Computing Security Policy Summary
The Department of Electrical & Computer Engineering is in the process of establishing and documenting policies that support and augment the University's Minimum Computing Security Standard (MCSS) and related documents. Updated policies will be posted here.
- All use of computing systems and networks within the ECE boundaries will conform with the University Policy on Responsible Use of University Computing and Network Resources.
- All systems connected to the ECE network must comply with the OSU Minimum Computing Security Standards (MCSS).
- OSUWIRELESS is the accepted wireless network within the boundaries of ECE-controlled Dreese and Caldwell Laboratories. (Policy)
- All equipment placed on the ECE network is subject to inspection and configuration by the Site Staff.
- Certain mail attachments are filtered out at the mail server.
- Passwords must comply with the MCSS.
- All system backups must be encrypted.
- Social Security Numbers and all "personal information" should be removed from all systems wherever possible, and must be protected where such removal is not possible.
Security Policy: Restricted Elements
Required Compliance with OSU and College of Engineering Policies and Standards
All systems within ECE must meet the standards and policies set by the University and by the College of Engineering. This includes, but is not limited to:
- MCSS - which dictates minimum standards for host-based security: local firewall, up-to-date Operating Systems including all security patches, anti-virus, anti-malware, and good passwords.
- CoE Encryption Policies - which dictate that all systems which have, or may have, restricted elements must be encrypted.
- OSU Institutional Data Policy - http://cio.osu.edu/policies/institutional_data/
Removal of Restricted Elements
All ECE personnel (faculty, staff and others) will remove all Restricted Elements from their possession wherever they are able to do so within the constraints of their jobs.
Restricted Elements that must be removed most specifically include, but are not limited to:
- Social Security Numbers - SSNs were printed on class rosters, grade reports and several other University documents until very recently. All instances of such data must be addressed.
- Class Rosters and Grade Reports - All documents which contain student enrollment information are considered Restricted Elements, even when these documents do not include SSNs, and as such must be addressed.
Removal may take the form of secure deletion/destruction of the item that contains the element, or the redaction of said item such that the element is removed, whichever is appropriate.
The deletion of electronic files that contained restricted elements should be done with a "shredder" program such as that contained within PGP for Windows.
For the identification and removal/redaction of electronic files bearing SSN or restricted information, the Site staff may be able to provide some assistance, but the responsibility for the data belongs to the person who maintains the data.
Nota Bene: this policy applies to both electronic data and physical items such as paper, backup tapes, CDs and DVDs, floppy drives and so on. Where appropriate, physical items should be redacted or destroyed. Those items that remain must be physically secured to the extent mandated by University Policies and State Law.
Secure Use of the ODS
All ECE personnel who have access to the ODS are required to follow University guidelines in connecting and using those resources. Site personnel may assist in the configuration and maintenance of such connections.
All systems that have or may have Restricted Elements must have their hard drives encrypted. By CoE policy this includes the systems of all Faculty, Staff, Research Scientists, and TAs. As needed it may also be extended to research laboratory machines where such systems are known to be used by students as part of their TA (or related) duties.
All mobile systems must have their hard drives encrypted.
Any exceptions to the above must be approved by the Department's Computing Committee, the Department Chair, and the College.
Anyone who wishes to have their systems encrypted, even if they do not necessarily require it as defined above, may voluntarily do so (please send a note to Site for assistance).
All Mac OS X systems that qualify above must have FileVault turned on for all user accounts.
All Windows systems that qualify above must have PGP Whole Disk Encryption applied.
All Linux systems that qualify above must have their disks encrypted. The mechanism for this will be determined on a case-by-case basis, but will most likely be the native solution of the OS, e.g., dm-crypt, cryptoloop, etc.
The Site staff is available to perform all encryption-related operations.
In accordance with University Policies and Guidelines, it is the Department of Electrical & Computer Engineering's policy that...
- No faculty member shall possess (electronic or printed) the Social Security Numbers or other data deemed "personal information" by Ohio House Bill Number 104, of any students or other University affiliates.
- No staff member (or Faculty Member acting in an administrative capacity) shall possess (electronic or printed) the Social Security Numbers of any students or other University affiliates except where it is specifically required for the function of their job.
- No student, non-employee, shall possess (electronic or printed) the Social Security Numbers or other data deemed "personal information" by Ohio House Bill Number 104, of any students or other University affiliates.
It is recognized that some University entities, most notably the Registrar, still make use of SSN information. Wherever possible, that information should be removed from all documents before they are printed, stored to disk, or given to any third party (via email or other distribution) including Graders and TAs.
It is required that any data storage that includes SSN or other information identified as "personal information" by Ohio House Bill Number 104 be appropriately secured. Electronic storage must be encrypted on a secure disk (note: mobile storage or storage on personally owned media is forbidden... in the latter case by State Law). Printed storage must be redacted where possible to remove the information, or stored in a secured location with access limited to those authorized to have access to the information.
Ohio House Bill Number 104: http://www.legislature.state.oh.us/bills.cfm?ID=126_HB_104
OSU Social Security Number Privacy and Safeguarding Policy Draft 11: https://xpedio.oit.ohio-state.edu/xpedio/groups/public/documents/policy/ssn_priv_policy_public.pdf
OSU Buckeye Secure, SSN Privacy and Safeguarding: http://buckeyesecure.osu.edu/
Due to the inherent insecurity of data once it has been removed from its primary storage, all backups within the Department of Electrical & Computer Engineering must be encrypted.
The Site Staff is fully prepared to offer assistance with this requirement to all persons within the department who need it.
In compliance with the MCSS, the Department of Electrical & Computer Engineering has the following password policies:
- Passwords must meet a minimum standard of complexity. They should use both upper and lower case characters as well as numerals and punctuation.
- Passwords must be changed no less often than every 90 days.
- Passwords may not be changed more often than once a day.
- Passwords may not be repeated for at least 5 iterations. It is further recommended that they never repeat.
Due to the proliferation of viruses, spam, phishing and other malevolent forces on the Internet, the Department of Electrical & Computer Engineering has blocked certain file types from being passed through mail messages.
Not every possible attachment will be detailed here, but the most important to note are:
- .exe files will not be passed through the mail server.
- .zip files will be passed.