Information Security Controls Policy

Classification: Policy
Version Number: 1-00
Status: Published
Approved by (Board): University Leadership Team
Approval Date: 30 January 2018
Effective from: 30 January 2018
Next Review Date: 30 January 2019
Document Authors: Service Assurance, ICT (D. Chambers, S. Doyle, S. Jones)
Document Owner: Head of Service Assurance, ICT (Stewart Doyle)
Department/Contact: help@hull.ac.uk
Summary: This policy sets out the high-level objectives that demonstrate the University's approach to a number of key areas in information security. This provides the framework upon which a range of technical controls can be built and maintained.
Scope: This policy applies to all University members.
Collaborative provision: Not mandatory
Assessment (where relevant): Not applicable
Consultation (where relevant): Not applicable
Relevant legal frameworks: See relevant section of overarching Information Governance and Assurance Policy
Related documents: Information Governance and Assurance Policy
Published locations: Public website (www.hull.ac.uk) and SharePoint (share.hull.ac.uk)
Document Communication and Implementation Plan: Available upon request.

All printed versions of this document are classified as uncontrolled. A controlled version is available from the university website.
Introduction

This policy is based upon the 10 Steps to Cyber Security, originally published in 2012 and promoted by the National Cyber Security Centre (NCSC) as an effective method to protect organisations from cyber-attacks. The 10 steps provide a framework that can be used to establish policies and controls within the University of Hull to mitigate information security risks, and cyber security risks in particular. This policy, and its subsidiary policies, complement policies and guidelines that cover more general information risks, for example the Data Protection policy and guidelines.

Purpose

This policy sets out high-level objectives that demonstrate the University's approach to a number of key areas in information security. This provides the framework upon which a range of technical controls can be built and maintained.

Scope

This policy applies to all ICT systems owned or managed by the University. The term "information system" will be used to denote any such system, typically involving hardware and software components. This policy, its subsidiary policies and the controls apply to all members of the University.

Implementation

The principles and objectives outlined in this policy will be implemented through an evolving framework of security controls based on current industry best practice and guidance, as published by the NCSC for example.

Principles and objectives

The following outlines the high-level requirements of the Security Controls Framework that will guide the technical controls and standards adopted by the University.

1. Secure configuration

Establishing and actively maintaining the secure configuration of systems is a key security control. Systems that are not effectively managed will be vulnerable to attacks that may have been preventable.

1.1. All information systems must be vendor (or community) supported, unless developed and supported by ICT.
1.2. All information systems must be kept up to date by applying essential patches to the underlying operating system and applications.
1.3. An inventory of hardware and software shall be maintained and kept up to date at all times.
1.4. All information systems shall maintain a secure configuration.
1.5. Vulnerabilities will be managed in order to maintain a secure configuration that satisfies the objectives of this policy.

Information Security Controls Policy v1-00 1
1.6. Secure configuration will be managed in accordance with ICT Service Management processes.
1.7. If feasible, ports and functionality that do not support a specific need should be disabled.
1.8. University members shall not attempt to install software from unauthorised sources.
1.9. Users with normal privileges will be limited in their ability to amend device configurations.
1.10. To limit the potential of an attacker gaining wide-reaching system access, privileged users will not use their privileged accounts for day-to-day activities such as email and internet browsing.

2. Network security

Networks need to be protected against both internal and external threats. Failing to protect University networks appropriately will leave the University vulnerable to a variety of attacks.

2.1. Only network traffic that supports University activity will be permitted.
2.2. The firewall will deny traffic by default. Only authorised ports, protocols and applications that support University activity will be permitted to exchange data across the boundary.
2.3. Inbound and outbound data will be examined for malicious content.
2.4. There will be no direct routing between internal and external networks.
2.5. Critical information systems shall be identified, grouped and isolated.
2.6. All wireless access points will be appropriately secured.
2.7. Administrator access to any network component will be properly authenticated and authorised.
2.8. Error messages will not return information that may be useful to attackers.
2.9. Network intrusion detection and prevention tools will be deployed and configured by suitably qualified staff.
2.10. Regular penetration testing will be conducted, along with simulations of attacks, to ensure the objectives of this policy are being met.

3. Managing user privileges

The University should understand what level of access employees need to information, services and resources in order to do their job; otherwise it will not be possible for those responsible to manage user rights effectively. Failure to manage rights effectively leads to a number of risks, including privilege misuse, increased attack capability, and the ability to negate existing security controls.

3.1. The subsidiary User management policy will outline the responsibilities of information risk owners in relation to managing user rights and privileges.
3.2. User accounts will be managed throughout their lifespan, including when University members leave or change roles or status.
3.3. A number of password and authentication standards will be implemented. These will seek an effective balance between security and usability.
3.4. Users will be provided with the minimum rights necessary to perform their role in the interests of the University.
3.5. Highly privileged accounts will be tightly controlled and reviewed regularly. Administrators will use normal accounts for standard business use.
3.6. User activity may be monitored. Out-of-bounds activity may trigger incident response processes.
3.7. Logs should be sent to a dedicated platform that is separated from the core network. Access to logs will be strictly controlled.

4. User education and awareness

All University members have a critical role to play in helping to protect the organisation, but this should not affect their ability to perform their role. Failure to effectively support users with the right tools and awareness may leave the University vulnerable to risks such as legal and regulatory sanction, non-reporting of security incidents, and external attack.

4.1. ICT shall maintain guidance for University members to support the objectives of this policy.
4.2. Specific security policies may be produced for particular business systems to outline the responsibilities that apply within those systems.
4.3. An induction process shall take place, and acceptance of responsibilities will be formally acknowledged and retained.
4.4. Information security training will be mandatory for all staff, and a platform will be provided for users to enquire about security risks and discuss advice.
4.5. Staff in specific roles may be required to undertake additional specialist training.
4.6. Mechanisms to test the effectiveness of user security training will be developed and deployed.
4.7. A security culture will be promoted throughout the organisation, in which the reporting of incidents is encouraged.
4.8. University formal disciplinary processes will ensure that the sanctions detailed in this policy are enforceable at a practical level.

5. Incident response and management

Security incidents will inevitably happen and will vary in their level of impact. All incidents need to be managed effectively, particularly those serious enough to warrant invoking business continuity or disaster recovery plans. The University will develop its incident management capability to detect, manage and analyse security incidents in line with supporting policies.
5.1. Security incidents will normally be handled through the Incident Management component of the Service Management processes within ICT. These may be escalated via the associated Major Incident Management process.
5.2. Where personal data is involved, the Breach Management policy (part of the University Data Protection policy) must be followed. This policy includes procedures that should be followed for out-of-hours reporting.
5.3. If a security incident suggests that a breach of the financial regulations may have taken place, then the Finance Office and/or Director of Finance must be informed.

6. Malware prevention

Malware (malicious software) can cause material harm to systems, including disruption of critical business systems and unauthorised export of sensitive information or data loss. The range of technologies used to introduce malware spans the entire infrastructure, and the risk of attack is wide and varied.

6.1. Anti-malware standards will be implemented across the IT infrastructure. Adherence to these standards is required of all business and academic areas.
6.2. All data will be scanned at the network perimeter for malicious content.
6.3. Access will be blocked to known malicious websites.
6.4. A "defence in depth" approach will be taken to ensure that end user devices connecting to the network are sufficiently protected.
6.5. Anti-malware and malicious code checking solutions will be deployed to scan inbound and outbound objects for malicious content.
6.6. Content filtering solutions may be deployed on external gateways to prevent the delivery of malicious code via common desktop applications such as the web browser.
6.7. Where business processes can support it, common browser plugins and scripting languages will be disabled.
6.8. "Autorun" will be disabled where there is no business impact, to prevent the automatic execution of malicious code.

7. Monitoring

Monitoring provides the means to assess how systems are being used and whether they are being attacked. Without the ability to monitor our systems we may not be able to detect or react to attacks, or to account for activity.

7.1. A monitoring strategy will be based on business need and an assessment of risk.
7.2. All networks, systems and services will be included in the strategy. This may include the use of network, host-based and wireless Intrusion Detection Systems (IDS). These solutions should provide both signature-based capabilities to detect known attacks, and heuristic capabilities to detect unusual system behaviour.
7.3. Inbound and outbound traffic traversing the network boundaries will be monitored for unusual activity. Unusual traffic should invoke incident response procedures.
7.4. Monitoring of user activity should identify the unauthorised or accidental misuse of systems. Monitoring of user activity will comply with all legal or regulatory constraints.
7.5. Monitoring systems will be regularly "tuned" to ensure that attacks are effectively detected, and that associated costs are kept in line with expectation.
7.6. A central, automated log management platform will be employed.
7.7. There will be a resilient and synchronised timing source to support monitoring and analysis of logs.
7.8. Incident management and response capabilities will be in place to respond appropriately to incidents detected by monitoring solutions.
7.9. Processes will be implemented to test monitoring capabilities, learn from incidents and improve monitoring efficiency.

8. Removable media

Removable media introduces the capability to transfer and store huge volumes of sensitive information, as well as the ability to import malicious content. Failure to apply any controls to removable media could expose the University to the risks of information loss, introduction of malware, and reputational damage.

8.1. The subsidiary Removable media policy will outline the limitations of removable media, along with any technical controls that may be implemented where there is a sufficiently high risk to information.

9. Mobile and remote working

Mobile working and remote access extend the transit and storage of information (or the operation of systems) beyond the University infrastructure, typically over the internet. Mobile devices will also typically be used in spaces that are subject to risks such as oversight of the screen, or theft or loss of devices. As such, the University must establish sound mobile working practices to mitigate these risks.

9.1. The subsidiary Mobile and remote working policy outlines the risks associated with mobile working and remote access, and establishes responsibilities and processes for its authorised use.
9.2. A secure baseline for devices used for mobile and remote working will be enforced to ensure that only sufficiently protected devices are able to connect to the network.
9.3. Where a device used for mobile and remote working supports it, it should be encrypted. In instances where encryption is not supported, no University data shall be stored on the device.
9.4. All information travelling over a remote connection (usually via the internet) shall be appropriately encrypted.
9.5. Incident management plans should be sufficiently flexible to deal with the range of incidents that will occur as a result of mobile working practices.