Security requirements can vary considerably depending on the assets at risk and the potential threats to those assets. Implementing and maintaining security may not be particularly difficult or expensive if the asset is easily replaced or if there are few threats that could lead to a compromise. At the same time, maintaining security for highly sensitive information can be very resource intensive. The objective of a review is to determine the real requirements and then evaluate whether policy and procedures match those requirements.

This document identifies responsibilities specific to Data Trustees, System Administrators, and Application Administrators. These are separately defined responsibilities; only in particular circumstances are they actual job titles or separate positions.

What assets are at risk and what are the exposures and threats to these assets?

Data Trustees are responsible for collections of University Information. Information that may require protection includes BUIDs, curriculum, directory, registration, and financial information. The risks to this information include unauthorized access, information disclosure, and loss of integrity. Legal issues and requirements (for example, statutory or contractual obligations to protect particular records) should also be considered.

System Administrators are responsible for the use of their systems. All systems on the Campus Network must be protected against Ethernet "sniffing", login spoofing, and other techniques designed to capture account names and passwords. System Administrators must also implement security adequate for the requirements of any Data Trustee whose information resides on their system. System Administrators should further consider the sensitivity of correspondence, coursework, grant proposals, etc., as well as the operational requirements of those who use and depend on the system.

Application Administrators need to evaluate access control for sensitive information. Important applications to consider include databases, FTP servers, World Wide Web (WWW) servers, print servers, network file systems (e.g. NFS), and other peer-to-peer networking applications that provide direct network access to data and enforce their own access control, independent of the access control on the server system. For such applications the server's account and file permissions alone do not protect the information; the application's own access rules must be reviewed.

There are many different kinds of assets that may require protection. The following issues apply to all Data Trustees, System Administrators and Application Administrators.

Typical issues that should be addressed in a security review

Note: This is intended to be a sample list; it is not a checklist.

Anyone with access to information that requires authorization must understand their respective responsibilities. Data Trustees, System Administrators and Application Administrators should therefore maintain and forward answers to at least the first three issues to all personnel they authorize to access University resources.

Responsibilities of the Data Trustee