H.2.3 Information Technology Security Policy

Marine Biological Laboratory
Policy No. H.2.3
Information Technology

Initiated by: Director, Information Technology
Approved by: MBL COO
Date: August 29, 1994
Revision: May 1, 2018
Distribution: All Users of MBL Information Technology

Policy Purpose and Scope:

The MBL provides information technology to its research, education, administrative, visitor and guest users to advance its mission of scientific discovery. The purpose of this policy is to articulate and promote the ethical, legal and secure use of information technology by all members of the MBL community. This policy applies to everyone who uses MBL information technology resources and to all uses of those resources, whether physically located on campus or remotely.

1.0 MBL Information Technology Security Policy Goals:

  • Availability – Ensure that systems, networks, applications, utilities, and data are on-line and accessible when authorized users need them.
  • Integrity – Protect user information, data or software from improper modification or access (i.e. virus or unauthorized access/modifications).
  • Confidentiality – Assure that sensitive data is read only by authorized individuals and is not disclosed to unauthorized individuals or to the public.
  • Propriety – Ensure that the MBL Network is used only for its intended purposes and not for any prohibited activities and uses.

2.0 Conditions and Procedures For Use:

MBL information technology users shall adhere to the conditions and procedures set forth in this policy. Violation of this policy may result in the loss of network privileges and may result in criminal or civil prosecution and/or disciplinary action for MBL employees up to and including dismissal.

  • 2.1 All users of MBL information technology shall abide by the following conditions and procedures:
    • 2.1.1 Users shall not make unauthorized copies of data or software; however, the user is responsible for ensuring that data under their purview is adequately and routinely backed up.
    • 2.1.2 Users are to choose passwords in accordance with Policy No. H.2.2.
    • 2.1.3 Users are to access the system and data in an authorized fashion only.
      • 2.1.3.1 Users shall not allow access or use of their account to any other individual or group.
      • 2.1.3.2 Users shall not leave their computer logged in to networked services and unattended. Users shall use password protected screen savers and/or log out of applications before leaving the computer.
      • 2.1.3.3 Users shall not give system or site-related information to an unauthorized person in any manner, whether in person, by telephone, email, written material, etc.
      • 2.1.3.4 Users shall not send sensitive or security-related information (i.e. credit card, social security number, password) over unsecure channels, such as e-mail.
    • 2.1.4 Security violations or unusual activity should be reported immediately to helpdesk@mbl.edu. Unusual activity could include:
      • unexpected computer messages or behavior
      • mysterious or missing files
      • attempted use of a user’s account without his/her consent
    • 2.1.5 The Information Technology systems are not intended for personal use and the organization will not be held liable for safeguarding any personal data or programs placed on the computers and the network.
    • 2.1.6 Users are responsible for coordinating with the MBL Help Desk any network activity or additional connections that may affect MBL network performance. Network connections may be obtained only in the authorized manner by contacting MBL IT.
    • 2.1.7 Users are not to install or execute any programs or processes which are designed to gather information about the MBL network, the servers, or other machines on the Internet, both inside and outside of MBL.
    • 2.1.8 Users are not to purposefully access the MBL network or any MBL or Internet servers or computers in a manner which disguises the user’s identity, computer name, address, location, or other identification of the electronic source.
    • 2.1.9 Users are to ensure that all use of computing and network resources is consistent with the scientific and educational mission of the MBL.
  • 2.2 MBL Information Technology reserves the right to remove user accounts and/or revoke network access privileges for cause. For purposes of this policy, “cause” is defined as the user’s failure to adhere to the conditions or procedures set forth in this policy or engaging in any other inappropriate conduct with respect to the MBL Network.

3.0 Prohibited Activities and Uses:

  • 3.1 The network shall not be used to transmit any communication where the meaning of the message, the content of the file, or the operation of the application, including its transmission or distribution, would violate any applicable law or regulation or would likely be offensive to the recipient or recipients thereof. For example, the use of foul, obscene, discriminatory, unlawful or harassing language or images when sending or displaying messages on e-mail is prohibited.
  • 3.2 It is unacceptable to use the Internet to send, display, download or print offensive messages, pornographic materials, sexually explicit pictures, or derogatory religious, racial or defamatory material.
  • 3.3 Unsolicited advertising may not be “broadcast” or otherwise sent to any user of the MBL network or any directly or indirectly attached network. However, when requested by a user of the networks, product information and other commercial messages are permitted to be transmitted over the network.

4.0 Monitoring:

While our goal is to respect our users’ privacy interests, the MBL bears significant and increasingly complex legal, operational and compliance-based duties, which from time to time require it to monitor and preserve custody of computer and network activity and data. Given these business requirements, MBL cannot guarantee the privacy of documents and messages on the MBL network or stored in MBL systems. Accordingly, MBL reserves the right to access and review all information on the system for legitimate business purposes.

5.0 Virus Control and other Compromises:

  • 5.1 Users must ensure that any media (i.e. flash drives, disks, CDs or any computer equipment) brought into the MBL from outside is free of viruses, worms, or other compromises before it is used in a computer or connected to the network. If a user is uncertain how to check a disk or computer, he or she should contact the IT Help Desk.
  • 5.2 If a virus, worm, or compromise is detected or suspected, the user should contact the IT Help Desk immediately.
  • 5.3 Users should use EXTREME CAUTION when opening attachments and links in e-mail messages. E-mail has become a common way malware is spread. If a user does not know the sender or is not expecting the e-mail, then the attachment or link should NOT be opened.
  • 5.4 Another frequently used “social virus” is in the form of an e-mail that urges the recipient to send everyone he or she knows a copy of the e-mail. Often it professes to protect against a new virus or serious incident. Users should NOT forward copies of such an e-mail, which often is a hoax. Users can, however, forward one copy to the IT Help Desk to verify the claim.
  • 5.5 On devices where available and practicable, anti-virus software must be installed and must automatically check for updates at least daily.

6.0 Security Updates

All devices connected to the MBL network must, where available and practicable, run a supported operating system that automatically receives security updates, and must have up-to-date security patches installed.

7.0 Security Awareness Program

The MBL Information Security Awareness Program is intended to educate the MBL community about the inherent risks to the confidentiality, integrity, and availability of systems & data, and how they can do their part to help protect these systems & data. The program applies to anyone who accesses any of the MBL networks. Depending on the level and type of access, users may be required to sign off that they have reviewed MBL security policies, complete periodic information security awareness training, and/or participate in a phishing simulation program. Failure to comply with the information security awareness program may result in the loss of access to the MBL network.

8.0 Policy Updates:

Policy clarification and updates are available from the Information Technology department.