POLICY FOR DATA AND INFORMATION SECURITY AT BMC IN LUND
October 2005


Table of Contents
Introduction
Purpose Of This Policy
Responsibility
General Policy
Data Classification Policy
Access Control Policy
Virus Prevention Policy
Acceptable Use Policy
Internet Security Policy
Intrusion Detection Policy
Exceptions

INTRODUCTION

This Data and Information Security Policy is written with consideration to the fact that the BMC is made up of a large number of different units with different needs for, and different uses of, computers, data handling and the data network. This policy is not intended to limit or restrict academic freedom. This policy applies to all units and network users within the BMC.

The BMC data network is connected to LUNET, the Lund University NETwork, and to SUNET, the Swedish University NETwork. This policy document is based on the LUNET security policy, the Lund University rules for using data networks (Dnr: I D9 2218/2001), and the SUNET security policy. It is in all aspects an implementation of the rules of these policies, though not necessarily an implementation of each and every rule in them. The rules of those policies are therefore superior to this document, and all of them remain in effect. If there is any dispute regarding the meaning of a rule, SUNET has the preferential right of interpretation.

PURPOSE OF THIS POLICY

The purpose of this policy is:
o to establish a set of rules to protect the BMC's data, applications, networks, and computer systems from unauthorized access, unauthorized alteration, or destruction;
o to prescribe tools and methods to identify and prevent unauthorized access, unauthorized alteration, or destruction of BMC or University data, applications, networks and computer systems;
o to define tools and methods to protect the reputation of the University and the BMC, and to allow the University to satisfy its legal and ethical responsibilities with regard to its networks' and computer systems' connectivity to the worldwide Internet;
o to prescribe effective methods for responding to external complaints and queries about real or perceived abuses of the BMC networks and computer systems.

RESPONSIBILITY

The BMC Board is responsible for implementing this policy.
The BMC Board should ensure that:
o the data and information security policy is updated on a regular basis and published as appropriate;
o network and system administrators, data custodians and users have adequate knowledge and competence to carry out their assignments. The Lund University data security office specifies competence requirements for installing, configuring and running systems and applications connected to LUNET (Dnr: I A9 6461/2001).

The BMC Board shall appoint a person to be responsible for security implementation, incident response, periodic user access reviews, and education about the data and information security policy, including information about current virus infection risks.

Users are responsible for the safe handling and storage of all University authentication devices and login information. Authentication tokens (such as a Secure ID card) should not be stored near a computer that may be used to access the University's network or system resources. If an authentication device is lost or stolen, the loss must be reported immediately to the appropriate issuing unit so that the device can be disabled.

GENERAL POLICY

Vulnerability and risk assessment tests of the network and external network connections should be conducted on a regular basis; at a minimum, testing should be performed annually. Security reviews of servers, firewall(s), router(s) and monitoring platforms for breaches of security shall be conducted on a regular basis. These reviews will include monitoring access logs and results from intrusion detection software, where used.

Education should be implemented to ensure that users understand data security issues, levels of confidentiality, and the mechanisms to protect the data. This should be tailored to the role of the individual: network administrator, system administrator, data custodian, or user.

Violation of the Information Security Policy may result in disciplinary action as authorized by the University.

DATA CLASSIFICATION POLICY

It is essential that the University's and the BMC's critical data be protected. All data should be reviewed on a periodic basis and classified according to its use, sensitivity, and importance. Three classes are specified:
o Sensitive - Information assets that would cause severe damage to the University, individuals, groups of individuals or organizations if disclosed or modified. Data covered by Swedish legislation such as "Datalagen" or "Personuppgiftslagen" is in this class, as are passwords. Payroll, personnel, and some financial information is also in this class because of privacy requirements.
o Important - Source code, data logs, scientific experimental results, students' marks etc. that would not expose the University or the BMC to loss if disclosed, but must be protected to prevent unauthorized destruction or modification.
o Public - Information that may be freely disseminated.

The SUNET security policy (securityinfo 2 and 5) sets detailed standards for the appropriate protection levels for each data classification.
All information resources should be categorized and protected according to the requirements set for each classification, and the data classification and its corresponding level of protection must follow the data when it is replicated, moved or worked on. Data custodians are responsible for the integrity of the data stored. The individuals entrusted with the data are responsible for protecting it consistent with the security requirements defined by the data custodian.

All appropriate data should be backed up, and the backups tested periodically, as part of a documented, regular process. Backups of sensitive data must be handled with the same security precautions as the data itself. When systems are disposed of or repurposed, data should be certified deleted or disks destroyed, consistent with industry best practice for the security level of the data. Sensitive data should be encrypted during transmission, in accordance with the SUNET security policy.

No system or network subnet within the BMC may have a connection to the Internet without the means to protect the information consistent with its confidentiality classification.

ACCESS CONTROL POLICY

Access to the network, servers and systems will be achieved through individual and unique logins, and will require authentication. Authentication includes the use of passwords, smart cards, biometrics, or other recognized forms of authentication.
o Users must not share usernames and passwords, nor should these be written down or recorded in unencrypted electronic files or documents. All users shall secure their username or account, password, and system from unauthorized use.
o All users of critical systems (e.g. systems containing data protected by law or University policy) must have a strong password, whose definition is established and documented by SUNET (securityinfo 4) or the BMC Board. Passwords of privileged accounts, such as administrator, root or supervisor accounts, must be changed more frequently, consistent with guidelines established by the said bodies.
o Logins and passwords must not be hard-coded into programs or queries.
o Passwords must not be placed in emails unless they have been encrypted. If this is not possible, another secure means must be used to communicate the password to the user.
o Default passwords on all systems must be changed after installation. All administrator or root accounts will be given a password that conforms to the password selection criteria when a system is installed, rebuilt, or reconfigured.

Intruder detection (account lockout) must be implemented on all servers. Accounts will be locked after a prespecified number of invalid login attempts and will remain locked until reset, consistent with unit policy.

Users who are transferred or terminated should have their accounts disabled upon transfer or termination. Since there could be delays in reporting changes in user responsibilities, periodic user access reviews should be conducted by the BMC information security person. A transferred network user's access must be reviewed and adjusted as found necessary.
Monitoring must be implemented on all sensitive systems (that support monitoring) to record logon attempts and failures, and successful logons (date and time of logon and logoff). Personnel who have broad system access, such as superusers, should use other, less powerful accounts for performing non-administrative tasks. Activities performed by those with administrator or superuser rights must be logged where it is feasible to do so. There should be a documented procedure for reviewing system logs.
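The Access Control Policy above asks for three things that a log review procedure can check mechanically: that accounts reaching the lockout threshold are in fact locked, that logon attempts and failures are recorded, and that privileged-account activity is reviewed. The following is an added example of such a review, written for this edition and not part of the BMC policy or any Lund University tool. It assumes OpenSSH-style syslog lines; the log lines, the host name, the addresses and the lockout threshold of five attempts are all constructed for the example.

```python
"""Review sshd-style authentication logs against the Access Control Policy:
flag accounts that reach the lockout threshold, successful logons that follow
a run of failures from the same source, and every privileged-account logon.
All log lines below are constructed for this example."""
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample in the OpenSSH syslog format; not taken from a real system.
SAMPLE_LOG = """\
Oct 12 08:01:03 bmc-srv1 sshd[2101]: Failed password for alice from 130.235.1.10 port 51000 ssh2
Oct 12 08:01:09 bmc-srv1 sshd[2101]: Failed password for alice from 130.235.1.10 port 51000 ssh2
Oct 12 08:01:15 bmc-srv1 sshd[2101]: Accepted password for alice from 130.235.1.10 port 51000 ssh2
Oct 12 08:02:40 bmc-srv1 sshd[2130]: Failed password for root from 203.0.113.7 port 40001 ssh2
Oct 12 08:02:41 bmc-srv1 sshd[2130]: Failed password for root from 203.0.113.7 port 40002 ssh2
Oct 12 08:02:42 bmc-srv1 sshd[2130]: Failed password for root from 203.0.113.7 port 40003 ssh2
Oct 12 08:02:43 bmc-srv1 sshd[2130]: Failed password for root from 203.0.113.7 port 40004 ssh2
Oct 12 08:02:44 bmc-srv1 sshd[2130]: Failed password for root from 203.0.113.7 port 40005 ssh2
Oct 12 08:02:50 bmc-srv1 sshd[2130]: Accepted password for root from 203.0.113.7 port 40006 ssh2
Oct 12 08:03:00 bmc-srv1 sshd[2140]: Failed password for invalid user admin from 198.51.100.9 port 3322 ssh2
Oct 12 09:15:00 bmc-srv1 sshd[2200]: Accepted publickey for bob from 130.235.1.22 port 52000 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d{1,2} \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) \w+ for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)
PRIVILEGED = {"root", "admin", "administrator"}   # assumed list of empowered accounts


def parse_events(text, year=2005):
    """Turn log lines into event dicts; lines that do not match are skipped.
    Syslog lines carry no year, so one is supplied by the caller."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        events.append({"ts": ts, "user": m["user"], "ip": m["ip"],
                       "ok": m["result"] == "Accepted"})
    return events


def review(events, lockout_threshold=5):
    """Return findings:
    lockout            - accounts whose failures reached the threshold
    suspicious_success - successes preceded by >= 3 straight failures from the same source
    privileged         - successful logons to accounts in PRIVILEGED, for manual review"""
    failures = defaultdict(int)   # user -> failed attempts since last success
    streak = defaultdict(int)     # (user, ip) -> consecutive failures from that source
    findings = {"lockout": set(), "suspicious_success": [], "privileged": []}
    for e in events:
        key = (e["user"], e["ip"])
        if e["ok"]:
            if streak[key] >= 3:
                findings["suspicious_success"].append(
                    (e["ts"].isoformat(), e["user"], e["ip"], streak[key]))
            if e["user"] in PRIVILEGED:
                findings["privileged"].append((e["ts"].isoformat(), e["user"], e["ip"]))
            failures[e["user"]] = 0
            streak[key] = 0
        else:
            failures[e["user"]] += 1
            streak[key] += 1
            if failures[e["user"]] >= lockout_threshold:
                findings["lockout"].add(e["user"])
    return findings


if __name__ == "__main__":
    result = review(parse_events(SAMPLE_LOG))
    for kind, items in result.items():
        print(kind, sorted(items) if isinstance(items, set) else items)
```

On the constructed sample the review reports root as having reached the lockout threshold, yet the same log shows a successful root logon six seconds later from the same address: that combination means the lockout required by the policy was not actually enforced on that server, which is exactly the kind of discrepancy a documented review procedure exists to catch. In production the review should read the central log copy rather than the host's own file, since an intruder with root on the host can edit the local log.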

VIRUS PREVENTION POLICY

All University-owned servers and workstations will be protected with an approved, licensed antivirus product that is kept updated to the current vendor-recommended level. All incoming data, including electronic mail, will be scanned for viruses. Outgoing electronic mail will also be scanned. System or network administrators will inform users when a virus has been detected. Virus scanning logs will be maintained whenever email is centrally scanned for viruses. The willful introduction of computer viruses or disruptive/destructive programs into the University environment is prohibited, and violators may be subject to prosecution.

ACCEPTABLE USE POLICY

University computer resources will be used in a manner that complies with University policies and Swedish law and regulations. It is against University policy to install or run software requiring a license on any University computer without a valid license.

Use of the University's computing and networking infrastructure by network users for purposes unrelated to their University positions must be limited in both time and resources and must not interfere in any way with University functions or the network user's duties. It is the responsibility of network users to consult their supervisors if they have any questions in this respect. Uses that interfere with the proper functioning of, or the ability of others to make use of, the University's networks, computer systems, applications and data resources are not permitted; an example is downloading large amounts of data for private use (movies, music etc.). Use of University computer resources for personal profit is not permitted; business use or distribution of material for money is forbidden. Cracking or attempting to crack passwords is not permitted, except by authorized staff performing security reviews or investigations.
Use of network sniffers shall be restricted to system administrators who must use such tools to solve network problems; auditors or security officers may also use them in the performance of their duties. They must not be used to monitor or track any individual's network activity except under special authorization, granted in every single case by the Lund University data security group. The University data security group and the BMC information security responsible person have the right to examine data and log files on any equipment connected to, or having been connected to, LUNET as part of an investigation of abuse or other incidents. This includes the right to temporarily seize any such equipment for examination.

INTERNET SECURITY POLICY

All connections to the Internet will go through a properly secured connection point to ensure the network is protected. Public servers carrying information intended to be available from outside the BMC network must be connected to network sockets assigned by the BMC information security responsible person.

INTRUSION DETECTION POLICY

Operating system and application software logging must be enabled on all host and server systems. Where possible, alarm and alert functions, as well as logging and monitoring systems, must be enabled. System integrity checks of host and server systems housing sensitive or important University data should be performed. Server, firewall, and critical system logs should be reviewed frequently. Where possible, automated review should be enabled and alerts transmitted to the administrator when a serious security intrusion is detected. Intrusion detection tools should be installed where appropriate and checked on a regular basis. System or network administrators must monitor appropriate sources for security-related information, relevant threats, vulnerabilities and incidents, and for relevant service patches, upgrades or updates, and must ensure that all security-related patches are applied on all machines under their control.

EXCEPTIONS

In certain cases, compliance with specific policy requirements may not be immediately possible. Reasons include, but are not limited to, the following: required commercial or other software in use is not currently able to support the required features; legacy systems are in use which do not comply, but near-term future systems will, and are planned for; the costs of reasonable compliance are prohibitive. In such cases, units must develop a written explanation of the compliance issue and a plan for coming into compliance in a reasonable amount of time, and submit them to the BMC Board for written approval.
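The system integrity checks called for in the Intrusion Detection Policy above are, at their simplest, a comparison of the current file tree against a recorded baseline of cryptographic hashes. The following is an added example written for this edition, not part of the BMC policy or of any tool it names; the directory, the file names and the "tampering" are all constructed inside a temporary directory so that it runs offline.

```python
"""File integrity check: record a SHA-256 baseline of a directory tree, then
report files that were added, removed or modified since the baseline.
The scenario in demo() is constructed; nothing here reads a real system path."""
import hashlib
import os
import tempfile
from pathlib import Path


def sha256_file(path, chunk=1 << 16):
    """Hash a file in chunks so large files do not have to fit in memory."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for block in iter(lambda: f.read(chunk), b""):
            h.update(block)
    return h.hexdigest()


def build_baseline(root):
    """Map each regular file under root (as a POSIX relative path) to its digest.
    Symlinks are skipped so a baseline entry cannot be redirected to another file."""
    root = Path(root)
    baseline = {}
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            p = Path(dirpath) / name
            if p.is_symlink() or not p.is_file():
                continue
            baseline[p.relative_to(root).as_posix()] = sha256_file(p)
    return baseline


def compare(baseline, current):
    """Return {'added', 'removed', 'modified'} as sorted lists of relative paths."""
    old, new = set(baseline), set(current)
    return {
        "added": sorted(new - old),
        "removed": sorted(old - new),
        "modified": sorted(p for p in old & new if baseline[p] != current[p]),
    }


def demo():
    """Constructed scenario: baseline three files, then change one,
    delete one and add one, and return what the check reports."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0::/root:/bin/sh\n")
        (root / "etc" / "ssh_config").write_text("PermitRootLogin no\n")
        (root / "bin_ls").write_bytes(b"\x7fELF original binary")
        baseline = build_baseline(root)

        # Simulated tampering after the baseline was taken (constructed).
        (root / "etc" / "ssh_config").write_text("PermitRootLogin yes\n")
        (root / "bin_ls").unlink()
        (root / "etc" / "rc.local").write_text("# unexpected startup script\n")

        return compare(baseline, build_baseline(root))


if __name__ == "__main__":
    for kind, paths in demo().items():
        print(f"{kind}: {paths}")
```

Two design points matter more than the hashing itself. The baseline must be stored where an intruder who gains root on the checked host cannot rewrite it (a read-only medium or a separate log host), otherwise a modified file can simply be re-baselined; and the check should run from a trusted schedule rather than from the host's own cron, for the same reason. Mature tools such as AIDE and Tripwire implement this pattern with signed databases and richer metadata (ownership, permissions, inode), which is what a production deployment should use.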