Software Security Policy
The purpose of software security is to assure employees' access to the computing resources and data needed to conduct University business while protecting those resources to ensure availability, reliability and integrity.
Appropriate Use
Purdue University computing resources and information are provided to support the University's administrative functions. Any use of these resources that interferes with these functions or does not respect the image and reputation of Purdue University is improper.
In addition, the following specific actions and use of Purdue University information and resources are improper:
- Use of these resources for commercial or private business purposes.
- Activity which unreasonably interferes with or threatens other individuals.
- Use of these resources in a manner that degrades or demeans other individuals.
Protect your access
Each person requiring access to Purdue University computing resources is given a unique User-ID allowing access to those resources. Users are responsible for all activities involving their personal UserID. Do not share passwords. Shared or group UserIDs are not permitted.
Currently, password is the primary mechanism used to secure access to software and data. For this reason passwords must be stored in protected locations, must not be shared and must not be viewable in clear text. The use of strong passwords must be enforced. A strong password is:
- At least 8 characters long.
- Difficult to guess or crack but easy to remember (see guidelines for tips on how to create such passwords).
- Periodically changed.
Lock Your Workstation
Staff using Purdue computers and/or workstations must activate and utilize a password protection method to secure their workstation. It is expected that any user of one of these devices will activate a lock facility prior to leaving the machine unattended.
Management Authority
Purdue University uses access controls and other security measures to protect the confidentiality, integrity, and availability of the information handled by computers and communications systems. In keeping with these objectives, management maintains the authority to:
- restrict or revoke any user's privileges
- take any other steps deemed necessary to manage and protect its information systems and data.
This authority may be exercised with or without notice to the involved users.
Management Responsibilities
User-IDs may be granted to specific users only when approved in advance by the user's immediate supervisor. Prior to being granted to users, business application system privileges must be approved by the involved information owners.
All Purdue University computing systems privileges must be promptly terminated at the time that a worker ceases to provide services to Purdue University. When a workers responsibilities change, their computing system privileges must be adjusted as appropriate.
Management must clearly specify in writing the assignment of stewardship and custodian responsibilities for databases, master files, systems and other shared collections of information.
Management must establish specific written policies regarding the categories of people who will be granted permission to access various types of information. These policies must also specify limitations on the use of this information by those to whom access will be granted.