Uploaded by Aroosha Abdul

fis guidelines

Revised January 27, 2014
These Guidelines are designed to supplement University Policies 10-02-04 – Data Administration, 10-0205 – Computer Access and Use, 10-02-06 – Administrative University Data Security and Privacy, and 1002-08 – Use and Management of Social Security Numbers and University Primary ID (“UPI”) Numbers
within the Office of Chief Financial Officer, the Auxiliaries, and other areas receiving computing and
technical support from FIS (Financial Information Systems). This document is to provide guidance in
understanding permissible and impermissible uses of information technology resources. The goals are to
ensure the availability, integrity, and confidentiality of information assets; to reduce risk of legal liabilities;
to comply with security standards and regulatory laws such as the Gramm-Leach-Bliley Act, the Payment
Card Industry Data Security Standard, the Sarbanes-Oxley Act, and the Pennsylvania Breach of Personal
Information Notification Act; and to maximize the return of investments in information technology. These
Guidelines apply to all users of information technology resources, including all staff, consultants,
contractors, student employees and temporary employees (collectively referred to as “Users”) in FISsupported areas.
All computing and information devices, systems, software and peripherals, as well as the data
contained therein (collectively referred to as “IT Resources”) are the property of the University.
Therefore, Users should be aware that all data they create on University IT Resources remains the
property of the University of Pittsburgh. Information is an asset of the University, and all Users are
required to protect this asset.
Appropriate Use
Through FIS, the University provides IT Resources for authorized business purposes only. Minimal,
incidental use of IT Resources, including e-mail and internet access, for personal, non-University
related purposes is permissible, similar to use of University telephones for occasional and necessary
personal calls. However, such use must never interfere with work-related use of IT Resources, or
disrupt or degrade the operation of the University network. IT Resources shall not be used for
personal financial gain, political purposes, or for the storage, transmission, or display of obscene
Resource Management
Standards related to IT Resources are established and maintained by FIS. Any exceptions to the FIS
Standards require the submission of a Non-Standard Request approved by both the requesting
department’s management and FIS. Only FIS-approved IT Resources are permitted to be used.
FIS has the authority to provide, inventory, label, control, maintain, and allocate all IT Resources
within its service area. To ensure effective utilization of technology, IT Resources are purchased,
upgraded, replaced, rotated and retired on a schedule determined by FIS. Users are not permitted to
purchase, install, modify, move, or dispose of any IT Resources, services, or network ports without
the approval of FIS. Users shall not engage in IT-related contracts or hire IT consultants or
employees without FIS consent. All agreements with third-party contractors must meet FIS and
University IT Guidelines and security standards. Any damage or loss of IT Resources must be
reported immediately to FIS.
Financial Information Systems
Page 1/5
Only software that has been properly licensed to the University, and approved and installed by FIS
shall be used. All such uses must be in compliance with the applicable software license and
University policy. Unauthorized duplication, storage, or distribution of copyrighted materials or
intellectual property is prohibited. Users are not permitted to download software from the internet. All
non-approved or personally owned software, software that isn’t properly licensed, or software
incompatible with the standards established by FIS may be deleted without notice.
Confidential Information and Sensitive Data
Confidential information is information disclosed or known as a consequence of employment, and not
generally known outside of the unit. Confidential information must be clearly marked as such. Users
are required to keep Confidential information secret and not disclose it in any manner, except as
directed by an authorized staff member. Confidential information should never be removed from the
premises unless an authorized staff member has given approval. Users are responsible for taking
necessary actions to prevent disclosure, modification, destruction, and unauthorized access to
confidential information, whether accidental or intentional.
FIS considers certain data sensitive and, as such, must be adequately protected. Sensitive data
includes: Account Password, Bank Routing Code, Biometric Identifiers, Checking Account Number,
Credit/Debit Card Number, Date of Birth/Death, Driver’s License Number, Employer Identification
Number, Encryption Keys (excluding public keys), Financial Account Numbers (excluding PRISM
account numbers), Government Issued ID Number, Insurance ID Number, Mother’s Maiden Name,
Medical Record Numbers, Personal Identification Number, Place of Birth, Savings Account Number,
Social Security Number, State ID Card Number, and Vehicle Identifiers.
The unnecessary collection, display, or storage of sensitive data is prohibited. Sensitive data shall
only be collected, displayed, or stored if necessary for legal, regulatory, or business reasons. All
sensitive data must be stored and transmitted using encryption as determined by FIS. Sensitive data
should be masked or truncated when displayed wherever possible. Sensitive data must not be
copied, moved, or stored in less secure locations such as third-party cloud storage, local hard drives,
mobile devices, or removable media, unless explicitly authorized for a defined business need and
approved by FIS. Confidential or sensitive information must not be stored or transmitted via e-mail,
instant messaging, or any other electronic means without being properly secured by FIS. Confidential
or sensitive information must not be stored in voice mail and shall not be sent via fax or through
public phone lines via modem unless a more secure method is not deemed feasible by FIS. All
payment card data must be protected in accordance with PCI DSS requirements.
Users are responsible for identifying sensitive data and developing a retention policy for their area.
Users must ensure that all sensitive data, electronic or physical, is purged after it is no longer needed
for legal, regulatory, or business reasons. All hard copies of sensitive data must be securely
disposed through cross-cut shredding or incineration so it cannot be reconstructed. Sensitive data
stored on electronic media must be rendered unrecoverable through physical destruction when no
longer needed.
Access Control
Only authorized users are permitted to access University IT Resources. All access to IT Resources
must be approved by the data owner and FIS. Users shall use only the devices, accounts, and
information for which they are authorized. Data and data access must only be used as required for
performance of job functions. Access rights must be restricted to provide the least privileges
necessary to perform job responsibilities. Access to IT Resources by third parties such as vendors
and business partners is strictly controlled by FIS, and is only made available when needed and
immediately deactivated after use. Inactive accounts and sessions will be automatically terminated
after a specific period of inactivity as determined by FIS. IT Resources must be placed in secured
network locations as determined by FIS.
Financial Information Systems
Page 2/5
All access to IT Resources require authentication via a user account and password, or other secure
authentication mechanism as determined by FIS. Users are responsible for the security of their
accounts and passwords, and for the use of IT Resources assigned to them. All user accounts must
be unique and not shared by more than one User. Sharing or providing access to IT Resources,
private information, or identification such as usernames or passwords to other individuals is
forbidden. All default or predefined passwords must be changed as soon as possible. Users must
use strong passwords which are not easy to guess or deduce, and must change passwords on a
frequent and regular basis. Users must be aware of others who may be trying to view their
passwords as they type.
Supervisors are responsible for ensuring that appropriate background checks are performed through
Human Resources prior to hiring any employee that has access to confidential or sensitive
information. Supervisors must immediately notify FIS when user accounts or access should be
changed or terminated, such as when staff transfer positions or leave the University. All University
materials, including data files, must be returned upon termination of employment.
Physical Security
Physical security of all IT Resources, whether University or personally owned, must be maintained.
All IT Resources must be suitably protected from unauthorized physical intrusion, theft, and other
hazards. All Users must be aware of eavesdropping, “shoulder surfing”, and the need to question
strangers in offices or private areas. Whenever Users leave their work area, workstations must be
secure so that access to IT Resources such as computing applications, files, data, e-mail, etc. cannot
be obtained by anyone else. This includes securing file cabinets, check stock, name cartridges,
University letterhead, form stock, check printers, currency, etc. All computing devices must be set to
automatically lock with password-protected screensavers. All publicly-accessible IT Resources must
be kept secured with FIS-provided physical locks. Adequate key control must be maintained, and
safeguards must be in place to limit access to sensitive areas to those with appropriate clearance.
All servers and related networking equipment must be located in an FIS-approved Data Center. FIS
Data Centers must have restricted physical access, maintain proper temperature and humidity, be
equipped with environmental monitoring and alerting, and have adequate fire suppression. Users are
prohibited from physical access to FIS Data Centers.
Security Management
All users are required to complete the FIS online security awareness training course within the first
thirty (30) days of hire, and a refresher training course annually thereafter. Users shall not attempt to
disclose, circumvent or disable any security measures used on University IT Resources. Users shall
not attempt to gain access to information, computers, or other IT Resources, within or outside of the
University, that they are not authorized to access, or in a manner for which they are not authorized.
Users must not accept any form of assistance to alter the security or configuration of their IT
Resources, including consulting services or software downloads, without the prior consent of FIS. All
IT Resources commonly affected by malicious software or mechanisms must utilize regularly updated
anti-virus software.
Any Users who learn of, or suspect, a possible security lapse relating to University IT Resources are
required to immediately report the incident to their supervisor and to FIS. Any perceived or suspected
IT security weakness, including access violations, inadequate backups, system unavailability, or
poorly controlled electronic transactions, must immediately be brought to the attention of FIS to
ensure prompt investigation and repair. Evidence from information security incidents shall be
gathered, recorded, and retained by FIS, and may be shared with third parties and law enforcement
as determined by the University.
E-mail and Electronic Communication
Using IT Resources such as e-mail to propagate chain letters, pyramid schemes, unsolicited mass
mailings or “spam”, or alleged virus/security warnings is not permitted. Information obtained from
internet or e-mail sources should be verified before being used for business purposes. Using e-mail
or other IT Resources to solicit non-University services, promote personal business, and sell or trade
Financial Information Systems
Page 3/5
goods or services is prohibited. Using e-mail or other IT Resources to send fraudulent, obscene,
defamatory, or harassing communications is not permitted. Unsolicited e-mail is to be treated with
caution and not responded to. Users must be cautious of phishing attempts, malware, and links to
malicious web sites. File attachments from unknown senders are to be deleted without being
opened. Users shall not hide or misrepresent their identity in communications; electronic or
otherwise. E-mail should be checked frequently, and online calendars should be kept up to date.
Users authorized to make payments by University credit card for goods ordered online are
responsible for its secure use.
Mobile Devices
Mobile and wireless computing devices such as laptop computers, tablets, smart phones, or other
hand-held devices, whether University or personally owned, must be password-protected and
physically secure. Users are responsible for the frequent and regular backup of information stored on
mobile devices. Users must regularly install the latest operating system updates and security patches
for their device. Mobile applications must only be downloaded from reputable sources. Sensitive or
confidential information must not be stored on mobile devices without additional security precautions
to prevent unauthorized access to that information. All data, whether personal or work-related,
transferred to or from University IT Resources must be in compliance with applicable Guidelines and
University policy. Any loss or theft of mobile devices must be reported immediately to FIS.
Personally-owned mobile devices or other IT Resources that connect to University-owned IT
Resources must be approved by FIS before use and properly secured to meet FIS standards. Users
must only connect mobile devices to trusted wireless networks and trusted computers. Users are not
permitted to “jailbreak” or modify the operating system or cellular network configuration of any mobile
device. Users who choose to have FIS support for personally-owned devices are subject to all
applicable FIS policies, including but not limited to the examination of personal data and the possible
deletion of personal data on lost or stolen devices. Unauthorized wireless networking access points
or ad hoc networking is prohibited.
Information stored on IT Resources such as data, e-mail, calendars, etc. are archived and stored
periodically for backup and recovery purposes. Therefore, data, e-mail, and other transactions may
leave an audit trail or other record of the transaction, even when the data is later deleted or changed.
For example, deleted data, e-mail and other transactions may have been archived and stored
automatically without any type of user action or command.
Upon appropriate management authorization, FIS reserves the right to search for, retrieve and
examine data stored, received, or transmitted to or from any IT Resource managed by FIS. This
includes documents, data files, e-mail, calendars, address books, log files, and network and internet
activity. Although FIS does not normally engage in regular monitoring of IT Resources outside of
performance tuning and maintenance, such IT Resources may be audited or viewed by FIS without
notice for work-related purposes or to prevent or investigate violations of these Guidelines, University
policy, or applicable laws. Because of the need to protect the security of our IT Resources, FIS
cannot guarantee the privacy of information stored on any IT Resource.
The FIS Information Security Officer is responsible for overseeing all aspects of information security,
including but not limited to the following: creating and distributing security policies and procedures;
identifying, analyzing, and managing security risk and distributing information to appropriate
personnel; analysis, identification, and ranking of emerging security vulnerabilities; maintaining
security incident response procedures; and maintaining a formal security awareness program for all
Initial contact with FIS for all requests and incidents must be through the FIS Support Portal at
www.fis.pitt.edu or through the FIS Support Hotline.
Financial Information Systems
Page 4/5
FIS considers any violation of these Guidelines to be a serious offense, and reserves the right to
duplicate and examine any data or information resident on University IT Resources allegedly related to
unacceptable use. Any IT Resource in violation of these Guidelines, or which poses a possible security
risk, may be suspended or removed by FIS without notice. Any violation of the law involving IT
Resources shall also be considered a violation of these Guidelines. Violations of these Guidelines may
result in disciplinary action up to and including termination of employment, as well as prosecution
under applicable federal, state, and local laws. Departmental supervisors are responsible for ensuring
Users in their area of responsibility are aware of these Guidelines.
Any violations or questions regarding these Guidelines should be directed to John M. Duska, Executive
Director, Technical Services and Information Security Officer, at [email protected], or Monte A. Ciotto,
Associate Vice Chancellor, Financial Information Systems, at [email protected]
Financial Information Systems
Page 5/5