
Campus IT Security Technical Advisory Committee (ITSTAC)

Colorado State University


Charge to the Committee

The Campus IT Security Committee (CSC) is constituted to address issues associated with appropriate use of information technology by students, faculty and staff (including administrators) at Colorado State University. The committee is charged with:

  1. Devising policies for acceptable and appropriate use of information technology, achieving an appropriate balance among protection of individuals' rights, protection of the information technology resource, and the reputation of the University.
  2. Recommending disciplinary actions to take against those who violate these policies.
  3. Devising appropriate technical recommendations for implementation at the University.
  4. Giving due consideration so that these policies and procedures may be carried out without conflicting with existing and emerging policies and procedures at the University, particularly any issues of charging back for network services.

It is envisioned that two subcommittees, one to address policy issues and the other to address technical issues, may, at the committee's option, be formed to address the issues above. The committee shall have all of its recommendations approved by CSU Legal Counsel, who shall act in an advisory capacity in the course of the committee's activities. The Committee shall also seek input on its activities from the broadest practicable constituencies that it deems appropriate, possibly the Council of Deans, CAAG, ASCSU, GSA, Faculty Council, the University Information Technology Support Services committee (UITSS), the University Instructional Technology Committee (UITC), etc.

The committee shall forward to the Information and Instructional Technology Planning Group (IITPG) a progress report in November 2000, and a final report, if possible, in May of 2001. The IITPG shall review this report and forward the final report and its recommendations to the Information Technology Executive Committee (ITEC) in June 2001.

Finally, the Committee is charged with reviewing and modifying this charge as it deems appropriate as its first formal activity.

Areas of focus for the committee

Policy Issues

  • To elevate the awareness of potential security threats and the potential consequences the University faces as a result
  • Acceptable and Appropriate Use Policy
    • Acceptable use - what the law permits
    • Appropriate use - what we should be doing (perhaps more restrictive than what we legally can do), how to use information technology best to support and advance the mission of the University
    • See interim policy at http://www.acns.colostate.edu/?page=aup
  • Information Content
    • Web pages, e-mail, other interpersonal communications
  • Distinction between university-owned equipment, and student-owned equipment (e.g. residence halls and apartments)
  • Distinction between faculty and student use to foster and create new knowledge and use by staff for the work function
  • Notification - are individuals to be notified before, during or after an investigation occurs?
  • Best use of limited resources: network capacity, disk space, etc.
    • Handling of MP3 files ("Napster") and other "recreational" traffic
  • Establish "General Principles"
  • Establish and publish recommended disciplinary actions for various types of offenses
    • Public relations concerns

Technical Issues

  • Incident Response and Recovery
    • Single point of contact, with established and publicized step-by-step procedures
    • Develop appropriate actions when security violations are suspected
    • Course of action for following up on violations originating outside of CSU
  • Review physical infrastructure
  • General recommendations for securing central and departmental servers, desktop computers, and other network-attached devices
    • Security measures recommended for various platforms and environments
    • This may include such things as Kerberos authentication and authorization, Public Key Infrastructure (PKI), intrusion detection, secure (strongly encrypted) connections to central and departmental servers
    • Evaluate network-based solutions including firewalls and other network architectures that provide various degrees of protection for several classes of computers.
  • To develop "best practices" guidelines for University IT staff to use as a baseline for their environment. This will include recommendations for password management, tightening security on servers and desktop machines, etc.
  • Central and local staffing issues
    • Draw upon local expertise (departmental IT support personnel)
    • Appropriate activities for central and local support staff
    • To create a pool of local resources the University can draw upon when expertise in specific areas is required