Security Standards for Systems with Confidential or Internal Data

These are the current Information Security Standards for all systems containing confidential or internal data.


Detailed Information

B. Security Standards for Systems with Confidential or Internal Data


1. IT Security Standard: Access Control

1.1 The identification of authorized users of the information system and the specification of access privileges is fundamental to access control. Eligible UMS users are granted at least one unique user identification and password on the UMS network to ensure accurate auditing of access and actions; departments will not share individual user IDs for system access. Eligible non-UMS users must follow the established process for sponsored affiliates, guest/friend accounts, federated identities, social login, or documented trusted relationships.

1.2 Where possible, document access requirements and limit system access based on role rather than by individual account.

1.4 No one person should have responsibility for more than one related function. For example, the person with the authority to grant access should not be the person who fulfills the request, and audit functions should not be performed by the personnel responsible for administering access. At no time should any person both grant and fulfill access for themselves.

1.8 The procedure to limit unsuccessful login attempts is defined and implemented (e.g., after 10 failed attempts the account is locked for 10 minutes).
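As an added example (not UMS code), the lockout rule quoted in 1.8 can be implemented as a small per-account counter. The thresholds below use the standard's own example values (10 attempts, 10 minutes); the clock is injectable so that the expiry behaviour can be tested without waiting. The authentication path is assumed to call `is_locked()` before it verifies any credentials, so that attempts made during a lockout are refused rather than counted.

```python
"""Temporary account lockout after repeated failed logins (standard 1.8).

Added example; not UMS code. Limits follow the example in the standard.
The clock is injectable so expiry can be exercised deterministically.
"""
import time
from dataclasses import dataclass

MAX_FAILED_ATTEMPTS = 10      # from the standard's example
LOCKOUT_SECONDS = 10 * 60     # 10 minutes, from the standard's example


@dataclass
class _AccountState:
    failures: int = 0
    locked_until: float = 0.0  # epoch seconds; 0.0 means not locked


class ManualClock:
    """Test clock: a callable returning a time the caller advances by hand."""

    def __init__(self, start: float = 1_000.0):
        self.now = start

    def __call__(self) -> float:
        return self.now


class LoginLimiter:
    """Tracks failed logins per user ID and enforces a temporary lockout."""

    def __init__(self, clock=time.time, max_attempts=MAX_FAILED_ATTEMPTS,
                 lockout_seconds=LOCKOUT_SECONDS):
        self._clock = clock
        self._max = max_attempts
        self._lockout = lockout_seconds
        self._state = {}  # user_id -> _AccountState

    def is_locked(self, user_id: str) -> bool:
        """True while a lockout is active; an expired lock resets the counter."""
        st = self._state.get(user_id)
        if st is None:
            return False
        if st.locked_until and self._clock() >= st.locked_until:
            self._state[user_id] = _AccountState()
            return False
        return st.locked_until > 0.0

    def record_failure(self, user_id: str) -> bool:
        """Record one failed attempt; return True if the account is now locked.

        Attempts made while already locked are not counted, so they cannot
        extend the lock; the caller should have refused them via is_locked().
        """
        if self.is_locked(user_id):
            return True
        st = self._state.setdefault(user_id, _AccountState())
        st.failures += 1
        if st.failures >= self._max:
            st.locked_until = self._clock() + self._lockout
            return True
        return False

    def record_success(self, user_id: str) -> None:
        """A successful login clears the failure counter."""
        self._state.pop(user_id, None)

    def seconds_until_unlock(self, user_id: str) -> float:
        """Remaining lockout time, or 0.0 when the account is not locked."""
        if not self.is_locked(user_id):
            return 0.0
        return max(0.0, self._state[user_id].locked_until - self._clock())
```

The counter lives in process memory here; a real deployment keeps it in shared storage so that the limit holds across all login front ends, and logs each lockout event to the audit trail required by standard 3.1.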

1.10 An inactivity timeout is defined and configured so that the session is automatically locked, with the screen display hidden (screen saver, photograph, blank screen, etc.).

1.12 Where possible, to reduce the overall attack surface of UMS systems, remote management services will not be internet-facing. For example, client and server systems that require remote access (e.g., Windows Remote Desktop, Apple Remote Desktop, SSH, administrative web interfaces) will be configured to require the use of a UMS:IT managed VPN service.

1.13 Users who need to access the UMS network and any sensitive university data from a non-university or public network must use the UMS Remote Access VPN (Virtual Private Network), which meets this standard. The VPN also permits access to applications or data that require an on-campus connection. All UMS internal systems accessible via a web browser must use HTTPS.

1.16 All wireless access should be identified (device name, type, location).

1.22 Review information posted to or processed on publicly accessible information systems to ensure that internal, confidential, or restricted data is not included. This includes posting to web sites, social media, or Google or Microsoft drives that are shared with anyone who does not have the appropriate need to know, and processing on external systems that have not been pre-approved by the University to process such data.

2. IT Security Standard: Awareness and Training

2.1 Users, managers, and system administrators of the information system will receive initial and annual training commensurate with their role and responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, standards, and procedures related to the security of the information system, as well as user actions to maintain security and respond to suspected security incidents. The content will also address awareness of the need for operations security.

2.2 Ensure all information security related responsibilities are defined and assigned to designated personnel. Provide appropriate additional training for users of your unit systems and services that store or process sensitive university data.

2.3 Provide security awareness training that identifies indicators of potential insider threat and covers recognizing and reporting potential insider threats.

3. IT Security Standard: Audit and Accountability

3.1 Create, protect, and retain information system audit records (following the appropriate retention schedule based on data source and applicable regulations) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.

3.7 Use internal system clocks to generate time stamps for audit records, and record time stamps that can be mapped to UTC; compare system clocks with authoritative NTP servers, and synchronize system clocks when a time difference is identified.

3.9 Privileged users with log management capabilities are defined and management of logs is limited to the defined users.

4. IT Security Standard: Configuration Management

Not applicable at this time

5. IT Security Standard: Identification and Authentication

5.1 Systems will make use of institutionally assigned accounts for unique access by individual. Service accounts are to be centrally managed. Local service accounts are to be identified.

5.2 All accounts in use will be assigned and managed by the university's identity management team. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to faculty and staff upon hire, and to students upon matriculation. Access to systems will only be allowed after individuals or service accounts have been verified through login. System accounts that do not meet this requirement must be in the approved exceptions list.

5.5 Login identifiers will not be reused within 10 years of de-provisioning.

5.6 Accounts are rendered inaccessible 180 days after password expiration.

5.7 Account passwords must be a minimum of 8 characters and a mix of upper/lower case, numbers, and symbols. Passwords cannot be based on a username or a standalone word.

5.8 Systems must prevent the reuse of passwords.

5.10 All passwords must be cryptographically protected in both storage and transit.

5.11 Obscure feedback of authentication information (i.e., passwords).
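As an added example (not UMS code or an implementation the standard prescribes), the following combines three of the requirements above: the composition rules of 5.7, the reuse prohibition of 5.8, and cryptographic protection at rest from 5.10. Where the standard leaves wording open, the example makes labelled interpretations: "mix" is read as requiring all four character classes, "based on a username" as the user ID appearing inside the password, and "standalone word" as an exact match against a word list after stripping surrounding digits and symbols. The word list, the history depth and the PBKDF2 iteration count are assumptions chosen for the example.

```python
"""Password policy check, reuse prevention and hashing at rest (5.7, 5.8, 5.10).

Added example; not UMS code. Interpretations and tunables are marked.
"""
import hashlib
import hmac
import os
import string

MIN_LENGTH = 8              # from standard 5.7
HISTORY_SIZE = 5            # assumption: number of previous hashes kept for 5.8
PBKDF2_ITERATIONS = 200_000 # assumption: tune per deployment

# Constructed word list standing in for a real dictionary.
COMMON_WORDS = {"password", "welcome", "university", "maine", "summer"}


def policy_violations(password: str, username: str) -> list:
    """Return the 5.7 rules the password breaks (empty list means compliant)."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append(f"shorter than {MIN_LENGTH} characters")
    if not any(c.isupper() for c in password):
        problems.append("no upper-case letter")
    if not any(c.islower() for c in password):
        problems.append("no lower-case letter")
    if not any(c.isdigit() for c in password):
        problems.append("no digit")
    if not any(c in string.punctuation for c in password):
        problems.append("no symbol")
    low = password.lower()
    if username and username.lower() in low:
        problems.append("based on the username")
    # Strip leading/trailing digits and symbols so "Password1!" still
    # counts as the standalone word "password".
    core = low.strip(string.digits + string.punctuation)
    if core in COMMON_WORDS:
        problems.append("standalone dictionary word")
    return problems


def hash_password(password: str, salt: bytes = None) -> tuple:
    """Salted PBKDF2-HMAC-SHA256; only (salt, digest) is ever stored (5.10)."""
    if salt is None:
        salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt,
                                 PBKDF2_ITERATIONS)
    return salt, digest


def matches(password: str, salt: bytes, digest: bytes) -> bool:
    """Constant-time comparison of a candidate against a stored hash."""
    _, candidate = hash_password(password, salt)
    return hmac.compare_digest(candidate, digest)


class PasswordStore:
    """Per-user current hash plus a bounded history of earlier hashes."""

    def __init__(self):
        self._history = {}  # username -> list of (salt, digest), newest last

    def set_password(self, username: str, new_password: str) -> list:
        """Apply 5.7 and 5.8; return the list of violations, empty on success."""
        problems = policy_violations(new_password, username)
        history = self._history.get(username, [])
        # 5.8: the new password may not match the current or any kept hash.
        if any(matches(new_password, s, d) for s, d in history):
            problems.append("reuses a previous password")
        if problems:
            return problems
        history = (history + [hash_password(new_password)])[-HISTORY_SIZE:]
        self._history[username] = history
        return []

    def verify(self, username: str, password: str) -> bool:
        """Check a login attempt against the current (newest) hash."""
        history = self._history.get(username)
        if not history:
            return False
        salt, digest = history[-1]
        return matches(password, salt, digest)
```

PBKDF2 is used here because it ships with the Python standard library; where a memory-hard function such as scrypt or Argon2 is available it is the better choice for the storage requirement in 5.10, and the transit half of that requirement is met by the HTTPS rule in 1.13 rather than by this code.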

6. IT Security Standard: Incident Response

6.1 Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information.

6.2 All security incidents must be tracked and documented in the IT ticketing system and reported to the CISO. The CISO will report incidents to appropriate external authorities based on investigations by the Information Security Office.

7. IT Security Standard: Maintenance

7.1 All systems, devices, and supporting systems for organizational information systems must be maintained according to manufacturer recommendations or organizationally defined schedules. Procedures, schedules, and history of maintenance activity must be documented.

7.3 Any media containing sensitive information that is removed from the premises for maintenance must be purged according to NIST SP 800-88 guidelines for media sanitization.

8. IT Security Standard: Media Protection

8.1 Responsible parties for systems data will document and ensure proper access controls are in place for data in digital or print media. While not securely stored, media must be physically controlled and accounted for. The workflow for physically controlling such media and its secure storage must be documented.

8.3 All restricted data storage will be purged or destroyed using mechanisms in accordance with NIST SP 800-88 to ensure that no usable data is retrievable from storage devices identified in the workflow of these systems/services. At a minimum, all confidential data storage must be cleared.

9. IT Security Standard: Personnel Security

9.2 System/data owners are responsible for having a documented process in place ensuring that all access to systems and data based on the role being vacated is removed upon terminations and transfers.

10. IT Security Standard: Physical Protection

Not applicable at this time

11. IT Security Standard: Risk Assessment

11.2 Vulnerabilities will be scanned in accordance with the UMS Vulnerability Management Program.

11.3 Vulnerabilities will be remediated in accordance with the UMS Vulnerability Management Program.

12. IT Security Standard: Security Assessment

12.2 Develop and implement plans of action designed to correct all priority deficiencies and reduce or eliminate all priority vulnerabilities in organizational systems.

13. IT Standard: System and Communications Protection

13.1 External and key internal boundaries of confidential and restricted systems are defined. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.

13.3 Identify system management and user functionality and separate them either physically or logically (e.g., separate admin accounts, separate devices, out-of-band interfaces, etc.).

13.5 Identify all publicly accessible system components and separate them from internal networks either physically or logically.

13.16 Encrypt data at rest.

14. IT Standard: System and Information Integrity

14.2 An anti-malware solution is deployed on all systems, except for those that are at minimal risk from malware.

14.4 Update anti-malware solutions when new releases are available (e.g., AV signature definitions, IDS/firewall software, etc.).

14.5 Define and document the frequency of anti-malware scans. Perform periodic anti-malware scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.

14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks (examples: network and host firewalls, IDS, endpoint protection, SIEM alerts and reports).