System Security Audit Policy
To ensure that the University has a stable and secure computing environment, IT will periodically perform security audits on campus connected systems. Systems that pose a risk to campus network stability will be classified according to their threat level.
If a system is detected as having a vulnerability, the owner or administrator of the system will be notified by email of the vulnerability. If possible, information will be included regarding the the remedy recommended for the system as well as the amount of time allowed to fix the problem. If the system is not repaired within the designated time period, network access will be temporarily suspended until corrections and repairs are made. IT will classify vulnerabilities using the guidelines below:
|Critical||Vulnerabilities that are easily exploited, could lead to compromise, and/or pose a high risk to the stability of the campus network||Immediate termination of network access|
|Important||Vulnerabilities whose exploitation could result in compromise of the confidentiality, integrity, or availability of users' data, or the integrity or availability of processing/network devices||24 hours|
|Moderate||Vulnerabilities that are not easily exploited or, if exploited, would not lead to a compromise or a high risk to the stability of the campus network||72 hours|
|Low||Vulnerabilities that are very difficult to exploit or, if exploited, impact would be minimal||1 week|
If a system is detected as being compromised, IT will notify the registered owner or administrator of the system by email. If possible, steps to correct the situation, as well as the amount of time they will be allowed to take corrective action will be included in the communication. Failure to correct or remedy the compromise in the specified time period will result in termination of network access for the system in question.
|Critical||The system is in an active state being used for nefarious purposes (trying to scan or infect other systems, causing network problems, providing services to off-campus entities, etc.)||Immediate termination of network access|
|Important||The system is compromised, but is not actively being manipulated. However, it could become critical at any moment||24 hours|
|Moderate||The system has been compromised but cannot be elevated to higher level of compromise. Impact of the compromise is minimal||72 hours|
Actions which could affect the user:
Misuse of University computing facilities will be dealt with on a case by case basis. The users subject to charges of misuse will be dealt with in a manner consistent with the laws of the state of Missouri, the policies of the University of Missouri and the Bylaws of the Missouri S&T General Faculty. The Chief Information Officer is responsible for making these misuses known to the appropriate University administrators. The Chief Information Officer may impose temporary restrictions on the offender's computer access in order to ensure that the network remains stable and secure for all university users.
Note: All IT policies and procedures are subject to annual review.