College of Engineering Computing Policies and Standards

University leadership has crafted and will maintain administrative policies, guidelines, and standards, specifically Policy AD95 - Information Assurance and IT Security and Policy AD96 - Acceptable Use of University Information Resources, to provide base-level guidance for all IT-related issues.

The College of Engineering adheres to this institution-wide security program designed to ensure the confidentiality, integrity, and availability of the Pennsylvania State University’s (“Penn State” or “the University”) information assets from unauthorized access, loss, alteration, or damage while supporting the open, information-sharing needs of our academic culture.

The College of Engineering is permitted to enhance the language of the standards in order to best clarify the college’s security position. The College of Engineering Security Committee has reviewed the standards and provided the following additions.

Access, Authentication, and Authorization Management

  • Least User Privilege
    • All computers must be operated in Least User Privilege mode for normal logon. All Least User Privilege accounts must not have administrative rights, regardless of the presence of native user access control management on the system.
    • Users demonstrating a valid business need for elevated privileges will be delegated the necessary capability via a native, or approved third-party, privilege management solution. If this approach proves to be inadequate, a separate "facadmin" account may be granted.
    • University-owned computer(s) must be administered by a professional information technology staff person.
    • Unless granted an exception, all systems must use the University's Enterprise Active Directory (EAD) as their primary authentication source.
  • VPN/Remote Access
    • All remote or wireless systems must use the college approved VPN with multi-factor authentication (MFA) to access resources inside of the college's network.
    • All remote access must be done via an encrypted and approved remote access application.
  • Access Control and Authorization
    • In order to adhere to the standard's Session Termination requirement, all College of Engineering systems must be configured with an approved enterprise control (e.g., GPO, Jamf) to ensure systems automatically lock when idle.

Network Security

  • Unless otherwise excepted, all systems connected with the College of Engineering's network infrastructure must do so using an assigned DHCP IP address via the college's network infrastructure. In most cases this will require the system's MAC address to be preregistered with local IT.

Physical Security

  • AD95 encourages disk-level encryption on all laptops to prevent data exposure in the event the laptop is lost or stolen, and requires it on level 3 and 4 systems. The College of Engineering has already experienced such data loss and has adopted the recommendation as a standard requirement for all College-owned laptops.
  • As per http://travel.state.gov, all persons traveling to countries listed as Level 3 (as classified by the United States Department of State) or higher must use a loaner laptop that contains no data classified higher than “Low” as determined by the Penn State Information Classification Tool. Persons traveling to countries listed at Level 2 are highly encouraged to use a loaner laptop.

Requests for Exception to Information Security policy

  • Requests for exceptions to the college standards must go through the College of Engineering IT Security Liaisons.

Vulnerability Management

  • Unless otherwise excepted, systems must be running all college-required desktop/patch management, logging, anti-virus, and other security-related software. All operating systems must be fully supported (not categorized as “End-of-Life”) by their respective developers.
  • Windows must be Enterprise Edition to support all possible security/management options.
  • All firewall exception requests must be made by a department’s professional information technology staff person to the College IT Security Liaisons.

All faculty and staff in the College of Engineering are governed by these policies and are responsible for reviewing and understanding the elements contained herein.

Please email security@engr.psu.edu regarding questions or suggestions for improving Penn State University College of Engineering Computing Policies.