Application Security

1.0 Overview

Computer applications must be configured and operated in a manner that minimizes risks to the security, confidentiality and integrity of customer information that could result in the unauthorized disclosure, misuse, alteration, destruction or other compromise of such information.

2.0 Purpose

This policy is designed to lay out the steps that must be taken to ensure that applications are configured and operated in a manner that maximizes security.

3.0 Scope

This policy applies to any individual who has a device attached to Clarkson’s computer network and who deals with University owned computer data.

4.0 Policy

Because software systems are so complex, it is common for security-related problems to be discovered only after the software has been in widespread use.  The period of time between the discovery of a problem and a patch being applied is referred to as the window of vulnerability.  The longer the window of vulnerability remains open, the greater the risk.  By shortening this window, we are able to reduce our risk.  As such, it is important that all software packages be patched on a regular basis, with security patches being applied as soon as they become available.

Several applications that are deployed as University standards have prescribed default settings; these applications include Symantec Anti-Virus, Microsoft Windows, and Microsoft Office.  The mandatory settings for these applications are found in the Anti-Virus Policy and the Updates Policy.

Many applications make use of encryption as an additional level of security; however, the terms and settings relating to encryption are often confusing.  Therefore, the guidelines set forth in the Acceptable Encryption Policy should be followed whenever encryption is used.

Email is an application that is used by most employees for a wide variety of communications.  Recent legislation has set mandatory time periods for email retention.  The Email Security and Retention Policy clearly delineates the requirements for this area.

All requirements given in the above mentioned policies shall be followed at all times.

5.0 Enforcement

Failure to follow this policy will result in the offender(s) being subject to disciplinary action up to and including a formal written letter of corrective action.

6.0 Revision History

Draft Policy – 19 April 2005 – jfiske

Draft Policy – 5 May 2005 – jfiske

Draft Policy – 10 February 2006 – jfiske

Approved Policy v1.0 – 4 November 2013 – jfiske