USC IT Policy

The following is an excerpt from the USC Office of Compliance regarding the usage of USC information systems & equipment.

Appendix A—Access Authorization Procedures

Purpose

This Appendix A describes the procedures for establishing, modifying, and terminating access to USC information systems.

Establishing and Modifying Access

  1. System administrators shall have documented procedures for establishing and modifying user access to information systems and applications within the department/school/unit.
  2. The procedure will document the process for obtaining supervisor approval to establish or modify access.
  3. System administrators will perform an annual review of their access procedures and will update and revise accordingly.
  4. System administrators shall determine to which systems and applications these procedures apply, and will document the justification for their determinations.

Terminating Access

  1. System administrators shall have documented procedures for terminating user access to information systems and applications within the department/school/unit.
  2. System administrators must promptly delete user access upon notification by Human Resources that access should be terminated.

Password Guidelines

User responsibilities

  1. Users shall not give their passwords to other individuals to use on their behalf.
  2. Users shall not post or otherwise display their passwords where they can be seen by others.
  3. Where applicable, users shall create strong passwords. For example:
    1. Passwords should consist of a minimum of 6 alphanumeric characters.
    2. Passwords should contain a combination of alpha-characters, numbers and/or special characters.
    3. Passwords should be selected with the intention of not allowing other people to guess them easily.
    4. Passwords must never be the same as or resemble the logon-ID. Passwords such as “password”, “administrator”, “user”, “guest”, “123456”, etc. should not be used. Repeating passwords such as “111111” or “z1z1z1” should not be used.

System administrator responsibilities

  1. Where possible, system administrators should enforce user responsibilities as outlined above.
  2. Where possible, passwords should be subject to an expiration policy requiring them to expire.
  3. Where possible, systems should be configured to disallow re-use of passwords for 3 generations.
  4. Where possible, systems should be configured to “lock-out the account” after 5 incorrect password attempts.
  5. Where possible, the use of single sign-on (Shibboleth) logins and passwords for applications through the Global Directory Services (GDS) should be encouraged.
  6. Passwords should be stored in an encrypted format only, not in plain text format.
  7. Where possible, system administrators should implement password-protected screensaver controls after a specified idle time, to be determined by the system administrator and unit.
  8. System administrators have the discretion to implement stricter guidelines; the above are minimum standards.

Exceptions

  1. Those systems that operate in an environment that does not allow for the use of passwords (i.e., sub-systems and systems without a user interface) must be appropriately secured by other security means by the system administrator.
  2. Systems that do not currently allow for these requirements to be implemented must be able to comply when that system is replaced or substantially upgraded.

Appendix B—Virus Protection and Patch Management Procedures

Purpose

This Appendix B describes USC’s requirements for anti-virus protection and patch management.

Anti-Virus Protection

System administrator responsibilities

  1. System administrators must ensure that all departmental servers and workstations have current and updated anti-virus software installed.
  2. With the exception of troubleshooting or special installation activities, system administrators shall ensure that anti-virus software is not modified or disabled on servers or workstations.
  3. Any virus with potentially harmful impact on the network infrastructure should be reported to ITS.

User responsibilities

  1. Users must contact their system administrator for assistance if they become aware that they do not have current, up-to-date anti-virus software installed on their workstation or laptop.
  2. Once the anti-virus software is installed, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.
  3. Users should report virus incidents to their system administrator or ITS.

Patch Management

System administrator responsibilities

System administrators must ensure that all departmental servers and workstations have automated patch management software or are updated by regularly scheduled update procedures.

User responsibilities

Once the automated patch management is configured on the computer, users shall not modify the software or its configuration in any manner, unless directed by their system administrator or ITS.

ITS Responsibilities

  1. ITS is responsible for providing an enterprise anti-virus solution for university computers.
  2. ITS is responsible for providing guidelines on installing and maintaining the anti-virus software and updates on university computers.

System Monitoring and Auditing

ITS and the ISO are authorized to monitor the network infrastructure and take proactive measures, including scanning, to maintain the operation and security of the network infrastructure.