

Guidelines for use of IT resources

-----

What responsibilities do I bear…with regard to network and information security?

On the very practical side, you are responsible for protecting account and password information which permits access to University resources, and for changing passwords where that is possible, periodically or as needed to maintain secure control of your assigned accounts and services.

If you own or maintain a computer used via connection to the University network, you are responsible for assuring that any administrative passwords are chosen carefully and in place; for assuring that any security patches or upgrades released for the system are installed in timely fashion; for assuring that the system is protected against virus infection and that such protection is kept up to date; and for assuring reasonable protection against unauthorized access to, or unauthorized use of, the system.

Any device on the Princeton University network that requires log-in using Princeton University credentials (account-password) must use a log-in mechanism approved by the University's Information Security Officer. Use of an unapproved log-in mechanism will be considered a serious violation.

You are responsible for assuring that there are backups of important documents and files which reside on systems supported by the University, and for protection against unauthorized access to, sharing, or viewing of, any sensitive information or any copyrighted material stored on your computer or account.

You must not attempt to intercept, capture, alter, or interfere in any way with information on local, campus or global network pathways. This also means you may not run "sniffers" (programs used illegitimately to capture information being transmitted) on the campus network or any portion thereof. You may not operate Dynamic Host Configuration Protocol (DHCP) or Bootstrap Protocol (BootP) servers on the campus networks without authorization.

You must not attempt to obtain system privileges to which you are not entitled, whether on Princeton University computers or on systems outside the University. Attempts to do so will be considered serious transgressions.

Computer procedures, programs and scripts that permit unauthenticated or unauthorized senders to send e-mail to arbitrary recipients from unrestricted sources are prohibited.

If you have authorized or inadvertent access to sensitive or confidential data, you must observe the University's policy regarding information security (www.princeton.edu/informationsecurity) and know what University office has stewardship of, and authority over, the information. Such data should not be stored on laptop computers, flash drives, or other devices that are easy to carry away. If it is absolutely necessary to store sensitive or confidential information on such a device, the information should be encrypted to protect it from view should the device fall into unauthorized hands. It also is essential to provide adequate physical security for any device, including a desktop machine, that contains sensitive data. When the University endorses a particular encryption product or protocol, that product or protocol should be used whenever possible.

If you are responsible for data that are important to the University and that are created or stored on portable devices, you also are responsible for ensuring that the information is backed up regularly in a form that permits ready retrieval.

If you encounter or observe a gap in system or network security, you must report the gap to the appropriate office or authority, which may be the OIT Help Desk, the Library Systems Office, or the appropriate system authority, either within or outside the University. (The website www.princeton.edu/itsecurity may be of help identifying the appropriate office.)  You must refrain from exploiting any such gaps in security.

You must refrain from any action that interferes with the supervisory or accounting functions of the systems or that is likely to have such effects. You must refrain from creating and/or implementing code intended to periodically or aperiodically interrupt or interfere with computer systems or services. You must refrain from knowing propagation of computer viruses or presumed computer viruses. You must not conduct unauthorized port scans. You must not initiate nuisance or denial-of-service attacks, nor respond to these in kind.


-----

© 2009 by the Trustees of Princeton University.   Last modified 9/9/09