Search Penn State College of Education

College of Education IT Policies

Least User Privilege (ed-lup-01)

What is Least User Privilege?

the principle of least privilege reduces security risk by requiring all users, even those who have been granted administrator privileges, login with access only to the information and resources that are necessary for meeting a legitimate purpose. The principle of least privilege is widely recognized as an important design consideration in enhancing the protection of data and reducing risk across the enterprise.

Rationale:

Computer security is the primary driving force behind this change in user account management procedures. In recent years, malicious behavior (hackers) have significantly increased their ability to compromise systems, making these systems participants in illicit activities, and/or making them vulnerable to harvesting of institutional data or intellectual property. The majority of daily business related computer operations do not require administrator (privileged) account access because few individuals need to install or update applications every day. Furthermore, there are a significant number of administrative computing users that cannot point to any business reason for having administrator control of their computer.

Why the Change in Operating Philosophy?

It is true that most systems within the College were originally configured to allow all users to administer their computer, but this was in a time when computer hacker undertaking malicious behavior were not as sophisticated and able to remotely install detrimental software as easily as they can today. Unfortunately, even relatively benign and official/well-known web sites can unknowingly have been compromised and may contain malicious code that automatically downloads and installs when a user simply visits the site and selects what appears to be a valid web page link. The downloading and installation of malicious code happens in the background; so, unsuspecting users have no idea that their computer has been compromised. A compromise can be anything from installation of software that harvests data from a disk, monitors keystrokes, to enrolling the computer as a "BotNet" relay, and leveraging these captured devices to create a denial of service attack on key internet service providers, businesses and research institutions including Universities.

How does "Least User Privileges" Affect Daily Operations?

The short answer: very little. All users can perform their normal business functions without noticing anything different. However, a user cannot install software on their computer while operating in this mode; the benefit is that both hackers and users are prevented from inadvertently downloading and installing a malicious application from the web, infected USB devices and or Flashdrives, etc.

How may Individuals Install Software if Least User Privileges are enforced?

If an individual has a valid need to install software on their computer, there are generally two ways:

  1. If the user is approved to run a second local account with administrative privileges on College owned WinOS device 
  2. If the user has a valid license and uses a College owned MacOS device they can use the Managed Software Center
  3. Submit a Help Ticket
  4. Request one of the Information Technology Staff to remote in and assist. You must have a valid license.

It should be stressed that the use of Administrator Account privileges should be restricted to those individuals that require this type of access. Operating computers in a least privilege mode is a best practice for everyone; users should never routinely operate their computer in an Administrator Privilege mode. 

Are There any Issues with Migrating to a Least User Privileges Account?

Some applications may encounter problems when a system runs in the least privilege mode. Most of these problems have been successfully addressed by modifying the permissions for the folders used by these programs. For the very few programs that must run with administrative privileges, commercial utilities are available to allow these programs to run with system level privileges while the login account continues to run in Least User Privileges mode.

Final Observation:

While this change in computer operating procedures protects against many threats, users must still be diligent in how they manage their system because the hacker community continues to invent new and ingenious techniques to compromise existing security measures.

College of Education Policy on Least User Privilege:

It is the policy of the College of Education that all computer users log in for day-to-day access using accounts that do not have administrative privileges. Users who have a frequent need to install software or who daily engage in specialized activities that require administrative access may be assigned a different account with administrative privileges. This person must submit a user exemption form, including significant justification, to the Associate Dean for Research, Outreach, and Technology in the College of Education. The user exemption request can be found as a drop down option when submitting a help ticket under Technical Support - Software - Admin Rights Exemption. The user acknowledges and understands that performing higher level functions correlate with the added responsibility and accountability for related or associated security issues.

1 Source: 1 April 2009, Electronic and Computer Services, cdcadm/computing/090331 Least User Privileges.docx, College of Engineering, Authorized by: wjb, Rev. May 14, 2014, Rev. Nov. 3, 2016

Acceptable Use Policy (ed-au-01)

1.0 Purpose

The purpose of this policy is to outline the acceptable use of computer equipment within the College of Education. It is the responsibility of every computer user to know these guidelines and conduct their activities accordingly.

2.0 Scope

This policy applies to all users and all equipment that is connected to the College of Education network. Users are defined as full-time or part-time permanent staff, temporary staff, student interns, work-study students, graduate students, guests, and alumni.

3.0 Policy

3.1 General Policy

Identifiable, sensitive or vulnerable information must be encrypted. (For details, see the College Confidential Data Policy ed-cd-01.) For security and network maintenance purposes, authorized individuals within the College of Education may monitor equipment, systems and network traffic at any time (See the College Account Audit Policy ed-aa-01).
The College of Education reserves the right to scan and audit networks and systems on a periodic basis to ensure compliance with this policy and University policies.

3.2 Acceptable Use Terms of Agreement

The user must be knowledgeable of and agree to abide by the conditions set forth in the following Penn State policies: AD-11, AD-20, AD-23 and ADG-01.

  • AD-11: University Policy on Confidentiality of Student Records
  • AD-20: Computer and Network Security
  • AD-23: Use of Institutional Data
  • ADG-01: Glossary of Computer Data and System Terminology

In addition:

  • The user understands that Penn State computers and network resources are provided to advance the mission of the University and their use for inappropriate, illegal, or profit-making enterprises is not permitted.
  • The user understands that, because computer skills that are valuable in the workplace are often developed after work hours while people work on such things as digital photography, digital movie making, and podcast creation, these activities are encouraged and may be conducted on Penn State computers, but activities of a personal nature must be conducted outside of the normal work day.
  • The user understands that when physically connected to the College network using a Penn State owned computer they will need to accept the following warning to advance to the login screen:
  • "This computer is property of The Pennsylvania State University. Its use is reserved for persons authorized by Penn State University College of Education and is governed by Penn State security and acceptable use policies; including AD-11, AD-20, AD-23 and ADG-01."
  • The user agrees not to share any account passwords, nor allow another user to access a computer under his or her credentials.
  • For each account, the user agrees to adhere to secure password criteria and comply with the requirement for periodic changes.
  • The user agrees not to attempt to obtain or view any electronic institutional data that is not intended for use in her/his job function.
  • The user agrees not to introduce malicious code into departmental computer systems, either as a result of willful intent or as a result of the user's unsafe electronic mail practices.
  • The user understands that use of the College of Education network account constitutes his/her continued agreement with the conditions set forth above. If the user chooses not to comply with this agreement, s/he will cease using the account and immediately notify the College's Education Technology Center office by telephone, electronic mail, or in writing. Upon receipt of the notification, the user's account(s) will be disabled. The account will be terminated in 3 months if no further communication regarding the status of the account is received. Data deleted after 1 year.

3.3 Email and Communications Activities

The user agrees not to engage in the following activities:

  • Sending unsolicited "junk mail" or other advertising material to individuals who did not specifically request such material (email spam).
  • Any form of harassment via email, telephone or paging, whether through content, language, frequency, or size of messages.
  • Unauthorized use, or forging, of email header information.
  • Solicitation of email for other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  • Creating or forwarding "chain letters" or "pyramid" schemes of any type.
  • Posting identical or similar non-business-related messages to large numbers of Usenet newsgroups (newsgroup spam).

4.0 Enforcement

Any user found to have violated this policy may be subject to disciplinary action by their Administrative unit, the College, and/or the University.

5.0 Revision History

 

_________________________________
Please sign and deliver to 201 Chambers

 

______________________

Date

Disaster Tolerance Response (ed-dt/r-01)

1.0 Purpose

The purpose of this policy is to document the processes and responsibilities of the College faculty and staff in responding to security incidents disaster recovery (security compromises, virus infected systems, and events that render one or more network closets inoperable). This policy is intended to provide all users of College-based personal computers, servers, and networking hardware with information pertaining to how the Education Technology Center and the University Security Operation Services are expected to respond in the event of a system compromise or disaster within a College-operated network closet. 

2.0 Background

2.1 Incident Response

Incident response applies to the actions taken at all levels within Penn State University when a user's computer or any server is compromised for one or more of the following reasons:

  • Compromise by brute-force attacks from inside or outside the College.
  • Downloading of any virus that threatens continuous College communications and computing services.
  • Connecting any non-patched or compromised system to the College's hardwired or wireless network.
  • Participating in any computing practices that are unlawful, against College or University computing policies.
  • Participating in any computing activities that prevent or have the potential to prevent others from carrying out the College's academic and administrative missions.

Incident response also applies to any reported or discovered illegal activities on any computer used on University premises, where illegal activities are defined by University policies and laws established by local, state, or federal governments.

2.2 Disaster Tolerance/Recovery

Disaster Tolerance and Recovery are two distinctly different issues. Disaster Tolerance applies to actions taken by the College, a department, and users to insure that computing operations and network services are maintained or at worst case, gracefully degraded and terminated during a disaster. Disaster Recovery are those actions taken by the College, departments, and users to recover from events that render computing operations and network services inoperable. Events that initiate actions to maintain or restore computing operations and network services include but are not limited to momentary/long-term power outages, hardware failures, fire, natural disasters, and malicious attacks that render servers or systems inoperable or degraded.

3.0 Scope

All College departments, centers, and operational units are responsible for developing and implementing Disaster Tolerance/Recovery plans.

4.0 Policy

4.1 Incident Response

Any desktop, laptop, workstation, server or other network capable device found or suspected of violating any College or University policy focusing on ensuring secure and safe communications and computing will summarily and immediately be disconnected from the College of Education's and University's data backbone.

Users will be notified as quickly as possible of such action once the Education Technology Center or University Security personnel are satisfied that a real or potential threat to other users or the Internet in general has been mitigated. Individuals at any level (users, the Education Technology Center, and University Security) have the obligation to report any real or potential computer operational activities that may detract from normal computing activities.

4.2 Disaster Tolerance/Recovery

4.2.1 Disaster Tolerance

Disaster Tolerance is a result of planned actions, policies, hardware deployments, and any other efforts aimed at preventing limited to momentary/long-term power outages, hardware failures, fire or natural disasters from causing long-term disruptions of College academic or administrative activities. The Education Technology Center assumes the responsibility for Disaster Tolerance in networking operations throughout College and Univeristy-maintained Telecommunications Closets. The Education Technology Center is also responsible for these activities as they relate to maintenance and operations of core College servers (e.g., email, web, data, etc.) and departmental servers maintained by the Education Technology Center personnel.

In an effort to achieve Disaster Tolerance within the aforementioned operations and services, the Education Technology Center has implemented the following procedures:

  • Maintains spare components for critical networking hardware operations (as budget permits)
  • Maintains spare components for critical servers (as budget permits)
  • Provides and maintains Uninterruptible Power Supplies (UPS) for network equipment deployed in Telecommunications Closets maintained by the College
  • Provides and maintains UPS for all core College servers and departmental servers maintained by the Education Technology Center
  • Mirrors College email servers and deploys them in a secondary Telecommunications Closet so that they can assume email services in the event of a primary email cluster failure
  • Provides and maintains at least two months of data backup for core TSM backups for all College and departmental servers maintained by the Education Technology Center.


4.2.2 Disaster Recovery

Disaster Recovery encompasses all those activities and steps necessary to restore personnel and system services that have been interrupted by an unforeseen event(s) that may include but are not limited to momentary/long-term power outages, hardware failures, fire, natural disasters, and malicious attacks that render servers or systems inoperable/degraded. It necessarily includes making plans to relocate personnel in order to effectively reconstitute personnel and system services along with academic and administrative services.

It is neither economical nor practical to maintain 100% redundant hardware in preparation for any and all potential disasters. Therefore, as soon as conceivably possible and approved by appropriate University or other authority, the Education Technology Center personnel will enter building Telecommunications Closets for the purpose of assessing damage and serviceability of network hardware and core/departmental server effected by a disaster. All equipment will be inventoried and categorized according to its serviceability. Steps will immediately be taken to procure and receive replacements for unserviceable equipment.

  • In the event that offices and equipment used daily by the College's networking, computing and training personnel are rendered uninhabitable, personnel will work from their homes or other locations where connectivity is available.
  • Office or laboratory lab space will be made available to displaced personnel based on a separate agreement made by the Facility Manager, the College's Associate Dean for Technology (IT Director)
  • Replacement computing assets will be made available through emergency local purchases.
  • The IT Director will work with the College's Financial Officer to establish emergency procurement procedures.

In the event of a minor disaster such as a long-term electrical power outage, the Education Technology Center will work with the College's Facilities Coordinator and the Office of Physical Plant (OPP) to have power generation equipment installed to restore critical networking services. Naturally, this process assumes that a building remains serviceable and is approved for use by OPP or the appropriate authorities.

Reconstitution of networking operations and computing services will receive the highest priority. Initially, only that equipment and tools that are absolutely required to support reestablishment of reliable/sustainable services will be procured under the aforementioned emergency procurement process.

Departments are responsible for establishing and implementing Disaster Recovery policies and procedures that will enable them to reconstitute operations and continue their academic and administrative missions.

5.0 Incident Response Enforcement

University Security Operations (SOS) personnel have the right and responsibility to identify and take immediate action to curtail any computing operation that violates University Policies. They have the right and responsibility to intentionally or randomly scan any systems on the University's backbone. Furthermore, they have the right and obligation to summarily curtail a system's computing activities that disrupt or are suspected of negatively impacting secure computing activities on University property or beyond.

Education Technology Center personnel have the right and responsibility to identify and take immediate action to curtail any computing operation that violates College or University Policies. They have the right and responsibility to intentionally or systematically scan any systems on the College's network. Furthermore, they have the right and obligation to summarily curtail a system's computing activities that disrupt or are suspected of negatively impacting secure computing activities on College, University or beyond.

Illicit and illegal activities are forbidden on the College and University networks. Illicit activities are those which are expressly prohibited by Department, University and/or College policies and are not illegal as defined by local, state, or federal laws; they include but are not limited to operating business for personal gains. It is the responsibility of a department head to ensure that individuals within their departments abstain from such practices. Should someone outside or within the department report such activities to a department head or the Education Technology Center, it is the Education Technology Center's responsibility to advise the offending party of the offence and to ensure that all remnants of such activities are removed immediately from the College's network and the computer or server on which it resides. Questions concerning illicit activities may be directed to the Information Technology Manager, at 865-0474 and the University's Security Officers at [email protected].

Illegal activities are those that are contrary to local, state, or federal laws. Anyone becoming aware of such activities must immediately contact the College's Information Technology Manager, at 865-0474 and University's Security Officers at [email protected]. No further actions are to be taken at the department level until and when either the Information Technology Manager or the University Security Officer notifies the department head. No one in a department is to discuss their knowledge or suspicion of illegal activities with individuals suspected of participating in such activities; this is ultimately the responsibility of the University's Security Officer (SOS).

Any faculty or staff member has responsibility to identify and take immediate action to curtail any computing operation that violates departmental, College or University Policies. At the department level and other than prescribed above, faculty, staff and students are explicitly prohibited from scanning systems on the College's network or University's data backbone.

Faculty, staff or students that have a compromised or suspected compromised system identified, which is owned by Penn State, are obligated to repair the system or refer the system to the Education Technology Center for repair.

Faculty, staff or students that have a personally owned system identified which is compromised or suspected of being compromised, are obligated to repair the system immediately.

In either case, systems must be validated as having been patched with the latest operating system (OS) updated and cleansed of any virus-laden or disruptive software before being reinstated on any Penn State network.

6.0 Revision History

Rev. 5-3-2016, David Cochrane

Addendum to be added under 4.0 Policy, 4.1 Incident Response

4.1a The following procedure outlines the College’s initial response to a local security incidence and reporting out from the College Carrara Education Technology Center (CETC) to the Office of Information Security (OIS) is as follows.  

CETC’s internal procedure requires communicating locally discovered incidents and reporting them via email to the following email locations in the Office of Information Security (OIS).

This procedure allows CETC and the OIS to react quicker when communicating discovered incidents. This provides a communication feedback loop on all incidents generated from the College or to the College by OIS to the College IT persons through current systems. In addition it provides a means of reporting out on local incidences.  Once reported OIS will create a ticket in their ticketing system (SNOW) to address the nature and outcome of the challenge.

College of Education IT Guidelines

Firewall Guidelines

1.0 Documentation

The purpose of this Penn State University, College of Education (CoE), and Firewall guideline is to establish best practices in the use of port-level security on all networked devices (networks, Switches, servers, laptops, wireless configurations, mobile systems, and services) within our College LAN. These guidelines are necessary to preserve the integrity, availability and confidentiality of Penn State University College of Education devices and data.

2.0 Change Management

There is one managed checkpoint firewall appliance for the College.  The firewall rules are required by Penn State and The College of Education to provide appropriate safeguards and access to College systems and data. Restricting certain specific ports allow us to comply to governmental, state, and local IT policies while effectively directing traffic, used for business purposes, to the appropriate devices and data on our LAN.

2.1 Organizational Structure

Penn State Telecommunications and Networking Services (TNS) provide the College’s Checkpoint Appliance and related Services.

College maintains the rules sets in collaboration with the TNS Firewall Manager. This collaboration includes the request for new rules, additions, change. At regular intervals review and refresh of the College’s rule set will be scheduled.

2.2 Responsibilities and Accountability

This policy applies to operators of college owned servers or networked devices that communicate with Penn State University Enterprise networks.

Listed below are the minimum guidelines in managing our firewall service

  1. All requests for a rule must be requested through the CETC Ticket system. After review by the Systems Administrators a Firewall Request Form is submitted to TNS.
  2. TNS: Authorization and verification are provided via email to: [email protected]
  3. Revised of changes Firewall rule set is provided after each change to the College Firewall Service.
  4. Only College (CETC) Systems Administrators may request Firewall changes as needed. (See  #1)
  5. Request for Firewall Rules Form requires this format:
    • Request:
    • Priority: 
    • Reason for Change: 
    • Firewall Name: Chambers-FWO1
    • Create New Rule: 
    • Source: 
    • Destination:
    • Ports:
    • Action:
    • Track:
    • Log:
    • Comments:
  6. Only authorized IT staff are permitted access to specialized core services, for example the Hyper-V server environment.
  7. IT will assure physical and logical topology is used (e.g. VLANs) to create network segregation, such as security zones, that prevent traffic from different asset types with different criticality form reaching each other. 
  8. IT will assure that all devices are locked down to specific IPs or a range of IP addresses and limited to only ports that are required. 
  9. IT will annually review all firewall rules to assure they are still needed and appear appropriate.  Additionally, IT will assure there is documentation as to whether the rule is permanent or temporary, and if temporary, set an automatic expiration or require the rules to be reviewed more frequently. 
  10. IT will log files. Files will be maintained for at least one-month online and one-year offline as required by the General Retention Schedule.

2.3 Monitoring

Procedures used on the firewall to detect security breaches and attacks

  1. IT will monitor procedures used on the firewall to detect security breaches and attacks.
    • Automated procedures: In conjunction with TNS, IT authorizes quick response to fixes, patches, updates, alerts, required to maintain the integrity of the College LAN and data.
    • Manual procedures: During manual auditing and review of the firewall rules IT will request necessary changes via the TNS Firewall Rules Form as needed.
  2. Monitoring will be performed on an annual basis.
  3. Logs will be proactively reviewed and for specific incident responses. (See 2)

3.0 References

Penn State Service Management Office: http://smo.psu.edu/documents.  College IT Guidelines and Policies, Information Technology Guidelines and Policies .

Disposing of Computer Equipment Guidelines

There are a few ways to dispose of your computer equipment depending on whether the old equipment will be recycled and used again within your department, sold to an employee who is leaving the University, or sent to Lion Surplus.  As you know, CETC and the Finance Office are working to centralize the processes related to purchasing and disposing of computer equipment.  By following the procedures provided below under the example, when disposing of any computer equipment, you will enable us to log all computer dispositions and/or recycle requests so that we can capture the complete life cycle of our computer equipment.  This will also help as we plan our annual equipment budgets.  

1. EXAMPLE:   You’ve purchased a new computer for Professor X and you want his/her old computer to go to a Graduate Assistant in your department.

  • You created a help desk ticket to purchase a new computer.  In the notes, you should let CETC know that the old computer will be recycled and used by a GA. 
  • When Professor X picks up his/her computer (laptop) at CETC, he/she should bring their old computer (laptop) so that CETC can prepare it for a new GA.  CETC will log the equipment as RECYCLED TO A GA and let the Admin. Support Coordinator (or the person who opened the original ticket) know the work is complete and it’s ready to be picked up.

2. EXAMPLE:  You’ve decided to get rid of some old computers that belonged to GA’s or that you feel can’t be recycled within the dept.  You want to send the computer to salvage but you are not purchasing a new computer to replace it. 

  • You create a DISP in SIMBA.  Check *Lion Surplus on the first page of the DISP form.  Complete all the other required information on the DISP and submit ti for approval.  After the Budget Administrator approves the document it will flow to the Finance Office, for approval.  They will decide if they would like to keep the equipment or any of its parts before sending it onto Lion Surplus.  If they decide to keep the equipment, they will instruct Facilities Coordinator to change the DISP to Loaned/Relocated and Facilities Coordinator will note the reason in the notepad. This may cause the form to resubmit to the Budget Administrator.  CETC will log the equipment as recycled within CETC for our records.  If CETC does not feel that the equipment can be re-used, they will let Facilities Coordinator know and this person will approve the DISP onto Lion Surplus.  

3. EXAMPLE:  Professor X is leaving the University and he/she wants to purchase his/her computer for personal use. 

  • Complete a DISP and check *Lion Surplus.  In the notepad, please note that the item is being purchased by the employee who is leaving.  You will need to work with Lion Surplus to calculate the value of the equipment and the employee will need to purchase the item from Lion Surplus.
  • When the DISP reaches Facilities Coordinator, this person will let CETC know that the computer equipment is being purchased by the employee.  CETC will log the disposition appropriately in their life cycle database and will remotely wipe the computer clean before it can be purchased.  (Lion Surplus can also do this.)  Please make sure you let the employee purchasing the equipment know that they will not have the current operating system or University provided software on the computer when they purchase it.  They will need to purchase an operating system license and any other software on their own. 

Mobile Device Guidelines

1.0 Overview

Mobile devices, including but not limited to, phones, tablets, and laptop computers, are becoming increasingly powerful and affordable. Their small size and functionality are making these devices ever more desirable to replace or supplement traditional desktop devices in a wide number of applications. However, the portability offered by these devices increases the risk that information stored or transmitted on them will be exposed. Penn State University and the College of Education allow personal mobile computing devices to be used for business purposes as long as those devices adhere to the guidelines as stated below.

2.0 Purpose

The purpose of this Penn State University, College of Education (CoE), and Mobile Device Policy is to establish best practices in the use of mobile computing devices. This process is necessary to preserve the integrity, availability and confidentiality of Penn State University College of Education data.

3.0 Scope

This policy applies to all mobile devices used to host any Academic and institutional data for the purpose and conduct of meeting some business obligation or need associated with Penn State.

3.0a Scope: College Owned

This policy applies to all CoE faculty, staff, and students and staff and individuals external to CoE who own or operate a college owned mobile device that communicate with Penn State University equipment and networks or stores data in any way.

3.0b Scope: Personally Owned

This policy applies to all CoE faculty, staff, and students and staff and individuals external to CoE who own or operate a personal device that holds Penn State data (such as email, files in Box) and is used to communicate with Penn State University equipment and networks or stores data in any way.

4.0 Policy

Listed below are the minimum guidelines when using a mobile device.

4.0a Policy: College Owned

Restricted data. Penn State University and CoE restricted data should NOT be stored on portable computing devices if it can be avoided. However, in the event that data can only be stored on a mobile device, the Penn State University Data Categorization requires that all "restricted" data must be encrypted using approved encryption techniques and password protected. All Penn State owned mobile devices will be registered so the device can be locked or wiped if lost or stolen. This is based on the best practice and resources currently provided by Penn State. In regard to sensitive data users are required to submit an Authority to Operate (ATO) for L3/L4 data. 

Configure mobile devices securely. Users will be required to register your mobile device with our Penn State Mobile Device Management (MDM) and Enrollment Service. All CoE new purchased mobile devices will automatically be enrolled. The enrollment service provides the following benefits:

  • It enables auto-lock with pin or passcode
  • It enables the use of a complex password (Recommended)
  • It avoids using auto-complete features that remember user names or passwords
  • It ensures that browser security settings are configured appropriately.
  • It enables remote wipe and lock in the event of loss or theft
  • It ensures that *SSL protection is enabled, if available.
  • It will provide VPP services. The Volume Purchase Program (VPP) provides application request and management on mobile apple devices purchased and owned by Penn State University. (See definitions)

4.0b Policy: Personally Owned

Mobile systems NOT owned by Penn State and CoE that require network connectivity must conform to Penn State and CoEs’ information security policies and procedures. See policy at: http://www.ed.psu.edu/for-current-faculty-and-staff/outreach-office/outreach-office-page

Restricted data:

The Penn State University and Data Categorization requires that all "restricted" data must be encrypted if on a mobile device. Once encrypted, a best practice in these cases is to use box.psu.edu as your secure data storage service. 

Configure mobile devices securely. Owners of mobile devices must passcode protect all devices that hold Penn State data (such as email, files in Box). Those who would like their personal mobile systems secured in the same manner as CoE owned devices can submit a request for this service at help.educ.psu.edu. 

The recommended enrollment service provides the following benefits:

  • It enables auto-lock with pin or passcode
  • It enables the use of a complex password (Recommended)
  • It avoids using auto-complete features that remember user names or passwords
  • It ensures that browser security settings are configured appropriately.
  • It enables remote wipe and lock in the event of loss or theft
  • It ensures that *SSL protection is enabled, if available.

Take appropriate physical security measures to prevent theft or enable recovery of mobile devices.

Purchase and enable tracing and tracking software (MobileMe, Computrace, FindMyMac, etc.).

Report lost or stolen devices immediately to the CoE Information Technology Help Desk. Remember to back up data on your mobile device on a regular basis.

5.0 Definitions 

VPN – Virtual Private Network is a way to securely transmit private data over a public network (wired or wireless Internet) using an encryption solution. Connecting to Penn State University, CoE network includes the following:

  •  
    • If you have a network capable device (ex. laptop) plugged into a Penn State University CoE wired network, and you are a “registered user” then you can connect to the “EDUC” LAN (local area network) and use our services.
    • If you connect from a remote location using a different SSID, with a network capable device, through the Penn State University VPN (virtual private network), using the option “ISPtoPSU” you can connect to the CoE “EDUC” LAN (local area network) services.
    • If you have a network capable device and connect using Penn State wireless SSID “psu” you can connect to PSU network services.

VPP - The Apple Deployment Programs consist of three programs.  The Volume Purchase Program (VPP) lets you purchase Apps store apps and books in volume.  The Device Enrollment Program (DEP) gets your institutionally-owned devices automatically enrolled in mobile device management (MDM) during activation without touching the device.  Finally, the Apple ID for Students creates Apple ID accounts for students under 13.

MDM – Mobile Device Management (mdm.psu.edu) There are many different aspects to mobile device management. The features of MDM vary based on the operating system of the mobile device. MDM primarily focuses on two components:

The automation of linking a mobile device with an MDM server

The management of installed applications and other settings via an MDM Server

SSID - An SSID is the name of a wireless local area network (WLAN). Wireless devices on a WLAN must employ the same SSID in order to communicate with each other.

SSL - (Secure Socket Layer) when enabled it allows for encrypted connections to be used.

BYOD - Bring Your Own Device (Normally called a “personal system” not owned or purchased by the organization for which you work.)

WLAN - A WLAN typically extends an existing wired LAN (local area network). WLANs are built by attaching a device called the access point (AP) to the edge of the wired network.

Data Categorization and Related Policies – AD71 Data Categorization; ADG07 Data Categorization Examples; ADG02 Computer Security and others. (See Guru.psu.edu)

References: http://smo.psu.edu/documents. Additional and supplemental policies are provided online at: IT Guidelines and Policies, Information Technology Guidelines and Policies. OIS - Office of Information Security (security.psu.edu) Travel Policy (http://guru.psu.edu/policies/TravelPolicySINGLEDOC.html) Please note sections regarding Export Controls and Compliance.

Moving Computer-based devices. Rev.0.0.3

 

This document is required for all who submit a “move” request in the College.  A ticket is required for “all” computer moves in the College.  (IT Equipment)

 

In most cases the user can move their own systems to the new location and place a marker or note on the system. The submitted ticket must indicate when, where and what is needed for the IT staff to setup, connect or reconfigure the moved system.

 

IT Technical Support Request

https://help.educ.psu.edu

 

Within the same office or the same building in the College

  1. Move and plug in your equipment including the cable into the available data jack. 
  2. Enter an IT Technical Support request to activate the data jack.  Please include old and new port #'s.

 

From one building to another building within the College

  1. Schedule, if necessary, an OPP request to move equipment if it’s more than two or more devices or objects.
  2. Enter an IT Technical Support request ticket. The ticket should indicate what, where, when associated with the move.

 

From the College of Education to a building or office in another academic unit

  1. Schedule, if necessary, an OPP request to move equipment if it’s more than two or more devices or objects.
  2. Enter a CETC Technical Support Ticket to request a data backup and system reset before leaving the College. 
    • Notifications of this kind originate from the HR Office and follow the guidelines outlined in HRG20 (https://policy.psu.edu/policies/hrg20)
    • Contact the IT staff in your new location for setup and connections within their network.

 

Equipment related to research, testing or iRB, or related

  1. Unit must discuss move with IT prior to changes being made.
  2. Ensure any related information or forms are updated and re-signed as needed to reflect research or testing requirements for location of such equipment.