Skip to main content
Learn More
Shearman Fine Arts at Dusk

Data Integrity Guidelines

Data Integrity Guidelines

Data Integrity Guidelines

  1. Overview

    In accordance with the McNeese State University Guidelines for Sensitive Data, all information systems that create, receive, store, or transmit 'Sensitive Data' (hereafter “Confidential Data”) should adhere to the principles of these guidelines.

  2. Purpose

    State and federal regulations, as well as general best practices, shape the security and privacy protections that must be afforded to data classified as "Confidential". This document addresses regulatory and best practice requirements to protect data integrity.

  3. Scope

    The scope of these guidelines include all personnel who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any McNeese State University facility, has access to the McNeese State University network, or stores any non-public McNeese State University information.

  4. Guidelines

    Information systems or applications that create, receive, store, or transmit Confidential data (hereafter "Confidential Systems" - see Guidelines for Sensitive Data) should adhere to the following:

    1. Disabling unnecessary services
      1. All Confidential Systems should disable services that are not required to achieve the business purpose or function of the system. Examples of unnecessary services could include, but are not limited to, FTP, Telnet, SMTP, Web services, etc.
    2. Monitoring Log-in Attempts
      1. All access to Confidential Systems should be logged. Logs should be audited on a predetermined, periodic basis. Documented procedures should be in place for the regular review of the audited activity. Discrepancies or access violations found through audits should be documented and, when appropriate, reported.
    3. Protection from malicious software
      1. All Confidential Systems should be tagged , which ensures protections from software are available. These protections include, but are not limited to, antivirus software, personal firewall software, and automated installation of security patches. For non-networked Confidential Systems, users should make reasonable efforts to keep systems updated with the latest security patches and antivirus software and definitions. Antivirus software is available to all users through the Network Services.
      2. Confidential Systems (including laptops and PDA's) should be used for appropriate functions. While non-essential computer activities such as playing music are not generally prohibited, users should be cognizant that, when misused, this type of practice can result in disruption of the larger computing environment. Users are expected to treat electronic resources with care and seek advice from their direct supervisors or if they are unsure as to the appropriateness of particular computing functions.
    4. Patch Management
      1. Managers and administrators of Confidential Systems have the responsibility of determining whether and/or which patches (e.g. operating system, application, or other patches) to deploy.
    5. Intrusion Detection and Vulnerability Scanning
      1. Networks that support processing, storage, or transmission of Confidential data should be monitored for intrusion and compromise by contemporary intrusion detection and/or prevention technologies by personnel with documented authorization. Intrusions should be investigated, logged and reported as per the incident reporting guidelines.
      2. Vulnerability scanning of Confidential Systems should occur on a predetermined, regular basis, no less than annually. Vulnerability scans should be reviewed by trained personnel and, when appropriate, reported as per the incident reporting guidelines.
    6. Server Security
      1. Server administrative functions on Confidential Systems may be performed only by personnel with documented authorization.
    7. Workstation Security
      1. Anyone authorized to use a workstation is expected to protect the integrity of that workstation and the data it contains.
      2. Users are expected to make reasonable efforts (e.g. by one more of the following: locking, logging out, using privacy screens, using logons with limited access, etc.) to restrict the viewable access to workstations that are connected to (or are considered to be) Confidential Systems when they are going to be out of viewable range of those workstations. After a predetermined amount of inactivity, workstations that have access to (or are considered to be) Confidential Systems should automatically lock or log off. Electronic access from workstations to Confidential Systems should be automatically terminated after a predetermined period of activity.
      3. Workstations, printers, fax machines, etc, classified as "Confidential" should not be located in public sections of walkways, hallways, waiting areas, etc. To the extent reasonable, efforts should be made to limit the viewing of data on these workstations to workforce members with legitimate business need to do so.
    8. Laptops
      1. All reasonable efforts should be made to avoid storing Confidential data on laptops.
      2. Laptops devices that store Confidential data should employ:
        1. Unique individual power-on passwords
        2. Password protected screen savers (when technically possible)
        3. Encryption of Confidential data (when technically possible)
    9. Mobile Devices
      1. All reasonable efforts should be made to avoid storing Confidential data on mobile devices, including smart phones, tablets, flash drives, etc.
      2. Mobile devices that must store Confidential data should employ encryption of Confidential data (when technically possible).
    10. Data Security
      1. Managers and administrators of Confidential Systems should document and adhere to a process to regularly assess data storage systems and requirements in order to:
        1. Reduce the risk of compromise of Confidential data confidentiality and/or integrity.
        2. Implement and/or review controls designed to protect Confidential data from improper alteration or destruction.
        3. Ensure that Confidential data is stored in a manner that supports user access logs and automated monitoring for potential security incidents.
        4. Ensure that back-end databases containing large amounts (over 1 gigabyte) of Confidential data are isolated from other application or system services (e.g. application middleware, Web and e-mail servers, thin-client servers, etc.) and where not practical, protected by equivalent compensating controls.
        5. Backup tapes containing Confidential data should be encrypted using contemporary encryption standards (see Guidelines for Acceptable Encryption).
    11. Transmission Security
      1. Managers, administrators, or other applicable users of Confidential Systems are responsible for protecting Confidential data (including file transfers) while in transit, both within McNeese State University networks, and on public networks such as the Internet. Managers and administrators of Confidential Systems and data should adhere to the following:
        1. Any transmission of Confidential data over public networks should be encrypted.
        2. Integrity controls that ensure data has not been tampered with by unauthorized users should be in place for all Confidential data that traverses McNeese State University networks.
        3. Sender authentication controls that verify the sender of Confidential data is who that sender claims to be should be in place for all Confidential data that traverses McNeese State University networks.
        4. Recipient authentication controls that verify the recipient of Confidential data is who that recipient claims to be should be in place for all Confidential data that traverses McNeese State University networks.
        5. System logs of all transmissions of Confidential data over public networks should be available for audit.
    12. Email Transmission Security
      1. Many of the controls above are addressed by the appropriate use of security technologies (e.g. IPSec-compliant virtual private networks (VPN's), SMTP over SSL, etc) and practices. Users should be particularly careful when transmitting email containing Confidential data, as e-mail is inherently insecure. Additional standards for the use of email in communicating Confidential data are:
        1. The inclusion of Confidential data in email should be kept to the minimum necessary needed to meet the intended purpose of the message and must be directed only to people with legitimate authorization.
        2. Sending messages to an unintended recipient is particularly easy to do with email, and senders should verify the send-to email address before sending messages containing Confidential data.
        3. To protect the confidentiality of Confidential data, senders should use encrypted email services wherever such services are available and practical.
        4. Instead of sending or receiving email attachments containing unencrypted Confidential data, users should use a secure file transfer service.
        5. Instant messaging and other similar technologies (e.g. text paging, text messaging) have many of the same security problems as email and are generally even more difficult to secure. Unless the communicating parties are certain that communications are protected effectively against unauthorized use or disclosure, Confidential data should not be sent through instant messaging or other similar technologies.
  5. Revision History

    Fri Dec 20, 2013