Skip to main content.
University Network Policies
University Network Policies Home > University Network Policies Home Page > Responsibility for Computing Devices Connected to the UMW Network

RESPONSIBILITY FOR COMPUTING DEVICES CONNECTED TO THE University of MARY WASHINGTON NETWORK

POLICY STATEMENT:
Those responsible for devices connected to the University of Mary Washington network must deploy prudent and current security, configuration and maintenance practices to protect the devices and the network from intrusion and other potential threats. Device owners are required to ensure that their devices (including the physical locations and configurations of their devices, as well as software installed on them) do not represent preventable risks to the security and integrity of the University's network, to its normal operation, and to its other users. Device owners whose devices provide network access to other users assume full responsibility for the behavior of those other users and are subject to disciplinary sanctions as though such behavior was their own.

Purpose

The purpose of this policy is to clearly define requirements for owners and overseers of the University of Mary Washington network-connected devices to close security gaps. It also describes loss of network access for noncompliance.


Background

Although the rapid growth of legitimate new uses of the Internet is welcome, the growth has at the same time increased opportunities and temptations for misuse (intentional or otherwise). Critical University computing resources are at risk, and University computing devices are potential vehicles for cybercriminals to launch attacks on external entities.

While it is not possible to anticipate and intercept all risks and vulnerabilities, specific steps can be taken to significantly reduce them. These steps are effective only if they are taken for all devices on the University of Mary Washington network. The University network is only as strong as its weakest link.

For the purposes of this policy and procedure, device "owners" are defined as individuals

  • who determine the location of a device and connect it to the network or who can (have privileges allowing them to) add or delete software or who can (have privileges allowing them to) configure the device
  • or who are otherwise responsible for the devices to which this policy and procedure relates.

In particular, device owners must address key security vulnerabilities. Key security gaps that need to be closed may vary depending upon the type of device. Examples of actions the University expects device owners to take include:

  • Device owners may not attach to the network in University Residence Halls certain devices without prior review and approval by the Division of Infrastructure Services, including:
    • Wireless routers or other wireless access points
    • Certain game devices that may cause problems with network service
    • Any device that allows network access for users other than the user to whom a network connection in a student Residence Hall is assigned
  • All device owners must ensure passwords used on their devices are not easily guessable by attackers. A strong password has at least these minimum characteristics: at least six characters long, does not contain all or part of the users account name, and contains at least three of the four following categories of characters: uppercase characters, lowercase characters, base 10 digits, and symbols found on the keyboard (such as !, @, #) when the system involved allows the use of such symbols.
  • Owners of personal computers must install and run anti-virus software on these devices and apply updates from the software vendor as they become available.
  • Owners of personal computers must take steps to avoid the loading of so-called "adware" or "spyware" on their devices and to remove such software when it is present.
  • Owners of personal computers on which any institutional business is conducted must disable "instant messaging" capabilities or ensure that there is no security risk from having the service enabled.
  • Owners of personal computers and servers must apply security-related updates to the operating system running on their devices as these updates become available from operating system vendors. Examples of a few operating systems found at UMW are Windows 2000, Windows NT, Windows XP, Macintosh, Unix, and Linux.
  • Users who are conducting institutional business on any wireless devices, including personal computers, on- or off-campus must ensure that appropriate security is in place throughout the path of communication, including any wireless segments.
  • Owners of servers and of personal computers must switch off unneeded services to eliminate the risk of their being exploited.
  • No owner or user of a University network-connected device may configure that device in such a way that it provides University network access to other parties who would not ordinarily have access to the University network without the explicit approval of the Vice President for Information Resources.
  • Owners of devices attached to the network must take appropriate steps to protect the physical security of such devices and of the network. In most instances, devices should not be located in open, unmonitored or unlocked areas.

These are examples only and do not represent a complete list of known security vulnerabilities and corrective actions.

Vulnerabilities that are considered "key" will change over time as new threats and risks surface. The SANS Institute maintains a current list of key vulnerabilities and steps required to close the vulnerabilities. At the minimum, University device owners/overseers are responsible for staying apprised of changes to this list and acting promptly to address any new security gaps defined.

The Department of Information Technologies works in partnership with owners and overseers in fulfilling the responsibilities outlined in this policy. For assistance in addressing security vulnerabilities, call the Help Desk at 624-2255 or send e-mail to helpdesk@umw.edu. Requests for exceptions to this policy should be directed to the Vice President for Information Resources.

Scope

This policy applies to anyone in the University community owning or overseeing the use of a computing device of any type connected to the University of Mary Washington network, including but not limited to:

  1. The Department of Information Technologies, if the devices are under written ongoing support agreements with the Department;
  2. Faculty, staff, students, and other individuals who have devices connected to University's network, even if those devices were acquired personally, i.e. not with University funds, and even if those devices are not physically on the campus;
  3. University department heads, even in cases where the equipment housed in departments is owned or managed by vendors;
  4. Research project "principal investigators," if their projects use devices connected to University's network.

If no one claims responsibility for a device, the head of the department or unit in which the device resides will be presumed to be responsible by default.

This policy is especially focused on individuals responsible (as defined above) for devices that serve more than one user, but the required actions outlined in this policy are appropriate for and must be undertaken by those responsible for single-user devices as well. When devices are used for University business, compliance will be verified by the University's Internal Auditor during routine audits.

If you are uncertain if or how this policy affects you, call the Help Desk at 654-2255 or write helpdesk@umw.edu.

Enforcement

In cases where University network resources and privileges are threatened by improperly maintained computing devices, the Department of Information Technologies will act on behalf of the University to eliminate the threat by working with the relevant device owner or overseer to quickly eliminate security vulnerabilities. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action and leaving no time for collaboration, the Department of Information Technologies is authorized to disconnect the device from the network.

Source of Policy:
Adapted by the Department of Information Technologies from a similar policy at the University of Virginia

Date/Revised Date:

  • December 18, 2006 -- revised language to make scope and definitions clearer.
  • April 12, 2006 -- added eighth bullet in "Background."
  • June 30, 2004 -- updated to reflect University name change; supporting material also updated with new security information


Review Frequency: Yearly by the Office of the VP/CIO

back to top