Montana State University

500.00 System Security


SECTION CONTENTS


510.00  Data Security
510.10    Background
510.20    Data Classifications
510.30    Access Control
510.40    User Responsibilities
510.50    Security Officer
510.60    Penalties

520.00  Unauthorized Use of Computer Software
520.10    Background
520.20    Montana University System Computer Software Use Policy
520.30    Policy Dissemination at Montana State University
520.40    Penalties

510.00 Data Security

Revised November 1992

510.10 Background

The MSU computer network accommodates a wide assortment of data, ranging from highly confidential information to material made available for the entire campus community. This policy establishes a system of classifying data with respect to need for security, and institutes guidelines for maintaining the security of each data classification. The policy covers all data accessible on MSUnet or stored in stand-alone systems.

510.20 Data Classifications

  1. Restricted Data: All data which, if released in an uncontrolled fashion, could have substantial fiscal or legal impacts on the University. Examples include personal data containing elements such as Social Security numbers, student grades, and personnel records.

  2. External Data: All data belonging to an outside party or agency. Examples include data maintained by commercial account owners and certain researchers who have special data arrangements with public or personal agencies.

  3. Personal Data: All data equivalent to personal documents stored in desks or file cabinets. Examples include electronic mail, personal correspondence, and personal files, including most research files.

  4. Public Data: All data that is not restricted by one of the above classifications. Examples include the Campus-wide Information System and ITC banner information.

510.30 Access Control

  1. Restricted Data: Copying or moving restricted data to other accounts alters its classification from restricted to personal and changes the responsibility for access control, but does not change the confidentiality of the data. Access to the Administrative Information System is the responsibility of the Data Base Managers (DBMs), as described in Section 340.30.

  2. External Data: Access control is the responsibility of the local owners and researchers, who may request assistance in securing data from the Security Officer (Section 510.50).

  3. Personal Data: Access control is the responsibility of each individual account owner, who may request assistance in securing data from the Security Officer (Section 510.50). Recipients of restricted data are responsible for maintaining the restricted nature of the data.

  4. Public Data: Access is unrestricted.

510.40 User Responsibilities

  1. Users will not make or permit any unauthorized use of any data present in university accounts. They will not seek personal or financial benefit or allow others to benefit personally or financially by knowledge of any job-related data.

  2. Users will maintain a clear understanding of the types of data which can be released without the data owner's consent, and will not release any other information.

  3. Users will take reasonable measures for protecting data in their possession or to which they have access. The "Security Responsibilities of Departments for Data and Information Technology Resources" are detailed in Montana Code Annotated 2-15-114.

510.50 Security Officer

  1. The Director of ITC shall appoint a Security Officer from among ITC staff to be responsible for implementing and monitoring data security policies and procedures.

  2. The Security Officer's responsibilities include:

    1. Restricted Data: Works with the DBMs to monitor all access to restricted data and investigate all security violations.

    2. External and Personal Data: At the request of the account owner, serves as a consultant for establishing a level of data security beyond that normally provided by ITC, or for investigating breaches of data security.

  3. At the request of the Director of ITC, the Security Officer will monitor or investigate possible breaches of data security. In the absence of the Director, the Security Officer is responsible for responding to complaints and initiating investigations.

  4. The Security Officer will serve as MSU's liaison to the Internet for investigations of possible Internet security violations.

510.60 Penalties

  1. Alleged violations of this policy should be reported to the Director of ITC. Incidents will be investigated by ITC in cooperation with the alleged violator's supervisor and other MSU authorities as required by the nature of the offense.

  2. The appropriate MSU, Board of Regents, and state grievance procedures and disciplinary actions apply in cases of alleged data security violations. Users found to have violated data security may be subject to suspension of computer access privileges, letter of reprimand, academic sanction, unsatisfactory performance evaluation, suspension or expulsion, employment termination, and/or accountability in a court of law.

520.00 Unauthorized Use of Computer Software

Revised August 1992

520.10 Background

The Board of Regents has established a system wide policy, "Unauthorized Copying and Use of Computer Software" (Item 55-002-R0687), which is printed in Section 520.20. Montana State University has developed several avenues for disseminating this policy, which are described in Section 520.30.

520.20 Montana University System Computer Software Use Policy

  1. Employees and students of any unit of the Montana University system, community college or vocational technical center are prohibited from making or using any unauthorized copy or copies of computer software or related documentation on any equipment available at or through such institution.

  2. Employees and students are subject to disciplinary actions under appropriate employee or student regulations in addition to any civil or criminal penalties which may be imposed as a result of vendor action.

  3. In the event an employee is sued by the copyright owner or licenser, the state will generally not provide a defense or indemnification.

520.30 Policy Dissemination at Montana State University

  1. Copies of this policy are available to MSU students and staff from ITC and through the computerized campus-wide information system (MSUinfo).

  2. The following statement will be an integral part of all conduct guidelines for faculty, staff, and students: "Copying of software, including programs, applications, data bases and code not authorized by the copyright owner or licenser is illegal." This statement, or one similarly worded, will be published in the following places:

    • Faculty Handbook
    • Personnel Policies and Procedures Manual
    • Undergraduate Bulletin
    • Student Conduct Code
    • Posted in all student computer laboratories.
    • Printed in the Staff Bulletin early in each academic year.

520.40 Penalties

  1. Alleged violations of this policy should be reported to the Director of ITC. Suspected incidents will be investigated by ITC in cooperation with the alleged violator's supervisor and other MSU authorities as required by the nature of the offense. The appropriate MSU, state, and Regent's grievance procedures and disciplinary actions apply in these cases.

  2. The appropriate MSU, Board of Regents, and state grievance procedures and disciplinary actions apply in cases of alleged unauthorized use of computer software. Users found to have violated data security may be subject to suspension of computer access privileges, letter of reprimand, academic sanction, unsatisfactory performance evaluation, suspension or expulsion, employment termination, and/or accountability in a court of law.

Table of Contents