GUIDELINES ON USE OF INFORMATION TECHNOLOGY RESOURCES

Revised January 27, 2014

These Guidelines are designed to supplement University Policies 10-02-04 – Data Administration, 10-02-05 – Computer Access and Use, 10-02-06 – Administrative University Data Security and Privacy, and 10-02-08 – Use and Management of Social Security Numbers and University Primary ID (“UPI”) Numbers within the Office of Chief Financial Officer, the Auxiliaries, and other areas receiving computing and technical support from FIS (Financial Information Systems). This document provides guidance in understanding permissible and impermissible uses of information technology resources. The goals are to ensure the availability, integrity, and confidentiality of information assets; to reduce the risk of legal liabilities; to comply with security standards and regulatory laws such as the Gramm-Leach-Bliley Act, the Payment Card Industry Data Security Standard, the Sarbanes-Oxley Act, and the Pennsylvania Breach of Personal Information Notification Act; and to maximize the return on investments in information technology.

These Guidelines apply to all users of information technology resources, including all staff, consultants, contractors, student employees and temporary employees (collectively referred to as “Users”) in FIS-supported areas.

Ownership

All computing and information devices, systems, software and peripherals, as well as the data contained therein (collectively referred to as “IT Resources”), are the property of the University. Therefore, Users should be aware that all data they create on University IT Resources remains the property of the University of Pittsburgh. Information is an asset of the University, and all Users are required to protect this asset.

Appropriate Use

Through FIS, the University provides IT Resources for authorized business purposes only.
Minimal, incidental use of IT Resources, including e-mail and internet access, for personal, non-University related purposes is permissible, similar to use of University telephones for occasional and necessary personal calls. However, such use must never interfere with work-related use of IT Resources, or disrupt or degrade the operation of the University network. IT Resources shall not be used for personal financial gain, political purposes, or for the storage, transmission, or display of obscene materials.

Resource Management

Standards related to IT Resources are established and maintained by FIS. Any exceptions to the FIS Standards require the submission of a Non-Standard Request approved by both the requesting department’s management and FIS. Only FIS-approved IT Resources are permitted to be used. FIS has the authority to provide, inventory, label, control, maintain, and allocate all IT Resources within its service area. To ensure effective utilization of technology, IT Resources are purchased, upgraded, replaced, rotated and retired on a schedule determined by FIS.

Users are not permitted to purchase, install, modify, move, or dispose of any IT Resources, services, or network ports without the approval of FIS. Users shall not engage in IT-related contracts or hire IT consultants or employees without FIS consent. All agreements with third-party contractors must meet FIS and University IT Guidelines and security standards. Any damage or loss of IT Resources must be reported immediately to FIS.

Financial Information Systems Page 1/5

Software

Only software that has been properly licensed to the University, and approved and installed by FIS, shall be used. All such uses must be in compliance with the applicable software license and University policy. Unauthorized duplication, storage, or distribution of copyrighted materials or intellectual property is prohibited. Users are not permitted to download software from the internet.
All non-approved or personally owned software, software that isn’t properly licensed, or software incompatible with the standards established by FIS may be deleted without notice.

Confidential Information and Sensitive Data

Confidential information is information disclosed or known as a consequence of employment, and not generally known outside of the unit. Confidential information must be clearly marked as such. Users are required to keep Confidential information secret and not disclose it in any manner, except as directed by an authorized staff member. Confidential information should never be removed from the premises unless an authorized staff member has given approval. Users are responsible for taking necessary actions to prevent disclosure, modification, destruction, and unauthorized access to confidential information, whether accidental or intentional.

FIS considers certain data sensitive and, as such, it must be adequately protected. Sensitive data includes: Account Password, Bank Routing Code, Biometric Identifiers, Checking Account Number, Credit/Debit Card Number, Date of Birth/Death, Driver’s License Number, Employer Identification Number, Encryption Keys (excluding public keys), Financial Account Numbers (excluding PRISM account numbers), Government Issued ID Number, Insurance ID Number, Mother’s Maiden Name, Medical Record Numbers, Personal Identification Number, Place of Birth, Savings Account Number, Social Security Number, State ID Card Number, and Vehicle Identifiers.

The unnecessary collection, display, or storage of sensitive data is prohibited. Sensitive data shall only be collected, displayed, or stored if necessary for legal, regulatory, or business reasons. All sensitive data must be stored and transmitted using encryption as determined by FIS. Sensitive data should be masked or truncated when displayed wherever possible.
Sensitive data must not be copied, moved, or stored in less secure locations such as third-party cloud storage, local hard drives, mobile devices, or removable media, unless explicitly authorized for a defined business need and approved by FIS. Confidential or sensitive information must not be stored or transmitted via e-mail, instant messaging, or any other electronic means without being properly secured by FIS. Confidential or sensitive information must not be stored in voice mail and shall not be sent via fax or through public phone lines via modem unless a more secure method is not deemed feasible by FIS. All payment card data must be protected in accordance with PCI DSS requirements.

Users are responsible for identifying sensitive data and developing a retention policy for their area. Users must ensure that all sensitive data, electronic or physical, is purged after it is no longer needed for legal, regulatory, or business reasons. All hard copies of sensitive data must be securely disposed of through cross-cut shredding or incineration so they cannot be reconstructed. Sensitive data stored on electronic media must be rendered unrecoverable through physical destruction when no longer needed.

Access Control

Only authorized users are permitted to access University IT Resources. All access to IT Resources must be approved by the data owner and FIS. Users shall use only the devices, accounts, and information for which they are authorized. Data and data access must only be used as required for performance of job functions. Access rights must be restricted to provide the least privileges necessary to perform job responsibilities. Access to IT Resources by third parties such as vendors and business partners is strictly controlled by FIS, and is only made available when needed and immediately deactivated after use. Inactive accounts and sessions will be automatically terminated after a specific period of inactivity as determined by FIS.
IT Resources must be placed in secured network locations as determined by FIS.

All access to IT Resources requires authentication via a user account and password, or other secure authentication mechanism as determined by FIS. Users are responsible for the security of their accounts and passwords, and for the use of IT Resources assigned to them. All user accounts must be unique and not shared by more than one User. Sharing or providing access to IT Resources, private information, or identification such as usernames or passwords to other individuals is forbidden. All default or predefined passwords must be changed as soon as possible. Users must use strong passwords which are not easy to guess or deduce, and must change passwords on a frequent and regular basis. Users must be aware of others who may be trying to view their passwords as they type.

Supervisors are responsible for ensuring that appropriate background checks are performed through Human Resources prior to hiring any employee that has access to confidential or sensitive information. Supervisors must immediately notify FIS when user accounts or access should be changed or terminated, such as when staff transfer positions or leave the University. All University materials, including data files, must be returned upon termination of employment.

Physical Security

Physical security of all IT Resources, whether University or personally owned, must be maintained. All IT Resources must be suitably protected from unauthorized physical intrusion, theft, and other hazards. All Users must be aware of eavesdropping, “shoulder surfing”, and the need to question strangers in offices or private areas. Whenever Users leave their work area, workstations must be secured so that access to IT Resources such as computing applications, files, data, e-mail, etc. cannot be obtained by anyone else.
This includes securing file cabinets, check stock, name cartridges, University letterhead, form stock, check printers, currency, etc. All computing devices must be set to automatically lock with password-protected screensavers. All publicly-accessible IT Resources must be kept secured with FIS-provided physical locks. Adequate key control must be maintained, and safeguards must be in place to limit access to sensitive areas to those with appropriate clearance.

All servers and related networking equipment must be located in an FIS-approved Data Center. FIS Data Centers must have restricted physical access, maintain proper temperature and humidity, be equipped with environmental monitoring and alerting, and have adequate fire suppression. Users are prohibited from physical access to FIS Data Centers.

Security Management

All users are required to complete the FIS online security awareness training course within the first thirty (30) days of hire, and a refresher training course annually thereafter. Users shall not attempt to disclose, circumvent or disable any security measures used on University IT Resources. Users shall not attempt to gain access to information, computers, or other IT Resources, within or outside of the University, that they are not authorized to access, or in a manner for which they are not authorized. Users must not accept any form of assistance to alter the security or configuration of their IT Resources, including consulting services or software downloads, without the prior consent of FIS. All IT Resources commonly affected by malicious software or mechanisms must utilize regularly updated anti-virus software.

Any Users who learn of, or suspect, a possible security lapse relating to University IT Resources are required to immediately report the incident to their supervisor and to FIS.
Any perceived or suspected IT security weakness, including access violations, inadequate backups, system unavailability, or poorly controlled electronic transactions, must immediately be brought to the attention of FIS to ensure prompt investigation and repair. Evidence from information security incidents shall be gathered, recorded, and retained by FIS, and may be shared with third parties and law enforcement as determined by the University.

E-mail and Electronic Communication

Using IT Resources such as e-mail to propagate chain letters, pyramid schemes, unsolicited mass mailings or “spam”, or alleged virus/security warnings is not permitted. Information obtained from internet or e-mail sources should be verified before being used for business purposes. Using e-mail or other IT Resources to solicit non-University services, promote personal business, and sell or trade goods or services is prohibited. Using e-mail or other IT Resources to send fraudulent, obscene, defamatory, or harassing communications is not permitted.

Unsolicited e-mail is to be treated with caution and not responded to. Users must be cautious of phishing attempts, malware, and links to malicious web sites. File attachments from unknown senders are to be deleted without being opened. Users shall not hide or misrepresent their identity in communications, electronic or otherwise. E-mail should be checked frequently, and online calendars should be kept up to date. Users authorized to make payments by University credit card for goods ordered online are responsible for its secure use.

Mobile Devices

Mobile and wireless computing devices such as laptop computers, tablets, smart phones, or other hand-held devices, whether University or personally owned, must be password-protected and physically secure. Users are responsible for the frequent and regular backup of information stored on mobile devices.
Users must regularly install the latest operating system updates and security patches for their device. Mobile applications must only be downloaded from reputable sources. Sensitive or confidential information must not be stored on mobile devices without additional security precautions to prevent unauthorized access to that information. All data, whether personal or work-related, transferred to or from University IT Resources must be in compliance with applicable Guidelines and University policy. Any loss or theft of mobile devices must be reported immediately to FIS.

Personally-owned mobile devices or other IT Resources that connect to University-owned IT Resources must be approved by FIS before use and properly secured to meet FIS standards. Users must only connect mobile devices to trusted wireless networks and trusted computers. Users are not permitted to “jailbreak” or modify the operating system or cellular network configuration of any mobile device. Users who choose to have FIS support for personally-owned devices are subject to all applicable FIS policies, including but not limited to the examination of personal data and the possible deletion of personal data on lost or stolen devices. Unauthorized wireless networking access points or ad hoc networking is prohibited.

Privacy

Information stored on IT Resources such as data, e-mail, calendars, etc. is archived and stored periodically for backup and recovery purposes. Therefore, data, e-mail, and other transactions may leave an audit trail or other record of the transaction, even when the data is later deleted or changed. For example, deleted data, e-mail and other transactions may have been archived and stored automatically without any type of user action or command. Upon appropriate management authorization, FIS reserves the right to search for, retrieve and examine data stored, received, or transmitted to or from any IT Resource managed by FIS.
This includes documents, data files, e-mail, calendars, address books, log files, and network and internet activity. Although FIS does not normally engage in regular monitoring of IT Resources outside of performance tuning and maintenance, such IT Resources may be audited or viewed by FIS without notice for work-related purposes or to prevent or investigate violations of these Guidelines, University policy, or applicable laws. Because of the need to protect the security of our IT Resources, FIS cannot guarantee the privacy of information stored on any IT Resource.

Responsibility

The FIS Information Security Officer is responsible for overseeing all aspects of information security, including but not limited to the following: creating and distributing security policies and procedures; identifying, analyzing, and managing security risk and distributing information to appropriate personnel; analysis, identification, and ranking of emerging security vulnerabilities; maintaining security incident response procedures; and maintaining a formal security awareness program for all Users.

Support

Initial contact with FIS for all requests and incidents must be through the FIS Support Portal at www.fis.pitt.edu or through the FIS Support Hotline.

FIS considers any violation of these Guidelines to be a serious offense, and reserves the right to duplicate and examine any data or information resident on University IT Resources allegedly related to unacceptable use. Any IT Resource in violation of these Guidelines, or which poses a possible security risk, may be suspended or removed by FIS without notice. Any violation of the law involving IT Resources shall also be considered a violation of these Guidelines. Violations of these Guidelines may result in disciplinary action up to and including termination of employment, as well as prosecution under applicable federal, state, and local laws.
Departmental supervisors are responsible for ensuring Users in their area of responsibility are aware of these Guidelines.

Any violations or questions regarding these Guidelines should be directed to John M. Duska, Executive Director, Technical Services and Information Security Officer, at jduska@cfo.pitt.edu, or Monte A. Ciotto, Associate Vice Chancellor, Financial Information Systems, at mciotto@cfo.pitt.edu.