Policy 8060 Data ISP Detail
Updated February 2016
Information Service Providers – Data Security Guidelines
Information Service Providers have more extensive information security requirements than individuals.
Beyond controlling access and protecting against physical threats, they must play a more proactive role implementing and enforcing security policies and procedures, auditing access, threats, and vulnerabilities, and developing or conforming to university access, authentication, and authorization standards and practices.
Establishing information security procedures
Service Providers must establish specific information security procedures governing the information resources they manage. These procedures must meet the Minimum Security Standards for Systems set by the Chief Information Security Officer (CISO), the university’s records retention policy, as well as other university policies, contractual agreements, and governing federal, state and local laws. Service Providers must designate personnel to maintain and assure the integrity of the information resources, systems and networks for which they are responsible, or assign this responsibility to the CISO. Any local personnel who take on these responsibilities must work closely with the CISO to achieve the objectives of this policy.
Computer systems (servers, desktops, portable devices, etc.), network components (switches, routers, etc.), the cable infrastructure and other facilities must be physically protected commensurate with the level of risk faced by the university should they be compromised. Power, temperature, water and fire monitoring devices should be used where appropriate. Locks, cameras and alarms must be installed in technology centers and closets to discourage and alert personnel to unauthorized access. Service Providers are responsible for ensuring that components required to conduct mission critical business are incorporated into the physical planning component of the university’s strategic plan.
Service Providers must take steps to protect their servers and mainframes from compromise from either internal or external individuals or entities. They must select operating systems and other software that is securable and modify default passwords and configuration options to reduce potential vulnerabilities. Service Providers must ensure that security patches are consistently updated. They must periodically verify audit and activity logs, examine performance data, check for evidence of unauthorized access, the presence of viruses, or any other indicators of integrity loss. Service Providers must cooperate with and avail themselves of any central services providing support for and/or review of these activities as well as performing more sophisticated procedures such as penetration testing and real-time intrusion detection.
Service Providers who develop, maintain, or modify key applications relating to financial data, human resources, student records, etc., must deploy adequate procedures for change control, separation of test and production environments, and separation of responsibilities for staff involved in these functions. They must proactively cooperate with Internal Audit and the Office of Information Technology to ensure that policies are respected and that adequate procedures are in place.
Service Providers who support authorized access to university information must implement designs, policies, and procedures that protect the integrity of those services. Network security should be maintained through a combination of technologies including switched networks, strong authentication requirements, encryption and firewalls. Network access, including modem and other remote access, must be implemented using university standards for hardware, software, authentication protocols, and access controls.
Because the loss of integrity of any device or server on the network provides a platform for launching attacks on the entire network, the Network Security team, at the request of the Chief Information Security Officer, in concert with the Offices of Information Technology and Internal Audit, will periodically probe the network and network servers for vulnerabilities, using software tools designed for this purpose. Service Providers are expected to participate in and cooperate with this process, review reports, and take corrective actions where necessary.
In granting individuals access privileges to information resources, Service Providers must adhere to policies established by the data custodians and the university. Protocols specifying access authorizations must be produced in a format conducive to auditing, and audit trails must be maintained at appropriate levels. User identifiers must respect the centrally generated assignments, and systems and applications must support available university-wide standards and facilities supporting authentication, authorization, and single sign-on.
Shared, guest and anonymous accounts should be avoided. Any anonymous accounts must be restricted to servers containing unrestricted data and not residing within a zone protected by a firewall.
Service Providers shall periodically review user identifiers and access privileges and revise them as required by changes in job functions, transfers and employment status. Where university-wide facilities are deployed to aid user identifier management, individual systems and applications should interface with them whenever possible.
When passwords are used for authentication, Service Providers should install password mechanisms that provide strong security while aiding users with the selection and management of strong passwords. Where independent password files must be maintained, they must be protected by encryption and access controls. Appropriate restrictions regarding password lengths and the use of personal data or dictionary words for passwords must be implemented, using software enforcement where possible.
Initial user passwords may deviate from this only if the user is required, by the software, to change the password upon first use. Administrators and help desk personnel should be able to reset passwords following established procedures, but never able to view them. The assignment of root access or similar capabilities must be strictly controlled and very limited. Passwords to accounts with privileges that may be needed in emergency recovery situations should be made available via lock boxes rather than distributed on an anticipatory basis.
Service Providers are responsible for ensuring the continued availability of university information resources and for planning for the resumption of mission critical business information services following the loss of equipment, data, and/or technology rooms due to flood, fire, equipment failure, natural disasters, etc. Inherent in this requirement is the need to provide effective procedures for backing up university data.
Appropriate schedules should be established for backing up servers and other devices containing important data, retaining copies, and refreshing media. Schedules and retention periods should support requirements for restoring data after accidental loss or corruption, natural disasters, and record keeping requirements as identified by the data custodians.
To ensure availability and functionality of backups, copies must be stored in secure, environmentally controlled, off-site locations. Encryption/decryption applications and copies of cryptographic keys must be stored in safe locations if they are required to restore backup data to useable form. Archived data is to be retained for legal/historical purposes and should be recopied periodically. When applications change, either the original application shall be retained so as to be able to usefully access the archived data or the archived data should be converted to a format and medium that is useable by the new or other available application.
Incident handling and reporting
Service Providers must report suspected or known compromises of information resources to managers and per the university’s Incident Response Procedure on the same business day that they become aware of the compromise. They must preserve and protect evidence and cooperate with any investigation. Where appropriate, they must repair vulnerabilities and impose additional security measures to protect against future compromises.