IT Security Awareness  

Security is Everyone’s Job

Cyberspace is a dangerous place. St. George’s University is committed to protecting its information assets and technological resources—and those of all members of the SGU community—from damage or compromise. All of us should become familiar with these security policies and exercise responsibility when conducting the business of the University. We must all aim to maintain the confidentiality and integrity of information while maintaining reliable access to it.

Who Is Responsible? All of Us!

The Executive Director of Information Technology will establish an Information Security Program and collaborate with academic and administrative officials to foster compliance with it.

Information Security Officers, appointed by the Executive Director for each campus, are responsible for local compliance.

Deans, department chairs, and appropriate administrative officials are responsible for establishing specific security procedures.

All SGU community members are responsible for the protection of their passwords, card access keys, or other access controls. Don’t share these credentials without proper authorization.

Personnel who manage, operate, and support University Resources, including individuals who manage their own systems, are expected to follow all applicable SGU policies, follow departmental procedures, and use appropriate professional practices in providing for the security of the systems they manage.
 
Systems personnel should accurately classify and document the nature of the information resources being managed and ensure the implementation of security measures appropriate to that classification. They should also document and communicate to support personnel procedures for action in response to security incidents or other emergency events.

Please familiarize yourself with these requirements. Some may not apply to you directly, but if everyone knows how the system works, we all will be better equipped to deal with emergencies and attacks on our computing resources.

NOTE: The following terms used in this bulletin are defined specifically in Appendix A:

Authorized Individual
Electronic Information Resource
Encryption
Essential Resource
Resource Custodian
Resource Proprietor
Restricted Information or Data
Restricted Resource

Table of Contents

Information Security Plan
1. Designate Authority
2. Assess the risks
3. Create a Security Plan and Apply Controls

3.1 Administrative Workforce Controls

3.1.1. Hiring
3.1.2. Identity and Access Management
3.1.3. Steps for Resource Proprietors

3.2 Operational and Technical Controls

3.2.1. Passwords and other authentication credentials      
3.2.2. Session protection
3.2.3. Privileged access
3.2.4. Backup and retention
3.2.5. System protection
3.2.6. Patch management
3.2.7. System and applications software development
3.2.8. Network Security  
3.2.9. Change Management
3.2.10. Audit Logs
3.2.11. Encryption

i. Access
ii. Transit
iii. Storage
iv. Key management

3.3 Physical and Environmental Controls

3.3.1. Physical Access Controls
3.3.2. Tracking Reassignment or Movement of Devices and Stock Inventories
3.3.3. Disposition of Equipment
3.3.4. Portable Devices and Media

4. Responding to Security Breaches and Disruptions

4.1. Defining Violations
4.2 Defining Personal Information
4.3 Systemwide Notification Procedures

4.3.1. Reporting Restricted Information
4.3.2. Reporting Security Breaches Involving Personal Information
4.3.3. Specific Responsibilities
4.3.3.1. Supervisors and department heads
4.3.3.2. Employees, contractors or consultants
4.3.3.3. Resource Proprietors
4.3.3.4. Resource Proprietor or Custodian
4.3.3.5. Resource Proprietors

5. Security Awareness Training
6. Third-party Agreements
7. Minimum Requirements for Network Connectivity

7.1. Access Control
7.2. Encrypted Authentication
7.3. Patch Management Practices
7.4. Malicious Software Protection
7.5. Removal of Unnecessary Services
7.6. Host-based Firewall Software
7.7. Authenticated Email Relay
7.8. Authenticated Network Proxy Servers  
7.9. Session Timeout

Appendix A. Definitions
Appendix B. Encryption

Information Security Plan

Each campus will develop a Security Plan and Security Breach Notification Plan. The Information Security Officer will send a copy of the plan—and any subsequent changes to it—to the Executive Director of Information Technology. The plan should contain, at a minimum, the following components:

1. Designate Authority

Each Campus Information Security Officer will act as the lead authority responsible for reporting to the Executive Director of IT. The ISO will ensure that Campus incident response and notification procedures are followed and coordinate with Campus counsel. The ISO may delegate responsibilities to other personnel, when appropriate.

2. Assess the Risks

The Information Security Officers should:

  1. conduct an inventory of campus electronic information resources, including where personal information is used and stored;
  2. identify the primary employee positions that have access to the data;
  3. identify the Resource Proprietor and Custodian of the data;
  4. determine the level of security necessary for the protection of the resources.

Units or departments should:

  1. periodically assess risk, ideally using teams composed of campus administrators, managers, faculty, and IT and other personnel associated with secure information;
  2. consider all University information assets or electronic resources held or managed by the unit as a whole or by individuals in the unit;
  3. determine potential adverse impacts on the University’s reputation, operations, and assets;
  4. classify information assets according to the level of security assigned to them;
  5. determine the appropriateness and frequency of security awareness training for staff and management.

3. Create a Security Plan and Apply Controls

After completing a risk assessment, the unit or department involved should develop an information security plan that considers the acceptable level of risk for systems and processes and identifies cost-effective strategies for mitigating that risk. The security plan should account for the management, use, and protection of information that has some level of confidentiality, and identify the procedures and controls necessary to enhance security for information assets.

The unit should select appropriate mechanisms, including administrative, operational, technical, physical and environmental measures, to safeguard information. See Appendix C for a list of selected threats and vulnerabilities, the risks they pose, and selected security controls.

Resources classified as Restricted require the highest level of protection; resources classified as Essential must be included in emergency and disaster recovery planning.

3.1. Administrative Workforce Controls

3.1.1. Hiring

Who needs to access Resources in order to perform assigned tasks? A discussion of the knowledge and skills necessary to maintain security—and the responsibility for it—should be part of the employment process for any position that requires IT skills. Make it clear that all members of our workforce should:
A. act to ensure the confidentiality and integrity of data against unauthorized access, modification, or destruction;
B. comply with license agreements, terms and conditions, and laws pertaining to intellectual property, and with identified security procedures.

SGU may deem some positions with job responsibilities requiring access to Restricted or Essential Resources as Critical Positions. Campuses should ensure that candidates for these posts undergo applicable background checks as part of the selection process.

Where there is a concern that access to Restricted or Essential Resources endangers the integrity of such Resources, management should act to restrict, suspend or terminate access of staff working in critical positions in the event of disciplinary action or termination.

3.1.2. Identity and Access Management

Campuses should establish a strategy that ensures accurate identification of authorized University community members and provides secure, authenticated access to network-based services. University access control measures should include secure and accountable means of authorization and authentication.

Authorization is the process of determining whether or not an identified individual or class has been granted access rights to an information resource, and determining what type of access is allowed, e.g., read-only, create, delete, and/or modify.

Authentication is the process of confirming that a known individual is correctly associated with a given electronic credential, for example, by use of passwords to confirm correct association with a user or account name.

3.1.3. Steps for Resource Proprietors

Administrators should assign responsibility for systems and application security to a Resource Proprietor knowledgeable about the information technology used in the system and in providing security for such technology. This individual should determine security plans as appropriate to the supported systems, applications, and data.

  1. Authorize access, both logical and physical, only to Authorized Individuals who have a legitimate business reason to access specific Resources. Limit authorization of access to the least permission necessary for the performance of duties. (Access controls typically consist of, but are not limited to, log-in accounts set up directly on the Resource or use of a “Net ID.”) Retain records of the approval.
  2. Modify access, as appropriate, when duties change.
  3. Revoke access upon termination, or when job duties no longer require access, except where specifically permitted by University policy and by the Resource Proprietor.
  4. Ensure proper disposition of electronic information resources upon termination. If any electronic information resources are subject to a litigation hold, the office that issued the hold notice should be notified to ensure preservation of relevant information before final disposition of electronic information resources.
  5. Follow the principle of separation of duties when assigning job responsibilities relating to Restricted or Essential Resources. No one individual should have authorization for both installing and configuring programs and updating data for the same application. For example, a system programmer can create a critical piece of operating system code, but another individual should authorize its use and the manipulation of data. Such controls keep a single individual from subverting a critical process.
  6. Periodically audit or review the system administration work of personnel with access to privileged accounts on shared servers, especially for those functions that are not otherwise audited or reviewed in the course of being completed.
  7. Inform staff who are granted privileged accounts of the responsibilities and constraints associated with such access. The Resource Proprietor may choose to require the Individual’s signature to document approval of the release of Restricted Data.
  8. Remove or re-assign authorization and access for individuals who have terminated or announced their decision to terminate.
  9. Immediately revoke the privileged access of individuals placed on investigatory leave.

3.2. Operational and Technical Controls

Appropriate measures should safeguard against unauthorized access to data whenever a Resource manages or contains information classified as having a high Security Impact. This includes not only the primary operational copy of the information, but also data extracts and backup copies.

Campuses should ensure the timely maintenance of access controls to ensure that authentication credentials, such as passwords or authentication keys, meet Campus standards and that access privileges are revoked in a timely manner.

The right of access to modify data should be granted according to procedures that ensure data integrity. Exceptions may be made on a case-by-case basis but should always be performed in a controlled manner and with the knowledge of the Resource Proprietor.

Restricted Data: The proliferation of data greatly increases risks of unauthorized access, particularly when data is stored in ad hoc analysis tools such as spreadsheets and desktop databases. When a unit or department copies data for analysis or research, it should delete Restricted Data whenever possible or “de-identify” it by removing data elements that, in combination with other data, would result in the identification or description of an individual. If it is not possible to delete Restricted Data, the user should implement adequate security measures. Note that Restricted Data is one form of Restricted Resources, as defined in Appendix A.

Do not transfer Restricted Data to another individual or system without approval of the Resource Proprietor. Before Restricted Data is transferred to a destination system, the Resource Proprietor should establish agreements to ensure that Authorized Individuals implement appropriate security measures.

See Appendix B, Guidelines for Restricted Information, for additional information.

These guidelines do not require the employment of any specific technological control, but the selected method should be adequate to ensure sufficient protection of the electronic information resource.

3.2.1. Passwords and other authentication credentials

The Campus Program should identify appropriate password management conventions, including periodic identification of weak passwords, password encryption, and other security measures as deemed appropriate. Campus password management conventions should take into account the increased risk if passwords are used to access multiple applications, such as by means of a Campus Single Sign-on (NetID). Passwords and other authentication credentials are considered “restricted” information and require the highest level of security protection whether in storage or transit.

Passwords to individual accounts should never be shared with other individuals unless specifically approved and documented as an exception to policy by the Resource Proprietor responsible for the Resource being accessed.

If it is determined that passwords need to be shared in a specific instance, the Resource Proprietor should record who accessed the Resource or in some other way provide an audit trail.
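
The password conventions above (weak-password identification, and protecting stored credentials as Restricted information) can be implemented as shown in this added example. It is not SGU code; the minimum length, the denylist, and the PBKDF2 work factor are assumptions standing in for whatever a campus adopts, and only the Python standard library is used.

```python
import hashlib
import hmac
import secrets

# Assumed campus convention: constructed denylist of known-weak passwords and a
# minimum length. A real deployment would load a much larger breached-password list.
WEAK_PASSWORDS = {"password", "password1", "welcome1", "letmein", "qwerty123"}
MIN_LENGTH = 12
# PBKDF2-HMAC-SHA256 iteration count (assumption; raise it as hardware gets faster).
PBKDF2_ROUNDS = 600_000


def password_weaknesses(password: str, username: str = "") -> list[str]:
    """Return the reasons a candidate password fails the (assumed) campus convention.

    An empty list means the password passed every check. Used both at password
    change time and for the periodic weak-password review the bulletin calls for.
    """
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if password.lower() in WEAK_PASSWORDS:
        problems.append("appears on the known-weak password list")
    if username and username.lower() in password.lower():
        problems.append("contains the account name")
    return problems


def hash_password(password: str) -> str:
    """Derive a salted, slow hash so the stored value is useless if the store leaks.

    The record is self-describing (algorithm, rounds, salt, digest) so the work
    factor can be raised later without breaking verification of older records.
    """
    salt = secrets.token_bytes(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)
    return f"pbkdf2_sha256${PBKDF2_ROUNDS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash with the stored salt and compare in constant time."""
    algo, rounds, salt_hex, digest_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        return False
    digest = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(rounds)
    )
    return hmac.compare_digest(digest, bytes.fromhex(digest_hex))


if __name__ == "__main__":
    record = hash_password("Correct-Horse-Battery-42")
    print(record)
    print(verify_password("Correct-Horse-Battery-42", record))
    print(password_weaknesses("jdoe-likes-cats-2024", username="jdoe"))
```

The plaintext password never reaches storage; only the salted PBKDF2 output does, so a leaked credential store does not directly expose credentials that may also unlock other applications through single sign-on.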

3.2.2. Session protection

Secure screensavers, automatic logout, and/or other means of session protection minimize the risk of unauthorized users gaining control of the working session if an individual leaves a computer unattended. Use such measures on all devices with access to Restricted Resources. Also see Section 7, Minimum Requirements for Network Connectivity.

3.2.3. Privileged access

System administrators routinely require access to Resources to perform such vital system functions as installing or modifying applications; programming; establishing user IDs, accounts, or passwords and maintaining authorization for those accounts; correcting problems; and other broadly-defined system or electronic information resource functions. Such “superuser,” “root,” or “administrative” access is privileged and may be used only for authorized purposes.
 
As privileged accounts are especially sensitive, Campuses should establish procedures to ensure that abuse will not occur and fully inform personnel assigned privileged accounts on the appropriate access and disclosure of information. Procedures should include an agreement to be reviewed or signed and filed, as appropriate to the needs and function of the Resource.

  1. Users of privileged accounts should not use them to seek out personal or confidential information relating to others, or to disclose or otherwise use what they may have observed, either incidentally or resulting from authorized monitoring.
  2. Only those personnel whose job duties require them should have privileged accounts.
  3. Personnel who require privileged accounts should use non-privileged accounts when not performing system administration tasks.
  4. Where feasible, users of privileged accounts should log activities, and an independent and knowledgeable person should review the logs on a regular basis.
  5. Use of privileged accounts should be monitored periodically to ensure they are being used for authorized purposes.

For additional guidelines on logging, refer to Audit and System Logs at the end of this section.

3.2.4. Backup and retention    

Sound professional system administration practices require the implementation of routine backup of applications and data. These backup requirements extend to Essential or Restricted applications and data stored on personal computers as well as on shared systems.

  1. Backup copies of applications and data associated with Essential Resources must be sufficient to satisfy emergency planning and disaster recovery requirements, application or other Resource processing requirements, and any essential functional requirements of any Resource Proprietor dependent upon such data.
  2. Store backup copies of Essential data at a secure site, preferably off-campus.
  3. Administrators should encrypt Restricted Data if there is a risk to the physical security of stored backup copies.
  4. If electronic information resources are subject to a litigation hold, the responsible administrator should suspend disposition schedules that may result in destruction of the resource.
  5. Backup and other retention services for data must also comply with St. George’s University policies regarding data retention.

3.2.5. System protection

Administrators should deploy measures to limit access to systems that host Restricted or Essential Resources and to protect systems from “malicious software.”

Malicious software (or “malware”) poses serious threats, not only to the specific computer where the software has been installed, but potentially to other networked devices. Malware includes such programs as viruses, worms, Trojan horses, and spyware. Such programs are usually installed on a device under false pretenses and without an individual’s knowledge and can potentially affect any type of computer or server on the network. Malicious programs may damage or consume resources, use devices to infect other networked devices, or expose information or user credentials.

3.2.6. Patch management

Systems personnel should, in a timely manner, update versions of the operating system and application software when security patches become available.

3.2.7. System and applications software development

Developers should analyze how personal information should be collected, stored, shared, and managed for any application that will be used to process personal information. In order to obtain advice on establishing proper controls, campuses should involve Campus Internal Audit and/or the Executive Director of IT early in the process of developing administrative systems.

3.2.8. Network Security  

Each campus should deploy firewalls and Intrusion Detection/Prevention Systems (IDS/IPS) at the campus border to augment normal system security measures and especially to limit access to systems that host Restricted or Essential Resources. The aim is to prevent denial of service attacks, malicious code, or other traffic that threatens systems within the network or violates campus information security policies.

3.2.9. Change Management

All modifications to a system should follow a planned, supervised management process, particularly in the case of any Restricted or Essential Resource. Personnel making changes to a system should:

  1. monitor and log all changes,
  2. take steps to detect unauthorized changes,
  3. confirm testing,
  4. obtain authorization for moving application programs to production,
  5. track movement of hardware and other infrastructure components,
  6. periodically review logs,
  7. have a back-out plan, also referred to as a roll-back plan,
  8. conduct user training.

3.2.10. Audit Logs

Most components of an IT infrastructure are capable of producing logs chronicling their activity over time. These logs often contain very detailed information about the activities of applications and the layers of software and hardware that support them. With proper management, these logs can be of great benefit in a variety of scenarios to enhance security, system performance and resource management, to monitor access controls, to reconstruct security incidents, and to achieve regulatory compliance.
 
SGU urges campuses to develop a management infrastructure for log records. In particular, a log management infrastructure can capture information and aid analysis about access, change monitoring, cost allocation, malfunction, resource utilization, security events, and user activity. Campuses should manage audit logs in a manner that promotes these benefits while protecting the confidentiality and integrity of the logged information.
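
Item 4 of Section 3.2.3 asks that privileged-account activity be logged and reviewed by an independent person, and this section asks that the log infrastructure support analysis of access and security events. The following added example shows what such a review could look like in practice. It is not SGU code: the log lines are constructed in the sudo syslog format, the shell list and business hours are assumptions, and the flagging rules are illustrative review criteria rather than campus policy.

```python
import re
from collections import defaultdict

# Constructed sample of sudo entries in syslog format (not a real campus log).
SAMPLE_LOG = """\
Mar  3 08:14:02 srv-student sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/apt-get update
Mar  3 09:02:41 srv-student sudo:   alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 09:03:10 srv-student sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 22:41:17 srv-student sudo:     bob : 3 incorrect password attempts ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/bin/bash
Mar  3 22:43:05 srv-student sudo:     bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/bin/less /home/alice/grades.csv
Mar  3 13:10:55 srv-student sudo:   carol : TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/bin/bash
""".splitlines()

# sudo's default log line: "<user> : [<reason> ; ]TTY=.. ; PWD=.. ; USER=.. ; COMMAND=.."
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<reason>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<runas>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumptions for the review rules: shells whose child commands sudo cannot log,
# and the hours during which routine administration is expected.
SHELLS = {"/bin/bash", "/bin/sh", "/usr/bin/bash", "/bin/zsh", "/usr/bin/zsh"}
BUSINESS_HOURS = range(7, 19)


def parse_sudo_line(line: str):
    """Return the fields of a sudo log line as a dict, or None for other log lines."""
    match = SUDO_RE.match(line)
    if match is None:
        return None
    record = match.groupdict()
    record["hour"] = int(record["ts"].split()[2].split(":")[0])
    return record


def flags_for(record: dict) -> list[str]:
    """Review criteria a human reviewer would want drawn to their attention."""
    flags = []
    if record["reason"]:
        flags.append("denied" if "not allowed" in record["reason"] else "auth-failure")
    if record["cmd"].split()[0] in SHELLS:
        # Once a root shell is open, the commands run inside it never reach this log.
        flags.append("interactive-shell")
    if record["hour"] not in BUSINESS_HOURS:
        flags.append("outside-business-hours")
    return flags


def review_privileged_use(lines) -> dict:
    """Summarise privileged activity per user: command count plus flagged events."""
    report = defaultdict(lambda: {"commands": 0, "flags": []})
    for line in lines:
        record = parse_sudo_line(line)
        if record is None:
            continue  # not a sudo entry
        entry = report[record["user"]]
        entry["commands"] += 1
        for flag in flags_for(record):
            entry["flags"].append((record["ts"], flag, record["cmd"]))
    return dict(report)


if __name__ == "__main__":
    for user, summary in review_privileged_use(SAMPLE_LOG).items():
        print(f"{user}: {summary['commands']} privileged command(s)")
        for ts, flag, cmd in summary["flags"]:
            print(f"  [{flag}] {ts} {cmd}")
```

Feeding the real log to a script like this gives the independent reviewer a short list of events worth questioning (failed escalations, denied commands, root shells that hide their subsequent activity, and activity outside normal hours) instead of the full log, which is what makes the "regular basis" review in Section 3.2.3 practical.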
3.2.11. Encryption

When appropriate, employ suitably strong encryption measures for information in storage and during transmission. Encryption is not, however, a substitute for other security measures required in this bulletin.

i. Access

Information stored in encrypted form is useless in the event of the loss of the encryption key. When using encryption, therefore, consider the nature of the information and the University’s requirements for its timely or continual availability. Appropriate University officials must have access at all times to:

  1. records subject to disclosure under various laws;
  2. records required to be accessible for defined periods of time in compliance with the SGU Records Disposition Policy;
  3. other information that may be required to conduct the University's business.

ii. Transit

Restricted Information should be encrypted during transmission through measures strong enough to minimize the risk of the information’s exposure if it is intercepted or misrouted.

iii. Storage

Store at least one copy (the authoritative copy) of any such information in a known location in unencrypted form. If the information is encrypted, make the means to decrypt it available to more than one person.
 
Retain Restricted Information on portable equipment only if protective measures safeguard the confidentiality and integrity of the data in the event of theft or loss of the portable equipment.

iv. Key management

Users who control and manage encryption keys and key management software and hardware must be conscious of their unique role. Campuses shall conduct applicable background checks for such employees and implement encryption key management plans that:

  1. Ensure that data can be decrypted when access to data is necessary. Use key backup or other strategies to enable decryption, so that data can be recovered in the event of loss or unavailability of cryptographic keys.
  2. Address the handling of compromised, or even suspected compromised, encryption keys. In addition, the plan should address the impact of a compromised key on system software, hardware, other cryptographic keys, or encrypted information.
  3. Include a process to determine whether any encryption keys may have been compromised as a result of any security incident.
  4. Include periodic review to ensure suitably strong encryption.

See Appendix B for current encryption strategies.
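
Section iii asks that the means to decrypt be available to more than one person, and item 1 of the key management plan asks for key backup so data can be recovered if a key is lost. One standard way to satisfy both without handing any single person the whole key is threshold secret sharing (Shamir's scheme): the key is split into shares held by different custodians, and any `threshold` of them can reconstruct it. The following is an added example of that technique, written for this page; it is not SGU code, Appendix B does not prescribe it, and the field prime, 16-byte key size and 3-of-5 policy are assumptions.

```python
import secrets

# Prime field order (the Curve25519 prime, 2**255 - 19). Any 16-byte key is an
# element of this field, which is all the arithmetic below needs.
P = 2**255 - 19


def _eval_poly(coeffs, x: int) -> int:
    """Evaluate a polynomial with the given coefficients at x, modulo P (Horner's rule)."""
    acc = 0
    for c in reversed(coeffs):
        acc = (acc * x + c) % P
    return acc


def split_key(key: bytes, threshold: int, shares: int) -> list[tuple[int, int]]:
    """Split `key` into `shares` points on a random degree-(threshold-1) polynomial.

    The constant term is the key itself; every other coefficient is random, so any
    fewer than `threshold` shares reveal nothing about the key.
    """
    if not 1 <= threshold <= shares:
        raise ValueError("need 1 <= threshold <= shares")
    secret = int.from_bytes(key, "big")
    if secret >= P:
        raise ValueError("key too large for the field")
    coeffs = [secret] + [secrets.randbelow(P) for _ in range(threshold - 1)]
    return [(x, _eval_poly(coeffs, x)) for x in range(1, shares + 1)]


def recover_key(shares: list[tuple[int, int]], key_len: int = 16) -> bytes:
    """Reconstruct the key by Lagrange interpolation at x = 0 over the field.

    With at least `threshold` distinct shares this returns the original key; with
    fewer, it returns a random field element, which is why the byte length is
    widened rather than truncated so a wrong answer is never silently shortened.
    """
    secret = 0
    for i, (xi, yi) in enumerate(shares):
        num, den = 1, 1
        for j, (xj, _) in enumerate(shares):
            if i != j:
                num = (num * -xj) % P
                den = (den * (xi - xj)) % P
        secret = (secret + yi * num * pow(den, P - 2, P)) % P  # Fermat inverse of den
    return secret.to_bytes(max(key_len, (secret.bit_length() + 7) // 8), "big")


if __name__ == "__main__":
    # Assumed policy: 5 custodians hold shares, any 3 can recover the key.
    key = secrets.token_bytes(16)
    custodian_shares = split_key(key, threshold=3, shares=5)
    print("recovered with 3 of 5:", recover_key(custodian_shares[:3]) == key)
    print("recovered with 2 of 5:", recover_key(custodian_shares[:2]) == key)
```

The shares, not the key, are what each custodian backs up and what the key management plan's compromise procedure tracks: if one custodian's share is suspected compromised, the key can be re-split and the old shares retired without the data ever having been decryptable by that one person alone.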

3.3. Physical and Environmental Controls

Hurricane, earthquake, fire, flood, power outage, theft, damage. Each campus needs to establish procedures for the physical protection of its Resources against catastrophic failure. In particular, campuses should develop procedures to protect departmental or central facilities containing Resources that support Restricted or Essential systems or data. All such facilities should conform to the following recommended guidelines.

3.3.1. Physical Access Controls

Implement appropriate locking or other physical security mechanisms for all equipment vulnerable to unauthorized removal. Use combination locks, key locks, badge readers, manual sign in/out logs, verification of identification, etc., as appropriate to track all individuals logging on and off. Limiting physical access to facilities may also include technical mechanisms, such as use of proximity card readers. In those instances, technical access control guidelines apply. Maintain records of access events consistent with audit log guidelines.

3.3.2. Tracking Reassignment or Movement of Devices and Stock Inventories

  1. Complete and maintain physical inventories of equipment.
  2. Track the receipt, reuse, and removal of hardware and electronic media, including documentation of hardware reassignment. Conduct removal of Restricted or other sensitive information in accordance with procedures below regarding final disposition of equipment.
  3. Maintain records documenting repairs and modifications to physical components of the facility related to security, such as hardware, walls, doors, and locks.
  4. Track financial instruments, such as check stock and produced checks.

3.3.3. Disposition of Equipment  

Make sure that equipment being reassigned or disposed of has been stripped of Restricted or other sensitive information as appropriate. Shred, overwrite the disk, or employ professional data destruction services. Alternately, use sufficiently strong disk encryption. If electronic media or hardware is subject to a litigation hold, be sure that relevant data is not lost.

3.3.4. Portable Devices and Media

Retain Restricted Information on portable equipment (laptop computers, PDAs, Smart Phones, memory sticks, CD ROMs, etc.) only if you have used protective measures, such as encryption, that safeguard the data in the event of theft or loss of the equipment.

4. Responding to Security Breaches and Disruptions

Again, each campus must develop an incident response process to determine whether a security breach has occurred and to notify affected parties. Send a copy of the plan—and any subsequent changes—to the Executive Director of Information Technology. Include any specific, local procedures as well as systemwide actions.

If a campus is considering notification of a security breach, it should coordinate with the Office of General Counsel.

4.1. Defining Violations

It is a violation of University policy for individuals to attempt to gain unauthorized access to Resources or in any way willfully damage, alter, or disrupt the operations of Resources. This includes capturing or tampering with passwords, encryption keys, or any other mechanisms that could permit unauthorized access.

Further, it is a violation of University policy for an unauthorized person to acquire unencrypted, computerized personal information and compromise its security, confidentiality, or integrity. Good faith acquisition of personal information by a University employee or agent for University purposes does not constitute a security breach, provided that the personal information is not used or subject to further unauthorized disclosure.

4.2 Defining Personal Information

Personal information includes an individual’s first name or first initial and last name, in combination with any one or more of the following:

  1. Social Security Number;
  2. driver’s license number or governmental identification card number;
  3. financial account number, credit or debit card number, in combination with any required security code, access code, or password that would permit access to an individual’s financial account;
  4. medical information, including any information regarding an individual's medical history, mental or physical condition, or medical treatment or diagnosis by a health care professional;
  5. health insurance information, including an individual's health insurance policy number or subscriber identification number, any unique identifier used by a health insurer to identify the individual, or any information in an individual's application and claims history, including any appeals records.

The list of data elements considered personal information may be expanded based on departmental risk assessments.

4.3 Systemwide Notification Procedures

In the case of a security breach, all campuses must follow the systemwide procedures presented here. In addition, campuses may develop detailed local guidelines based upon the steps in these systemwide procedures.

4.3.1. Reporting Restricted Information

The Campus Information Security Officer or the ISO’s delegate shall report immediately in writing to the Executive Director of IT any security breach involving Restricted Information. If it is possible that the security breach involves medical or health insurance information, consult the Dean of the School of Medicine.
 
The ISO shall report in writing to the Executive Director of IT when the incident is closed. Include a description of the incident, including the number of individuals impacted; a copy of any notifications; a summary of how the incident was handled and what actions were taken to prevent further breaches of security.

Mitigation or notification requirements may differ, depending on governmental statutes, the nature of the information at risk in the event of a security breach, or contractual agreements. For example, a breach of confidentiality of electronic Protected Health Information (ePHI) requires mitigation, to the extent practicable, of “harmful effects,” and business associate agreements may require notification to governmental agencies.

4.3.2. Reporting Security Breaches Involving Personal Information

As soon as possible, notify individuals whose personal information is reasonably believed to have been acquired by an unauthorized person. Delay notification only when a law enforcement agency feels notification will impede a criminal investigation or when necessary to discover the scope of the breach and restore the integrity of the system.

In coordination with campus counsel, campuses may determine the language to be used in the notification, which may be either a written, hard copy notice or an e-mail.

If sufficient contact information is not available for direct hard copy or e-mail notice, use a substitute method, such as prominent display on the campus’s website or other commonly used website for at least forty-five days. Consult both campus counsel and the campus community relations or public information office to develop the substitute notice.

4.3.3. Specific Responsibilities

4.3.3.1. Supervisors and department heads are responsible for promptly reporting any known or suspected policy violations to the Resource Proprietor or Custodian, the Internal Security Audit department, the Locally Designated Official, or the Executive Director of IT.

4.3.3.2. Employees, contractors or consultants who become aware of the occurrence of any violation should report the violation promptly to their supervisor (or their client within the University in the case of contractors or consultants), department head, or the Internal Audit department. Resource Proprietors or Custodians should be notified of such violations in accordance with departmental procedures.

4.3.3.3. Resource Proprietors may withdraw the privileges of any individuals who violate these Guidelines. Appeals of such decisions should follow normal Campus conflict-resolution procedures.

4.3.3.4. Depending on the nature of the violation and the likelihood of a recurrence, the Resource Proprietor or Custodian should act promptly to prevent future violations to the extent feasible, and/or remove the means by which the violation occurred. Depending on the nature of the violation, the Resource Proprietor or Custodian shall consult with other Campus authorities in accordance with policies governing potential disciplinary action.

4.3.3.5. In the event of security breaches involving possible unlawful action, Resource Proprietors should notify the employee’s immediate supervisor, Executive Director of IT, or other appropriate official. Notification should occur before any action is taken, unless prompt emergency action is required to prevent bodily harm, significant property loss or damage, loss of evidence of one or more violations of law or of University policy, or significant liability to the University or to members of the University community.

The University reserves the right to revoke access to any Resource for any individual who violates the provisions of this bulletin.

5. Employ Education and Security Awareness Training

It is important that all members of the University community receive appropriate security awareness training. Department heads and supervisors should see that training programs include a review of security policy, procedures, and standards at University-wide, campus and departmental levels.

Training materials should include topics such as password management and use, best practices for protecting restricted information, incident reporting, and security reminders regarding current threats to technical environments in which individuals are working.

Training must conform to regulations governing specific categories of Restricted Information, such as student data subject to FERPA, personal information as defined in Section D above, financial data subject to the Financial Services Modernization Act of 1999 (Gramm-Leach-Bliley Act), electronic Protected Health Information subject to HIPAA, and credit card holder information subject to the Payment Card Industry Data Security Standards.

6. Third-party Agreements

When campuses or departments establish agreements with contractors, consultants, or external vendors, they must include assurances that the contracting party will safeguard information in accordance with the law and University policies. Units engaging non-University contractors or consultants to work on Restricted or Essential Electronic Information Resources must perform applicable background checks and consider limiting outside vendor access to those Resources.
When providing access to or passing Restricted Information to a third party agent of the University, include in the written contractual agreements terms and conditions that:

  1. prevent disclosure of Restricted Information by the agent or affiliate to other third parties, including subcontractors, except as required or permitted by the approved University agreement or contract terms;
  2. require all agents and affiliates to observe laws and University policies for privacy and security;
  3. require a specific plan by the agent or affiliate for the implementation of administrative, technical, or physical security strategies as outlined in this bulletin;
  4. require a plan for the destruction or return of Restricted Information upon completion of the agent’s or affiliate’s contractual obligations;
  5. specify permissions and restrictions on access or authorization necessary to fulfill contractual obligations.

Security measures on destination systems should be commensurate with security measures on the originating system. Agreements should include requirements regarding retention or disposition of data after the data is no longer needed on the destination system.

The Campus or department should terminate access when contractual obligations have been completed.

7. Minimum Requirements for Network Connectivity

Each Campus shall establish minimum standards for devices connected to their networks. Standards must address, at a minimum:

7.1. Access Control

Allow only authorized individuals access to networked devices. Passwords are typical access controls. Shared-access systems must enforce password or other authorization/authentication standards whenever possible. Where network-accessible devices ship with default passwords, change those passwords upon first use.

7.2. Encrypted Authentication

Protect against surreptitious monitoring of passwords. Use encryption-capable services, such as SSH, SFTP, SCP, SSL, HTTPS, POPS, and IMAPS, to meet this requirement.

7.3. Patch Management Practices

Ensure timely installation of security patches. Networked devices must run versions of operating system and application software for which security patches are made available. Install patches as soon as possible; where a patch may compromise the usability of critical applications, follow Campus exception procedures. SGU may grant exceptions but may require additional management measures.

7.4. Malicious Software Protection

Protect networked devices from malicious software, such as viruses, spyware, and other types of malware. Where anti-virus and anti-malware software is readily available, keep it running and up to date, with current virus definition files installed on all networked devices.

7.5. Removal of Unnecessary Services

Disable, turn off, or remove services unnecessary for the intended purpose or operation of a device.

7.6. Host-based Firewall Software

When host-based firewall software is readily available for a specific operating system, run it and configure it to limit network communications to only those services that require access to the device.

7.7. Authenticated Email Relay

Prevent unauthorized third parties from relaying e-mail messages. Devices shall not provide an active SMTP service that allows unauthorized individuals to send or relay e-mail messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user.

7.8. Authenticated Network Proxy Servers

Prevent unauthorized access to Internet-based Resources. Network proxy servers should employ authentication to protect devices that allow unauthenticated access from SGU locations.

7.9. Session Timeout

Do not leave devices that access Restricted or Essential services unattended for an extended period of time. Employ such measures as session timeouts or lockouts that require re-authentication before users return to interactive use.

Appendix A. Definitions

Authorized Individual

A University employee, student, contractor, or other individual affiliated with the University who has been authorized by a Resource Proprietor (or his or her designee) to access a Resource for the purpose of performing job duties or other functions directly related to the individual’s affiliation with the University. The Resource Proprietor grants authorization for a specific level of access to a Resource, unless the level is otherwise defined by University policy.

Electronic Information Resource (Resource)

A resource used in support of University activities that involves the electronic storage, processing or transmitting of data, as well as the data itself. These resources are valued information assets of the University. Electronic Information Resources include but may not be limited to application systems, operating systems, tools, communications systems, data (in raw, summary, and interpreted form), other electronic files, and associated computer servers, desktops (workstations), portable devices (laptops, PDAs, Smart phones, etc.) or media (CD ROM, memory sticks, flash drives).

Encryption

Encryption is the process of converting data into a cipher or code in order to prevent unauthorized access. The technique obfuscates data in such a manner that a specific algorithm and key are required to interpret the cipher. The keys are binary values that may be interpretable as the codes for text strings, or they may be arbitrary numbers. Appropriate management of these keys allows one to store or transmit encrypted data “in plain sight” with little possibility that it can be read by an unauthorized entity. For example, encryption can protect the privacy of Restricted Data that is stored on a laptop computer, even if that laptop computer is stolen. Similarly, it can protect data that is transmitted over a network, for example, even if that network is tapped by an unauthorized third party.

Essential Resource

The University designates a Resource as Essential if its failure to function correctly and on schedule could result in (1) a major failure by a Campus to perform a mission-critical function, (2) a significant loss of funds or information, or (3) a significant liability or other legal exposure to a Campus.

Resource Custodian

A person authorized by the University to have physical or logical control over a specific Electronic Information Resource. This includes, for example, central Campus information technology departments with maintenance responsibility for an application; departmental system administrators of a local area network; and database administrators for Campus-wide or departmental databases. Resource Custodians provide a service to a Resource Proprietor.

Resource Proprietor (may also be referred to as Resource Guardian)

The individual assigned responsibility for the information and the processes supporting a specific University function. Resource Proprietors are responsible for ensuring compliance with governmental statutory regulation or University policy regarding the release of information according to procedures established by the University, a Campus, or a department, depending on the situation.

Responsibilities of Resource Proprietors may include, for example: specifying the uses for a departmentally-owned server; establishing the functional requirements during development of a new application or maintenance of an existing application; and determining which individuals may have access to an application or to data accessible via an application. All Electronic Information Resources are University resources, and Resource Proprietors are responsible for ensuring that these Resources are used in ways consistent with the mission of the University as a whole.

Restricted Information or Data

Restricted Information or Data describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit.

Restricted Resource

A Resource that supports the storage, transmission, or processing of Restricted Information.

Appendix B. Encryption

Restricted data should be encrypted whenever it is stored in or transmitted across an untrusted environment.

Recommendations by Application Scenario

All Scenarios

You don’t need to protect data you don’t have. Restricted data should be retained only when necessary.
Never store the encryption key with the encrypted data; use an alternate secure method to convey the decryption measure to the recipient.
Resource Proprietors and Custodians should assess the sensitivity of the data they store or transmit. Consider all copies of the data, including backup copies, “shadow” copies, and extractions used for analysis (e.g., spreadsheets) or software testing.
When restricted data cannot be given an appropriate level of physical protection when it is stored or transmitted, it should be encrypted with an appropriate “strength.” For commonly-deployed encryption algorithms, this implies a key length of 128 bits to 256 bits.
Restricted data cannot be protected with encryption while it is being processed. Other security measures must be employed to protect data while it is being processed.

“Whole Disk” Encryption

The priority for implementation of “whole disk” encryption should be 1) mobile devices and media, then 2) other devices and media for which appropriate physical security is not provided.
Campuses should implement managerial and technical infrastructures to facilitate the encryption of mobile devices and media.

File Encryption

Campuses should promulgate recommended tool sets to facilitate file encryption.

Backup and Archiving

Assess backup procedures to ensure that backup copies of restricted data are appropriately protected by physical and/or technical means, particularly when sent off-site.

Interactive Sessions

Interactive sessions that transmit restricted data should be encrypted. Note that login passwords should often be considered to be restricted, even when no other restricted data is transmitted.

File Transfers

When encrypted files are transmitted, transmit the keys via a method other than that used for the encrypted files themselves.

Web-Based Applications

The X.509 certificates installed on servers should be acquired from Certificate Authorities that are included in common browser distributions.
Limit the display of restricted data to only what is required by the application. When restricted data must be displayed, however, send it with the “Cache-Control: no-cache” HTTP header to limit caching by web browsers. Application developers should also be aware that not all browsers honor this control for all file types.
Admonish authorized users of applications that display restricted data not to use web browsers that are shared with people who do not have the same level of authorization.

Electronic Mail

Campuses should promulgate recommended tools for sending encrypted data through electronic mail. This is likely to include the tool set identified under “File Encryption.”

Network Printer Communication

Resource Custodians for departmental and campus print services should assess the secure printing needs of their communities and provide solutions and education, as appropriate.

Remote File Services

Resource Custodians for departmental and campus file service organizations should assess the need to protect restricted data on their servers and implement encrypted protocols (and provide user education) as appropriate.

Application-to-Application Communication

Use SOAP with HTTPS or some other commonly-available encrypted protocol to transmit restricted data when possible. When not possible, use a Virtual Private Network to transmit the data.

Virtual Private Network (VPN)

Implement VPNs to protect restricted information when other methods are not feasible.
Campuses should assess the need for a VPN to encrypt traffic for devices in untrusted or hostile portions of the network, such as campus wireless networks or the rest of the Internet.

Application-Level Encryption

When it is necessary to implement encryption within an application, utilize a suitably strong, well-tested encryption algorithm, preferably from an “off the shelf” library.

Encryption Strength

Be careful to use an appropriately strong algorithm. For commonly-deployed encryption algorithms, this implies a key length of 128 to 256 bits.
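As an added example that is not part of this bulletin, the pattern the “All Scenarios”, “Application-Level Encryption” and “Encryption Strength” recommendations describe, written in Go against the standard library’s AES-GCM: a 256-bit key drawn from the operating system’s random source, an “off the shelf” authenticated cipher, and a stored envelope that carries the nonce and ciphertext but never the key. The function names and envelope layout are this example’s own choices, not University tooling.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"io"
)

// NewKey draws a 256-bit AES key from the OS CSPRNG; it goes to the key-management service, never beside the data.
func NewKey() ([]byte, error) {
	key := make([]byte, 32) // 32 bytes = 256 bits, the upper end of the range recommended above
	_, err := io.ReadFull(rand.Reader, key)
	return key, err
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key) // rejects any key that is not 16, 24 or 32 bytes (128 to 256 bits)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Seal encrypts one restricted record with AES-256-GCM. The envelope is
// nonce||ciphertext||tag: the nonce is public and travels with the data, the key does not.
func Seal(key, plaintext []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return nil, err
	}
	return gcm.Seal(nonce, nonce, plaintext, nil), nil
}

// Open decrypts an envelope from Seal; a wrong key or any altered byte fails the GCM tag check.
func Open(key, envelope []byte) ([]byte, error) {
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	ns := gcm.NonceSize()
	if len(envelope) < ns+gcm.Overhead() {
		return nil, io.ErrUnexpectedEOF // truncated envelope
	}
	return gcm.Open(nil, envelope[:ns], envelope[ns:], nil)
}
```

Because GCM authenticates the ciphertext, Open returns an error rather than garbage when the key is wrong or the stored envelope has been modified, which is the property that lets encrypted backups or exports sit “in plain sight”.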

Key Management

Campuses should implement key management services to ensure appropriate controls have been applied.
