These are the current Information Security Standards for systems that contain restricted data (ex. GLBA, HIPAA, etc.).
Detailed Information
A. Security Standards for Systems with Restricted Data
1. IT Security Standard: Access Control
1.1 The identification of authorized users of the information system and the specification of access privileges is fundamental to access control. Eligible UMS users are granted at least one unique user identification and password on the UMS network to ensure accurate auditing of access and actions; departments will not share individual user IDs for system access. Eligible non-UMS users must follow the established process for sponsored affiliates, guest/friend accounts, federated identities, social login, or documented trusted relationships.
1.2 Where possible, document access requirements and limit system access based on role rather than by individual account.
1.4 No one person should have responsibility for more than one related function. For example, the person with the authority to grant access should not be the person who fulfills the request, or audit functions should not be performed by the personnel responsible for administering access. At no time should any person fulfill and grant access to themselves.
1.5 Individuals should be granted the minimum access sufficient to complete their day-to-day job responsibilities. Individuals who are granted privileged access should use the least privileged account for day-to-day activities; privileged accounts should only be used when the elevated privilege is required by the system or application. All privileged accounts and functions requiring privileged account access should be identified.
1.8 The procedure to limit unsuccessful login attempts is defined and implemented (ex. after 10 attempts the account is locked for 10 minutes).
1.10 An inactivity timeout is defined and configured so that the session is automatically locked and the screen display is hidden (via screen savers, photographs, blank screens, etc.).
1.11 Sessions will terminate when users log off systems. Users are required to log off restricted systems when finished with their sessions.
1.12 Where possible, to reduce the overall attack surface of UMS systems, remote management services will not be internet-facing. For example, client and server systems that require remote access (e.g. Windows Remote Desktop, Apple Remote Desktop, SSH, administrative web interfaces) will be configured to require use of a UMS:IT managed VPN service.
1.13 Users who need to access the UMS network and any sensitive university data from a non-university or public network must use the UMS Remote Access VPN (Virtual Private Network), which meets this standard. The VPN also permits access to applications or data that require an on-campus connection. All UMS internal systems accessible via a web browser must utilize HTTPS.
1.14 Any remote access technologies (VPN, TeamViewer, etc.) to restricted systems must be identified and managed.
1.16 All wireless access should be identified (device name, type, location).
1.19 Only UMS owned and managed mobile devices are authorized, and they must be identified. Employ full-device encryption or container-based encryption to protect restricted data on mobile devices and computing platforms.
1.20 Only UMS owned and managed devices or remote devices connected through a VPN are authorized to be directly connected to systems storing Restricted data. Any exception to this must be approved and documented.
1.21 Portable storage devices containing sensitive information can only be used with UMS owned devices; exceptions must be approved and documented.
1.22 Review information posted or processed on publicly accessible information system to ensure that internal, confidential or restricted data is not included. This includes posting to web sites, social media, Google or Microsoft drives that are shared with anyone that doesn't have the appropriate need to know, or processing on external systems that haven't been preapproved by the University to process such data.
2. IT Security Standard: Awareness and Training
2.1 Users, managers, and system administrators of the information system will receive initial and annual training commensurate with their role and responsibilities. The training will provide a basic understanding of the need for information security, applicable policies, standards, and procedures related to the security of the information system, as well as user actions to maintain security and respond to suspected security incidents. The content will also address awareness of the need for operations security.
2.2 Ensure all information security related responsibilities are defined and assigned to designated personnel. Provide appropriate additional training for users of your unit systems and services that store or process sensitive university data.
2.3 Provide security awareness training that identifies indicators of potential insider threat and covers recognizing and reporting potential insider threats.
3. IT Security Standard: Audit and Accountability
3.1 Create, protect, and retain information system audit records (following the appropriate retention schedule based on data source and applicable regulations) in order to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity.
3.2 Correlate network activity to individual user information in order to uniquely trace and hold accountable users responsible for unauthorized actions.
3.3 Review and update audited events periodically or in the event of substantial system changes or as needed, to ensure that the information system is capable of auditing events, to ensure coordination with other organizational entities requiring audit-related information, and provide a rationale for why auditable events are deemed adequate to support security investigations.
3.5 Employ automated mechanisms across different repositories to integrate audit review, analysis, correlation, and reporting processes in order to support organizational processes for investigation and response to suspicious activities, as well as gain organization-wide situational awareness.
3.7 Use internal system clocks to generate time stamps for audit records, and record time stamps that can be mapped to UTC; compare system clocks with authoritative NTP servers, and synchronize system clocks when a time difference is identified.
3.9 Privileged users with log management capabilities are defined and management of logs is limited to the defined users.
4. IT Security Standard: Configuration Management
4.1 Baseline configurations will be developed, documented, and maintained for each information system type. Baseline configurations will include software versions and patch level, configuration parameters, network information including topologies, and communications with connected systems. Baseline configurations will be updated as needed to accommodate security risks or software changes. Deviations from baseline configurations will be documented.
4.3 Change management system that tracks, reviews, approves/disapproves and logs changes is established, documented and utilized.
4.9 User controls will be in place to prohibit the installation of unauthorized software. All software for information systems must be approved.
5. IT Security Standard: Identification and Authentication
5.1 Systems will make use of institutionally assigned accounts for unique access by individual. Service accounts are to be centrally managed. Local service accounts are to be identified.
5.2 All accounts in use will be assigned and managed by the university's identity management team. Accounts are provisioned as part of the established account creation process. Accounts are uniquely assigned to all faculty and staff upon hire, and to students upon matriculation. Access to systems will only be allowed after individuals or service accounts have been verified through login. System accounts that do not meet this requirement must be on the approved exceptions list.
5.3 Any network access to servers and machines hosting or processing restricted data requires multifactor authentication provided by the university, regardless of whether the account is privileged or unprivileged.
5.5 Login identifiers will not be reused within 10 years of de-provisioning.
5.6 Accounts are rendered inaccessible 180 days after password expiration.
5.7 Account passwords must be a minimum of 8 characters and a mix of upper/lower case letters, numbers and symbols. Passwords cannot be based on a username or a standalone word.
5.8 Systems must prevent the reuse of passwords.
5.10 All passwords must be cryptographically protected in both storage and transit.
5.11 Obscure feedback of authentication information (i.e., passwords).
6. IT Security Standard: Incident Response
6.1 Establish a written incident response plan designed to promptly respond to, and recover from, any security event materially affecting the confidentiality, integrity, or availability of customer information.
6.2 All security incidents must be tracked and documented in the IT ticketing system and reported to the CISO. The CISO will report incidents to appropriate external authorities based on investigations by the Information Security Office.
6.3 Applicable organizational units must participate in incident response capability testing activities, such as tabletops hosted by the Information Security Office on an annual basis.
7. IT Security Standard: Maintenance
7.1 All systems, devices, and supporting systems for organizational information systems must be maintained according to manufacturer recommendations or organizationally defined schedules. Procedures, schedules, and history of maintenance activity must be documented.
7.3 Any media containing sensitive information that is removed from the premises for maintenance must be purged according to NIST SP 800-88 guidelines for media sanitization.
7.5 All remote access to an information system for maintenance or diagnostics must occur using multi-factor authentication. A remote session must be disconnected when maintenance is complete.
7.6 All activities of maintenance personnel who are not authorized to have access to a system must be monitored.
8. IT Security Standard: Media Protection
8.1 Responsible parties for systems data will document and ensure proper access controls are in place for data in digital or print media. While not securely stored, media must be physically controlled and accounted for. The workflow for physically controlling such media and its secure storage must be documented.
8.3 All restricted data storage will be purged or destroyed using mechanisms in accordance with NIST SP 800-88 to ensure that no usable data is retrievable from storage devices identified in the workflow of these systems/services. At a minimum, all confidential data storage must be cleared.
8.6 All restricted data on media will be encrypted or physically locked prior to transport outside of the institution's secure locations.
8.9 Restricted data backups will be encrypted on media at storage locations.
9. IT Security Standard: Personnel Security
9.2 System/data owners are responsible for having a documented process in place ensuring that all access to systems and data granted to the role being vacated is removed upon termination or transfer.
10. IT Security Standard: Physical Protection
10.1 Physical security protections (including guards, locks, cameras, card readers, etc.) will be implemented as necessary to limit physical access to the areas containing restricted systems to only authorized individuals. Any devices, such as printers or research equipment, that cannot require users to authenticate before accessing sensitive data produced by or contained within them shall not be placed in public areas.
10.2 Protect and monitor the physical facility and support infrastructure for organizational systems.
10.3 All visitors entering areas containing restricted systems, or where restricted data is being processed, will be escorted by an authorized employee at all times.
10.4 Physical access logs for restricted systems areas (ex. data centers) will be maintained and retained for 30 days.
10.5 Physical access devices (such as card readers, proximity readers, and locks) will be maintained and operated according to the manufacturer recommendations. These devices will be updated with any changed access control information as necessary to prevent unauthorized access.
10.6 All alternate sites where sensitive data is stored or processed must have safeguarding measures defined and enforced.
11. IT Security Standard: Risk Assessment
11.1 Perform annual risk assessments.
11.2 Vulnerabilities will be scanned in accordance with the UMS Vulnerability Management Program.
11.3 Vulnerabilities will be remediated in accordance with the UMS Vulnerability Management Program.
12. IT Security Standard: Security Assessment
12.1 Perform an annual controls assessment.
12.2 Develop and implement plans of action designed to correct all priority deficiencies and reduce or eliminate all priority vulnerabilities in organizational systems.
12.3 Document and implement a process to continuously or periodically measure the security controls.
12.4 Develop and maintain documentation on how each applicable UMS standard is being met for restricted systems.
13. IT Standard: System and Communications Protection
13.1 External and key internal boundaries of confidential and restricted systems are defined. Monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems.
13.2 Develop software and engineer architectural designs using an identified industry best practice framework or methodology. Evaluate externally developed solutions that transmit, access, store, or process restricted information prior to use.
13.3 Identify system management and user functionality and separate either physically or logically. (ex. separate admin accounts, separate devices, out-of-band interface, etc)
13.5 Identify all publicly accessible system components and separate them from internal networks either physically or logically.
13.8 Encrypt data during transmission.
13.10 Whenever cryptography is employed, establish and manage cryptographic keys.
13.12 Disable remote activation of all collaborative computing devices (cameras, microphones, etc.) and configure devices to indicate to the user when they are in use.
13.15 Protect the authenticity of communications sessions to maintain data integrity and safeguard against man-in-the-middle attacks, session hijacking, etc.
13.16 Encrypt data at rest.
14. IT Standard: System and Information Integrity
14.2 An anti-malware solution is deployed on all systems, except for those that are at minimal risk from malware.
14.4 Update anti-malware solutions when new releases are available (ex. AV signature definitions, IDS/FW software, etc.).
14.5 Define and document the frequency of anti-malware scans. Perform periodic anti-malware scans of the information system and real-time scans of files from external sources as files are downloaded, opened, or executed.
14.6 Monitor organizational systems, including inbound and outbound communications traffic, to detect attacks and indicators of potential attacks (examples: network and host firewalls, IDS, endpoint protection, SIEM alerts and reports).