Security, (CIO/CISO/ISM), computer systems must not allow any user to
conduct multiple simultaneous remote network connections.
6. All log-in banners must include security notice. Every log-in screen for
multi-user computers must include a special notice. This notice must state: (1) the
system may only be accessed by authorized users, (2) users who log in
represent that they are authorized to do so, (3) unauthorized system usage or
abuse is subject to penalties, and (4) system usage will be monitored and logged.
7. Security notice in log-in banner must not disclose system information.
All log-in banners on network-connected Howard University computer
systems must simply ask the user to log in, providing terse prompts only
where essential. Identifying information about the organization, operating
system, system configuration, or other internal matters must not be
provided until a user's identity has been successfully authenticated.
8. Users must log off before leaving sensitive systems unattended. If the
computer system to which users are connected or which they are currently using
contains sensitive information, and especially if they have special access rights,
such as domain admin or system administrator privileges, users must not leave
their computer, workstation, or terminal unattended without first logging out,
locking the workstation, or invoking a password-protected screen saver.
9. Academic, Administrative, and Supporting Enterprise Technology Services’ staff
must:
a. Follow policies and procedures, as established by ETS, to validate firewall
activation, operating system installation, application software security patches and
virus protection updates for all devices in the unit’s areas of physical or
administrative control that are to be, or are, configured to utilize network resources
that are controlled and managed by ETS.
b. Follow policies and procedures, as established by ETS, for using
automated tools to test devices connected to the business unit’s local wired or
wireless data network for compliance. Noncompliant devices are to be
disconnected, disabled or quarantined until the device is brought into compliance.
When devices are not compliant, operating units, or individuals and their
information technology staff, must employ compensating controls. Units must
document compensating controls and/or any exceptions. These must be reviewed,
tested, and approved by Information Security.
The operating business unit or individual must retain the approved
documentation for audits as long as the device is in operation. Any
connection to the Internet, or to a national or regional network from a
private network operated by an academic, administrative, or support unit,
must be made via University network resources. The Executive Director
Organization: ETS
Title/Subject: Network Security Policy
Document Number:
Author: Christopher Cole
Approved by: Tilmon Smith
Date: April 10, 2014
Version: 2.0
Page: 5