June 1997

The following definitions apply to this document:

Departmental Security Administrator: The person responsible for maintaining the University Information Systems (UIS) mainframe accounts within his/her area of responsibility. Responsibilities include but are not limited to the timely inactivation of accounts; providing signed Non-disclosure Agreements to UIS Information Security; assignment and collection of SecurID cards; and requesting appropriate access to UIS facilities, functions, and tasks from UIS Information Security.

Data Trustee: The designated administrative officer responsible for a collection of data. Responsibilities include but are not limited to granting authorization for access to that data and regular review of that authorization. Access is granted or denied based on the University's administrative and business needs.

System Administrator: The person responsible for installing and maintaining the operating system and application software on a computer system. Responsibilities include but are not limited to controlling access to the system, maintaining the security of the system, and ensuring that the system is in compliance with all security guidelines established by the University.

1. Each Unit/Department must designate at least two responsible employees as Departmental Security Administrators.
2. Data Trustees and System Administrators must know what they are authorizing and to whom. NEED for access must be verified.
3. At least once each year, Departmental Security Administrators, Data Trustees, and System Administrators should conduct and document reviews of access to systems, data, and programs. Reviews should identify sensitive reports and information, define and document the security requirements for this information, and categorize differing requirements where necessary. Issues to consider include data integrity and exposure risks, legal considerations, requirements for audit trails, and requirements for signed receipt. For more information, refer to the "Implementing an Information Security Review" document, available on-line (see item 13 on next page).
4. Departmental Security Administrators and System Administrators are expected to suspend login names of students, staff, contractors, vendors, etc., on departure due to termination, transfer, withdrawal, or leave. Accounts with access to sensitive University Information must be suspended not later than the day of termination or transfer unless, after review, management determines that an exception is warranted. Exceptions should be sparingly granted, must be documented, and must be periodically reviewed. Upon graduation, student accounts will be terminated in accordance with management policy.
5. All systems (mainframe, UNIX, VMS, PC server, etc.) with access to University Information MUST use individual, password-protected accounts. All login names must comply with and be registered in the University Global UserID system. Sensitive University Information must be stored only on password-protected devices.
6. Individual login names and passwords must not be shared. Each individual is responsible for all use of his/her account. See also the UIS Non-Disclosure Agreement and the Boston University Policy on Computing Ethics.
7. System Administrators will maintain lists of individuals who have the passwords to systems or privileged accounts on platforms within their respective areas of responsibility. These lists should be reviewed periodically. These passwords should be changed frequently, and must be changed whenever an employee with such a password is terminated or transferred.
8. The following syntactic guidelines apply to passwords on all computing platforms wherever the technology permits. All passwords:
   • should be a mix of upper and lower case letters
   • should contain at least one non-alphabetic character
   • should be a minimum of six characters in length
   • should not be common dictionary words, computing terms, etc.
   These guidelines are expected to be enforced by appropriate systems facilities wherever practical.
9. Passwords can be guessed, possibly decrypted, and discovered by tapping into communication lines/wires. Therefore, System Administrators should advise users to change their passwords frequently. Wherever practical, system facilities should be used to invalidate passwords at periodic intervals, compelling users to make such changes.
10. Passwords must never be contained in a non-encrypted form on the system, even in a protected file. Passwords must not be transmitted via electronic mail. Whenever possible, encrypted passwords should be kept in a protected file. Any exceptions which might be required by the nature of a specific operating system must be determined by management, documented, and periodically reviewed.
11. The use of encryption is encouraged for all sensitive data. All systems containing sensitive data should provide a key-based encryption/decryption package.
12. Regular and frequent backups of sensitive information should be maintained. All backups must be stored in a secure manner; additionally, backups of critical data should be securely stored off-site.
13. Documents concerning security protocols for a number of operating systems are published and can be viewed online. The operating systems described are in common use at the University, and information about security vulnerabilities and remedies is current.
14. Management, Data Trustees, Departmental Security Administrators, and System Administrators are expected to set a good example through practice of sound security procedures.

For assistance in implementing these guidelines and applying them to specific situations, contact UIS Information Security (telephone 353-9004) or the Office of Information Technology Security Team (telephone 353-2780), or send an e-mail message to viewed online.

• Computing Ethics
• Student Web Page Disclaimer
• Information Security Policy
• Information Security Management

February 16, 2005