11. Appendix B: Policies

11.1 University Policy on Computer Use

Individuals are expected to exercise responsible, ethical behavior when using the University's computers, information, networks or resources. Policy AD-20, "Computer and Network Security", from the University Policy Manual is reprinted here for your reference.

11.2 Purpose

To establish conditions for use of, and requirements for appropriate security to cover, University computers, available information technology, and networks.

11.3 Scope

This policy is effective at all University locations and represents the minimum requirements that must be in place. Individual areas that have computers and networks may have additional controls and security, but these are in addition to this Policy.

11.4 Responsibility

The University Computing, Network, and Information Security Officer is responsible for the development and implementation of University-wide policies, controls and procedures to protect the University network and information systems from intentional or inadvertent modification, disclosure or destruction, as well as monitoring user adherence to these policies; arbitrating and resolving issues and problems pertaining to ownership, accessibility and updating responsibility for the University's data resources; and educating the user community in the ethical use of computer, information and network facilities.

11.5 Policy

Appropriate security shall include protection of the privacy of information, protection of information against unauthorized modification, protection of systems against denial of service, and protection of systems against unauthorized access.

In order to protect the security of the computers and networks, and the integrity of the information against unauthorized or improper use, and to protect authorized users from the effects of unauthorized or improper usage of the facilities, the University reserves the rights to limit, restrict or terminate any account holder's usage; and to inspect, copy, remove or otherwise alter any data, file, or system resources which may undermine the authorized use of that system, with or without prior notice to the user. The University also reserves the right to periodically check the systems, and to take such other actions as are necessary to protect the University computers, information, and networks.

Each operational computer facility at Penn State must develop an internal security document to cover such details as the type of access controls (minimum length of passwords, other types of access control, etc.), disaster recovery plans, contingency plans for continuous operation in case of power outages, etc. Those documents are considered to be part of this Policy statement.

The University shall not be liable for, and the user assumes the risk of, loss of data or interference with files resulting from the University's efforts to maintain the privacy and security of the University's computer, information and network facilities.

11.6 Access to and Use of Computers and Computer Networks

Individuals are expected to exercise responsible, ethical behavior when using the University's computers, information, networks or resources. This includes the following:

1. Access to University computer systems, accounts and resources is limited to those which an individual has been authorized by the University to use. Authorization for access to computer systems, including the purpose of the account, issuance of passwords and designation of computer accounts, must be approved in writing through the respective Dean or Director of the administrative unit, or their authorized representative. Examples of administrative units include the Center for Academic Computing, the Hershey Medical Center, the Office of Administrative Systems, Library Computing Services, and college or departmental computer systems. The unauthorized use of University computer systems, accounts and resources, the unauthorized use of another person's computer account, and providing false or misleading information for the purpose of obtaining access to computer systems, are prohibited and will be subject to the sanctions described in this policy.

2. Each user is responsible for understanding and complying with the security rules of University computer systems. Authorized users shall take all reasonable precautions to prevent use of University computer systems by unauthorized persons.

3. Use of another person's account or access to the University's computer systems is prohibited without authorization. Authorization shall not be given for anyone to use another's account(s) unless such authorization is specifically requested in writing, and approved in writing by the account owner and the respective Dean or Director (or authorized representative) of the computer or network. The authorized user(s) of an account is (are) responsible for all usage on that account. Account owners shall take all reasonable precautions, including password maintenance and file protection measures, to prevent use of accounts by unauthorized persons. Accounts must only be used for the purpose for which they were authorized. For example, non-funded research or student accounts may not be used for funded research or private consulting.

4. Users have the responsibility to use available mechanisms and procedures to protect their own programs, programs in software libraries, and data, and they are also responsible for assisting in the protection of the systems they use.

5. Programs, programs in software libraries, and data that belong to another account shall not be accessed or copied without prior authorization from the account holder. Files may not be taken to other computer sites without written permission from the holder of the account under which the files reside.

6. Computer software protected by copyright is not to be copied from, into or by using University computers, except as permitted by law or by the license or contract with the owner of the copyright. The software license or contract will define the number of copies, simultaneous users, machine exclusivity, etc.

7. University computer systems are reserved for use only for University-related activities. Transmitting or making accessible offensive, obscene or harassing materials or messages are not University-related activities and are prohibited. The intentional deletion or alteration of information or data of others, intentional misuse of system resources, and permitting misuse of system resources by others are prohibited.

8. Individuals aware of any breach of information system or network security, or compromise of computer security safeguards, must report such situations to the responsible computer security officer. The appropriate computer security officer, in conjunction with the University Computing, Network and Information Security Officer, will contact Auditing for assistance to determine if financial loss has occurred and if controls or procedures require modification. When warranted by such preliminary review, Police Services, Auditing, and other departments will be contacted as appropriate.

11.7 Sanctions for Policy Violations

Violation of any provision of this policy may result in (i) a limitation on a user's access to some or all University systems, (ii) the initiation of legal action by the University, including, but not limited to, criminal prosecution under appropriate State and Federal laws, (iii) the requirement of the violator to provide restitution for any improper use of service, and (iv) disciplinary sanctions, which may include dismissal.

11.8 Course and Work Related Access to Computers and Computer Networks

Many academic courses and work-related activities require the use of computers, networks and systems of the University. In the event of an imposed restriction or termination of access to some or all University computers and systems, a user enrolled in such courses or involved in computer-related work activities may be required to use alternative facilities, if any, to satisfy the obligations of such courses or work activity. However, users are advised that if such alternative facilities are unavailable or not feasible, it may be impossible to complete requirements for course work or work responsibilities. The University views misuse of computers as a serious matter, and will make no exceptions to restrictions on access to its facilities even if the user is unable to complete course requirements or work responsibilities as a result. Any questions about this policy, or about the applicability of this policy to a particular situation, should be referred to the appropriate University computer security officer.

11.9 Cross References

Other policies in the University Policy Manual should also be referenced, especially the following:

AD-11 University Policy on Confidentiality of Student Records
AD-12 Use of University Equipment, Supplies and Services
AD-23 Use of Institutional Data
AD-35 University Archives and Records Management
AD-60 Access to Personnel Files
ADG-1 Glossary of Computerized Data and System Terminology
ADG-2 Operational Computer Facility Internal Security Guideline

Other resources include but are not limited to Policies and Rules, A Guide for Students (Policy Statement on Computers).

11.10 CAC Guidelines

Additional guidelines for computer use can be found in the following publications. These documents are available electronically on the Internet Gopher information system. Printed copies are available for reference in rooms 215 and 230 of the Computer Building and in 12 Willard Building.

Center for Academic Computing Guide
EDUCOM Statement on Using Software: A Guide to the Ethical and Legal Use of Software for Members of the Academic Community

11.11 CAC Policy on Passwords

Purpose: In accord with the Penn State Computer Facilities, Information Technology, and Networking Security Policy (University Policy), the Center for Academic Computing Policy on Passwords defines passwords for computer systems operated by the Center for Academic Computing.

Application: This policy applies to every person using computers controlled by the Center or operated as a public facility by the Center for Academic Computing. Computers with operating systems not providing password protection (e.g., MS-DOS) are not covered. When connected to networks, other means of protection are required.

A password is private information. All use of the userid (or file) is assumed to be performed by the person assigned to that userid. (The userid is a unique identifier associated with the person assigned to it by the Director of the Center for Academic Computing or designee. On some computer systems it may be called an account.) You are responsible for safeguarding passwords for your userids. Passwords must not be shared. It is against policy, and in most cases law, to use another's account or file. (See exceptions below.) Failure to conform to these restrictions may lead to suspension of the userid or other action as provided by University Policy or law.

Password Guidelines: The following guidelines are based upon experience and common sense. They are explicit for the Center systems. The software used to change passwords will screen for most of these guidelines as an aid in creating secure passwords. This does not relieve a person of responsibility for creating and securing a good password. These guidelines may be tailored as appropriate for other CAC systems with the written agreement of the Director.

1. It must be at least six characters in length.
2. It must contain at least one alphabetic and one numeric character.
3. It must be significantly different from previous passwords.
4. It cannot be the same as the userid.
5. It cannot start or end with the initials of the person issued the userid.
6. It cannot include the first, middle, or last name of the person issued the userid.
7. It should not be information easily obtainable about you. This includes license plate, social security or telephone numbers, or street address.

Password Expiration: Passwords may be changed more often, but they must be changed at expiration. Logon passwords will expire as follows:

1. All passwords for newly activated userids must be changed at first use.
2. Passwords for accounts will expire at six-month intervals unless otherwise noted.
3. The password for a CAC staff account expires every 90 days.

On VM systems, when users log on after password expiration, the following two messages will be displayed after the standard CP Logon message:

VMXSYS011I Your logon password has expired.
VMXSYS372R Select and enter a new password for your userid:

After a new password has been selected, the logon proceeds normally.

Exceptions: Exceptions to this Policy or to those in the University Policy must be applied for in writing and will be authorized only by the Director of the Center for Academic Computing or designee.

Effective: The Policy will go into effect July 1, 1991.

Distribution: The Center will provide a copy of this Policy when an account is opened. It will also be available on-line in an accessible manner.

Change: The Director of the Center for Academic Computing may change this policy at any time subject to the review of the Executive Director of Computer and Information Systems.
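The seven password guidelines in 11.11 above, written out as a screening check of the kind the policy says the password-change software performs. This is an added example, not code from the Center for Academic Computing; the policy does not define "significantly different" (rule 3), so the checker assumes a Levenshtein distance of at least 3 from each previous password, and rule 7 can only be checked against the personal details the caller supplies. The function names are the example's own.

```python
"""Checker for the seven CAC password guidelines quoted in section 11.11.

Added example, not code from the Center for Academic Computing. Assumptions
not stated by the policy: comparisons are case-insensitive; "significantly
different" (rule 3) means a Levenshtein distance of at least MIN_DISTANCE;
rule 7 is checked only against the personal details the caller passes in.
"""

MIN_DISTANCE = 3  # assumed threshold for rule 3; the policy gives none


def _edit_distance(a: str, b: str) -> int:
    """Levenshtein distance between a and b (used for rule 3 only)."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def _alnum(s: str) -> str:
    """Lower-case s with spaces and punctuation removed, so '814-865-1234' matches '8148651234'."""
    return "".join(ch for ch in s if ch.isalnum()).lower()


def check_password(password, userid, names, previous=(), personal=()):
    """Return the numbers of the guidelines the password violates ([] means it passes).
    names: (first, middle, last) of the person issued the userid;
    personal: strings such as phone number, license plate, SSN or street address."""
    p = password.lower()
    violations = []
    if len(password) < 6:                                                   # rule 1
        violations.append(1)
    if not (any(c.isalpha() for c in p) and any(c.isdigit() for c in p)):  # rule 2
        violations.append(2)
    if any(_edit_distance(p, old.lower()) < MIN_DISTANCE for old in previous):  # rule 3
        violations.append(3)
    if p == userid.lower():                                                 # rule 4
        violations.append(4)
    initials = "".join(n[0] for n in names if n).lower()
    if initials and (p.startswith(initials) or p.endswith(initials)):      # rule 5
        violations.append(5)
    # rule 6: one-letter entries (a bare middle initial) are skipped so they do not match trivially
    if any(len(n) >= 2 and n.lower() in p for n in names):
        violations.append(6)
    if any(_alnum(item) and _alnum(item) in _alnum(password) for item in personal):  # rule 7
        violations.append(7)
    return violations
```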