3.4 General Network and Data Security Practices

3.4.1 Basic Practices for All Network Users

Persons using the PLU network or computing resources (including university employees, students, guests, and vendors) may not

  • change, delete, corrupt, or remove university data from university systems without work-related need or specific authorization to do so
  • share or use university data for any purpose other than university business
  • transport or share university-owned restricted data (as defined in 3.2) via portable media (e.g. flash memory, laptop computer, external hard drive) or through direct access without authorization by a vice president or provost
  • share a personal login or user account with another person

Persons using any device to conduct university business must

  • not share a personal login or user account with another person
  • keep all operating systems, servers, and application software up to date (e.g. current upgrades and patches)
  • configure user privileges to be as limited as possible while still meeting business needs (consistent or regular use of the administrator or root account is discouraged)
  • use I&TS-approved secure connections (e.g. HTTPS, VPN) when accessing internal or restricted data
  • encrypt any transmission of restricted information (as defined in 3.2), including passwords
  • ensure all accounts have strong passwords at least equivalent to the strength required for ePass passwords (3.3.1)
  • password-protect all local shares and other resources or services for file access, including keeping access groups up to date
  • disable all network services not needed for a system to fulfill its function
  • change any passwords that originate with default values set by an external vendor or service provider

3.4.2 Encryption (Key Escrow)

Encryption is required on all devices and on media in transit that contain confidential university-owned data. Encryption is also required for electronic transfer of university-owned or -managed confidential data.

Administrative access to all encrypted services, applications, and data stores, sufficient to manage institutional risk (e.g. employee termination, student expulsion), must be provided to the I&TS Director for Enterprise Systems.