ROWAN UNIVERSITY POLICY
Title: Information System Maintenance Policy
Subject: Information Security
Policy No: ISO: 2024:01
Applies: University-Wide
Issuing Authority: Senior Vice President for Information Resources and Technology and Chief Information Officer
Responsible Officer: Information Security Officer
Date Adopted: 06/05/2024
Last Revision: 06/05/2024
Last Review: 06/05/2024
I. PURPOSE
Establishing and maintaining a healthy infrastructure and system environment starts with maintenance practices and schedules that are consistent and repeatable. This policy ensures that maintenance procedures are developed, implemented, and followed for all University information systems.
II. ACCOUNTABILITY
Under the direction of the President, the Chief Information Officer and Information Security Officer shall ensure compliance with this policy. The Vice Presidents, Deans, and other members of management will implement this policy in their respective areas.
III. APPLICABILITY
This policy applies to all members of the Rowan community who manage or administer the University’s information systems.
IV. DEFINITIONS
Refer to Rowan University Technology Terms and Definitions for terms and definitions that are used in this policy.
V. POLICY
All University information systems must be maintained in accordance with the following elements:
- Maintenance Procedures
  - System maintenance procedures and schedules must be developed, implemented, and maintained.
  - Maintenance of mission-critical and sensitive systems and components should be prioritized.
  - Maintenance support and spare parts for critical systems should be proactively obtained through vendor support contracts, where feasible.
  - Maintenance should be conducted in a timely manner to minimize downtime and business disruption.
- Approval and Validation
  - Maintenance and repairs on information system components should be scheduled, performed, documented, and reviewed in accordance with manufacturer or vendor specifications and/or organizational requirements.
  - All maintenance activities must be approved through the appropriate change control process and/or directly by the system owner/manager.
  - To support the availability and security of Rowan University resources, emergency maintenance performed to resolve an outage or critical issue may, with the approval of the system owner or manager, complete the change control process after implementation.
  - Following maintenance, repair, or replacement, any security controls that may have been affected must be checked to verify that they are still functioning properly.
  - Maintenance and diagnostic activities performed by non-Rowan personnel must be logged per department standards.
  - Administrative commands and actions should be logged to a central system to the extent possible and practical.
- Off-site Maintenance and Repairs
  - Prior to removal from University facilities for off-site maintenance, repair, or replacement, equipment must either be sanitized to remove sensitive information from associated media, or the media must be encrypted per IRT standards.
  - Explicit management approval must be obtained prior to the removal of information system components from organizational facilities for off-site maintenance or repairs.
- Maintenance Tools and Tracking
  - System custodians, in collaboration with system owners and the ISO, should approve the use of system maintenance tools.
  - Media containing diagnostic tools and test programs must be scanned for malicious code, in accordance with IRT standard practices, before use.
  - Records of maintenance and diagnostic activities must be maintained.
- Maintenance via Remote Access
  - Multi-factor authentication and encrypted sessions must be employed, in accordance with Rowan's Remote Access Policy, when establishing remote sessions into the Rowan University network to perform maintenance and diagnostic activities.
  - Outbound remote connections for maintenance and diagnostic sessions, such as phone-home solutions and diagnostic file uploads to remote vendor systems, are permitted without multi-factor authentication. Where possible, these sessions should be restricted by granular firewall rules (specific source and destination IP addresses and ports/applications), and those rules should be disabled when the session is not in use.
  - Network sessions and connections must be terminated when remote maintenance is complete.
  - Maintenance features should be turned off when not needed, whenever possible.
- Maintenance Personnel
  - Only authorized personnel are allowed to perform maintenance on University information systems.
  - System owners should maintain a list of authorized maintenance personnel, including third-party maintenance providers.
  - When maintenance personnel do not have the required access authorizations, organizational personnel with the appropriate access authorizations and sufficient technical competence must supervise them throughout the maintenance activity.
VI. POLICY COMPLIANCE
Violations of this policy may subject the violator to the removal of system access or to disciplinary action, up to and including termination of employment or dismissal from a school, subject to applicable collective bargaining agreements, and may subject the violator to penalties stipulated in applicable state and federal statutes. Sanctions shall be applied consistently to all violators, regardless of job title or level in the organization, per the Acceptable Use Policy. Any exceptions to this policy must be approved by the Information Security Office.
By Direction of the CIO:
Mira Lalovic-Hand,
SVP and Chief Information Officer