Policies and Guidelines

IT-related policies are currently under heavy revision. Questions should be directed to the ITS Help Desk.

Preamble

Information Technology Services' (ITS) intention in publishing these policies is not to impose restrictions that are contrary to Princeton Theological Seminary's (the Seminary) established culture of openness, trust and integrity.

The purpose of these policies is to outline the acceptable use of computer equipment and services at the Seminary. They are in place to protect students, employees and the Seminary. Inappropriate use exposes students, employees and the Seminary to risks including virus attacks, compromise of network systems and services, disruption of normal and vital activities of the Seminary, privacy and ethical considerations, the Seminary’s public image, and legal issues.

These policies also include ITS itself in regard to its duties and responsibilities to the Seminary and its data assets.

ITS is committed to protecting the Seminary's students, employees, partners and the Seminary from illegal or damaging actions by individuals, either knowingly or unknowingly.

"Princeton Theological Seminary" will henceforth be referred to as the "Seminary" in these policies.

Princeton Theological Seminary's "Information Technology Services" department will henceforth be referred to as "ITS" in these policies.

An "employee" includes employees of the Seminary, faculty, contractors, consultants, temporary and other workers at the Seminary, including all personnel affiliated with third parties.

For the purposes of these policies only, a student who is paid by the Seminary or has access to its privileged systems and data is also considered an employee.

The word "user" or "computer user" will sometimes be used in these policies and includes all students, faculty, employees, contractors, consultants, temporary, and other workers at the Seminary and its subsidiaries, and sometimes those not associated with the Seminary. For example, someone walking in and using library computers.

Acceptable Use Policy

1. Overview

Internet/Intranet/Extranet-related systems, including but not limited to computer equipment, software, operating systems, storage media, network accounts providing electronic mail, WWW browsing, FTP, and all other Seminary computer systems and data, are the property of the Seminary. These systems are to be used for business purposes in serving the interests of the Seminary and of our clients and customers in the course of normal operations.

The Seminary makes computing and network resources available to its students for their use while they are members of the Seminary community.

Effective security is a team effort involving the participation and support of every Seminary student, employee and affiliate who deals with information and/or information systems. It is the responsibility of every computer user to know these guidelines and to conduct their activities accordingly.

Those who are connected to the network and/or who otherwise avail themselves of the Seminary’s network or computer resources are therefore expected to use the technology in a responsible, considerate, and ethical manner.

2. Purpose

The purpose of this policy is to outline the acceptable use of computer equipment at the Seminary. These rules are in place to protect students, employees and the Seminary. Inappropriate use exposes students, employees and the Seminary to risks including virus attacks, compromise of network systems and services, privacy, ethical considerations, the Seminary’s public image, and legal issues.

3. Scope

This policy applies to the use of information, electronic and computing devices, and network resources to conduct Seminary business or interact with internal networks and business systems, whether owned or leased by the Seminary, student, employee, or a third party. All employees, contractors, consultants, temporary, and other workers at the Seminary and its subsidiaries are responsible for exercising good judgment regarding appropriate use of information, electronic devices, and network resources in accordance with Seminary policies and standards, and local laws and regulations.

This policy applies to students, employees, contractors, consultants, temporaries, and other workers at the Seminary, including all personnel affiliated with third parties. This policy applies to all equipment that is owned or leased by the Seminary.

4. Policy

4.1 General Use and Ownership

4.1.1 All data, documents, and other information created or stored on the Seminary’s computers or in the Seminary network, including all incoming and outgoing electronic mail, are the property of the Seminary. You must ensure through legal or technical means that proprietary information is protected in accordance with the Restricted Information Policy.

4.1.2 Students and employees cannot and should not have any expectation of privacy with regard to any data, documents, electronic mail messages, or other computer files or documents created or stored on computers within or connected to the Seminary’s network, nor should students have any expectation of privacy with respect to any such items on which they have worked while connected to the Seminary’s network.

4.1.3 All Internet data that is composed, transmitted, or received via the Seminary’s computer communications systems is considered part of the official records of the Seminary and, as such, is subject to disclosure at any time to Seminary supervisors and officers, to law enforcement officials, and/or to other third parties. Consequently, you should always ensure that the information contained in electronic mail messages and other transmissions is accurate, appropriate, ethical, and lawful.

4.1.4 The Seminary strives to maintain a community free of harassment and is sensitive to the diversity of its members. Therefore, the Seminary prohibits the use of its computer network, including its electronic mail system, and the access it provides to the Internet, in ways that are disruptive, offensive to others, or harmful to morale. Such misuse includes, but is not limited to, the display or transmission of sexually explicit images, messages, and cartoons, ethnic slurs, racial comments, off-color jokes, or anything that may be construed as harassment or showing disrespect for others.

4.1.5 Data that is composed, transmitted, accessed, or received via the Internet must not contain content that could be considered discriminatory, offensive, obscene, threatening, harassing, intimidating, or disruptive to any employee or other person. Examples of unacceptable content may include, but are not limited to, sexual comments or images, racial slurs, gender-specific comments, or any other comments or images that could reasonably offend someone on the basis of race, age, sex, religious or political beliefs, national origin, disability, sexual orientation, or any other characteristic protected by law.

4.1.6 You have a responsibility to promptly report the theft, loss or unauthorized disclosure of Seminary proprietary information.

4.1.7 You have a responsibility to promptly report the theft or loss of computer equipment of all kinds.

4.1.8 You may access, use or share Seminary proprietary information only to the extent it is authorized and necessary to fulfill your assigned job duties.

4.1.9 Users are responsible for exercising good judgment regarding the reasonableness of personal use. Individual departments are responsible for creating guidelines concerning personal use of Internet/Intranet/Extranet systems. In the absence of such policies, users should be guided by departmental policies on personal use, and if there is any uncertainty, users should consult their supervisor, manager or ITS.

4.1.10 For security and network maintenance purposes, authorized individuals within the Seminary may monitor equipment, systems and network traffic at any time, per ITS's Audit Policy.

4.1.11 The Seminary reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy.

4.2 Security and Proprietary Information

4.2.1 All mobile and computing devices that connect to the internal network must comply with the Minimum Access Policy.

4.2.2 System-level and user-level passwords must comply with the Password Construction Policy. Providing access to another individual, either deliberately or through failure to secure access to an account, is prohibited.

4.2.3 All Seminary computing devices must be secured with a password-protected screensaver with the automatic activation feature set to 10 minutes or less. You must lock the screen or log off when the device is unattended.

4.2.4 Postings by students or employees from a Seminary email address to newsgroups should contain a disclaimer stating that the opinions expressed are strictly their own and not necessarily those of the Seminary, unless posting is in the course of business duties.

4.2.5 Users must use extreme caution when opening e-mail attachments received from unknown senders, which may contain malware.

4.3 Unacceptable Use

The following activities are, in general, prohibited. Users may be exempted from these restrictions during the course of their legitimate job responsibilities (e.g., ITS employees may have a need to disable network access of a host if that host is disrupting production services).

Under no circumstances is an employee of the Seminary authorized to engage in any activity that is illegal under local, state, federal or international law while utilizing Seminary-owned resources.

The lists below are by no means exhaustive, but attempt to provide a framework for activities which fall into the category of unacceptable use.

4.3.1 System and Network Activities

The following activities are strictly prohibited, with no exceptions:

  1. Violations of the rights of any person or company protected by copyright, trade secret, patent or other intellectual property, or similar laws or regulations, including, but not limited to, the installation or distribution of "pirated" or other software products that are not appropriately licensed for use by the Seminary.
  2. Unauthorized copying of copyrighted material including, but not limited to, digitization and distribution of photographs from magazines, books or other copyrighted sources, copyrighted music, and the installation of any copyrighted software for which the Seminary or the end user does not have an active license is strictly prohibited.
  3. Accessing data, a server or an account for any purpose other than conducting the Seminary business, even if you have authorized access, is prohibited.
  4. Exporting software, technical information, encryption software or technology, in violation of international or regional export control laws, is illegal. Appropriate management should be consulted prior to export of any material that is in question.
  5. Intentional or careless introduction of malicious programs into the network or server (e.g., viruses, worms, Trojan horses, e-mail bombs, etc.).
  6. Revealing your account password to others or allowing use of your account by others. This includes family and other household members when work is being done at home.
  7. Using a Seminary computing asset to actively engage in procuring or transmitting material that is in violation of sexual harassment or hostile workplace laws in the user's local jurisdiction.
  8. Making fraudulent offers of products, items, or services originating from any Seminary account.
  9. No one may use the Seminary’s computer network or equipment for personal financial gain.
  10. Effecting security breaches or disruptions of network communication. Security breaches include, but are not limited to, accessing data of which a student or employee is not an intended recipient or logging into a server or account that a student or employee is not expressly authorized to access, unless these duties are within the scope of regular duties. For purposes of this section, "disruption" includes, but is not limited to, network sniffing, ping floods, packet spoofing, denial of service, and forged routing information for malicious purposes.
  11. Port scanning or security scanning is expressly prohibited unless prior notification to ITS is made.
  12. Executing any form of network monitoring which will intercept data not intended for the student or employee unless this activity is a part of a user's normal job/duty.
  13. Circumventing user authentication or security of any host, network or account.
  14. Introducing honeypots, honeynets, or similar technology on the Seminary network.
  15. Interfering with or denying service to any user other than the employee's host (for example, denial of service attack).
  16. Using any program/script/command, or sending messages of any kind, with the intent to interfere with, or disable, a user's terminal session, via any means, locally or via the Internet/Intranet/Extranet.
  17. Providing information about, or lists of, Seminary students or employees to parties outside the Seminary.

4.3.2 Email and Communication Activities

When using Seminary resources to access and use the Internet, users must realize they represent the Seminary. Whenever a student or employee states an affiliation to the Seminary, they must also clearly indicate that "The opinions expressed are my own and not necessarily those of the Seminary." Questions may be addressed to the ITS Department.

  1. Sending unsolicited email messages, including the sending of "junk mail" or other advertising material to individuals who did not specifically request such material.
  2. Any form of harassment via email, telephone or text messages, or any other electronic means, whether through language, frequency, or size of messages.
  3. Unauthorized use, or forging, of email header information.
  4. Solicitation of email for any other email address, other than that of the poster's account, with the intent to harass or to collect replies.
  5. Creating or forwarding "chain letters", "Ponzi" or other "pyramid" schemes of any type.
  6. Use of unsolicited email originating from within the Seminary's networks or those of other Internet/Intranet/Extranet service providers on behalf of, or to advertise, any service hosted by the Seminary or connected via the Seminary's network.
  7. Posting the same or similar non-business-related messages to large numbers of blogs, online forums, or social media sites.

4.3.3 Blogging and Social Media

  1. Blogging by students or employees, whether using the Seminary’s property and systems or personal computer systems, is also subject to the terms and restrictions set forth in this Policy. Limited and occasional use of the Seminary’s systems to engage in blogging is acceptable, provided that it is done in a professional and responsible manner, does not otherwise violate the Seminary’s policy, is not detrimental to the Seminary’s best interests, and does not interfere with an employee's regular work duties. Blogging from the Seminary’s systems is also subject to monitoring.
  2. The Seminary’s Restricted Information Policy also applies to blogging. As such, students and employees are prohibited from revealing any Seminary confidential or proprietary information or any other material covered by the Seminary’s Confidential Information policy when engaged in blogging.
  3. Students and employees shall not engage in any blogging that may harm or tarnish the image, reputation and/or goodwill of the Seminary and/or any of its students or employees. Users are also prohibited from making any discriminatory, disparaging, defamatory or harassing comments when blogging or otherwise engaging in any conduct prohibited by the Seminary’s Non-Discrimination and Anti-Harassment policies. See http://titlevi.ptsem.edu/ and http://titleix.ptsem.edu/.
  4. Students and employees may also not attribute personal statements, opinions or beliefs to the Seminary when engaged in blogging. If a user is expressing his or her beliefs and/or opinions in blogs, the user may not, expressly or implicitly, represent themselves as a representative of the Seminary. Users assume any and all risk associated with blogging.
  5. Apart from following all laws pertaining to the handling and disclosure of copyrighted or export-controlled materials, the Seminary's trademarks, logos and any other Seminary intellectual property may also not be used in connection with any blogging activity.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary's Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager and/or appropriate academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Data Classification Policy
  • Data Protection Standard
  • Social Media Policy
  • Minimum Access Policy
  • Password Policy

7. Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

  • Blogging
  • Honeypot
  • Honeynet
  • Proprietary Information
  • Spam

Clean Desk Policy

1. Overview

A clean desk policy can be an important tool to ensure that all sensitive/confidential materials are removed from an end user workspace and locked away when the items are not in use or a user leaves his/her workstation. It is one of the top strategies to utilize when trying to reduce the risk of security breaches in the workplace. Such a policy can also increase employees' awareness about protecting sensitive information.

2. Purpose

The purpose of this policy is to establish the minimum requirements for maintaining a "clean desk" where sensitive/critical information regarding the Seminary, its students, employees, intellectual property and vendors is secure in locked areas and out of sight. A Clean Desk policy is part of standard basic privacy controls.

3. Scope

This policy applies to all Seminary students, employees, affiliates and anyone else accessing, operating and/or utilizing the Seminary's accounts, network or data, either on the Seminary campus or remotely.

4. Policy

4.1   Users are required to ensure that all sensitive/confidential information in hard copy or electronic form is secure in their work area at the end of the day and when they are expected to be gone for an extended period.

4.2   Computer workstations must be locked when workspace is unoccupied.

4.3   Any Restricted or Sensitive information must be removed from the desk and locked in a drawer when the desk is unoccupied and at the end of the work day.

4.4   File cabinets containing Restricted or Sensitive information must be kept closed and locked when not in use or when not attended.

4.5   Keys used for access to Restricted or Sensitive information must not be left at an unattended desk.

4.6   Portable computing devices such as laptops and tablets must be either locked with a locking cable or locked away in a drawer or within a secure office.

4.7   Passwords may not be left on sticky notes posted on or under a computer, nor may they be left written down in an accessible location.

4.8   Printouts containing Restricted or Sensitive information should be immediately removed from the printer.

4.9   Upon disposal, Restricted and/or Sensitive documents should be shredded in the official shredder bins or placed in the locked confidential disposal bins. There are several locations on campus with locked garbage cans for placing papers to be shredded.

4.10 Whiteboards containing Restricted and/or Sensitive information should be erased.

4.11 Treat mass storage devices such as CD-ROMs, DVDs or USB drives as sensitive and secure them in a locked drawer.

All printers and fax machines should be cleared of papers as soon as they are printed; this helps ensure that sensitive documents are not left in printer trays for the wrong person to pick up.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary's Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager and/or appropriate academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

None.

7. Definitions and Terms

None.

Email Policy

1. Overview

Electronic mail is pervasively used and is often the primary communication and awareness method within an organization. At the same time, misuse of email can pose many legal, privacy and security risks. Thus it is important for users to understand the appropriate use of electronic communications.

2. Purpose

The purpose of this email policy is to ensure the proper use of the Seminary’s email system and make users aware of what the Seminary deems as acceptable and unacceptable use of its email system. This policy outlines the minimum requirements for use of email within the Seminary Network.

3. Scope

This policy covers appropriate use of any email sent from a Seminary email address and applies to all students, employees, vendors, and agents operating on behalf of the Seminary.

4. Policy

4.1 Employee

4.1.1  All use of email must be consistent with Seminary policies and procedures of ethical conduct, safety, compliance with applicable laws and proper business practices.

4.1.2  A Seminary email account should be used primarily for Seminary business-related purposes; personal communication is permitted on a limited basis depending upon individual department rules, but non-Seminary-related commercial uses are prohibited.

4.1.3  Employee email should be retained only if it qualifies as a Seminary business record. Email is a Seminary business record if there exists a legitimate and ongoing business reason to preserve the information contained in the email.

4.1.4  Email that is identified as a Seminary business record shall be retained according to the Seminary Record Retention Schedule.

4.1.5  The Seminary email system shall not be used for the creation or distribution of any disruptive or offensive messages, including offensive comments about race, gender, hair color, disabilities, age, sexual orientation, pornography, religious beliefs and practice, political beliefs, or national origin. Users who receive any email with this content from any other Seminary user should report the matter immediately.

4.1.6  Users are prohibited from automatically forwarding Seminary email to a third party email system (noted in 4.1.8 below). Individual messages which are forwarded by the user must not contain Seminary confidential information.

4.1.7  Employees are prohibited from using third-party email systems and storage servers such as Google, Yahoo, and MSN Hotmail etc. to conduct Seminary business, to create or memorialize any binding transactions, or to store or retain email on behalf of the Seminary. Such communications and transactions should be conducted through proper channels using the Seminary-approved documentation.

4.1.8  Employees may use a reasonable amount of Seminary resources for personal emails, but non-work-related email shall be saved in a separate folder from work-related email. Sending chain letters or joke emails from a Seminary email account is prohibited.

4.1.9 Seminary users shall have no expectation of privacy in anything they store, send or receive on the Seminary email system.

4.1.10 The Seminary may monitor messages without prior notice. The Seminary is not obliged to monitor email messages.

4.2 Student

4.2.1 The Seminary maintains an email system for the conduct of business within and outside the Seminary. The Seminary emails students at their “ptsem” address as an official and sometimes the sole method of communication on a variety of issues. As such, students are expected to check their “ptsem” email on a regular basis. Failure to do so is at the student’s own risk and in such circumstances a student may not use as a defense the fact that he or she has not read the email at issue. The email system hardware is the property of the Seminary. Additionally, all messages composed, sent, or received on the email system are and remain the property of the Seminary. Said messages are not the private property of any student. The email system is not to be used to create any offensive or disruptive messages. Among those that are considered offensive are any messages that contain sexual implications, racial slurs, gender-specific comments, or any other comment that offensively addresses someone’s age, sexual orientation, religious or political beliefs, national origin, or disability.

4.2.2 The Seminary reserves the absolute right to review, audit, intercept, access, and disclose all messages created, received, or sent over the email system for any purpose, with or without notice. The contents of email obtained by the Seminary may be disclosed within the Seminary without the permission of the student. Policies of this nature are common among institutions that provide email service to their constituents, and seek to make the institution’s expectations for use of the system explicit. The Seminary intends to use its rights under this policy only in limited circumstances and only when it determines, in its sole discretion, that it has good cause to do so.

4.2.3 The confidentiality of any email message should not be assumed, and the use of passwords for security does not guarantee confidentiality. Even when a message is erased, it is still possible to retrieve and read that message. Notwithstanding the Seminary’s right to retrieve and read any email message, such messages should be treated as confidential by all students and may be accessed only by the intended recipient. Students are not authorized to retrieve or read any email message that is not sent to them.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary's Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and appropriate business unit manager and/or appropriate academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Data Protection Standard

7. Definitions and Terms

None.

Password Protection Policy

1. Overview

Passwords are an important aspect of computer security. A poorly chosen password may result in unauthorized access and/or exploitation of the Seminary's resources. All users, including contractors and vendors with access to the Seminary systems, are responsible for taking the appropriate steps, as outlined below, to select and secure their passwords.

2. Purpose

The purpose of this policy is to establish a standard for the creation of strong passwords, the protection of those passwords, and the frequency of change.

3. Scope

The scope of this policy includes all users who have or are responsible for an account (or any form of access that supports or requires a password) on any system that resides at any Seminary facility, has access to the Seminary network, servers, or systems, or stores any non-public Seminary information. This includes all privately owned personal computers, laptops, cell phones, tablets, USB thumb drives, and any other electronic device.

4. Policy

4.1 Password Creation

4.1.1 All user-level passwords must conform to the Password Construction Policy.

4.1.2 Users must not use the same password for Seminary accounts as for other non-Seminary access (for example, personal ISP account, option trading, benefits, and so on).

4.1.3 User accounts that have system-level privileges granted through group memberships or programs such as sudo must have a unique password from all other accounts held by that user to access system-level privileges.

4.1.4 Where Simple Network Management Protocol (SNMP) is used, the community strings must be defined as something other than the standard defaults of public, private, and system and must be different from the passwords used to log in interactively. SNMP community strings must meet password construction guidelines.

4.2 Password Change

4.2.1 All user-level passwords (for example, email, web, desktop computer, and so on) must be changed at least every six months. A password cannot be the same as that used within the last three password changes.

4.2.2 Password cracking or guessing may be performed on a periodic or random basis by ITS or its delegates. If a password is guessed or cracked during one of these scans, the user will be required to change it to be in compliance with the Password Construction Guidelines.

4.3 Password Protection

4.3.1 Passwords must not be shared with anyone. All passwords are to be treated as sensitive, confidential Seminary information.

4.3.2 Passwords must not be inserted into email messages or other forms of electronic communication.

4.3.3 Do not reveal a password on questionnaires or security forms.

4.3.4 Do not hint at the format of a password (for example, "my family name").

4.3.5 Do not share Seminary passwords with anyone, including other students, employees, administrative assistants, secretaries, managers, co-workers while on vacation, and family members.

4.3.6 Do not write passwords down and store them nearby. Do not store passwords in a file on a computer system or mobile device (phone, tablet) without encryption.

4.3.7 Do not use the "Remember Password" feature of applications (for example, web browsers).

4.3.8 Any user suspecting that his/her password may have been compromised must report the incident and change all passwords.

4.4  Application Development

Application developers must ensure that their programs contain the following security precautions:

4.4.1 Applications must support authentication of individual users, not groups.

4.4.2 Applications must not store user passwords in clear text or in any easily reversible form.

4.4.3 Applications must not transmit passwords in clear text over the network.

4.4.4 Applications must provide for some sort of role management, such that one user can take over the functions of another without having to know the other's password.

5. Policy Compliance

5.1  Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2  Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3  Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Password Construction Guidelines

7. Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

  • Simple Network Management Protocol (SNMP)

Password Construction Policy

1. Overview

Passwords are a critical component of information security. Passwords serve to protect user accounts. However, a poorly constructed password may result in the compromise of individual systems, data, or the Cisco network. This guideline provides best practices for creating secure passwords.

2. Purpose

The purpose of this guideline is to provide best practices for the creation of strong passwords.

3. Scope

This guideline applies to students, employees, contractors, consultants, temporary and other workers at the Seminary, including all personnel affiliated with third parties. This guideline applies to all passwords including but not limited to user-level accounts, system-level accounts, web accounts, e-mail accounts, screen saver protection, voicemail, and local router logins.

4. Statement of Guidelines

All passwords should meet or exceed the following guidelines.

Strong passwords have the following characteristics:

  • Contain at least ten alphanumeric characters
  • Contain both upper and lower case letters
  • Contain at least one number (for example, 0-9)
  • Contain at least one special character (for example, !$%^&*()_+|~-=\`{}[]:";'<>?,/)

Poor, or weak, passwords have the following characteristics:

  • Contain fewer than ten characters.
  • Can be found in a dictionary, including a foreign-language dictionary, or exist in slang, dialect, or jargon.
  • Contain personal information such as birthdates, addresses, phone numbers, or names of family members, pets, friends, or fantasy characters.
  • Contain work-related information such as building names, system commands, sites, companies, hardware, or software.
  • Contain number or keyboard patterns such as aaabbb, qwerty, zyxwvuts, or 123321.
  • Contain common words spelled backward, or preceded or followed by a number (for example, terces, secret1 or 1secret).
  • Are some version of “Welcome123”, “Password123” or “Changeme123”.

You should never write down a password. Instead, try to create passwords that you can remember easily. One way to do this is to create a password based on a song title, affirmation, or other phrase. For example, the phrase "This May Be One Way To Remember" could become the password TmB1w2R! or another variation.

(NOTE: Do not use either of these examples as passwords!)
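A checker that applies the strong and weak password characteristics above, and the SNMP community-string rule of Password Protection Policy 4.1.4, to candidate strings. This is an added example, not the Seminary's or ITS's own tooling; the wordlists, the candidate passwords and the function names are constructed for illustration.

```python
"""Checks for the Password Construction Policy (section 4) and the SNMP
community-string rule (Password Protection Policy 4.1.4).

Added example; not the Seminary's own tooling. The wordlists below are
constructed stand-ins for the dictionary, personal and work-related terms the
policy describes; a real deployment would load them from files.
"""
import re

MIN_LENGTH = 10
# The special characters listed in the policy's "strong password" bullet.
SPECIAL_CHARS = set("!$%^&*()_+|~-=\\`{}[]:\";'<>?,/")
# Defaults that policy 4.1.4 forbids as SNMP community strings.
SNMP_DEFAULT_COMMUNITIES = {"public", "private", "system"}
# Constructed wordlists (stand-ins for real dictionary / HR / asset data).
DICTIONARY_WORDS = {"secret", "welcome", "password", "changeme", "letmein"}
PERSONAL_TERMS = {"fido", "1985", "springst"}          # pets, birth years, addresses
WORK_TERMS = {"seminary", "library", "veeam", "sudo"}   # buildings, software, commands
KEYBOARD_PATTERNS = ("qwerty", "asdfgh", "zxcvbn")


def has_sequence(s: str, length: int = 3) -> bool:
    """True if s contains `length` consecutive characters that ascend or descend
    by one code point, e.g. 'abc', '321', 'zyx' (covers 123321 and zyxwvuts)."""
    codes = [ord(c) for c in s.lower()]
    for i in range(len(codes) - length + 1):
        window = codes[i:i + length]
        diffs = {b - a for a, b in zip(window, window[1:])}
        if diffs == {1} or diffs == {-1}:
            return True
    return False


def has_repeated_run(s: str, length: int = 3) -> bool:
    """True if any character repeats `length` or more times in a row (aaabbb)."""
    return re.search(r"(.)\1{%d,}" % (length - 1), s) is not None


def contains_listed_word(s: str, words) -> bool:
    """Case-insensitive substring match against a wordlist and the reversed
    forms of its entries (catches terces, secret1, 1secret, Welcome123)."""
    low = s.lower()
    return any(w in low or w[::-1] in low for w in words)


def check_password(password: str) -> list[str]:
    """Return the policy rules the password fails; an empty list means compliant."""
    findings = []
    # "Strong password" characteristics. The policy counts ten alphanumeric
    # characters; this check uses total length, matching the weak-password
    # bullet "contain fewer than ten characters".
    if len(password) < MIN_LENGTH:
        findings.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password) or not any(c.islower() for c in password):
        findings.append("does not mix upper and lower case letters")
    if not any(c.isdigit() for c in password):
        findings.append("contains no digit")
    if not any(c in SPECIAL_CHARS for c in password):
        findings.append("contains no special character from the policy list")
    # "Weak password" characteristics.
    if contains_listed_word(password, DICTIONARY_WORDS):
        findings.append("contains a dictionary word (possibly reversed or with a number)")
    if contains_listed_word(password, PERSONAL_TERMS):
        findings.append("contains personal information")
    if contains_listed_word(password, WORK_TERMS):
        findings.append("contains work-related information")
    low = password.lower()
    if has_sequence(password) or has_repeated_run(low) or any(k in low for k in KEYBOARD_PATTERNS):
        findings.append("contains a number or keyboard pattern (aaabbb, qwerty, 123321)")
    return findings


def check_snmp_community(community: str, interactive_passwords) -> list[str]:
    """Apply rule 4.1.4: not a vendor default, not equal to any interactive
    login password, and built to the same construction guidelines."""
    findings = []
    if community.lower() in SNMP_DEFAULT_COMMUNITIES:
        findings.append("is a default SNMP community string")
    if community in interactive_passwords:
        findings.append("matches an interactive login password")
    findings.extend(check_password(community))
    return findings


if __name__ == "__main__":
    # Constructed candidates: two weak ones and one that passes every rule.
    for candidate in ("Welcome123", "terces", "Gr4ss-Tw1ne!Lamp"):
        print(candidate, "->", check_password(candidate) or "compliant")
    print("public ->", check_snmp_community("public", ["Gr4ss-Tw1ne!Lamp"]))
```

The wordlists decide how much the dictionary and personal-information rules actually catch; the checker is only as good as the lists it is fed.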

5. Policy Compliance

5.1  Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2  Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3  Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Password Protection Policy

7. Definitions and Terms

None.

Server Security Policy

1. Overview

Unsecured and vulnerable servers continue to be a major entry point for malicious threat actors. Consistent server installation policies, clear ownership and configuration management are all about doing the basics well.

2. Purpose

The purpose of this policy is to establish standards for the base configuration of internal server equipment that is owned and/or operated by the Seminary. Effective implementation of this policy will minimize unauthorized access to Seminary proprietary information and technology.

3. Scope

All employees, contractors, consultants, temporary and other workers at the Seminary and its subsidiaries who are responsible for Seminary electronic data must adhere to this policy. This policy applies to server equipment that is owned, operated, or leased by the Seminary or registered under a Seminary-owned internal network domain.

This policy specifies requirements for equipment on the internal Seminary network or equipment maintained by the Seminary.

4. Policy

4.1 General Requirements

4.1.1 All internal servers deployed at the Seminary must be owned by an operational group that is responsible for system administration. Approved server configuration guides must be established and maintained by each operational group based on business needs and approved by ITS. Operational groups should monitor configuration compliance and implement an exception policy tailored to their environment. Each operational group must establish a process for changing configuration guides which includes review and approval by ITS. The following items must be met:

  • Servers must be registered within the Seminary management system. At a minimum, the following information is required to positively identify the point of contact:
    • Server contact(s) and location and a backup contact
    • Hardware and Operating System/Version
    • Main functions and applications, if applicable
  • Information in the Seminary management system must be kept up-to-date.
  • Configuration changes for production servers must follow appropriate change management procedures.

4.1.2 For security, compliance, and maintenance purposes, authorized personnel may monitor and audit equipment, systems, processes, and network traffic per the Audit Policy.

4.2  Configuration Requirements

4.2.1 Operating System configuration should be in accordance with approved ITS guidelines.

4.2.2 Services and applications that will not be used must be disabled where practical.

4.2.3 Access to services should be logged and/or protected through access-control methods such as a web application firewall, if possible.

4.2.4 The most recent security patches must be installed on the system as soon as practical, the only exception being when immediate application would interfere with business requirements.

4.2.5 Trust relationships between systems are a security risk, and their use should be avoided. Do not use a trust relationship when some other method of communication is sufficient.

4.2.6 Always apply the principle of least privilege: use only the access required to perform a function. Do not use root/Admin when a non-privileged account will do.

4.2.7 If a methodology for secure channel connection is available (i.e., technically feasible), privileged access must be performed over secure channels, (e.g., encrypted network connections using SSH or IPSec).

4.2.8 Servers should be physically located in an access-controlled environment.

4.2.9 Servers are specifically prohibited from operating from uncontrolled areas (cubicles, public spaces, etc.).

4.3 Monitoring

4.3.1 All security-related events on critical or sensitive systems must be logged and audit trails saved as follows:

  • All security related logs will be kept online for a minimum of 1 week.
  • Daily incremental tape backups will be retained for at least 1 month.
  • Weekly full tape backups of logs will be retained for at least 1 month.
  • Monthly full backups will be retained for a minimum of 2 years.

4.3.2 Security-related events will be reported to ITS who will review logs and report incidents to ITS management. Corrective measures will be prescribed as needed. Security-related events include, but are not limited to:

  • Port-scan attacks
  • Evidence of unauthorized access to privileged accounts
  • Anomalous occurrences that are not related to specific applications on the host.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Audit Policy
  • DMZ Equipment Policy

7. Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

  • De-militarized zone (DMZ)

Backup Policy

1. Overview

This policy outlines the minimum requirements for data backup and retrieval operations within the Seminary Network.

2. Purpose

The purpose of this policy is as follows:

  • To safeguard information assets of the Seminary
  • To prevent the loss of data in the case of corruption of data, system failure, or disaster
  • To recover data that has been inadvertently deleted or overwritten
  • To permit timely restoration of information and business processes, should such an event occur
  • To manage and secure backup and restoration processes and the media employed in the process

System backups are not meant for the following purposes:

  • Archiving data for future reference.
  • Maintaining a versioned history of data.
  • Programs (i.e., applications) of any type (personal or officially supported).
  • Personal data of any kind.

3. Scope

This policy applies to all Seminary employees, both from ITS and other departments, and vendors and agents operating on behalf of the Seminary who are responsible for Seminary electronic data.

This policy applies equally to virtual machines and physical machines.

This policy only refers to work-related data; end users should not utilize Seminary resources to back up or store personal data.

Workstations available for academic computing do not fall within the confines of this policy.

Backup retention periods are not necessarily the same as retention periods defined by legal or business requirements.

4. Policy

ITS is responsible for backing up Seminary network servers. Workstation data (including data residing on PCs, laptops, phones, tablets, etc.) are not backed up by ITS. It is the responsibility of individual employees to back up all Seminary related data and to know where that data is located.

4.1 Server Backup Policy

Backups of all Seminary records and software must be retained such that computer operating systems and applications are fully recoverable. This may be achieved using a combination of image copies, incremental backups, differential backups, transaction logs, or other techniques.

The frequency of backups is determined by the volatility of data; the retention period for backup copies is determined by the criticality of the data. At a minimum, backup copies must be retained for 30 days.

At least three versions of Seminary records must be maintained.

At a minimum, one fully recoverable version of all Seminary records must be stored in a secure, off-site location. An off-site location may be in a secure space in a separate Seminary building.

Derived data should be backed up only if restoration is more efficient than creation in the event of failure.

All Seminary information accessed from workstations, laptops, or other portable devices should be stored on networked file server drives to allow for backup. Seminary information located directly on workstations, laptops, or other portable devices should be backed up to networked file server drives. Convenience records, non-records, and other information that does not constitute a Seminary Record do not carry this requirement.

Required backup documentation includes identification of all critical data, programs, documentation, and support items that would be necessary to perform essential tasks during a recovery period. Documentation of the restoration process must include procedures for the recovery from single-system or application failures, as well as for a total data center disaster scenario.

Backup and recovery documentation must be reviewed and updated regularly to account for new technology, business changes, and migration of applications to alternative platforms.

Recovery procedures must be tested on an annual basis.

Because it is impractical for ITS to back up every bit of data stored on everything in the Seminary, the only data that ITS accepts responsibility for is the data which is explicitly listed in the “Data Source Manifest”. Is there one? Or should there be one?

Data to be backed up will be listed by location and specified data sources. This will be stipulated in a separate document called “Data Sources Manifest”. Is there one? Or should there be one?

Daily backups will be stored on-site in a physically secured fire-proof safe located in a building separate from server locations.

During transport or changes of media, media will not be left unattended.

4.2 Employee/End User Backup Policy

It is the responsibility of the end-user to ensure that they back up all important files.

Information Technology Services (ITS) provides all students, faculty, and staff with the ability to back up their data to Filr (see Filr and http://filr.ptsem.edu/) or directly to the H drive. Faculty and staff that are assigned Seminary-owned laptop and desktop computers are encouraged to utilize Filr for their data storage and backups. Filr at Princeton Theological Seminary enables end users to store data locally while another copy is automatically backed up to Filr (on Seminary Servers, which is, in turn, backed up).

Backup resources should only be utilized to back up University-related data and not personal data. End-users must avoid creation of prohibited data that includes potentially sensitive information, and must carefully protect institutional data.

Computer systems that create or update critical data on a daily basis need to be backed up on a daily basis.

4.2 Server Backup Procedures

The Seminary is almost completely virtualized with only a handful of physical servers.

ITS Virtual Machines are backed up using Veeam which writes the backups to disk. Full backups are performed weekly on Friday nights. The rest of the week consists of incremental backups (only changed blocks).

Physical servers on campus use Symantec System Restore to take a backup of the server nightly and write the backup files to disk.

The files written by Veeam and Symantec System Restore to disk are then backed up to tape daily via Backup Exec. Backup Exec has a weekly tape rotation in place with five weeks of tapes. The oldest backup we can guarantee is a month old.

On a daily basis, logged information generated from each backup job will be reviewed for the following purposes:

  • To check for and correct errors.
  • To monitor the duration of the backup job.
  • To optimize backup performance where possible.
  • ITS will identify problems and take corrective action to reduce any risks associated with failed backups.
  • Random test restores will be done once a week in order to verify that backups have been successful.
  • ITS will maintain records demonstrating the review of logs and test restores so as to demonstrate compliance with this policy for auditing purposes.

4.3 Media Disposal

Prior to retirement and disposal, ITS will ensure that:

  • The media no longer contains active backup images
  • The media’s current or former contents cannot be read or recovered by an unauthorized party.
  • With all backup media, ITS will ensure the physical destruction of media prior to disposal.

4.4 Restoration

  • In the event of a catastrophic system failure, off-site backed up data will be made available to users within 3 working days if the destroyed equipment has been replaced by that time.
  • In the event of a non-catastrophic system failure or user error, on-site backed up data will be made available to users within 1 working day.
  • In the event of accidental deletion or corruption of information, requests for restoration of information will be made to ITS. Include information about the file creation date, the name of the file, the last time it was changed, and the date and time it was deleted or destroyed.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Data Protection Standard

7. Definitions and Terms

See Definitions and Terms.

Desktop/Portable Backup Policy

1. Overview

Electronic data is one of the Seminary's most important assets. In order to protect this asset from loss or destruction, it is imperative that it be safely and securely captured, copied, and stored.

Data on desktops and laptops, phones and tablets, is often more vulnerable to data loss than data sitting on servers simply because backups are often not carried out correctly, completely, or periodically, and because, unlike servers, laptops and other portable devices are more prone to loss and theft.

The goal of this document is to outline a policy that governs how and when data residing on Seminary or personally-owned desktop computers, laptops, phones, tablets, or any other device that may store Seminary electronic data will be backed up and stored for the purpose of providing restoration capability.

2. Purpose

The purpose of this policy is as follows:

  • To safeguard information assets of the Seminary.
  • To prevent the loss of data in the case of an accidental deletion or corruption of data, system failure, or disaster.
  • To permit timely restoration of information and business processes, should such an event occur.
  • To manage and secure backup and restoration processes and the media employed in the process.

Desktop computer backups are not meant for the following purposes:

  • Archiving data for future reference.
  • Maintaining a versioned history of data.

3. Scope

All employees, contractors, consultants, temporary and other workers at the Seminary and its subsidiaries who are responsible for Seminary electronic data must adhere to this policy.

This policy refers to the backing up of data that resides on Seminary or personally-owned individual desktop computers, laptops, phones, tablets, or any other device that may store Seminary electronic data (collectively to be referred to as “workstations”).

Responsibility for backing up data on local workstations rests solely with the individual user. It is imperative that end‐users save their data to the appropriate media and/or network space outlined in this policy so that their data is backed up regularly in accordance with this policy. Explicitly, this means all Seminary work should be saved to the user's network share (aka the H drive).

4. Policy

4.1 Data Storage

It is the Seminary’s policy that ALL seminary data will be backed up according to schedule. This includes any Seminary documentation (i.e. reports, RFPs, contracts, etc.), e‐mails, student and employee records, applications/projects under development, Web site collateral, graphic designs, and so on, that reside on end‐user workstations.

  • Office Users: In‐house employees should save Seminary data, especially work‐in‐progress, to a specific drive on the company network, with the consent of ITS. This ensures that the data will be backed up when the servers are backed up. However, if data is saved on a workstation’s local drive, then it must be backed up every week onto some type of removable storage device such as an external hard drive or USB thumb drive.
  • Remote/Mobile Users: Remote and mobile users will also back up data to a specific drive, with the consent of ITS, provided they have access to the drive via a Virtual Private Network (VPN) connection. Where a VPN is not in use, the remote/mobile user will download his/her device’s data to their in‐house computer at least once every week, and then follow the same procedure as “Office Users” shown above. If this is not feasible, due to distance from his/her office, then the remote/mobile user will employ a removable storage device such as an external hard drive or USB thumb drive.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Data Protection Standard

7. Definitions and Terms

None.

Wireless Communication Policy

1. Overview

With the mass explosion of smartphones and tablets, pervasive wireless connectivity is almost a given at any organization. Insecure wireless configuration can provide an easy open door for malicious threat actors.

2. Purpose

The purpose of this policy is to secure and protect information assets owned by the Seminary. The Seminary provides computer devices, networks, and other electronic information systems to meet missions, goals, and initiatives. The Seminary grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity, and availability of all information assets.

This policy specifies the conditions that wireless infrastructure devices must satisfy to connect to the Seminary network. Only those wireless infrastructure devices that meet the standards specified in this policy or are granted an exception by ITS are approved for connectivity to a Seminary network.

3. Scope

All students, employees, contractors, consultants, temporary and other workers at the Seminary, including all personnel affiliated with third parties that maintain a wireless infrastructure device on behalf of the Seminary must adhere to this policy. This policy applies to all wireless infrastructure devices that connect to a Seminary network or reside on a Seminary site that provide wireless connectivity to endpoint devices including, but not limited to, laptops, desktops, cellular phones, and tablets. This includes any form of wireless communication device capable of transmitting packet data.

4. Policy

4.1 General Requirements

All wireless infrastructure devices that reside at a Seminary site and connect to a Seminary network, or provide access to information classified as Seminary Confidential, or above, must:

  • Be installed, supported, and maintained by an approved support team, except for students, who are permitted their own wireless routers in their own dorm rooms and apartments.
  • Use Seminary approved authentication protocols (a minimum of WPA2-PSK) and infrastructure.
  • Use Seminary approved encryption protocols.
  • Maintain a hardware address (MAC address) that can be registered and tracked.
  • Not be tampered with, and student deployed devices must not interfere with the Seminary provided wireless equipment.

4.3 Home Wireless Device Requirements

4.3.1 Wireless infrastructure devices that provide direct access to the Seminary network must conform to the Wireless Device Requirements as detailed in the General Requirements.

4.3.2 Wireless infrastructure devices that fail to conform to the Home Wireless Device Requirements must be installed in a manner that prohibits direct access to the Seminary network. Access to the Seminary network through such a device must use standard remote access authentication. Open wireless networks should not be deployed. A minimum of WPA2-PSK authentication should be required to connect.

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

  • Lab Security Policy
  • Wireless Communication Standard

7. Definitions and Terms

The following definition and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

Remote Access Policy

1. Overview

Remote access originates from networks that may already be compromised or are at a significantly lower security posture than our Seminary’s network. While these remote networks are beyond the control of our Seminary’s policy, we must mitigate these external risks to the best of our ability.

2. Purpose

The purpose of this policy is to define rules and requirements for connecting to the Seminary's network from any host. These rules and requirements are designed to minimize the potential exposure to the Seminary from damages which may result from unauthorized use of Seminary resources. Damages include the loss of sensitive or confidential data, intellectual property, damage to public image, damage to critical Seminary internal systems, and fines or other financial liabilities incurred as a result of those losses.

3. Scope

This policy applies to all members of the Seminary community including but not limited to students, employees, contractors, vendors and agents with a Seminary-owned or personally-owned computer or workstation, or phone or tablet, used to connect to the Seminary network. This policy applies to remote access connections used to do work on behalf of or in association with the Seminary, including reading or sending email and viewing intranet web resources.  This policy covers any and all technical implementations of remote access used to connect to the Seminary networks.

4. Policy

It is the responsibility of Seminary students, employees, contractors, vendors and agents with remote access privileges to the Seminary's network to ensure that their remote access connection is given the same consideration as the user's on-site connection to the Seminary.

When accessing the Seminary network from a personal computer, Authorized Users are responsible for preventing access to any Seminary computer resources or data by non-Authorized Users. Performance of illegal activities through the Seminary network by any user (Authorized or otherwise) is prohibited. The Authorized User bears responsibility for, and the consequences of, misuse of the Authorized User’s access. For further information and definitions, see the Acceptable Use Policy.

For additional information regarding the Seminary's remote access connection options, including how to obtain a remote access login, anti-virus software, troubleshooting, etc., contact the Seminary’s Information Technology Services.

4.1 Requirements

4.1.1 Secure remote access must be strictly controlled with encryption (for example, a Virtual Private Network (VPN)) and a strong password. See the Password Construction Policy.

4.1.2 Authorized Users shall protect their login and password, even from family members.

4.1.3 While using a Seminary-owned computer to remotely connect to the Seminary's network, Authorized Users shall ensure the remote host is not connected to any other network at the same time, with the exception of personal networks that are under their complete control or under the complete control of an Authorized User or Third Party ???.

4.1.4 Use of external resources to conduct Seminary business must be approved in advance by Information Technology Services and the appropriate business unit manager.

4.1.5 All hosts that are connected to the Seminary internal networks via remote access technologies must use updated industry-supported operating systems and up-to-date anti-virus software; this includes personal computers. 

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by the Seminary’s Information Technology Services team in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

Review the following policies for details of protecting information when accessing the Seminary’s network via remote access methods, and acceptable use of the Seminary’s network:

  • Acceptable Encryption Policy
  • Acceptable Use Policy
  • Password Protection Policy
  • Password Construction Policy
  • Third Party Agreement
  • Hardware and Software Configuration Standards for Remote Access to the Seminary Networks

Remote Access Tools Policy

1. Overview

Remote desktop software, also known as remote access tools, provides a way for computer users and support staff alike to share screens, access Seminary computer systems from home, and vice versa. Examples of such software include TeamViewer, LogMeIn, GoToMyPC, VNC (Virtual Network Computing), and Windows Remote Desktop (RDP). While these tools can save significant time and money by eliminating travel and enabling collaboration, they also provide a back door into the Seminary network that can be used for theft of, unauthorized access to, or destruction of assets. As a result, only approved, monitored, and properly controlled remote access tools may be used on Seminary computer systems.

2. Purpose

This policy defines requirements for remote access tools used at the Seminary.

3. Scope

This policy applies to all remote access where either end of the communication terminates at a Seminary computer asset.

4. Policy

All remote access tools used to communicate between Seminary assets and other systems must comply with the following policy requirements.

4.1 Remote Access Tools

The Seminary provides mechanisms to collaborate between internal users, with external partners, and from non-Seminary systems. Because proper configuration is important for secure use of these tools, mandatory configuration procedures are provided for each of the approved tools. 

The approved software list may change at any time, but the following requirements will be used for selecting approved products:

  1. The authentication database source must be Active Directory or LDAP, and the authentication protocol must involve a challenge-response protocol that is not susceptible to replay attacks. The remote access tool must mutually authenticate both ends of the session.
  2. Remote access tools must support the Seminary application layer proxy rather than direct connections through the perimeter firewall(s).
  3. Remote access tools must support strong, end-to-end encryption of the remote access communication channels.
  4. All Seminary antivirus, data loss prevention, and other security systems must not be disabled, interfered with, or circumvented in any way.
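The two authentication requirements above (a challenge-response exchange that a recorded session cannot replay, and authentication of both ends rather than only the client) are easier to evaluate in a product when you can see what they look like in the small. The following is an added illustration, not code from the Seminary, ITS, or any of the listed tools: it uses a pre-shared HMAC key as a stand-in for the Active Directory or LDAP credential (the directory lookup is assumed away), and the class and user names are hypothetical. Each side issues a fresh random nonce, each proof is an HMAC over both nonces plus the role and user, and the server consumes a challenge the moment it is answered, so a captured response fails both against its original challenge and against any later one, and a server that does not hold the key cannot pass the client's check.

```python
import hmac
import hashlib
import secrets

# Constructed example: one pre-shared key per user standing in for the
# AD/LDAP-backed credential a real remote access tool would verify.
SHARED_KEYS = {"alice": secrets.token_bytes(32)}


def _mac(key, *parts):
    """HMAC-SHA256 over length-prefixed parts so fields cannot run together."""
    h = hmac.new(key, digestmod=hashlib.sha256)
    for p in parts:
        h.update(len(p).to_bytes(2, "big"))
        h.update(p)
    return h.digest()


class Server:
    def __init__(self, keys):
        self.keys = keys
        self.pending = {}  # server nonce -> (user, client nonce); removed on use

    def challenge(self, user, client_nonce):
        key = self.keys.get(user)
        if key is None:
            raise PermissionError("unknown user")
        server_nonce = secrets.token_bytes(16)
        self.pending[server_nonce] = (user, client_nonce)
        # Server proves it holds the key, bound to the client's fresh nonce.
        proof = _mac(key, b"server", user.encode(), client_nonce, server_nonce)
        return server_nonce, proof

    def finish(self, server_nonce, client_proof):
        entry = self.pending.pop(server_nonce, None)  # each challenge answers once
        if entry is None:
            return False
        user, client_nonce = entry
        expected = _mac(self.keys[user], b"client", user.encode(), client_nonce, server_nonce)
        return hmac.compare_digest(expected, client_proof)


class Client:
    def __init__(self, user, key):
        self.user, self.key = user, key

    def start(self):
        self.client_nonce = secrets.token_bytes(16)
        return self.user, self.client_nonce

    def answer(self, server_nonce, server_proof):
        expected = _mac(self.key, b"server", self.user.encode(), self.client_nonce, server_nonce)
        if not hmac.compare_digest(expected, server_proof):
            raise PermissionError("server failed to authenticate")  # mutual auth
        return _mac(self.key, b"client", self.user.encode(), self.client_nonce, server_nonce)


def handshake(client, server):
    """Three-message exchange; returns (accepted, captured final message)."""
    user, client_nonce = client.start()
    server_nonce, server_proof = server.challenge(user, client_nonce)
    client_proof = client.answer(server_nonce, server_proof)
    return server.finish(server_nonce, client_proof), (server_nonce, client_proof)


def demo():
    """Returns (genuine ok, replay vs same challenge, replay vs new challenge, rogue server passed)."""
    server = Server(SHARED_KEYS)
    alice = Client("alice", SHARED_KEYS["alice"])
    ok, captured = handshake(alice, server)

    # Attacker replays the captured final message: the challenge was consumed.
    replay_same = server.finish(*captured)

    # Attacker replays the captured proof against a fresh challenge: nonces differ.
    user, client_nonce = alice.start()
    new_server_nonce, _ = server.challenge(user, client_nonce)
    replay_new = server.finish(new_server_nonce, captured[1])

    # A server that does not hold the key cannot satisfy the client's check.
    rogue = Server({"alice": b"not-the-real-key-at-all-00000000"})
    try:
        handshake(alice, rogue)
        rogue_passed = True
    except PermissionError:
        rogue_passed = False
    return ok, replay_same, replay_new, rogue_passed


if __name__ == "__main__":
    print(demo())
```

When evaluating a candidate tool against requirement 1, the questions this example makes concrete are: does the server contribute its own fresh nonce on every session, does the server ever prove possession of a credential to the client (or only the reverse), and is a challenge invalidated once answered. A tool whose "challenge" is static, or whose client never verifies the server, does not meet the requirement even if it uses an AD/LDAP account store.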

5. Policy Compliance

5.1 Compliance Measurement

The Seminary’s Information Technology Services team will verify compliance with this policy through various methods, including but not limited to periodic walk-throughs, video monitoring, business tool reports, internal and external audits, and inspection, and will provide feedback to the policy owner and the appropriate business unit manager and/or appropriate academic authorities.

5.2 Exceptions

Any exception to the policy must be approved by ITS in advance.

5.3 Non-Compliance

Any student who violates this policy shall be subject to discipline, up to and including immediate dismissal from the Seminary. Any employee who violates this policy shall be subject to disciplinary action, up to and including termination of employment. Any vendor or contractor who violates this policy shall be subject to disciplinary action, up to and including termination of contract or employment.

6. Related Standards, Policies and Processes

None.

7. Definitions and Terms

The following definitions and terms can be found in the SANS Glossary located at:

https://www.sans.org/security-resources/glossary-of-terms/

  • Application layer proxy

© Princeton Theological Seminary P.O. Box 821, 64 Mercer Street, Princeton, NJ 08542-0803, 609.921.8300 An Institution of the Presbyterian Church (USA)