Section: Information Technology
Policy Number: 915Responsible Office: Information Technology
Effective Date: 5/1/19Revised: 5/1/19
The purpose of this policy is to provide information to St. John’s University’s (St. John’s) IT Department, and the entire University Community, to improve the resistance to, detection of, and recovery from the effects of malicious code.
Malicious code describes software designed to exploit, infiltrate or damage a computer system without the informed consent of the computer user. It includes, but is not limited to, computer viruses, worms, trojan horses, rootkits, spyware and adware. Malicious code is typically distributed over the Internet by e-mail or via web pages.
This policy applies to the University Community. Adherence to this policy helps safeguard the confidentiality, integrity and availability of the University’s information assets, and protects the interest of the University, its customers, personnel and business partners.
In order to prevent information loss due to infection by, and spread of, malicious code and to ensure continued uninterrupted services for St. John’s computers and networks, St. John’s utilizes a viable end point control solution.
Any device or system that may be affected by computer virus, malware, phishing, mobile code, or email spam that connects to the St. John’s network has the standard end-point protection solution installed and running at all times, as configured or approved by the IT Department.
Endpoint protection is configured to automatically clean and remove an infected file or to quarantine the infected file if automatic cleaning is not possible. The software is configured to update itself automatically on a regular basis.
Employees are prohibited from disabling or tampering with the installed software unless authorized to do so by the IT Department. Should there be an incident where a device is detected or suspected to be compromised, access to University resources is removed and St. John’s follows protective measures in accordance with the 923 Information and Cyber Security Risk Incident and Response Policy/Standards for proper guidance to appropriate incident responses.
The following are definitions relevant to the policy:
The University reserves the right to audit networks and systems on a periodic basis to ensure compliance with this policy. Instances of non-compliance must be presented to and reviewed and approved by the CIO, the Director of Information Security, or the equivalent officer(s).
All breaches of information security, actual or suspected, must be reported to, and investigated by the CIO and the Director of Information Security.
Those who violate security policies, standards, or security procedures are subject to disciplinary action up to and including loss of computer access and appropriate disciplinary actions as determined by the University.