Minimum Standards for Connecting to the UCLA Network
Last April, the CSG approved a set of minimum standards for connecting to the UCLA network that were based on a policy that had been developed by Berkeley. Since then, there have been lessons learned from SB1386 incidents both here at UCLA and also, in particular, the October SB1386 incident at Berkeley; also, similar policies are now in place at UC San Diego, UC Davis and UC Office of the President.

At the time, the next step was to return to the ITPB with the standards in UCLA policy format. However, we are first proposing revisions reflecting SB1386 lessons learned, updated campus security needs and new policies of our sister campuses. Simultaneously, we are proposing an implementation timeline and an enforcement strategy.

Proposed revisions to April 2004 CSG-approved standards

A full comparison of the wording from April 2004 and the proposed revisions is attached. Changes have been highlighted. A summary of content changes from the April version:

1) Software patch updates: Now applies to all devices, not just desktop computers.

2) Antivirus: No content changes.

3) Host based firewall: A new standard (for UCLA) that requires systems with a native firewall to have the firewall enabled.

4) Passwords: Implement full Berkeley password complexity standards, excluding the eight-character minimum requirement, resulting in additional requirements for passwords.

5) Unencrypted authentication: This is a new standard (for UCLA). The UCLA document was modified from the Berkeley standard to add the possibility to use secure authentication such as MD-5 or pass-cards, recognizing that secure authentication may not depend upon encryption. Also, the UCLA version dropped specifically replacing insecure services such as FTP, recognizing that those protocols may be useful in situations where servers are supplying public information or data.

6) No unauthenticated relays: Has been revised to recognize that authorized users may not be local and that machine-to-machine authentication provides adequate security in certain situations.

7) No unauthenticated proxy servers: Relaxes the prohibition on unauthenticated proxy servers by allowing CTS review for exceptions.

8) Physical security: This is a new standard (for UCLA) from Berkeley's policy.

9) Unnecessary services: This is a new standard (for UCLA) from Berkeley's policy.

10) Exceptions clause: Devices that may be unable to meet these standards but may be in common use and for which there are well-known alternate security arrangements (e.g., for printers with embedded web services, clusters, etc.) are recognized. Connectivity for visitors and others outside the UCLA community has been reworded for greater clarity.

11) Departmental network devices: This section has been removed as it refers to best practices rather than standards.

Proposed implementation timeline

All new equipment purchases/acquisitions shall immediately meet these minimum standards in order to connect to the campus network.

All devices shall meet these minimum standards by October 1,

Proposed enforcement (following full implementation)

Systems may connect to the campus network only if they meet the minimum standards.

If a system is causing disruption and does not meet the minimum standards, it will be disconnected from the campus network and not reconnected until both the cause of the disruptive behavior is addressed and the minimum standards are met. Systems containing personal information as defined by SB1386 shall follow UCLA Policy 420.

If a connected system is found not to meet the minimum standards (e.g., during the course of a scan), it may be disconnected, and will not be reconnected until the minimum standards are met. Systems containing personal, sensitive or confidential data in this situation will be disconnected, and will not be reconnected until the minimum standards are met.

CSG February 22, 2005
CSG-approved UCLA Minimum Standards (April 2004) compared with Proposed final UCLA Minimum Standards:

General Statement

CSG-approved (April 2004): Each device that connects to a network must meet minimum security standards. Standards must be reasonable and flexible to balance the requirements of people who use the network to conduct their duties with the responsibilities of those who protect the network and the devices connected to it. Standards must be broadly communicated, easily adaptable and widely accepted as reasonable. (Excerpted from the UCLA Security Resolutions document adopted by the ITPB March 2004.)

Proposed final: Each device that connects to a network must meet minimum security standards. Standards must be reasonable and flexible to balance the requirements of people who use the network to conduct their duties with the responsibilities of those who protect the network and the devices connected to it. Standards must be broadly communicated, easily adaptable and widely accepted as reasonable. (Excerpted from the UCLA Security Resolutions document adopted by the ITPB March 2004.)

1. Software patch updates

CSG-approved (April 2004): Campus owned desktops under management by IT departments shall keep the computers up-to-date and patched to the level of critical security patches.

Proposed final: Campus networked devices must run software for which security patches are made available in a timely fashion. They also must have all currently available security patches installed. Exceptions may be made for patches that compromise the usability of critical applications.

2. Anti-virus software

CSG-approved (April 2004): UCLA licenses antivirus software for the UCLA campus. All members of the UCLA community shall install, activate and keep up-to-date antivirus software on all vulnerable computers including servers, gateways, desktop computers, laptop computers and home computers connecting to UCLA networks. While some systems may be immune from the effects of a virus, system administrators should recognize that each system can still send or transmit a virus to unsuspecting users. If a system cannot support anti-virus software or if the user has other methods of achieving the same level of anti-virus protection, alternative methods of protection are acceptable as an exception.

Proposed final: Anti-virus software for any particular type of operating system currently listed on the Campus software distribution website must be running and up-to-date on every level of device, including clients, file servers, mail servers, and other types of campus networked devices. Exceptions may be made for anti-virus software that compromises the usability of critical applications.

3. Host-based firewall software

Proposed final: Any computer system with a native firewall included in the operating system must be activated and configured. Exceptions may be made for firewall software that compromises the usability of critical applications.

4. Passwords

CSG-approved (April 2004): UCLA campus information service providers must have a suitable process for authorizing any use of information services under their control. No campus electronic communications service user accounts shall exist without passwords or other secure authentication system, e.g. biometrics, Smart Cards. These measures must meet minimum complexity requirements: Contain at least eight characters, contain digits and punctuation characters as well as letters and not be a dictionary word. All default passwords for network-accessible device accounts must be modified. Passwords used for privileged access must not be the same as those used for non-privileged access.

Proposed final: Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g., digital certificates, biometrics or Smart Cards). When passwords are used, they must meet the Minimum Password Complexity Standards. In addition, shared-access systems must enforce these standards whenever possible and appropriate and require that users change any pre-assigned passwords immediately upon initial access to the account. All default passwords for access to network-accessible devices must be modified. Passwords used by system administrators for their personal access to a service or device must not be the same as those used for privileged access to any service or device.

5. No unencrypted authentication

Proposed final: Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Traffic across the Campus Network may be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus devices must use encrypted authentication mechanisms or use secure authentication mechanisms, for example MD-5.

6. No unauthenticated relays

CSG-approved (April 2004): Campus devices must not provide an active SMTP service that allows unauthorized third parties to relay messages, i.e., to process an e-mail message where neither the sender nor the recipient is a local user. Before transmitting to a non-local address, the sender must authenticate with the SMTP service. Unless an unauthenticated relay service has been reviewed by CTS and approved as to configuration and appropriate use, it may not operate on the campus network.

Proposed final: Campus devices must not provide an active SMTP service that allows unauthorized parties to relay messages. Before transmitting to a non-local address, the sender must authenticate with the SMTP service. Unless an unauthenticated relay service has been reviewed by CTS as to configuration and appropriate use, it may not operate on the Campus Network.

7. No unauthenticated proxy services

CSG-approved (April 2004): Although properly configured proxy servers may be used for valid purposes, non-authenticated services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Unauthenticated proxy servers are not allowed on the UCLA network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services. For more information on the types of software typically used for proxy services see:

Proposed final: Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless an unauthenticated proxy server has been reviewed by CTS as to configuration and appropriate use, it is not allowed on the campus network. In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services.

8. Physical security

Proposed final: Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent use, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to reauthenticate if left unattended for more than 20 minutes.

9. Unnecessary services

Proposed final: If a service is not necessary for the intended purpose or operation of the device, that service shall not be running.

10) Exception

CSG-approved (April 2004): Anyone who wishes to connect to the UCLA network, but cannot meet minimum connectivity standards, may demonstrate to the NC or IT dept. head, they can achieve the same goals as set out in the minimum connectivity standards using other means of security. Computers that are not institutionally owned or not part of the UCLA community such as visiting scholars represent an exception to these minimum standards and unit service providers may take necessary steps to secure departmental networks while allowing outside users.

Proposed final: A device that cannot meet these minimum standards may still be connected to the Campus Network if (a) an alternate method of providing equal or greater security is documented in writing and (b) this alternate method is approved by the Connectivity Service Provider. Approved exceptions will be filed with CTS. Recognizing that some devices that cannot meet these standards may be relatively commonplace (e.g., printers with built-in web servers, grid computers, etc.), standard exceptions may be granted for these devices. Where there is a need to provide connectivity for visitors, outside scholars and conference attendees, unit service providers must take necessary steps to secure departmental networks while allowing outside users to access appropriate network resources.

11) Departmental network devices

CSG-approved (April 2004): All campus connectivity points (where organizations connect with the Campus backbone) will be maintained with the most reasonably current functional recommended up-to date versions of operating systems and the security practices as defined by a best practices document updated according to changing technology and approved by CSG. Connectivity points will function as chokes or governors for securing campus traffic while introducing the least level of latency or brittleness. Network devices connecting to the campus backbone should be monitored for at a minimum, flow statistics. Departments must have the ability to identify sources of traffic and have the ability to control the flow of traffic from specific sources or disconnect specific sources.

Proposed final: Dropped

2/15/2005
Minimum Password Complexity Standards:

All passwords employed to authorize access to Campus electronic communications systems or services must meet the following standards:

The password MUST:

- Contain characters from at least two of the following three character classes:
  - Alphabetic (e.g.: a-z, A-Z)
  - Numeric (i.e. 0-9)
  - Punctuation and other characters ~-=\`{}[]:";'<>?,./)

The password MUST NOT be:

- A derivative of the username.
- A word found in a dictionary (English or foreign).
- Names of family, pets, friends, or co-workers.
- Computer terms and names, commands, sites, companies, hardware, or software.
- Birthdays or other personal information such as addresses or phone numbers.
- A set of characters in alphabetic or numeric order (e.g. abcdef), in a row on a keyboard (e.g. qwerty), or in a simple pattern (e.g ).
- Any of the above spelled backwards.
- Any of the above preceded or followed by a digit (e.g., qwerty1, 1qwerty)
- Your bank account PIN.
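A shared-access system that has to enforce these rules can check the mechanical ones at password-change time. The checker below is an added example, not part of the UCLA document; the sample word list, the reading of "derivative of the username" as "contains the username", the three-character minimum for a sequence and the reading of "simple pattern" as a repeated unit are all assumptions. Names and personal information can only be checked against lists the site supplies through `forbidden_words`.

```python
import re
import string

# Constructed stand-in for a real dictionary / site list of names and
# computer terms (assumption: a deployment would load a full word list).
SAMPLE_WORDS = {"password", "welcome", "dragon", "server", "linux", "ucla"}

# Alphabetic order, numeric order and keyboard rows named by the standard.
ORDERED_ROWS = (string.ascii_lowercase, "0123456789", "1234567890",
                "qwertyuiop", "asdfghjkl", "zxcvbnm")


def character_classes(password):
    """Return which of the standard's three character classes are present."""
    classes = set()
    for ch in password:
        if ch.isalpha():
            classes.add("alphabetic")
        elif ch in string.digits:
            classes.add("numeric")
        else:
            classes.add("punctuation/other")
    return classes


def variants(password):
    """Forms to test: as typed, minus one leading and/or trailing digit,
    and each of those spelled backwards (the standard's last two rules)."""
    p = password.lower()
    forms = {p}
    if p[:1].isdigit():
        forms.add(p[1:])
    if p[-1:].isdigit():
        forms.add(p[:-1])
    if len(p) > 2 and p[0].isdigit() and p[-1].isdigit():
        forms.add(p[1:-1])
    forms |= {f[::-1] for f in forms}
    forms.discard("")
    return forms


def is_ordered_run(form):
    """True if the whole string runs along the alphabet, digits or a keyboard row.
    Assumption: runs shorter than three characters are not flagged."""
    return len(form) >= 3 and any(form in row for row in ORDERED_ROWS)


def is_simple_pattern(form):
    """Assumed meaning of 'simple pattern': one unit repeated (aaaa, abcabc)."""
    return re.fullmatch(r"(.+?)\1+", form) is not None


def check_password(password, username, forbidden_words=SAMPLE_WORDS):
    """Return a list of violated rules; an empty list means none were found."""
    violations = []
    if len(character_classes(password)) < 2:
        violations.append("fewer than two character classes")
    user = username.lower()
    hits = set()
    for form in variants(password):
        if user and user in form:
            hits.add("derivative of the username")
        if form in forbidden_words:
            hits.add("dictionary word, name or computer term")
        if is_ordered_run(form):
            hits.add("alphabetic, numeric or keyboard-row sequence")
        if is_simple_pattern(form):
            hits.add("simple repeating pattern")
    return violations + sorted(hits)


if __name__ == "__main__":
    # Constructed sample inputs; "jbruin" is a hypothetical username.
    for candidate in ("qwerty1", "1qwerty", "drowssap", "abcdef",
                      "jbruin2005!", "T7#vq!mz2k"):
        print(candidate, "->", check_password(candidate, "jbruin") or "ok")
```

Because the checks run on every variant, `qwerty1` and `drowssap` are rejected even though neither is itself a keyboard row or a dictionary word.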
More informationMaria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor Security
Migrant Student Information Exchange (MSIX) Security, Privacy and Account Management Webinar Deloitte Consulting LLP. February 22, 2018 Maria Hishikawa MSIX Technical Lead Sarah Storms MSIX Contractor
More informationCompTIA E2C Security+ (2008 Edition) Exam Exam.
CompTIA JK0-015 CompTIA E2C Security+ (2008 Edition) Exam Exam TYPE: DEMO http://www.examskey.com/jk0-015.html Examskey CompTIA JK0-015 exam demo product is here for you to test the quality of the product.
More informationWeb Cash Fraud Prevention Best Practices
Web Cash Fraud Prevention Best Practices Tips on what you can do to prevent Online fraud. This document provides best practices to avoid or reduce exposure to fraud. You can use it to educate your Web
More informationGDPR Draft: Data Access Control and Password Policy
wea.org.uk GDPR Draft: Data Access Control and Password Policy Version Number Date of Issue Department Owner 1.2 21/01/2018 ICT Mark Latham-Hall Version 1.2 last updated 27/04/2018 Page 1 Contents GDPR
More informationDate Approved: Board of Directors on 7 July 2016
Policy: Bring Your Own Device Person(s) responsible for updating the policy: Chief Executive Officer Date Approved: Board of Directors on 7 July 2016 Date of Review: Status: Every 3 years Non statutory
More informationDRAFT 2012 UC Davis Cyber-Safety Survey
DRAFT 2012 UC Davis Cyber-Safety Survey UNIT INFORMATION Enter the following information. Person completing report Email Phone Unit (include sub-unit information, if appropriate) College/School/Office
More informationComputing Policies / Procedures
(TIEHH) 1207 GILBERT DRIVE * LUBBOCK, TX 79416 * 806-885-4567 (tel) * 806-885-2132 (fax) Computing Policies / Procedures Contents PURPOSE... 2 REVIEW... 2 POLICY/PROCEDURE... 3 1. Acceptable Use Policy...
More informationANATOMY OF AN ATTACK!
ANATOMY OF AN ATTACK! Are Your Crown Jewels Safe? Dom Kapac, Security Evangelist WHAT DO WE MEAN BY CROWN JEWELS? Crown jewels for most organizations are critical infrastructure and data Data is a valuable
More informationSecurity+ Guide to Network Security Fundamentals, Third Edition. Chapter 3 Protecting Systems
Security+ Guide to Network Security Fundamentals, Third Edition Chapter 3 Protecting Systems Objectives Explain how to harden operating systems List ways to prevent attacks through a Web browser Define
More informationComputer Security: Cyber Essentials KAMI VANIEA 1
Computer Security: Cyber Essentials DR. KAMI VANIEA KAMI VANIEA 1 First, the news http://www.sbrcentre.co.uk/images/site_images/20522_small BusinessTheCyberRiskReportVoRFINALFeb2016.pdf http://www.informationisbeautiful.net/visualizations/worldsbiggest-data-breaches-hacks/
More informationCIP Cyber Security Configuration Change Management and Vulnerability Assessments
Standard Development Timeline This section is maintained by the drafting team during the development of the standard and will be removed when the standard becomes effective. Development Steps Completed
More informationG/On OS Security Model
Whitepaper G/On OS Security Model Technical Whitepaper with Excitor comments on CESG Guidance 1 About this document This document describes the security properties of G/On OS, which is a Linux based, client
More informationHIPAA Assessment. Prepared For: ABC Medical Center Prepared By: Compliance Department
HIPAA Assessment Prepared For: ABC Medical Center Prepared By: Compliance Department Agenda Environment Assessment Overview Risk and Issue Score Next Steps Environment NETWORK ASSESSMENT (changes) Domain
More informationAcceptable Use Policy
Acceptable Use Policy. August 2016 1. Overview Kalamazoo College provides and maintains information technology resources to support its academic programs and administrative operations. This Acceptable
More informationKenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data
Kenna Platform Security A technical overview of the comprehensive security measures Kenna uses to protect your data V3.0, MAY 2017 Multiple Layers of Protection Overview Password Salted-Hash Thank you
More informationUCL Policy on Electronic Mail ( )
LONDON S GLOBAL UNIVERSITY UCL Policy on Electronic Mail (EMAIL) Information Security Policy University College London Document Summary Document ID Status Information Classification Document Version TBD
More informationInformation Security Key Elements. for. irunway. Information Security. May 31, Public
Information Security Key Elements for irunway Information Security May 31, 2010 Contents 1 Introduction... 3 2 Key Elements of Controls for Information Security... 4 2.1 Physical Elements... 4 2.2 System
More informationHow to Encrypt Files Containing Sensitive Data (using 7zip software or Microsoft password protection) How to Create Strong Passwords
How to Encrypt Files Containing Sensitive Data (using 7zip software or Microsoft password protection) How to Create Strong Passwords School IT Systems Support Standards and School Effectiveness Hertfordshire
More informationPost-Class Quiz: Access Control Domain
1. In order to perform data classification process, what must be present? A. A data classification policy. B. A data classification standard. C. A data classification procedure. D. All of the above. 2.
More informationCN!Express CX-6000 Single User Version PCI Compliance Status Version June 2005
85 Grove Street - Peterboro ugh, N H 0345 8 voice 603-924-6 079 fax 60 3-924- 8668 CN!Express CX-6000 Single User Version 3.38.4.4 PCI Compliance Status Version 1.0 28 June 2005 Overview Auric Systems
More informationInformation Security at the IEA DPC. IEA General Assembly October 10 12, 2011 Malahide, Ireland
Information Security at the IEA DPC IEA General Assembly October 10 12, 2011 Malahide, Ireland General remarks Impossible to cover all aspects of information security in a short presentation Only sketch
More informationINTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE ASIA/PAC RECOMMENDED SECURITY CHECKLIST
INTERNATIONAL CIVIL AVIATION ORGANIZATION ASIA and PACIFIC OFFICE Aeronautical Telecommunication Network Implementation Coordination Group (ATNICG) ASIA/PAC RECOMMENDED SECURITY CHECKLIST September 2009
More informationENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE
ENDNOTE SECURITY OVERVIEW INCLUDING ENDNOTE DESKTOP AND ONLINE INTRODUCTION In line with commercial industry standards, the data center used by EndNote employs a dedicated security team to protect our
More informationBEETLE /mopos Tablet Mobile POS solution
BEETLE /mopos Tablet Mobile POS solution Windows 8.1 Security Advice (July 2015) We would like to know your opinion on this publication. Please send us a copy of this page if you have any constructive
More informationEnforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy
Enforcing PCI Data Security Standard Compliance Marco Misitano, CISSP, CISA, CISM Business Development Manager Security Cisco Italy 2008 Cisco Systems, Inc. All rights reserved. 1 1 The PCI Data Security
More informationInformation Security Management System ISO/IEC 27001:2013
Information Security Management System ISO/IEC 27001:2013 OF ICT FACILITIES PENGGUNAAN KEMUDAHAN ICT For PTM Use Only Date: 7 th June Written By: Junnaini Ismun Pengerusi Jawatankuasa ISMS Verified By:
More informationPage 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES
002 5 R1. Each Responsible Entity shall implement a process that considers each of the following assets for purposes of parts 1.1 through 1.3: i. Control Centers and backup Control Centers; ii. Transmission
More informationUniversity of Sunderland Business Assurance PCI Security Policy
University of Sunderland Business Assurance PCI Security Policy Document Classification: Public Policy Reference Central Register IG008 Policy Reference Faculty / Service IG 008 Policy Owner Interim Director
More informationWHAT IS CORPORATE ACCOUNT TAKEOVER? HOW DOES IT HAPPEN?
WHAT IS CORPORATE ACCOUNT TAKEOVER? Corporate Account Takeover (also referred to as CATO) is a type of fraud where criminals gain access to a business financial accounts to make unauthorized transactions.
More information7. How do I obtain a Temporary ID? You will need to visit HL Bank or mail us the econnect form to apply for a Temporary ID.
About HL Bank Connect 1. What is HL Bank Connect? HL Bank Connect provides you with the convenience of accessing your bank accounts and performing online banking transactions via the Internet. 2. What
More informationSECURING CORPORATE ASSETS WITH TWO FACTOR AUTHENTICATION
SECURING CORPORATE ASSETS WITH TWO FACTOR AUTHENTICATION Introduction Why static passwords are insufficient Introducing two-factor Authentication Form Factors for OTP delivery Contact information OTP generating
More information