software license agreements and may copy licensed software only as permitted by the license.

Following are provisions enacted by the Texas Legislature and established by the Department of Information Resources governing the use of Information Resources:

  1. Information and information resources possessed by agencies of the state government are strategic assets belonging to the residents of this state that must be managed as valuable state resources. Section 2054.001(a)(1) of the Texas Government Code.
  2. No person shall entrust state property to any state official or employee or to anyone else to be used for other than state purposes. Section 135 of Article IX of the General Appropriations Act.
  3. Access to state information resources must be strictly controlled. State law requires that state owned information resources be used only for official state purposes. TAC 202.
  4. All information and telecommunication resources leased or owned by the state and all time-sharing services billed to the state shall be used only to conduct state business. TAC 202.
  5. All network components under state control must be identifiable and restricted to their intended use. TAC 202.
  6. Section 33.02, Texas Penal Code, a provision of the Texas Computer Crimes Statute, makes it a criminal offense (1) to knowingly access a computer network or system without the effective consent of the owner; or (2) to intentionally or knowingly disclose a password, identification code or number, debit card or bank account number, or other confidential information about a computer security system without the consent of the person employing the security system.
  7. Section 39.02, Texas Penal Code, makes it a crime for an officer, agent, or employee of a governmental agency to misuse government property, services, personnel, or other thing of value belonging to the state with the intent to obtain a benefit or to harm another person. The Texas Ethics Commission is authorized to issue opinions regarding the application of Section 39.02 to specific factual situations. It has ruled in Texas Ethics Commission Advisory Opinion No. 134 (1993) that the incidental personal use of state telephones that does not result in additional cost to the state is not a violation of Section 39.02(a)(2) of the Texas Penal Code.

Ethics and The University of Texas System: A Brief Practical Guide, published by The University of Texas System Office of General Counsel, provides additional guidance relating to use of state resources. Questions related to personal use of Information Resources of UT Dallas should be submitted to the Ethics Officer and the Information Resources Manager of UT Dallas, as appropriate.

2.3 Warning Statements

The Department of Information Resources rules and regulations, TAC 202, require all identification screens to include the following warning statements.

  1. Unauthorized use is prohibited
  2. Usage may be subject to security testing and monitoring
  3. Abuse is subject to criminal prosecution
  4. No expectation of privacy except as otherwise provided by applicable privacy laws.

2.4 User Acknowledgement

Employees, students, and others who use Information Resources other than public information servers must acknowledge that they understand their responsibilities relating to such use.

TAC 202 of the rules and regulations of the Department of Information Resources requires that all personnel of UT Dallas provide acknowledgment that they will comply with this Policy. Acknowledgment is also required of all employees of UT Dallas, as well as any contractor, consultant and other person who may be accessing the Information Resources of the University. Acknowledgments may be signed in writing, or alternatively they may be signed electronically, if procedures exist to authenticate such signatures.

Section 135 of Article IX of the General Appropriation Act and TAC 202 of the rules and regulations of the Department of Information Resources require that UT Dallas Information Resources be used only for state purposes. This restriction applies to all persons using such resources. Each student who is a User of Information Resources is required to execute yearly an acknowledgment that they will comply with the policy. Student User Acknowledgments may be signed in writing, or alternatively they may be signed electronically, if procedures exist to authenticate such signatures.

Acknowledgments will be maintained locally by the appropriate Information Security Officer.

2.5 Classification of Information

Information requiring special protective precautions will be classified as CONFIDENTIAL or SENSITIVE as defined below:

Confidential information is information maintained by UT Dallas that is exempt from disclosure under the provisions of the Texas Public Information Act or other applicable state or federal law, regulation, or court order. The controlling factor for confidential information is prevention of dissemination.

Sensitive information is information maintained by UT Dallas that requires special precautions, as determined by university standards and risk management decisions, to protect it from unauthorized modification or deletion. Sensitive information may be either public or confidential. It is information that requires a higher than normal assurance of accuracy and completeness. The controlling factor for sensitive information is assuring and maintaining integrity.


2.6 Risk Analysis

UT Dallas will identify its confidential and sensitive information. To ensure that such information is protected in accordance with its value, UT Dallas will produce:

  1. A Risk Analysis Report
  2. A Security Plan
  3. An Information Resources Contingency/Disaster Recovery Plan

3. Management and Staff Responsibilities

3.1 General Management Responsibilities

Department heads are responsible for security of Information Resources within their departments. By assuring that personnel comply with this Policy, department heads will provide the control necessary to protect the integrity of the Information Resources.

Department heads will identify positions under their supervision that require special trust. Applicants for and incumbents in those positions must be screened, trained, and managed in ways that will ensure an adequate level of security for Information Resources to which they have access.

3.2 Chief Administrative Officer

The Chief Administrative Officer of UT Dallas is responsible for establishing and maintaining security and risk management programs for Information Resources. Responsibilities include:

  1. Enforcing state-level security and risk management policies
  2. Establishing and maintaining a risk management program
  3. Establishing and maintaining policies and procedures that provide for the security of Information Resources
  4. Assigning ownership for Information Resources
  5. Preparing and maintaining the Contingency Plan for Information Resources Services Resumption
  6. Ensuring compliance with Texas Department of Information Resources (DIR) planning requirements by including security and risk management policies and practices in the institution's strategic plan
  7. Ensuring compliance with state Information Resources audit requirements
  8. Ensuring participation by all levels of management and administrative and technical staff during planning, development, and implementation of policies and procedures

3.3 Information Resources Manager (IRM)

The Chief Administrative Officer may designate an Information Resources Manager (IRM). [Note: Separate IRMs may be designated for academic and administrative information resources.]

The Chief Administrative Officer retains ultimate responsibility for enforcement of all security and risk management policies but may delegate the procedural responsibilities to the Information Resources Manager (IRM).

3.4 Information Resources Security Function

The individual(s) responsible for this function shall report to the IRM and shall be responsible for directing policies and procedures designed to protect Information Resources. This function:

  1. Identifies vulnerabilities
  2. Identifies critical and sensitive Information Resources
  3. Develops/Maintains a risk management program
  4. Develops/Maintains a Contingency Plan for Information Resources Services Resumption
  5. Develops/Maintains an adequate Security Awareness Program

3.5 Owners of Information Resources

Information Resources are to be assigned "Owners". The Owner is the designated person responsible for carrying out the program that uses the resources. That person is referred to herein as a "Program Manager". At a minimum, the Owner, or Program Manager, is responsible for and authorized to:

  1. Assess and classify information
  2. Identify risks to Information Resources through risk analysis
  3. Work with technical management to specify cost effective security controls and convey security control requirements to users and custodians
  4. Approve access and formally assign custody of the Information Resource
  5. Ensure compliance with applicable controls
  6. Plan for contingencies and disaster recovery for the Information Resources

3.6 Custodians of Information Resources

The "Custodian" is the individual responsible for physical possession of Information Resources (e.g., data processing director, network services director, etc.) and for providing the technical facilities, data processing, and other support services to Owners and Users of Information Resources.

As a general rule, the Custodian of Information Resources is assigned the responsibility to:

  1. Implement the security controls specified by the Owner
  2. Provide physical and procedural safeguards for Information Resources within the facility
  3. Assist Owners in evaluating the cost-effectiveness of controls
  4. Administer access to the Information Resources and make provisions for timely detection, reporting, and analysis of actual and attempted unauthorized access to information resources

3.7 Technical Management

Technical managers who have been assigned custodial responsibility for the Information Resources utilized in carrying out their technical activities (services) are also responsible for ensuring the security of those resources. In general, technical managers are responsible for:

  1. Ensuring that adequate technical support is provided to define and select cost-effective security controls
  2. Ensuring the implementation of security controls as defined by the owners of the Information Resource, including those controls required to notify the owner of actual and attempted security violations
  3. Developing and maintaining contingency/disaster recovery plans
  4. Developing and following procedures for reporting on monitored controls

3.8 Security Administrators

Security administrators are responsible for:

  1. Providing assistance to the individual(s) responsible for the information security function
  2. Assisting with acquisition of security hardware/software
  3. Assisting with identification of vulnerabilities
  4. Developing/maintaining access control rules
  5. Maintaining user lists, password control, encryption keys, etc.

3.9 Internal Auditor

The internal audit function of UT Dallas is responsible for the periodic, risk-based review of Information Resources security policies and procedures for:

  1. Compliance with security policies, standards, and guidelines
  2. Evaluation of the effectiveness of security controls
  3. Examination of planned security controls
  4. Participation in the risk analysis process

3.10 Failure to Comply with Minimum Standards

Should an audit indicate that corrective actions have not been taken with respect to security deficiencies, the institution may be subject to any or all of the following:

  1. Audit by the Office of the State Auditor
  2. Disapproval of strategic and operating plans
  3. Further action as deemed necessary by the state to ensure compliance with minimum security standards for protection of Information Resources

4. Personnel Practices

4.1 Information Resources Security Manual

UT Dallas will prepare an Information Resources Security Manual containing the institution's security policies and procedures.

The Information Security Manual will:

  1. Describe the roles and responsibilities of the Chief Administrative Officer, Information Resource Manager(s), Information Resources security officer, data processing managers, program managers, internal auditors, and other technical and program personnel with respect to Information Resources security.
  2. Affirm that all personnel have a responsibility for maintaining the security and confidentiality of the institution's Information Resources and that each individual must comply with information security policies and procedures.
  3. Describe the general roles and responsibilities of the Owners, Custodians, and Users of information.
  4. Inform all personnel regarding the oversight responsibilities of internal auditors in terms of reviewing the adequacy of information security policies and procedures.
  5. Identify and discuss the disciplinary actions that will occur if personnel do not comply with security policies and procedures.
  6. List procedures to ensure that new employees are knowledgeable about, understand their role in, and acknowledge Information Resources security policies and procedures.
  7. List procedures whereby all employees review and acknowledge Information Resources security policies and procedures.

4.2 Positions of Special Trust

Managers should review the duties of personnel under their supervision annually, or upon a change in job description, to determine if the position is one of special trust. A position of special trust is one in which the individual can view confidential information, alter sensitive information or is depended upon for the continuity of Information Resources that are determined to be essential. A person is also considered to be in a position of special trust if that person acts independently of controls and supervision and impacts the confidentiality, integrity, or availability of confidential or sensitive information. Employees in positions of special trust will be required to hand sign the acknowledgments yearly.

4.3 Security Awareness and Training

Personnel whose duties bring them into contact with confidential or sensitive information will be required to participate in an awareness and training program at least annually and will receive periodic briefings.

As appropriate, annual training programs will include such topics as:

  1. Public access to information
  2. Policy against using University resources for personal purposes
  3. Disposal of confidential or sensitive information
  4. Protection of passwords
  5. Message authentication and data encryption
  6. Privacy and confidentiality
  7. Copyright protection and the use of copyrighted material
  8. Work habits in relation to security

4.4 Hiring and Terminating Procedures

Policies and procedures regarding the use and security of Information Resources will be communicated to new employees. New employees are required to sign acknowledgments.

Applicants for employment for a position classified as security-sensitive may be subject to a criminal history record check pursuant to Section 51.215, Texas Education Code and approved institutional policy on security-sensitive positions.

Employees or persons contracting with the U. T. System surrender all Information Resources and means of access to Information Resources upon termination of such association. Obligations to maintain the confidentiality of information continue after termination. All security privileges shall be revoked upon termination of employment for any reason.

4.5 Disciplinary Actions

Violation of this Policy will result in such disciplinary action as is appropriate under the circumstances in compliance with the University's discipline policies.

4.6 Criminal Actions

A person who commits a violation of this Policy may be subject to prosecution under applicable state and/or federal law.

5. Information Security

5.1 Systems Design

Based on risk assessment, newly implemented information systems are to be designed to prevent the disclosure of confidential or sensitive information to any unauthorized person and to prevent unauthorized changes to files. Systems are to be designed for ease of use and for quick recovery in the event of disaster.

5.2 Accountability: Log-on Identifiers, Passwords, and Password Control

Confidential/sensitive systems will require users to provide a unique user identification (i.e., log-on identifier).

Accounts that give users access to Information Resources are to be used only by the persons to whom the accounts are assigned. Log-on Ids, passwords, telephone calling cards and other means of access must not be shared with anyone. Similarly, users may only access resources for which they are authorized. Holders of means of access are responsible for unauthorized access to their accounts that results from their negligence in maintaining the confidentiality of their means of access.

Users will be required to agree by written or electronic signature to use a password identifier only for the purposes intended, not to disclose their password, and to immediately report any possible breach in security.

Users will be trained to log off computer systems when not in use. Where appropriate, an automatic time-out will occur after a specified period of system inactivity.

Each employee's information access authority will be reviewed periodically including review at time of a transfer, promotion, or termination.

Passwords for consultants and contractors will be disabled at the end of their contract.

The required use of passwords and establishment of appropriate audit trails will be determined through risk assessment.

Public information systems (such as bulletin boards, gopher servers, World Wide Web servers, kiosks and similar technologies) are used by the University to provide information and services directly to the public. The degree to which such systems are to be secured is determined through risk assessment.

5.3 Audit Trails

Based upon risk assessment, newly implemented transaction oriented systems are to be designed to capture audit trails as appropriate. As appropriate and to the extent feasible, transaction histories are to record:

  1. Update transactions
  2. Date and time of activity
  3. User identification
  4. Sign-on and sign-off activity
  5. Sensitive display transactions

5.4 Internal Audits

As a general rule, the scope of internal audits should include the evaluation of the following attributes:

  1. Effectiveness of Information Resource security measures
  2. Compliance with applicable Information Resources policies and standards
  3. The degree to which security policies and procedures are implemented

During the acquisition and system development process, internal auditors will participate in evaluating the effectiveness of security controls and in assuring their auditability.

5.5 Access for Enforcement

Pursuant to TAC 202 of the Department of Information Resources rules and regulations, UT Dallas has the authority and responsibility to monitor Information Resources to ensure compliance with this Policy and state laws and regulations related to the use and security of Information Resources. This authority will be exercised only with the approval of an executive officer, or representative(s) appointed by the Chief Administrative Officer of the University, when there is a reasonable basis to believe that this Policy or state laws or regulations regarding the use and security of Information Resources have been violated.

5.6 Access for Other Purposes

Authorized staff at UT Dallas may access and examine Information Resources under the following circumstances:

  1. To review and obtain data or information to comply with the Texas Public Information Act; a subpoena or court order; or authorized requests by federal, state, or local officials or agencies.
  2. To conduct the business and perform the duties and responsibilities of UT Dallas.
  3. To conduct internal audits to evaluate the effectiveness of and compliance with security policies and procedures.
  4. To identify and resolve technical problems.
  5. To replace or update components of the Information Resources and ensure compatibility and function.
  6. Other unusual and compelling circumstances that require access.

5.7 System Acquisition, Development, and Testing

Information security and audit controls will be incorporated into new systems as deemed appropriate through a risk assessment.

To the extent feasible, test functions are to be logically or physically separate from production functions, and production data are not to be used for testing.

5.8 System Changes

Changes to operational systems are to be approved by the Owner before implementation to ensure that they have been authorized, tested, and documented.