The Southern Adventist University network is divided into security zones to maintain separation among internal university networks and the Internet. The Intranet zone, comprising computers and servers containing confidential and proprietary data, is subject to stricter rules. This policy defines these rules and augments the existing university policies for computers and users.
- The firewall is configured so computers outside the Intranet zone cannot initiate connections to computers inside the zone.
- Specific exceptions to the above rule may be granted for academic or administrative needs. Requests are made in writing to the executive director of Information Technology, and should include rational, security precautions, a specific IP address, port connections, and a time limit if applicable. Information Technology studies the security implications of the request and grants access only when the integrity of the network can be maintained.
- Exceptions will be reviewed during the annual security audit (see below).
Backup and Recovery
- All servers connected to the Intranet zone must participate in the centralized backup system as outlined in the Backup and Recovery Policy.
- Users of workstations in this zone have private storage space on a centralized server for backing up university data contained on the local machine. In case of disaster, files can be restored according to the Backup and Recovery Policy.
Operating Systems and Software
- Workstations must have Windows 7 and OS X Yosemite (10.10) or above installed as the operating system.
- Workstations and servers must not use remote access software that is configured for access directly by modem. Users needing remote access to internal resources should contact Information Technology about VPN connections.
- Users should not share their passwords with anyone. No one, including Information System employees, has authorization to ask for a password. Employees are required to change every six months and encourage students to do the same. It's advisable to memorize passwords or use a password manager in order to avoid the need to write them down.
- If workstations are left unattended, users should lock their machine. For longer periods, users should log out of all administrative software and log out of their account on the machine.
- Intranet servers are to be used primarily for university data and not personal files. Users will be required to provide an explanation for excessive use of Intranet storage space.
- Users should report to Information Technology any suspected security violations, security problems, or suspicious behavior as it relates to computer security.
Information Technology staff will annually audit security on the Intranet zone. This audit will include network scanning of all workstations, review of server configurations, reevaluation of firewall rules, testing of backup and recovery procedures, and review of this policy as outlined below.
Policy evaluation and review
This policy will be reviewed annually to ensure that it is relevant, serves the needs and priorities of the institution, and is consistent with current trends in information technology. The following process will be followed:
- Information Technology Networking Staff reviews this policy before the May meeting of the Information Technology Advisory Committee. Additional input will be solicited from members of this committee.
- The executive director of Information Technology compiles possible changes for discussion at the summer I/T advisery committee meeting.
- The I/T advisery committee votes policy editions.