Extensive Project Security
Security Measures may be applied. Examples of systems include, but are not limited to:
All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them is considered a compliance object to be protected.
Basic System Security Measures
Password Protection
Authentication and Authorization
Firewall
Systems must be protected by a firewall which allows only those incoming connections necessary to fulfill the business need of that system. Client systems which have no business need to provide network services must deny all incoming connections. Systems that provide network services must limit access to those services to the smallest reasonably manageable group of hosts that need to reach them.
Malware Protection
Systems running Microsoft or Apple operating systems must have anti-virus software installed and it must be configured to automatically scan and update.
Audit and Accountability
Synchronize system clock: The system clock must be synchronized to an authoritative time server, with synchronization run at least once per day.
Enable system logging and auditing: The facilities required to automatically generate, retain, and expire system logs must be enabled.
Follow an appropriate log retention schedule: System logs must be retained for 30-90 days and then destroyed unless further retention is necessary due to legal, regulatory, or contractual requirements.
Audit successful logins: Generate a log message whenever a user successfully logs on.
Audit failed login attempts: Generate a log message whenever a user attempts to log on without success.
Audit when a system service is started or stopped: Generate a log message when a system service is started or stopped.
Audit serious or unusual errors: Generate a log message when a serious or unusual error occurs, such as crashes.
Audit resource exhaustion errors: Generate a log message when a resource exhaustion error occurs, such as an out-of-memory error or an out-of-disk error.
Audit failed access attempts: Generate a log message when an attempt to access a file or resource is denied due to insufficient privilege.
Audit permissions changes: Generate a log message when the permissions of a user or group are changed.
Include appropriate correlation data in audit events: For each audit event logged, be sure to include sufficient information to investigate the event, including related IP address, timestamp, hostname, username, application name and/or other details as appropriate.
Configuration Management Process
Configuration changes must be regulated by a documented configuration and change management process.
Data Handling and Security Measures
These Data Security Measures define the minimum security requirements that must be applied to the data types defined in the Reference for Data and System Classification. Some data elements, such as credit card numbers and patient health records, have additional security requirements defined in external standards. In addition, access and use of University Data is covered by the Administrative Data Management Policy. Please be sure to consult all appropriate documents when determining the appropriate measure to safeguard your data.
The best way to safeguard sensitive data is not to handle it at all, and business processes that can be amended to reduce or eliminate dependence on restricted data should be corrected. For example, the University ID number can often be substituted for a social security number and poses much less risk if accidentally disclosed.
Storage Encryption
Restricted data must be encrypted using strong, public cryptographic algorithms and reasonable key lengths given current computer processing capabilities. Keys must be stored securely, and access to them provided on a least-privilege basis. If one-way hashing is used in lieu of reversible encryption, salted hashes must be used.
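As an added illustration (not part of this policy document), the following Python shows the distinction the paragraph draws: a salted, iterated one-way hash with a fresh random salt per record, beside the unsalted form it rules out. The algorithm and parameter choices (PBKDF2-HMAC-SHA256, 200,000 iterations, 16-byte salt) are assumptions for the example, not values the policy specifies.

```python
import hashlib
import hmac
import os

# Assumed work-factor and salt size for the example; the policy itself only
# requires "salted hashes", it does not fix an algorithm or parameters.
ITERATIONS = 200_000
SALT_BYTES = 16


def unsalted_hash(password: str) -> str:
    """Plain SHA-256 of the password. Identical inputs give identical digests,
    so one precomputed table of digests serves every stored record. Shown
    only as the weak form the policy prohibits."""
    return hashlib.sha256(password.encode()).hexdigest()


def hash_password(password: str, salt: bytes = None) -> str:
    """Salted, iterated one-way hash.

    A fresh random salt is drawn per record and stored alongside the digest as
    'iterations$salt_hex$digest_hex', so the verifier can recompute it later.
    """
    if salt is None:
        salt = os.urandom(SALT_BYTES)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return f"{ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute with the stored salt and iteration count, then compare in
    constant time so the comparison itself leaks nothing about the digest."""
    iterations_s, salt_hex, digest_hex = stored.split("$")
    candidate = hashlib.pbkdf2_hmac(
        "sha256", password.encode(), bytes.fromhex(salt_hex), int(iterations_s)
    )
    return hmac.compare_digest(candidate, bytes.fromhex(digest_hex))


def same_password_collides(password: str) -> tuple:
    """Hash the same password twice each way. Returns (unsalted_equal,
    salted_equal): the unsalted digests collide, the salted ones do not."""
    return (
        unsalted_hash(password) == unsalted_hash(password),
        hash_password(password) == hash_password(password),
    )


if __name__ == "__main__":
    record = hash_password("constructed-sample-password")  # constructed sample
    print(record)
    print(verify_password("constructed-sample-password", record))  # True
    print(same_password_collides("constructed-sample-password"))    # (True, False)
```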