Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

Transcription

1 Introduction This document provides a summary of technical information security controls operated by Newcastle University s IT Service (NUIT). These information security controls apply to all NUIT managed systems and services. 1. Information security policy Operation of all NUIT managed systems and services is governed through Newcastle University s Information Security Policy. This policy is available to download from: 2. Information security training All NUIT employees must attend and complete information security training that is delivered by the NUIT Information Security Team. Information security training is delivered to the wider University community by the NUIT Information Security Team and is managed through the Staff Development Unit. 3. Information security guidance NUIT regularly publishes and updates information security guidance on the University s web site. This guidance is targeted at all members of the wider University community and is available to download from: 4. Physical security All NUIT managed information systems and services are located in the secure NUIT data centre. Access to the NUIT data centre is restricted to authorised personnel only. All access is logged through the electronic door entry system. Door access is controlled using ID cards that are unique to each member of NUIT. All visitors to NUIT are required to report to the NUIT Service Desk. The data centre s air temperature and humidity is controlled and monitored to prevent overheating and damage to critical NUIT managed ICT equipment using a HVAC (Heating, Ventilation and Air Conditioning) System. All critical NUIT managed ICT equipment is connected to a UPS (Uninterruptible Power Supply) to ensure safe shutdown and preservation of data during power outages. Page 1 of 5 v1.5 / July 2014

2 The NUIT data centre is alarmed and monitored by CCTV. The alarm and CCTV are connected to Newcastle University s security office. The security office will immediately investigate suspicious activity upon detection. The security office has a radio link to Northumbria Police. 5. Servers All NUIT managed servers are hardened in compliance with vendor recommendations. All servers are in receipt of the latest security updates. All Windows servers run antivirus software. 6. Workstations All NUIT managed desktop PCs run Windows 7 and are hardened in compliance with Microsoft recommendations. All workstations run antivirus software and are in receipt of the latest security updates. 7. Laptops All NUIT issued laptops are AES-256 encrypted using Microsoft Bitlocker and are hardened in compliance with Microsoft recommendations. All laptops run antivirus software and are in receipt of the latest security updates. NUIT recommend that the storage of sensitive and confidential data on laptops is risk assessed and 8. Tablets NUIT has produced guidance that shows users how they can secure and encrypt the most common types of tablet computer. This guidance is available to download from: NUIT recommend that the storage of sensitive and confidential data on tablets is risk assessed and 9. Portable storage devices NUIT can provide password protected and encrypted portable storage devices to University staff. These devices use only recognised non-proprietary encryption algorithms that are proven to be secure such as AES-256. Page 2 of 5 v1.5 / July 2014

3 NUIT recommend that the storage of sensitive and confidential data on portable storage devices is risk assessed and 10. All NUIT managed is encrypted between the client and the server on the internal network. NUIT can provide software and documented procedures for sharing encrypted data by with external parties. NUIT recommend that the ing of sensitive and confidential data is risk assessed and authorised by the relevant manager such as the data owner. 11. File System Access Control Lists (ACLs) All NUIT managed servers, workstations and laptops run file systems that support ACLs. 12. User access control All user access to NUIT managed information systems and services is controlled through Active Directory. All users are assigned a UID (User Identification) that is unique to them. Password complexity is enforced through group policies. Access to all data stored on the NUIT file-store is controlled using permissions. 13. Remote access Off-site access to NUIT managed systems and services is through the Remote Access System. The remote access system uses an encrypted HTTPS connection that is verified using an SSL certificate provided by a recognised certificate authority. All logons to the Remote Access System are logged. NUIT recommend that all remote access to sensitive and confidential data is risk assessed and 14. Network security The campus network is firewalled at the network perimeter. Additional firewalling (using the built-in firewall) is active on servers. All other intermediary network devices are hardened in accordance with vendor recommendations. Network security scanning is continuously performed to identify misconfigured and unauthorised devices. Page 3 of 5 v1.5 / July 2014

4 Traffic flows are monitored for network activity (egress and ingress) that may be attributed to malicious software and other forms of malicious activity. Traffic flows that are believed to be malicious are terminated. The private network is segregated from the public network using Network Address Translation and Access Control Lists for traffic management and filtering. The private network is further segregated into wired and wireless security domains, each using different private IP address ranges. All private IP addresses in use across the University consist of non-routable IP addresses as defined through RFC1918. Further segregation of network traffic is achieved through the use of VLANs and subnetting. Access to the wireless network is through a RADIUS authentication system that is interfaced to the campus Active Directory. The wireless connection is encrypted using WPA2 Enterprise. 15. Information security management The security of all NUIT managed information systems and services have recently been subject to independent external auditing. The recommendations from this audit form the basis of an on-going programme of work to ensure that information risk is continuously assessed and mitigated. NUIT has a dedicated Information Security Team, which includes a member who is trained in ISO/IEC 27001:2005 and ISO/IEC 27001:2013 auditing, and is also a certified PCI-SSC ISA (Internal Security Assessor). An internal information security risk assessment is completed every three months. The findings of this risk assessment are subject to review by the NUIT Information Security Forum and form the basis of a risk treatment plan. This risk treatment plan is a key part of an on-going quality assurance process to ensure that technical and non-technical information security risks are correctly mitigated through the identification, implementation and continued improvement of NUIT managed information security controls. 16. Forensic readiness System level and user activity logs are generated for all critical parts of the NUIT managed ICT infrastructure. These logs form a key part of the University s programme of forensic readiness. Forensic readiness first responder training has been delivered to core NUIT staff and is cascaded to relevant University personnel. Page 4 of 5 v1.5 / July 2014

5 17. Disaster recovery All data stored on the NUIT file-store is backed-up on a regular basis to a tape library and an adjacent file-store located in a secure DR (Disaster Recovery) data centre. This ensures that all data can be recovered in the event of a disaster. 18. Secure data disposal NUIT has a contract with a specialist data disposal company to ensure the secure disposal of old hard disk drives that have been used in NUIT managed ICT equipment. 19. Security incident response All security incidents reported to NUIT are managed through the NUIT incident response process. 20. Campus Code of Connection NUIT has developed a campus Code of Connection for non-nuit managed devices connected to the campus network. The Code of Connection is used to establish an information security baseline and is reviewed and updated on a regular basis- Page 5 of 5 v1.5 / July 2014