PURPOSE
To provide the authority for members of the campus Information Technology Services team and the University’s Security Office to conduct a security audit on any technology system located on Penn State Mont Alto campus property in accordance with University policy AD20.
Audits may be conducted to:
- Ensure integrity, confidentiality and availability of information and resources.
- Investigate possible security incidents and ensure conformance to the Penn State Mont Alto and University security policies.
- Monitor user or system activity where appropriate (e.g. system compromise is suspected, policy violations are suspected, complaints have been received).
- Ensure validity of user accounts.
SCOPE
This policy covers all computer and communication devices owned or operated by the Penn State Mont Alto campus. This policy also covers any computer and communication devices that are present on the Penn State Mont Alto premises and/or network, but which may not be owned or operated by the Mont Alto campus.
DEFINITIONS
Mont Alto Data Network – The technology infrastructure, hardware, and software installed at the campus which is used to facilitate the flow of digital information between (but not limited to) personal computers, printers, servers, the Internet, etc.
POLICY
When requested, and for the purpose of performing an audit, any access needed will be provided to members of the University security teams in line with University policy AD20. Users and/or support personnel must ensure that any hardware or software installed for the purposes of filtering traffic, such as a firewall appliance or personal firewall software, allows unrestricted traffic to and from all systems authorized to conduct security audits at the campus level. At no time shall anyone other than those authorized at the campus or University be permitted to scan computers or devices connected to the campus data network.
This access may include:
- User level and/or system level access to any computing or communications device
- Access to information (electronic, hardcopy, etc.) that may be produced, transmitted or stored on the Penn State Mont Alto equipment or premises
- Access to work areas (labs, offices, cubicles, storage areas, etc.)
- Access to interactively monitor and log traffic on the Penn State Mont Alto data network.
ENFORCEMENT
Anyone found violating this policy will be subject to disciplinary action by the administrative unit, the campus, or the University.
Campus or University Security Office personnel will immediately block network access to any system found to be scanning systems in violation of this policy. Individuals found to be in violation of local, Commonwealth or Federal regulations or laws will be referred to the University Security Office for case disposition.
CROSS REFERENCE
Other policies that should also be referenced:
AD20 – Computer and Network Security
PSU-MA-ITS-000 – End User Computer Agreement
PSU-MA-ITS-004 – Acceptable Use and Security Policy
PSU-MA-ITS-005 – Password Policy
PSU-MA-ITS-012 – Data Backup and Retention Policy
POLICY HISTORY
Ratified June 5, 2009