UA System Security Guidelines
The university computing environment is made up of a variety of operating systems, devices and applications. Where the following classes of controls apply to those systems and technical controls exist, the guidance below should be the default state, with any exceptions documented.
- University owned equipment and software will have a responsible party and be indexed by University asset tags and/or serial numbers.
- Systems and network equipment will be classified based on the type of data they contain, the availability requirements for the services they offer and how critical they are to operations.
- University owned devices capable of attaching to the Unified Active Directory Domain (Windows) or Casper (OS X) will do so.
- Accounts should only be given to current students, faculty, staff, alumni, and sponsored affiliates.
- User accounts will come from UA Unified Active Directory, with authorization based on group- or role-based access rights assigned to the individual.
- Guest accounts will be set to expire when the expected activity is completed.
- Account inactivity and/or removal periods will be established and documented.
- Accounts will be protected at a minimum with passwords.
- Accounts with administrative rights have higher standards for protection applied to them.
- Account sharing is not permitted with the exception of documented and required shared service accounts in support of automated business operations.
- Accounts will lock after a specified number of failed access attempts.
- Passwords will conform to, at minimum, NIST LOA2.
- Password expiration will be set to, at most, 400 days.
System security patches or updates and security mechanisms
- Systems and software will be patched/updated at least quarterly with routine patches/updates to keep software current.
- Security related patches/updates will be applied within 5 business days of release after completion of testing.
- Security patches/updates addressing vulnerabilities with exploits in the wild will be applied within 48 hours after completion of testing.
- Where systems cannot be patched due to negative impact on business operations, a Plan of Action & Mitigations report will be presented to the appropriate ISO.
Encryption and authentication
- Only secure authentication methods will be used.
- When sensitive data is exchanged, encrypted transfer protocols will be used.
- 128-bit encryption keys are the minimum acceptable length, and Advanced Encryption Standard (AES) will be the preferred algorithm unless it is not an available option.
- 256-bit encryption keys are recommended.
- Systems storing data classified as “Restricted” in the UA Data Classification schema will store it on encrypted media.
- System administrators will disable unused or unneeded system/network services.
- System administrators will define and implement compensating controls for system/network services they determine to be risky or vulnerable.
- Services will only be made available to their target audience.
- Systems and software will log all security events, including authentication and authorization events, to a centralized log repository that is not the system on which they were generated.
- Logs will be kept for a minimum of 180 days and a maximum of 3 years unless otherwise required by law, applicable regulation or funding agency.
- Each major unit or department should monitor the network and systems for abuse and intrusion within their span of control.
- Abuse or intrusions (including malware) should be reported to the UA CIRT group through the appropriate Information Security Officer.
- Systems used by individuals will be secured by physical restraints in their primary work area when unattended.
- Server and networking equipment will reside in a secured, limited access space.
- Critical systems or devices, or those containing Restricted data, will reside in a server room managed or approved by a major unit IT department.
- Enterprise or workgroup assets (as opposed to individuals’ workstations) will not be used for incidental personal use.
- Individuals’ workstations will not be used to provide enterprise or workgroup services.
Network Access Controls
- Layers of network access controls will be used to scope access appropriately.
- Access controls will deny by default all unsolicited access with the exception of declared ports and protocols.
- Hosts will utilize host based firewalls as a second layer.
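The two network access control items above amount to a concrete pattern: the host firewall's input chain denies everything by default, and only the declared ports and protocols are opened. The following is an added example (not part of the UA guidelines) that generates such a ruleset for nftables from a declared-service list and audits the result; the `host_fw` table name and the sample service list are constructed for illustration.

```python
"""Default-deny host firewall ruleset generator and auditor.

Added example; not part of the UA guidelines. Assumes nftables is the
host firewall. The table name `host_fw` and the sample services are
constructed for illustration.
"""
import re

ALLOWED_PROTOCOLS = {"tcp", "udp"}


def build_nft_ruleset(declared_services, allow_icmp=True):
    """Return an nftables ruleset (text) implementing deny-by-default on the
    input hook, with accept rules only for the declared ports/protocols.

    declared_services: iterable of (protocol, port, comment) tuples,
    e.g. ("tcp", 22, "ssh management").
    """
    lines = [
        "table inet host_fw {",
        "  chain input {",
        # Default policy drop: anything not matched below is dropped.
        "    type filter hook input priority 0; policy drop;",
        # Replies to connections the host itself initiated are allowed.
        "    ct state established,related accept",
        "    ct state invalid drop",
        # Loopback traffic is local to the host.
        "    iif lo accept",
    ]
    if allow_icmp:
        # Keep basic reachability diagnostics (ping, path MTU) working.
        lines.append("    meta l4proto { icmp, ipv6-icmp } accept")
    for proto, port, comment in declared_services:
        if proto not in ALLOWED_PROTOCOLS:
            raise ValueError(f"unsupported protocol {proto!r}")
        if not 1 <= int(port) <= 65535:
            raise ValueError(f"port out of range: {port}")
        # Each declared service becomes one explicit, commented accept rule.
        lines.append(f'    {proto} dport {int(port)} accept comment "{comment}"')
    lines += ["  }", "}"]
    return "\n".join(lines) + "\n"


_ACCEPT_RE = re.compile(r"^\s*(tcp|udp) dport (\d+) accept")
_POLICY_RE = re.compile(r"policy (\w+);")


def audit_ruleset(ruleset):
    """Return (default_deny, exposed) for a ruleset in the format above.

    default_deny is True only if every chain policy is 'drop';
    exposed lists the (protocol, port) pairs explicitly accepted, which is
    what a reviewer compares against the declared service inventory.
    """
    policies = _POLICY_RE.findall(ruleset)
    default_deny = bool(policies) and all(p == "drop" for p in policies)
    exposed = sorted(
        (m.group(1), int(m.group(2)))
        for m in map(_ACCEPT_RE.match, ruleset.splitlines())
        if m
    )
    return default_deny, exposed


if __name__ == "__main__":
    # Constructed service list: a management port and one published service.
    services = [("tcp", 22, "ssh management"), ("tcp", 443, "web service")]
    text = build_nft_ruleset(services)
    print(text)
    print(audit_ruleset(text))
```

The generated text can be loaded with `nft -f`; the audit step is the part worth keeping in a change pipeline, since it turns "deny by default with declared exceptions" into a check that fails when a chain policy is anything other than drop or when an accept rule appears for a port not in the declared inventory.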
Where there are special security requirements that exceed the level of security provided by the controls above, they need to be documented and observed. Examples of this would be resources covered by special regulation or funding agency requirements. Please contact email@example.com with the special considerations, the resources covered, a point of contact for the resources and a statement of which security services the system owners/operators are relying on central IT service providers to provide.
- Risk assessments will be conducted and documented prior to IT system implementation for management review.
- Assessments will be affirmed or updated at least annually.
- Significant* changes to IT systems should trigger a reassessment.
Incident and Breach Notification
- Campus ISOs will be notified of all incidents and/or suspected breaches in accordance with the Information Security Breach Notification procedure at the campus.
- Campus ISOs will notify OIT Security Oversight Services of all breaches and include an assessment of impact.
- Internal or removable storage media leaving the physical control of the organization needs to be sanitized with a multi-pass algorithm.
- Media that is not functional enough to be sanitized needs to be physically destroyed.
- Flash-based media needs to be physically destroyed, as multi-pass sanitization does not work on this media.
* Significant changes are defined as those that add new functionality or fundamentally alter existing functionality. Some examples might be enabling a previously unused file transfer protocol or using different software to provide a service. Creation of a system or service is always a significant change.