Policies and Guidelines

Official University policies are located on the Policies and Procedures website.  All students, faculty, and staff are expected to comply with the policies below that are designed to protect University IT resources.  All students, faculty, and staff are encouraged to review and comply with the guidelines below to prevent security incidents that could lead to a violation of University policies. 

Policies

UM1535 - Acceptable Use of Information Technology Resources

UM1691 - Campus Data Security Policy

UM1337 - Data Access

UM1566 - Security and Protection of Electronic Information Resources


Guidelines

Data Storage

In compliance with University policy UM1691 - Campus Data Security Policy, restricted University data must be protected against physical theft or loss, electronic invasion, or unintentional exposure.  ITS has developed guidelines that recommend appropriate storage services and locations for all classifications of University data. Please refer to the Guidelines for Storage of University Electronic Data page for a listing of storage services and locations by data classification.

Data Encryption

ITS has developed standards for encryption to ensure confidential data is protected from disclosure. In compliance with University policy UM1691 - Campus Data Security Policy, employees, in cooperation with their Local Support Provider (LSP), are responsible for protecting restricted University data to which they have access. 

ITS has the following recommendations for encryption software:

Web servers

Web servers hosted on the University of Memphis network must adhere to established system security guidelines and be maintained using system administration best practices including keeping operating systems (OS) and server software patched, and removing or disabling unnecessary services, applications, and ports. Only required web server modules and/or extensions should be enabled.

Directory listing should be turned off so that search engines and web browsers can't list and identify all of the files stored in the document root of the web server.

Web server logs must be maintained in a directory that is not web-accessible. Log files should be reviewed regularly for signs of out-of-the-ordinary behavior.

Web site security

Web pages that display or collect sensitive or confidential information must be hosted on a secure server supporting an encrypted web protocol (https) with a digital certificate issued by a trusted certificate authority. The University of Memphis ITS Web Services group (webservices@memphis.edu) manages an account with a trusted root certification authority and will work with clients from across campus who need to obtain an SSL certificate for official department or unit web servers in the memphis.edu domain.

Scripts executed on Web servers are particularly prone to security breaches, especially if they don't validate user-supplied data before accessing files or operating-system services. Script code should be reviewed and scanned for known security risks.

Peer-to-Peer file sharing

Peer-to-Peer (P2P) file sharing allows individuals to share files with other users. Additional information about P2P file sharing can be found in a Wikipedia article located here.  There are many potential legal issues surrounding inappropriate use of P2P applications, and users of these programs are encouraged to review and abide by applicable copyright laws that can be reviewed here.  Violation of copyright laws or other inappropriate use of P2P file sharing may result in a violation of policy UM1535 - Acceptable Use of Information Technology Resources.  Sharing some types of music, videos, movies, and documents may constitute a violation of University policy.

Equipment Disposal

In compliance with University policy UM1691 - Campus Data Security Policy, data should be securely erased from equipment prior to disposal.  Deleting files from your computer or laptop does not permanently remove the data. The hard drive must be overwritten (sometimes called "wiping" the drive) before disposal to ensure that deleted files cannot be recovered.  An example of a free program used to overwrite a computer or laptop hard drive is Darik's Boot and Nuke (DBAN).

Family Educational and Privacy Rights Act

The University adheres to the requirements of the Family Educational and Privacy Rights Act (FERPA).  Additional information regarding FERPA is located on the Registrar's website.