Information Resources
What is an information resource and what are common threats to information resources?
Information resources include many components of automated information systems which access, process, or contain data. These resources are part of every mainframe, minicomputer, microcomputer, distributed processing, and networking environment of the University.
Information resources are procedures, equipment, facilities, software and data designed, built, operated and maintained to collect, record, store, retrieve, display and transmit information.
These and other information resources must be protected from many threats including natural and man-made disasters, theft, vandalism, or any other loss that prevents the resource from being used for its designed purpose, or that endangers the integrity or confidentiality of the resource. The University has designated an Information Security Manager to coordinate information security activities within the university.
Who has been designated to protect information resources?
The University of Texas – Pan American has identified key roles in information systems (IS) security for program managers, faculty, staff, students, and others who manage, use, or support information technology at the University. These owners, technical staff, and users are responsible and liable for safeguarding computer hardware, software, data, and information resources.
Owners establish rules and procedures to ensure compliance with policies for the security of information resources, and inform those using University information resources of security policies:
- The President of the University: As Chief Executive Officer, the President ultimately owns all information assets and assigns ownership responsibilities and authority to University management.
- University Management: Vice Presidents, Deans, Directors, and Department Chairpersons/Heads are owners of information assets and are accountable for the security of information assets in their area of responsibility.
- Faculty: Faculty members own many information assets requiring special protection such as grades, student data and projects, grant and research information, and non-published papers.
Custodians are managers who possess information resources owned by others and who generally manage resource services, including supporting security controls and information procedures designated by owners. Custodians are assisted by System Managers/Administrators who help identify vulnerabilities and needed controls, and maintain the resource.
Users are faculty, employees, students, and others granted access to University resources, who (1) use information resources for the purpose specified by the owner, (2) comply with controls established by the owner, and (3) prevent disclosure of confidential or sensitive information:
- Faculty: Faculty members who use and own specific academic-related information resources.
- Employees: Staff persons and student employees who carry out responsibilities that require access to information resources.
- Students: Students who use information resources for their education, and often need access to information resources to carry out other responsibilities.
- Others: Typically non-employees who carry out responsibilities, in support of the University, that require access to information resources.
What information requires special handling and control?
The Texas DIR defines two classifications of data for security control purposes:
- Confidential: Information maintained by state agencies and exempt from disclosure under the provisions of the Texas Open Record Act or other state or federal law. Examples of confidential information include student grades and test scores, software source code, personnel data, and computer passwords.
- Mission Critical: Information defined by state agencies to be essential to the agency's function. Mission critical data requires special precautions, as determined by agency risk management decisions, to assure its accuracy and integrity. Examples of mission critical information may include financial transactions, budgetary information, bid information, and operating information.
Confidential information must be protected from unauthorized or accidental disclosure to the public. Mission critical information requires a higher than normal assurance of accuracy and completeness, and must be protected from unauthorized modification or deletion.
What are legitimate and non-legitimate uses of UTPA information resources?
UTPA information resources exist to complement the educational mission of the University and must be used appropriately. You have the obligation to ensure that you are utilizing all University information resources (including all University equipment, networks, user accounts, Ethernet connections) in accordance with University policy and applicable laws. You are the only person who can use an information resource (such as your UIC) that the University has provided specifically for educational use or for use in the performance of official activities for the State of Texas. You may not be paid, or otherwise profit, from the use of any University-provided information resource or from any output produced using it. Further, you may not promote any commercial activity using University resources. Examples of inappropriate use include:
- Posting advertisements. You may not post advertisements as they promote commercial activities.
- Posting "chain letters". You may not post "chain letters" as they use an inordinate amount of processing power and prevent others from accessing network information resources.
- Using the Ethernet connection in a student lab or office to run or promote a business.
You must never use any University-provided information resource to do something illegal, threatening, or deliberately destructive -- not even as a joke. All complaints will be investigated. The Office of Student Affairs investigates complaints about students; the Office of the President and the appropriate Vice President investigate complaints about UTPA faculty and staff. Violations can result in disciplinary action, criminal charges, or both. The police and the FBI routinely investigate such matters.
What are the relevant security regulations and potential disciplinary actions for non-compliance?
Listed below are the most important rules about using University information resources (E-mail and other computer access accounts, departmental user IDs, Ethernet connections in student labs or offices, etc.). These rules apply to anyone using such resources: students, faculty, and staff. Learn these rules so that you don't get into trouble. You cannot be exempt from the law because you are "just a student" or you were "just playing around". If you are a student with a part-time job at the University, you may be disciplined as an employee and as a student, resulting in both professional and educational consequences.
Read the relevant laws. The Texas Department of Information Resources’ (DIR) Information Security Standards are published in the Texas Administrative Code. TAC 202.75 requires that the University of Texas System and component institutions protect State of Texas information system resource assets against accidental or unauthorized disclosure, modification, or destruction, and assure the security, reliability, integrity, and availability of the information. The University of Texas System’s Information Resources Use and Security Policy (UTS 165) and The University of Texas – Pan American’s Policy for the Use and Protection of Information Resources outline System and University policy and scope, regulations, management and individual responsibilities, and best practices for handling and safeguarding information resources.
University information resources are regulated under the Property Laws of the State of Texas and are subject to the property laws of the University and the Texas Computer Crimes Statutes. The Texas Computer Crimes Statutes provide punishments for deliberate or neglectful acts that cause unlawful release or damage to information resources, or disrupt computer service availability. Federal interstate communication laws apply to computers using telecommunications networks to cross state boundaries. These laws apply to our campus network, since the network provides links to the Internet.
Who besides the account owner can access an account? How does it occur?
Pursuant to State of Texas DIR rules and regulations, UTPA has the authority and responsibility to monitor information resources to ensure compliance with State laws and regulations and UT System and UTPA policies. This authority will be exercised only with approval by UTPA Executive Management designated by the President when there is a reasonable basis to believe that State laws and regulations or UT System and UTPA policies regarding the use and security of information resources have been violated. UTPA Executive Management designated by the President may access and examine Information Resources under the following circumstances:
- To review and obtain data or information to comply with the Texas Public Information Act; a subpoena or court order; or authorized requests by federal, state, or local officials or agencies.
- To conduct the business and perform the duties and responsibilities of UTPA administration.
- To conduct internal audits to evaluate the effectiveness of and compliance with security policies and procedures.
- To identify and resolve technical problems.
- To replace or update components of the information resources and ensure compatibility and function.
- Other unusual and compelling circumstances that require access.
Note: These guidelines will be reviewed and updated periodically to support changes in governing regulations and upgrades to technology that may influence security of University information resources and responsibilities of University information resource users.
How do copyright laws affect use of software and/or Internet materials?
Be careful of copyright infringement. It is a violation of University policy and federal law to participate in copyright infringement. Copyrighted materials include, but are not limited to, computer software, audio and video recordings, photographs, and written material. Violators are subject to University discipline, as well as legal liability, even if the work did not contain a written copyright notice. See the UT System Intellectual Property Policy for more information. All users must abide by applicable software license agreements and may copy licensed software only as permitted by license.