Dublin Institute of Technology
IT Security Policy
BS7799/ISO27002 standard framework

David Scott
September 2007

Version  Date      Prepared By
1.0      13/10/06  David Scott
1.1      18/09/07  David Scott
1.2      26/09/07  David Scott*

* Following Directorate, ISSC, Final PWC review & minor errata correction.

Page 1 of 16 9/30/2009
Contents

1.1 Objectives ... 3
1.2 Our Policy ... 3
2 Introduction ... 4
2.1 Statement of Authority ... 4
3 The Information Environment ... 5
3.1 Information Security Incident Management ... 5
4 Physical Security ... 6
4.1 Securing Offices, Rooms and Facilities ... 6
4.2 Secure Areas Access ... 6
4.3 Cabling Security ... 6
4.4 Equipment Maintenance ... 7
4.5 Secure Disposal or Reuse of Equipment ... 7
4.6 Removal of Property ... 7
4.7 Security of Equipment Off-Premise ... 7
4.8 Physical Security Incidents ... 8
5 Access Control ... 9
5.1 User Access Setup and Review of User Accounts ... 10
5.2 Privilege Management ... 11
5.3 Generic User Accounts ... 11
5.4 Email ... 11
5.5 File Storage ... 12
5.6 The Web ... 12
5.7 Internet Access ... 12
5.8 Campus Network ... 12
5.9 Firewall Security Policy ... 13
6 Information Systems Maintenance & Technical Vulnerability Management ... 15
6.1.1 Patch Management ... 15
6.1.2 Remote Access to Systems ... 15
6.1.3 Anti-Virus Security ... 16
Statement

1.1 Objectives

To provide a strategic focus and direction for Information Security Management, to define the Dublin Institute of Technology's Policy for Information Security and to state our commitment to the security of Institute information assets.

1.2 Policy

We are committed to protecting the confidentiality of all our information and ensuring that information is accurate, complete, and available in a timely and efficient manner to those who are authorised to use it.

Our key Information Security objectives are:

- To support our academic and administrative processes and help our teams to achieve their goals
- To help protect against risks inherent in the use of information systems
- To comply with all relevant laws & regulations.

In order to achieve our security objectives, we will operate and maintain an Information Security Governance environment for the secure and efficient processing of information in accordance with recognised best practices. The Chief Information Systems Officer will ensure adherence to these best practices by creating and maintaining an Information Security Management System (ISMS) appropriate to the Institute. This includes:

- Implementing an Information Security Forum to take ownership and provide leadership; membership of this forum will include representatives from all business areas
- Creating an Information Security/Compliance Office to ensure effective security and efficient communications
- Providing a structured set of Policies and Procedures to support the Information Security Organisation
- Conducting risk assessments to identify key areas of risk and the controls required to mitigate these risks to acceptable levels
- Enforcement of all policies across all areas of the Institution
- Ensuring the Institute's compliance with the relevant legislation.

Information Security is the responsibility of all the Institute's staff, students, contractors and third parties with access to Institute information.
We are obliged to take breaches of policy seriously and it is incumbent upon all of us to read and understand the security policies that apply to us in performing our duties.

Signed on behalf of the Institute:
2 Introduction

The purpose of this policy is to define a framework on how to protect the Dublin Institute of Technology's computer systems, network and all information contained within, or accessible on or via, these computer systems from all threats, whether internal, external, deliberate or accidental.

It is the policy of the Institution to ensure that:

- All central computer systems and information contained within them will be protected against unauthorised access.
- All members of the Institute are aware that it is their responsibility to adhere to this policy.
- All parties accept total responsibility for maintaining, adhering to and implementing this policy within their areas.
- The integrity of all central computer systems, and the confidentiality of any information contained within or accessible on or via these systems, is the responsibility of Information Services.
- All regulatory and legislative requirements regarding computer security and information confidentiality and integrity will be met by Information Services and the Institute.
- All breaches of security will be reported to and investigated by a nominated security officer, usually within Information Services.
- The primary role of the Institute's function regarding education and research is not hindered.
- All Policies must comply with BS 7799/ISO27002 standards.

2.1 Statement of Authority

The CISO will have authority to develop, implement and enforce IT security policy. In addition, all users have a responsibility to report promptly (to Information Services) any incidents which may have security significance to the Institute.
3 The Information Environment

Information Services plan, implement, maintain and operate a range of central information servers, core network switches, edge network switches, backup systems, and the overall network infrastructure interconnecting these systems.

The information environment is defined as all central information resources and network infrastructure, including those managed and overseen by Information Services and other DIT IT support units, and all information devices that can physically connect, and have been authorised to connect, to this environment. All are covered by this policy, including information hardware and software, any Institute-related data residing on these machines or accessible from these machines within the campus network environment, and any media such as CD-ROMs, DVD-ROMs and backup tapes that may at times be accessible.

Information Services also considers all temporary and permanent connections via the Institute network, casual laptop docking points, the Wireless network, and the Virtual Private Network to be subject to the provisions of this policy.

Information resources not owned by the Institute may be connected to the Institute's network. However, all such resources must function in accordance with Institute regulations governing the use of ICT resources. Information Services reserves the right to remove any technical resources or devices which do not comply with Institute IT Security policy.

Information Services reserves the right to monitor, log, collect and analyse the content of all transmissions on networks maintained by both Information Services and individual Faculties, Schools, Departments and other organisations at any time deemed necessary for performance and fault diagnostic purposes. Any network monitoring will be performed in accordance with this Policy.

3.1 Information Security Incident Management

All Incidents, including Information Security incidents, should be reported to the Support Desk immediately.
All Incidents will then be logged by the Support Desk and will be passed for resolution, where necessary, to the Incident Co-ordinator. The Incident Co-ordinator will monitor and manage the Incident and will communicate with all relevant parties and stakeholders until the Incident is resolved.

Please refer to the DIT Incident and Problem Management process in the more detailed DIT IS Organisational Security Policies for a comprehensive description of the process to be followed.
4 Physical Security

Information Services provides secure data centre(s) with protected power arrangements and a climate-controlled environment, primarily for the provision of central information and network facilities. Individual departments and, if appropriate, individuals are encouraged to make use of the facility for applicable teaching or research projects.

Any computer equipment in general office environments should be within physically secure rooms outside of general office hours. Personal computing devices in public areas should contain a device or mechanism for securing and protecting the main components and contents of the computer from theft.

4.1 Securing offices, rooms and facilities

Computer rooms, data centres, offices and other locations either housing critical information processing facilities or from where such facilities might be accessed must have good physical security. Equipment that supports critical business activities must be physically protected from security threats and environmental hazards and must be sited, or protected, to reduce the risks of damage, interference and unauthorised access. Consideration should also be given to any security threats posed by neighbouring accommodation.

Whether offices or computer rooms, physical security protection should be based on defined perimeters with security enforced at an appropriate level for each one. Only authorised persons should be admitted to such areas and appropriate entry controls should be implemented to achieve this. Everyone should be required to wear visible identification and encouraged to challenge strangers. Visitors to secure areas should only be granted access for specific, authorised purposes and should be supervised. As security could be compromised by allowing members of the public temporary access for enquiry or delivery purposes, separate enquiry, delivery or loading areas should be provided outside secure areas.
4.2 Secure Areas Access

Details of locations are to be recorded, and the checks to be performed to restrict access to secured areas are to be implemented as per this policy.

4.3 Cabling Security

Cables carrying data or supporting Information Services also require protection from interception or damage. Cabling within buildings should be protected, by using conduit or by avoiding routes through public areas, and cables between buildings should be underground where possible (or subject to adequate alternative protection). Where cables form part of a loop, consideration should be given to using separate routes in order to reduce loss in the event of damage.
4.4 Equipment Maintenance

Equipment should be correctly maintained to ensure its continued availability and integrity, a record of all faults or suspected faults should be kept, and servicing should only be performed by authorised personnel. Equipment supporting critical business operations should be protected by an uninterruptible power supply (UPS), and UPS equipment should be regularly tested in accordance with the manufacturer's recommendations.

4.5 Secure Disposal or Reuse of Equipment

All data will need to be completely erased from equipment prior to disposal, and all items of equipment containing storage media must be checked to ensure that sensitive data is removed or overwritten prior to disposal. All erased data must be rendered irretrievable (use of standard deletion software may be insufficient, as it could be possible to use undelete software to restore the data).

If a system, or its permanent storage, is required to be repaired by a third party, then the significance of any data held must be considered. Damaged storage devices containing sensitive data may require a risk assessment to determine whether the device should be destroyed, repaired or discarded. Damaged storage devices should remain the property of DIT and should only be removed from site with the permission of the IS Support Manager.

4.6 Removal of Property

Equipment containing stored data or software must not be taken off site by employees unless formal authorisation has been obtained from management, the asset's owner, and the appropriate Information Services Support Manager. Prior to authorisation, consideration should be given to the risks associated with the removal of any of the organisation's information, and the impact these risks might have on business operations.
4.7 Security of Equipment Off-Premise

If equipment is to be used outside DIT's premises, remote users need to abide by the following guidelines:

- Personal computers should not be used at home for business activities if virus controls are not in place.
- When travelling, equipment (and media) should not be left unattended in public places. Portable computers should be carried as hand luggage when travelling.
- Time-out protection should be applied.
- Portable computers are vulnerable to theft, loss or unauthorised access when travelling. All mobile devices should have an appropriate form of access protection (e.g. passwords or encryption) applied to prevent unauthorised access to their contents.
- Passwords or other access tokens for access to the organisation's systems should never be stored on mobile devices, where they may be stolen and give the thief unauthorised access to information assets.
- Manufacturer's instructions regarding the protection of equipment should be observed at all times, e.g. to protect against exposure to strong electromagnetic fields.
- Security risks (e.g. of damage, theft) may vary considerably between locations, and this should be taken into account when determining the most appropriate security measures.

4.8 Physical Security Incidents

A Physical Security Incident can be described as an issue that affects the physical barriers and control procedures that are implemented to act as preventive measures and countermeasures against threats to resources and sensitive information.

If a suspected physical security incident is identified, the following actions should be taken:

1. DON'T panic; overreaction may cause more damage.
2. DO report your concerns to the Support Desk (x3123); all reported Incidents will be treated as highly confidential.
3. DO provide as much detail as possible when reporting the Incident.
4. If the Incident is clearly a significant breach of security, contact the CISO immediately.

All such Incidents will then be recorded by the Support Desk and will be assigned to the Incident Co-ordinator if appropriate. For further details on the process of Incident Management, please refer to the DIT Incident and Problem Management process in the detailed DIT IS Organisational Security Policies.
5 Access Control

The organisation's systems shall be managed by suitably trained and qualified staff to oversee their day-to-day running and to preserve security and integrity in collaboration with individual system owners. All systems management staff shall be given relevant training in information security issues.

Access controls shall be maintained at appropriate levels for all systems by ongoing proactive management, and any changes of access permissions must be authorised by the manager of the system or application. A record of access permissions granted must be maintained.

Access to all information services shall use a secure log-on process, and access to the organisation's business systems shall also be limited by time of day or by the location of the initiating terminal, or both.

Where systems store data classified as Confidential or Strictly Confidential, additional steps must be taken to prevent unauthorised access. These may include encrypting the data, ensuring appropriate separation of duties, logging all attempts to read or access sensitive data, and reviewing log reports to monitor access to this data.

Please refer to the acceptable usage policy for staff and students for further details and account eligibility.

All access to information services is to be logged and monitored to identify potential misuse of systems or information. Inactive connections to the organisation's business systems shall shut down after a defined period of inactivity to prevent access by unauthorised persons.

Password management procedures shall be put into place to ensure the implementation of the requirements of the information security policies and to assist users in complying with best practice guidelines. Please refer to the DIT Password Policy in the more detailed DIT IS Organisational Security Policies for further information on the password policy in operation in DIT.
Access to operating system commands is to be restricted to those persons who are authorised to perform systems administration or management functions. Use of such commands should be logged and monitored.

The implementation of new or upgraded software must be carefully planned and managed. Formal change control procedures, with audit trails, shall be used for all changes to systems. All changes must be properly tested and authorised before moving to the live environment.
Capacity demands of systems supporting business processes shall be monitored, and projections of future capacity requirements made, to enable adequate processing power, storage and network capacity to be made available.

Security event logs, operational audit logs and error logs must be properly reviewed and managed by qualified staff. System clocks must be regularly synchronised using the DIT Time Service.

Systems and data must only be accessible via a login account assigned to a specific user, using a secure password. Access to resources must be granted on a need-to-know basis, with user profiles matched to the user's role in the company.

5.1 User access setup and review of user accounts

Where new staff or external third parties need access to DIT computing resources, the formal access application channels need to be followed. For further details on obtaining access to DIT resources please refer to:

- E-mail: http://support.dit.ie/ictsupport/forms/email_account_form.pdf
- Staff phone application/amendment form: www.dit.ie/ict_services
- DIT Business Applications (Banner): http://support.dit.ie/ictsupport/forms/banner_account_form.pdf
- Other software: http://support.dit.ie/ictsupport/forms/application_account_form.pdf
- Active Directory Domain Administrator: please refer to the Domain Administrator Application Form in the more detailed DIT IS Organisational Security Policies.
- ICT Domain User account: please refer to the Application for Active Directory (ICT Domain) User Account in the more detailed DIT IS Organisational Security Policies.

Procedures shall be established for all information systems to ensure that users' access rights are adjusted appropriately, and in a timely manner, whenever there is a change in business need, a user changes their role, or a user leaves the organisation.

Users' access rights will be reviewed at regular intervals. This will ensure that DIT implements robust security controls and identifies breaches of access control standards.
It is also essential to ensure that the changing role of individuals within the organisation receives commensurate and prompt changes to their access rights.
When access levels are to be modified, the requested amended requirements should be sent to Information Services. The amended access levels need to be approved by local management before they are amended.

When access levels are no longer required, formal notification should be sent from Human Resources to Information Services. Upon receipt of such notification, access levels should be revoked from the user.

5.2 Privilege Management

Access to all systems must be authorised by the owner of the system, and a record must be maintained of such authorisations. This record will also include the appropriate access rights or privileges that the user requires.

5.3 Generic User Accounts

It is the policy of DIT not to issue generic user accounts. Existing generic user accounts are to be reviewed and discontinued if no named user can be identified. Access to all DIT computing resources will only be granted upon completion of the procedures outlined in the User access setup and review of user accounts section above.

5.4 Email

When using email, users should refer to http://www.dit.ie/dit/ict_services/regulations/staffregs.html. The following security matters apply to email:

- All users should issue a disclaimer as part of their e-mail configuration. Bulk e-mailing and the creation of unauthorised contracts should also be avoided.
- All mail sent to noc@dit.ie should be checked frequently by a mail system administrator.
- Mail systems must be set up so as to prevent relaying from outside the domain to outside the domain, except when the incoming connection has been properly authenticated as coming from an authorised user.
- The Institute should make use of reputable block-listing sites when configuring our mail systems, to minimise the amount of spam delivered to DIT users. Consideration will be given to implementing other techniques such as grey listing or content filtering and the latest anti-spam technologies, including the possibility of outsourcing these functions.
All relevant legislation must be considered when scanning the content of emails, whether for virus protection or for other reasons, and IS will endeavour to ensure all users are aware of the conditions under which their incoming and outgoing emails might be monitored.

IS are aware that email is likely to be mission-critical and will endeavour to take appropriate measures to protect the facility from being completely, or partially, disabled through malicious or accidental action.
Please refer to the Home Usage Policy - Webmail and be familiar with the policy on http://www.dit.ie/dit/ict_services/regulations/staffregs.html before accessing e-mail via DIT Webmail. These details are available in the more detailed DIT IS Organisational Security Policies document.

5.5 File Storage

All users should have access to the centrally managed networked file storage. When using this facility, users should refer to http://www.dit.ie/dit/ict_services/regulations/staffregs.html.

It should be appreciated that for most applications the security of files on the server is considered to be adequate. However, files held on networked file storage should never be considered completely secure. For this reason, Information Services do not recommend that you hold sensitive information such as exam papers or results on any networked file server.

5.6 Web Pages

All users and sections have the right to publish web pages under the appropriate sub-domain of dit.ie. Individual users and managers will be identified and be responsible for content in these areas, and the Institute reserves the right to remove access to any material which it deems inappropriate, illegal or offensive. Users should not in any way use web space for commercial purposes.

This policy applies to all DIT-hosted web sites (e.g. fp6-project-icing.eu) approved through the Domain Naming Policy. For further details on this, please refer to http://www.dit.ie/dit/ict_services/regulations/domain_naming_policy.pdf

Users shall not in any way use web space to publish material which deliberately undermines IT security at the Institute or elsewhere. Users shall not publish any information regarding open accounts, passwords, PINs, illegally obtained software licences, hacking tools, common security exploits or similar, unless there are specific and legitimate reasons to do so (e.g. in order to demonstrate a problem to enable a fix, or similar).

5.7 Internet Access

The campus network is connected to the Internet via HEAnet.
Information Services operate and maintain a firewall with the aim of protecting the campus network and computer systems from unauthorised or illegal access or attack from the external environment.

For further details on the policies surrounding the use of the Internet, please refer to the HEAnet Acceptable Usage Policy, the DIT Internet Usage Policy and the Declaration of Agreement to Comply with Internet Usage & Remote Access Policies, all located in the DIT IS Organisational Security Policies document.

5.8 Campus Network
Individuals must seek permission from local support representatives before connecting any machine to the LAN. Information Services may disconnect any unauthorised host from the network without warning if discovered.

5.9 Firewall Security Policy

The DIT firewall is a fundamental component in the overall security architecture of DIT. Firewall configuration demands skill from the firewall administrators, requiring a considerable understanding of network protocols and computer security. Improper configuration or mismanagement of the firewall can render it worthless as a security tool.

The firewall secures the perimeter of the DIT network. All connections from the Internet to internal DIT address space must first pass through the firewall. A Default Deny policy is in operation on the firewall, where the default condition of the firewall is to deny ALL connectivity - from anywhere, to anywhere. Exceptions to the firewall policy must be requested using the Internet Server Service Registration Form available at http://support.dit.ie/ictsupport/forms/internet_service_registration_form.pdf

Outgoing Connections

These are connections to machines and services external to DIT from machines within DIT. The policy is default deny. All connections to machines and services external to DIT from machines within DIT are generally allowed, with the exception of:

- Connections which would conflict with other information systems policies.
- Connections from machines at DIT that are known to be insecure.
- Any other connections which represent an unnecessary security risk to DIT.

Incoming Connections

These are connections to machines and services within DIT from machines outside DIT. The policy is default deny. Connections to machines and services within DIT from machines external to DIT will not be allowed unless they have first been approved by the CISO. Approval will be based on the following criteria:

- The connection is required for DIT business.
- The connection does not represent an unnecessary security risk to DIT.
- The connection does not use an insecure protocol where a more secure alternative exists.
- The connection does not involve unnecessary replication of functionality.
- The cost of implementing the exception is proportional to the benefit to DIT.

For more details on the configuration of the firewall in DIT and the process for approval, please refer to the Firewall policy contained in DIT IS Organisational Security Policies.
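The Default Deny model described in this section (deny everything, register each inbound exception, allow outbound except from known-insecure hosts) maps directly onto a perimeter packet-filter ruleset. The following nftables ruleset is an added illustration written for this page; it is not DIT's firewall configuration, and the page does not say what software DIT's firewall runs. The interface names (wan0, lan0), the internal address range, the "known insecure" hosts and the registered inbound services are all constructed placeholders.

```nft
#!/usr/sbin/nft -f
# Added example of a default-deny perimeter policy; not DIT's configuration.
flush ruleset

# Constructed placeholders: internal address space and hosts that a local
# review has flagged as insecure (the policy's "known to be insecure" case).
define DIT_NET        = 10.0.0.0/8
define INSECURE_HOSTS = { 10.1.2.3, 10.1.2.4 }

table inet perimeter {

    # Inbound exceptions approved via the registration process: one entry per
    # (internal address, TCP port). Nothing else is reachable from outside.
    set registered_inbound {
        type ipv4_addr . inet_service
        elements = { 10.5.0.10 . 443,   # constructed: approved web server
                     10.5.0.11 . 25 }   # constructed: approved mail relay
    }

    # Traffic crossing the perimeter. "policy drop" is the default-deny
    # condition: anything not explicitly accepted below is discarded.
    chain forward {
        type filter hook forward priority 0; policy drop;

        # Replies to connections already accepted are allowed back through.
        ct state established,related accept
        ct state invalid drop

        # Incoming: from the Internet to internal space, only to registered
        # (address, port) pairs, and only for new connections to those pairs.
        iifname "wan0" oifname "lan0" ip daddr . tcp dport @registered_inbound \
            ct state new counter accept

        # Outgoing: hosts known to be insecure may not reach the Internet.
        iifname "lan0" oifname "wan0" ip saddr $INSECURE_HOSTS counter drop

        # Outgoing: everything else from internal space is generally allowed.
        iifname "lan0" oifname "wan0" ip saddr $DIT_NET ct state new accept

        # Everything that falls through is logged before the chain policy
        # drops it, so denied attempts are visible to the incident process.
        counter log prefix "perimeter-drop " drop
    }

    # Traffic addressed to the firewall itself: default deny, with
    # administration only from the internal network (constructed port 22).
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        iifname "lan0" ip saddr $DIT_NET tcp dport 22 ct state new accept
        counter log prefix "perimeter-mgmt-drop " drop
    }
}
```

The point of the structure is that the "Incoming Connections" exception list lives in a single named set, so an approved registration becomes one added element rather than a new rule, and the review of exceptions described in the policy is a review of that set's contents. Loading it with `nft -f` replaces the running ruleset atomically, so there is no window in which the perimeter is open while rules are being rewritten.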
6 Information Systems Maintenance & Technical Vulnerability Management

6.1.1 Patch Management

The purpose of this policy is to ensure that computer systems attached to the network in DIT are updated accurately and in a timely manner with security protection mechanisms (patches) for known vulnerabilities and exploits. These mechanisms are intended to reduce or eliminate the vulnerabilities and exploits with limited impact to the business.

All security patches must be applied as soon as possible after their release, and a log of the status of all patches will be recorded. A more detailed policy on patch management in DIT is available in the Patch Management Policy in the DIT IS Organisational Security Policies document.

6.1.2 Remote Access to Systems

Remote access is defined as accessing systems from a physically separate network. This may include:

- Connections direct across the Internet
- VPN connections
- Direct dial connections via approved service providers
- Other methods

Any user with a valid Dublin Institute computer account may access systems as appropriate. Remote access is allowed via secure methods only. Remote connections to any campus IT services are subject to the same rules and regulations, policies and practices as if they were physically on the campus.

VPN facilities are generally provided to IT staff for the purpose of remote systems administration. The preferred approach for suppliers who support applications remotely is via the VPN and, occasionally, direct through the firewall on a case-by-case basis.

Information Services should provide the only VPN and dial-in service that can be used. All connections via these services will be logged. No other remote access service shall be installed or set up, including single modems connected to servers or workstations. Any active dial-in services found to be in existence will be removed from the network.
For further details on the policies surrounding remote access, please refer to the DIT Remote Access Policy and the Declaration of Agreement to Comply with Internet Usage & Remote Access Policies in the detailed DIT IS Organisational Security Policies document. This policy and associated declaration contain details relating to remote access exceptions, remote devices and third party accounts.
6.1.3 Anti-Virus Security

Information Services will provide means by which all users can download and install current versions of site-licensed virus protection software. Users must ensure that they are running adequate and up-to-date anti-virus software at all times. If any user suspects a viral infection on their machine, a complete virus scan should be performed.

If Information Services detect a machine behaving abnormally due to a possible viral infection, it will be disconnected from the network until deemed safe. Reconnection will usually be after liaison with the owner or local supporter.

In the event of a serious widespread virus attack, emergency procedures will be invoked. This will ensure immediate action by all relevant IT staff to ensure the security of Institute information resources through viral scanning and disconnection.

For further details on the anti-virus policies and procedures in operation in DIT, please refer to the DIT Anti-Virus Policy in the DIT IS Organisational Security Policies document. This contains information relating to product definition updates, file transfer and service level agreements.