University of Virginia School of Architecture
Computer Technologies Security: Guidelines and Procedures
Version 1.0 – July 30, 2003

The following is a list of policies and procedures which have been deemed necessary for the best possible technology security for the School of Architecture and the various students, faculty, and staff which make up the Community. Where possible, source documents, including federal and/or state legal precedents, have been cited and/or linked.

Security Awareness:

Risk Assessment- Assessment of outside risk and the School of Architecture’s ability to respond to threats should occur at least once per calendar year. This assessment should include, but not necessarily be limited to, ITC’s Self-Assessment Checklist.
Ref: COV ITRM Guideline: http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc
ITC Self-Assessment Checklist: http://www.itc.virginia.edu/security/checklist/checklist_intro.html

User Awareness/Training- Users should be made aware through an orientation process of existing risks and what they can do to prevent them. Users should be briefed on the availability of software and other in-place security measures and how to interact with and what to expect from those security systems and procedures.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Staff Technical Training- Staff should be trained and/or certified and up-to-date in appropriate system administration and related skills. All of the School’s staff who make use of computing technologies, regardless of department, should have a basic level of training. Technical staff will be certified and/or trained to a higher degree.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Technical Communications (Both to Staff and to Users)- Technologies and/or services should be implemented to communicate technical information and notifications regarding the status of security events and safeguards to all members of the Community.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Authentication and Authorization:

Authentication of Users- Authentication via “Best Practice” technology should be required of all users in the community. Authentication should be required at User logon to client computers and any other Point of Access to data and/or services provided by the School of Architecture.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Password Protection of Account Access- Password-protected logon to both network services and individual client computers should be required at all times. Passwords should comply with current best possible security practices. All passwords and accounts will be unique and personal to a human individual, not generic or shared, as in group accounts. All accounts will be received through either ITC or the Computer Technologies Office of the School of Architecture. Passwords and other sensitive account information should never be given out, written down, distributed, or in any other way disseminated to any parties, either within or outside of the Community.

Access to Wired and Wireless Networks- Access to the School’s networks via either a physical Ethernet connection or a wireless connection should be limited to those users who have submitted their computer’s MAC address to ITC and to the School of Architecture.

Data Security:

Password Protected Screen Savers- Screen savers should be enabled on client computers which activate after a maximum of ten (10) minutes of user inactivity.
The subsequent deactivation of these screen savers should be password protected.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Controlled Network Authorization- Access to the School of Architecture’s network from computers outside the network should be protected via firewall, IPSec, TCP wrapper, VPN, and/or associated security technologies.

Sensitive Data Authorization and Access- Sensitive data should have a higher level of authorization in order to access it. That is, in addition to password control and/or authentication for access to the file system, additional (further) password and authentication should be implemented to protect sensitive data. Current examples of this technology are password protection of individual Excel spreadsheets or “grant tables” in a database context. Access to sensitive data will be given only to those with direct need for such access.

Computer (Machine) Security:

Up-to-date Antivirus and System Security Software- Individual computers on the School’s networks should be updated with the most current version of antivirus and/or security software, which should include, but not be limited to, virus definitions, operating system updates, and the like.

Systems Interoperability Security:

Transmission of Data- Unencrypted Telnet, FTP, or R-Utilities should not be used. Secure alternatives, such as SSH or SFTP, should be used instead. E-mail of sensitive information as clear text should never be performed, as this method is insecure. In those cases where e-mail is required, such electronic transmissions must be encrypted via a standard technology such as PGP.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Transmission of Data- Internal- Data transferred across the School’s network should use the best possible practice for security.

Physical Security:

Controlled Access to Important Systems- Servers, routers, and other hardware which is critical to the School’s operation of its networks should be physically secured in spaces to which access can be controlled through the use of keys or keypads. When third parties need access to these systems or hardware (such as for maintenance), they should be accompanied by an authorized member of the technical staff.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Documentation of System Configurations for Critical Hardware- In order to make possible tampering easier to recognize and correct, the physical setup of critical hardware should be documented. That is, cable connections, drive locations, and other physical characteristics of the setup of servers, routers, network equipment, etc. should be recorded and/or catalogued.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Theft Prevention Measures for Public Hardware- Computers, scanners, printers, and other pieces of computing hardware which are in public spaces should be secured physically through the use of security cables, padlocks, and the like.

Staff/Faculty Access to Personal Computers- Faculty and staff should follow the best possible security practices to prevent unauthorized access to computers which they use at their desks. This includes, but should not be limited to, password protected screen savers, locking offices when unoccupied, and limiting or preventing access to faculty/staff computers by students serving as teaching and/or research assistants.

Monitor Visibility- On computers in which especially sensitive information (such as Social Security Numbers) is stored and/or displayed, the monitors and/or displays of those computers should be physically arranged in such a way that the screen of the monitor or display cannot be seen by anyone other than those persons who are authorized to view the sensitive information.
Ref: HIPAA http://www.hhs.gov/ocr/hipaa

Threat Detection:

Intrusion Detection Mechanisms- Detection of attempts to illicitly gain access to the School’s networks should occur on both sides of the School’s firewall. Best possible practices include, but should not be limited to, external threat detection by ITC, and internal detection of threats through the use of virus detection software, audit tracking, audit logs, and Web service logs.
Ref: COV ITRM Guideline http://www.vita.virginia.gov/docs/psg/ITSecurityPolicy90-1R3.doc

Termination-Related Security:

Account Access for Users Who Leave the Community- When students graduate from the School of Architecture, and in cases in which faculty or staff resign, retire, are terminated, or in any other way leave the Community, account access to the School’s network, physical hardware, and all other computing technology for that person should be terminated. In the case of students, a grace period of 60 days should be extended past graduation to ensure removal of data and other electronic materials from the School’s networks and hardware. All faculty and staff should lose access privileges immediately upon leaving the Community, unless arranged for separately and on an individual basis.

Personal Data on School-Owned Hardware- Any and all personal or academic data which is kept on office and/or portable computers should be removed by its owner prior to leaving the Community. Data which is sensitive or proprietary to the School shall not be taken with the employee upon termination, retirement, or resignation.
The School of Architecture will, upon repossession of the hardware, reformat, delete, or otherwise make inaccessible all data and/or software which belonged to the User. The School is not responsible for copying, backing up, or in any other way safeguarding the data on the computer after its repossession.