New Systems and Services Security Guidance




Version history

Version  Date        Author                        Type of modification / Notes
0.1      29/05/2012  Donna Waymouth                First draft
0.2      21/06/2012  Donna Waymouth                Update re certificates
0.3      05/10/2012  Donna Waymouth                Updated introduction
1.1      29/05/2013  Donna Waymouth & Paul Sandy   Minor updates. Presented at ISSG

Reference:
Title:
Related Policies:

IT Governance and Compliance Page 1 of 5

Contents

Security Good Practice for New Systems ... 3
System Services ... 3
Login & Passwords ... 3
Logon Banners ... 4
Internet ... 4
General ... 5
Sensitive Services ... 5

Security Good Practice for New Systems

This document is for use by anyone setting up a new service, or substantially upgrading an existing system, for use on the University network. Before any new server or service is connected to the University of Exeter network, we must try to ensure that it does not undermine the security of existing data and systems. Any new system should therefore be reviewed against the security good practice requirements below.

Please note this is not an exhaustive list, and some items may not apply in certain cases because platforms perform different functions. When any part of this guidance is included as an input to a tendering process, it should be treated as highly desirable rather than mandatory. The weighting given to each of these security questions will need to vary according to the nature of the data the system or service will store or process.

If further information or clarification is required on any aspect of this guidance, please contact the IT projects team on ITprojects@exeter.ac.uk.

System Services

To reduce the number of vulnerabilities available to a malicious user, deploy only the system services necessary for the service to function correctly, and remove any default or sample data an attacker could make use of:

a) Any services that are not required for the platform to function correctly should be disabled. Where possible, the code and libraries for those services should be removed as well, not merely left disabled.
b) The service banner (e.g. the IIS "Server" response header) should be changed so that it does not advertise the software type, version or revision number.
c) All system-supplied passwords must be changed.
d) Any unused default accounts must be removed.
e) All sample code, development libraries, and code or tools used for debugging or testing must be removed from the platform.

Login & Passwords

Passwords are the first line of defence for any IT system, so they must offer a level of security suitable for the platform:

a) New services should be incorporated into the University single sign-on platform wherever possible. Local logons must not be used in parallel unless there are overriding Business Continuity / Disaster Recovery requirements.
b) No generic logins should exist. In the case of root, su should be used from a named account so that the originating user can be identified.
c) The login page must not provide any error message that indicates whether a UserID exists.
d) The login page must not provide an error message that indicates whether it was the UserID or the Password that was incorrect, only that the login has not been successful.
e) Do not pre-fill the UserID field with the user last logged on at that computer.
f) Do not offer a "remember me" or "keep me signed in" function if this can be avoided.
g) Where local authentication is required, password complexity (capital and lowercase letters, numerals and symbols) must be implemented in line with the University password policy.
h) Consider whether an account lockout is appropriate, e.g. a delay before returning to the login screen, lockout of the account for x minutes after 3 incorrect login attempts, or lockout until the account is reset by the support team or by answering y of z previously defined questions. A lockout of 2 minutes after 3 incorrect login attempts, extended to 10 minutes after 10 incorrect attempts, is recommended.

i) Systems that handle personal or sensitive data should show the user when, and from which device, they last successfully logged in.
j) Consider whether multiple concurrent logins should be permitted, whether from different browsers using the same source IP address or from different IP addresses. If concurrent logins are not required, the platform should prevent them.
k) Login forms and transmitted credentials must be protected with encryption, e.g. HTTPS.
l) Any transmitted data that may contain personal, confidential, financial or sensitive information, in either direction, should be protected with encryption, e.g. HTTPS.
m) Ensure that only those people who should have access to a system are authorised and have valid accounts. Do not create accounts for all University members or all staff unless this is actually required.

Logon Banners

It is important to tell people that they should not attempt to connect to the server unless they are authorised to do so. A login banner must be set at any login prompt indicating that use of the platform is restricted, such as:

    This computer system is operated on behalf of the University of Exeter. Only authorised users are entitled to connect and/or login to this computer system. If you are not sure whether you are authorised, then you are not and should DISCONNECT IMMEDIATELY. Your connection may be monitored for lawful purposes.

or:

    This computer system is operated on behalf of the University of Exeter. Only current staff are entitled to connect to and/or login to this computer system. If you are not currently employed by the University of Exeter you should DISCONNECT IMMEDIATELY.

This message may be a pop-up window or a statement immediately above or below the login fields.
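Items c), d), g), h) and i) of Login & Passwords above together describe one login flow: a single failure message that does not say whether the UserID or the password was wrong, the same treatment for unknown users, complexity checking for local passwords, the recommended progressive lockout (2 minutes after 3 failures, 10 minutes after 10) and a record of the last successful login to show the user. The following is an added example written for this page, not code from the University of Exeter guidance. The in-memory user store, the injected clock, PBKDF2 hashing and the 12-character minimum length are illustrative assumptions; the page states none of them.

```python
"""Added example, not part of the Exeter guidance: a local login routine that
implements items c), d), g), h) and i) of Login & Passwords: one non-revealing
failure message whether the UserID or the password was wrong, progressive
lockout (2 minutes after 3 failures, 10 minutes after 10), a record of the
last successful login, and the complexity rule for local passwords. The user
store, the injected clock and PBKDF2 password hashing are illustrative
assumptions; the 12-character minimum is not stated on the page."""
import hashlib
import hmac
import os
import re

GENERIC_FAILURE = "Login unsuccessful."   # item d): never say which part was wrong
LOCKOUT_STEPS = ((10, 600), (3, 120))     # item h): (failures, seconds), highest first


def hash_password(password, salt=None):
    """PBKDF2-HMAC-SHA256 with a random per-user salt (assumed scheme)."""
    salt = salt or os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)


def meets_complexity(password):
    """Item g): capitals, lowercase, numerals and symbols (length is an assumption)."""
    return bool(len(password) >= 12
                and re.search(r"[A-Z]", password) and re.search(r"[a-z]", password)
                and re.search(r"\d", password) and re.search(r"[^A-Za-z0-9]", password))


def lockout_seconds(failures):
    """Item h): 0 below 3 failures, 120 s from 3 failures, 600 s from 10."""
    for threshold, seconds in LOCKOUT_STEPS:
        if failures >= threshold:
            return seconds
    return 0


class Authenticator:
    def __init__(self, clock):
        self.clock = clock      # callable returning seconds; injected so tests control time
        self.users = {}         # username -> record (in-memory stand-in for a user store)

    def add_user(self, username, password):
        if not meets_complexity(password):
            raise ValueError("password does not meet complexity policy")
        salt, digest = hash_password(password)
        self.users[username] = {"salt": salt, "hash": digest, "failures": 0,
                                "locked_until": 0, "last_login": None}

    def login(self, username, password, source):
        """Return (success, message, previous_login). previous_login is the
        (time, source) of the last successful login, to be shown per item i)."""
        now = self.clock()
        user = self.users.get(username)
        if user is None:
            # Item c): an unknown user gets the same message and the same hashing
            # work as a wrong password, so neither the text nor the timing reveals it.
            hash_password(password, b"\x00" * 16)
            return False, GENERIC_FAILURE, None
        if now < user["locked_until"]:
            # Locked: even the correct password is refused until the lock expires.
            return False, GENERIC_FAILURE, None
        _, digest = hash_password(password, user["salt"])
        if not hmac.compare_digest(digest, user["hash"]):
            user["failures"] += 1          # counter persists across expired locks
            lock = lockout_seconds(user["failures"])
            if lock:
                user["locked_until"] = now + lock
            return False, GENERIC_FAILURE, None
        previous = user["last_login"]
        user.update(failures=0, locked_until=0, last_login=(now, source))
        return True, "Login successful.", previous
```

The failure counter is only reset by a successful login, so an attacker who waits out each 2-minute lock still reaches the 10-minute lock on the tenth wrong guess; a correct password presented during a lock is refused with the same generic message, which is what makes the lock effective against guessing.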
Internet

Internet connectivity makes the system available directly to your required user base, but also to malicious users:

a) Access to internet-facing platforms must be filtered by a security device so that only those services required are accessible to internet hosts.
b) If the web platform is not intended to be indexed by search engines or similar, include a /robots.txt file in the website's root directory. Please note that robots.txt is only a request honoured by well-behaved crawlers; it will not be observed by malware or an attacker and restricts access to nothing, so content that must not be public still needs authentication or network filtering:

    User-agent: *
    Disallow: /

c) Self-signed certificates must not be used on any internet-facing services.
d) Requests for certificates for any platform should be placed through the Exeter IT Helpdesk. The certificate's expiry date will then be monitored to ensure continuity of encryption services. Please note that these certificates are not of a commercial grade suitable for payment transactions.
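System Services items a) and b) and Internet item a) come down to the same pre-launch check: what is listening on the host, whether each listener is on the list of services the platform actually needs, and what the service tells a client about itself. The script below is an added example written for this page, not code from the University of Exeter guidance. The ss(8) output, the allow-list and the HTTP response are constructed sample data so that it runs offline; on a real host you would feed it the output of `ss -Hltnp` and a response captured from the service.

```python
"""Added example, not part of the Exeter guidance: a pre-launch audit that
compares a host's TCP listeners against the services the platform actually
needs and flags response headers that advertise software type or version.
The ss(8) output, the allow-list and the HTTP response are constructed
sample data so the script runs offline."""
import re

# Constructed sample in the shape of `ss -Hltnp` (TCP listeners, no header line).
SAMPLE_SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22    0.0.0.0:* users:(("sshd",pid=812,fd=3))
LISTEN 0 511 0.0.0.0:443   0.0.0.0:* users:(("nginx",pid=1201,fd=6))
LISTEN 0 128 0.0.0.0:3306  0.0.0.0:* users:(("mysqld",pid=1330,fd=21))
LISTEN 0 50  0.0.0.0:21    0.0.0.0:* users:(("vsftpd",pid=1402,fd=4))
LISTEN 0 128 127.0.0.1:25  0.0.0.0:* users:(("master",pid=990,fd=13))
"""

# Hypothetical allow-list for this platform: port -> the process expected on it.
REQUIRED_SERVICES = {22: "sshd", 443: "nginx"}

# Constructed response from a platform whose banner has not been changed.
SAMPLE_HTTP_HEADERS = """\
HTTP/1.1 200 OK
Server: Microsoft-IIS/7.5
X-Powered-By: ASP.NET
X-AspNet-Version: 4.0.30319
Content-Type: text/html
"""

LISTENER_RE = re.compile(
    r'^LISTEN\s+\d+\s+\d+\s+(\S+):(\d+)\s+\S+\s+users:\(\("([^"]+)"')
# Headers whose presence discloses software type, version or revision.
DISCLOSING_HEADERS = ("server", "x-powered-by", "x-aspnet-version")


def parse_listeners(ss_output):
    """Return (bind_address, port, process) for each TCP listener line."""
    listeners = []
    for line in ss_output.splitlines():
        m = LISTENER_RE.match(line)
        if m:
            listeners.append((m.group(1), int(m.group(2)), m.group(3)))
    return listeners


def unexpected_listeners(ss_output, required=REQUIRED_SERVICES):
    """Split listeners not on the allow-list into those reachable from the
    network (must be disabled or filtered before go-live) and those bound to
    loopback only (not exposed, but still code that can be removed)."""
    exposed, loopback_only = [], []
    for addr, port, proc in parse_listeners(ss_output):
        if required.get(port) == proc:
            continue
        if addr.startswith("127.") or addr == "[::1]":
            loopback_only.append((port, proc))
        else:
            exposed.append((port, proc))
    return exposed, loopback_only


def disclosing_headers(raw_response):
    """Return {header: value} for headers that advertise the software stack."""
    findings = {}
    for line in raw_response.splitlines()[1:]:   # skip the status line
        if ":" not in line:
            continue
        name, value = line.split(":", 1)
        if name.strip().lower() in DISCLOSING_HEADERS and value.strip():
            findings[name.strip()] = value.strip()
    return findings


def audit_report(ss_output=SAMPLE_SS_OUTPUT, raw_response=SAMPLE_HTTP_HEADERS):
    """One finding per line; an empty list means nothing left to fix."""
    exposed, loopback_only = unexpected_listeners(ss_output)
    report = [f"disable or filter: port {p} ({proc})" for p, proc in exposed]
    report += [f"remove if unused: port {p} ({proc}, loopback only)"
               for p, proc in loopback_only]
    report += [f"suppress banner: {h}: {v}"
               for h, v in disclosing_headers(raw_response).items()]
    return report


if __name__ == "__main__":
    for finding in audit_report():
        print(finding)
```

The allow-list is keyed on port and process together, so a required port taken over by an unexpected binary is still reported; loopback-only listeners are reported separately because they are not reachable from the internet but are exactly the kind of unused code item a) says should be removed rather than left in place.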

General

It is important that the new service is protected against known threats and updated when necessary to prevent exploitation or data leakage.

a) Install anti-virus / anti-malware software. The platform must be incorporated into the anti-virus management platform to ensure automated updates.
b) The platform must be included in any system monitoring platform.
c) The platform must be included in the backup schedule.
d) Out-of-band management should be used. If platform management is over the same network interface as standard user access, consider what continuity arrangements are needed in the case of routing issues, denial of service, etc.
e) All management traffic must be encrypted.
f) Management access on remote platforms must be restricted to the University of Exeter IP address range.
g) All authentication data must be encrypted.
h) A nominated role holder must be identified as the owner of the platform.
i) Prior to going live, a support team must be identified as responsible for updates and patching of the platform.
j) All test data must be removed from the platform.
k) Secure coding practices should be adopted to prevent compromise. Further information can be found at www.owasp.org or http://cwe.mitre.org/top25
l) Internet-facing systems must be security scanned prior to launch.

Sensitive Services

Fines or legal action can be brought against organisations that do not look after personal or sensitive data appropriately.

a) Any system that is internet-facing and will handle sensitive information (e.g. personal data, financial data) should be penetration tested prior to launch. Please contact infosecurity@exeter.ac.uk for more information about penetration testing and associated costs.
b) Any critical or high-impact vulnerabilities must be fixed prior to access from the internet / go-live.