
PIDS Computer Security Policy
It is the policy of the Philippine Institute for Development Studies to protect processing and data assets from corruption, damage or loss. This policy is implemented to assure the required security is obtained and managed efficiently without undue inconvenience to the users.
This policy is designed to implement security procedures required to maintain compliance with Philippine laws governing rights to privacy, computer services protection, and unauthorized disclosure of data.
The PIDS must protect data processing assets from intrusion, damage, or destruction as required by the sensitivity or criticality of the data stored or processed. In particular, research information and corporate data and their associated processing procedures, programs and platforms must be adequately protected.
This Computer Security Policy will be administered by the MIS unit of the Research Services Department.
Physical Security
Physical security procedures are implemented and enforced to reduce the potential risks resulting from unauthorized access to buildings, computer facilities, and equipment. Only authorized personnel are allowed access to computer facilities, and visitor access will be approved and monitored. Housekeeping controls are employed to ensure that environmental conditions (heat, humidity, dust, etc.) are properly maintained to reduce the possible loss of processing services.
Access authorization
1) Employee - Employees of the PIDS will be authorized access to research and administrative computer platforms and systems to the extent necessary to perform individual job duties.
2) Visitor - Visitors to the PIDS are not authorized access to PIDS computer platforms or systems. Exceptions may be requested from the Policy Administrator.
3) Vendor and maintenance - Vendors will be authorized no access to PIDS computer platforms or systems except as required to perform their respective duties to the PIDS.
Physical plant controls
1) Computer Room - The PIDS Computer Rooms will be secured at all times. Authorized personnel may occupy the computer rooms. Visitors will be escorted by authorized MIS or other appropriate personnel.
2) Workstations - Workstations will be located in secure areas. Windows and doors to these areas will be secured when the room is not occupied by the workstation user(s).
3) Emergency equipment
1) Fire detectors and extinguishers - Fire detectors and extinguishers will be installed and should be tested periodically.
2) Emergency notification - Emergency telephone numbers will be posted in a key area of the computer room. Lists will be updated as needed.
3) Evacuation procedures - Evacuation routes will be posted in key areas of the computer center. Route maps will be updated as needed.
Equipment inventory
1) Hardware, Workstations, and Network Equipment - An accurate hardware inventory will be maintained by the Administrative and Finance Department of the PIDS.
2) Software - An inventory of critical software applications will be maintained by the MIS Unit. The inventory will include locations of archival copies of installation media for recovery purposes.
Electrical requirements
1) Supply requirements - Power requirements of computer equipment will be calculated by the MIS Unit when installing equipment to ensure the supply circuit is adequately sized and protected.
2) Filtered/Uninterruptible power supply - Main computing platforms and critical network equipment will be equipped with filtered or uninterruptible power supplies as needed.
Housekeeping
1) Airconditioning - The PIDS Computer Room airconditioning units will receive regular maintenance servicing and air filter changes or cleaning as specified by the equipment manufacturer.
2) Dusting - MIS printers and other devices producing dust will be cleaned weekly. A maintenance schedule in support of this requirement will be posted in the computer center.
3) Smoking - Smoking is not allowed in computer center facilities.
4) Food and drink - Food and drink are not permitted in computer rooms and they are discouraged near workstations elsewhere at the PIDS offices.
Contingency plan - Space and electrical diagrams sufficient to show space and electrical requirements of computer rooms and network facilities will be maintained by the MIS Unit. The diagrams will be updated as needed.
Security Administration
As data processing becomes integrated into the general office environment, adequate controls must be established to reduce the potential of unauthorized access or modification of the PIDS' data and systems. To achieve control, access privileges should be established and administered in accordance with the owner's authorization requests. Data file creation, maintenance and monitoring should be performed in compliance with established procedures.
Access administration - Userid requests - Requests for user id's will be submitted to the MIS Unit on forms designed for that purpose. Requests will be reviewed by the appropriate individual for access requirements. Access to administrative systems will be granted on a need-to-know basis.
Userid and password administration
1) Password changing requirements - Passwords should be changed regularly, at least once every two months.
2) Status notification - User departments should inform the MIS Unit of termination of employment of personnel holding computer accounts. In order to ensure unneeded and unauthorized accounts are routinely purged, periodic user audits will be performed.
3) Minimum password length and content - User-selected passwords will conform to the following standards:
1) Passwords will consist of no fewer than six characters.
2) Passwords must contain at least one digit or special character except "@" and "#".
3) Passwords should not appear in any known system dictionary or consist of telephone numbers or spouse's name.
System access requirements
1) Inactivity time-out - System connections idle for more than fifteen minutes on administrative systems will be disconnected automatically by the system.
2) Unauthorized access attempts - Unauthorized access attempts will be logged. User accounts suspected as targeted for intrusion will be examined for access. Verified system level intrusions will be reported to law enforcement authorities if appropriate.
System maintenance requirements
1) System backup requirements - System backups will be maintained under a four-week rotation incorporating off-site storage.
2) Obsolete userids - User id accounts will be examined for obsolescence at six-month intervals. User accounts for persons leaving the employ of the PIDS will be deleted at termination.
3) Data set reviews - Data sets should be reviewed annually by the set owner. Obsolete sets should be deleted when no longer needed.
Contingency planning requirements
1) Off site storage - File backup copies will be stored in the vault located in the RSD Director's office. Only current week backup copies will be stored on site.
2) Tested backups - Monthly backup media will be tested for usability. The preferred method is verification following backup. However, this test may include a restoral to a temporary directory of files selected from the backup. Tapes in the archive will be tested annually using the preceding method.
3) Tested disaster recovery program stored off-site - A complete copy of the tested Disaster Recovery Plan will be stored in the off-site storage facility. As new processes are added to the plan and tested, they will be incorporated into the copy of the stored plan.
Records management requirements
1) Userid and system authorization requirements - User authorization forms and requests will be maintained for two years following account closure.
2) System logs - System logs will be maintained for two years.
3) User incident reports - User incident reports will be maintained for two years.
Applications Development
The PIDS's objectives can only be met by effective, computer-based information systems. It is essential that the development of new information systems and major enhancements to existing systems be carefully managed. Developing new systems and enhancing existing systems are complex tasks involving many people over extended periods of time. They must be executed in concert with the MIS Unit's written procedures.
Service request
1) Development or acquisition authorization - Authorization to begin application development or acquisition will be issued by the Director, Research Services Department upon receipt and approval of a proposal for the application. The proposal will identify the owner, the data set(s) to be accessed, and required logic parameters.
2) Owner approvals - The owner of the application under development will be required to approve the application at four stages of development. These will be the prototype, the alpha release, the beta release, and the final release. Commercial software released will be tested by the owner as soon as practicable following the installation.
3) Owner development involvement - The owner must provide consultation as needed in developing the prototype and beta versions of the application. Other involvement may be requested during the interface development.
4) Owner sign-off upon completion - At the conclusion of the beta testing phase, the owner will certify the suitability of the application. No such acceptance is required for commercial releases.
Programming standards
1) Structured programming methods - Program coding will be completed using structured methods. Clearly written and commented coding methods will be used.
2) Uniform coding - Uniform methods will be followed to ensure the maintainability of the code. These methods will be clearly defined and modified as needed.
3) Data dictionary - The PIDS will maintain a complete data dictionary of all administrative data. This dictionary will be available on-line at all times.
4) Comments in code - Program code will be commented for maintenance purposes. Comments will consist of logic parameters and purpose, date of modification, and author.
5) Optimization, tracing and documentation - Program code will be documented using a step-through trace of the application.
Promotion to production requirements
1) Required authorization - Internally developed software systems will move to production only upon completion of the approval process. This process will include beta testing and owner approval in writing.
2) Peer review of coding - Application code will be reviewed and approved by the MIS Unit designated programmers to ensure compliance with data classification requirements. Recommended changes will be incorporated prior to beta testing of the product.
3) Structured walk-through - Application code will receive a structured walk-through to ensure proper logic design and assist in the location of inconsistencies in the protection required by the data classification.
Documentation - Documentation for software systems will be developed and tested along with the software product. The documentation will consist of user guides, program maintenance guides, and in-code commentary.
Systems Programming
As changes to operating systems are implemented, effective controls should be maintained and changes should be documented so that only authorized and tested modifications are executed.
Authorization
1) System changes - System changes will be approved by the systems administrator prior to testing and implementation. Unsatisfactory systems under test will be updated, rolled back, or removed from the support platform.
2) System establishment - Systems will be established by owner request or maintenance agreement with the approval of the MIS Unit.
Promotion to production
1) Changes thoroughly tested - Prior to production use, all system changes will be tested to ensure output is consistent with the structured walk-through.
2) Structured walk-through - A structured walk-through of system changes will be conducted by the MIS Unit staff personnel during testing and prior to implementation.
3) Back-out procedures - Prior to testing and implementation, adequate back out procedures will be in place to ensure a timely roll back of the system.
Contingency planning requirements
1) System media stored off-site - System media for the current system implementation will be stored off-site along with system backups.
2) System documentation stored off-site - Adequate documentation for system installation and configuration will be stored off-site.
Network Security
The ability to access systems from remote locations puts the PIDS at a greater risk due to the possibility of unauthorized access to data and systems. An effective network security program will ensure that only authorized employees will be granted access and that eavesdropping, wiretapping, electronic snooping, or other interference is prevented or minimized.
Software Controls
1) Tested updates to network communications software - Updates to network communications software will be tested prior to installation. Where possible, testing will be conducted in concert with the vendor.
2) Restricted access to system parameter files - System parameter files will be available only to authorized system personnel. Authorized modifications may be made to these files.
3) Operational Controls - System recovery/restart process controlled - The system recovery and restart processes will be controlled by automation of the process.
Hardware Protection
1) Secure communications cabinets and closets - Communications closets and cabinets will be secured to prevent access by unauthorized persons.
2) Transmission hardware - Transmission hardware will be located in secure areas such as cabinets and closets. Access to the hardware will be limited to authorized personnel.
3) Telephone rooms and/or wiring closets - Telephone rooms and wiring closets will be secured at all times.
4) Modems, control units and other devices - Access to modems, control units and other devices will be limited to authorized personnel.
5) Remote User Identification - Access control packages (userid and password) - Where appropriate, access control packages and necessary hardware will be implemented to ensure remote users are identified and authorized access to the available systems.
Operations Security
Inventory and Control
1) Review of electrical requirements - Electrical requirements for central computing resources will be analyzed periodically. The review will include an update of electrical services added or deleted during the previous period.
2) Review of media library - Periodically, the MIS Unit will review the contents of the media library for adherence to storage and backup requirements.
Physical Access Controls
1) Control of the computer room areas - The computer room will be secured at all times. Only authorized personnel may occupy the computer room. Visitors will be escorted by authorized computer center personnel.
2) Control of remote processing areas and network clients - Remote processing areas will be secured when not in use. During extended periods of non-use, network and computer access from these areas will be suspended.
3) Stock storage areas - Access to stock storage areas will be limited to authorized personnel.
Contingency Plans
1) Emergency plan documented and tested annually - Emergency plans will be produced and tested by the affected personnel annually. Exceptions to this plan will be reported to the PIDS Management Committee.
2) Backup plan documented and tested annually - The backup plan will be documented and tested annually or more often as required. Exceptions to this plan will be reported to the PIDS Management Committee and incorporated into the plan following testing of the required measures.
3) Disaster recovery plan documented and tested annually - The disaster recovery plan will be tested at least annually. Exceptions to this plan will be reported to the PIDS Management Committee and incorporated into the plan following testing of the required measures.
4) Emergency system access controls - Emergency system access controls will be established and maintained by the systems administrator. These controls will be sufficient to allow the continuation of operations in the event appropriate systems personnel are unavailable to recover the failed systems.
Workstation Security
Workstation security requirements depend upon the vulnerability of the equipment to theft and the sensitivity of the information stored in the equipment. The MIS Unit is responsible for determining security requirements, instituting the necessary security precautions, and supporting the selected approach with a justifiable rationale.
1) Software inventory - An accurate software inventory will be maintained by the user. This inventory will consist of license agreements and invoices for products installed by the user. Installed site licensed products will be inventoried by product serial number and date of installation.
2) Access - Secure after working hours - Workstations will be located in secure areas. Windows and doors to these areas will be secured when the room is not occupied by the workstation user(s). If physical security is otherwise unavailable, workstations will be secured to furniture items using cable-lock systems.
Environmental Security
1) System controls - System controls will be accessible only to authorized MIS Unit personnel. This is required to ensure that personal desires do not override the workstation requirements, causing failure or unstable operations.
2) File servers - File servers will be accessible only by authorized personnel. This is required to prevent failure or unstable operations.
Support Lists
1) Hardware - Hardware support lists will be developed for each platform installed by the MIS Unit. This list will consist of platform, current support level, the vendor of the services, and how to contact the provider of support.
2) Software - Software support lists will be developed for each product installed by the MIS Unit. This list will consist of product, current support level, the vendor of the services, and how to contact the provider of support.
Central Ordering - In order to ensure compatibility of existing systems, hardware and software products will be specified by the MIS Unit. Hardware or software not receiving such approval may be obtained at the user's risk and without CIS support.
Removable disk controls - Access to removable disk equipment will be limited to authorized individuals only, utilizing controls appropriate for the information stored thereon.
Software code of ethics - PIDS Software Use Policy - The PIDS has established a Software Use Policy with regard to the ethical use of software by the PIDS.
Contingency Plans - The user will be responsible for developing contingency plans for the individual workstation.
Data Backup - Off site storage - Data backup of the individual workstation will be the responsibility of the user. Off-site storage, if required, must be arranged by the user.
Data Sensitivity - Sensitive data will not be stored on individual workstations.
Virus protection - Protection from virus infection will be implemented by the user. Protection measures to be implemented will include physical controls, such as refusal of disks of unknown origin prior to virus scanning. Virus detection software will be obtained by the user as required.
Documentation requirements - System configuration will be documented at installation by the MIS Unit and when modifications are provided by the MIS Unit. User changes will not be documented except as part of an MIS Unit contact.
User training - User training will consist of a brief introduction to the equipment and familiarization with documentation at set up. Workshops will be offered at regular intervals to address specific training needs.
Contingency Planning
Computing and information technology and systems develop rapidly with time. The processing and delivery of information through the improved technology has expanded PIDS dependence on the availability and reliability of automated systems. A plan for the orderly resumption of business should be developed, tested and implemented.
Administration - The Disaster Recovery Plan will be administered by the Security Policy Administrator.
Testing - Portions of the Disaster Recovery Plan will be tested annually. The tests will be designed to ascertain the level of business resumption provided by the plan. Off-site stored documentation will be tested as part of this process and updated as required.
Backup Plan - A vigorous file backup plan will be implemented for all centrally installed servers at the MIS Unit. This plan will be cyclic and include rotation and retention of backup media. The backup plan consists of the following steps:
1) Weekly: full dump backups will be made.
2) Daily: incremental backups will be made.
3) Monthly: the last full dump of each backup will be retained as a monthly backup.
4) Annually: the last full dump made during the calendar year will be retained as annual backup.
5) Annual and monthly backup media will be retained for two years.
6) Backup media will be randomly tested at ninety day intervals by attempting to restore files from the system root level as well as data and user levels to the null device. This step will reveal parity errors or other problems that may be associated with the backup media.
User Education
Upon approval for computer access, the user will receive copies of the MIS Unit Policy and Procedure applicable to the system for which access is requested. Every user will receive instructions on logging into and out of the requested resource. These instructions will include comprehensive instructions on selection and updating of the user's password, as well as contact instructions for accounts that appear to have been violated. The user application will refer to the receipt of these documents by the user.
The PIDS e-mail system will be employed to keep users informed of virus attacks and other fraudulent computer activities.