OIA Acceptable Use and Security Policy

All OIA systems must be used in accordance with the Acceptable Use Policy of Information Systems at Virginia Tech (http://www.policies.vt.edu/acceptableuse.php for details) as well as state level policies.

In addition, all OIA faculty, staff, and students must run as standard users. All machines will have a local administrator account whose ID and password will be known only to OIS employees. Domain level administrator accounts will only be known to OIS full time faculty and staff. In specific situations, users may be issued a local administrator account. However, they must sign an agreement that states that the account is to be used only in emergency situations [define situations here]. Signature also indicates that the user accepts the responsibility for any problems that may be created or security breaches that might occur due to improper use of the account.

OIA attempts to keep all computers in line with the guidelines provided on the NIST site relating to FISMA as well as at the ISACA site related to COBIT. There is also a VITA presentation (slides 119-127) that provides further justification for this policy. Slide 127 includes links to Microsoft’s web site further indicating the importance of not being a local administrator.

In addition to the security activities, OIS takes a minimalist approach to setting up and configuring computers. There are a core set of programs that are installed on all machines. In addition, OIS tries to maintain a list of known programs that are considered safe and will be installed upon request assuming necessary licenses (where needed) are available.