UCLA Policy 401 Minimum Security Standards for Network Devices



Similar documents
LAMAR STATE COLLEGE - ORANGE INFORMATION RESOURCES SECURITY MANUAL. for INFORMATION RESOURCES

IT Security Standard: Computing Devices

Network Security Policy

PCI DSS Requirements - Security Controls and Processes

IT Governance Committee Review and Recommendation

Boston University Security Awareness. What you need to know to keep information safe and secure

OSU INSTITUTE OF TECHNOLOGY POLICY & PROCEDURES

FORT HAYS STATE UNIVERSITY CREDIT CARD SECURITY POLICY

Remote Access Policy HS 9453-D

Controls for the Credit Card Environment Edit Date: May 17, 2007

Network Security Policy

Information Security Policy

MONTSERRAT COLLEGE OF ART WRITTEN INFORMATION SECURITY POLICY (WISP)

Network Service Policy

Approved 12/14/11. FIREWALL POLICY INTERNAL USE ONLY Page 2

Enterprise Security Critical Standards Summary

Did you know your security solution can help with PCI compliance too?

ADM:49 DPS POLICY MANUAL Page 1 of 5

NETWORK INFRASTRUCTURE USE

THE PENNSYLVANIA STATE UNIVERSITY OFFICE OF HUMAN RESOURCES PASSWORD USAGE POLICY

Retention & Destruction

74% 96 Action Items. Compliance

HIGH-RISK SECURITY VULNERABILITIES IDENTIFIED DURING REVIEWS OF INFORMATION TECHNOLOGY GENERAL CONTROLS

STRATEGIC POLICY. Information Security Policy Documentation. Network Management Policy. 1. Introduction

California State Polytechnic University, Pomona. Desktop Security Standard and Guidelines

TASK TDSP Web Portal Project Cyber Security Standards Best Practices

Specific observations and recommendations that were discussed with campus management are presented in detail below.

Hang Seng HSBCnet Security. May 2016

MIT s Information Security Program for Protecting Personal Information Requiring Notification. (Revision date: 2/26/10)

AUGUST 28, 2013 INFORMATION TECHNOLOGY INCIDENT RESPONSE PLAN Siskiyou Boulevard Ashland OR 97520

Dublin Institute of Technology IT Security Policy

Maruleng Local Municipality

TABLE OF CONTENT. Page 2 of 9 INTERNET FIREWALL POLICY

modules 1 & 2. Section: Information Security Effective: December 2005 Standard: Server Security Standard Revised: Policy Ref:

Miami University. Payment Card Data Security Policy

1 Purpose Scope Roles and Responsibilities Physical & Environmental Security Access Control to the Network...

Information Technology Security Procedures

Step-by-Step Configuration

Host Hardening. Presented by. Douglas Couch & Nathan Heck Security Analysts for ITaP 1

SonicWALL PCI 1.1 Implementation Guide

Procedure Title: TennDent HIPAA Security Awareness and Training

AASTMT Acceptable Use Policy

DATA SECURITY AGREEMENT. Addendum # to Contract #

Telework and Remote Access Security Standard

Information Technology Branch Access Control Technical Standard

Written Information Security Plan (WISP) for. HR Knowledge, Inc. This document has been approved for general distribution.

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Responsible Access and Use of Information Technology Resources and Services Policy

Frequently Asked Questions

Biological Sciences Computer Systems

University of Pittsburgh Security Assessment Questionnaire (v1.5)

Access Control BUSINESS REQUIREMENTS FOR ACCESS CONTROL

ARE YOU REALLY PCI DSS COMPLIANT? Case Studies of PCI DSS Failure! Jeff Foresman, PCI-QSA, CISSP Partner PONDURANCE

PCI DSS Policies Outline. PCI DSS Policies. All Rights Reserved. ecfirst Page 1 of 7

Enterprise K12 Network Security Policy

Ovation Security Center Data Sheet

Department of Information Technology Remote Access Audit Final Report. January promoting efficient & effective local government

Hamilton College Administrative Information Systems Security Policy and Procedures. Approved by the IT Committee (December 2004)

How are we keeping Hackers away from our UCD networks and computer systems?

Data Management Policies. Sage ERP Online

Automation Suite for. 201 CMR Compliance

Policy on Connection to the University Network

KEY STEPS FOLLOWING A DATA BREACH

Building A Secure Microsoft Exchange Continuity Appliance

New River Community College. Information Technology Policy and Procedure Manual

UPSTREAMCONNECT SECURITY

Ti m b u k t up ro. Timbuktu Pro Enterprise Security White Paper. Contents. A secure approach to deployment of remote control technology

Network & Information Security Policy

New Mexico Highlands University (NMHU) Information Technology Services (ITS) Information Technology Resources Policy: Internet, Intranet, ,

Locking down a Hitachi ID Suite server

Minnesota State Colleges and Universities System Procedures Chapter 5 Administration. Guideline Payment Card Industry Technical Requirements

Desktop and Laptop Security Policy

UNIVERSITY OF ROCHESTER INFORMATION TECHNOLOGY POLICY

How To Write A Health Care Security Rule For A University

Cyber Security: Beginners Guide to Firewalls

Introduction. Purpose. Reference. Applicability. HIPAA Policy 7.1. Safeguards to Protect the Privacy of PHI

Server Protection Policy 1 1. Rationale 1.1. Compliance with this policy will help protect the privacy and integrity of data created by and relating

LogRhythm and PCI Compliance

The 12 Essentials of PCI Compliance How it Differs from HIPPA Compliance Understand & Implement Effective PCI Data Security Standard Compliance

FIREWALL CHECKLIST. Pre Audit Checklist. 2. Obtain the Internet Policy, Standards, and Procedures relevant to the firewall review.

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Massachusetts MA 201 CMR Best Practice Guidance on How to Comply

Introduction. PCI DSS Overview

References NYS Office of Cyber Security and Critical Infrastructure Coordination Best Practices and Assessment Tools for the Household

State of Illinois Department of Central Management Services GENERAL SECURITY FOR STATEWIDE NETWORK RESOURCES POLICY

CITY OF BOULDER *** POLICIES AND PROCEDURES

Visa U.S.A Cardholder Information Security Program (CISP) Payment Application Best Practices

Payment Card Industry (PCI) Data Security Standard Self-Assessment Questionnaire C and Attestation of Compliance

Essentials of PC Security: Central Library Tech Center Evansville Vanderburgh Public Library

Catapult PCI Compliance

REGION 19 HEAD START. Acceptable Use Policy

AIRDEFENSE SOLUTIONS PROTECT YOUR WIRELESS NETWORK AND YOUR CRITICAL DATA SECURITY AND COMPLIANCE

Dell SonicWALL Aventail Connect Tunnel User Guide

Cyber Security Beginners Guide to Firewalls A Non-Technical Guide

Determine if the expectations/goals/strategies of the firewall have been identified and are sound.

Section 12 MUST BE COMPLETED BY: 4/22

IT Security Procedure

Southern Law Center Law Center Policy #IT0014. Title: Privacy Expectations for SULC Computing Resources

Transcription:

UCLA Policy 401 Minimum Security Standards for Network Devices Issuing Officer: Associate Vice Chancellor, Information Technology Responsible Dept: Office of Information Technology Effective Date: November 18, 2005 Supersedes: New I. REFERENCES II. INTRODUCTION AND PURPOSE III. DEFINITIONS IV. STATEMENT V. ATTACHMENTS I. REFERENCES 1. UC Business and Finance Bulletin, IS-3, Electronic Information Security; 2. UCLA Policy 420, Notification of Breaches of Computerized Personal Information; 3. UCLA Procedure 350.6, Data Services. II. INTRODUCTION AND PURPOSE UCLA encourages the use of its electronic communications network in support of the University s mission. However, this resource is limited and may be vulnerable to attack or improper use. It must be wellmanaged and protected, and UCLA reserves the right to deny access to its electronic communications network by Devices that do not meet its standards for security. The purpose of this policy is to establish the Minimum Security Standards for all electronic Devices connecting to the UCLA Campus Network, in accordance with the principles endorsed by the UCLA Information Technology Planning Board March 31, 2005. Such standards serve to help protect not only the individual Device, but other Devices connected to the Campus Network. Portions of this policy are drawn from the UC Berkeley Minimum Security Standards for Networked Devices, issued January, 2004. This policy also identifies those with principal responsibility for compliance with the Minimum Security Standards, and for the enforcement of this policy, including taking corrective action. III. DEFINITIONS Campus Network: All UCLA networks connected to the campus backbone network, directly or indirectly, and whether or not behind a firewall or Network Address Translation (NAT) device. (NAT is an Internet standard that enables a local area network (LAN) to use one set of IP addresses for internal traffic and a second set of addresses for external traffic). Connectivity Service Provider: For the purposes of this policy, a unit, organization, or person that enables access to the Campus Network by UCLA faculty, students and staff and including for visiting scholars, conference attendees or other temporary visitors to UCLA. Network Device (Device): A computer, printer, wireless appliance or other piece of equipment that can connect to and communicate over the Campus Network. System Administrator: An individual who installs, configures and/or maintains any Device in his or her area of responsibility that is connected to the Campus Network. app_0401_0final.doc

UCLA Policy 401 Page 2 of 7 IV. STATEMENT This policy applies to all faculty, staff, students and contractors who connect a Network Device to the Campus Network. (i.e., when a Network Device will be assigned an Internet Protocol (IP) address that is routable on the Campus Network and, can be used to send data to, or receive data from, the Campus Network). This policy is applicable: regardless of how the Device is connected to the Campus Network (e.g., directly from a campus office or indirectly from a faculty member s home, for example using UCLA dialup or UCLA Virtual Private Network (VPN)); and whether or not the Device is owned by the University. Whenever anyone is connected to the Campus Network, he or she is expected to comply with this Policy. A. Compliance with Minimum Security Standards All Devices connecting to the Campus Network, whether physically located on campus property or not, must comply with the Minimum Security Standards in Attachment A. A Device that does not meet these Minimum Security Standards is subject to disconnection or having its access blocked to the Campus Network until remediation has been performed. More restrictive standards may be adopted at the department or unit level. Devices that host restricted data as defined in University of California Business and Finance Bulletin IS-3 may be required to conform to more rigorous security standards. Devices hosting specific types of data (e.g., as defined by UCLA Policy 420 or the Health Insurance Portability and Accountability Act (HIPAA)) may be subject to additional constraints. See the Protection of Personal Information Web site at http://www.bruintech.ucla.edu/policies/personal_info.htm for guidance. B. Responsibilities for Compliance and Enforcement System Administrators System Administrators shall ensure that every Device for which they are responsible is in compliance with the Minimum Security Standards. A System Administrator may be an IT staff member whose responsibilities include ongoing maintenance for all Devices in a department or computer lab. A faculty member functions as a System Administrator when his or her personally owned computer at home connects to the Campus Network (e.g., via the Bruin OnLine modem pool or through the campus VPN server). Connectivity Service Providers (CSP) Connectivity Service Providers shall take appropriate corrective action: 1. when a Device connected to the Campus Network is causing disruption (e.g., sourcing a denial-ofservice attack). In such situations, the CSP must have procedures in place to identify the problem Device and disconnect or block its access as appropriate. The Device may be reconnected only when the cause of the disruptive behavior has been addressed and provided it meets the Minimum Security Standards. Further, if the Device hosts personal information as defined in UCLA Policy 420, a potential security breach must be assumed and the procedures in that policy must be followed. 2. if a Device connected to the Campus Network is found not to meet the Minimum Security Standards (e.g., through a vulnerability scan). In such situations, the Device is subject to disconnection or having its access to the Campus Network blocked by the CSP unless remediation is completed in a timely manner. Under certain circumstances, a CSP may execute approved alternatives to the Minimum Security Standards, as listed in section C., below.

UCLA Policy 401 Page 3 of 7 C. Exceptions to the Minimum Security Standards A Device may connect to the Campus Network only if it meets the Minimum Security Standards. However, there may be various reasons why a Device does not meet these standards yet has a legitimate reason why it needs to connect to the Campus Network. In such cases, under the following circumstances, an exception may be made by employing alternate security measures. 1. Many common Devices either do not meet these standards (e.g., printers with a built-in web server) or it would be impractical for critical usability reasons (e.g., grid computers, some high-volume servers). In such cases, standard alternate security measures can be employed, thereby satisfying the Minimum Security Standards (See Attachment B). 2. Laptops and other Devices brought by visiting scholars, conference attendees and other temporary visitors to UCLA cannot be assumed to comply with these Minimum Security Standards. Therefore, a CSP must develop an appropriately secured environment in order to provide access to the Campus Network for such visitors. 3. Any other Device that cannot meet the Minimum Security Standards may still be connected to the Campus Network if an alternate method of providing equal or greater security is documented by the System Administrator and this alternate method is approved by the Connectivity Service Provider. All exceptions shall be documented in writing (electronically or otherwise) and kept on file by the Connectivity Service Provider. Such documentation shall be kept on file for as long as the Device associated with the exception is connected to the Campus Network. D. Recourse Appeals concerning decisions made or actions taken by a Connectivity Service Provider may be made to the Associate Vice Chancellor, Information Technology, who will consult with other campus officials, as appropriate, to make the final determination. V. ATTACHMENTS A. Minimum Security Standards for Network Devices. B. Implementing Guidelines for Minimum Security Standards for Network Devices. Issuing Officer /s/ James Davis Associate Vice Chancellor, Information Technology Questions concerning this policy or procedure should be referred to the Responsible Department listed at the top of this document.

UCLA Policy 401 Page 4 of 7 A T T A C H M E N T A Minimum Security Standards for Network Devices These minimum standards are intended to ensure the security of all Devices connected to the Campus Network. Any Device to be connected to the Campus Network must satisfy the following minimum standards, as appropriate, or adopt a standard alternate security measure (see Attachment B). 1. Software patch updates Devices to be connected to the Campus Network must run software for which critical security patches are made available in a timely fashion and must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications. 2. Anti-virus software Anti-virus software for any particular type of operating system must be running and up-to-date on every Device, including clients, file servers and mail servers. Products other than offered by the campus may be used if comparable. Exceptions may be made for anti-virus software that could compromise the usability of critical applications. 3. Host-based firewall software (software on a Device that helps protect the Device by controlling what network traffic is allowed to enter and leave the Device) System Administrators are responsible for ensuring that computers with native host-based firewall software included in the operating system have the firewall activated and properly configured. Exceptions may be made for firewall software that compromises the usability of critical applications. 4. Passwords Campus electronic communications systems or services that require users to be identified must identify and authorize users using secure authentication processes (e.g., digital certificates, biometrics, Smart Cards, one-time passwords or encrypted password transactions). When reusable passwords are employed, they must meet the minimum password complexity standards below. In addition, shared-access systems must be configured to enforce these standards whenever possible and appropriate and require that users change any pre-assigned passwords immediately upon initial access to the account. All default passwords for access to network-accessible Devices must be modified. Passwords that may be used by System Administrators for their personal access to a service or Device must not be the same as those used for privileged access to any service or Device. All passwords employed to authorize access to campus electronic communications systems or services must meet the following minimum password complexity standards. The password must: Contain six characters or more. Contain characters from at least two of the following three character classes: Alphabetic (e.g.: a-z, A-Z) Numeric (i.e. 0-9) Punctuation and other characters (e.g.:!@#$%^&*()_+ ~-=\`{}[]:";'<>?,./) 5. Unencrypted authentication Unencrypted Device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the Campus Network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. To prevent password harvesting, passwords must not be sent in the clear and all campus Devices must use encrypted authentication mechanisms or otherwise secure

UCLA Policy 401 Page 5 of 7 authentication mechanisms. Passwords or protocols which provide no log on access to the system (e.g., anonymous FTP) are exempted from this requirement. 6. Unauthenticated email relays Campus Devices must not provide an active SMTP (an Internet protocol for sending email between Devices) service that allows unauthorized parties to relay email messages. Before transmitting email to a non-local address, the sender must authenticate with the SMTP service. Unless an unauthenticated relay service has been reviewed by Communications Technology Services as to configuration and appropriate use, it may not operate on the Campus Network. 7. Unauthenticated proxy services Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate Device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless an unauthenticated proxy server has been reviewed by Communications Technology Services as to configuration and appropriate use, it is not allowed on the Campus Network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the System Administrator and re-configured to prevent unauthenticated proxy services. 8. Physical security Unauthorized physical access to an unattended Device can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, Devices must be configured to lock and require a user to re-authenticate if left unattended for more than 20 minutes. System Administrators are responsible for maintaining the physical security of devices in their care. 9. Unnecessary services If a service is not necessary for the intended purpose or operation of the Device, that service shall not be running.

UCLA Policy 401 Page 6 of 7 A T T A C H M E N T B Implementing Guidelines for Minimum Security Standards for Network Devices These Guidelines are intended to assist System Administrators and Connectivity Service Providers in achieving compliance with the Minimum Security Standards for Network Devices. Departments may choose to adopt higher standards of security for Devices than those stated in Attachment A if they are compliant with the UC Electronic Communications Policy and other relevant campus and University policies. A. Non-compliance with Minimum Security Standards An alternative to disconnecting a Device or blocking its access to the Campus Network is to put it into a quarantine area, providing users with limited access or a web-based service to assist with checking, updating or cleaning the Device. Further information may be found at: http://www.netreg.org http://www.microsoft.com/windowsserver2003/techinfo/overview/napoverview.mspx Connectivity Service Providers should make System Administrators aware of the Minimum Security Standards. When investigating a security incident, Connectivity Service Providers should also check the security of any other Device to which the compromised machine was connected. B. Exceptions to the Minimum Security Standards Many common Devices do not meet the Minimum Security Standards (e.g., printers with a built-in web server) or for some Devices it is not appropriate or practical to meet them for critical usability reasons (e.g., grid computers, some high-volume servers). In such cases, standard alternate security measures can be employed instead, thereby satisfying the fundamental requirements of the Minimum Security Standards. Use of these alternate methods should generally be automatically approved by a Connectivity Service Provider. Device or System Standard Exception Network printers Servers with critical applications that would be impacted by one or more of the Minimum Security Standards Older operating systems that cannot be upgraded Devices that cannot fully implement the minimum password complexity standards Security Actions for Automatic Approval by CSP Redirect HTTP traffic Firewall, change management, enhanced system monitoring Firewall, change management Use the strongest password possible within the restrictions of that particular system. C. Software patch updates Patch management software is available for Windows computers at discounted rates by going to the UCLA Software Central site at http://www.ats.ucla.edu/software/. Alternate patch management software may be used if comparable. D. Anti-virus software Anti-virus software is available free of charge to all UCLA faculty, students and staff (including personally owned computers) by going to www.bol.ucla.edu/software/sophos. Antivirus software is required for an operating system if it is listed as Supported on the web page noted above. If an operating system is listed

UCLA Policy 401 Page 7 of 7 as Unsupported, then it is only recommended that such software be used. Alternate anti-virus software may be used if comparable. E. Passwords Campus electronic communications systems or services that require users to be identified must identify and authorize users using secure authentication processes. However, this does not preclude anonymous access to such services where appropriate. Anonymous access does not exempt a Connectivity Service Provider from the requirement to have procedures in place to identify and isolate problem Devices on a network. In cases where a Device cannot implement the minimum password complexity standards (see Passwords in Attachment A), the strongest requirements that can be used within the restrictions of that particular system shall be used. Some user guidelines for avoiding poor passwords: Names of family, pets, friends, or co-workers. Names of well-known fictional characters. Computer terms and names, commands, sites, companies, hardware, or software. Birthdays or other personal information such as addresses or phone numbers. A set of characters in alphabetic or numeric order (e.g. abcdef), in a row on a keyboard (e.g. qwerty), or in a simple pattern (e.g. 123123). Any of the above spelled backwards. Any of the above preceded or followed by a digit (e.g., qwerty1, 1qwerty). A bank account PIN. F. Unencrypted authentication There are some situations where encrypted passwords are inappropriate or irrelevant. For example, for use with anonymous FTP or one-time passwords. G. Unauthenticated proxy services Unauthenticated proxies have implications for content licensed by UCLA for the UCLA community. Therefore, if Communications Technology Services approves an unauthenticated proxy service, it shall notify the UCLA Library that it has done so in order that the Library may block access from the appropriate addresses. Other units with such licensed content should contact Communications Technology Services to be notified as well. Proxy servers must conform to this policy. Devices that connect to the UCLA Campus Network only through a proxy server are not subject to this policy. H. Unnecessary services Systems Administrators should actively configure a system, making judgments about the services that must be available on the Device so that it meets its intended purpose or use, and eliminating unnecessary services.

2024 © DocPlayer.net Privacy Policy | Terms of Service | Feedback  | Do Not Sell My Personal Information