Background:
Pennsylvania State University has recently implemented computer security policies and a computer scanning initiative, under which all university computers will be scanned at regular intervals to eliminate storage of Protected Personal Information.
These policies are aligned with recent federal laws and Payment Card Industry standards, which govern personal privacy. They supplement PSU administrative computer and network policies that are already in place and include, among others, network and firewall standards, Kerberos authentication requirements, and file back-up and recovery standards.
In addition to the university-wide standards for network applications and hard drive storage, there are many additional security standards that local campuses and departments can adopt to protect University information as well as the personal information of each user.
Under the direction of the interim supervisor, the ITS staff recently conducted a thorough review of all University policies relating to Internet connectivity and employee computer use. During this review several needs were identified:
1. The need to review computer use policy with the campus faculty and staff. Each employee signs an “agreement of use” prior to receiving their access account; yet, many seem to have forgotten exactly what they signed.
2. The need to develop a comprehensive inventory of all University assets that the Lehigh Valley campus is currently responsible for.
3. The need for continuing education in safe computing habits.
Policy Option 1:
An inventory of all computer equipment will be conducted. Laptops, desktops and printers can be inventoried directly through the network. Other peripherals (projectors, Wacom tablets, DVD players, etc.) must be physically inventoried. In addition to the hardware equipment inventory, an inventory of each computer’s installed software will also be made. A form (Computer Software Use Agreement) for this inventory has already been made. ITS personnel will list all the applications that are installed according to “supported” and “not supported,” as per University policy. The employee will sign acknowledging the receipt of the application inventory and a copy of the Access ID Computer Use Agreement. Each time a new unit is issued, this Software Agreement and Computer Use Agreement will be issued and employees will sign acknowledgement of such. To be effective, this policy must be adopted through the Senior Management Council.
PROS:
A physical inventory serves as a guide to “where University information is stored.” Reissuing the Computer use agreements serves as a reminder of the University policy that all employees already agreed to. Inventory of software applications reduces the risk of ITS personnel becoming involved with faculty/staff personal business.
CONS:
Faculty/staff may feel that their personal rights are being violated through such an inventory. Personnel resources will be required to conduct the inventory.
Policy Option 2:
Educate all employees in the safe use of computer and Internet Resources using the ITS Training Services Computer Security workshop materials at the onset.
• Monthly email “tip” of best practices.
• Posters placed in faculty/staff lounge (and a smaller one at mailbox locations) at both campus locations to reinforce the tip
• Brief mention of the monthly tip during staff meetings and faculty senate
Examples of such “best practices” may be found at http://www.staysafeonline.org and www.OnGuardOnline.gov.
PROS:
For busy working adults, it is much easier to ponder small pieces of information, rather than a formal training session. Visual representation of email material and brief mention of the monthly tip during regularly scheduled meetings will provide the information in modalities that serve most learning styles.
CONS:
Email messages will be ignored due to disinterest. Faculty/staff may not pay attention to announcements and/or visuals. More education/compliance is needed than can be provided through a monthly “tip.”
1 comment:
Hi there! Glad to drop by your page and found these very interesting and informative stuff. Thanks for sharing, keep it up!
- p-f curve or P-F interval seems like a simple concept, but it is often misunderstood. The P-F Curve is often misunderstood because users take for granted that point "P" (the potential failure) has already been clearly defined.