Adopted for use at the WCS User Committee
meeting on March 9, 2005.
Rationale: Certain policies are necessary to ensure the reliable operation of any shared resource such as a computer network. Today's hostile global internet climate harbors a never-ending supply of those who would willingly damage or hinder the operations of others for sport, fame or to promote a personal ideology. Every organization needs to take certain precautions to protect its infrastructure and clients from the risks of being connected to the internet. The following policies should be thought of as protections for you and your colleagues rather than restrictions on your actions.
Network Connections (to building wall jacks)
The Waisman Center's network is an extension of the University-owned campus network, which is a shared resource and must have certain safeguards to ensure reliable operation. Unlike the power or telephone networks, which are protected by numerous codes, regulations and standards, the improper configuration of a single computer can adversely affect the functionality of the network and have an immediate impact on other computers or services. There are numerous past cases where this has actually occurred. To minimize these risks and potential disruptions, the following requirements have been established for all devices physically attached to the Waisman Center's network (defined as everything on the internal side of our firewall):
- All equipment physically attached to the Waisman Center's network must be approved by WCS (Waisman Computing Services) staff prior to attaching to a building wall jack. For computers, approval will require that software be secured, that all current security updates be applied, and that the system successfully pass an automated security scan.
- All equipment attached to the Waisman network must be owned by the University. Personally owned equipment such as personal laptops is not permitted to be attached to the Waisman network. However, personally owned equipment such as laptops may be used with the building-wide wireless network or connected to a jack that is not on the Waisman network, such as the UWNet network.
- Computers that will be members of the Waisman Windows domain (recommended) or are located in HIPAA areas must have their hard drive imaged (cloned, duplicated or copied) from a master copy we supply to ensure they are running uncompromised, trusted software.
- All equipment attached to the Waisman network must be configured according to settings supplied by WCS staff. While network settings are typically provided automatically by DHCP, the provided settings must not be modified, cloned or tampered with, since doing so can disrupt proper network operation or impact other network devices.
- Devices or equipment that extend, aggregate or modify network capacity or function beyond what is provided, such as hubs, switches and wireless routers, are not permitted to be attached to the Waisman network.
Network and Computer Usage
Safeguards on the use of computing resources must be established to mitigate the risk of damage and/or disruption to Waisman Center services, research, business activities or funding as a result of litigation. Please remember that while the particular computer you are using might be thought of as "your computer", it is the property of the University and expected to cooperatively participate as a "good citizen" on the University's campus wide network.
- Legitimate Use. Waisman computing resources, facilities and services may be used only to conduct Waisman related business and research that is consistent with the mission of the Waisman Center.
- Copyrighted Material. You may not violate copyrights, licenses or other content restrictions, whether you believe they are valid or not, by storing protected material on Waisman provided storage services or equipment. This includes music, images, movies, documents, licensed software or any other protected material.
- Software installation. You may only install software that has been legally licensed and is necessary for your Waisman-related work or research. Installing software, especially if it is billed as free, increases the risk to both your computer and others on the network in that it may contain malicious programs such as key loggers, password grabbers, data miners, viruses or spyware that could impact the security or performance of the network. It has been estimated that up to 35% of computers on the internet are compromised by malicious programs and 80% have spyware infections. In the course of performing routine computer support or monitoring network performance, if suspicious software is found that could potentially have an impact on security or network resources, it will be removed and any suspected damage repaired. The cost of removal and repair will be billed to the administrative contact for the computer. Once such software is discovered, its eradication and repair is not optional, as it can impact everyone else on the network.
Example (from an actual occurrence in 1/2005): A staff member from your lab requests assistance in installing a statistical package on a computer. It is found that the installation fails due to infestation and damage caused by the spyware programs NetPumper and Cydoor, which were installed by a previous employee who left 2 months prior. It takes 4 hours to clean and remove the effects of these spyware programs before the statistical software can be successfully installed (which takes 15 minutes). Your grant is billed for 4 hours of labor for what should have been a free software installation.
The protection of Waisman network resources depends on each user's responsible handling of their account(s), since any account can serve as an entry point for theft, damage, or unauthorized use to the entire network. You must take reasonable steps to secure your username and password(s) to prevent others from using your computing identity. Sharing of usernames and passwords by more than one person is not permitted.
Administrator accounts have elevated privileges for the purposes of changing the configuration of both hardware and software on a computer. Using an administrator account significantly increases the risk of damage to critical settings or installed software. Malicious software such as a virus or other exploit typically depends on the victim using an administrator-level account for maximum destructive effect, i.e. your computer is then owned by the hacker community and completely under the control of others to use for whatever purpose (usually malicious) they wish. Responsible use of administrator accounts (only to install trusted software or make configuration changes) goes a long way toward limiting or thwarting the effects of a virus or other attack. Ignoring this distinction essentially defeats many of the security features added to personal computers since the days of Windows 98. Please note that some software (typically open source) can be installed for a specific user without an administrator account.
Since improper use of an administrator account can potentially hinder the operation of, and destroy data on, the computers of your colleagues, additional safeguards must be followed in order to protect everyone else that uses the network. These safeguards primarily involve educating potential candidates about the security risks and proper use of administrator accounts.
- Use of a local administrator account requires written permission from a supervisor or investigator that is responsible for funding your computing activity. The designated user must also attend a training session on the security risks of using administrator accounts and agree to use the account in a safe and responsible manner. As an alternative to this training session, the candidate may also elect to take a short web quiz where all questions can be answered from information in this policy.
- As an administrator, you are now responsible for adhering to all UW policies current and future. Pay particular attention to the Information and Incident reporting policy which requires you to report any "possible unauthorized access to UW-Madison restricted data or other sensitive information". Not doing so can result in serious consequences.
- Administrator accounts are only permitted for the purpose of installing legally licensed software that is necessary for your Waisman-related work or research, and may not be shared with others. You cannot create additional accounts or change the computer's configuration without express approval from Waisman Computer Services.
- Using an Administrator account to install software on a computer in a designated HIPAA area is not considered best practice and has additional restrictions.
- Using Administrator accounts for routine activities such as email, web access and document preparation is not permitted due to the increased and unnecessary risk of a compromise that may be used to launch an attack on others from your computer. For example, visiting a web site that unknowingly hosts a malicious ad just once using an Administrator account can result in a complete takeover of the computer, requiring re-imaging of the hard drive (erasing) to mitigate the damage and reporting the incident to the Office of Campus Information Security (OCIS), with the potential involvement of UW Legal Services if there was a possibility of the disclosure of sensitive information.
- All software that is pre-installed by WCS (included in the initial hard drive image) does not require administrator privileges to use. Nearly all current versions of commercial software packages do not require administrator privileges to use. For the rare exceptions, WCS staff has experience in tailoring uncooperative software to be used without administrator privileges.
- You must provide administrator-level system access for WCS staff for the purpose of mitigating or responding to security-related issues or threats directed from or against your computer. This may include applying emergency security updates to prevent an imminent attack or investigating a report of suspicious behavior originating from a computer that you use. This is also useful for remotely diagnosing any computer problems you may have, eliminating a physical visit to the computer. If WCS initially set up or imaged the computer, then this is already provided. If administrator access is not provided and we cannot contact an appropriate person in a timely fashion to investigate a problem or confirm that a critical security update has been applied, then the network connection to the computer will be disabled.
Account expiration and removal. In the absence of information from the account holder, the owner (supervisor or investigator), Waisman Center administration or higher authorities, if an account has not been used (a logon detected) for a period of six months, it will be considered abandoned and removed. All associated files will be archived and then deleted. The archived files will be retained for 90 days and then destroyed unless we receive other disposition instructions. We will maintain an email forwarding address for up to one year after account removal.
Damage Liability. The funding source of your computing activity is responsible for any damage or clean-up costs that result from the irresponsible or careless use of computing resources under your control.
- Example: A student working for another investigator installs a "free" screensaver from the internet that is actually a destructive worm in disguise. Three months later it is discovered that all the computers in your lab have been infected by the worm and made unusable. The cost to diagnose and clean up all the infected computers will be billed to the investigator the student was employed by.
Periodic Auditing. Use of computing and network resources may be periodically audited to ensure that the above policies are adhered to.
University Baseline Password Standard
A UW-Madison policy adopted in February 2006 provides a minimum password standard, which states that passwords must be a minimum of eight (8) characters in length and contain mixed-case letters, a digit and special characters. The policy can be viewed at:
University Policy on Electronic Devices
A UW-Madison policy adopted in March 2004 pertains to network security and anything attached to the campus network. It is known as the "Electronic Devices Policy" and basically says you must run up-to-date anti-virus software (available at no cost) and ensure all other software has current security updates. It can be viewed at:
University Responsible Use Policy
The UW-Madison Information Technology Committee (ITC) and the Provost's Office have approved guidelines for responsible use of campus information technology resources. The policy includes nine guidelines in areas like computer security, hacking, impersonation and anonymity.
The Responsible Use Policy has been incorporated into the student non-academic misconduct rules for UW-Madison. According to the Dean of Students office, violation of the code by students may result in disciplinary action including probation, suspension and expulsion. Violation of the policy by faculty and staff may result in loss of access privileges, University disciplinary action and/or criminal prosecution.
While the Department of Information Technology (DoIT) does not monitor people's use of the network, the web or e-mail, complaints will be investigated.
Both the University and the Waisman Center reserve the right to suspend network access to preserve the integrity of the network.