OIT Information Security Review Policy

Summary

This policy describes the requirements and constraints for securing university-owned computing resources; e.g., computer, server or application. It also provides best practice recommendations to guide users in further steps to protect network-connected systems.

Purpose

The purpose of this policy is to ensure that all university-owned computing resources installed on the network are maintained at appropriate levels of security while at the same time not impeding the ability of users and support staff to perform their work.

Definitions

Application - A software program that runs on a computer.

Desktop/Workstation - A computer used primarily to provide direct access to applications, usually by one individual.

Server - A computer used primarily to provide network-based services (e.g., applications, Web, file, or email), for use typically by multiple users.

System Software - Programs that run in the background, enabling applications to run. These programs include assemblers, compilers, file management tools, and the operating system itself.

University-owned computing resources - Computer and computer-related equipment and applications acquired and maintained, in whole or in part, with University funds.

Scope

This policy applies to all critical university-owned computing resources owned, managed, or hosted by the Office of Information Technology and residing on the university network regardless of whether they are connected via a firewall.

A critical university-owned computing resource is a server or application which, if compromised, could significantly harm the University. Examples of significant harm include legal liability, reputational damage, interruption of critical business functions, and disclosure of confidential information.

Examples of critical university-owned computing resources include those which:

  • Contain sensitive or confidential data including, but not limited to, personally identifiable information, medical records, payroll information, student grades and transcripts, or social security numbers; or

  • Are used in planning, managing, or operating major academic, research, or administrative functions of the University.

Statement of Policy

REVIEW

Before a device or application is placed on the network and into production, the security team will evaluate its security posture. The team will review the following items for information and compliance:

  • System Criticality

  • Data Sensitivity

  • Proposed Hardware

  • Proposed Software

  • Data Encryption Requirements

  • Proposed Hosting Requirements/Special Considerations

    • Data steward

    • System administrator(s):

      • Application Server

      • Web Server

      • Application

  • Data Center Assets Required

  • Decommissioning Plans

SCANNING AND ACCESS

Critical systems must be scanned for security vulnerabilities. Any serious issue must be corrected.

Remote access (i.e., any access other than from the console) to privileged accounts (e.g., root, Administrator) must use strong authentication.

All user access to critical hosts must be authenticated. Minimally, all accounts must have a password. Users must not be allowed access from trusted hosts without the use of strong authentication.

There must be a regular program of maintaining current virus signatures and real-time scanning for viruses native to that operating system.

OIT may conduct a post-implementation review to ensure the computing device or application is still in compliance with the issued security statement.

Requests for new access, changes to existing access, or termination of access may involve any of the following university-owned computing resources:

  • Computers;

  • Servers;

  • Applications;

  • Reporting tools;

  • Data marts or data warehouses built from the central University data store; or

  • Third-party products.

All such requests will be directed to and coordinated by the system administrator. System administrators may modify requests as they deem appropriate.

In response to a request for new user IDs and passwords, system administrators will ensure that the requested access is commensurate with completion of any required general system training as well as required department-specific training.

Recommendations and Best Practices

Most computer systems as shipped by the vendor are very insecure. Steps must be taken by the system administrator at the time of installation and connection to ensure that certain known vulnerabilities are eliminated.

The following related practices are strongly recommended by OIT:

  • Remove unneeded services.

  • Limit access to needed services and log all successful and unsuccessful access.

  • Locate critical hosts behind a firewall.

  • Encrypt stored and transmitted sensitive data where possible.

  • Configure systems carefully to enhance security.

  • Avoid using the same password on critical hosts and less secure computers.

  • Avoid storing clear text passwords and private keys wherever possible.

  • All servers and applications must run at the latest patch level. Any deviations from latest patch level in order to accommodate application functionality must be thoroughly assessed for risk and documented.

  • All operating systems on which antivirus/anti-malware software is commonly used must have appropriate antivirus/anti-malware software installed.

  • All servers will employ a host firewall that is configured to permit remote administrative access from trusted hosts only and permit public access only to public-facing application ports.

  • Sensitive web server communications (login) must be protected by SSL.

  • Sensitive communications from mobile reader devices to the application server must be encrypted with SSL or a similar mechanism.
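As an added illustration of the host-firewall and access-logging recommendations above (an example written for this page, not OIT's own configuration), the following nftables ruleset for a Linux server admits remote administration only from trusted hosts, exposes only the public-facing application ports, and logs both accepted and rejected administrative connections. The management address range and the port numbers are assumed placeholders.

```nft
#!/usr/sbin/nft -f
# Example host firewall for a critical Linux server (illustrative, not OIT's ruleset).
# Policy intent: remote admin from trusted hosts only, public access only to
# public-facing application ports, successful and unsuccessful access logged.

flush ruleset

# Assumed placeholders: replace with the real management network and app ports.
define trusted_admin = { 192.0.2.0/24, 198.51.100.10 }
define public_ports  = { 80, 443 }

table inet host_fw {
    chain input {
        type filter hook input priority 0; policy drop;

        # Replies to connections this host opened, plus loopback traffic.
        ct state established,related accept
        iif lo accept
        ct state invalid drop

        # ICMP is needed for path MTU discovery and IPv6 neighbour discovery.
        meta l4proto { icmp, ipv6-icmp } accept

        # Remote administration (SSH) only from trusted hosts; log both outcomes.
        tcp dport 22 ip saddr $trusted_admin log prefix "admin-accept: " accept
        tcp dport 22 log prefix "admin-reject: " drop

        # Public-facing application ports are reachable from anywhere.
        tcp dport $public_ports accept

        # Anything else falls through to the drop policy; log a rate-limited sample.
        limit rate 10/minute log prefix "input-drop: "
    }

    chain forward {
        # This host is not a router: never forward packets.
        type filter hook forward priority 0; policy drop;
    }
}
```

Load the file with `nft -f <file>` and review the resulting ruleset with `nft list ruleset` before relying on it; the log prefixes make the accepted and rejected administrative attempts easy to pick out of the kernel log.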

Compliance

Verification - OIT may actively use security scanners to scan all critical systems.

Responsibility - Responsibility for remedy lies with the system administrator and system owner.

Policy Location

The OIT Information Security Review Policy is posted on the OIT website: http://www.uah.edu/oit/.


Approved: 09/16/2013

Policy Number IT0913-02