



JSU must protect and control access to the sensitive data it creates, collects, stores, and processes in paper and electronic formats in accordance with all applicable federal and state laws and university policies.

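Policy Number: 50000.025/ CMMC ac.1.001
Effective Date: 4/22/2023
Review/Revision Date: 4/14/2023
Category: Information Technology
Policy Owner: CIO / Information Technology
Policy Contact: CISO / Information Technology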



The intention of JSU’s (the “University”) Division of Information Technology (“DIT”) in publishing a System Access Policy for CUI data is to identify how the University will protect access to systems collecting, creating, storing, and processing CUI data.



NIST SP 800-171 focuses on protecting the confidentiality of Controlled Unclassified Information (CUI) in nonfederal systems and organizations and recommends specific security requirements to achieve that objective. The requirements recommended for use in SP 800-171 are derived from FIPS Publication 200 and the moderate security control baseline in NIST Special Publication 800-53 and are based on the CUI regulation (32 CFR Part 2002, Controlled Unclassified Information).



This policy applies to all organization workforce members and all systems, networks, and applications storing or transmitting CUI. This policy also applies to all vendors, partners, researchers and contractors.



The Chief Information Security Officer is responsible for ensuring the implementation of this policy.


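    • Information system – a discrete set of information resources organized for the collection, processing, maintenance, use, sharing, dissemination, or disposition of information.
    • Information resources – JSU laptops, desktop computers, printers, scanners, servers, network devices, paper documents, and mobile devices such as smartphones.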


All environments involved with CUI must comply fully with the NIST 800-171 standards (either directly or through compensating controls). JSU and its employees, vendors, and contractors will implement the following CUI access control requirements for systems with CUI data:

  • CUI System Access Control
  • 1.1 Limit system access to authorized users, processes acting on behalf of authorized users, and devices (including other systems).
  • 1.2 Limit system access to the types of transactions and functions that authorized users are permitted to execute.
  • 1.3 Control the flow of CUI in accordance with approved authorizations.
  • 1.4 Separate the duties of individuals to reduce the risk of malevolent activity without collusion.
  • 1.5 Employ the principle of least privilege, including for specific security functions and privileged accounts.
  • 1.6 Use non-privileged accounts or roles when accessing non-security functions.
  • 1.7 Prevent non-privileged users from executing privileged functions and capture the execution of such functions in audit logs.
  • 1.8 Limit unsuccessful logon attempts.
  • 1.9 Provide privacy and security notices consistent with applicable CUI rules.
  • 1.10 Use session lock with pattern-hiding displays to prevent access and viewing of data after a period of inactivity.
  • 1.11 Terminate (automatically) a user session after a defined condition.
  • 1.12 Monitor and control remote access sessions.
  • 1.13 Employ cryptographic mechanisms to protect the confidentiality of remote access sessions.
  • 1.14 Route remote access via managed access control points.
  • 1.15 Authorize remote execution of privileged commands and remote access to security-relevant information.
  • 1.17 Authorize wireless access prior to allowing such connections.
  • 1.18 Protect wireless access using authentication and encryption.
  • 1.19 Control connection of mobile devices.
  • 1.20 Encrypt CUI on mobile devices and mobile computing platforms.
  • 1.21 Verify and control/limit connections to and use of external systems.
  • 1.22 Limit use of portable storage devices on external systems.
  • 1.23 Control CUI posted or processed on publicly accessible systems.



Failure to comply with this or any other security policy will result in disciplinary actions as per the Sanction Policy. Legal actions also may be taken for violations of applicable regulations and laws.


Related Standards, Policies, and Processes


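  • User registration and de-registration
  • User access provisioning
  • Management of privileged access rights
  • Review of user access rights
  • Removal or adjustment of access rights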


  • Working from home
  • Access to networks and network services
  • Information access restriction
  • Use of privileged utility programs


