University of California, Riverside Computing and Communications. IS3 Local Campus Overview Departmental Planning Template



Similar documents
Attachment A. Identification of Risks/Cybersecurity Governance

IT Security Standard: Computing Devices

Application Development within University. Security Checklist

REGULATIONS FOR THE SECURITY OF INTERNET BANKING

FINAL May Guideline on Security Systems for Safeguarding Customer Information

HIPAA Security Alert

LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

Policy Title: HIPAA Security Awareness and Training

Information Security Policy and Handbook Overview. ITSS Information Security June 2015

Client Security Risk Assessment Questionnaire

Guide to Vulnerability Management for Small Companies

IT Best Practices Audit TCS offers a wide range of IT Best Practices Audit content covering 15 subjects and over 2200 topics, including:

Top Three POS System Vulnerabilities Identified to Promote Data Security Awareness

Policies and Procedures Audit Checklist for HIPAA Privacy, Security, and Breach Notification

FINAL DoIT v.8 APPLICATION SECURITY PROCEDURE

HIPAA Privacy and Security Risk Assessment and Action Planning

Cybersecurity Health Check At A Glance

(Unofficial Translation)

Information security controls. Briefing for clients on Experian information security controls

Wellesley College Written Information Security Program

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

SITA Security Requirements for Third-Party Service Providers that Access, Process, Store or Transmit Data on Behalf of SITA

ISO Controls and Objectives

IBX Business Network Platform Information Security Controls Document Classification [Public]

University of Kent Information Services Information Technology Security Policy

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Music Recording Studio Security Program Security Assessment Version 1.1

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Office of Inspector General

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

HIPAA Security COMPLIANCE Checklist For Employers

UNIVERSITY OF CALIFORNIA, SANTA CRUZ 2015 HIPAA Security Rule Compliance Workbook

SUBJECT: SECURITY OF ELECTRONIC MEDICAL RECORDS COMPLIANCE WITH THE HEALTH INSURANCE PORTABILITY AND ACCOUNTABILITY ACT OF 1996 (HIPAA)

ensure prompt restart of critical applications and business activities in a timely manner following an emergency or disaster

Supplier Information Security Addendum for GE Restricted Data

Information Security Policies. Version 6.1

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

Service Children s Education

TEMPLE UNIVERSITY POLICIES AND PROCEDURES MANUAL

OCIE CYBERSECURITY INITIATIVE

Information Security Policy September 2009 Newman University IT Services. Information Security Policy

APPENDIX G ASP/SaaS SECURITY ASSESSMENT CHECKLIST

Valdosta Technical College. Information Security Plan

University of Illinois at Chicago Health Sciences Colleges Information Technology Group Security Policies Summary

CITY OF BOULDER *** POLICIES AND PROCEDURES

Supplier IT Security Guide

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

SAMPLE TEMPLATE. Massachusetts Written Information Security Plan

Section 3.9 PCI DSS Information Security Policy Issued: June 2016 Replaces: January 2015

VIRGINIA STATE UNIVERSITY RISK ANALYSIS SURVEY INFORMATION TECHNOLOGY

Best Practices For Department Server and Enterprise System Checklist

Standard: Information Security Incident Management

Did you know your security solution can help with PCI compliance too?

HIPAA Information Security Overview

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Standard: Event Monitoring

Account Management Standards

INCIDENT RESPONSE CHECKLIST

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

Pointsec Enterprise Encryption and Access Control for Laptops and Workstations

Rule 4-004M Payment Card Industry (PCI) Monitoring, Logging and Audit (proposed)

Ohio Supercomputer Center

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Security Tool Kit System Checklist Departmental Servers and Enterprise Systems

Health Insurance Portability and Accountability Act (HIPAA) and Health Information Technology for Economic and Clinical Health Act (HITECH)

System Security Plan University of Texas Health Science Center School of Public Health

Chapter 84. Information Security Rules for Street Hail Livery Technology System Providers. Table of Contents

SUPPLIER SECURITY STANDARD

Retention & Destruction

Log Management Standard 1.0 INTRODUCTION 2.0 SYSTEM AND APPLICATION MONITORING STANDARD. 2.1 Required Logging

PCI Compliance. Top 10 Questions & Answers

DHHS Information Technology (IT) Access Control Standard

Incident and Disaster Tolerance/Response Policy

Healthcare Management Service Organization Accreditation Program (MSOAP)

How are we keeping Hackers away from our UCD networks and computer systems?

INFORMATION SECURITY GOVERNANCE ASSESSMENT TOOL FOR HIGHER EDUCATION

COMMONWEALTH OF PENNSYLVANIA DEPARTMENT S OF PUBLIC WELFARE, INSURANCE AND AGING

Vice President of Information

Unified Security Anywhere HIPAA COMPLIANCE ACHIEVING HIPAA COMPLIANCE WITH MASERGY PROFESSIONAL SERVICES

micros MICROS Systems, Inc. Enterprise Information Security Policy (MEIP) August, 2013 Revision 8.0 MICROS Systems, Inc. Version 8.

University of Liverpool

IT NETWORK AND INFRASTRUCTURE FILE SERVER POLICY (for Cheshire CCGs)

VMware vcloud Air HIPAA Matrix

Information Security Policy Manual

EVALUATION REPORT. Weaknesses Identified During the FY 2014 Federal Information Security Management Act Review. March 13, 2015 REPORT NUMBER 15-07

Name: Position held: Company Name: Is your organisation ISO27001 accredited:

Appendix 4-2: Sample HIPAA Security Risk Assessment For a Small Physician Practice

How To Protect Decd Information From Harm

Standard: Data Center Security

Appendix 1c. DIRECTORATE OF AUDIT, RISK AND ASSURANCE Internal Audit Service to the GLA REVIEW OF NETWORK/INTERNET SECURITY

HIPAA SECURITY RISK ASSESSMENT SMALL PHYSICIAN PRACTICE

Security It s an ecosystem thing

Larry Wilson Version 1.0 November, University Cyber-security Program Critical Asset Mapping

ISO27001 Controls and Objectives

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

Data Management Policies. Sage ERP Online

PCI Compliance Top 10 Questions and Answers

POLICIES. Campus Data Security Policy. Issued: September, 2009 Responsible Official: Director of IT Responsible Office: IT Central.

INFORMATION SECURITY PROGRAM

Transcription:

University of California, Riverside Computing and Communications IS3 Local Campus Overview Departmental Planning Template Last Updated April 21 st, 2011 Table of Contents: Introduction Security Plan Administrative Controls Operational and Technical Controls o Identity and access management o Access controls o Systems and Application Security o Network Security o Change Management o Audit Logs o Encryption Physical and Environmental Controls o Risk mitigation measure o Physical access controls o Inventories of devices including their movement o Disposition of equipment o Portable devices and media

Introduction Campus organization and departments must utilize appropriate safeguards to protect sensitive and/or protected information resources based upon the sensitivity of data in question, legal requirements, and risks to the university. These safeguards are expressed within a technical information security plan. Security Plan The information security plan should include measures to enhance the security of information assets, including administrative, operational, technical, physical and environmental controls. Components of this plan should include the following measures. Administrative Controls Administrative controls include establishing sound authentication and authorization processes and procedures with respect to positions that require access to information resources. The emphasis of these processes and procedures is on security, with an aim to provide information workers guidance as they perform their duties. People in the organization should be identified as responsible for determining who has access to what information resources and their level of privilege. Once that is done, procedures should be implemented to: o authorize access only for those who need it, with the least permissions necessary o change access when task assignments change or when people leave the University o initial access authorization, changes, and termination should be recorded and retained o follow principles of separation of duties with restricted or essential data o review on a regular basis the work of people with privileged access Some positions need access to restricted information as part of their duties, and may be deemed critical positions. Such positions should have appropriate background checks as part of the selection process, and procedures should be developed to revoke access in cases of termination or disciplinary action. Procedures should be developed for appropriate action if unauthorized access is discovered, including reporting the action (whistleblower policy), and steps to take when it is discovered. Operational and Technical Controls Passwords, network controls, change management and controls to reduce risk from known threats constitute examples of technology and/or operational controls that, if implemented effectively, improve chances of meeting security objectives. o Identity and access management Departments should use identity and access management processes that provide secure, authenticated access to network based services. Control measures should be secure and provide accountability.

o Access controls Access controls typically include login accounts or the use of a campus identifier, should be instantiated in a manner consistent with campus standards, and records of access should be kept in accordance with audit log guidelines. Appropriate password management should include periodic identification of weak passwords and use of sufficiently strong encryption technologies. The risk of using the same password for multiple applications should be noted, and for critical positions, mitigated in some way, for example with two factor methods. Passwords and other authentication credentials should be considered restricted information and should be protected in transit or at rest. Passwords should be strong and not shared. If circumstances require sharing, a way to determine who accessed Resources should be devised and logged. Automatic logouts or session timeouts should be in place for all devices with access to restricted resources. Privileged accounts should only be used for authorized purposes and procedures commensurate with the level of risk, should be in place to prevent abuse. privileged users should be informed of their responsibility to keep Resources secure and not divulge information discovered as part of routine duties the number of privileged accounts should be few privileged users should have non-privileged accounts to perform duties that don't need root privileged account use should be logged privileged account use should be monitored and reviewed regularly o Systems and application security The security of applications and systems should be the responsibility of people knowledgeable about information technology. They should be aware of applicable UC, campus and departmental policies. They should develop operational security plans commensurate with the level of risk of each resource via periodic risk assessments, and regularly evaluate resource exposure to potential threats. Backup plans should be devised to include recovery of systems with essential data in the case of disaster, as well as to encrypt restricted data. Personal or desktop computers with restricted or essential data should be included in the backup plan. Retention of backups must comply with UC policy regarding electronic data retention. Measures should be deployed to protect systems with restricted or essential data from malicious software. These systems should also be kept up to date with respect to security and other important patches. Application development and maintenance should conform to the specification in BFB IS-10 as well as any local standards, procedures, guidelines and conventions. Developers should conduct an analysis of how personal information should be collected, stored, shared and managed for any application that will be used to process personal information. Internal Audit should be involved early in the application development process.

o Network security All department servers and personal machines should follow local minimum requirements for network connectivity. Firewalls and/or IDS or IPS devices should be used to limit system attacks, with special attention paid to systems with essential and/or restricted data. o Change management Changes to resources with essential or restricted data should include: monitoring and logging of all changes steps to detect unauthorized changes confirmation of testing authorization for moving application programs to production tracking movement of hardware and other infrastructure components periodic review of logs back out plans, and user training o Audit logs Organizations are encouraged to develop a centralized log management infrastructure to protect logs on systems of record and to provide forensics and problem debug capabilities. o Encryption Strong encryption must be used for restricted information in transit and at rest. Other information at rest may need timely or continual availability. Some information is subject to the California Public Records act, and an authoritative copy should be stored in a known location in unencrypted form. Key management is an important part of any encryption strategy, since the risk exists of information becoming unavailable. An encryption key management plan shall: ensure keys are backed up specify procedures if keys are compromised or suspected to be compromised specify a method to determine if keys have been compromised regular review of encryption keys strength include user training on cryptographic key best practices Physical and Environmental Controls Policies and procedures should be developed for the physical protection of Resources supporting restricted and or essential data. The following guidelines may help:

o Risk mitigation measures Preparation should be made for emergency conditions such as earthquakes, fire, flooding and environmental conditions exceeding limits. Controls should also be in place to protect from theft. o Physical access controls Controls should be in place limiting and logging physical access to restricted or essential Resources. o Inventories of devices including their movement Procedure should be in place to track inventory; when it is installed, when it is moved, and when it is decommissioned. o Disposition of equipment Procedures should ensure complete removal of restricted or sensitive data for final disposition of hardware and electronic media. o Portable devices and media Procedures should be in place to guide users on the physical security of portable devices and media.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information