The University of Texas at El Paso. Information Security Office Minimum Security Standards for Systems

Similar documents
a. UTRGV owned, leased or managed computers that fall within the regular UTRGV Computer Security Standard

90% 191 Security Best Practices. Blades. 52 Regulatory Requirements. Compliance Report PCI DSS 2.0. related to this regulation

Server Security Checklist

SERVER HARDENING CHECKLIST

University of Alabama at Birmingham MINIMUM SECURITY FOR COMPUTING DEVICES RULE July 2017

Google Cloud Platform: Customer Responsibility Matrix. December 2018

01.0 Policy Responsibilities and Oversight

Total Security Management PCI DSS Compliance Guide

Employee Security Awareness Training Program

UT HEALTH SAN ANTONIO HANDBOOK OF OPERATING PROCEDURES

Google Cloud Platform: Customer Responsibility Matrix. April 2017

Information Security Data Classification Procedure

University of Sunderland Business Assurance PCI Security Policy

How To Establish A Compliance Program. Richard E. Mackey, Jr. SystemExperts Corporation

Standard CIP Cyber Security Critical Cyber Asset Identification

The Honest Advantage

Standard CIP Cyber Security Critical Cyber Asset Identification

IT Services IT LOGGING POLICY

Information Technology General Control Review

Overview: Compliance and Security Management PCI-DSS Control Compliance Suite Overview

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY September 20, 2017

SECURITY POLICY FOR USER. 1.Purpose: The policy aims at providing secure and acceptable use of client systems.

Ensuring Desktop Central Compliance to Payment Card Industry (PCI) Data Security Standard

7.16 INFORMATION TECHNOLOGY SECURITY

Cyber Security Program

Altius IT Policy Collection Compliance and Standards Matrix

NORTH AMERICAN SECURITIES ADMINISTRATORS ASSOCIATION Cybersecurity Checklist for Investment Advisers

Standard: Event Monitoring

Department of Public Health O F S A N F R A N C I S C O

THE UNIVERSITY OF TEXAS-PAN AMERICAN OFFICE OF AUDITS & CONSULTING SERVICES. Computer Administrative Rights Report No

Policy. Sensitive Information. Credit Card, Social Security, Employee, and Customer Data Version 3.4

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

Altius IT Policy Collection Compliance and Standards Matrix

Security Standards for Electric Market Participants

Data Inventory and Classification, Physical Devices and Systems ID.AM-1, Software Platforms and Applications ID.AM-2 Inventory

INFORMATION ASSET MANAGEMENT POLICY

Payment Card Industry Internal Security Assessor: Quick Reference V1.0

State of Colorado Cyber Security Policies

Information Technology Procedure IT 3.4 IT Configuration Management

Checklist: Credit Union Information Security and Privacy Policies

Web Cash Fraud Prevention Best Practices

Access to University Data Policy

Recommendations for Implementing an Information Security Framework for Life Science Organizations

UNIVERSITY OF MASSACHUSETTS AMHERST INFORMATION SECURITY POLICY October 25, 2017

INFORMATION RESOURCE SECURITY CONFIGURATION AND MANAGEMENT

2.4. Target Audience This document is intended to be read by technical staff involved in the procurement of externally hosted solutions for Diageo.

Gramm Leach Bliley Act 15 U.S.C GLBA/HIPAA Information Security Program Committee GLBA, Safeguards Rule Training, Rev.

Solution Pack. Managed Services Virtual Private Cloud Security Features Selections and Prerequisites

SECURITY & PRIVACY DOCUMENTATION

ANNEX. Organizational and technical measures

Firewall Policy. Prepared By Document Version Phone Number Kevin Kuhn Version /

Institute of Technology, Sligo. Information Security Policy. Version 0.2

Oracle Hospitality OPERA Cloud Services Security Guide Release 1.20 E June 2016

LOGmanager and PCI Data Security Standard v3.2 compliance

New York Department of Financial Services Cybersecurity Regulation Compliance and Certification Deadlines

DATA BACKUP AND RECOVERY POLICY

Payment Card Industry (PCI) Data Security Standard

Client Computing Security Standard (CCSS)

STATE OF NEW JERSEY. ASSEMBLY, No th LEGISLATURE. Sponsored by: Assemblywoman ANNETTE QUIJANO District 20 (Union)

University of Pittsburgh Security Assessment Questionnaire (v1.7)

Criminal Justice Information Security (CJIS) Guide for ShareBase in the Hyland Cloud

Children s Health System. Remote User Policy

Virginia Commonwealth University School of Medicine Information Security Standard

Juniper Vendor Security Requirements

Section 3.9 PCI DSS Information Security Policy Issued: November 2017 Replaces: June 2016

<Criminal Justice Agency Name> Personally Owned Device Policy. Allowed Personally Owned Device Policy

Payment Card Industry (PCI) Qualified Integrator and Reseller (QIR)

Morningstar ByAllAccounts Service Security & Privacy Overview

PDQ Guide for the PCI Data Security Standard Self-Assessment Questionnaire C (Version 1.2)

Oracle Hospitality ecommerce Integration Cloud Service Security Guide Release 18.1 E

SECTION: SUBJECT: PCI-DSS General Guidelines and Procedures

TECHNICAL AND ORGANIZATIONAL DATA SECURITY MEASURES

OPERA Version 4.0+ PABP Guide and PCI Data Security Standard Adherence

UCOP ITS Systemwide CISO Office Systemwide IT Policy. UC Event Logging Standard. Revision History. Date: By: Contact Information: Description:

Carbon Black PCI Compliance Mapping Checklist

201 CMR COMPLIANCE CHECKLIST Yes No Reason If No Description

SECURITY PRACTICES OVERVIEW

INFORMATION ASSURANCE DIRECTORATE

IT SECURITY RISK ANALYSIS FOR MEANINGFUL USE STAGE I

Best Practices Guide to Electronic Banking

NYDFS Cybersecurity Regulations

Altius IT Policy Collection

ISSUE N 1 MAJOR MODIFICATIONS. Version Changes Related Release No. PREVIOUS VERSIONS HISTORY. Version Date History Related Release No.

Oracle Data Cloud ( ODC ) Inbound Security Policies

University of Ulster Standard Cover Sheet

GM Information Security Controls

HIPAA Compliance Checklist

Mobile Device policy Frequently Asked Questions April 2016

TAC 202 Requirements 2017

Policy Document. PomSec-AllSitesBinder\Policy Docs, CompanyWide\Policy

ACM Retreat - Today s Topics:

INTERNATIONAL SOS. Information Security Policy. Version 2.00

Standard CIP Cyber Security Systems Security Management

Information Security Controls Policy

Department of Public Health O F S A N F R A N C I S C O

Guidelines for Data Protection

ADIENT VENDOR SECURITY STANDARD

Page 1 of 15. Applicability. Compatibility EACMS PACS. Version 5. Version 3 PCA EAP. ERC NO ERC Low Impact BES. ERC Medium Impact BES

Security Principles for Stratos. Part no. 667/UE/31701/004

Policy. London School of Economics & Political Science. Remote Access Policy. IT Services. Jethro Perkins. Information Security Manager.

Transcription:

The University of Texas at El Paso Information Security Office Minimum Security Standards for Systems 1

Table of Contents 1. Purpose... 3 2. Scope... 3 3. Audience... 3 4. Minimum Standards... 3 5. Security Review for New Security Software and Appliances... 8 6. Non-Compliance and Exceptions... 8 7. Related Policies, Procedures, Best Practices and Applicable Laws... 9 8. Revision History... 9 9. Approvals... 10 2

1. Purpose The University of Texas at El Paso ( UTEP, also referred to as the University ) Minimum Security Standards for Systems 1 policy serves as a supplement to The University of Texas at El Paso Acceptable Use of Information Resources Policy, which was drafted in response to Texas Administrative Code 202 and UTS165 Information Resources Use and Security Policy. Adherence to the standards will increase the security of systems and help safeguard University Information Resources. These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the University's Information Resources. Compliance with these requirements does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan. 2. Scope These standards apply to all devices, physical or virtual, connected to the University Network through a physical, wireless, or VPN connection where data is classified as Confidential, Controlled, or (see The University of Texas at El Paso Data Classification Standard). Systems that store and/or process credit card information must also comply with UTEP s Minimum Security Standards for Merchant Payment Card Processing requirements. 3. Audience All users with systems connected to the University Network as in Section 2 above. 4. Minimum Standards This section lists the minimum standards that shall be applied and enabled in Confidential, Controlled, or data systems that are connected to the University Network. Standards for Confidential data are generally required. If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a Security Exception Report shall be filed (see The University of Texas at El Paso Security Exception Reporting Process). System owners and custodians, lead researchers, and/or systems administrators are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability (CIA) requirements of the data processed by the system. 1 Adapted from the Minimum Standards for Security Systems (https://security.utexas.edu/policies/standards_systems), with permission from ITS, The University of Texas at Austin, Austin, Texas 78712-1110 3

4.1 Backups 4.1.1 System administrators should establish and follow a procedure to carry out regular system backups. 4.1.2 Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. 4.1.3 Systems administrators must maintain documented restoration procedures for systems and the data on those systems. 4.2 Change Management 4.2.1 There must be a change control process for systems configuration. This process must be documented. 4.2.2 System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available. If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch. 4

4.3 Computer Virus Prevention 4.3.1 Anti-virus software must be installed and enabled. 4.3.2 Anti-spyware software must be installed and enabled. Installing and enabling anti-spyware software is required if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. 4.3.3 Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily. 4.3.4 Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. 4.4 Physical Access 4.4.1 Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended. 4.4.2 Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. 4.5 System Hardening 4.5.1 Systems must be set up in a protected network environment or by using a method that assures the 5

system is not accessible via a potentially hostile network until it is secured. 4.5.2 Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. Products no longer receiving security updates from the vendor (e.g., unsupported) are not authorized. 4.5.3 If automatic notification of new patches is available, that option should be enabled. 4.5.4 Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. 4.5.5 Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. 4.5.6 Services or applications running on systems manipulating Confidential data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs (see Data Encryption Guidelines). 4.5.7 Systems will provide secure storage for Confidential data as required by confidentiality, integrity, and availability (CIA) needs. Security can be provided by means such as, but not limited to, encryption (see Data Encryption Guidelines), access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate. 4.5.8 If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. 6

4.5.9 Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. 4.5.10 The required University warning banner should be installed. 4.5.11 Whenever possible, all non-removable or (re-) writeable media must be configured with file systems that support access control. 4.5.12 Access to non-public file system areas must require authentication. 4.5.13 Strong password requirements shall be enabled, as technology permits, based on the category of data the account is allowed to access (UTEP Data Classification Standards). 4.5.14 Apply the principle of least privilege to user, administrator, and system accounts. 4.6 Security Monitoring 4.6.1 If the operating system comes with a means to log activity, enabling and testing of those controls is required. 4.6.2 Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. 4.6.3 The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, 7

etc.). Security logs should retain at least 14 days of relevant log information (NOTE: data retention requirements for specific data should be considered. For example, Payment Card Industry audit trail history and log retention should be retained for at least one year depending on PCI system classification SAQ-XX, etc.). 4.6.4 All administrator or root access must be logged. 4.7 Remote Administration 4.7.1 Systems, including but not limited to servers, desktops, laptops, routers, tablets, etc., accessible from the internet must be securely accessed using two-factor authentication. If two-factor authentication is not available, then it must be accessed using the University s Virtual Private Network (VPN). 5. Security Review for New Security Software and Appliances Departments evaluating the implementation of new security software or appliances, involving Confidential type data, should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products. Security reviews tend to be informal and can often be performed quickly, while ensuring that best practices are being considered. 6. Non-Compliance and Exceptions For all system administrators if any of the minimum standards contained within this document cannot be met on systems manipulating Confidential or Controlled data that you support, an Exception Process must be initiated that includes reporting the non-compliance to the ISO, along with a plan for risk assessment and management (See Security Exception Reporting Process). Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, and reporting to the Data Owner and Information Security Office. 8

7. Related Policies, Procedures, Best Practices and Applicable Laws The policies and practices listed here inform the system hardening procedures described in this document and with which you should be familiar (This is not an all-inclusive list of policies and procedures that affect information technology resources). The University of Texas at El Paso employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to University and System rules and regulations, The University of Texas at El Paso employees are required to comply with state and federal laws and regulations. UTEP Information Resources Use and Security Policy Standard 2: Acceptable Use of Information Resources Standard 9: Data Classification Security Exception Reporting Process Protection of Sensitive Digital Research Data UTS165 Information Resources Use and Security Policy Texas Administrative Code 202 8. Revision History Version Date Author Description of Change 1.0 September 28, 2007 ISO Document Created 1.1 March 29, 2010 ISO Reviewed 2.0 July 20, 2011 ISO Document revised to reflect current requirements. 3.0 December 22, 2015 ISO Document revised to reflect standardized Revision History and Approvals. Updated links to point to most current ISO Policy and Standards, and changed terminology to reflect new data classification terms. 3.1 March 23, 2017 ISO Review document, update links and fix table formatting 3.2 May 23, 2017 ISO Added section 4.7.1 Remote Access and fixed additional links 9

9. Approvals Name Title Role Date Gerard D Cochrane Jr Chief Information Security Officer Approval 09/28/2007 Gerard D Cochrane Jr Chief Information Security Officer Approval 03/29/2010 Gerard D Cochrane Jr Chief Information Security Officer Approval 07/20/2011 Gerard D Cochrane Jr Chief Information Security Officer Approval 12/22/2015 Gerard D Cochrane Jr Chief Information Security Officer Approval 03/23/2017 Gerard D Cochrane Jr Chief Information Security Officer Approved 05/23/2017 10

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback