Security Steps


Extensive Project Security

Security Measures may be applied. Examples of systems include, but are not limited to:

  • Desktop, laptop, or server computers running general purpose operating systems such as Windows, Mac OS, and Unix.
  • Mobile devices (e.g., iPhone, iPod Touch, iPad, and Android)
  • Network server applications, such as an FTP-server application
  • Web applications, such as a wiki
  • Databases

All of the above systems may perform their own authentication and authorization, logging and auditing, and have their own configurations which must be managed, and each of them is considered a compliance object to be protected.

Basic System Security Measures

Password Protection:

  1. Must be at least eight characters long.
  2. Must NOT be dictionary or common slang words in any language, or be readily guessable.
  3. Must include at least three of the following four characteristics in any order: upper case letters, lower case letters, numbers, and special characters, such as *!@#$%^&*.
  4. Must be changed at least once per year.
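
Rules 1 to 3 above can be checked mechanically when a password is set. The following is an added example, not part of the original policy text; the function names, the small word list and the substitution table are assumptions for illustration, and a real deployment would load a full dictionary or breached-password list. Rule 4 (annual change) depends on stored password age and is not covered.

```python
import string

# Constructed stand-in for a real dictionary or breached-password list (assumption).
WORDLIST = {"password", "welcome", "letmein", "sunshine", "football"}
# Common character substitutions undone before the dictionary lookup (assumption).
LEET = str.maketrans("0134578@$!", "oleastbasi")
DECORATIONS = string.digits + string.punctuation


def character_classes(password):
    """Count how many of the four character classes appear (rule 3)."""
    return sum((
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(c in string.punctuation for c in password),
    ))


def is_guessable(password, username=""):
    """True if the password reduces to a listed word or contains the username."""
    lowered = password.lower()
    # Try both orders so "P@ssw0rd1" and "welc0m3" are each reduced correctly.
    candidates = {
        lowered.strip(DECORATIONS).translate(LEET),
        lowered.translate(LEET).strip(DECORATIONS),
    }
    if candidates & WORDLIST:
        return True
    return bool(username) and username.lower() in lowered


def policy_violations(password, username=""):
    """Return the rules 1-3 that the password breaks; an empty list means it passes."""
    problems = []
    if len(password) < 8:
        problems.append("shorter than eight characters")
    if is_guessable(password, username):
        problems.append("dictionary word or readily guessable")
    if character_classes(password) < 3:
        problems.append("fewer than three of four character classes")
    return problems
```

A password such as P@ssw0rd1 satisfies the length and character-class rules but is still rejected, because it reduces to a dictionary word once the substitutions are undone.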

Authentication and Authorization

  1. Remove or disable accounts upon loss of eligibility: Accounts which are no longer needed must be disabled in a timely fashion using an automated or documented procedure.
  2. Separate user and administrator accounts: Administrator accounts must not be used for non-administrative purposes. System administrators must be provisioned with non-administrator accounts for end-user activities, and a separate administrator account that is used only for system-administration purposes.
  3. Use unique passwords for administrator accounts: Privileged accounts must use unique passwords that are not shared among multiple systems. Credentials which are managed centrally, such as the hashing/password combination, are considered a single account, regardless of how many systems they provide access to.
  4. Throttle repeated unsuccessful login-attempts: A maximum rate for unsuccessful login attempts must be enforced. Account lockout is not required, but the rate of unsuccessful logins must be limited.
  5. Enable session timeout: Sessions must be locked or closed after some reasonable period.
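
Item 4 asks for a rate limit on failed logins rather than a lockout. The following added example (not part of the original policy text) shows one way to do that with a sliding window; the class name, the default limits and the choice of throttle key are assumptions.

```python
import time
from collections import deque


class FailedLoginThrottle:
    """Sliding-window cap on failed logins per key; no permanent lockout."""

    def __init__(self, max_failures=5, window_seconds=300, clock=time.monotonic):
        self.max_failures = max_failures
        self.window = window_seconds
        self.clock = clock          # injectable so the window can be tested
        self._failures = {}         # key -> deque of failure timestamps

    def _recent(self, key):
        """Drop failures older than the window and return what is left."""
        q = self._failures.setdefault(key, deque())
        cutoff = self.clock() - self.window
        while q and q[0] <= cutoff:
            q.popleft()
        if not q:
            del self._failures[key]  # keep no state for idle keys
        return q

    def allowed(self, key):
        """False while the key has used up its failure budget for the window."""
        return len(self._recent(key)) < self.max_failures

    def record_failure(self, key):
        """Call after every unsuccessful authentication attempt."""
        q = self._recent(key)
        q.append(self.clock())
        self._failures[key] = q

    def retry_after(self, key):
        """Seconds until the oldest counted failure ages out (0.0 if allowed)."""
        q = self._recent(key)
        if len(q) < self.max_failures:
            return 0.0
        return q[0] + self.window - self.clock()
```

Call allowed() before verifying the credentials and record_failure() when verification fails. Keying on the username alone limits distributed guessing but lets a third party slow down a legitimate user, while keying on username plus source address avoids that at the cost of a weaker limit.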

Firewall

Systems must be protected by a firewall which allows only those incoming connections necessary to fulfill the business need of that system. Client systems which have no business need to provide network services must deny all incoming connections. Systems that provide network services must limit access to those services to the smallest reasonably manageable group of hosts that need to reach them.

Malware Protection

Systems running Microsoft or Apple operating systems must have anti-virus software installed and it must be configured to automatically scan and update.

Audit and Accountability

Synchronize system clock: The system clock must be synchronized to an authoritative time server at least once per day.

Enable system logging and auditing: The facilities required to automatically generate, retain, and expire system logs must be enabled.

Follow an appropriate log retention schedule: System logs must be retained for 30-90 days and then destroyed unless further retention is necessary due to legal, regulatory, or contractual requirements.

Audit successful logins: Generate a log message whenever a user successfully logs on.

Audit failed login attempts: Generate a log message whenever a user attempts to log on without success.

Audit when a system service is started or stopped: Generate a log message when a system service is started or stopped.

Audit serious or unusual errors: Generate a log message when a serious or unusual error occurs, such as crashes.

Audit resource exhaustion errors: Generate a log message when a resource exhaustion error occurs, such as an out-of-memory error or an out-of-disk error.

Audit failed access attempts: Generate a log message when an attempt to access a file or resource is denied due to insufficient privilege.

Audit permissions changes: Generate a log message when the permissions of a user or group are changed.

Include appropriate correlation data in audit events: For each audit event logged, be sure to include sufficient information to investigate the event, including related IP address, timestamp, hostname, username, application name and/or other details as appropriate.

Configuration Management Process

Configuration changes must be regulated by a documented configuration and change management process.

Data Handling and Security Measures

These Data Security Measures define the minimum security requirements that must be applied to the data types defined in the Reference for Data and System Classification. Some data elements, such as credit card numbers and patient health records, have additional security requirements defined in external standards. In addition, access and use of University Data is covered by the Administrative Data Management Policy. Please be sure to consult all appropriate documents when determining the appropriate measure to safeguard your data.

The best way to safeguard sensitive data is not to handle it at all, and business processes that can be amended to reduce or eliminate dependence on restricted data should be corrected. For example, the University ID number can often be substituted for a social security number and poses much less risk if accidentally disclosed.

 

  • Access control: Access to confidential data must be provided on a least-privilege basis. No person or system should be given access to the data unless required by business process. In such cases where access is required, permission to use the data must be granted by the data steward.
  • Sharing: Confidential data may be shared among the community. It may be released publicly only according to well-defined business processes, and with the permission of the data steward.

Storage Encryption

Restricted data must be encrypted using strong, public cryptographic algorithms and reasonable key lengths given current computer processing capabilities. Keys must be stored securely, and access to them provided on a least-privilege basis. If one-way hashing is used in lieu of reversible encryption, salted hashes must be used.

  • Encrypt files containing restricted data using different keys or passwords than those used for system logon.
  • Encrypt data stored in databases at the column-level.
  • In addition to file and/or database encryption, implement full-disk encryption on portable devices containing restricted data.
