INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

Similar documents
UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Juniper Vendor Security Requirements

AUTHORITY FOR ELECTRICITY REGULATION

Standard CIP Cyber Security Systems Security Management

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Subject: University Information Technology Resource Security Policy: OUTDATED

Network Security Policy

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

Carbon Black PCI Compliance Mapping Checklist

POLICY 8200 NETWORK SECURITY

Altius IT Policy Collection Compliance and Standards Matrix

Altius IT Policy Collection Compliance and Standards Matrix

ISSP Network Security Plan

ISO27001 Preparing your business with Snare

Minimum Security Standards for Networked Devices

Total Security Management PCI DSS Compliance Guide

Cyber Insurance PROPOSAL FORM. ITOO is an Authorised Financial Services Provider. FSP No

Standard CIP Cyber Security Systems Security Management

The Common Controls Framework BY ADOBE

Information Security Policy

Client Computing Security Standard (CCSS)

Virginia Commonwealth University School of Medicine Information Security Standard

Critical Cyber Asset Identification Security Management Controls

NERC CIP VERSION 6 BACKGROUND COMPLIANCE HIGHLIGHTS

INFORMATION SECURITY. One line heading. > One line subheading. A briefing on the information security controls at Computershare

CS 356 Operating System Security. Fall 2013

Employee Security Awareness Training Program

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Procedure: Bring your own device

Department of Public Health O F S A N F R A N C I S C O

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Information Security Data Classification Procedure

Information Technology Branch Organization of Cyber Security Technical Standard

Standard CIP 007 3a Cyber Security Systems Security Management

DETAILED POLICY STATEMENT

Information Security Controls Policy

Virginia State University Policies Manual. Title: Information Security Program Policy: 6110

Standard CIP 007 4a Cyber Security Systems Security Management

DIRECTIVE ON INFORMATION TECHNOLOGY SECURITY FOR BANK PERSONNEL. June 14, 2018

Standard: Event Monitoring

Changing face of endpoint security

Security Logging and Monitoring Standard

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Checklist: Credit Union Information Security and Privacy Policies

HPE Intelligent Management Center

ISO COMPLIANCE GUIDE. How Rapid7 Can Help You Achieve Compliance with ISO 27002

a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

Information technology security and system integrity policy.

Security Aspects Control Rationale Best Practices Self-Assessment (Click all that applicable) 1. Security Policy and Security Management

Technical Reference [Draft] DRAFT CIP Cyber Security - Supply Chain Management November 2, 2016

Information Security Incident Response and Reporting

Networking and Operations Standard

Mobile Device Policy. Augusta University Medical Center Policy Library. Policy Owner: Information Technology Support and Services

How do you track devices that have been approved for use? Are you automatically alerted if an unapproved device connects to the network?

Wireless Security Access Policy and Agreement

Effective: 12/31/17 Last Revised: 8/28/17. Responsible University Administrator: Vice Chancellor for Information Services & CIO

Access to University Data Policy

Google Cloud Platform: Customer Responsibility Matrix. December 2018

Data Sharing Agreement. Between Integral Occupational Health Ltd and the Customer

Information Technology Procedure IT 3.4 IT Configuration Management

Information Security for Mail Processing/Mail Handling Equipment

NETWORK AND CERTIFICATE SYSTEM SECURITY REQUIREMENTS

IC32E - Pre-Instructional Survey

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

Texas Health Resources

TARGET2-SECURITIES INFORMATION SECURITY REQUIREMENTS

Red Flags/Identity Theft Prevention Policy: Purpose

Policy. London School of Economics & Political Science. Network Connection IMT. Jethro Perkins. Information Security Manager. Version 1.

Teradata and Protegrity High-Value Protection for High-Value Data

BHIG - Mobile Devices Policy Version 1.0

Department of Public Health O F S A N F R A N C I S C O

EHR SECURITY POLICIES & SECURITY SITE ASSESSMENT OVERVIEW WEBINAR. For Viewer Sites

7.16 INFORMATION TECHNOLOGY SECURITY

01.0 Policy Responsibilities and Oversight

A Measurement Companion to the CIS Critical Security Controls (Version 6) October

ForeScout CounterACT. Continuous Monitoring and Mitigation. Real-time Visibility. Network Access Control. Endpoint Compliance.

What are PCI DSS? PCI DSS = Payment Card Industry Data Security Standards

NMHC HIPAA Security Training Version

Future Challenges and Changes in Industrial Cybersecurity. Sid Snitkin VP Cybersecurity Services ARC Advisory Group

Altius IT Policy Collection

Kenna Platform Security. A technical overview of the comprehensive security measures Kenna uses to protect your data

Baseline Information Security and Privacy Requirements for Suppliers

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

Virginia Commonwealth University School of Medicine Information Security Standard

GDPR Processor Security Controls. GDPR Toolkit Version 1 Datagator Ltd

HISPOL The United States House of Representatives Internet/ Intranet Security Policy. CATEGORY: Telecommunications Security

Information Security Controls Policy

Seven Requirements for Successfully Implementing Information Security Policies and Standards

SANS Top 20 CIS. Critical Security Control Solution Brief Version 6. SANS Top 20 CIS. EventTracker 8815 Centre Park Drive, Columbia MD 21045

This document is a preview generated by EVS

Online Services Security v2.1

CIS Controls Measures and Metrics for Version 7

CONNECTING TO THE COLLEGE NETWORK. Connecting to the College Network

ISE North America Leadership Summit and Awards

Enterprise Cybersecurity Best Practices Part Number MAN Revision 006

Education Network Security

Annual Report on the Status of the Information Security Program

CIS Controls Measures and Metrics for Version 7

Transcription:

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT Policy UT Health San Antonio shall adopt and document Standards and Procedures to define and manage a secured operating configuration for all Information Resources owned, leased or under the control of the University. Security objectives shall include: a. hardware standards to ensure consistency in the platforms supported by UT Health San Antonio; b. a lifecycle framework to define the implementation, testing, availability, support and disposal of the Information Resource; c. security configuration (hardening) standards that address vulnerabilities, minimize risk and comply with all UT Health San Antonio policies; d. monitoring standards to ensure compliance with UT Health San Antonio Policies and Standards and protection against vulnerabilities; and e. standards for patch management and vendor support of application and operating system environment. The shall ensure that Information Resources are administered by professionally trained staff in accordance with UT Health San Antonio Policies, Standards and Procedures. All Owners and Custodians of UT Health San Antonio owned, leased, or controlled Information Resources must provide the Chief Information Security Officer with direct access to detailed security status including, but not restricted to the following: firewall rules; IPS/IDS rules; Page 1 of 9

security configurations and patch status; and sufficient access rights to servers and computing devices to independently perform traffic and event monitoring and log analysis. Network Security The Infrastructure and Security Engineering (ISE) Department of Information Management and Services (IMS) is designated as the Information Resource Owner and exclusively responsible for the UT Health San Antonio Network Infrastructure including, but not limited to, the local area network, wide area and telecommunications networks, Internet, OTS network and wireless/wi-fi networks. a. All network devices connecting to the UT Health San Antonio Network Infrastructure will be security hardened based on risk. b. The Network Infrastructure shall be segmented either physically or logically to reduce the scope of exposure of Information Resources commensurate with the risk. c. Configuration changes of network devices require approval of ISE and must be performed in compliance with Section 5.8.24, Change Management Security Policy in the Handbook of Operating Procedures (HOP), Standards and Procedures. d. No hardware device or software that provides network services shall be installed within or connecting to the UT Health San Antonio Network Infrastructure without ISE approval. i. All connections of the Network Infrastructure to external or third party networks (including Internet, telecommunications and business partner networks) must be approved by ISE. ii. No extension or retransmission of computer network services by installation of a router, switch, hub, wireless access point or controller, cellular signal booster, dual ported computer or software application is permitted unless approved by ISE. Page 2 of 9

e. All firewalls and network security devices must be installed and maintained by ISE unless explicitly permitted by the Chief Information Security Officer. f. Networking addresses for supported protocols are allocated, registered and managed by ISE. i. Network directory services and network address space services (including, but not limited to, DNS and DHCP services) shall be provided and managed by ISE. ii. Any Information Resource use of non-sanctioned protocols must be approved by ISE. g. ISE shall adopt Standards and Procedures for: i. configuring and managing baseline security hardened standards for all network devices; ii. defining networking protocol standards, segmentation architecture and address schemes/ranges; iii. administration of network directory and address space services; iv. managing access to the Network Infrastructure in accordance with Information Security Policies and Standards. v. testing and installing security updates and service packs to operating systems and applications for network devices; vi. monitoring network activity traversing a network device and the Network Infrastructure; ISE may disable or restrict access to devices or network segments that demonstrate suspicious or abnormal behavior or deemed vulnerable to attacks or breach; Page 3 of 9

vii. maintaining a list of authorized Networking Devices that connect to the UT Health San Antonio Network Infrastructure and associated connectivity and traffic flow diagrams; and viii. identifying and assigning appropriately trained administrators for all network devices. Server and Storage Device Security All computing and storage devices that provide access to or host centralized resources, services or applications to other computers on the UT Health San Antonio Network Infrastructure or external networks must be maintained in a manner that provides physical and logical security commensurate with risk. a. All servers, regardless of administration responsibility, must be located in Data Center owned, leased or otherwise controlled by Information and Management Services (IMS). i. Connectivity to servers and storage devices discovered outside of an approved Data Center shall be restricted. ii. Exceptions must be approved by the Vice President and Chief Information Officer. b. Storage devices that source data to centralized resources, services or applications or services to other computers on the UT Health San Antonio Network Infrastructure or external networks must be located in a Data Center owned, leased or otherwise controlled by IMS. Exceptions are allowed in the following circumstances: i. storage connected to scientific or medical instruments/devices. Appropriate Physical and Security Access Control Standards and Practices commensurate with the risk of the Data stored on these devices must be applied and the shall maintain documentation of these devices; and Page 4 of 9

ii. external storage devices used for local computer backup/archive. These storage devices must be encrypted per UT Health San Antonio Policies and Standards. c. Servers and data shall be segmented either physically or logically to reduce the scope of exposure commensurate with risk. i. Production servers and data must be segmented from test and development environments. ii. Internet accessible applications and data must be segmented from internal applications and databases; iii. Confidential data should not be stored on the same server or storage device as non-sensitive data. If both data types must be stored on the same server or storage device, compensating controls must be implemented to protect unauthorized access or disclosure of confidential data. d. Software installed on servers and storage devices is to be used in accordance with the applicable licensing agreement. Unauthorized or unlicensed use of software is prohibited. e. Servers with an Operating System that is no longer supported by its vendor may not be connected to the UT Health San Antonio network. i. Vendor support requires: timely issuance of security patches to mitigate vulnerabilities; or the Operating System is not designated as End-of- Life and End-of-Support by its vendor. ii. An exception may be granted to allow limited access to the server (e.g., access to internal UT Health San Antonio Page 5 of 9

networks or devices only) if upgrading the Operating System to a supported version or alternate platform adversely impacts its required use or function. f. All servers connecting to the UT Health San Antonio Network (including, but not limited to, the internal network, external or perimeter networks and business partner networks) will be security hardened based on risk. Minimum configuration Standards shall include: i. registration to the UT Health San Antonio Active Directory Domain; ii. encryption in compliance with UT Health San Antonio Policies, Standards and Procedures; iii. timely installation of security patches for the Operating System and application software installed on the server; iv. active and up-to-date anti-malware software in compliance with UT Health San Antonio Policies, Standards and Procedures; v. logging of access and Operating System functions; and vi. Reporting of its hardware and software configuration state to a centralized repository. g. To ensure patch management, vulnerability prevention updates and reporting of authorized computing assets. IMS shall: i. define baseline security hardened configuration Standards for all servers; ii. maintain documentation of authorized servers and their hardware and software configuration status including servers with operating systems that cannot connect to the UT Health San Antonio Active Directory Domain; Page 6 of 9

iii. facilitate testing and timely installation of service packs, hot fixes and security patches; and iv. identify and assign appropriately trained administrators. Computer Device Security Computing devices (including, but not limited to, workstations and laptops, regardless of operating systems) connecting to the UT Health San Antonio network or used to create, store or transmit Data must be maintained in a manner that provides physical and logical security commensurate with risk. a. Smartphones, tablets and any device utilizing an Operating System explicitly developed for mobile computing devices are exempt from this policy and must comply with Section 5.8.12, Mobile Device and Personally Owned Computing Policy in the HOP. b. All computing devices will be security hardened based on risk. Minimum configuration standards shall include: i. registration to the UT Health San Antonio Active Directory Domain; ii. encryption in compliance with UT Health San Antonio Policies, Standards and Procedures; iii. timely installation of security patches for the Operating System and application software installed on the computing device; iv. active and up-to-date anti-malware software in compliance with UT Health San Antonio Policies, Standards and Procedures; v. storage of confidential and mission critical data to servers or centrally managed storage devices; if confidential and/or mission critical data must be Page 7 of 9

stored on a computing device, the device shall be configured to regularly archive the data to a separate or external storage device. vi. logging of access and Operating System functions; and vii. reporting of its hardware and software configuration state to a centralized repository. c. Access to computing devices shall be granted in compliance with UT Health San Antonio Policies and Standards. Use of Administrator or other privileged accounts shall be limited to only required functions and segregated from a standard user accounts. d. Software installed on computing devices is to be used in accordance with the applicable licensing agreement. Unauthorized or unlicensed use of software is prohibited. e. Computing devices with an operating system that is no longer supported by its vendor may not be connected to the UT Health San Antonio network. i. Vendor support requires: timely issuance of security patches to mitigate vulnerabilities identified in the Operating System; or the Operating System is not designated as End-of- Life and End-of-Support by its vendor. ii. An exception may be granted to allow limited access to the server (e.g., access to internal UT Health San Antonio networks or devices only) if upgrading the Operating System to a supported version or alternate platform adversely impacts its required use or function. Page 8 of 9

f. Information Management and Services (IMS) shall maintain a central repository of hardware and software security status for each computing device. References U.T. System Policy 165 Standard 19 U.T. System Policy 165 Standard 20 Page 9 of 9

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback