Volume VII: Information Technology
Chapter B: Security
Issuing Office: OVPIT
Responsible Officer: Vice Chancellor for Information Services
Responsible Office: VCIS
Originally Issued: May 25, 2005
Revised: November 18, 2011
Calumet Revision: December 16, 2011
Controlled access to IT Resources is essential for Purdue University Calumet to continue its mission of learning, discovery, and engagement. This policy describes a comprehensive approach to Authentication and Authorization that can support current needs for electronic access and accommodate future services and technologies by employing standardized mechanisms for Identification, Authentication, and Authorization.
This policy is guided by the following objectives:
- To ensure that Purdue Calumet can, without limitation, operate and maintain its IT Resources;
- To ensure that Purdue Calumet can, without limitation, protect the security and functionality of University IT Resources and the data stored on those resources;
- To protect the University’s other property, rights, and resources;
- To preserve the integrity and reputation of the University;
- To safeguard the privacy, property, rights, and data of users of University IT Resources;
- To comply with applicable existing federal, state, and local laws; and
- To comply with existing University policies, standards, guidelines, and procedures.
Access Control. Identification, Authentication, and Authorization are controls that facilitate access to and protect University IT Resources and data. Access to non-public IT Resources will be achieved by unique User Credentials and will require Authentication.
Purdue University Calumet will assign a Purdue University Identifier (PUID) and User Credentials for Identification and Authentication purposes to each individual that has a business, research, or educational need to access University IT Resources.
Authorization for University IT Resources depends on the individual’s relationship, or relationships, to the University and the requirements associated with that relationship. In all cases, only the minimum privileges necessary to complete required tasks are assigned to that individual. Privileges assigned to each individual will be reviewed on a periodic basis and modified or revoked upon a change in status with the University.
No Unencrypted Authentication. Unencrypted Authentication and Authorization mechanisms are only as secure as the network they use. Traffic across the network may be surreptitiously monitored, rendering these Authentication and Authorization mechanisms vulnerable to compromise. Therefore, all University IT Resources must use only encrypted Authentication and Authorization mechanisms unless otherwise authorized by the Vice Chancellor for Information Services.
Users of University IT Resources must comply with this policy and related standards and expiry periods issued by the University in support of this policy.
Centralized and departmental IT units and IT Resource owners are responsible for ensuring appropriate enforcement of this policy and related standards on University IT Resources within their areas of responsibility. The formal Security Policy/Procedure Exception Form must be filed and approved by the Vice Chancellor for Information Services for any University IT Resource that is unable to comply with these policy requirements.
Violations of this policy or any other University policy or regulation may result in the revocation or limitation of IT Resource privileges as well as other disciplinary actions, or may be referred to appropriate external authorities.
This policy covers students, faculty, staff, and all individuals or entities using any University IT Resources and all uses of such IT Resources.
Standards supporting the implementation of this and other Purdue University Calumet IT Policies are available at:
Request for Security Policy/Procedures Exception is available at:
For questions regarding this policy, contact:
Assistant Director for Information Security and Assurance firstname.lastname@example.org
| Term | Definition |
|---|---|
| Authentication | The process through which a user proves his or her identity by providing sufficient User Credentials. |
| Authorization | The process of determining which services, privileges, and resources an authenticated user is entitled to access. |
| Identification | The process of establishing User Credentials in order to access and use University IT Resources. |
| IT Resource | All tangible and intangible computing and network assets provided by or for the University to further its mission of discovery, learning, and engagement. Examples of such assets include, but are not limited to, hardware, software, wireless access, network bandwidth, mobile devices, electronic information resources, printers, and paper. |
| PUID | Purdue University system unique and persistent identifier assigned to an individual upon initial association with the University. |
| User Credential | Information used to access University IT Resources. This type of information includes, but is not limited to, usernames, passwords, tokens, smartcards, biometric data, and digital certificates. |
November 18, 2011: Policy number changed to VII.B.1 (formerly V.1.2).
June 16, 2009: Updated URL in Related Documents section.
August 16, 2011: Updated URL in Related Documents section.