New Mexico State University

Security, Policies & Guidelines

NMSU Institutional Data Security Policy

Pending Admin Council Approval (February 1, 2006)

Rationale


Managing institutional data is a requirement for NMSU, particularly as it relates to electronic information systems and electronic reports.  With emerging technologies and the increases in desktop software sophistication, both desktop computers and standalone servers hold institutional data and personal data.  This policy addresses the secure management of data at NMSU.

Access to Information

NMSU specifies that institutional and personal data only be used for work-related activities.  Access to and use of these data are granted based on an employee’s position and duties, and approval for access is granted by the appropriate data custodians. Employees cannot transfer their access to other employees.  Rather, employees must be granted approval by the appropriate VP/Dean/Director and the data custodian. No personal use of institutional data is permitted unless acquired through appropriate open records act procedures.

All users of NMSU institutional data must sign a non-disclosure form and follow all federal laws, state laws and university policies, including FERPA, GLB, and HIPAA.  Failure to abide by laws and policies will result in appropriate university sanctions. Transmission of university data to other NMSU affiliates (like 3rd party vendors) must have prior approval by the appropriate VP/Dean/Director and data custodian.

Information Stored on Desktop Computers

Since desktop computers are a tool of choice for manipulating data, users with access to institutional data must maintain reasonable measures to ensure that the copies of data they possess are not stolen. The following requirements must be observed:

  • A password is required to access the computer whenever the computer is started or rebooted. 
  • Sensitive institutional data on a desktop computer must be encrypted and/or password protected.
  • Sensitive institutional data must be transmitted using encryption.
    • Required for all ISP-connected computers and wireless computers.
    • For on-campus wired computers, this encrypted transmission is encouraged, but not required.
  • Institutional data must be removed from the desktop computer when it is no longer needed.  For long-term storage, data should be copied to permanent electronic media, for example DVD or CD, and kept in a secure storage area.
  • Regular backups of the desktop must be performed.

Information Security on Desktop Computers

All desktop computers that hold institutional data, including personal computers used from home, must follow the above security procedures.  In addition, each desktop computer must:

  • Use a vendor-supported operating system.
  • Maintain a current virus scan product.
  • Enable automatic updates for the operating system and virus protection.
  • Use a password to gain access to a restarted machine.
  • Use a password-protected screen saver which locks access to an unattended desktop.
  • Not use file sharing software, in particular software that allows the sharing of music and videos.

Information Security on Servers

There are many applications where institutional data is maintained on a server outside of the SCT Banner system for specific departmental or university needs. These servers require additional security measures because they often contain sensitive information about the entire university community, including students, faculty, staff and alumni.  To limit the exposure of these servers, all servers must:

  • Run a supported version of the operating system.
  • Have automatic updates enabled.
  • Have an updated virus scan product installed and operational.
  • Have a full-time employee assigned as the primary system administrator of the server.  Students and temporary staff cannot be the primary contact for the server.  The administrator must be a trained administrator.
  • Reside on a subnet that is physically separate from that of desktop computers.
  • Have all unnecessary services turned off and/or removed from the server.
  • Perform regular backups of data, operating system and applications. The backup media should be stored offsite.
  • Have a firewall enabled.
  • Not be used as a desktop or personal computer.
  • Use a web browser only for the download/update of software.