System and Information Integrity

Purpose

The purpose of this policy is to establish information security standards for the System and Information Integrity processes relevant to University of Maryland Global Campus ("UMGC" or "University") Information Technology Resources.

Scope and Applicability

This policy applies to all University Information Systems and Information Technology Resources. All Information System Stewards and their designees are responsible for adhering to this policy.

Definitions

Capitalized terms shall have the meaning ascribed to them herein and shall have the same meaning when used in the singular or plural form or any appropriate tense.

1. Authorized User: A User who has been granted authorization to access electronic Information Resources and is current in their privileges.

2. Contractor: A person or a company that undertakes a contract to provide materials or labor to perform a service.

3. Data: Element(s) of Information in the form of facts, such as numbers, words, names, or descriptions of things from which "understandable information" can be derived.

4. Employee: University staff and faculty, including nonexempt, exempt, and overseas staff and collegiate faculty.

5. Information System: Inter-related components of Information Technology Resources working together for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.

6. Information System Steward: A UMGC staff member or other individual providing services to the University who is responsible for the development, procurement, compliance, and/or final disposition of an Information System.

7. Information Technology Resource: Any equipment or interconnected system or subsystem of equipment that is used in the automatic acquisition, storage, manipulation, management, movement, control, display, switching, interchange, transmission, or reception of data or information by UMGC directly or by a third party under a contract with UMGC which requires the use of such equipment. The term includes computers, mobile devices, software, firmware, services (including support services), and UMGC's network via a physical or wireless connection, regardless of the ownership of the Information Technology Resource connected to the network.

8. Integrity: Ensuring records and the Information contained therein are accurate and Authentic by guarding against improper modification or destruction.

9. User: A University community member, including but not limited to, staff, faculty, students, alumni, and individuals working on behalf of the University, including third party vendors, Contractors, consultants, volunteers, and other individuals who may have a need to access, use or control University Data.

System and Information Integrity

Information System Stewards or their designee must adhere to the University's System and Information Integrity Policy to ensure that University Information Systems are updated with security patches to prevent malware infections, to ensure that anti-malware software is deployed, and that e-mail systems are monitored and protected to detect malicious activity.

1. Information System flaws must be identified, reported, and corrected in a timely manner. The University must have a process to review relevant vendor announcements regarding weaknesses, vulnerabilities, and/or flaws. After reviewing the information, the Information System Stewards must execute a process called patch management that allows for systems to be updated without adversely affecting the organization.

2. Protection from malicious code (e.g. malware) must be provided at appropriate locations within University Information Systems. Malicious code is program code that purposefully creates an unauthorized function or process that will have a negative impact on the confidentiality, integrity, or availability of an information system. Malicious code may include viruses, spyware, and trojan horses.

3. Malicious code protection mechanisms must be updated when new releases are available.

4. Periodic scans of the Information System and real-time scans of files from external sources as files are downloaded, opened, or executed must be performed.

5. Information System security alerts and advisories must be monitored and where necessary acted upon.

6. University Information Systems, including inbound and outbound communications traffic, must be monitored to detect attacks and indicators of potential attacks.

7. Unauthorized use of University Information Systems must be identified. Information System Stewards can monitor systems by observing audit activities such as intrusion detection systems, intrusion prevention systems, and malicious code protection software.

8. Spam protection mechanisms must be employed at Information System access entry and exit points.

9. Email forgery protections must be implemented to prevent compromised accounts through attacks such as phishing and spam.

10. Sandboxing must be utilized to detect or block potentially malicious email.

Exceptions

Exceptions to this policy should be submitted to the VP of Information Security for review and approval. If an exception is requested a compensating control or safeguard should be documented and approved.

Enforcement

1. Any Employee, Contractor, or third-party performing duties on behalf of the University with knowledge of an alleged violation of this Policy shall notify the VP of Information Security as soon as practicable.

2. Any Employee, Contractor, or other third-party performing duties on behalf of the University who violates this Policy may be denied access to Information Resources and may be subject to disciplinary action, up to and including termination of employment or contract or pursuit of legal action.

Related Policies

1. Audit and Accountability Policy

2. Configuration Management Policy

3. Identity and Access Management Policy

4. Information Security Awareness and Training Policy

5. Information Security Incident Management Policy

6. Information Security Policy

7. Maintenance Policy

8. Media Protection Policy

9. System and Communication Protection Policy

Effective Date

This policy is effective as of the date set forth above.