Policy 3 - Audit Policy

1.0 Purpose
The purpose of this policy is to advise users of security scanning procedures and precautions used by Murray State University to audit their network and systems. Other persons or entities, unless authorized, are prohibited from performing any such audits.

Audits may be conducted to:
  • Ensure integrity, confidentiality, and availability of information and resources 
  • Investigate possible security incidents to ensure conformance to MSU Information Technology policies 
  • Monitor user or system activity where appropriate 
Any questions or comments about this policy should be directed to Information Systems.

2.0 Scope
This policy covers all computer and communication devices owned or operated by Murray State University, any computer or communication device connected to the MSU network, any computer or communication device which has been connected to the MSU network if it is believed such computer or communication device has been used contrary to any MSU Information Technology policy while so connected, and all computers and communication devices that are attempting in any manner to interact or interface with the MSU network.

3.0 Policy
Murray State University shall utilize auditing software to perform electronic scans of their networks, servers, switches/routers, firewalls, and/or any other systems at Murray State University. This also includes scans of any electronic communication and e-mails regardless of by or to whom the communications are sent.

These tests may include:
  • User and/or system level access to any computing or communications device 
  • Access to information that may be produced, transmitted or stored on Murray State University equipment or premises 
  • Access to work areas (labs, offices, cubicles, storage areas, etc.) 
  • Access to interactively monitor and log traffic on Murray State University networks 
  • Penetration testing 
  • Password Auditing 
  • Scanning for Personally Identifiable Information 
3.1 Network Control
Internal security testing on all Murray State University owned networks requires the prior approval of the Chief Information Officer. This includes all computers and equipment that are connected to the network at the time of the test.

4.0 Enforcement
Anyone found to have violated this policy may be subject to disciplinary action, up to and including suspension of access to technology resources or termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with Murray State University.

5.0 Definitions
Murray State University Network
Being connected to a Murray State University network includes the following:
  • If you have a network capable device (ex. laptop) plugged into a Murray State University owned building, then you are connected to the MSU LAN (local area network). 
  • If you have a wireless capable device (ex. laptop, iPhone) and connect to MSUWireless or MSUSecure, then you are connected to the MSU WLAN (wireless local area network). 
  • If you connect from a computer through the Murray State University VPN (virtual private network), you are then connected to the MSU LAN (local area network).