POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND
October 2005

Table of Contents
Introduction ... 1
Purpose Of This Policy ... 1
Responsibility ... 1
General Policy ... 2
Data Classification Policy ... 2
Access Control Policy ... 3
Virus Prevention Policy ... 4
Acceptable Use Policy ... 4
Internet Security Policy ... 4
Intrusion Detection Policy ... 5
Exceptions ... 5
INTRODUCTION
This Data and Information Security Policy is written with consideration to the fact that the BMC is made up of a large number of different units with different needs for and different uses of computers, data handling and the data network. This policy is not intended to limit or restrict academic freedom. This policy applies to all units and network users within the BMC.

The BMC data network is connected to LUNET, the Lund University NETwork, and to SUNET, the Swedish University NETwork. This policy document is based on the LUNET security policy, the Lund University rules for using data networks (Dnr: I D9 2218/2001), and the SUNET security policy. It is in all aspects an implementation of rules of these policies, but not necessarily an implementation of each and every rule of these policies. Thus the rules of these policies are superior to this document, and are all in effect. If there is any dispute regarding the meaning of a rule, SUNET has the preferential right of interpretation.

PURPOSE OF THIS POLICY
The purpose of this policy is:
o to establish a set of rules to protect the BMC's data, applications, networks, and computer systems from unauthorized access, unauthorized alteration, or destruction;
o to prescribe tools and methods to identify and prevent unauthorized access, unauthorized alteration, or destruction of BMC or University data, applications, networks and computer systems;
o to define tools and methods to protect the reputation of the University and the BMC, and to allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet;
o to prescribe effective methods for responding to external complaints and queries about real or perceived abuses of the BMC networks and computer systems.

RESPONSIBILITY
The BMC Board is responsible for implementing this policy.
The BMC Board should ensure that:
o the data and information security policy is updated on a regular basis and published as appropriate;
o network and system administrators, data custodians and users have adequate knowledge and competence to carry out their assignments. The Lund University data security office specifies competence requirements for installing, configuring and running systems and applications connected to the LUNET (Dnr: I A9 6461/2001).

The BMC Board shall appoint a person to be responsible for security implementation, incident response, periodic user access reviews, and education about the data and information security policy, including information about current virus infection risks.

Users are responsible for safe handling and storage of all University authentication devices and login information. Authentication tokens (such as a Secure ID card) should not be stored near a computer that may be used to access the University's network or system resources. If an authentication device is lost or stolen, the loss must be immediately reported to the appropriate issuing unit so that the device can be disabled.

Page 1
GENERAL POLICY
Vulnerability and risk assessment tests of the network and external network connections should be conducted on a regular basis. At a minimum, testing should be performed annually.

Security reviews of servers, firewall(s), router(s) and monitoring platforms for breaches of security shall be conducted on a regular basis. These reviews will include monitoring access logs and results from intrusion detection software, where used.

Education should be implemented to ensure that users understand data security issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual: network administrator, system administrator, data custodian, or user.

Violation of the Information Security Policy may result in disciplinary actions as authorized by the University.

DATA CLASSIFICATION POLICY
It is essential that the University's and the BMC's critical data be protected. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. We have specified three classes below:
o Sensitive - Information assets that would cause severe damage to the University, individuals, groups of individuals or organizations if disclosed or modified. Data covered by state legislation, such as "Datalagen" or "Personuppgiftslagen", are in this class, as are passwords. Payroll, personnel, and some financial information is also in this class because of privacy requirements.
o Important - Source code, data logs, scientific experimental results, students' marks etc. that would not expose the University or the BMC to loss if disclosed, but must be protected to prevent unauthorized destruction or modification.
o Public - Information that may be freely disseminated.

The SUNET security policy (securityinfo 2 and 5) sets detailed standards for the appropriate protection levels for each data classification.
All information resources should be categorized and protected according to the requirements set for each classification, and the data classification and its corresponding level of protection should be kept consistent when the data is replicated, moved and worked on.

Data custodians have the responsibility for the integrity of the data stored. The individuals entrusted with the data are responsible for protecting the data consistent with the security requirements defined by the data custodian.

All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process. Backups of secure data must be handled with the same security precautions as the data itself.

When systems are disposed of or repurposed, data should be certified deleted or disks destroyed consistent with industry best practices for the security level of the data.

Sensitive data should be encrypted during transmission, in accordance with the SUNET security policy.

No system or network subnet within BMC may have a connection to the Internet without the means to protect the information consistent with its confidentiality classification.
ACCESS CONTROL POLICY
Access to the network, servers and systems will be achieved by individual and unique logins, and will require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
o Users must not share usernames and passwords, nor should they be written down or recorded in unencrypted electronic files or documents. All users shall secure their username or account, password, and system from unauthorized use.
o All users of critical systems (e.g. containing data protected by law or University policy) must have a strong password, whose definition is established and documented by SUNET (securityinfo 4) or the BMC Board. Passwords of empowered accounts, such as administrator, root or supervisor accounts, must be changed more frequently, consistent with guidelines established by the said bodies.
o Logins and passwords must not be coded into programs or queries.
o Passwords must not be placed in emails unless they have been encrypted. If this is not possible, then another secure means must be used to communicate the password to the user.
o Default passwords on all systems must be changed after installation. All administrator or root accounts will be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.

Intruder detection must be implemented on all servers. Accounts will be locked after a prespecified number of invalid attempts and will remain locked until reset consistent with unit policy.

Terminated network users should have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the BMC information security person. Transferred network users' access must be reviewed and adjusted as found necessary.
Monitoring must be implemented on all sensitive systems (that support monitoring) to record logon attempts and failures, and successful logons (date and time of logon and logoff).

Personnel who have broad system access, such as superuser, should use other less powerful accounts for performing non-administrative tasks. Activities performed by those with administrator or superuser rights must be logged where it is feasible to do so. There should be a documented procedure for reviewing system logs.
VIRUS PREVENTION POLICY
All University owned servers and workstations will be protected with an approved, licensed antivirus software product that will be updated to the current vendor recommended level. All incoming data including electronic mail will be scanned for viruses. Outgoing electronic mail will be scanned. System or network administrators will inform users when a virus has been detected. Virus scanning logs will be maintained whenever email is centrally scanned for viruses.

The willful introduction of computer "viruses" or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.

ACCEPTABLE USE POLICY
University computer resources will be used in a manner that is compliant with University policies and Swedish law and regulations. It is against University policy to install or run software requiring a license on any University computer without a valid license.

Use of the University's computing and networking infrastructure by University network users unrelated to their University positions must be limited in both time and resources and must not interfere in any way with University functions or the network user's duties. It is the responsibility of network users to consult their supervisors if they have any questions in this respect.

Uses that interfere with the proper functioning of, or the ability of others to make use of, the University's networks, computer systems, applications and data resources are not permitted. Examples are downloading of large amounts of data for private use (movies, music etc.).

Use of University computer resources for personal profit is not permitted. Business use or distribution of material for money is forbidden.

Decryption or attempts at decryption of passwords is not permitted, except by authorized staff performing security reviews or investigations.
Use of network sniffers shall be restricted to system administrators who must use such tools to solve network problems. Auditors or security officers in the performance of their duties may also use them. They must not be used to monitor or track any individual's network activity except under special authorization in every single case from the Lund University data security group.

The University data security group and the BMC information security responsible person have the right to monitor data and log files in any equipment connected to, or having been connected to, the LUNET, as part of an investigation of abuse or other incidents. This includes the right to temporarily seize any such equipment for examination.

INTERNET SECURITY POLICY
All connections to the Internet will go through a properly secured connection point to ensure the network is protected. Public servers carrying information intended to be available from outside the BMC network must be connected to network sockets assigned by the BMC information security responsible person.
INTRUSION DETECTION POLICY
Operating system and application software logging processes must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must be enabled.

System integrity checks of host and server systems housing sensitive or important University data should be performed.

Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts should be transmitted to the administrator when a serious security intrusion is detected.

Intrusion detection tools should be installed where appropriate and checked on a regular basis.

System or network administrators must monitor appropriate sources for security related information, relevant threats, vulnerabilities, incidents and relevant service patches, upgrades, or updates, and ensure all security related patches are applied on all machines under their control.

EXCEPTIONS
In certain cases, compliance with specific policy requirements may not be immediately possible. Reasons include, but are not limited to, the following:
o required commercial or other software in use is not currently able to support the required features;
o legacy systems are in use which do not comply, but near-term future systems will, and are planned for;
o costs for reasonable compliance are prohibitive.

In such cases, units must develop a written explanation of the compliance issue and a plan for coming into compliance in a reasonable amount of time, and submit them to the BMC Board for written approval.