Table of contents
The IT-1 Standard for IT Security Roles and Responsibilities states that the security of IT resources is a shared responsibility between the campus units operating these resources, the technical staff supporting these resources, and the user community using and potentially storing these resources. The Standard below sets forth requirements for how IT resources are to be securely managed.
Definitions
For the purpose of this document, sensitive data is information categorized as High (Level 3) by the IT-2 UMD Data Classification Standard.
Implementation
It is possible to implement compensating controls for standard items that achieve the same results. Compensating controls should be reviewed in advance with the Division of IT (DIT) Security Office to ensure suitability.
Standards
For a computer system to be managed securely, unit management must:
- Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.
- Employ technical staff with the expertise necessary to appropriately maintain the hardware, operating systems, systems software, programs and other associated components of the system to which they are assigned.
- Ensure that technical staff understands their responsibilities and the consequences of poorly managed systems. Consequences include compromise of systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and the University, and possible loss of federal or other funding for the department and the University as a whole.
- Provide or procure secure locations for sensitive systems.
- Provide necessary initial and refresher training to technical staff as hardware or software components are revised or added.
- Ensure that assignments and job plans account for time required for systematic and periodic audit and maintenance of systems.
- Participate in the periodic campus information risk assessment.
For a computer system to be managed securely, unit technical staff must abide by the following standards.
Data protection
- Fully understand the sensitivity of the function or operation being supported by the system and the data being stored or manipulated on the system.
- Encrypt stored sensitive data wherever possible to minimize disclosure if the system is compromised. Ensure that sensitive data can be recovered.
- Encrypt sensitive data being transmitted to-and-from the system to ensure the data is protected in transit.
- Securely remove data from media once that data or device is no longer required, in order to prevent unauthorized disclosure of data. Drive destruction is a very effective method.
System security
- Choose not to employ operating systems or software for which security support is no longer provided. If you must, strictly limit network access to those systems.
- Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a time frame commensurate with the level of risk.
- Remove or disable unneeded services and software, especially those that are network accessible.
- Unless a system is on a private network, scan computers for security vulnerabilities at least monthly, to ensure new vulnerabilities are promptly identified and addressed. Scans should also be conducted:
- Immediately after installation or configuration of a new system is completed.
- Immediately after introduction of a new operating system or an upgrade to an existing operating system.
- Immediately after installation or upgrade of networking or other system software.
- Install and maintain anti-virus software on operating systems for which the University has licensed such software and maintain current virus pattern files.
- Subscribe to vendor and other advisory services applicable to the operating environment being maintained.
- Stay current on security issues that affect the University environment by subscribing to the weekly IT security update and visiting the Security section of the DIT website.
Access control
- Ensure that IT resources are secured against theft and systems holding sensitive data are protected from unauthorized physical access.
- Deploy encrypted communications methods for secure access to the system.
- Where technically possible, only allow legitimate and authorized network access to systems.
- Require all users to be identified and authenticated before access is allowed.
- Perform day-to-day work as a non-privileged user and use only privileged accounts for tasks that require additional capabilities.
- Ensure that all accounts require a password. When technically feasible, utilize CAS (Central Authentication Service) for authentication to leverage central account management and multi-factor authentication.
- Where technically practicable, use multi-factor authentication for privileged access to servers, applications and network infrastructure.
- Ensure that re-usable passwords are not sent over the network in clear-text.
Accountability
- If a system is capable, log the following list of system activities. Work with DIT to determine if these logs are a good candidate for inclusion in the centralized Splunk enterprise logging solution:
- Successful user logins, including the location from which the logins originated.
- Unsuccessful login attempts, including the location from which the attempts originated.
- Unsuccessful file access attempts.
- Successful file accesses for files and databases containing sensitive data.
- The following activities must be reported immediately to the DIT IT Security Office (301-226-4225):
- Suspected or actual security breaches of university information or of information systems.
- Systematic unsuccessful attempts to compromise information.
- Suspected or actual weaknesses in the safeguards protecting university information or information systems.
- Missing or stolen equipment. Such incidents must also be reported to University Police.
If you need any assistance or guidance, contact us at it-compliance@umd.edu.