Pace Security Plan

Pace University’s Security Plan  is the existing and current operating plan. In addition, Pace has an active confidential Disaster Recovery Plan in place. This document is available to the Pace community on the Internal Pace Network. An outline of this plan can be found in the Information Technology Strategic Plan Draft of July 2003. The Strategic Plan discusses Pace’s commitment to a secure mission critical infrastructure using best-of-breed information technology security policies, procedures and systems.

Pace’s technology personnel are kept up to date on security issues through listserv subscriptions with CERT-L, Acuta-L and Resnet-L. They also monitor hacker sites to see how to protect the University from potential threats.

Physical security is professionally managed at Pace. Security cameras are strategically placed at all places of ingress and egress. There are locks on all PCs as well as keypad locks. Disks are put away and locked. All network closets are locked and only key personnel have access to them. The Main Distribution Facility where the network backbone is located is alarmed.

Pace utilizes off site backup of all information. The mainframe and ITS servers backup to Iron Mountain every day and there is a full weekend backup.

Pace is implementing a high-level intrusion detection and an intrusion prevention system, beyond firewalls and virus protection.

The faculty and students are kept apprised of all security issues through the Information Management Officers (IMOs) and Resident Information Technology Advisers (RITAs). The direct support personnel, IMOs, are Pace employees and students. This includes the Resident Information Technology Advisers who participate as IMOs in the dormitories. IMOs are the points of contact between the organization and ITS User Services Department and work centers. IMOs subscribe to a listserv where they receive technology update notices, timely bulletins, and meeting notifications.

The following security standards exist to protect Pace’s network:

  • Modems, hubs, switches, routers, wireless routers/hubs or other network peripherals will not be connected directly to any computer on the Pace Network without prior written authorization from the Pace University Chief Information Officer.
  • For users physically connected to the Pace data network directly or via the Pace dial-ups: All outgoing SMTP traffic must be routed to smtp.pace.edu.
  • Incoming traffic (e.g. TELNET, HTTP, FTP, PING, SMTP) will be blocked at the firewall. Any requests for exceptions to this policy must be submitted in writing, signed by a Dean or University Officer and approved by the University Data Network Security Officer.
  • All official Pace WWW pages will reside on, or will be an extension of www.pace.edu . Official WWW pages are those that represent the University and are approved by a Dean or the Vice President of University Relations and the Webmaster.
  • All unofficial Pace Web pages will reside on, or will be an extension of, webpage.pace.edu. Unofficial Web pages are those that represent specific students or faculty/staff and not the University. Unofficial pages will conform to the Pace University Appropriate Use of Information Technology Policy.
  • Computing users are strongly discouraged from using broadcast protocols such as IPX or NETBEUI.
  • It is not permitted to use an IP address that has not been assigned to the PC by either DHCP or the Network Operations Center (NOC).
  • The Pace University Network Operations Center (NOC) is the only entity permitted to run any type of network analysis, scanning equipment, or software, unless express permission has been granted. Such devices can be used to manipulate the network, impact connectivity, and/or damage individual machines.
  • Software that uses SNMP or ICMP to automatically "discover" or identify entities on a network generally can have a negative impact on the network at large. The current state of such software technology does not allow Pace to permit the use of such software across the Pace network.
  • The administrative ERP application (SCT Banner; a.k.a. SPARTA) maintains its own security system. Under the direction of Pace's auditors, SPARTA users are required to change their password on a regular schedule. ITS's Oracle DBAs monitor the ERP security process. All requests for security changes, additions and deletions to the HR, financial and student ERP systems must be routed through the SPARTA functional leads and ITS's Computer Systems Department (CSD).
  • All schools and departments requesting and maintaining Internet accessible servers must first have their external access request approved by the CIO or CISO prior to access being granted. Additionally, all Internet accessible servers are scanned to insure that personally identifiable information is not hosted on the server.
  • All users with access to personally-identifiable information must adhere to the Administrative back office Policy. No files containing personally identifiable information are permitted to be stored in clear text, unencrypted and without password protection. See the  Back Office Users Policy  for further details.
     

The following recommendations will assist IT users in protecting their systems:

  • On the Pace Internal Network (IPN), visit the IMO Resource Web site for the latest software patches, Service Pack (SP) fixes, upgrades to supported/licensed products (e.g.Virsus Scan programs/data files).
  • Virus protection is mandatory for all PCs/workstations physically connected to the internal Pace network. Pace users should keep their security signatures (".data" files) as well as executable virus detection programs current.

Pace’s Information Technology Services (ITS) is headed by Mr. Chris Elarde, Interim Chief Information Officer, Information Technology. Pace University has an Information Security Plan Coordinator who also serves as the University’s Compliance Officer. This person works closely with University Counsel, the Director of ITS’s Computer Systems Department, the University’s Chief Technology Officer, and the University’s Chief Information Officer, as well as all relevant schools and departments throughout the university.