Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)



Introduction

This document provides a summary of the technical information security controls operated by Newcastle University's IT Service (NUIT). These information security controls apply to all NUIT managed systems and services.

1. Information security policy

Operation of all NUIT managed systems and services is governed through Newcastle University's Information Security Policy. This policy is available to download from: http://www.ncl.ac.uk/itservice/policies

2. Information security training

All NUIT employees must attend and complete information security training that is delivered by the NUIT Information Security Team. Information security training is delivered to the wider University community by the NUIT Information Security Team and is managed through the Staff Development Unit.

3. Information security guidance

NUIT regularly publishes and updates information security guidance on the University's web site. This guidance is targeted at all members of the wider University community and is available to download from: http://www.ncl.ac.uk/itservice/security

4. Physical security

All NUIT managed information systems and services are located in the secure NUIT data centre. Access to the NUIT data centre is restricted to authorised personnel only. All access is logged through the electronic door entry system. Door access is controlled using ID cards that are unique to each member of NUIT. All visitors to NUIT are required to report to the NUIT Service Desk.

The data centre's air temperature and humidity are controlled and monitored by an HVAC (Heating, Ventilation and Air Conditioning) system to prevent overheating and damage to critical NUIT managed ICT equipment. All critical NUIT managed ICT equipment is connected to a UPS (Uninterruptible Power Supply) to ensure safe shutdown and preservation of data during power outages.

Page 1 of 5 v1.5 / July 2014

The NUIT data centre is alarmed and monitored by CCTV. The alarm and CCTV are connected to Newcastle University's security office. The security office will immediately investigate suspicious activity upon detection. The security office has a radio link to Northumbria Police.

5. Servers

All NUIT managed servers are hardened in compliance with vendor recommendations. All servers are in receipt of the latest security updates. All Windows servers run antivirus software.

6. Workstations

All NUIT managed desktop PCs run Windows 7 and are hardened in compliance with Microsoft recommendations. All workstations run antivirus software and are in receipt of the latest security updates.

7. Laptops

All NUIT issued laptops are AES-256 encrypted using Microsoft BitLocker and are hardened in compliance with Microsoft recommendations. All laptops run antivirus software and are in receipt of the latest security updates. NUIT recommend that the storage of sensitive and confidential data on laptops is risk assessed and

8. Tablets

NUIT has produced guidance that shows users how they can secure and encrypt the most common types of tablet computer. This guidance is available to download from: http://www.ncl.ac.uk/itservice/security/encryption/encryptionprocedures NUIT recommend that the storage of sensitive and confidential data on tablets is risk assessed and

9. Portable storage devices

NUIT can provide password protected and encrypted portable storage devices to University staff. These devices use only recognised non-proprietary encryption algorithms that are proven to be secure, such as AES-256.

NUIT recommend that the storage of sensitive and confidential data on portable storage devices is risk assessed and

10. Email

All NUIT managed email is encrypted between the client and the server on the internal network. NUIT can provide software and documented procedures for sharing encrypted data by email with external parties. NUIT recommend that the emailing of sensitive and confidential data is risk assessed and authorised by the relevant manager, such as the data owner.

11. File System Access Control Lists (ACLs)

All NUIT managed servers, workstations and laptops run file systems that support ACLs.

12. User access control

All user access to NUIT managed information systems and services is controlled through Active Directory. All users are assigned a UID (User Identification) that is unique to them. Password complexity is enforced through group policies. Access to all data stored on the NUIT file-store is controlled using permissions.

13. Remote access

Off-site access to NUIT managed systems and services is through the Remote Access System. The Remote Access System uses an encrypted HTTPS connection that is verified using an SSL certificate issued by a recognised certificate authority. All logons to the Remote Access System are logged. NUIT recommend that all remote access to sensitive and confidential data is risk assessed and

14. Network security

The campus network is firewalled at the network perimeter. Additional firewalling (using the built-in firewall) is active on servers. All other intermediary network devices are hardened in accordance with vendor recommendations. Network security scanning is continuously performed to identify misconfigured and unauthorised devices.

Traffic flows are monitored for network activity (egress and ingress) that may be attributed to malicious software and other forms of malicious activity. Traffic flows that are believed to be malicious are terminated. The private network is segregated from the public network using Network Address Translation and Access Control Lists for traffic management and filtering. The private network is further segregated into wired and wireless security domains, each using a different private IP address range. All private IP addresses in use across the University are non-routable addresses as defined in RFC 1918. Further segregation of network traffic is achieved through the use of VLANs and subnetting. Access to the wireless network is through a RADIUS authentication system that is interfaced to the campus Active Directory. The wireless connection is encrypted using WPA2 Enterprise.

15. Information security management

The security of all NUIT managed information systems and services has recently been subject to independent external auditing. The recommendations from this audit form the basis of an on-going programme of work to ensure that information risk is continuously assessed and mitigated. NUIT has a dedicated Information Security Team, which includes a member who is trained in ISO/IEC 27001:2005 and ISO/IEC 27001:2013 auditing and is also a certified PCI-SSC ISA (Internal Security Assessor). An internal information security risk assessment is completed every three months. The findings of this risk assessment are reviewed by the NUIT Information Security Forum and form the basis of a risk treatment plan. This risk treatment plan is a key part of an on-going quality assurance process to ensure that technical and non-technical information security risks are correctly mitigated through the identification, implementation and continued improvement of NUIT managed information security controls.

16. Forensic readiness

System level and user activity logs are generated for all critical parts of the NUIT managed ICT infrastructure. These logs form a key part of the University's programme of forensic readiness. Forensic readiness first responder training has been delivered to core NUIT staff and is cascaded to relevant University personnel.
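The address-plan rules in section 14 (every private address drawn from an RFC 1918 block, wired and wireless security domains on separate ranges, and scanning to catch misconfigured devices) can be checked mechanically against a scanner or DHCP export. The Python below is an added example, not NUIT's own code or tooling; the per-domain ranges and the sample inventory are constructed assumptions, since the summary does not publish the real ranges.

```python
import ipaddress
from typing import Dict, List, Tuple

# The three RFC 1918 private blocks; the summary states that all
# University private addresses are drawn from these.
RFC1918_BLOCKS = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Constructed per-domain address plan (an assumption for this example; the
# summary only says wired and wireless use different private ranges).
DOMAIN_RANGES: Dict[str, ipaddress.IPv4Network] = {
    "wired": ipaddress.ip_network("10.10.0.0/16"),
    "wireless": ipaddress.ip_network("172.20.0.0/16"),
}


def is_rfc1918(addr: str) -> bool:
    """True if addr lies inside one of the three RFC 1918 blocks."""
    ip = ipaddress.ip_address(addr)
    return any(ip in block for block in RFC1918_BLOCKS)


def check_inventory(records: List[Tuple[str, str]]) -> List[str]:
    """Return one finding per (domain, address) record that breaks the plan:
    an unknown domain, a publicly routable address, or a private address
    that belongs to another security domain's range."""
    findings = []
    for domain, addr in records:
        ip = ipaddress.ip_address(addr)
        if domain not in DOMAIN_RANGES:
            findings.append(f"{addr}: unknown security domain '{domain}'")
        elif not is_rfc1918(addr):
            findings.append(f"{addr}: routable address inside private network ({domain})")
        elif ip not in DOMAIN_RANGES[domain]:
            findings.append(f"{addr}: outside the {domain} range {DOMAIN_RANGES[domain]}")
    return findings


# Constructed sample export: two compliant hosts and three misconfigurations.
SAMPLE_INVENTORY = [
    ("wired", "10.10.4.25"),
    ("wireless", "172.20.9.130"),
    ("wired", "172.20.1.5"),      # wireless-range address seen on the wired domain
    ("wireless", "203.0.113.7"),  # publicly routable (TEST-NET-3) address
    ("guest", "192.168.1.10"),    # domain not in the address plan
]
```

Running `check_inventory(SAMPLE_INVENTORY)` yields three findings, one for each of the last three records.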

17. Disaster recovery

All data stored on the NUIT file-store is backed up on a regular basis to a tape library and to an adjacent file-store located in a secure DR (Disaster Recovery) data centre. This ensures that all data can be recovered in the event of a disaster.

18. Secure data disposal

NUIT has a contract with a specialist data disposal company to ensure the secure disposal of old hard disk drives that have been used in NUIT managed ICT equipment.

19. Security incident response

All security incidents reported to NUIT are managed through the NUIT incident response process.

20. Campus Code of Connection

NUIT has developed a campus Code of Connection for non-NUIT managed devices connected to the campus network. The Code of Connection is used to establish an information security baseline and is reviewed and updated on a regular basis: http://www.ncl.ac.uk/itservice/security/coco