Radford University Information Technology Security Standard 5003s-01
IT Security Office
February 21, 2019
Radford University IT Security Standard 5003s-01 Date: February 21, 2019
Preface
Date and Purpose
February 21, 2019 – Clarified log review (9.3.2), clarified scope for annual DR testing (3.2.2), clarified baseline security configurations (4.3.2) and clarified wording for two-factor authentication (5.2.2).
Notice
It is the reader’s responsibility to ensure they have the latest version of this Standard. Revision questions should be directed to the University’s Information Security Officer (ISO). The most recent, approved version of this Standard will always be available upon request and on the University’s Division of Information Technology (DoIT) website. Both the Information Technology Advisory Committee (ITAC) and the it-info listserv will be notified when new revisions are approved and released for publication.
History
February 21, 2019 – Clarified log review (9.3.2), clarified scope for annual DR testing (3.2.2), clarified baseline security configurations (4.3.2) and clarified wording for two-factor authentication (5.2.2).
September 1, 2018 – Updated Roles, including responsibilities around Third-Party Hosted Systems/Applications (2.2.5), Application Administrator (2.2.8) and Training (8.3).
April 15, 2016 – Updated sections 2.2.3, 4.3.2, and 4.7.2 to clarify annual vulnerability scanning requirements.
January 13, 2015 – Updated definitions for clarity; updated section for “Password Management” to reflect change to 180-day password expiration.
March 18, 2013 – Updated section “Exceptions to Security Requirements” to reflect proper approval process, and Requirements for “Account Management” to reflect changes in responsibility for access approvals.
February 13, 2012 – Updated to reflect change in system idle timeout setting.
February 9, 2011 – Original Version 1 (5003s-01).

Review Process
The Information Technology Advisory Committee (ITAC) and the Office of Audit and Advisory Services (OAAS) will provide the initial review of this Standard and all subsequent revisions.
Approval Authority
The University President, or designee, has approval authority over this Standard.

Publication Designation
Information Technology Security Standard

Publication Number
5003s-01

Purpose of This Standard
To define the minimum requirements for the University’s Information Security Program.
General Responsibilities
The Vice President for Information Technology & Chief Information Officer (CIO) has designated the Information Security Officer (ISO) to develop information security policies, procedures, and standards to protect the confidentiality, integrity, and availability of the University’s information technology systems, networks and data. Therefore, the ISO is the author and maintainer of this Standard.
Subject Area
Information Technology Security

Effective Date
February 21, 2019

Compliance Date
February 21, 2019

Supersedes
None

Scheduled Review
One (1) year from effective date.

Authority
Memorandum of Understanding between Radford University and the Commonwealth of Virginia, Section 23-38.90.

Scope
This Standard applies to all of Radford University.

Base Standards
1. International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) ISO/IEC 27000 series.
2. National Institute of Standards and Technology (NIST) Special Publication 800-88.
3. Commonwealth of Virginia ITRM Standard SEC501-01 (Revision 5).

Related Policy
Current version of the University’s Information Security Policy IT-PO-1503.
Contents
1 INTRODUCTION
1.1 Intent
1.2 Organization of this Standard
1.3 Roles and Responsibilities
1.4 Information Security Program
1.5 Exceptions to Security Requirements
1.6 Exemptions from this Standard
2 RISK MANAGEMENT
2.1 Purpose
2.2 Key Information Security Roles and Responsibilities
2.2.1 Purpose
2.2.2 Chief Information Officer of the University (CIO)
2.2.3 Information Security Officer (ISO)
2.2.4 Privacy Officer
2.2.5 System Owner
2.2.6 Data Owner
2.2.7 System Administrator
2.2.8 Application Administrator
2.2.9 Data Custodian
2.2.10 IT System Users
2.3 Business Impact Analysis
2.3.1 Purpose
2.3.2 Requirements
2.4 IT System and Data Sensitivity Classification
2.4.1 Purpose
2.4.2 Requirements
2.5 Sensitive IT System Inventory and Definition
2.5.1 Purpose
2.5.2 Requirements
2.6 Risk Assessment
2.6.1 Purpose
2.6.2 Requirements
2.7 IT Security Audits
2.7.1 Purpose
2.7.2 Requirements
3 IT CONTINGENCY PLANNING
3.1 Purpose
3.2 Continuity of Operations Planning
3.2.1 Purpose
3.2.2 Requirements
3.3 IT Disaster Recovery Planning
3.3.1 Purpose
3.3.2 Requirements
3.4 IT System and Data Backup and Restoration
3.4.1 Purpose
3.4.2 Requirements
4 INFORMATION SYSTEMS SECURITY
4.1 Purpose
4.2 IT System Security Plans
4.2.1 Purpose
4.2.2 Requirements
4.3 IT System Hardening
4.3.1 Purpose
4.3.2 Requirements
4.4 IT Systems Interoperability Security
4.4.1 Purpose
4.4.2 Requirements
4.5 Malicious Code Protection
4.5.1 Purpose
4.5.2 Requirements
4.6 Systems Development Life Cycle Security
4.6.1 Purpose
4.6.2 Requirements
4.7 Application Security
4.7.1 Purpose
4.7.2 Requirements
4.8 Wireless Security
4.8.1 Purpose
4.8.2 Requirements
5 LOGICAL ACCESS CONTROL
5.1 Purpose
5.2 Account Management
5.2.1 Purpose
5.2.2 Requirements
5.3 Password Management
5.3.1 Purpose
5.3.2 Requirements
5.4 Remote Access
5.4.1 Purpose
6 DATA PROTECTION
6.1 Purpose
6.2 Data Storage Media Protection
6.2.1 Purpose
6.2.2 Requirements
6.3 Encryption
6.3.1 Purpose
6.3.2 Requirements
6.4 Protection of Sensitive Information on Non-Electronic Media
6.4.1 Purpose
6.4.2 Recommendations
7 FACILITIES SECURITY
7.1 Purpose
7.2 Requirements
8 PERSONNEL SECURITY
8.1 Purpose
8.2 Access Determination and Control
8.2.1 Purpose
8.2.2 Requirements
8.3 Information Security Awareness and Training
8.3.1 Purpose
8.4 Acceptable Use
8.4.1 Purpose
8.4.2 Requirements
8.5 Email Communications
8.5.1 Purpose
8.5.2 Requirements
9 THREAT MANAGEMENT
9.1 Purpose
9.2 Threat Detection
9.2.1 Purpose
9.2.2 Requirements
9.3 Information Security Monitoring and Logging
9.3.1 Purpose
9.3.2 Requirements
9.4 Information Security Incident Handling
9.4.1 Purpose
9.4.2 Requirements
9.5 Data Breach Notification
9.5.1 Purpose
9.5.2 Requirements
10 IT ASSET MANAGEMENT
10.1 Purpose
10.2 IT Asset Control
10.2.1 Purpose
10.2.2 Requirements
10.3 Software License Management
10.3.1 Purpose
10.3.2 Requirements
10.4 Configuration Management and Change Control
10.4.1 Purpose
10.4.2 Requirements
11 GLOSSARY
12 ACRONYMS
1 INTRODUCTION
1.1 Intent
The intent of this Standard is to establish a baseline for information security and risk management activities for all of Radford University. These baseline activities include, but are not limited to, any regulatory requirements that the University is subject to, information security best practices, and the requirements defined in this Standard. These information security and risk management activities will provide protection of, and mitigate risks to, University information systems, networks and data.

This Standard defines the minimum acceptable level of information security and risk management activities for the University. As used in this Standard, sensitivity encompasses the elements of confidentiality, integrity, and availability. See IT System and Data Sensitivity Classification for additional details on sensitivity.
The University Information Security Program consists of the following major component areas:
1. Risk Management
2. IT Contingency Planning
3. Information Systems Security
4. Logical Access Control
5. Data Protection
6. Facilities Security
7. Personnel Security
8. Threat Management
9. IT Asset Management
Each component listed above contains requirements that, taken together, comprise the University’s IT Security Standard. This Standard recognizes that University departments may procure IT equipment, systems, and services from third parties. In such instances, University departments remain accountable for maintaining compliance with this Standard and must enforce these compliance requirements through documented agreements with third-party providers and oversight of the services provided.
1.2 Organization of this Standard
The component areas of the University’s Information Security Program provide the organizational framework for this Standard. Each component area consists of one or more sections containing:
1. A Purpose statement that provides a high-level description of the component area or subcomponent area and its importance.
2. Requirements that are mandatory technical and/or programmatic activities for a specific component area.
3. As appropriate, recommendations that are advisory in nature and provide guidance to departments in answering specific questions.
4. Notes, which provide rationale and explanation regarding the requirements.
5. Examples that describe the ways in which the requirements might be met.
1.3 Roles and Responsibilities
The University should utilize organizational charts depicting the reporting structure of employees when assigning specific responsibilities for the security of IT systems, networks and data. The University shall maintain documentation regarding specific roles and responsibilities relating to information security.
1.4 Information Security Program
The University shall establish, document, implement, and maintain its information security program appropriate to its business and technology environment in compliance with this Standard. In addition, because resources that can reasonably be committed to protecting IT systems are limited, the University must implement its information security program in a manner commensurate with sensitivity and risk.
1.5 Exceptions to Security Requirements
If a University department determines that compliance with the provisions of this Standard or any related information security standard would adversely impact an official University business process, the University department may request approval to deviate from a specific requirement by submitting an exception request to the Chief Information Officer (CIO). For each exception, the requesting department shall fully document:
1. The business need and justification
2. The scope and extent of the deviation
3. Mitigating safeguards
4. The related risks
5. The specific duration
6. The department Dean or Director’s approval
7. University Vice President signature accepting residual risks

Each request shall be in writing to the CIO using the IT Security Standard 5003s Exception Request located at: https://www.radford.edu/content/dam/departments/administrative/doit/documents/ITSecurityStandardExceptionVer1.pdf. The request must be approved by the department’s Dean or Director, and by the Vice President of the division making the request, indicating acceptance of and responsibility for the defined residual risks. Each request shall include a statement detailing the reasons for the exception as well as the mitigating controls and the identified related risks. Requests for exception shall be evaluated and decided upon by the University’s Information Security Officer and CIO, and the requesting party will be informed of the decision. An exception cannot be processed unless the identified related risks are clearly stated and the department’s Dean or Director and the area Vice President have approved it, indicating acceptance of and responsibility for those risks. In addition, when a requirement defined in this Standard is not supported by features of the system, mitigating controls must be implemented to address the requirement.
1.6 Exemptions from this Standard
The following are explicitly exempt from complying with the requirements defined in this Standard:
1. Systems under development and/or experimental systems that do not create additional risk to production systems, networks and data. To be considered for exemption, these systems must not contain sensitive data.
2. Surplus and retired systems.
3. Non-sensitive systems.
2 RISK MANAGEMENT

2.1 Purpose
Risk Management delineates the steps necessary to identify, analyze, prioritize, and mitigate risks that could compromise IT systems, networks and data. This section defines requirements for the following areas:
1. Key Information Security Roles and Responsibilities
2. Business Impact Analysis
3. IT System and Data Sensitivity Classification
4. Sensitive IT System Inventory and Definition
5. Risk Assessment
6. IT Security Audits
2.2 Key Information Security Roles and Responsibilities

2.2.1 Purpose
This Section defines the key IT security roles and responsibilities included in the Information Security Program. These roles and responsibilities are assigned to individuals, and may differ from the role title or working title of the individual’s position. Individuals may be assigned multiple roles, as long as the multiple role assignments provide adequate separation of duties, provide adequate protection against the possibility of fraud, and do not lead to a conflict of interests.
2.2.2 Chief Information Officer of the University (CIO)
At Radford University, the CIO is also the Vice President for Information Technology and may be referred to as either in this Standard. The University President has delegated Information Technology duties and responsibilities to the CIO. As a part of these delegated duties and responsibilities, the CIO is responsible for the overall security of the University’s information systems, networks and data. The CIO’s information security responsibilities include the following:
1. Designate an Information Security Officer (ISO) for the University. Note: The University should have at least one backup ISO.
2. Ensure that an information security program is maintained that is sufficient to protect the University’s IT assets and is documented and effectively communicated to the University community.
3. Identify a System Owner, who is generally the Business Owner, for each University sensitive system. Each System Owner shall work with Data Owner(s), Data Custodian(s) and System Administrator(s) in the documentation, operation and maintenance of the University sensitive IT system.
4. Review and approve the University’s Business Impact Analyses (BIAs), Risk Assessments (RAs), and IT Disaster Recovery Plans.
5. Provide the resources to enable University employees to carry out their responsibilities for securing IT systems, networks and data.
6. Ensure compliance is maintained with the current version of the University’s IT Audit Policy. This compliance must include, but is not limited to:
(a) Requiring development and implementation of a plan for IT security audits.
(b) Requiring that the planned IT security audits are conducted.
(c) Receiving reports of the results of IT security audits.
(d) Requiring development of Corrective Action Plans to address findings of IT security audits.
7. Prevent conflict of interests and adhere to the concept of separation of duties by assigning roles so that:
(a) The ISO is not a System Owner or a Data Owner except in the case of compliance systems for information security.
(b) The System Owner and the Data Owner are not System Administrators for IT systems or data they own.
(c) The ISO, System Owners, and Data Owners are all University employees.
8. Ensure that an information security awareness and training program is established.
2.2.3 Information Security Officer (ISO)
The ISO is responsible for developing, coordinating and managing the University’s information security program. The ISO duties are as follows:
1. Develop and manage an information security program in a manner commensurate with risk.
2. Develop and manage an Intrusion Detection System (IDS) program in a manner commensurate with risk.
3. Develop and maintain an information security awareness and training program for University IT users with access to sensitive systems, networks or data, including contractors and IT service providers. Require that all sensitive IT system users complete required IT security awareness and training activities prior to, or as soon as practicable after, receiving access to sensitive systems, and no less than annually thereafter.
4. Verify and validate that all University IT systems, networks and data are classified for sensitivity and maintain awareness of the security status of sensitive IT systems.
5. Implement and maintain the appropriate balance of preventative, detective and corrective controls for University IT systems commensurate with data sensitivity, risk and system criticality.
6. Mitigate and report all IT security incidents in accordance with Section 2.2-603 of the Code of Virginia and take appropriate actions to prevent recurrence.
7. Provide solutions, guidance, and expertise in IT security matters.
8. Review and approve System Security Plans that provide adequate protections against security risks, or disapprove System Security Plans that do not provide adequate protections against security risks and require that the System Owner implement additional security controls on the IT system to provide adequate protections against security risks.
9. Perform annual internal reviews and vulnerability assessments for all identified sensitive systems.
10. Develop and lead a Computer Security Incident Response Team (CSIRT) to prepare for intrusions and threats.
11. Provide annual role-based training to system owners, data owners, system administrators and application administrators.
2.2.4 Privacy Officer
The University must have a Privacy Officer if required by law or regulation, such as the Health Insurance Portability and Accountability Act (HIPAA), and may choose to have one where not required. Otherwise, these responsibilities are carried out by the ISO. The Privacy Officer provides guidance on:
1. The requirements of state and federal privacy laws.
2. Disclosure of and access to sensitive data.
3. Security and protection requirements in conjunction with IT systems when there is some overlap among sensitivity, disclosure, privacy, and security issues.
2.2.5 System Owner
The System Owner is the University manager responsible for having an IT system documented, operated and maintained. An IT system may have only one System Owner. With respect to IT security, the System Owner's responsibilities include the following:
1. Require that the IT system users complete any system-unique security training prior to, or as soon as practicable after, receiving access to the system, and no less than annually thereafter.
2. Ensure that system documentation and diagrams are updated with system changes.
3. Manage system risk and develop any additional information security policies and procedures required to protect the system in a manner commensurate with risk.
4. Maintain compliance with University Information Security policies and standards in all IT system activities, for both systems hosted by a third-party provider and on-premise systems.
5. Maintain compliance with the Third-Party Hosted System/Application Security Review Procedures when the system is hosted by a third-party provider.
6. Maintain compliance with requirements specified by Data Owners for the handling of data processed by the system.
7. Designate System Administrators, Data Owner and Application Administrator for the system.
8. Complete annual role-based training.
Note: A System Owner can own multiple IT systems.
2.2.6 Data Owner
The Data Owner is the University manager responsible for the policy and practice decisions regarding University data, and is responsible for the following:
1. Evaluate and classify sensitivity of the data.
2. Define protection requirements for the data based on the sensitivity of the data, any legal or regulatory requirements, and business needs.
3. Communicate data protection requirements to the System Owner.
4. Define requirements for access to the data.
5. Complete annual role-based training.
6. Approve access to data.
7. Appoint a Data Custodian, where appropriate.
Note: A Data Owner can own data on multiple IT systems. Data may have multiple data owners.
2.2.7 System Administrator
The System Administrator is an analyst, engineer, or consultant who implements, manages, and/or operates a system or systems at the direction of the System Owner, Data Owner, and/or Data Custodian. The System Administrator is responsible for the following:
1. Assists University management in the day-to-day administration of IT systems.
2. Implements security controls and other requirements of the University's information security program on IT systems for which the System Administrator has been assigned responsibility.
3. Each system should have at least two System Administrators (one primary, one secondary).
4. Monitor system logs for anomalous activity and notify IT Security of any potential threats or compromises of the system.
5. Ensure system and security updates are applied in a timely manner.
6. Complete annual, role-based training.
Note: System Administrators can assume responsibility for multiple IT systems, but may not be a System Owner or Data Owner.
2.2.8 Application Administrator
The Application Administrator is the University manager responsible for the operations and maintenance of the application, at the direction of the System Owner, Data Owner, and/or Data Custodian, and is responsible for the following:
1. Implement security baseline, controls and other requirements of the University's information security program on IT applications for which the Application Administrator has been assigned responsibility.
2. If the application requires communication with other University systems, work with the Division of Information Technology to update or implement firewall rules and integrations with other systems.
3. Assign access and accounts, adhering to Section 5: Logical Access Control. Promptly remove access of those who no longer need access and maintain the principle of least privilege.
4. Each system should have at least two Application Administrators (one primary, one secondary).
5. Monitor application logs for anomalous activity and notify IT Security of any potential threats or compromises of the application or accounts.
6. Ensure application and security updates are applied in a timely manner.
7. Complete annual role-based training.
2.2.9 Data Custodian
Data Custodians are individuals or organizations in physical or logical possession of data for Data Owners. Data Custodians are responsible for the following:
1. Protecting the data in their possession from unauthorized access, alteration, destruction, or usage.
2. Establishing, monitoring, and operating IT systems in a manner consistent with University Information Security policies and standards.
3. Providing Data Owners with reports, when necessary and applicable.
4. Completing annual role-based training.
2.2.10 IT System Users
All users of University IT systems, including employees and contractors, are responsible for the following:
1. Reading and complying with University information security program policies, procedures and standards.
2. Reporting breaches of IT security, actual or suspected, to University management and/or the ISO.
3. Taking reasonable and prudent steps to protect the security of IT systems, networks and data to which they have access.
4. Completing annual IT Security Awareness training. Failure to complete annual IT Security Awareness training may result in account suspension.
Note: Other roles may be assigned to contractors working with the University on systems or data that are classified as sensitive. For roles assigned to contractors, the contract language must include specific responsibility and background check requirements.
2.3 Business Impact Analysis
2.3.1 Purpose
Business Impact Analysis (BIA) delineates the steps necessary for the University to identify business functions that are essential to its mission, and identify the resources that are required to support these essential business functions.
2.3.2 Requirements
The University should:
1. Require the participation of System Owners and Data Owners in the development of the University's BIA.
2. Identify business functions.
3. Identify essential business functions.
Note: A business function is essential if disruption or degradation of the function prevents the University from performing its mission, as described in the University mission statement.
4. Identify dependent functions, if any. Determine and document any additional functions on which each essential business function depends. These dependent functions are essential functions as well.
5. For each essential business function and dependent function, assess whether the function depends on an IT system to be recovered. Each IT system that is required to recover an essential function or a dependent function shall be considered sensitive relative to availability. For each such system, the University shall:
(a) Determine and document the required Recovery Time Objective (RTO), based on University goals and objectives.
(b) Determine and document the Recovery Point Objectives (RPO).
6. Use the IT information documented in the BIA report as a primary input to IT System and Data Sensitivity Classification, Risk Assessment, IT Contingency Planning and IT System Security Plans.
7. Conduct periodic review and revision of the University BIAs, as needed, but at least once every three years.
2.4 IT System and Data Sensitivity Classification
2.4.1 Purpose
IT System and Data Sensitivity Classification requirements identify the steps necessary to classify all IT systems, networks and data according to their sensitivity with respect to the following criteria:
1. Confidentiality, which addresses sensitivity to unauthorized disclosure.
2. Integrity, which addresses sensitivity to unauthorized modification.
3. Availability, which addresses sensitivity to outages.
Sensitive data (also known as Highly Sensitive Data) is any data of which the compromise with respect to confidentiality, integrity, and/or availability could have a material adverse effect on University interests, the conduct of University programs, or the privacy to which individuals are entitled. Data sensitivity is directly proportional to the materiality of a compromise of the data with respect to these criteria. Data Owners and System Owners must classify each IT system by sensitivity according to the most sensitive data that the IT system stores, processes, or transmits.
2.4.2 Requirements
The ISO shall:
1. Require that the Data Owner identify the type(s) of data handled by the University IT system.
2. Require that the Data Owner determine whether each type of data is also subject to other regulatory requirements.
3. Require that the Data Owner determine the potential damages to the University of a compromise of confidentiality, integrity or availability of each type of data handled by the IT system, and classify the sensitivity of the data accordingly.
4. Classify the IT system as sensitive if any type of the data handled by the IT system has a sensitivity of high on any of the criteria of confidentiality, integrity, or availability.
5. Review IT system and data classifications and subsequently obtain CIO approval of these classifications.
6. Verify and validate that all University IT systems, networks and data have been reviewed and classified for sensitivity.
7. Communicate approved IT system and data classifications to System Owners, Data Owners, and end users.
8. Require that the University prohibit posting any data classified as sensitive with respect to confidentiality on a public website, FTP server, drive share, bulletin board or any other publicly accessible medium unless a written exception is approved by the CIO identifying the business case, risks, mitigating controls, and identified residual risks. This requirement may be implemented by policy, procedure and/or standards.
9. Use the information documented in the sensitivity classification as a primary input to the Risk Assessment process defined in this Standard.
2.5 Sensitive IT System Inventory and Definition
2.5.1 Purpose
Sensitive IT System Inventory and Definition requirements identify the steps in listing and marking the boundaries of sensitive IT systems in order to provide cost-effective, risk-based security protection for IT systems, for the University as a whole.
2.5.2 Requirements
The IT Security office shall provide a consulting role to the responsible parties to:
1. Document each sensitive IT system owned by the University, including its ownership and boundaries, and update the documentation as changes occur.
Note: A sensitive IT system may have multiple Data Owners and/or System Administrators, but must have a single System Owner.
2. Maintain, or require that its networking group/service provider maintain, updated network diagrams.
3. Maintain a reference list that correlates each sensitive system with the components required to run the system (such as servers, networks, personnel, etc.).
2.6 Risk Assessment
2.6.1 Purpose
Risk Assessment (RA) requirements delineate the steps the University must take for each IT system classified as sensitive to:
1. Identify potential threats to an IT system and the environment in which it operates.
2. Determine the likelihood that threats will materialize.
3. Identify and evaluate vulnerabilities.
4. Determine the loss impact if one or more vulnerabilities are exploited by a potential threat.
Note: This Standard requires a risk assessment based on operational risk.
2.6.2 Requirements
For each IT system classified as sensitive, the University shall:
1. Conduct and document a RA of the IT system as needed, but not less than once every three years.
2. Conduct and document an annual self-assessment to determine the continued validity of the RA.
3. Prepare a report of each RA that includes, at a minimum, identification of all vulnerabilities discovered during the assessment, and an executive summary, including major findings and risk mitigation recommendations.
2.7 IT Security Audits
2.7.1 Purpose
IT Security Audit requirements define the steps necessary to assess whether IT security controls implemented to mitigate risks are adequate and effective.
2.7.2 Requirements
For each IT system classified as sensitive, the University shall:
1. Require that the IT systems undergo an IT Security Audit.
2. Assign an individual to be responsible for managing IT Security Audits.
3 IT CONTINGENCY PLANNING
3.1 Purpose
IT Contingency Planning delineates the steps necessary to plan for and execute recovery and restoration of IT systems, networks and data if an event occurs that renders the IT systems, networks and/or data unavailable. This component of the University Information Security Program defines requirements in the following areas:
1. Continuity of Operations Planning.
2. Disaster Recovery Planning.
3. IT System and Data Backup and Restoration.
3.2 Continuity of Operations Planning
3.2.1 Purpose
The Continuity of Operations Plan (COOP) requirements are outside of the scope of this Standard. This section addresses only the IT disaster recovery components of the COOP for IT systems, networks and data. These IT disaster recovery components of the COOP identify the steps necessary to provide continuity for essential University IT systems, networks and data.
3.2.2 Requirements
The University shall:
1. Designate an employee to collaborate with the University Continuity of Operations Plan (COOP) coordinator as the focal point for IT aspects of COOP and related Disaster Recovery (DR) planning activities. Unless otherwise specified, the ISO assumes this designation.
2. Based on BIA and RA results, develop IT disaster components of the University COOP which identify:
(a) Each IT system that is necessary to recover essential business functions or dependent business functions, and the Recovery Time Objective (RTO) and Recovery Point Objective (RPO) for each.
(b) Personnel contact information and incident notification procedures.
(c) The necessary components to recover each identified system.
Note: If the COOP contains sensitive data, those components with sensitive data should be protected and stored at a secure off-site location.
3. Require an exercise of business essential IT DR components, as defined by the BIA, to assess their adequacy and effectiveness at least every three years.
4. Require review and revision of IT DR components following the exercise (and at other times as necessary).
3.3 IT Disaster Recovery Planning
3.3.1 Purpose
IT Disaster Recovery Planning is the component of Continuity of Operations Planning that identifies the steps necessary to provide for restoring essential business functions on a schedule that supports the University's mission. These steps lead to the creation of an overall IT Disaster Recovery Strategy (DRS).
3.3.2 Requirements
The University shall:
1. Develop and maintain an IT DRS which supports the restoration of essential business functions and dependent business functions.
2. Require approval of the IT DRS by the CIO.
3. Require annual reviews, reassessments, testing, and revisions of the IT DRS to reflect changes in essential business functions, services, IT system hardware and software, and personnel.
4. Establish communication methods to support IT system users' local and remote access to IT systems, as necessary.
3.4 IT System and Data Backup and Restoration
3.4.1 Purpose
IT System and Data Backup and Restoration requirements identify the steps necessary to protect the availability and integrity of University data documented in backup and restoration plans.
3.4.2 Requirements
For every IT system identified as sensitive relative to availability, the University shall, or shall require that its service provider, implement backup and restoration plans to support restoration of systems, networks, data and applications in accordance with University requirements. At a minimum, these plans shall address the following:
1. Secure off-site storage for backup media.
2. Storage of off-site backup media in an off-site location that is geographically separate and distinct from the primary location.
3. Performance of backups only by authorized personnel.
4. Review of backup logs after the completion of each backup job to verify successful completion.
5. Approval of backup schedules of a system by the System Owner in consultation with the Data Owner.
6. Approval of emergency backup and operations restoration plans by the System Owner.
7. Protection of any backup media that is sent off-site (physically or electronically), or shipped by the United States Postal Service or any commercial carrier, in accordance with University requirements.
8. Authorization and logging of deposits and withdrawals of all media that is stored off-site.
9. Retention of the data handled by an IT system in accordance with the Commonwealth of Virginia or the University's records retention policy.
10. Management of electronic information in such a way that it can be produced in a timely and complete manner when necessary, such as during a legal discovery proceeding.
11. Documentation and exercise of a strategy for testing that IT system and data backups are functioning as expected and the data is present in a usable form.
12. For business essential systems, documentation and exercise of a strategy for testing backup and recovery procedures, in accordance with the University's Continuity of Operations Plan, at least every three years.
4 INFORMATION SYSTEMS SECURITY
4.1 Purpose
Information Systems Security requirements delineate steps to protect information systems in the following areas:
1. IT System Security Plans
2. IT System Hardening
3. IT Systems Interoperability Security
4. Malicious Code Protection
5. Systems Development Life Cycle Security
6. Application Security
7. Wireless Security
4.2 IT System Security Plans
4.2.1 Purpose
IT System Security Plans (SSP) document the security controls required to demonstrate adequate protection of information systems against security risks, including those risks identified in risk assessments.
4.2.2 Requirements
Each System Owner of a sensitive IT system shall:
1. Document an IT System Security Plan (SSP) for the IT system based on the results of the risk assessment. This documentation shall include a description of:
(a) All existing and planned security controls for the IT system, including a schedule for implementing planned controls.
(b) How these controls provide adequate mitigation of risks to which the IT system is subject.
2. Submit the IT System Security Plan to the ISO for approval.
3. Plan, document and implement additional security controls for the IT system if the ISO disapproves of the IT System Security Plan, and resubmit the IT System Security Plan to the ISO for approval.
4. Update the IT System Security Plan every three years, or more often if necessary (e.g., due to material change), and resubmit the IT System Security Plan to the ISO for approval.
4.3 IT System Hardening
4.3.1 Purpose
IT System Hardening requirements delineate technical security controls to protect IT systems against security vulnerabilities.
4.3.2 Requirements
The University shall, or shall require that its service provider:
1. Identify, document, and apply appropriate baseline security configurations to all University IT systems, regardless of their sensitivity.
2. Identify, document, and apply more restrictive security configurations for sensitive University IT systems, as necessary.
Note: The University may develop University-specific baseline security configuration standards or may elect to use baseline security configuration standards that are publicly available, such as those developed by the Center for Internet Security (www.cisecurity.org).
3. Maintain records that document the application of baseline security configurations.
4. Monitor systems for security baseline and policy compliance.
5. Review and revise all baseline security configuration standards annually, or more frequently as needed.
Note: The University should establish a process to review applicable security notifications issued by equipment manufacturers, bulletin boards, security-related websites, and other security venues, and establish a process to update security baseline configuration standards based on those notifications.
6. Reapply all baseline security configurations to University IT systems, as appropriate, when the IT system undergoes a material change, such as an operating system upgrade.
7. Require annual operating system level vulnerability scanning of sensitive IT systems.
8. Modify individual IT system configurations or baseline security configuration standards, as appropriate, to improve their effectiveness based on the results of vulnerability scanning.
9. Security patches should be applied when they can eliminate or mitigate applicable security vulnerabilities. However, automatic updates should never be enabled on sensitive systems that have high-availability requirements, as some security patches may cause applications (or entire systems) to fail. The risks associated with applying security patches should be taken into consideration and compared against the risks of the identified security vulnerability. If no security patch is available, or one is available but unable to be applied because doing so is deemed to be the greater risk, the following compensating controls may be utilized:
(a) Modify or create access restrictions, e.g. firewalls, to limit access to the system.
(b) Disable services or functionality related to the identified security vulnerability.
(c) Raise awareness of the identified security vulnerability.
(d) Increase IDS logging to detect potential attacks.
4.4 IT Systems Interoperability Security
4.4.1 Purpose
IT System Interoperability Security requirements identify steps to protect data shared with other IT systems.
4.4.2 Requirements
For every sensitive University IT system that shares data with non-University entities, the University shall require, or shall specify that its service provider require:
Note: Best practice dictates that Interoperability Agreements should be in place for sensitive IT system interoperability between University departments. However, this Standard currently only requires agreements between University and non-University entities.
1. The System Owners, in consultation with the Data Owners, shall document IT systems with which data is shared. This documentation must include:
(a) The types of shared data.
(b) The direction(s) of data flow.
(c) Contact information for the organization that owns the IT system with which data is shared, including the System Owner, the Information Security Officer (ISO) or equivalent, and the System Administrator.
2. The System Owners of the IT systems which share data shall develop a written agreement that delineates security requirements for each interconnected IT system and for each type of data shared.
3. The System Owners of the IT systems that share data shall inform one another regarding other IT systems with which their IT systems interconnect or share data, and shall inform one another prior to establishing any additional interconnections or data sharing.
4. The written agreement shall specify if and how the shared data will be stored on each IT system.
5. The written agreement shall specify that System Owners of the IT systems that share data acknowledge and agree to abide by any legal requirements (e.g., HIPAA, PCI, etc.) regarding handling, protection, and disclosure of the shared data.
6. The written agreement shall specify each Data Owner's authority to approve access to the shared data.
7. The System Owners shall approve and enforce the agreement.
4.5 Malicious Code Protection
4.5.1 Purpose
Malicious Code Protection requirements identify controls to protect IT systems from damage caused by malicious code.
4.5.2 Requirements
The University shall, or shall require that its service provider:
1. Prohibit all IT system users from developing or experimenting with malicious programs (e.g., viruses, worms, spyware, keystroke loggers, phishing software, Trojan horses, etc.) unless this development or experimentation is for academic or research purposes in an offline environment that does not impact production systems, networks or data.
2. Provide malicious program detection, protection, eradication, logging, and reporting capabilities.
3. Provide malicious code protection mechanisms via multiple IT systems and for all IT system users, preferably deploying malicious code detection products from multiple vendors on various platforms.
Example: The University may elect to provide protection against malicious code transmitted via email both on the email servers and on the desktop.
4. Provide protection against malicious programs through the use of mechanisms that:
(a) Eliminate or quarantine malicious programs that they detect.
(b) Provide an alert notification.
(c) Automatically run scans on memory and storage devices.
(d) Automatically scan all files retrieved through a network connection, modem connection, or from an input storage device.
(e) Allow only authorized personnel to modify program settings.
(f) Maintain a log of protection activities.
5. Provide the ability to eliminate or quarantine malicious programs in email messages and file attachments as they attempt to enter the University's internal email system.
6. Provide the ability for automatic download of definition files for malicious code protection programs whenever new files become available, and propagate the new files to all devices protected by the malicious code protection program.
7. Require all forms of malicious code protection to start automatically upon system boot.
8. Provide network designs that allow malicious code to be detected and removed or quarantined before it can enter and infect a production device.
9. Provide procedures that instruct administrators and IT system users on how to respond to malicious program attacks, including shutdown, restoration, notification, and reporting requirements.
10. Require use of only new media (e.g., USB sticks, CD-ROM) or sanitized media for making copies of software for distribution.
11. Prohibit the use of shared computers and desktops (e.g., training rooms) to create distribution media.
4.6 Systems Development Life Cycle Security
4.6.1 Purpose
Systems Development Life Cycle (SDLC) security requirements document the security-related activities that must occur in each phase of the development life cycle (from project definition through disposal) for University IT application systems.
4.6.2 Requirements
The University shall:
1. Incorporate security requirements in each phase of the life cycle, as well as for each modification proposed for the IT application system in each stage of its life cycle.
Project Initiation
1. Perform an initial risk analysis based on the known requirements and the business objectives to provide high-level security guidelines for the system developers.
2. Classify the types of data that the system will process and the sensitivity of the proposed IT system.
3. Assess the need for collection and maintenance of sensitive data before incorporating such collection and maintenance in IT system requirements.
4. Develop an initial IT System Security Plan (see IT System Security Plans) that documents the security controls that the system will enforce to provide adequate protection against security risks.
Project Definition
1. Identify, develop, and document security requirements for the system during the Project Definition phase.
2. Incorporate security requirements in IT system design specifications.
3. Verify that the system development process designs, develops, and implements security controls that meet information security requirements in the design specifications.
4. Update the initial IT System Security Plan to document the security controls included in the design of the system to provide adequate protection against security risks.
5. Develop evaluation procedures to validate that security controls developed for a new system are working properly and are effective.
Note: Some security controls (primarily those controls of a non-technical nature) cannot be tested and evaluated until after deployment of the system.
Implementation
1. Execute the evaluation procedures to validate and verify that the functionality described in the specification is included in the product.
Note: Results should be documented in a report, including identification of controls that did not meet design specifications.
2. Conduct a Risk Assessment (see Risk Assessment) to assess the risk level of the system.
3. Require that the system comply with all relevant Risk Management requirements in this Standard.
4. Update the IT System Security Plan to document the security controls included in the system as implemented to provide adequate protection against information security risks, and comply with the other requirements (see IT System Security Plans) of this document.
Disposition
1. Require that retention of the data handled by a system takes place in accordance with the Commonwealth of Virginia or the University's records retention policy prior to disposing of the system.
2. Require that electronic media is sanitized prior to disposal so that all data is removed from the system.
3. Verify the disposal of hardware and software in accordance with the Data Storage and Media Protection Policy 5102.
4.7 Application Security
4.7.1 Purpose
Application security requirements define the high-level specifications for securely developing and deploying University applications.
4.7.2 Requirements
The University ISO is accountable for ensuring the following steps are documented and followed:
Application Planning
1. Data Classification - Data used, processed or stored by the proposed application shall be classified according to the sensitivity of the data.
2. Risk Assessment - If the data classification identifies the system as sensitive, a risk assessment shall be conducted before development begins and after planning is complete.
3. Security Requirements - Identify and document the security requirements of the application early in the development life cycle. For a sensitive system, this shall be done after a risk assessment is completed and before development begins.
4. Security Design - Use the results of the Data Classification process to assess and finalize any encryption, authentication, access control, and logging requirements. When planning to use, process or store sensitive information in an application, the following design criteria must be addressed:
(a) Encrypted communication channels shall be established for the transmission of sensitive information.
(b) Sensitive information shall not be visibly transmitted between the client and the application.
(c) Sensitive information shall not be stored in hidden fields that are part of the application interface.
Application Development
The following requirements represent a minimal set of coding practices, which shall be applied to all applications under development.
1. Authentication - Application-based authentication and authorization shall be performed for access to data that is available through the application but is not considered publicly accessible.
2. Session Management - Any user sessions created by an application shall support an automatic inactivity timeout function.
3. Data storage shall be separated, either logically or physically, from the application interface (i.e., design two- or three-tier architectures).
Note: The University may consider the use of data scrubbing routines to remove all sensitive data from non-production data storage.
4. Input Validation - All application input shall be validated irrespective of source. Input validation should always consider both expected and unexpected input, and not block input based on arbitrary criteria.
5. Default Deny - Application access control shall implement a default deny policy, with access explicitly granted.
6. Principle of Least Privilege - All processing shall be performed with the least set of privileges required.
7. Quality Assurance - Internal testing shall include at least one of the following: penetration testing, fuzz testing, or a source code auditing technique. Third-party source code auditing and/or penetration testing should be conducted commensurate with sensitivity and risk.
Note: Source code auditing techniques include, but are not limited to:
(a) Manual code review can identify vulnerabilities as well as functional flaws, but most University departments do not have the skilled security resources or time available within the software life cycle that a manual code review requires, and therefore many who decide to perform manual code reviews can only analyze a small portion of their applications.
(b) Application penetration testing tries to identify vulnerabilities in software by launching as many known attack techniques as possible on likely access points in an attempt to bring down the application or the entire system.
(c) Automated source code analysis tools make the process of manual code review more efficient, affordable, and achievable. This technique of code audit results in significant reduction of analysis time, actionable metrics, significant cost savings, and can be integrated into all points of the development life cycle.
8. Configure applications to clear the cached data and temporary files upon exit of the application or logoff of the system.
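As an added illustration (not part of the Standard or any Radford University code) of two of the Application Development coding practices above, Session Management (item 2) and Default Deny with explicit grants (item 5), the following Python sketches a session store that expires idle sessions and an authorization check that allows nothing unless a grant exists. The 15-minute timeout and every name below are assumptions for the example; the Standard sets no specific timeout value.

```python
"""Added example, not part of the Radford standard: session inactivity
timeout and default-deny, explicit-grant access control. All names and
the timeout value are hypothetical choices for this illustration."""
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# Assumed value: the Standard only requires *an* inactivity timeout.
INACTIVITY_TIMEOUT_SECONDS = 15 * 60


@dataclass
class Session:
    user: str
    created_at: float
    last_activity: float


class SessionStore:
    """Sessions that see no activity for `timeout` seconds are dropped,
    forcing the user to authenticate again (item 2, Session Management)."""

    def __init__(self, timeout: float = INACTIVITY_TIMEOUT_SECONDS):
        self.timeout = timeout
        self._sessions: Dict[str, Session] = {}

    def create(self, session_id: str, user: str, now: float) -> Session:
        session = Session(user=user, created_at=now, last_activity=now)
        self._sessions[session_id] = session
        return session

    def touch(self, session_id: str, now: float) -> Optional[Session]:
        """Return the live session after refreshing its activity time, or
        None if it is unknown or has been idle longer than the timeout."""
        session = self._sessions.get(session_id)
        if session is None:
            return None
        if now - session.last_activity > self.timeout:
            del self._sessions[session_id]  # expired: discard, do not revive
            return None
        session.last_activity = now
        return session


class AccessPolicy:
    """Default deny: a request is allowed only when one of the user's roles
    holds an explicit (resource, action) grant (item 5). Roles carry only
    the grants they need, which is how least privilege (item 6) is kept."""

    def __init__(self):
        self._grants: Set[Tuple[str, str, str]] = set()   # (role, resource, action)
        self._roles: Dict[str, Set[str]] = {}             # user -> roles

    def grant(self, role: str, resource: str, action: str) -> None:
        self._grants.add((role, resource, action))

    def assign_role(self, user: str, role: str) -> None:
        self._roles.setdefault(user, set()).add(role)

    def is_allowed(self, user: str, resource: str, action: str) -> bool:
        # Unknown users have no roles and therefore no grants: denied.
        roles = self._roles.get(user, set())
        return any((role, resource, action) in self._grants for role in roles)


def handle_request(store: SessionStore, policy: AccessPolicy,
                   session_id: str, resource: str, action: str,
                   now: float) -> str:
    """Authorization gate for one request. Returns one of
    "deny:no-session", "deny:forbidden" or "allow"."""
    session = store.touch(session_id, now)
    if session is None:
        return "deny:no-session"       # expired or never issued
    if not policy.is_allowed(session.user, resource, action):
        return "deny:forbidden"        # no explicit grant: default deny
    return "allow"


if __name__ == "__main__":
    # Constructed demo data: an advisor may read student records, a
    # student account holds no grants at all.
    store, policy = SessionStore(timeout=900), AccessPolicy()
    policy.grant("advisor", "student_record", "read")
    policy.assign_role("alice", "advisor")
    policy.assign_role("bob", "student")
    store.create("s1", "alice", now=1000.0)
    store.create("s2", "bob", now=1000.0)
    print(handle_request(store, policy, "s1", "student_record", "read", 1100.0))   # allow
    print(handle_request(store, policy, "s1", "student_record", "write", 1200.0))  # deny:forbidden
    print(handle_request(store, policy, "s2", "student_record", "read", 1200.0))   # deny:forbidden
    print(handle_request(store, policy, "s1", "student_record", "read", 2101.0))   # deny:no-session
```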
Production and Maintenance
1. Production applications shall be hosted on servers compliant with the University Security requirements for IT system hardening.
2. Internet-facing applications classified as sensitive shall have vulnerability scans run against the applications and supporting server infrastructure at least annually, and always when any significant change to the environment or application has been made. Any remotely exploitable vulnerability shall be remediated immediately. Other vulnerabilities should be remediated without undue delay.
Note: It is strongly recommended that the University adopt application vulnerability scanning and remediation for all internal sensitive applications as well.
4.8 Wireless Security
4.8.1 Purpose
Wireless security requirements define the high-level specifications for the secure deployment and use of wireless networking.
4.8.2 Requirements
The University ISO is accountable for ensuring the following steps are followed and documented:
Wireless LAN (WLAN) Connectivity on the University networks
1. The following requirements shall be met in the deployment, configuration and administration of WLAN infrastructure connected to any internal University network.
(a) WLAN infrastructure must authenticate client devices prior to permitting access to the WLAN.
(b) User authorization infrastructure (e.g., Active Directory) must be used to authorize access to
University resources.
(c) Encryption must be used to access sensitive systems (e.g. VPN).
(d) Physical or logical separation between WLAN and wired LAN segments must exist.
(e) University WLAN access and WLAN egress traffic will be monitored for malicious activity, and associated event log files stored on a centralized storage device.
WLAN Hotspot (Wireless Internet)
1. When building a wireless network, which will only provide unauthenticated access to the Internet, the following must be in place:
(a) WLAN Hotspots must have logical or physical separation from the University's LAN.
(b) WLAN Hotspot access and WLAN egress traffic will be monitored for malicious activity, and log files stored on a centralized storage device.
Wireless Bridging
1. The following network configuration shall be used when bridging two wired LANs:
(a) All wireless bridge communications must utilize secure encryption.
(b) Wireless bridging devices must not be configured for any other service than bridging (e.g., a wireless access point).
5 LOGICAL ACCESS CONTROL
5.1 Purpose
Logical Access Control requirements delineate the steps necessary to protect IT systems, networks and data by verifying and validating that users are who they say they are and that they are permitted to use the IT systems, networks and data they are attempting to access. Users are accountable for any activity on the system and network performed with the use of their account. This component of the University Information Security Program defines requirements in the following three areas:
1. Account Management
2. Password Management
3. Remote Access
5.2 Account Management
5.2.1 Purpose
Account Management requirements identify those steps necessary to formalize the process of requesting, granting, administering, and terminating accounts. The University should apply these Account Management practices to accounts on IT systems, including accounts used by vendors and third parties.
The requirements below distinguish between internal and external IT systems. Internal IT systems are designed and intended for use only by University employees, contractors, and business partners. External IT systems are designed and intended for use by University customers and by members of the public.
5.2.2 Requirements
The University shall or shall require that its service provider document and implement account management practices for requesting, granting, administering, and terminating accounts. At a minimum, these practices shall include the following components:
Note: It is strongly recommended technical controls be implemented wherever possible to fulfill the following requirements, understanding that manual processes must sometimes be implemented to compensate for technical controls that might not be feasible.
For all internal and external IT systems
1. Grant IT system users' access to IT systems, networks and data based on the principle of least privilege.
2. Define authentication and authorization requirements.
3. Establish policies and procedures for approving and terminating authorization to IT systems.
4. Require requests for and approvals of emergency or temporary access that:
(a) Are documented according to standard practice and maintained on file.
(b) Include access attributes for the account.
(c) Are approved by the System Owner.
(d) Expire after a predetermined period, based on sensitivity and risk.
5. Implement two-factor authentication, where possible, for access to IT systems.
6. System Owners and Data Owners must review all user accounts for the user's continued need to access sensitive systems. These reviews should occur annually.
7. Notify the Division of Information Technology (DoIT) when IT system user accounts are no longer required, or when an IT system user's access level requirements change.
8. If the IT system is classified as sensitive, prohibit the use of guest (non-authenticated) accounts.
9. Prohibit the display of the last logon user ID on multi-user systems. Desktop and laptop systems assigned to a specific user are exempt from this requirement.
10. Lock an account automatically if it is not used for a predefined period.
Note: The University should strongly consider locking accounts that go unused for 90 consecutive days.
11. Disable unneeded accounts. Example: Root accounts that are not routinely used should be disabled.
12. Retain unneeded accounts in a disabled state in accordance with the Commonwealth of Virginia or the University's records retention policy.
13. Associate access levels with group membership, where practical, and require that every system user account be a member of at least one user group.
14. Require that the System Owner and the System Administrator investigate unusual system access activities.
15. Require that System Administrators have both an administrative account and at least one user account and require that administrators use their administrative accounts only when performing tasks that require administrative privileges.
16. Prohibit the granting of local administrator rights to users without documented need. Local administrative accounts are prohibited in areas subject to high risk or subject to additional regulations or standards (PCI, HIPAA, etc.).
17. Require that at least two individuals have administrative accounts to each IT system, to provide continuity of operations.
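An account-inventory review that checks items 10, 15 and 17 above, added here as an example and not part of the Standard. The inventory layout (one record per account with an owner, an admin flag and a last-use date), the 90-day figure taken from the Note under item 10, and the sample entries are constructed for the example.

```python
"""Account review for 5.2.2 items 10, 15 and 17 (added example, not the
Standard's own tooling). The inventory format is an assumption: one dict per
account with system, user, owner (the person behind the account, empty for
service accounts), admin flag and last_used as an ISO date or None."""
from collections import defaultdict
from datetime import datetime

UNUSED_DAYS_THRESHOLD = 90   # Note under item 10: lock after 90 unused days
MIN_ADMINS_PER_SYSTEM = 2    # item 17: at least two individuals with admin accounts

# Constructed sample inventory.
SAMPLE_ACCOUNTS = [
    {"system": "banner", "user": "jdoe",       "owner": "jdoe",   "admin": False, "last_used": "2019-02-10"},
    {"system": "banner", "user": "jdoe-adm",   "owner": "jdoe",   "admin": True,  "last_used": "2019-02-01"},
    {"system": "banner", "user": "asmith",     "owner": "asmith", "admin": False, "last_used": "2018-10-01"},
    {"system": "banner", "user": "asmith-adm", "owner": "asmith", "admin": True,  "last_used": "2019-01-20"},
    {"system": "hrweb",  "user": "root",       "owner": "bjones", "admin": True,  "last_used": "2018-09-15"},
    {"system": "hrweb",  "user": "svc-backup", "owner": "",       "admin": False, "last_used": None},
]


def parse_date(value):
    """ISO date string -> date, or None when no date is recorded."""
    return datetime.strptime(value, "%Y-%m-%d").date() if value else None


def find_unused_accounts(accounts, as_of, threshold=UNUSED_DAYS_THRESHOLD):
    """Item 10: accounts with no recorded use in the last `threshold` days.
    Accounts with no last-use record at all are reported too, for manual review."""
    review_date = parse_date(as_of)
    idle = []
    for acct in accounts:
        last = parse_date(acct["last_used"])
        if last is None or (review_date - last).days >= threshold:
            idle.append((acct["system"], acct["user"]))
    return idle


def find_admins_without_user_account(accounts):
    """Item 15: every owner of an admin account must also hold a non-admin account."""
    admins_by_owner = defaultdict(set)
    users_by_owner = defaultdict(set)
    for acct in accounts:
        if not acct["owner"]:
            continue  # service/hardware accounts are governed by their own section
        bucket = admins_by_owner if acct["admin"] else users_by_owner
        bucket[acct["owner"]].add(acct["user"])
    return sorted(owner for owner in admins_by_owner if owner not in users_by_owner)


def find_systems_short_of_admins(accounts, minimum=MIN_ADMINS_PER_SYSTEM):
    """Item 17: count distinct individuals (not accounts) holding admin access per system."""
    owners_by_system = defaultdict(set)
    for acct in accounts:
        if acct["admin"] and acct["owner"]:
            owners_by_system[acct["system"]].add(acct["owner"])
    systems = {acct["system"] for acct in accounts}
    return sorted(s for s in systems if len(owners_by_system[s]) < minimum)


def review(accounts, as_of):
    """Bundle the three findings into one report dict."""
    return {
        "unused": find_unused_accounts(accounts, as_of),
        "admins_without_user_account": find_admins_without_user_account(accounts),
        "systems_short_of_admins": find_systems_short_of_admins(accounts),
    }


if __name__ == "__main__":
    for finding, items in review(SAMPLE_ACCOUNTS, "2019-02-21").items():
        print(f"{finding}: {items}")
```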
For all internal IT systems
1. Require a documented request and approval by the user's supervisor and by the system's Data Owner or designee to establish a user account on any sensitive IT system.
2. Require a documented request and approval by the IT system user's supervisor and approval by the System Owner or designee to establish an elevated privileged account on any sensitive IT system.
3. Complete any University required background checks before establishing accounts, or as soon as practical thereafter.
4. Require secure delivery of access credentials to the user based on information already on file.
5. University departments must notify Human Resources and the Division of Information Technology (DoIT) in a timely manner about termination or transfer of employees and contractors with access rights to sensitive IT systems, networks and data.
6. Promptly remove access when no longer required.
For all external IT systems
1. Require secure delivery of access credentials to users of all external IT systems.
2. Require confirmation of the user's request for access credentials based on information already on file prior to delivery of the access credentials to users of all sensitive external IT systems.
3. Require delivery of access credentials to users of all sensitive external IT systems by means of an alternate channel (e.g., U.S. Mail).
For all service and hardware accounts
1. Document account management practices for all University created service accounts, including, but not limited to, granting, administering and terminating accounts.
5.3 Password Management
5.3.1 Purpose
Password Management specifies requirements for password use, storage and transmission to protect University IT systems, networks and data.
5.3.2 Requirements
The University shall or shall require that its service provider implement password management practices. At a minimum, these practices shall include the following components:
1. Users are responsible for selecting a unique password that is different from any other RU or non-RU system. (As an example, users must not use the same password for Facebook and Banner.)
2. Shared accounts that are used primarily for departmental or club activities may not be used to access sensitive systems or sensitive data.
3. Require passwords, PINs or other modes of protection (e.g. pattern unlocking or fingerprints) on mobile devices such as smartphones, tablets and laptops. If using a PIN, it must have a minimum of 4 digits.
4. Require password complexity:
(a) At least eight characters in length.
(b) Password cannot contain the user's first name, last name, or account username.
(c) Utilize at least three of the following four character sets:
i. Special characters (.@?)
ii. Uppercase alphabetical characters (ABC)
iii. Lowercase alphabetical characters (abc)
iv. Numerical characters (123)
Note: It is considered best practice not to base passwords on a single dictionary word and not to use words with numbers (or special characters) appended to the end. For example, "Classof2014!" would be an extremely weak password.
5. Require that default passwords be changed immediately after installation.
6. Prohibit the transmission of password data without the use of industry accepted encryption standards.
7. Require IT system users to maintain exclusive control and use of their passwords, to protect them from inadvertent disclosure to others.
8. Require all sensitive IT system accounts to change passwords at least every 180 days.
9. Require that IT system users immediately change their passwords and notify the ISO if they suspect their passwords have been compromised.
10. Configure all sensitive IT systems to maintain at least the last 6 passwords used in the password history files to prevent the reuse of the same or similar passwords.
11. Provide a unique initial password for each new account of sensitive IT systems and require that IT system users change the initial passwords issued upon first login.
12. For sensitive IT systems, deliver the initial password to the IT system user in a secure and confidential manner.
13. Prohibit the storage of passwords in clear text and use the strongest available hashing storage solution to better withstand off-line attacks. The ISO should approve password hash storage solutions.
Example: In a Microsoft Windows Active Directory domain that no longer has legacy clients, consider disabling LanMan hashing and require NT Hashing for password storage. In an OpenLDAP directory, use Secure SHA1 hashing (SSHA) rather than simple SHA1 hashing for password storage, etc.
Note: System Owners should consult with the ISO to determine the strongest hash storage solution for their systems.
14. Limit access to files containing passwords to the IT system and its administrators, and log such access to these files.
15. Suppress the display of passwords on the screen as they are entered.
16. Implement a screen saver lockout period after a maximum of 30 minutes of inactivity for University owned devices in non-academic areas.
17. Require passwords to be set on device management interfaces for all network devices.
18. Document and store hardware passwords securely.
19. Implement procedures to handle lost or compromised passwords and/or tokens.
20. In areas identified to be subject to specific regulations or other standards, set an account lockout threshold of not greater than fifty (50) invalid attempts and the lockout duration for at least 15 minutes.
21. User accounts that have system-level privileges granted through group memberships or programs such as "sudo" must have a unique password from all other accounts held by that user.
22. Where practical, sensitive systems should be configured to prevent a user from changing their password more than once per day.
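The rules in items 4, 8, 10, 13 and 22 above as a change-password check, added here as an example and not part of the Standard. It assumes that any non-alphanumeric character counts as a special character, and that history entries are kept in the OpenLDAP {SSHA} form item 13 cites (salted SHA-1; treat it as the illustration of salted storage the Standard gives, not as a current strength recommendation); the sample user and history are constructed. It also shows why the Note after item 4 exists: "Classof2014!" passes every mechanical rule.

```python
"""Password policy checks for 5.3.2 items 4, 8, 10, 13 and 22 (added example,
not the Standard's own code). Assumptions: a "special character" is any
non-alphanumeric character; history entries use OpenLDAP's {SSHA} layout,
base64(sha1(password + salt) + salt), as named in item 13."""
import base64
import hashlib
import hmac
import os
from datetime import datetime

MIN_LENGTH = 8        # item 4(a)
MIN_CHAR_SETS = 3     # item 4(c): at least three of the four sets
HISTORY_DEPTH = 6     # item 10
MAX_AGE_DAYS = 180    # item 8
MIN_AGE_DAYS = 1      # item 22: no more than one change per day


def ssha_hash(password, salt=None):
    """{SSHA} form from item 13: base64(sha1(pw || salt) || salt), 4-byte salt."""
    salt = os.urandom(4) if salt is None else salt
    digest = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return "{SSHA}" + base64.b64encode(digest + salt).decode("ascii")


def ssha_verify(password, stored):
    """Recompute the digest using the salt carried after the 20-byte SHA-1."""
    if not stored.startswith("{SSHA}"):
        return False
    raw = base64.b64decode(stored[len("{SSHA}"):])
    digest, salt = raw[:20], raw[20:]
    candidate = hashlib.sha1(password.encode("utf-8") + salt).digest()
    return hmac.compare_digest(candidate, digest)


def complexity_violations(password, first_name, last_name, username):
    """Item 4: list the complexity rules the candidate password breaks."""
    problems = []
    if len(password) < MIN_LENGTH:
        problems.append("4(a): fewer than %d characters" % MIN_LENGTH)
    lowered = password.lower()
    for label, value in (("first name", first_name),
                         ("last name", last_name),
                         ("username", username)):
        if value and value.lower() in lowered:
            problems.append("4(b): contains the user's " + label)
    sets_used = sum([
        any(c.isupper() for c in password),
        any(c.islower() for c in password),
        any(c.isdigit() for c in password),
        any(not c.isalnum() for c in password),  # assumption: any non-alphanumeric
    ])
    if sets_used < MIN_CHAR_SETS:
        problems.append("4(c): uses %d of the 4 character sets" % sets_used)
    return problems


def reused_from_history(password, history):
    """Item 10: true if the candidate equals any of the last HISTORY_DEPTH hashes."""
    return any(ssha_verify(password, stored) for stored in history[-HISTORY_DEPTH:])


def age_status(last_changed, today):
    """Items 8 and 22 on ISO dates: 'expired', 'too_recent' or 'ok'."""
    fmt = "%Y-%m-%d"
    age = (datetime.strptime(today, fmt) - datetime.strptime(last_changed, fmt)).days
    if age > MAX_AGE_DAYS:
        return "expired"
    if age < MIN_AGE_DAYS:
        return "too_recent"
    return "ok"


def evaluate_change(candidate, user, history, last_changed, today):
    """Combine the checks the way a change-password handler would."""
    problems = complexity_violations(candidate, user["first"], user["last"], user["username"])
    if reused_from_history(candidate, history):
        problems.append("10: reused within the last %d passwords" % HISTORY_DEPTH)
    if age_status(last_changed, today) == "too_recent":
        problems.append("22: password already changed today")
    return problems


# Constructed sample data for the demonstration.
SAMPLE_USER = {"first": "Jane", "last": "Doe", "username": "jdoe"}
SAMPLE_HISTORY = [ssha_hash("Winter-2018-Pass"), ssha_hash("Autumn-2018-Pass")]

if __name__ == "__main__":
    # The Note's example passes every mechanical rule in item 4, which is
    # exactly why the Note warns against word-plus-suffix passwords.
    print(complexity_violations("Classof2014!", "Jane", "Doe", "jdoe"))   # []
    print(evaluate_change("Winter-2018-Pass", SAMPLE_USER, SAMPLE_HISTORY,
                          "2019-01-01", "2019-02-21"))
```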
5.4 Remote Access
5.4.1 Purpose
Remote Access requirements identify the steps necessary to provide for the secure use of remote access to resources used by the University.
5.4.2 Requirements
The University shall or shall require that its service provider:
1. Protect the security of all remote access to the University's sensitive IT systems, networks and data by means of encryption, in a manner consistent with Section 6.3.
Note: This encryption requirement applies both to session initiation (e.g., identification and authentication) and to all exchanges containing sensitive data.
2. Protect the security of remote file transfer of sensitive data to and from University IT systems by means of encryption, in a manner consistent with Section 6.3.
3. Document requirements for use of remote access and for remote access to sensitive data, based on University policies, standards, guidelines, and procedures.
4. Require that IT system users obtain authorization and a unique user ID and password prior to using the University's remote access capabilities.
5. Document requirements for the physical and logical hardening of remote access devices.
6. Require maintenance of auditable records of all remote access.
7. Where supported by features of the system, session timeouts shall be implemented after a period of no longer than 2 hours of inactivity, commensurate with sensitivity and risk.
6 DATA PROTECTION
6.1 Purpose
Data Protection requirements delineate the steps necessary to protect University data from improper or unauthorized disclosure. This component of the University Information Security Program defines requirements in the following two areas:
1. Data Storage Media Protection
2. Encryption
6.2 Data Storage Media Protection
6.2.1 Purpose
Data Storage Media Protection requirements identify the steps necessary for the appropriate handling of stored data to protect the data from compromise.
6.2.2 Requirements
The University shall or shall require that its service provider implement Data Storage Media Protection practices. At a minimum, these practices must include the following components:
1. Define protection of stored sensitive data as the responsibility of the Data Owner.
2. Prohibit the storage of sensitive data on any non-network storage device or media, except for backup media, unless the data is encrypted and there is a written exception approved by the CIO accepting identified residual risks. The exception shall include the following elements:
(a) The business or technical justification.
(b) The scope, including quantification and duration (not to exceed one year).
(c) A description of all associated risks.
(d) Identification of controls to mitigate the risks, one of which must be encryption.
(e) Identification of any residual risks.
Note: Non-network storage device or media includes removable data storage media and the fixed disk drives of all desktops, mobile devices and mobile storage devices.
3. Require logical and physical protection for all data storage media containing sensitive data, commensurate with sensitivity and risk.
4. Restrict the pickup, receipt, transfer, and delivery of all data storage media containing sensitive data to authorized personnel.
5. Procedures must be implemented and documented to safeguard handling of all backup media containing sensitive data. Encryption of backup media shall be considered where the data is sensitive as related to confidentiality. Where encryption is not a viable option, mitigating controls and procedures must be implemented and documented.
6. Implement processes to sanitize data storage media prior to disposal or reuse.
6.3 Encryption
6.3.1 Purpose
Encryption requirements provide a framework for selecting and implementing encryption controls to protect sensitive data. See Data Breach Notification for notification requirements regarding a breach of unencrypted sensitive data.
6.3.2 Requirements
Commensurate with sensitivity and risk, the University or their service provider shall:
1. Define and document practices for selecting and deploying encryption technologies and for the encryption of data.
2. Document appropriate processes before implementing encryption. These processes must include the following components:
(a) Instructions in the Security Incident Response Plan on how to respond when encryption keys are compromised.
(b) A secure key management system for the administration and distribution of encryption keys.
(c) Requirements to generate all encryption keys through an approved encryption package and securely store the keys in the event of key loss due to unexpected circumstances.
3. Require encryption for the transmission of data that is sensitive relative to confidentiality or integrity. Digital signatures may be utilized for data that is sensitive solely relative to integrity.
6.4 Protection of Sensitive Information on Non-Electronic Media
6.4.1 Purpose
This section outlines the best practice steps that should be taken to protect sensitive University information that may be stored or transmitted on non-electronic media such as the spoken word, paper documents, white or black boards, photographs, etc.
6.4.2 Recommendations
These recommendations apply to non-electronic media:
1. While in use, limit access on a need to know basis by physically controlling access. For example, sensitive documents printed to a global printer should be retrieved without delay.
2. While not in use, store in a secure location with appropriate physical controls.
3. When no longer needed, securely destroy using appropriate destruction methods such as erasing white or black boards and shredding paper documents.
7 FACILITIES SECURITY
7.1 Purpose
Facilities Security requirements identify the steps necessary to safeguard the physical facilities that house IT equipment, systems, services, networks and personnel.
7.2 Requirements
The University shall or shall require that its service provider document and implement facilities security practices. At a minimum, these practices must include the following components:
1. Safeguard IT systems, networks and data residing in buildings, mobile facilities, and portable facilities.
2. Design safeguards, commensurate with risk, to protect against human, natural, and environmental threats.
3. Require appropriate environmental controls such as electric power, heating, fire suppression, humidity control, ventilation, air-conditioning and air purification, as required by the IT systems, networks and/or data.
4. Protect against unauthorized physical access.
5. Control physical access to essential computer hardware, wiring, displays, and networks by the principle of least privilege in all new installations.
6. Provide a system of monitoring and auditing physical access to sensitive IT systems.
7. Require that the ISO or designee annually review the list of persons allowed physical access to sensitive IT systems.
8. Should unauthorized physical access occur, departments must alert the ISO as soon as practical.
8 PERSONNEL SECURITY
8.1 Purpose
Personnel Security requirements delineate the steps necessary to restrict access to IT systems, networks and data to those individuals who require such access as part of their job duties and responsibilities. This component of the University Information Security Program defines requirements in the following areas:
1. Access Determination and Control
2. Information Security Awareness and Training
3. Acceptable Use
4. Email Communications
8.2 Access Determination and Control
8.2.1 Purpose
Access Determination and Control requirements identify the steps necessary to restrict access to IT systems, networks and data to authorized individuals.
8.2.2 Requirements
The University shall or shall require that its service provider document and implement access determination and control practices for all sensitive University IT systems and all third-party IT systems with which sensitive University IT systems interconnect. At a minimum, these practices shall include the following components:
1. Perform background investigations of all internal IT System users in accordance with University HR background check policy. Existing users may be grandfathered under the policy and may not be required to have background investigations.
2. Restrict visitor access from facility areas that house sensitive IT systems, networks or data.
3. Require non-disclosure and security agreements for access to IT systems, networks and data.
4. Remove physical and logical access rights upon personnel transfer or termination, or when requirements for access no longer exist.
5. Establish termination and transfer practices that require return of logical and physical assets that provide access to sensitive IT systems, networks and data and the facilities that house them.
6. Temporarily disable physical and logical access rights when personnel do not need such access for a prolonged period in excess of 30 days because they are not working due to leave, disability or other authorized purpose, based on requests from departments.
7. Disable physical and logical access rights upon suspension of personnel for greater than 1 day for disciplinary purposes, based on requests from departments.
8. Establish separation of duties in order to protect sensitive IT systems, networks and data, or establish compensating controls when constraints or limitations of the University prohibit a complete separation of duties.
Example: Such compensating controls may include increased supervisory review; reduced span of control; rotation of assignments; independent review, monitoring, and/or auditing; and timed and specific access authorization with audit review, among others.
9. Explicitly grant physical and logical access to sensitive IT systems, networks and data and the facilities that house them based on the principle of least privilege.
8.3 Information Security Awareness and Training
8.3.1 Purpose
Security Awareness and Training requirements identify the steps necessary to provide IT system managers, administrators, and users with awareness of system security requirements and of their responsibilities to protect IT systems, networks and data.
8.3.2 Requirements
The University ISO shall:
1. Include any University specific information security training requirements in the University information security awareness and training program.
Example: A University department that processes data covered by the Health Insurance Portability and Accountability Act (HIPAA) or the Payment Card Industry Data Security Standard (PCI-DSS) must have an information security awareness training program that addresses specific data security requirements.
2. Require that all employees and contractors receive information security awareness training during the University's training cycle.
3. Require additional role-based information security training commensurate with the level of expertise required for those employees and contractors who manage, administer, operate, and design IT systems, as practicable and necessary.
Example: The University employees and contractors who are members of the Disaster Recovery Team or Security Incident Response Team require specialized training in these duties.
4. Monitor and track completion of information security training.
5. Require information security training before (or as soon as practicable after) IT system users receive access rights to the University's sensitive IT systems, and in order to maintain these access rights.
6. Develop an information security training program that covers such topics as, but not limited to:
(a) The University's policy for protecting IT systems, networks and data, with a particular emphasis on sensitive IT systems, networks and data
(b) The concept of separation of duties
(c) Prevention and detection of information security incidents, including those caused by malicious code
(d) Proper use of data storage media
(e) Proper use of encryption
(f) Access controls, including creating and changing passwords and the need to keep them confidential
(g) Acceptable use policies
(h) Responsibility for the security of University data
(i) Phishing
(j) Social engineering
7. Require documentation of IT system users' acceptance of the University's security policies after receiving information security training.
8.4 Acceptable Use
8.4.1 Purpose
Acceptable Use requirements identify the steps necessary to define acceptable and permitted use of University IT systems, networks and data.
8.4.2 Requirements
The University shall:
1. Document an acceptable use policy.
2. Direct the proper use of encryption for transmitting sensitive data.
3. Direct the use of an authorized University warning banner to communicate that IT systems and their use may be monitored and viewed by authorized personnel; and there is no expectation of privacy when using a University owned system or network.
4. Require acknowledgment that monitoring of IT systems, networks and data may include, but will not be limited to, network traffic; application and data access; keystrokes (only when required for security investigations and approved in writing by the University President or CIO); and user commands; email and Internet usage; and message and data content.
5. Prohibit users from:
(a) Installing or using proprietary encryption hardware/software on University systems
(b) Tampering with security controls configured on University owned systems
(c) Installing unauthorized, personal software on University owned systems
(d) Adding system hardware to, removing system hardware from, or modifying system hardware on a University owned system
6. Prohibit the unauthorized storage, use or transmission of copyrighted and licensed materials on University systems and networks.
7. When connected to sensitive internal University networks, data transmission shall be encrypted.
8. Require documentation of IT system users' acceptance of the University's Acceptable Use Policy before, or as soon as practical after, gaining access to University IT systems.
8.5 Email Communications
8.5.1 Purpose
Email shall not be used to send sensitive data unless said data is encrypted. As stated in the Encryption section of this Standard, encryption is required for the transmission of data that is sensitive relative to confidentiality and integrity.
An email disclaimer is a set of statements that are either pre-pended or appended to emails. These statements are frequently used to create awareness of how to treat the data in the email. An email disclaimer is not a substitute for judgment on what content to put into an email.
8.5.2 Requirements
The University shall:
1. Require approved encryption technologies for the transmission of email and attached data that is
classified as sensitive. Digital signatures may be utilized for data that is sensitive solely relative to integrity as stated in the encryption component of this Standard.
Note: Approved encryption technologies for email are OpenPGP or S/MIME based encryption.
2. Consult with DoIT before adopting an email disclaimer. Emails sent from University systems are public records of the Commonwealth of Virginia and must be managed as such.
9 THREAT MANAGEMENT
9.1 Purpose
Threat Management delineates the steps necessary to protect IT systems, networks and data by preparing for and responding to information security incidents. This component area of the Standard defines requirements for the following:
1. Threat Detection
2. Information Security Monitoring and Logging
3. Information Security Incident Handling
4. Data Breach Notification
9.2 Threat Detection
9.2.1 Purpose
Threat Detection requirements identify the practices for implementing intrusion detection and prevention.
9.2.2 Requirements
The University shall or shall require that its service provider implement threat detection practices that at a minimum include the following:
1. Designate an individual responsible for the University's threat detection program, including planning, development, acquisition, implementation, testing, training, and maintenance. Unless otherwise specified, the ISO assumes this designation.
2. Implement an Intrusion Detection System (IDS).
3. Conduct IDS log reviews to detect new attack patterns as quickly as possible.
4. Develop and implement required mitigation measures based on the results of IDS log reviews.
5. Maintain regular communication with security research and coordination organizations, such as US-CERT, REN-ISAC, etc., to obtain information about new attack types, vulnerabilities, and mitigation measures.
9.3 Information Security Monitoring and Logging
9.3.1 Purpose
Information Security Monitoring and Logging requirements identify the steps necessary to monitor and record IT system activity.
9.3.2 Requirements
The University shall, or shall require that its service provider, implement information security monitoring and logging practices that include the following components, at a minimum:
1. Designate individuals responsible for the development and implementation of information security logging capabilities.
2. Develop procedures for reviewing and administering the logs.
3. Enable logging on all sensitive IT systems. At a minimum, logs will include:
(a) The event.
(b) The user ID associated with the event.
(c) The date and time the event occurred.
4. Monitor IT system logs, correlate information with other automated tools, identify suspicious activities, and provide alert notifications in compliance with IT-PO-5200, Log Review and Storage Policy.
5. Document standards that specify the type of actions an IT system administrator should take when a suspicious or apparent malicious activity is taking place.
Example: Possible actions include stopping the event, shutting down the IT system, and alerting appropriate staff.
Note: Multiple actions may be warranted and advisable, based on sensitivity and risk.
6. Prohibit the installation or use of unauthorized monitoring devices.
7. Prohibit the use of keystroke logging, except when required for security investigations and/or academic instruction/research purposes.
Note: For investigative purposes, the ISO has the responsibility to authorize monitoring or scanning activities for network traffic; application and information access; user commands; email and Internet usage; and message and information content for IT systems, networks and data.
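A log review implementing items 3 and 4 above, added here as an example and not part of the Standard or of IT-PO-5200. It assumes key=value log records carrying ts, user and event fields, a constructed sample log, and an alert threshold and window chosen for the example (the Standard does not set them); records missing any of the three minimum fields from item 3 are reported rather than silently dropped.

```python
"""Log review for 9.3.2 items 3 and 4 (added example, not the Standard's own
tooling). Assumptions: one record per line as key=value tokens with the keys
ts (ISO date-time), user and event; the failure threshold and window are
tuning values chosen for this example."""
from collections import defaultdict
from datetime import datetime, timedelta

REQUIRED_FIELDS = ("ts", "user", "event")   # item 3(a)-(c): event, user ID, date/time
FAILURE_THRESHOLD = 5                       # assumption: alert at 5 failures ...
WINDOW = timedelta(minutes=15)              # ... from one user ID within 15 minutes

# Constructed sample log; addresses are private-range placeholders.
SAMPLE_LOG = """\
ts=2019-02-21T08:00:01 user=jdoe event=logon_success src=10.0.0.5
ts=2019-02-21T08:01:10 user=asmith event=logon_failure src=10.0.0.9
ts=2019-02-21T08:01:15 user=asmith event=logon_failure src=10.0.0.9
ts=2019-02-21T08:01:20 user=asmith event=logon_failure src=10.0.0.9
ts=2019-02-21T08:01:25 user=asmith event=logon_failure src=10.0.0.9
ts=2019-02-21T08:01:30 user=asmith event=logon_failure src=10.0.0.9
ts=2019-02-21T08:05:00 event=config_change src=10.0.0.7
ts=2019-02-21T09:30:00 user=bjones event=logon_failure src=10.0.0.3
"""


def parse_record(line):
    """Split 'k=v k=v ...' into a dict; tokens without '=' are ignored."""
    fields = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            fields[key] = value
    return fields


def missing_required(record):
    """Item 3: the mandatory fields a record lacks (empty list when complete)."""
    return [field for field in REQUIRED_FIELDS if field not in record]


def review_log(text):
    """Return (incomplete, alerts).

    incomplete: (line number, missing fields) for records that fail item 3.
    alerts: one entry per user ID that accumulates FAILURE_THRESHOLD logon
    failures inside WINDOW, the correlation step of item 4."""
    incomplete, alerts = [], []
    failures = defaultdict(list)
    alerted = set()
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        record = parse_record(line)
        gaps = missing_required(record)
        if gaps:
            incomplete.append((lineno, gaps))
            continue
        if record["event"] != "logon_failure":
            continue
        ts = datetime.fromisoformat(record["ts"])
        recent = [t for t in failures[record["user"]] if ts - t <= WINDOW]
        recent.append(ts)
        failures[record["user"]] = recent
        if len(recent) >= FAILURE_THRESHOLD and record["user"] not in alerted:
            alerted.add(record["user"])
            alerts.append({"user": record["user"], "count": len(recent),
                           "last_seen": record["ts"]})
    return incomplete, alerts


if __name__ == "__main__":
    incomplete, alerts = review_log(SAMPLE_LOG)
    print("records missing required fields:", incomplete)
    print("alerts:", alerts)
```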
9.4 Information Security Incident Handling
9.4.1 Purpose
Information Security Incident Handling requirements identify the steps necessary to respond to suspected or known breaches to information security safeguards.
9.4.2 Requirements
The University shall document information security incident handling practices and where appropriate the University shall incorporate its service provider's procedures for incident handling practices that include the following, at a minimum:
1. Designate a Computer Security Incident Response Team (CSIRT) that includes personnel with appropriate expertise for responding to attacks.
2. Identify controls to deter and defend against attacks to best minimize loss or theft of information and disruption of services.
3. Implement proactive measures to defend against new forms of attacks and zero-day exploits.
4. Establish information security incident categorization and prioritization based on the immediate and potential adverse effect of the information security incident and the sensitivity of affected IT systems, networks and data.
5. Identify immediate mitigation procedures, including specific instructions, based on information
security incident categorization level, on whether or not to shut down or disconnect affected IT systems.
6. Establish a process for reporting information security incidents to the ISO. All University departments must report information security incidents to the ISO.
7. Establish requirements for internal University information security incident recording and reporting requirements, including a template for the incident report.
8. Establish procedures for information security incident investigation, preservation of evidence, and forensic analysis.
Note: The ISO, in conjunction with the CIO or other Administration authorities as necessitated by circumstances, may authorize the confiscation and removal of any University owned IT resource suspected to be the object of inappropriate use or violation of laws, regulations, policies or standards in order to preserve evidence.
9.5 Data Breach Notification
9.5.1 Purpose
To specify the notification requirements for unauthorized release of unencrypted sensitive information.
9.5.2 Requirements
Should a data breach occur, the University shall:
1. Comply with Commonwealth of Virginia data breach notification laws (and any other applicable laws) in consultation with legal counsel as necessary.
10 IT ASSET MANAGEMENT
10.1 Purpose
IT Asset Management delineates the steps necessary to protect IT systems, networks and data by managing the IT assets themselves in a planned, organized, and secure fashion. This component area defines requirements for the following:
1. IT Asset Control
2. Software License Management
3. Configuration Management and Change Control
10.2 IT Asset Control
10.2.1 Purpose
IT Asset Control requirements identify the steps necessary to control and collect information about IT assets.
10.2.2 Requirements
Commensurate with sensitivity and risk, the University shall or shall require that its service provider implement inventory management practices that address the following components, at a minimum:
1. Associate a primary custodian to each IT asset.
2. Track IT asset transfers in a timely and accurate manner.
3. Identify the primary location(s) of each IT asset.
4. Require that digital media be sanitized prior to disposal. This process must occur in accordance with the Data Storage and Media Protection Policy 5102.
5. Require creation and annual review of a list of University hardware and software assets.
10.3 Software License Management
10.3.1 Purpose
Software License Management requirements identify the steps necessary to protect against use of computer software in violation of applicable laws and contracts.
10.3.2 Requirements
The University shall or shall require that its service provider document and implement software license management practices that address the following components:
1. Assess annually whether all software is used in accordance with license agreements.
10.4 Configuration Management and Change Control
10.4.1 Purpose
Configuration Management and Change Control requirements identify the steps necessary to document and monitor the configuration of IT systems, and to control changes to these items during their lifecycles. While the full extent of Configuration Management and Change Control is beyond the scope of this Standard, the University will establish and maintain a change control process.
10.4.2 Requirements
The University shall, or shall require that its service provider, document and implement configuration management and change control practices so that changes to the IT environment do not compromise existing security controls.
11GLOSSARYAccess:Theabilitytouse,modifyoraffectaninformationsystemortogainphysicalentrytoanareaorlocation. AccessControls:Asetofsecurityproceduresthatmonitoraccessandeitheralloworprohibitusersfromaccessinginformationsystems,networksanddata. Alert:Notificationthataneventhasoccurredormayoccur. Application:Anexecutablecomputerprogram. ApplicationSystem:Aninterconnectedsetofinformationresourcesunderthesamedirectmanagementcontrol. Asset:Anysoftware,data,hardware,administrative,physical,communications,orpersonnelresource. Assurance:Measureofconfidence. Attack:Anattempttobypasssecuritycontrols,disruptservicesand/orgainunauthorizedaccesstosystems,networksand/ordata. Audit:Anindependentreviewandexaminationofrecordsandactivitiestotestforadequacyofcontrols,measurecompliancewithestablishedpoliciesandoperationalprocedures,andrecommendchanges. Authentication:Theprocessofverifyingtheidentityofausertodeterminetheiraccessrights. Authorization:Theprocessofgrantingaccessafterproperidentificationandauthenticationhasoccurred. Availability:Theextenttowhichaninformationassetisavailableandaccessibleforauthorizeduse. Backup:Theprocessofproducingareservecopyofsoftwareorelectronicfilesasaprecautionincasetheprimarycopyisunavailable. BaselineSecurityConfiguration:TheminimumsetofsecuritycontrolsthatmustbeimplementedonallUniversityinformationsystemstoincludevendorprovidedsystemsandhostedsystems. BroadcastDomain:Abroadcastdomainisalogicalpartofanetwork(anetworksegment)inwhichanynetworkequipmentcantransmitdatadirectlytoanotherequipmentordevicewithoutgoingthrougharoutingdevice(assumingthedevicessharethesamesubnetandusethesamegateway).BusinessEssential:systemsdefinedassupportingessentialbusinessfunctionsintheBusinessImpactAnalysis(BIA).BusinessFunction:Acollectionofrelatedstructuralactivitiesthatproducesomethingofvaluetotheorganization,itsstakeholdersoritscustomers.BusinessImpactAnalysis(BIA):Theprocessofdeterminingthepotentialconsequencesofadisruptionordegradationofbusinessfunctions. 
Change Control: A management process to provide control and traceability for all changes made to a system.
Chief Information Officer of the University (CIO): The CIO oversees the operation of the Division of Information Technology (DoIT) and, under the direction and control of the University President, exercises the powers and performs the duties conferred or imposed and performs such other duties as may be required by the University President.
Commonwealth of Virginia: The government of the Commonwealth of Virginia, and its agencies and departments.
Computer Security Incident Response Team (CSIRT): A group within the University constituted to monitor and respond to information security threats.
Confidentiality: The extent to which information data must be protected against unauthorized disclosure.
Configuration Management: A process for authorizing and tracking all changes to an information system during its life cycle.
Continuity of Operations Plan (COOP): A set of documented plans developed to provide for the continuance of essential business functions during an emergency.
Continuity of Operations Planning: The process of developing plans and procedures to continue the performance of essential business functions in the event of a business interruption or threat of interruption.
Control: Any protective action, device, procedure, technique or other measure that reduces exposures. Types of controls include preventative, detective, corrective, etc.
Control Objectives for Information and related Technology (COBIT): A framework of best practices for IT management that provides managers, auditors, and IT users with a set of generally accepted measures, indicators, processes and best practices to assist them in maximizing the benefits derived through the use of information technology and developing appropriate IT governance and control.
Countermeasure: An action, device, procedure, technique, or other measure that reduces vulnerability or the impact of a threat to an information system.
Credential: Information used to establish access rights. An example is a password.
Cryptography: The process of transforming plaintext into ciphertext (encryption), and ciphertext into plaintext (decryption).
Data: An arrangement of numbers, characters, and/or images that represent concepts symbolically.
Database: A collection of logically related data (and a description of this data), designed to meet the information needs of an organization.
Data Breach: The unauthorized access and acquisition of un-redacted computerized data that compromises the security or confidentiality of personal information.
Data Classification: The process of categorizing data based on confidentiality, integrity and availability.
Data Custodian: An individual or organization in physical or logical possession of data for Data Owners. Data Custodians are responsible for protecting the data in their possession from unauthorized access, alteration, destruction, or usage and for providing and administering general controls, such as back-up and recovery systems.
Data Owner: A University Manager, designated by the Information Security Officer, who is responsible for the policy and practice decisions regarding data. Data Owners approve (or deny) access to University data.
Data Security: Practices, technologies, and/or services used to apply security appropriately to data.
Data Storage Media: A device used to store data. Examples of data storage media include fixed disks, CD-ROMs, and USB flash drives. See Media.
Decryption: Transforming ciphertext into human- or machine-readable text.
Digital Certificate: An electronic document attached to or associated with a file that certifies the file is from the organization it claims to be from and has not been modified.
Disaster Recovery Plan (DRP): A set of documented plans that identify the steps to restore essential business functions on a schedule that supports the University's mission requirements.
Electronic Information: Any information stored in a format that enables it to be read, processed, manipulated, or transmitted by an information system.
Encryption: Transforming human- or machine-readable text (often called plaintext) into ciphertext.
Essential Business Function: A business function is essential if disruption or degradation of the function prevents the University from performing its mission as described in the University's mission statement.
Evaluation: Procedures used in the analysis of security mechanisms to determine their effectiveness and to support or refute specific system weaknesses.
External IT System: An information system designed and intended for use by external parties and/or by the public.
Firewall: A traffic-controlling gateway that controls access, traffic, and services between two networks or network segments, one trusted and the other untrusted.
Full Tunneling: All network traffic goes through the tunnel to the organization. The University's VPN is an example of a full tunneling technology.
Function: A purpose, process, or role.
Fuzz Testing: A software testing technique that provides random data ("fuzz") to the inputs of a program. If the program fails (for example, by crashing, or by failing built-in code assertions), the defects can be noted and perhaps further exploited (by security researchers or crackers) to gain elevated access to IT systems, networks or data.
Group: A named collection of information system users, created for convenience when stating authorization policy.
Guest Account: A default set of permissions and privileges given to non-registered users of a system or service.
Harden: The process of implementing software, hardware, or physical security controls to mitigate risk associated with University infrastructure and/or sensitive information systems, networks and data.
Health Insurance Portability and Accountability Act (HIPAA): Enacted in 1996 to help protect health insurance coverage for workers and their families when employees change or lose their jobs. Provisions of HIPAA also address the security and privacy of health and patient data.
High Availability: A requirement that the information system is continuously available, has a low threshold for downtime, or both.
Highly Sensitive Data: University data which, because of its associated legal restrictions or potential security ramifications, is approved for use only on a very limited basis and only with special security precautions. A few examples of highly sensitive data are social security numbers, financial card numbers and passport information.
Identification: The process of associating a user with a unique user ID or login ID.
Information: Data organized in a manner to enable their interpretation.
Information Security Breach: The violation of an explicit or implied security policy that compromises the integrity, availability, or confidentiality of an information system, network or data.
Information Security Controls: The protection mechanisms prescribed to meet the security requirements specified for an IT system.
Information Security Incident: An adverse event or situation, whether intentional or accidental, that poses a threat to the integrity, availability, or confidentiality of an IT system.
Information Security Logging: Chronological recording of system activities sufficient to enable the reconstruction, review, and examination of the sequence of events and activities surrounding or leading to an operation, a procedure, or an event in a transaction from its inception to its final results.
Information Security Officer (ISO): The individual designated by the CIO to be responsible for the development, implementation, oversight, and maintenance of the University's information security program.
Information Security (IS) Policy: A statement of the information security objectives of an organization, and what employees, contractors, vendors, business partners, and third parties of the University must do to achieve these objectives.
Information Security Program: A collection of security processes, standards, rules, and procedures that represents the implementation of an organization's security policy.
Information Security Requirements: The types and levels of protection necessary to adequately secure a system, network or data.
Information Security Safeguards: See Information Security Controls.
Information Security Standards: Detailed statements of how employees, contractors, vendors, business partners, and third parties of the University must comply with its information security policy.
Information Technology: Telecommunications, automated data processing, databases, the Internet, management information systems, and related information, equipment, goods, and services.
Information Technology Contingency Planning: The component of Continuity of Operations Planning that prepares for continuity and/or recovery of the University's IT systems, networks and data that support its essential business functions in the event of a business interruption or threat of interruption.
Information Technology Infrastructure Library (ITIL): A framework of best practice processes designed to facilitate the delivery of high quality information technology services.
Information Technology Security: The protection afforded to IT systems, networks and data in order to preserve their availability, integrity, and confidentiality.
Information Technology Security Architecture: The logical and physical security infrastructure made up of products, functions, locations, resources, protocols, formats, operational sequences, administrative and technical security controls, etc., designed to provide the appropriate level of protection for IT systems, networks and data.
Information Technology Security Audit: The examination and assessment of the adequacy of IT system controls and compliance with established information security policy and procedures.
Information Technology Security Auditor: University Internal Auditors, the Auditor of Public Accounts, or a private firm that, in the judgment of the University, has the experience and expertise required to perform IT security audits.
Information Technology System: An interconnected set of IT resources under the same direct management control. See Application System and Support System.
Information Technology System Sensitivity: See Sensitivity.
Information Technology System Users: As used in this Standard, a term that includes University employees, contractors, vendors, third-party providers, and any other authorized users of IT systems, applications, telecommunication networks, data, and related resources.
Integrity: The extent to which information data or information systems must be protected from intentional or accidental unauthorized modification.
Internal IT System: An IT system designed and intended for use only by University employees, contractors, and business partners. See Information Technology System and External IT System.
Internal IT System User: A University employee who uses an IT system in any capacity to perform job duties.
Internal Network: An internal network is a private computer network used to securely share any part of the University's information or operational systems with its employees.
Internet: An external worldwide public data network using Internet protocols to which the University can establish connections.
Intranet: A trusted multi-function (data, voice, video, image, facsimile, etc.) private digital network using Internet protocols, which can be developed, operated and maintained for the conduct of University business, research, education, etc.
Intrusion Detection: A method of monitoring traffic on the network to detect break-ins or break-in attempts, either manually or via software systems.
Intrusion Detection Systems (IDS): Software that detects an attack on a network or computer system. A Network IDS (NIDS) is designed to support multiple hosts, whereas a Host IDS (HIDS) is set up to detect illegal actions within the host. Most IDS programs typically use signatures to signal an alert. Others look for deviations from the normal routine as indications of an attack and are sometimes called anomaly detection systems.
ISO/IEC: A series of IT security standards published by the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC), providing best practice recommendations on IT security management for use by those who are responsible for initiating, implementing or maintaining information security management systems.
IT Support Services: IT support services are a range of services providing assistance with technology products such as mobile phones, computers, or other electronic or mechanical goods. In general, technical support services attempt to help the user solve specific problems with a product rather than providing training, customization, or other support services.
Key: A sequence of data used in cryptography to encrypt or decrypt data. A password or passphrase is an example of a symmetric key. With symmetric keys, the exact same key encrypts and decrypts the data. With asymmetric keys, one key encrypts the data while a separate, different key decrypts it.
Least Privilege: The minimum level of data, functions, and capabilities necessary to perform a user's duties.
Logon ID: An identification code assigned to a particular user that identifies the user to the information system.
Malicious Code: Harmful code (such as viruses and worms) introduced into a program or file for the purpose of contaminating, stealing, damaging, or destroying information systems and/or data. Malicious code includes viruses, Trojan horses, trap doors, worms, spy-ware, and counterfeit computer instructions (executables).
Malicious Software: See Malicious Code.
Management Control: A set of mechanisms designed to manage and achieve desired objectives.
Media: Plural of medium.
Media Sanitization: A general term referring to the actions taken to render data written on media unrecoverable by both ordinary and extraordinary means.
Medium: Material on which data are or may be recorded, such as paper, punched cards, magnetic tape, magnetic disks, solid state devices, or optical discs.
Minimum System Configuration: See Baseline Security Configuration.
Mobile Devices: Any computing device that can be easily transported and that has the capability to process and transmit data, including but not limited to laptops, smartphones, tablets, and handheld PCs.
Mobile Storage Devices: Any transportable storage device that can be used to store data, including but not limited to portable hard drives and USB flash drives.
Monitoring: Listening, viewing, or recording digital transmissions, electromagnetic radiation, sound, and visual signals.
NIST: National Institute of Standards and Technology.
Non-Sensitive System: Systems not classified as sensitive. There is no concern whatsoever for system or data integrity, confidentiality or availability.
Off-site Storage: The process of storing vital records in a facility that is physically remote from the primary site. To qualify as off-site, the facility should be geographically separate and distinct from the primary site and offer environmental and physical access protection.
Operational Controls: Information security measures implemented through processes and procedures.
Password: A unique string of characters that, in conjunction with a logon ID, authenticates a user's identity.
Penetration Testing: A penetration test is a method of evaluating the security of a computer system or network.
Personal Digital Assistant (PDA): A digital device which can include the functionality of a computer, a cellular telephone, a music player and a camera. Also called a smartphone.
Personal Identification Number (PIN): A short sequence of digits used as a password.
Personal Information (PI): All information that describes, locates or indexes anything about an individual including his real or personal property holdings derived from tax returns, and his education, financial transactions, medical history, ancestry, religion, political ideology, criminal or employment record, or that affords a basis for inferring personal characteristics, such as finger and voice prints, photographs, or things done by or to such individual; and the record of his presence, registration, or membership in an organization or activity, or admission to an institution. "Personal information" shall not include routine information maintained for the purpose of internal office administration whose use could not be such as to affect adversely any data subject, nor does the term include real estate assessment information. Code of Virginia 2.2-3801.
Personnel: All University employees, contractors, and subcontractors, both permanent and temporary.
Phishing: A form of criminal activity characterized by attempts to acquire sensitive information fraudulently, such as passwords and credit card details, by masquerading as a trustworthy person or business in an apparently official electronic communication.
Privacy: The rights and desires of an individual to limit the disclosure of individual information to others.
Privacy Officer: The privacy officer, if required by statute (such as HIPAA), provides guidance on the requirements of state and federal privacy laws; disclosure of and access to sensitive data; and security and protection requirements in conjunction with the information system when there is some overlap among sensitivity, disclosure, privacy, and security issues.
Protected Data: University data individually requested and approved by a Data Owner for a specific business use, which is subject to the general provisions associated with University information security policy and may be subject to state and/or federal law. One example of protected data would be FERPA-protected data.
Public Data: University data which can be shared without restriction with the general public (e.g. university course listings, publicity and news articles, directory listings, etc.).
Public Web Site: A public web site is the most visible and readily accessible kind of site to the average Web user: a site on the Web that is accessible by anyone with a Web browser and access to the Internet.
Recovery: Activities beyond the initial crisis period of an emergency or disaster that are designed to return information systems and/or data to normal operating status.
Recovery Point Objective (RPO): The measurement of the point in time to which data must be restored in order to resume processing transactions. Directly related to the amount of data that can be lost between the point of recovery and the time of the last data backup.
Recovery Time Objective (RTO): The period of time in which systems, applications or functions must be recovered after an outage.
Residual Risk: The portion of risk that remains after security measures have been applied.
Restoration: Activities designed to return damaged facilities, equipment, systems and networks to an operational status.
Risk: The potential that an event may cause a material negative impact to an asset.
Risk Analysis: A systematic process to identify and quantify risks to information systems, networks and data and to determine the probability of the occurrence of those risks.
Risk Management: Identification and implementation of information security controls in order to reduce risks to an acceptable level.
Risk Assessment (RA): The process of identifying and evaluating risks so as to assess their potential impact.
Risk Mitigation: The continuous process of minimizing risk by applying security measures commensurate with sensitivity and risk.
Role Based Training: Specific annual training that addresses the roles and responsibilities of System Owners, Data Owners, Data Custodians and System Administrators. This training is in addition to annual IT Security Awareness training.
Roles and Responsibility: Roles represent a distinct set of operations and responsibilities required to perform some particular function that an individual may be assigned. Roles may differ from the individual's business title. This Standard contains the roles and responsibilities associated with implementing information security.
Secure: A state that provides adequate protection of information systems, networks and data against compromise, commensurate with sensitivity and risk.
Separation of Duties: Assignment of responsibilities such that no one individual or function has control of an entire process. It is a technique for maintaining and monitoring accountability and responsibility for information systems, networks and data.
Sensitive System: A system is sensitive based on confidentiality, integrity or availability. Also see Sensitivity.
Sensitive Data: At Radford University, the phrase "sensitive data" has the exact same definition as highly sensitive data. Because of their identical definition, these phrases may be used interchangeably. While the phrase "sensitive data" is more commonly used in speech and text, the phrase "highly sensitive data" is the official University classification for such data.
Sensitivity: A measure of the adverse effect on University interests, the conduct of University programs, and/or the privacy to which individuals are entitled that compromised information systems, networks and data with respect to confidentiality, integrity, and/or availability could cause. Information systems, networks and data are sensitive in direct proportion to the materiality of the adverse effect caused by their compromise.
Sensitivity Classification: The process of determining whether and to what degree information systems, networks and data are sensitive.
Shared Accounts: A logon ID or account utilized by more than one entity. An example of a shared account would be a University club account.
Source Code Auditing: A software (source) code audit is a comprehensive analysis of source code in a programming project with the intent of discovering bugs, security breaches or violations of programming conventions. It is an integral part of the defensive programming paradigm, which attempts to reduce errors before the software is released.
Split Tunneling: Routing organization-specific traffic through the VPN tunnel while other traffic uses the remote user's default gateway.
Spy-ware: A category of malicious software designed to intercept or take partial control of a computer's operation without the informed consent of that machine's owner or legitimate user. While the term taken literally suggests software that surreptitiously monitors the user, it has come to refer more broadly to software that subverts the computer's operation for the benefit of a third party.
State: Commonwealth of Virginia.
Support System: An interconnected set of IT resources under the same direct management control that shares common functionality and provides services to other systems. See also Application System and Information Technology System.
System: See Information Technology System.
System Administrator: An analyst, engineer, or consultant who implements, manages, and/or operates a system at the direction of the System Owner, Data Owner, and/or Data Custodian.
System Classification: The process of categorizing systems based on confidentiality, integrity and availability.
System Owner: The University Manager who is responsible for the operation, documentation and maintenance of a University IT system. An IT System may have only one System Owner.
Technical Controls: Information security measures implemented through technical software or hardware.
Temporary Files: Files that are created as an application executes but, upon application termination, are no longer required for processing; nor are they part of the final representation of data.
The University: Radford University.
Third-Party Provider: A company or individual that supplies IT equipment, systems, networks or services to the University.
Threat: Any circumstance or event (human, physical, or environmental) with the potential to cause harm to an information system in the form of destruction, disclosure, adverse modification of data, and/or denial of service by exploiting a vulnerability.
Token: A small tangible object that contains a built-in microprocessor utilized to store and process information for authentication.
Trojan Horse: A malicious program that is disguised as or embedded within legitimate software.
Trusted System or Network: An IT system or network that is recognized automatically as reliable, truthful, and accurate, without continual validation or testing.
Unique Password: Passwords used must be separate and different from passwords used for any other university or commercial account.
Universal Serial Bus (USB): A standard for connecting devices to computers.
University: Radford University.
University President: The chief executive officer of the University.
USB Flash Drive: A small, lightweight, removable and rewritable data storage device.
User ID: A unique symbol or character string that is used by an IT system to identify a specific user. See Logon ID.
Version Control: The management of changes to documents, programs, and other data stored as computer files.
Virginia Department of Emergency Management (VDEM): A Commonwealth of Virginia department that protects the lives and property of Virginia's citizens from emergencies and disasters by coordinating the state's emergency preparedness, mitigation, response, and recovery efforts.
Virus: See Malicious Code.
Vital Record: A document, regardless of media, which, if damaged or destroyed, would disrupt business operations.
Vulnerability: A condition or weakness in security procedures, technical controls, or operational processes that exposes the system to loss or harm.
Zero-Day (Zero-Hour) Attack or Threat: A computer threat that attempts to exploit computer application vulnerabilities which are unknown to others, undisclosed to the software vendor, or for which no security fix is available.
12 ACRONYMS
BIA: Business Impact Analysis
CIO: Chief Information Officer
COOP: Continuity of Operations Plan
DoIT: Division of Information Technology
DRP: Disaster Recovery Plan
FTP: File Transfer Protocol
HIPAA: Health Insurance Portability and Accountability Act
IDS: Intrusion Detection Systems
ISO: Information Security Officer
ISO/IEC: International Organization for Standardization / International Electrotechnical Commission
ITRM: Information Technology Resource Management
NIST: National Institute of Standards and Technology
PCI: Payment Card Industry
PDA: Personal Digital Assistant
PI: Personal Information
PIN: Personal Identification Number
RA: Risk Assessment
RPO: Recovery Point Objective
RTO: Recovery Time Objective
SDLC: Systems Development Life Cycle Solutions Directorate
SSID: Service Set Identifier
SSP: System Security Plan
VDEM: Virginia Department of Emergency Management