50+ Security Policies (2019)

 


 

SECURITY POLICIES OVERVIEW 2019

Organizations should produce and maintain an overall security policy, which will set out the other policies that may be required. This blog explores the 50+ security policies used in companies and organizations.

 

In general, security policies need not be lengthy documents, since they do not require a great level of detail – this can be incorporated in lower-level documents such as processes, procedures and work instructions.

 

For ease of use and clarity, a security policy should generally contain no more than eight sections:

  1. an overview, stating what aspect of the organization’s operations the policy is intended to address;
  2. the actual purpose of the policy;
  3. the scope of the policy – both what is within the scope and what is not;
  4. the policy statements themselves – usually the largest part of the policy document;
  5. requirements for compliance – including, if appropriate, the penalties for failing to observe the policy, whether these are required by the organization, the sector regulator, national legislation, national or international standards, or whether they are simply good practice;
  6. any related standards, policies, and procedures;
  7. definitions of terms used within the policy;
  8. revision history.

 

The overall security policy would normally contain policy statements along the lines of:

 

The organization’s information must be protected in line with all relevant legislation, sector regulations, business policies, and international standards, in particular, those relating to data protection, human rights and freedom of information.

 

Each of the organization’s information assets will have a nominated information owner who will accept responsibility for defining the appropriate uses of that asset and ensuring that appropriate security measures are in place to protect it.

 

The organization’s information will only be made available to those who have a legitimate business need. All the organization’s information will be classified according to an appropriate level of privacy and sensitivity. 

 

The integrity of the organization’s information assets must be maintained at all times. Individuals who have been granted access to information have the responsibility to handle it in an appropriate manner and according to its classification.

 

The organization’s information must be protected against unauthorized access.

Compliance with the organization’s information security policies will be enforced.

Organizational security policies fall broadly into four areas:

  1. directive policies that state ‘thou shalt’ or ‘thou shalt not’;
  2. administrative policies, that is, those that are underpinned by an administrative function;
  3. communal policies, on which large parts of the organization must work together;
  4. technical policies that require specific hardware, software or both.

 

The following policies and operational controls are likely to be implemented by SMEs and within medium to large organizations.

 

DIRECTIVE POLICIES

Directive policies are concerned with individual behaviors and tell individuals either what they should do or should not do. As with all policies, there should be some mention not only of the consequences of failing to adhere to them but also of the penalties for failing to do so.

 

Acceptable use

Acceptable use policies are those to which all users of the organization’s network and services, whether temporary staff, contractors or permanent members of staff, should adhere. 

 

Acceptable use will normally include such areas as personal access (browsing, shopping, etc.) to the internet and email. It may also cover the use of organizational facilities when posting on blogs and social media.

 

Information retention

This policy determines the duration for which information can be stored, and how it should be disposed of when the end of the retention period is reached. This policy will have strong links with the Information Classification Policy and any data protection legislation requirements.

 

Data and information retention

The organization’s data and information retention policy will link closely with its Information Classification Policy and where appropriate must take into account the requirements of data protection, human rights and freedom of information legislation, since this will impact on the amount of time for which personal information may be stored, for example, as required by Principle 5 of the Data Protection Act.

 

Information classification


The organization is likely to possess many different types of information, including publicly available information; information that should be restricted to staff generally; and information that should be available only to very specific members of staff.

 

The information classification policy should define these levels, avoiding generic terms such as ‘confidential’ or ‘restricted’, since these can have different meanings, not only between the public and private sectors but also between similar organizations.

 

For each type of information, the policy will dictate how and where the information is stored (and in some cases where it may not be stored); its retention period; how it is labeled; the extent to which it may be shared; how and where it must be backed up; how it is transported; and finally, how it is destroyed when no longer required.

 

Peer-to-peer (P2P) networking

One of the simplest methods for distributing malware is by concealing it inside files being shared on peer-to-peer (P2P) networks.

 

Unless it is a business imperative, organizations should enforce a policy forbidding the use of P2P networking, including P2P on company computers used at home and on individuals’ personal computers used on the organization’s network.

 

ADMINISTRATIVE POLICIES

Administrative policies deal more with the steps that individuals or groups of individuals take in order to protect the wider organization. These policies will determine the capabilities of all users within the organization as opposed to the dos and don’ts of individual users.

 

Access control


This determines how applications and information are accessed and can be achieved in a number of ways, including role-based, time of day or date, level of privilege, and whether access is read-only or read and write.

 

An access control policy can quite reasonably include the requirement for different methods of authentication, such as single sign-on, digital certificates, biometrics, and token-based authentication.

 

Change control

Uncontrolled changes are a frequent cause of problems in systems and services. The change control policy will describe the process for making changes to the systems and their supporting network, including the operating system and applications.

 

This may involve a detailed analysis of the proposals prior to any attempt at implementation, and will usually include functionality and load testing prior to roll out.

 

Hand in hand with the change control function is that of change management, which includes informing users of impending changes and having a back-out process that would be invoked should the change fail for any reason.

 

Termination of access

When employees leave the organization, it is vital that their access permissions are terminated. If an employee transfers to a new department or to a new role within the existing department, then existing permissions should still be terminated (as opposed to being modified), and then reinstated at levels appropriate to the new role.

 

Viruses and malware


Viruses and other malware can infect systems without warning and must be dealt with in a formalized manner rather than an ad hoc approach that may do more harm than good. The policy will define who will address the problem and the procedure they will follow to identify, isolate if possible, and remove or quarantine the virus.

 

Passwords

Password management is a key aspect of information security policy and one that is frequently overlooked.

Users are notoriously bad at password management. They will (when they can get away with it) use passwords they find easy to remember, such as their mother’s maiden name, their birthday or the name of their pet, all of which are relatively simple for an attacker to guess or discover.

 

Users should be warned of the dangers of this practice and advised how to create strong passwords.


In the past, the general advice has always been to recommend a minimum password length; to use a complex combination of letters, numbers and other symbols; and to force the user to change their password at intervals.

 

The USA’s National Institute of Standards and Technology has recently changed its view on passwords and has published a draft of a new standard, SP 800-63-3, which deals with digital identity. The draft currently makes three recommendations of things that organizations should do, and four things that they should avoid.

 

Things that organizations should do:

Since users are only human, instead of placing the burden on the user, place the burden on the verifier. It is much easier to write one piece of software than it is to force hundreds or thousands of users to conform to a set of rules, and this is also less stressful on the users.

 

Size matters – by all means, check for password length and encourage users to make use of longer passwords. Check the passwords the users enter against a dictionary of known bad passwords, and require the users to try again if the test proves positive.

 

Things that organizations should avoid:

Complex rules for composition, such as a combination of upper and lower case letters, numbers and other keyboard symbols. These are almost impossible for users to remember (especially if they are required to have different passwords for each application), and may only result in users writing them down.

 

Password hints can help the users remember their passwords, but they can also provide clues to an attacker. Since the originator of a targeted attack may well have undertaken considerable research into their target, such clues could easily betray the user’s credentials.

 

Credentials chosen from lists are similarly of dubious value. Such choices, such as mother’s maiden name, the town of birth, the name of the first school and so on, are just as likely to be known to a serious attacker as the hints described above.

 

Expiration of passwords after a finite period of time does little to improve password security and only serves to complicate matters for the user. Users should have the option to change their password if they feel that it may have been compromised, but forcing them to do it without good cause only adds to their burden.
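An added example (not code from the original post) of a verifier-side check following the ‘should do’ and ‘should avoid’ points above: a minimum length, a dictionary of known bad passwords, and no composition or expiry rules. The blocklist is a small constructed stand-in for a real breach list; the username and repetitive/sequential-run checks go slightly beyond the page and are taken from NIST SP 800-63B.

```python
import unicodedata
from dataclasses import dataclass, field

# Constructed stand-in for a dictionary of known bad / breached passwords;
# a real verifier would load a large list (for example, from a breach corpus).
KNOWN_BAD_PASSWORDS = {
    "password", "password1", "123456", "qwerty", "letmein",
    "welcome", "iloveyou", "admin", "summer2019",
}

MIN_LENGTH = 8    # minimum NIST SP 800-63B allows for user-chosen secrets
MAX_LENGTH = 64   # the verifier must accept secrets at least this long
TRAILING = "0123456789!@#$%^&*."   # characters users bolt onto a weak base


@dataclass
class Verdict:
    accepted: bool
    reasons: list = field(default_factory=list)


def matches_blocklist(folded: str, blocklist) -> bool:
    """True if the password, or the password with trailing digits/symbols
    peeled off one at a time ("password123!" -> "password"), is blocklisted."""
    if folded in blocklist:
        return True
    s = folded
    while s and s[-1] in TRAILING:
        s = s[:-1]
        if s in blocklist:
            return True
    return False


def repetitive_or_sequential(secret: str, run: int = 4) -> bool:
    """True for runs such as "aaaa" or "1234"/"abcd" (consecutive code points)."""
    for i in range(len(secret) - run + 1):
        window = secret[i:i + run]
        diffs = {ord(b) - ord(a) for a, b in zip(window, window[1:])}
        if diffs in ({0}, {1}):
            return True
    return False


def check_password(candidate: str, username: str = "",
                   blocklist=KNOWN_BAD_PASSWORDS) -> Verdict:
    """Verifier-side check: length and blocklist only, no composition rules
    and no expiry. Returns every reason for rejection so the user can fix it."""
    # NFKC normalisation so visually identical inputs are compared equally
    secret = unicodedata.normalize("NFKC", candidate)
    folded = secret.casefold()
    reasons = []
    if len(secret) < MIN_LENGTH:
        reasons.append(f"shorter than {MIN_LENGTH} characters")
    if len(secret) > MAX_LENGTH:
        reasons.append(f"longer than {MAX_LENGTH} characters")
    if matches_blocklist(folded, blocklist):
        reasons.append("known bad password (or a trivial variant of one)")
    if repetitive_or_sequential(secret):
        reasons.append("contains a repetitive or sequential run")
    if username and username.casefold() in folded:
        reasons.append("contains the username")
    return Verdict(accepted=not reasons, reasons=reasons)


if __name__ == "__main__":
    for pw in ["correct horse battery staple", "password123", "Summer2019!", "short"]:
        v = check_password(pw)
        print(f"{pw!r}: {'accepted' if v.accepted else 'rejected: ' + '; '.join(v.reasons)}")
```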

 

The policy should also include a statement regarding the changing of default passwords, especially those that allow root access to systems and network devices such as firewalls and routers.

 

Occasionally, passwords are embedded within applications, especially in cases where one application must connect and exchange data with another without human intervention.

 

The use of embedded passwords should be avoided wherever possible, since they may be widely known and therefore represent a potential avenue of attack, but if they must be used, they should be changed from the manufacturer’s default.

 

No password is immune from a ‘brute force’ search in which an attacker’s computer tries every combination of characters until it eventually finds the right one. Using long passwords will make this much more complicated, and the attacker may simply give up and move on to another, possibly easier, target.

 

Users also have a habit of using the same password on multiple systems. Attackers know this, and if they discover one of a user’s passwords, it will normally allow them to access other systems as well. Users should have a different password for each system to which they require access.

 

Users should also be discouraged from reusing passwords, and where available, some access control systems, such as Microsoft’s Active Directory, can be configured to forbid reuse within a certain period of time.

 

Removable media

Removable media, including USB memory sticks, DVDs and external disk drives can all be not only a source of malware if they have been infected on another system outside the organization, but also a means of users removing information from the organization without authority.

 

Although not obviously seen as removable media, there are many USB devices that can easily act as removable media and become a source of malware, including so-called smartphones, tablet computers, and even e-cigarettes. System hardware can be easily configured to prevent the use of removable media unless the user has a very specific, authorized need.

 

Shared network resources


Shared network drives are an extremely useful resource, allowing staff to move large files around the organization. However, they suffer from one serious shortcoming: there is usually no audit trail of who copied files onto the drive and who subsequently copied them off.

 

Additionally, some forms of malware such as worms can infect multiple shared drives within a network.

If files are to be shared between users within the organization, or with users outside the organization, then a collaborative system such as Microsoft SharePoint should be considered, since this allows the organization to select who can make use of the system to share files, and retain an audit trail of who has done what and when.

 

Segregation of duties

It is all too easy for organizations to allocate people who understand IT to wide-ranging roles, and in some situations, this is a mistake, since it can provide administration-level users with the capability to create and allocate high-level user accounts for people who do not or should not have them.

 

This can lead, for example, to a member of staff being able both to order goods and authorize their purchase, which can lead to fraudulent activities. The correct method of addressing this is to ensure that a particular type of user account cannot carry out both functions – in other words, to completely segregate the duties and access permissions of two account types.

 

Backups and restoral

Organizations should always operate a policy that demands that information is backed up, including: the backup intervals (which may differ for different information elements); the backup method (for example, full or incremental); the media upon which backups are stored; whether backup media is kept on the organization’s premises (but not in the same location as the data being backed up) or at a third-party location; the maximum time allowed for recovering the data, including transport from third-party sites; and how often backup media is tested for reliable restoral.

 

Most large organizations will have a backup policy, but as with all policies, this should be regularly reviewed to ensure that the correct systems are being backed up to some form of removable (encrypted) media, which is then stored off-site in a secure location.

 

However, that is only half the story, since many organizations have discovered to their cost that after a period of time, some backup tapes or disks cannot be read, and so it is essential to perform a test restoral of data at intervals as a sanity check.

 

As an alternative to conventional backups, some organizations rely on the use of cloud services to maintain a long-term store of data, and whilst this might be a cost-effective solution, it does require careful planning and management, since it is often very easy to delete files stored in the cloud, which rather defeats the object of the exercise.

 

Another increasingly popular alternative is where the move to virtualization has occurred and storage area networks (SAN) are becoming widely used, configured with a second SAN for backup. The SAN can be updated daily or by regular snapshots during the day. However, additional backups to other media would normally be recommended.

 

Antivirus software


Some organizations have begun to move away from antivirus software, having been put off by stories in the media about its lack of effectiveness, especially when new malware appears but has not yet been addressed by the antivirus software author. These are called ‘zero-day’ vulnerabilities since once they become known, the author has no time at all in which to provide a fix.

 

However, even if antivirus software does not identify and trap every piece of malware, it will prevent known malware from causing problems by neutralizing or quarantining the offending virus, so it is still very much worthwhile maintaining an antivirus capability and ensuring that it is kept fully up to date.

 

Software updates

Many of the key applications upon which organizations rely – for example, Microsoft Windows, Internet Explorer and Office; Adobe Acrobat Reader, Mozilla Firefox or Google Chrome – are all targets in which attackers find vulnerabilities.

 

The authors of this software will invariably produce updates to fix known vulnerabilities at regular intervals, and it is essential that organizations keep these operating systems and applications fully up to date with the latest patches.

 

Failure to do this can result in an attacker taking advantage of the gap between the vulnerability becoming known and the organization applying the patch to fix it.

 

Where possible and practicable, automatic updating should be applied, since this does not require further manual input from support staff, and reduces the ‘patch gap’ to a minimum.

 

Additionally, any software update that will result in a major change to the operating system or applications should have a back-out plan so that the organization can revert quickly and easily to the original version.

 

Remote access/guest/third-party access

Whether or not an organization makes use of VPNs for network access, it will be necessary to define how staff and third-party contractors are able to access the network and its systems. This policy will also link closely with other policies such as access control, security awareness, and passwords.

 

Wireless/mobile devices


This type of policy will set out the organization’s requirements for implementing wireless access points around its premises; how the wireless infrastructure devices must be configured and secured, including the encryption method; whether the SSID is broadcast; and which bands and channels are to be used.

 

When considering devices that make use of Bluetooth for communications, it should only be enabled when it is actually required and then turned off. Once initially configured for use, the organization should ensure that the device’s visibility is set to ‘Hidden’ so that it cannot be scanned by other Bluetooth devices.

 

If device pairing is mandated, all devices must be configured to ‘Unauthorised’, which then requires authorization for each connection request. Applications that are unsigned or sent from unknown sources should be rejected.

 

For mobile devices supplied by the organization, there will also need to be a section of the policy that regulates when and where these may be used over wireless networks that are not owned or provided by the organization, for example, public wireless or third-party networks.

 

This policy will also include a definition of what information may be stored on the device; what applications may be loaded onto it; whether it may be used to gain access to the wider internet; and whether information stored on the device is or becomes the intellectual property of the organization.

 

Bring your own device (BYOD)

This policy will overlap to a certain extent with the mobile device policy described above, but in this case, the device – such as a laptop computer, tablet computer or smartphone – will be the personal property of the staff member as opposed to being owned by the organization.

 

The policy may include statements regarding use by friends or members of the user’s family, and may also require separate login procedures for access to the organization’s network and, where necessary, hard disk drive encryption.

 

Peripherals

By default, many operating systems install auxiliary services that are not critical to the operation of the system and which provide avenues of attack.

 

When configuring users’ computers, system administrators can disable and remove unnecessary services and peripherals such as USB ports, SD card slots and CD/DVD drives, which, once they are removed, cannot be enabled or used. This policy may form part of a more general procurement policy on the organization’s IT infrastructure.

 

Isolation of compromised systems

Organizations that have detected that a system has been compromised would be well advised to isolate it quickly from the network in order to prevent possible malware from spreading to other systems on the network.

 

Once removed, it would be useful to perform a forensic analysis on the system, using a specialist organization if the relevant skills are not available internally, and finally to restore the systems to normal operation using trusted media.

 

Browser add-ons and extensions

Attacks on internet browsers, add-ins and extensions are becoming increasingly prevalent, and it is critical that attackers should not be able to use vulnerabilities in software such as Microsoft’s Internet Explorer or Adobe’s Acrobat Reader or Adobe Flash to gain access to systems.

 

Organizations should make use of the vendor’s automatic update or software distribution facilities to install patches as soon as they become available.

 

AutoRun

AutoRun is a facility provided on Microsoft Windows that permits a command file on media such as a USB memory stick, CD or DVD to execute when it is inserted into the computer.

 

This is an extremely simple way for an attacker to gain access to a system, since the user may be totally unaware that the media is infected and may not notice the program is running.

 

Turning off AutoRun will probably be a minor inconvenience both to users and to system administrators. It is interesting to note that Apple’s OS X operating system does not support this kind of facility.

 

Adobe Acrobat Reader

Adobe’s Portable Document Format (PDF) has become the de facto standard format for sharing information. Almost any file, presentation or document can be exported or converted into PDF format and will look identical on any type of computer, smartphone or tablet that has Acrobat Reader software loaded.

 

However, an increasing number of cyber-attacks are being conducted by inserting malware into PDF documents, which are then transferred to the device.

 

Organizations can protect their machines from such attacks hidden inside PDF files by hardening Acrobat Reader, following the hardening advice published by the NSA.

 

Outsourcing

Organizations may find it economically advantageous to outsource certain aspects of their operations. This is becoming increasingly so in the case of the organization’s ICT infrastructure, and outsource service providers may offer to provide not only data storage but also the operating system hardware and software and the application software required for the organization’s operations.

 

In some cases, this will be provided at a dedicated third party site, as is frequently used in DR arrangements; or may be provided in a more virtual environment such as cloud services.

 

In either case, it will be vital that the organization has a clear policy regarding the selection of suppliers for this type of service, which will form the basis of a service level agreement (SLA), and should also include an exit policy should the organization decide to move away from a supplier.

 

COMMUNAL POLICIES

Communal policies are those that may have an impact not only on individuals within the organization but also on the wider context of the business and the environment in which it exists.

 

Contingency planning

Contingency planning determines how data or access to systems is made available to users during the prescribed hours of operation. The policy will cover what measures are to be put in place to ensure that access is available in the event of failure of either the systems themselves or the means of accessing them such as a web server and the associated supporting network.

 

A contingency planning policy will often link directly to business continuity or to a disaster recovery policy.

 

Incident response

The organization’s incident response policy will detail how incidents are reported, investigated and how they are resolved. In the event that certain predefined failure thresholds are exceeded, additional measures such as business continuity and disaster recovery plans may need to be invoked.

 

An incident may also require communication regarding the incident to be made available to staff, customers, third-party suppliers, the public at large and, if the organization is part of a highly regulated sector (such as energy, finance or transport), the incident may also require notification to the sector regulator.

 

As with business continuity and disaster recovery plans, incident response plans should be reviewed at regular intervals or when any major aspect of the organization’s business changes, and also tested at regular intervals.

 

User awareness and training


Since many of the cybersecurity issues we experience are caused by users, making them aware of the risks they face – including the major threats, vulnerabilities and potential impacts – is a highly important step to achieving better cybersecurity.

 

Awareness is the first step and introduces users gradually to the things they need to know and understand so that security becomes second nature to them, and they cease to foster bad security habits and move towards a position where they are fully committed to good security practice.

 

This is then supplemented with training for those people who are more actively involved in day-to-day security operations, and who require specialist training courses in order to properly fulfill their role.

 

TECHNICAL POLICIES

Technical policies are those of a purely technical nature. They may be necessary either in order to allow other policies previously described to operate successfully, or may stand on their own.

 

Spam email filtering

Spam email is the bane of most people’s lives. It can range from the simply annoying to the positively alarming. Nowadays, most email service providers check email passing through their systems and filter out those that have been previously flagged as spam.

 

However, this may not remove all spam email, as new spam messages will always arise, and some filters may either never add them to their blacklist, or it may take time for the spam to be reported. Organizations can make use of their own spam filters, such as SpamAssassin, which will prevent unwanted email from entering users’ inboxes and junk mail folders.

 

Alternatively, organizations may outsource email scanning to a specialist organization such as Message Labs. It is also vitally important to instruct users as part of the organization's awareness programme on how to identify spam and junk mail even if it originates from a known and normally trusted source.

 

Audit trails

These allow an organization to follow a sequence of events in cases where security incidents have occurred and, where necessary, to be able to show that a user has or has not carried out a particular action. Such evidence might be required in cases where legal proceedings take place, in which case the audit trail must also be forensically robust.

 

Firewalls

Firewall policies will determine the way in which firewalls are deployed and configured to form an integral part of the network, especially with regard to the rules that must be applied and subsequently maintained.

 

Firewalls should be used to block all incoming connections from the internet to services that the organization does not wish to be available. By default, all incoming connections should be denied, and only allowed for those services that the organization explicitly wishes to offer to the outside world.

 

Good practice also calls for the source IP address of an incoming session to be a valid public IP address and not an IP address associated with the business itself. For example, if the business has a block of 32 public IP addresses, incoming sessions whose source address falls within that block must be filtered out.

 

In addition to firewalls, it may be an advantage to partition the organization’s network into separate areas by splitting them according to their function, such as research and development, operations and finance, making it more difficult for an attacker to reach a particular service (see the later item on VPNs).

 

It is also common practice for organizations to create another barrier between the external and internal networks by introducing a so-called demilitarised zone or DMZ. 

 

Good practice also requires that any outgoing connection from the organization to the internet originates from a specific proxy server or service located on a DMZ and not within the main network.
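An added example (not code from the original post) that evaluates the inbound and outbound rules described above in Python: default deny, an explicit allow-list of the services the organization offers, anti-spoofing against the organization’s own public block, and outbound sessions permitted only from the proxy in the DMZ. All addresses are constructed; RFC 5737 documentation ranges stand in for the organization’s 32 public addresses, so they are deliberately left out of the bogon list.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addresses: RFC 5737 documentation ranges stand in for real
# public space, so they are deliberately absent from the bogon list below.
ORG_PUBLIC_BLOCK = ipaddress.ip_network("203.0.113.0/27")  # the organization's 32 public addresses
DMZ_PROXY = ipaddress.ip_address("203.0.113.5")            # outbound proxy sitting in the DMZ

# The only services the organization explicitly offers to the outside world
ALLOWED_INBOUND = {
    (ipaddress.ip_address("203.0.113.10"), 443),  # public web server, HTTPS
    (ipaddress.ip_address("203.0.113.11"), 25),   # inbound mail relay, SMTP
}

# Address space that can never legitimately be the source of an internet-side
# session: unspecified, RFC 1918, CGNAT, loopback, link-local, multicast, reserved.
BOGONS = [ipaddress.ip_network(n) for n in (
    "0.0.0.0/8", "10.0.0.0/8", "100.64.0.0/10", "127.0.0.0/8",
    "169.254.0.0/16", "172.16.0.0/12", "192.168.0.0/16",
    "224.0.0.0/4", "240.0.0.0/4",
)]


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    dport: int
    direction: str  # "in" = arriving from the internet, "out" = leaving towards it


def is_valid_public(addr_str: str) -> bool:
    """A 'valid public' address: one that sits in no bogon range."""
    addr = ipaddress.ip_address(addr_str)
    return not any(addr in net for net in BOGONS)


def decide(pkt: Packet):
    """Return (verdict, reason) for one new session; default deny throughout."""
    src = ipaddress.ip_address(pkt.src)
    dst = ipaddress.ip_address(pkt.dst)

    if pkt.direction == "in":
        # Anti-spoofing first: the source must be a real public address, and
        # it must not be one of the organization's own addresses.
        if not is_valid_public(pkt.src):
            return "deny", "inbound source is not a valid public address"
        if src in ORG_PUBLIC_BLOCK:
            return "deny", "inbound source falls within the organization's own block"
        # Then the explicit allow-list; everything else hits the default deny.
        if (dst, pkt.dport) in ALLOWED_INBOUND:
            return "allow", "explicitly offered service"
        return "deny", "default deny for inbound connections"

    if pkt.direction == "out":
        # Outbound sessions must originate from the proxy in the DMZ, never
        # directly from a host on the main network.
        if src != DMZ_PROXY:
            return "deny", "outbound must originate from the DMZ proxy"
        return "allow", "egress via DMZ proxy"

    return "deny", "unknown direction"


def evaluate(packets):
    """Evaluate a batch and return a list of (packet, verdict, reason)."""
    return [(p, *decide(p)) for p in packets]


if __name__ == "__main__":
    # Constructed sample sessions
    sample = [
        Packet("198.51.100.7", "203.0.113.10", 443, "in"),   # allowed web traffic
        Packet("198.51.100.7", "203.0.113.10", 22, "in"),    # SSH not offered: default deny
        Packet("203.0.113.20", "203.0.113.10", 443, "in"),   # claims to be from the org's own block
        Packet("10.1.2.3", "203.0.113.10", 443, "in"),       # RFC 1918 source on the outside
        Packet("10.1.2.3", "198.51.100.9", 443, "out"),      # internal host bypassing the proxy
        Packet("203.0.113.5", "198.51.100.9", 443, "out"),   # proxy egress
    ]
    for pkt, verdict, reason in evaluate(sample):
        print(f"{pkt.direction:>3} {pkt.src:>14} -> {pkt.dst}:{pkt.dport:<4} {verdict:5} {reason}")
```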

 

Firewalls come in various shapes and sizes. Many require specialized hardware on which to operate and require well-trained staff to configure and maintain them.

 

The decision on which type of firewall to use and how it should be configured is best left to specialist advice, since it must not only provide protection for the business against unwanted intrusion but also meet the business needs as regards what can and cannot be transmitted through it.

 

Other firewalls come built into desktop operating systems – these are much simpler and require little, if any, configuration. On user computers, these should always be enabled, and the user’s access should prevent them from changing this by providing them with a non-administrative account.

 

Encryption


The information encryption policy will go hand in hand with the information classification policy, in that it will define, for certain levels of information classification (for example, secret or top secret), how sensitive information will be encrypted and how the encryption keys will be managed and exchanged.

 

For example, information classified at a certain level could be exchanged between two people using a straightforward encryption mechanism such as PGP, with each owning their own encryption keys, whilst other information might require the use of a full-blown public key management system, with encryption keys centrally managed and distributed.

 

The policy should additionally make the distinction between information in transit (for example, within emails) and information at rest – that is stored on hard drives or other media, especially if stored in the cloud.

 

For information at rest, encrypting the hard drive of a mobile user’s computer is relatively straightforward, and means that the device cannot be used without the user’s password to decrypt the data, making the information useless to anyone who steals it.

 

On Apple Mac computers, turning on the free built-in FileVault software will encrypt the entire hard drive, whilst for Windows users, there are two options.

 

The first, for Professional or Enterprise versions of Windows, is to enable the inbuilt BitLocker software. The second, for other versions of Windows, is to download and install the free VeraCrypt encryption software.

 

Business data that is being stored in the cloud should always be encrypted, since it is always uncertain in which country or countries the cloud storage is located, and those countries’ jurisdictions may not place a high level of protection on data, even to the extent of intercepting and analyzing it themselves.

 

Sensitive information that is being moved to another location – whether by some form of media like a memory stick or by email – should always be encrypted, so that, again, anyone who is able to intercept the transmission or steal the media will be unable to access the information.

 

The key lengths used in symmetric encryption algorithms such as Data Encryption Standard (DES), 3DES and AES are typically 56, 112, 128 or 256 bits, whereas the keys used in asymmetric or public key cryptography are used in the initial set-up of an encrypted session to establish the actual fixed encryption key that the symmetric algorithm will use for the rest of the session.

 

These keys are not typically used for the main encryption work because they require too much computation resource.

 

Secure Socket Shell (SSH) and Transport Layer Security (TLS) keys


Secure Socket Shell (SSH), is a network protocol that provides administrators with a secure method of access to remote systems. It provides a means of strong authentication and encrypted communication between two systems over an insecure network, especially the internet.

 

It is widely used by network administrators for the remote management of systems and applications, enabling them to log on to another system, execute commands and move files between systems.

 

The Transport Layer Security (TLS) protocol provides both confidentiality and integrity between two communicating applications exchanging information such as that between a user’s web browser and an internet banking or e-commerce application. TLS is also used in VPN connections, instant messaging services, and Voice-Over IP (VoIP) applications.

 

Both SSH and TLS make use of encryption keys (as described above) to secure the transfers; these keys are typically 256 bits in length.

 

Abuse of SSH and TLS keys is not uncommon. In order to reduce the likelihood of insiders taking advantage of these when they leave the organization, which renders critical network infrastructure open to malicious access, it is recommended that organizations rotate SSH and TLS keys at intervals.

 

Digital certificates

Digital certificates are widely used to provide authentication of websites, particularly when conducting financial transactions. Digital certificates can be purchased from accredited certification authorities (CAs) both for personal use and by organizations.

 

However, it is important to remember to renew the certificate (normally annually), since failure to do so renders the certificate useless, and users whose web browser detects this will receive a notification that the certificate has expired. This may result in their deciding not to continue with the online transaction.

 


 

Email attachments


As an integral part of their awareness training, employees should be instructed that they should not open email attachments unless they are expecting them.

 

Additionally, users should be forbidden to execute software that has been downloaded from the internet unless it has been scanned for viruses and tested for security vulnerabilities. Users who visit a compromised website can unintentionally introduce malware.

 

Organizations should configure email servers to block or remove emails that contain those file attachments that are commonly used to spread malware, such as .vbs, .bat, .exe, .pif, .zip and .scr files.
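A mail gateway rule for this policy has to do more than compare the last few characters of a file name: attackers rely on upper-case extensions, double extensions such as "invoice.pdf.exe", and executables inside archives. The following is an added example, not code from the blog; it applies the blog's extension list, and as one refinement (my choice, not the blog's) it opens .zip attachments and inspects their members instead of rejecting every archive outright. All attachment names and archive contents are constructed sample input.

```go
package main

import (
	"archive/zip"
	"bytes"
	"fmt"
	"io"
	"path"
	"strings"
)

// blockedExtensions is the blocklist from the policy text (.vbs, .bat, .exe,
// .pif, .scr). Archives (.zip) are opened and inspected rather than blocked.
var blockedExtensions = map[string]bool{
	".vbs": true, ".bat": true, ".exe": true, ".pif": true, ".scr": true,
}

// isBlockedName reports whether one attachment file name violates the policy.
// Matching is case-insensitive and walks every extension in the name, so
// "invoice.pdf.exe", "REPORT.SCR" and a Windows-style path all get caught.
func isBlockedName(name string) bool {
	base := strings.ToLower(path.Base(strings.ReplaceAll(name, "\\", "/")))
	for {
		ext := path.Ext(base)
		if ext == "" {
			return false
		}
		if blockedExtensions[ext] {
			return true
		}
		base = strings.TrimSuffix(base, ext)
	}
}

// zipEntryLimit bounds how many archive members are inspected, so a crafted
// archive with an enormous directory cannot stall the gateway.
const zipEntryLimit = 1000

// isBlockedZip opens an in-memory .zip attachment and applies the same name
// policy to every member. Archives that cannot be read are treated as blocked:
// a gateway should not pass content it was unable to inspect.
func isBlockedZip(data []byte) bool {
	r, err := zip.NewReader(bytes.NewReader(data), int64(len(data)))
	if err != nil || len(r.File) > zipEntryLimit {
		return true
	}
	for _, f := range r.File {
		if isBlockedName(f.Name) {
			return true
		}
	}
	return false
}

// Attachment is the minimal view of a MIME part that the gateway needs.
type Attachment struct {
	Name string
	Data []byte
}

// ShouldBlock applies the policy to one attachment.
func ShouldBlock(a Attachment) bool {
	if isBlockedName(a.Name) {
		return true
	}
	if strings.HasSuffix(strings.ToLower(a.Name), ".zip") {
		return isBlockedZip(a.Data)
	}
	return false
}

// buildZip creates a small in-memory archive with the given member names
// (constructed sample input for the demonstration).
func buildZip(members ...string) []byte {
	var buf bytes.Buffer
	w := zip.NewWriter(&buf)
	for _, m := range members {
		f, _ := w.Create(m)
		io.WriteString(f, "sample content")
	}
	w.Close()
	return buf.Bytes()
}

func main() {
	samples := []Attachment{
		{Name: "quarterly-report.pdf"},
		{Name: "invoice.pdf.exe"},
		{Name: "photos.zip", Data: buildZip("holiday/beach.jpg")},
		{Name: "docs.zip", Data: buildZip("readme.txt", "setup/installer.scr")},
		{Name: "corrupt.zip", Data: []byte("not really a zip")},
	}
	for _, a := range samples {
		fmt.Printf("%-22s blocked=%v\n", a.Name, ShouldBlock(a))
	}
}
```

Note that the name check is deliberately conservative: "tool.exe.txt" is also rejected, because a renamed executable is exactly the kind of file an attacker asks the recipient to rename back.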

 

Network security

Network security policies are very wide-ranging, taking into account how the organization's networks can be secured against intrusion using a combination of firewalls, intrusion detection software, antivirus software, operating system and application patching, and password protection.

 

These should include fixed and wireless local area networks (LANs), VPNs, wide area networks (WANs) and SANs.

 

Virtual private networks (VPNs)

The use of virtual private networks is commonplace, especially in larger organizations, and a policy will be required that sets out how and where these are deployed; who may make use of them (for example, for remote access by staff, guests and third-party contractors); and how they are configured and secured.

 

The use of VPNs should be part of the organization’s strategy that includes network segregation and firewall deployment.

 

Physical access


This will define how access to the physical areas of the organization is controlled and may include perimeter fencing and gates with movement detection and/or CCTV systems, electronically controlled gates and physical security guards.

 

Within the organization’s sites, physical access control will normally be governed by electronic door access systems, whether by personal identification number (PIN), wireless proximity card or a combination of both.

 

The supporting system will dictate the levels and locations of access available to individual members of staff, visitors and contractors. Internally, infrared movement detection and CCTV systems are also frequently used, especially in highly sensitive areas.

 

Intrusion detection systems (IDS)

As with many security tools, intrusion detection systems are just one weapon in the security manager’s armory. As the name suggests, their purpose is to try to identify when unauthorized intrusion to a network or computer system is being attempted, and they are available in a variety of forms:

 

Host intrusion detection systems (HIDS) are installed on individual computer systems, and monitor that system’s configuration only. If a HIDS perceives an abnormal change in a system configuration, it will send an alert message to a console for a security operator to examine.

 

Network intrusion detection systems (NIDS) are installed on internal networks and subnetworks in order to detect abnormal network traffic such as attacks on firewalls. They will also report to a console if they detect an attack but additionally can take some form of action, such as to change firewall rules.

 

Under certain circumstances, it may be necessary to undertake such work using forensic techniques and to retain hard drives and data for possible use in legal proceedings.

 

Human beings, who are almost unique in having the ability to learn from the experience of others, are also remarkable for their apparent disinclination to do so.

 


For the most part, one of the greatest security liabilities in any organization is caused by the user. They may not act deliberately, but often they will unintentionally perform acts of cyber vandalism that will cause untold problems for the IT and security support staff.

 

Their actions (or inactions) may be that they behave inappropriately and release information or allow information to be released, but this may often be due to the fact that they have not been properly trained by the organization to react appropriately to information security events.

 

Some – but not all – of this can be corrected by educating and training the users in good security practice, making them aware of the risks that they will face when using both their own and the organization’s systems.

 

The ‘not all’ referred to above covers two different aspects of human behavior – first, when the user simply forgets or ignores their training, and second, when they are carrying out some action in a very deliberate manner, either to cause loss of the organization’s information (selling it to a competitor for example) or to cause damage or loss as an act of revenge.

 

However, making users aware of the threats, vulnerabilities, and impacts that they may face is an essential precursor to training.

 

There is little that the organization can do to ensure that users never make a mistake, although some organizations, as a means of reducing the likelihood, levy a fine on staff who leave sensitive documents or their computer unattended.

 

Preventing or reducing the likelihood of information theft or damage to systems and information can be achieved to a certain extent by implementing very strict access control mechanisms and introducing monitoring software that looks for anomalies in user behavior and flags up an early warning if something out of character is detected.

 

Banks and credit card companies adopt a similar approach as a means of early detection of fraud, and will often contact a customer immediately if they appear to be making purchases that do not match previous spending patterns.
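The monitoring described in the last two paragraphs comes down to learning what is normal for each user and flagging departures from it. The following is an added example, not code from the blog, of the simplest useful form of that idea: it parses constructed login records ("time user source-ip country", a format chosen for this example), builds a per-user baseline of countries and hours of day from a training window, and then flags logins from an unseen country, at an hour the user rarely works, or from a user with no history at all. The 10 percent hour-of-day threshold is an assumed tuning value.

```go
package main

import (
	"fmt"
	"strings"
	"time"
)

// Event is one parsed login record: who, when and from which country.
type Event struct {
	User    string
	At      time.Time
	Country string
}

// ParseEvents reads constructed log lines of the form
// "<RFC3339 time> <user> <source ip> <country>" and skips malformed ones.
func ParseEvents(lines []string) []Event {
	var out []Event
	for _, ln := range lines {
		f := strings.Fields(ln)
		if len(f) != 4 {
			continue
		}
		t, err := time.Parse(time.RFC3339, f[0])
		if err != nil {
			continue
		}
		out = append(out, Event{User: f[1], At: t, Country: f[3]})
	}
	return out
}

// Baseline is what "normal" looks like for one user, learned from history.
type Baseline struct {
	Countries map[string]bool
	Hours     [24]int // how many past logins fell in each UTC hour
	Total     int
}

// Learn builds per-user baselines from a training window of known-good events.
func Learn(history []Event) map[string]*Baseline {
	b := map[string]*Baseline{}
	for _, e := range history {
		u := b[e.User]
		if u == nil {
			u = &Baseline{Countries: map[string]bool{}}
			b[e.User] = u
		}
		u.Countries[e.Country] = true
		u.Hours[e.At.UTC().Hour()]++
		u.Total++
	}
	return b
}

// Flag returns a reason if the event is out of character, otherwise "".
// Two rules: a never-before-seen country, or an hour of day that accounted
// for less than minHourShare of the user's past logins.
func Flag(b map[string]*Baseline, e Event, minHourShare float64) string {
	u, ok := b[e.User]
	if !ok {
		return "no baseline for user"
	}
	if !u.Countries[e.Country] {
		return "new country " + e.Country
	}
	hour := e.At.UTC().Hour()
	if float64(u.Hours[hour])/float64(u.Total) < minHourShare {
		return fmt.Sprintf("unusual hour %02d:00 UTC", hour)
	}
	return ""
}

// Constructed training data: one user, a week of office-hours logins.
var trainingLines = []string{
	"2019-05-06T08:15:00Z alice 203.0.113.5 GB",
	"2019-05-06T13:40:00Z alice 203.0.113.5 GB",
	"2019-05-07T08:50:00Z alice 203.0.113.5 GB",
	"2019-05-07T14:05:00Z alice 203.0.113.5 GB",
	"2019-05-08T09:10:00Z alice 203.0.113.5 GB",
	"2019-05-08T13:55:00Z alice 203.0.113.5 GB",
	"2019-05-09T08:30:00Z alice 203.0.113.5 GB",
	"2019-05-09T14:20:00Z alice 203.0.113.5 GB",
}

func main() {
	baseline := Learn(ParseEvents(trainingLines))
	newLines := []string{
		"2019-05-10T09:00:00Z alice 203.0.113.5 GB",
		"2019-05-10T03:00:00Z alice 203.0.113.5 GB",
		"2019-05-10T09:30:00Z alice 198.51.100.7 NL",
		"2019-05-10T10:00:00Z bob 198.51.100.9 GB",
	}
	for _, e := range ParseEvents(newLines) {
		reason := Flag(baseline, e, 0.10)
		if reason == "" {
			reason = "normal"
		}
		fmt.Printf("%s %-6s %s -> %s\n", e.At.Format(time.RFC3339), e.User, e.Country, reason)
	}
}
```

The value of this kind of check lies in the early warning, not in certainty: a flagged login is a prompt for the security operator (or, as with the bank example, a quick confirmation with the user), not an automatic lock-out.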

 

Although it may appear obvious, it is worth stating that awareness and training are two different but inter-related concepts. Awareness provides users with the information they need in order to avoid making mistakes, whilst training equips them with the skills they require to deal effectively with challenging situations when they arise. 

 

This blog focuses mainly on changing people’s behavior so that the instances of people-related cyber-attacks can be reduced.

 

TECHNICAL SECURITY ADVICE


There are many activities covered by technical security, so I have tried to break these down into a few distinct areas.

 

Device locking

Physical locks are fine for stopping a device from being removed, but they do not stop someone using it where it sits. The device should be equipped with a password, and a password-protected screensaver should cut in at a suitable interval once the device is unattended.

 

Further protection can be provided by setting the device to delete its data after a number of incorrect password attempts, but this must take into consideration the need for all the data to be backed up.

 

Encryption


One relatively simple step to prevent unauthorized access to information on a computer, CD/DVD or USB memory stick is to use encryption. There are two distinct methods of achieving this:

 

File encryption – in cases where one or two files are of a confidential nature, it’s easy to encrypt the individual files and provide the encryption key securely to those who should have access.

 

Drive encryption – in cases where there are multiple files that require protection, or where access to the computer’s operating system or applications could constitute a significant threat, the entire drive can be encrypted.

 

When the user switches on the machine, a boot-level password is required to be entered before the computer will even commence starting.

 

Operating systems and applications


Every computer has a specific operating system, whether it be Linux, Windows or Mac OS X, or indeed a proprietary operating system used by more specialized computer hardware.

 

New or replacement operating systems should only ever be purchased or acquired through a reputable supplier – normally Microsoft and Apple for their operating systems, and a variety of trusted suppliers for Linux.

 

Once installed, it is essential to ensure that these operating systems are kept up to date, and the suppliers will usually provide a free online updating system to allow this to happen – provided of course that the facility has been enabled.

 

The same is true for key applications – for example, computers that run Microsoft Office applications can receive updates at the same time as the Windows operating system updates, and Microsoft Office applications that run on Mac OS X can check automatically for updates.

 

Regular updates contain not only fixes for problems but also from time to time introduce new features. In these cases, larger organizations should always test an updated operating system or application in a sterile environment before introducing it to the user community to ensure that it does not cause any conflict with existing corporate services.

 

Antivirus software should be installed – especially on Windows PCs, which are the most prone to virus attacks, but also on Apple Mac computers, which although considerably less susceptible, are still at risk from malware.

 

Some security specialists claim that antivirus software will only catch around 5 percent of viruses, but it is always wise to have it installed since failure to do so could still result in a successful attack.

 

It is also essential to install regular antivirus updates – most antivirus software will do this automatically – and to perform regular scans of the computer in case a virus was already present on the machine before the antivirus software was brought completely up to date.

  1. Ensure that operating systems and key applications are kept fully up to date.
  2. Enable automatic updates if at all possible.
  3. Keep antivirus threat databases updated. Even though this doesn’t guarantee 100 percent protection, a good antivirus system will catch the main viruses.

 

User Account Control (UAC)

In recent years, Microsoft Windows introduced the concept of User Account Control or UAC. This facility prevents users with non-administrative privileges from installing software.

 

If several people share the use of a single computer, make sure that all their user accounts are non-administrative, and retain just one master administrative account that is only ever used when required.

 

Even if you are the only user of a computer, it is essential to allocate a non-administrative account and to use this instead of the master administrative account, since unauthorized access to the administrative account would enable an intruder to take complete control of the computer.

 

Similar constraints apply to Apple Mac computers, in which non-administrative users are automatically unable to install software, and additionally, the system can be set to prevent an administrative user from installing software that does not originate from the Mac App Store or from an accredited developer.

 

Firewalls


If the computer has a built-in firewall capability (for example in Windows versions 7, 8 and 10), this should always be enabled, as it is usually quite reliable.

 

There is no need to buy third party firewall software or enable the firewall that comes with many antivirus products since doing so can cause compatibility issues.

 

The firewall can be configured (using an administrative user account) to prevent or allow access by certain applications, providing an additional layer of security. Windows 10 offers built-in firewall software called Defender, although it requires enabling.

 

Antivirus software


Although it is claimed that most antivirus software only traps a small proportion of malware, even what gets through in that small proportion may be sufficient to cause damage or allow malware to infect the user’s computer.

 

Install a reputable antivirus package, such as Norton, AVG, McAfee or Kaspersky. Many of these are free. An antivirus option is built into Windows 10’s Defender firewall software.

 

Most antivirus packages offer features in addition to antivirus such as protection when surfing the internet, for example, URL checking.

Enable automatic updating, which will ensure that the latest virus profiles are available. Enable the software to conduct regular scans of the computer, so ensuring that any malware that was present before a new virus was identified can be removed.

 

Java

Although it is an occasionally useful application, Java is known to suffer from a number of vulnerabilities, and unless it is essential that it is used on the computer, it is best turned off, so cutting off another means of attack. It can always be turned back on temporarily or reinstalled if required.

 

Application software updates

Reputable software companies will always provide updates, not only when they have developed new features, but also when they have identified and fixed vulnerabilities in the software. 

 

If a known application, such as Microsoft Office or Adobe Acrobat flags up that an update is available, it is always best to allow the update to take place.

 

Better still, if the operating system permits automatic updates to take place, this is worth enabling, as it means that your applications are up to date without the need for you to make a decision.

 

Miscellaneous user activities

User-related activities are often the cause of many of the cybersecurity issues we face, including misuse – and occasionally abuse – of networks, systems and services.

 

Keeping users on the straight and narrow is also a management responsibility, and this involves the monitoring of user behavior and occasionally some form of remedial (possibly disciplinary) action in order to resolve matters. There are a number of general guidelines that both individual and company users can and should follow.

 

User passwords


Passwords are like toothbrushes – they should be changed regularly and never shared. Most people (myself included) struggle to keep track of passwords. Whenever you access a new service on the internet, shop for goods or register for information, you are obliged to select a username and password.

 

There is a great deal of common sense in this – it helps the supplier to identify individual users; it keeps your transactions separate from those of others, and it provides you as a user with a degree of confidence that the website you are using is relatively secure.

 

Unfortunately, this means that we have multiple usernames and passwords, and we have difficulty remembering them all, so we write them down somewhere, which is never a good idea since the piece of paper is likely either to be found by someone who should not know your passwords or be lost forever in the recycling bin.

 

The great temptation is to use the same username and password for as many logins as possible, but this is the first step on a slippery slope since if an attacker finds one instance of it, he will have the opportunity to use it elsewhere.

 

An attacker will often be able to guess your username since many websites invite you to use your email address for this, so if you do find yourself in the unfortunate position of having multiple passwords, there are a number of ways in which you can make your life simpler whilst retaining a measure of security.

 

Avoid all passwords that include all or part of your name, the names of family members (especially your mother’s maiden name) and pets. These are usually extremely easy to guess or discover. If you must use simple passwords, use those that can’t be easily guessed, such as fictitious words, like ‘gunzles wiped’.

 

Where possible, use a mixture of upper and lower case letters, numbers and other symbols. Longer passwords are always more secure than shorter ones.

 

Do not write passwords down where other people can find them. If you find complex passwords difficult to memorize, or if you have a large number of them, use a password management tool such as KeePass for Microsoft Windows or mSecure for Mac OS X.

 

That way, you will only have to remember the one password to access that. There are many such tools available.

 

Screen Locking


When moving away from your computer in a location where others could obtain access to it, it is always advisable to engage the screensaver, suitably protected by a password. On corporate user computers, this should be set to happen automatically after a pre-determined period of time.

 

Configure a screensaver with password protection to cut in after no more than five minutes of inactivity.

 

If possible, configure a shortcut to enable the screensaver – either a single keystroke or a mouse movement is ideal. Never leave a computer unattended in a public place unless the password-protected screensaver has been enabled and the computer is physically secured.

 

Least privilege

When configuring new users of a system, always follow the rule of least privilege, meaning that they only have the level of access they actually require, as opposed to being made a system administrator.

 

All too often when people buy a new computer, they set their own account as the system administrator. Instead, they should set up the computer using administrative privileges, and then create their own user account without them.

 

If that account’s username and password are obtained by someone else, they can then access only a limited set of functions on the system itself, and will not be able to make system changes.

 

As mentioned earlier in the blog, organizations with systems administrators must ensure that they have two accounts, one with administrative privileges and one for day-to-day email and office work. It should be a security policy rule that no-one should ever undertake day-to-day activities with an account that has elevated or administrative privileges.

  1. Never configure a guest user on a computer to have administrative privileges.
  2. Always ensure that guest user accounts have password protection turned on.
  3. Always set up the main user of a computer with a non-administrative account.
  4. Use the administration account user for essential systems changes only.

 

Surfing the internet


There is so much information available on the internet that it’s difficult to do anything these days without downloading photographs or documents. When visiting websites, and downloading from them, users should take care to ensure that they are reaching a legitimate website.

 

There are proactive preventative steps the user or the organization can take by putting controls into place to reduce the likelihood of a successful attack, and also simple steps that users themselves can take to avoid risks when surfing the web. The latter was covered earlier in the blog so we will focus on the proactive preventative steps here:

 

Internet browsers are able to block pop-up windows that can contain malware scripts linking to websites that contain malware. Microsoft Internet Explorer, Mozilla Firefox, Apple Safari, and Google Chrome all have this capability using freely available add-in software, such as AdBlock.

 

The ‘protected’ mode on browsers allows a high degree of anonymous web surfing. It isn’t guaranteed to be 100 percent effective, but using it should hide your computer’s identity from most prying eyes.

 

Parental control can be set in both Microsoft Windows and Apple Mac operating systems to safeguard underage web surfers. In Windows, they are located within the Control Panel application and in Mac they can be found under Preferences.

 

Adware and spyware are aggravating intrusions that we experience when we surf the internet. Much of this can be disabled within the internet browser, by disabling pop-up windows for example.

 

However, this will only solve part of the problem, so the use of browser add-ins or extensions such as Adblock Plus can block some adware and spyware, and there are commercial adware blockers available to download.

 

Be cautious though – some of these ‘free’ applications can actually install adware and spyware instead of removing it.

 

Encryption of stored and shared information


Encryption is a method of maintaining confidentiality and integrity by scrambling information, usually referred to as ‘plain text’, so that it cannot be read or changed by unauthorized persons.

 

In order to encrypt information, a ‘key’ – invariably a very large number – is used in conjunction with software known as an encryption algorithm to change the plain text to ‘ciphertext’.

 

The ciphertext can only be decrypted by using the correct key in conjunction with the same algorithm. There are two different flavors of encryption used to ensure confidentiality:

 

Symmetric encryption, in which the sender and recipient of information share an identical key. Symmetric encryption keys are more at risk of being discovered since more than one person has access to them. For this reason, they must be changed at intervals, for example daily, or even changed each time they are used.

 

Asymmetric encryption, also known as public key encryption, in which both sender and recipient each have two keys, one of which is published publicly, and the other of which is kept private. The recipient’s public key is used by the sender to encrypt the information, and the recipient’s private key is used by them to decrypt the information.

 

Symmetric and asymmetric encryption methods are normally used for the encryption of information being transmitted to others, which can be achieved by using an application such as Pretty Good Privacy (PGP), which not only encrypts the information you wish to send, but also allows the digital signing of messages, which provides an increased level of trust for the recipient. PGP can also be used to encrypt hard disk drives, but this application of it is less common.
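The two flavors above are normally combined, which is also what the earlier remark about key lengths describes: the public key operation is used only to set up a session, and the actual work is done by a symmetric algorithm with a fixed session key. The following is an added example, not code from the blog or from PGP, of that hybrid pattern with the Go standard library: the sender generates a fresh 256-bit AES key per message, encrypts the data with AES-GCM (which also authenticates it, covering the integrity goal), and wraps the session key with the recipient's RSA public key using OAEP. The message text and key sizes are constructed sample values.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Envelope is what travels over the network: the 256-bit session key wrapped
// with the recipient's public key, plus the GCM nonce and the ciphertext.
type Envelope struct {
	WrappedKey []byte
	Nonce      []byte
	Ciphertext []byte
}

// NewRecipientKey generates the recipient's 2048-bit RSA key pair. In practice
// the private half never leaves the recipient's machine; only the public half
// is published.
func NewRecipientKey() *rsa.PrivateKey {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	return priv
}

// Seal encrypts plaintext for the holder of recipientPub. The expensive
// asymmetric operation (RSA-OAEP) protects only the 32-byte session key; the
// bulk data is encrypted with the much cheaper symmetric AES-256-GCM.
func Seal(recipientPub *rsa.PublicKey, plaintext []byte) (*Envelope, error) {
	sessionKey := make([]byte, 32) // 256-bit AES key, fresh for every message
	if _, err := rand.Read(sessionKey); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, nil)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, recipientPub, sessionKey, nil)
	if err != nil {
		return nil, err
	}
	return &Envelope{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open reverses Seal with the recipient's private key. GCM authenticates the
// ciphertext, so anything modified in transit is rejected outright rather than
// decrypted into garbage.
func Open(recipientPriv *rsa.PrivateKey, env *Envelope) ([]byte, error) {
	sessionKey, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, recipientPriv, env.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("session key unwrap failed")
	}
	block, err := aes.NewCipher(sessionKey)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, env.Nonce, env.Ciphertext, nil)
	if err != nil {
		return nil, errors.New("ciphertext failed authentication")
	}
	return pt, nil
}

func main() {
	recipient := NewRecipientKey()
	env, err := Seal(&recipient.PublicKey, []byte("Board minutes: classified SECRET (constructed sample)"))
	if err != nil {
		panic(err)
	}
	fmt.Printf("wrapped key: %d bytes, ciphertext: %d bytes\n", len(env.WrappedKey), len(env.Ciphertext))
	pt, err := Open(recipient, env)
	fmt.Printf("decrypted: %q err=%v\n", pt, err)
	env.Ciphertext[0] ^= 0x01 // simulate one flipped bit in transit
	_, err = Open(recipient, env)
	fmt.Println("after tampering:", err)
}
```

Note that nothing here signs the message, so the recipient knows it was not altered but not who sent it; that is the separate digital-signature step the text attributes to PGP.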

 

To ensure integrity, a one-way encryption method is adopted, in which a key is used in conjunction with a so-called ‘hashing’ algorithm that scrambles the plain text in such a way that it cannot be reversed.

 

Uses of this type of encryption include:

Hard disk drive encryption in which either the entire hard disk drive or selected files are encrypted. Microsoft Windows (but not all versions) uses an application called BitLocker, whilst Apple Mac OS X has FileVault built into the operating system to achieve this.

 

There are also a number of third-party and open-source drive encryption products such as PGPDisk and SecureDoc.

 

The storage of passwords, where the user enters their password, which is then hashed, and the resulting hash value is compared with a previously stored value. Storage of information in the cloud also demands that the information should be encrypted since this is invariably stored in locations over which users have no control.
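The password-storage use above is worth seeing in full, because two details decide whether it actually protects users: each password gets its own random salt, and the hash is deliberately slow (many iterations) so that a stolen table cannot be reversed quickly by guessing. The following is an added example, not code from the blog; it writes out PBKDF2 with HMAC-SHA256 (RFC 8018) on the Go standard library, stores a self-describing record in a "pbkdf2-sha256$iterations$salt$hash" format chosen for this example, and verifies with a constant-time comparison. The sample password and iteration counts are constructed values.

```go
package main

import (
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"crypto/subtle"
	"encoding/binary"
	"encoding/hex"
	"fmt"
	"strconv"
	"strings"
)

// pbkdf2SHA256 derives keyLen bytes from password and salt with the PBKDF2
// construction over HMAC-SHA256: T_i = U_1 xor U_2 ... xor U_c, where
// U_1 = PRF(P, S || INT(i)) and U_j = PRF(P, U_{j-1}).
func pbkdf2SHA256(password, salt []byte, iterations, keyLen int) []byte {
	prf := hmac.New(sha256.New, password)
	hashLen := prf.Size()
	numBlocks := (keyLen + hashLen - 1) / hashLen
	out := make([]byte, 0, numBlocks*hashLen)
	var idx [4]byte
	for block := 1; block <= numBlocks; block++ {
		binary.BigEndian.PutUint32(idx[:], uint32(block))
		prf.Reset()
		prf.Write(salt)
		prf.Write(idx[:])
		u := prf.Sum(nil)
		t := make([]byte, hashLen)
		copy(t, u)
		for i := 1; i < iterations; i++ {
			prf.Reset()
			prf.Write(u)
			u = prf.Sum(nil)
			for j := range t {
				t[j] ^= u[j]
			}
		}
		out = append(out, t...)
	}
	return out[:keyLen]
}

// HashPassword returns a record "pbkdf2-sha256$iter$salt$hash" with a fresh
// 16-byte random salt, so the iteration count can be raised later without
// invalidating older records.
func HashPassword(password string, iterations int) (string, error) {
	salt := make([]byte, 16)
	if _, err := rand.Read(salt); err != nil {
		return "", err
	}
	dk := pbkdf2SHA256([]byte(password), salt, iterations, 32)
	return fmt.Sprintf("pbkdf2-sha256$%d$%s$%s", iterations,
		hex.EncodeToString(salt), hex.EncodeToString(dk)), nil
}

// VerifyPassword recomputes the hash from the stored record and compares in
// constant time, so response timing does not reveal how much of it matched.
// Malformed or suspiciously short records never verify.
func VerifyPassword(password, record string) bool {
	parts := strings.Split(record, "$")
	if len(parts) != 4 || parts[0] != "pbkdf2-sha256" {
		return false
	}
	iterations, err := strconv.Atoi(parts[1])
	if err != nil || iterations < 1 {
		return false
	}
	salt, err := hex.DecodeString(parts[2])
	if err != nil {
		return false
	}
	stored, err := hex.DecodeString(parts[3])
	if err != nil || len(stored) < 16 {
		return false
	}
	computed := pbkdf2SHA256([]byte(password), salt, iterations, len(stored))
	return subtle.ConstantTimeCompare(computed, stored) == 1
}

func main() {
	// Constructed sample: a passphrase and an iteration count chosen so that
	// one verification takes a noticeable fraction of a second.
	record, err := HashPassword("correct horse battery staple", 100000)
	if err != nil {
		panic(err)
	}
	fmt.Println("stored record:", record)
	fmt.Println("correct password verifies:", VerifyPassword("correct horse battery staple", record))
	fmt.Println("wrong password verifies:  ", VerifyPassword("Correct horse battery staple", record))
}
```

The hash is one-way, as the text says, but the database still deserves protection: the salt and iteration count are public by design, and the slowness only buys time against an attacker who already has the records.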

 

PROTECTION OF SHARED INFORMATION


When information is being shared, the originator may consider it necessary to restrict its onward distribution, or to ensure that the information can be revoked or deleted in situations where it is no longer valid, or when its level of sensitivity has changed.

 

This can be achieved by the use of a technique sometimes known as ‘information rights management’, which works by encrypting the information – for example, a text document – and allowing it to be opened by the recipients provided they can identify themselves to the central sharing resource.

 

Further, the document can be provided with additional protection choices, so that it can never be copied, including the copying of selected parts of the document and thereby preventing it being pasted into an unprotected document; or printed, preventing its onward distribution in physical or scanned form.

 

If the document is forwarded to another recipient, it will be necessary for them in turn to have access rights on the central sharing resource, and if the originator decides to remove the original document, any remaining copies will not be able to be opened since the original document’s metadata that enables decryption will also be deleted.

 

As with information classification, originators must ensure that the information has been appropriately protected, and again, recipients must have sufficient trust in the integrity of the originator so that they can have the same level of confidence in the accuracy and reliability of the information.

 

It makes good business sense in organizations that have a requirement for very strict confidentiality to run all incoming or outgoing emails through a scanning system that is able to detect and isolate any message containing particular words or phrases, or which can direct encrypted messages to a central verification point prior to their release.

 

ANONYMISATION OF SHARED INFORMATION


Situations will inevitably arise when a participating organization does not wish to be identified as having been the victim of an attack (possibly even more so for a successful attack) or other cybersecurity situation in which they have become embroiled.

 

The reasons for this are generally connected with commercial interests, and organizations may be reluctant for a competitor who is part of the same information sharing community to know whom the incident affected since this might place that organization at a competitive disadvantage or have a negative effect on their share price or public reputation.

 

At the same time, however, they might still wish details of the exploit to be made available to the wider community.

 

In face-to-face situations, such an organization might well approach the Trust Master and request that they raise the matter without identifying the originator.

 

The Trust Master will take great pains to ensure that this request for anonymity is respected, ensuring that even having omitted the originator’s identity, the information passed on contains no clues or additional metadata that might reveal, infer, suggest or identify the originator in any way.

 

In the context of a centralized information sharing system, the Trust Master’s role must be performed by the system itself in conjunction with the originator of the information being shared. There are two general courses of action:

 

The originator can select an ‘anonymise’ option on the system’s preferences when setting up the specific information to be shared. This will remove any reference as to who originally submitted the information.

 

However, should the information include other documents, for example, word processed documents, spreadsheets or presentations, the originator will be responsible for completely anonymizing these.

 

The originator can select an ‘anonymise via the Trust Master’ option instead. In this situation, the originator openly sends the information to the Trust Master, who then submits it to the community as if it had come from the Trust Master alone.

 

Here, the application of trust works slightly differently. Originators must again ensure that nothing in the information being shared can reveal their identity, nor could their identity be inferred from the content detail.

 

They must also have trust in both the information sharing system and the Trust Master that their identity will not be revealed. No additional trust is required here by the recipient.

 

Organizations or groups of communities who wish to provide their own centralized systems for information sharing may later wish to interconnect these so that they can widen the scope of their operations, since some cybersecurity situational submissions will inevitably be of significant interest to other sectors, and sharing information with them would be highly beneficial if not essential, and this can often avoid possible duplication of effort.

 

In order to supplement the ISO/IEC 27001 standard, the ISO produced an additional standard, ISO/IEC 27010:2015, that covers the secure exchange of information between centralized systems.

 

Contact – and therefore trust – may already have been established between these different groups, communities or sectors, in which case information might be freely shared between them, following the same rules as those for sharing within a sector.

 

Alternatively, if no previous contact has been established and therefore no degree of trust exists, the Trust Masters in those sectors wishing to share information can act as intermediaries and initiate a limited degree of information sharing – possibly one-way only in the first instance – and subsequently encourage bilateral information sharing as an increasing level of trust develops.

 

Finally, once trust is fully established between the sectors, the Trust Masters may set preferences in the information sharing system that allow individual sector users to share information – either on a one-to-one basis with a peer in another sector or more widely to a whole sector.

 

Originators of information should have the same degree of trust in users within a different sector as they do for users within their own sector. The information should be classified, protected and anonymized in exactly the same way.

 

From the recipient’s point of view, the only thing that matters is that they have trust in the originators of the information and therefore in the information itself.

 

ROUTES TO INFORMATION SHARING

There are four major routes to sharing information regarding cybersecurity issues, each of which has its own unique characteristics:

  1. warning, advice and reporting points (WARPs);
  2. the Cyber Security Information Sharing Partnership (CiSP);
  3. computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs);
  4. security information exchanges (SIEs) and information sharing and analysis centers (ISACs).

Additionally, an excellent Good Practice Guide to Network Security Information Exchanges has been written by the European Union Agency for Network and Information Security (ENISA).

 

Warning, advice and reporting points (WARPs)

WARPs are a UK initiative that began in 2002 under the auspices of the National Infrastructure Security Coordination Centre (NISCC), which is now known as CPNI. WARPs allow their members to receive and share up-to-date cyber threat information and best practice.

 

WARPs now operate through CiSP, which was run by CERT-UK until CERT-UK's functions passed to the National Cyber Security Centre (NCSC) in 2016. Members of current WARPs tend to be regional government, emergency services or military organizations.

 

Cyber Security Information Sharing Partnership (CiSP)

The CiSP is an initiative set up jointly between the UK industry and government in order to share cybersecurity threat and vulnerability information. The objective is to increase situational awareness of cyber threats with a consequent reduction of impact on UK businesses.

 

CiSP membership is open only to UK-registered companies responsible for administering an electronic communications network in the UK, or to organizations sponsored by a government department, an existing CiSP member, or a trade body or association.

 

CiSP members are able to exchange cyber threat information in real time, in a secure environment, operating within a framework that protects confidentiality. Information shared includes alerts and advisories, weekly and monthly summaries, and trend analysis reporting.

 

Computer emergency response teams (CERTs) and computer security incident response teams (CSIRTs)

 

CERTs have been in existence since 1988, when Carnegie Mellon University's Software Engineering Institute formed the first CERT Coordination Center (CERT/CC) in response to the Morris worm. Its practice of collecting, analyzing and distributing security advisories has been a major influence on all sectors worldwide. CERTs and CSIRTs carry out the same function and the acronyms are used interchangeably; "CERT" is a registered trademark of Carnegie Mellon, which is one reason many teams call themselves CSIRTs.

 

Many countries now operate a CERT/CSIRT, and even some larger multinational organizations whose enterprises cross traditional national and continental boundaries may do likewise.

 

In the UK, CERT-UK has four main responsibilities that flow from the UK's Cyber Security Strategy:

  1. national cybersecurity incident management;
  2. support to critical national infrastructure companies to handle cyber security incidents;
  3. promoting cybersecurity situational awareness across industry, academia and the public sector;
  4. providing the single international point of contact for coordination and collaboration between national CERTs.

Subscription to a CERT or CSIRT is possible for almost any individual or organization wishing to receive updates. However, sometimes the volume and frequency of these can be overwhelming.

 

As an example, CERT-UK provides three main work streams:

  1. Alerts: in the exceptional event of a critical national cybersecurity incident, CERT-UK will issue an alert and appropriate guidance.
  2. Advisories: CERT-UK issues advisories that address cybersecurity issues being detected across government, industry or academia, or that offer best practice updates.
  3. Best practice guides: through CiSP, CERT-UK provides regular advice and guidance on a range of cyber issues, with the aim of sharing information and encouraging best practice amongst its partners.

 

Security information exchanges (SIEs) and information sharing and analysis centers (ISACs)

Whereas CERTs and CSIRTs concentrate on both information collection and incident response, SIEs and ISACs provide solely a means of exchanging information about threats, vulnerabilities and incidents. SIEs tend to provide raw data about incidents, whereas ISACs tend to provide deeper analysis and suggested responses.

 

POLICY PURPOSE

The purpose of this policy is to provide guidance to all users to appropriately secure any Protected Data from risks including, but not limited to, unauthorized access, use, disclosure and removal, as well as to adhere to regulatory and compliance requirements.

 

SCOPE

This policy applies to all users who have access to/store/transmit Protected Data on University business.

 

DEFINITIONS

User—Anyone with authorized access to the University business information systems. This includes employees, faculty, students, third party personnel such as temporaries, contractors or consultants and other parties with valid University access accounts.

 

University Owned Mobile Devices—these include, but are not limited to, Personal Digital Assistants (PDAs), notebook computers, Tablet PCs, iPhones, iPads, Palm Pilots, Microsoft Pocket PCs, RIM Blackberry, MP3 players, text pagers, smartphones, compact disks, DVD discs, memory sticks, flash drives, floppy disk, and other similar devices.

 

University Owned Non-Mobile Devices—these include, but are not limited to, computing devices that are not capable of moving or being moved readily such as desktop computers.

 

Protected Data—Any data governed under Federal or State regulatory or compliance requirements such as HIPAA, FERPA, FISMA, GLBA, PCI/DSS, Red Flag, PII as well as data deemed critical to business and academic processes which, if compromised, may cause substantial harm and/or financial loss.

 

HIPAA: The Health Insurance Portability and Accountability Act with the purpose of protecting the privacy of a patient’s medical records.

 

FERPA: The Family Educational Rights and Privacy Act, with the purpose of protecting the privacy of student education records.

 

FISMA: The Federal Information Security Management Act recognizes the importance of information security to the economic and national security interests of the United States and as a result sets forth information security requirements that federal agencies and any other parties collaborating with such agencies must follow in an effort to effectively safeguard IT systems and the data they contain.

 

GLBA: The Gramm-Leach-Bliley Act, also known as the Financial Services Modernization Act of 1999, contains privacy provisions requiring the protection of a consumer’s financial information.

 

PCI/DSS: The Payment Card Industry Data Security Standard is a set of requirements developed by the major payment card brands to help organizations that process card payments prevent card fraud, compromise and other security issues. A company processing card payments must be PCI DSS compliant or risk losing the ability to process card payments.

 

Red Flag: A mandate developed by the Federal Trade Commission (FTC) requiring institutions to develop identity theft prevention programs.

 

PII: Personally Identifiable Information that can potentially be used to uniquely identify, contact, or locate a single person such as health information, credit card information, social security number, etc.

 

IP: Intellectual Property Information is work or invention that is the result of creativity, such as research or a design, to which one has rights and for which one may apply for a patent, copyright, trademark, etc.

 

Encryption/Password Protection—Encryption is the process of converting Data so that eavesdroppers or attackers cannot read it but authorized parties holding the key can. Password protection means gating access to Data or a device behind a password. A login or document password on its own does not make stored Data unreadable unless that password is used to derive an encryption key; for Protected Data at rest, full-disk or file encryption is what actually provides the protection.

 

Screen Lock—A password-protected mechanism used to hide Data on a visual display while the device continues to operate.

Screen Timeout—A mechanism which turns off or locks the display after the device has not been used for a specified time period.

 

Personal Devices— Non-University owned devices used by employees, at the employee’s option, to access, store or transmit Protected Data on University business. This includes personal telephones whether or not the person is receiving a telephone allowance from the University. The University Information Technology Department does not support Personal Devices.

 

POLICY STATEMENT

Users must take appropriate steps to secure any protected data they access, create, possess, store, or transmit and must be in compliance with the following requirements:

 

Protected data should only be accessed on University-owned mobile or non-mobile devices; this Policy also covers paper documents containing Protected Data. In addition, attached policies should address security patches, password-enabled two-factor authentication, containerized mobile phones, secure wireless access points, black-listed apps, and how network monitoring will be carried out and who is responsible for it.

 

The University will provide all individuals with a University-owned mobile or non-mobile device when it is determined such a device is required for the performance of the individual’s position responsibilities.

 

Accordingly, use of Personal Devices is discouraged; however, should an individual use a Personal Device on University business, the same procedures in this Policy for University-Owned Devices apply to that Personal Device, and all cybersecurity risks associated with the use of Personal Devices are the responsibility of the User.

Protected data must be encrypted or password protected when stored on or transmitted over University-owned mobile or non-mobile devices and email. An additional plan specifying the method of encryption, the cost to train users, and the IT group tasked with these and other like responsibilities will be attached to the final approved document.

 

The personnel responsible for this policy must be provided with the resources to address and implement this and other similar policies contained in this document.

 

Protected data must not be sent through insecure public instant messaging networks including, but not limited to, AOL Instant Messenger, Yahoo Messenger, MSN Messenger and Google Talk. Several of these services have since been shut down; the rule applies equally to any consumer messaging service the University has not approved for Protected Data.

 

University-owned mobile or non-mobile devices must be logged off when not in use during non-work hours. Mobile devices shall be kept within the personal possession of the User whenever possible. Whenever a device is left unattended, the device shall be stored in a secure place preferably out-of-sight.

 

A password protected Screen Timeout/Screen Lock must activate within a maximum of 30 minutes of inactivity.

 

Basic Security protection including, but not limited to, authentication, network configuration, firewall, anti-virus protection, and security patches must be installed and actively maintained on an ongoing basis on all University-owned mobile or non-mobile devices.

 

Before University-owned mobile or non-mobile devices are connected to University systems, they shall be scanned for malware, and any malware found must be removed before the connection is allowed.

 

Completely and securely remove all Protected Data from all University-owned mobile or non-mobile devices upon replacement, exchange or disposal, using a method appropriate to the media (for example cryptographic erase, overwriting or physical destruction). Assistance with these processes is available through the University's Information Technology Department.

 

The physical security of University-owned mobile or non-mobile devices is the responsibility of the user. If a University-owned mobile or non-mobile device is lost or stolen, the user must promptly report the incident to a supervisor, Public Safety, and Information Technology Department.

 

This report should include the device's serial number if it has one, and the University should maintain a register of these serial numbers.
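The policy statements above (encryption at rest, a screen lock within 30 minutes, actively maintained patches and anti-virus, a serial-number register, and lost-device reporting) are only enforceable if someone checks devices against them. The following is an added example, not part of the original policy or any University tooling: a small policy-as-code audit that reads a device inventory and reports which statements each device fails. The CSV columns, the 30-day patch window used to interpret "actively maintained", the asset register and the sample devices are all assumptions standing in for a real MDM or asset-management export.

```python
"""Policy-as-code audit of a device inventory against the Protected Data policy.

Added example, not part of the original policy text. The inventory columns,
the 30-day patch window and the asset register are assumptions standing in
for an MDM/asset-management export.
"""
import csv
import io
from dataclasses import dataclass
from typing import Optional

MAX_LOCK_TIMEOUT_MIN = 30   # policy statement: screen lock within 30 minutes of inactivity
MAX_PATCH_AGE_DAYS = 30     # assumption: "actively maintained" read as patched within 30 days


@dataclass
class Device:
    device_id: str
    serial: str
    owner: str
    encrypted: bool
    lock_timeout_min: Optional[int]   # None means the screen lock is disabled
    last_patch_days: Optional[int]    # None means no patch record exists
    av_installed: bool
    reported_lost: bool


def _flag(value: str) -> bool:
    """Interpret yes/true/1 as True; anything else is False."""
    return value.strip().lower() in {"yes", "true", "1"}


def _int_or_none(value: str) -> Optional[int]:
    """Empty, 'never' or 'none' means the setting is absent or disabled."""
    value = value.strip().lower()
    if value in {"", "never", "none"}:
        return None
    return int(value)


def parse_inventory(text: str) -> list:
    """Parse a CSV export in the assumed column format into Device records."""
    rows = csv.DictReader(io.StringIO(text))
    return [
        Device(
            device_id=r["device_id"].strip(),
            serial=r["serial"].strip(),
            owner=r["owner"].strip(),
            encrypted=_flag(r["encrypted"]),
            lock_timeout_min=_int_or_none(r["lock_timeout_min"]),
            last_patch_days=_int_or_none(r["last_patch_days"]),
            av_installed=_flag(r["av_installed"]),
            reported_lost=_flag(r["reported_lost"]),
        )
        for r in rows
    ]


def check_device(dev: Device, registered_serials: set) -> list:
    """Return the policy statements a device fails; an empty list means compliant."""
    findings = []
    if not dev.encrypted:
        findings.append("protected data at rest is not encrypted")
    if dev.lock_timeout_min is None:
        findings.append("screen lock disabled")
    elif dev.lock_timeout_min > MAX_LOCK_TIMEOUT_MIN:
        findings.append(
            f"screen lock timeout {dev.lock_timeout_min} min exceeds {MAX_LOCK_TIMEOUT_MIN} min"
        )
    if dev.last_patch_days is None or dev.last_patch_days > MAX_PATCH_AGE_DAYS:
        findings.append("security patches not actively maintained")
    if not dev.av_installed:
        findings.append("anti-virus protection not installed")
    if dev.serial not in registered_serials:
        findings.append("serial number missing from the University asset register")
    if dev.reported_lost:
        # A lost device is an incident to close out, not a device to quarantine.
        findings.append("reported lost/stolen: confirm remote wipe and incident report")
    return findings


def audit(inventory_csv: str, registered_serials: set) -> dict:
    """Map each device_id to the list of findings for that device."""
    return {d.device_id: check_device(d, registered_serials)
            for d in parse_inventory(inventory_csv)}


# Constructed sample export and asset register; these are not real devices.
SAMPLE_INVENTORY = """device_id,serial,owner,encrypted,lock_timeout_min,last_patch_days,av_installed,reported_lost
LT-001,SN1001,alice,yes,10,5,yes,no
LT-002,SN1002,bob,no,45,60,yes,no
TB-003,SN1003,carol,yes,never,12,no,no
LT-004,SN1004,dave,yes,5,3,yes,yes
"""
REGISTERED_SERIALS = {"SN1001", "SN1002", "SN1004"}


if __name__ == "__main__":
    for device_id, findings in audit(SAMPLE_INVENTORY, REGISTERED_SERIALS).items():
        status = "COMPLIANT" if not findings else "NON-COMPLIANT: " + "; ".join(findings)
        print(f"{device_id}: {status}")
```

In the sample, LT-001 passes every check, LT-002 fails on encryption, lock timeout and patching, TB-003 has its lock disabled, no anti-virus and an unregistered serial, and LT-004 is compliant but flagged for lost-device follow-up. The "disconnect until compliant" step from the Enforcement section below would key off the non-empty findings lists, with the lost-device finding routed to incident handling rather than network quarantine.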

 

ENFORCEMENT

Users must take the mandatory University training along with periodic updates as available. A plan with a phased implementation process must also be provided, tied to both personal and financial targets, covering the main campus, regional and extended campus sites, and international campus locations.

 

Users who do not comply with this policy may temporarily be denied access to University computing resources and upon notice, may be subject to other penalties and disciplinary action.

 

Depending on the circumstances, federal or state law may permit civil or criminal litigation and/or restitution, fines and/ or penalties for actions that violate this policy.

 

Non-compliant devices may be disconnected from the University data network and departmental units until the device is brought into compliance. Of course, "bring your own device" is only one of the areas that must be addressed when deciding which cyber resilience programs best fit an organization's cybersecurity needs.
