Information Technology Security Procedures


Introduction

This document describes procedures for implementing the University of Florida Information Technology Security Policy.  These procedures apply to all people who maintain or manage university IT resources, their supervisors, and their unit administrators.  They apply to all locations of those resources, whether on campus or at remote locations.  These procedures are intended to help protect data confidentiality, integrity, availability, accountability, and assurance.  Additional procedures may govern specific data, computers, computer systems or networks provided or operated by individual UF units and subsidiary units of the university.


Definitions

UF Unit: College, Department, Research Center, Institute or other administrative subdivision connected to the University of Florida network.

Subsidiary Unit: A major unit which has a distinct and divergent mission statement from that of UF, and which in some cases may also be a separate legal entity, such as Shands.

UF IT resource: Any equipment that has the primary purpose to store, process, display or transport digital information in support of the UF mission is a UF IT resource.  The associated data, applications and hardware are also IT resources.

Information Technology (IT) staff: An individual hired by a unit to manage or maintain IT resources in that unit.  IT duties must be specified in the job description.

Compromised host: A system to which an intruder has gained access in excess of that intended to be available.

Filter: A control used to block access to an IT resource, which may or may not be limited to a specific port.

Unit IT Security Managers (Unit ISM)

The Unit ISM may choose to coordinate with their unit administration to determine if smaller units within their unit should have their own ISMs.  Unit ISM duties do not need to be a full-time responsibility and may be assigned to an existing IT position.  The Unit ISM must coordinate with their unit administration to ensure that all networks in their unit have adequate professional coverage, including vacation backups.  The Unit ISM must maintain contact information for their unit IT staff and appropriate backups.  The Unit ISM must ensure that all people who manage IT resources in their unit attend IT Orientation.  The Unit ISM must coordinate within their unit various IT security responsibilities, including but not limited to monitoring, documenting, reporting, and correcting the cause of security breaches, establishing minimum security standards for the installation and configuration of IT resources, maintaining the operating system, reviewing account termination, and other security functions. 

The Unit ISM must be a permanent employee with more than 50% IT related job responsibility.  They must have a high school diploma and at least 4 years of professional IT related job experience.  IT related vocational training or college course work may substitute for experience.  The Unit ISM must not be a student.  A police background check is recommended for all people who maintain or manage IT resources, but must be conducted before an individual is assigned Unit ISM duties.  The Unit ISM should pursue IT security related continuing education such as Information Technology Security Awareness Day.
 

Vendor Managed Hosts

Vendors are encouraged to use private IP addresses and should access their hosts through a UF managed secure tunnel provided by Network Services or the unit.  Network Services will provide access control lists to restrict access to vendor managed hosts, but access control lists should also be applied on the vendor host itself and on the local network.  Secure encrypted authentication and communication, such as SSH, is encouraged; avoid using clear text protocols such as FTP or Telnet on vendor managed hosts.

Establishing Unit Policies and Procedures

Based on the importance of their data resources and the value of their physical assets, unit policies and procedures will address physical security, authentication and authorization standards, coordination of establishing internet connections, training and security awareness for administrators and users, and any other issues deemed important to protect data and IT resources from internal and external threats.

Physical Security

Physical access to servers and network equipment should be limited to authorized individuals.  Network cables should be organized, labeled, and protected from interference.  Network documentation must be maintained to identify network jack location.  Reasonable methods should be used to physically secure ports.  These include but are not limited to locking offices and disabling inactive switch ports.  See the following documents for more information:

University of Florida Handbook on Business Policies and Procedures
UF Telecommunications Construction Standards
Network Services labeling documentation
Physical Plant Division Keyshop

Authentication, Authorization and Auditability

The Unit ISM should have access to records of the hardware address, the host address, and the primary user for every IT resource in their unit. 

If a device is public or accessed by multiple users, authentication and logging must be employed to identify users.  There must be documented proof the time stamps in the logs are synchronized with UTC. 

If dynamic host configuration protocol (DHCP), BOOTP, or another method is used to assign host addresses, the user must be identified before they are granted access to data or the network, or the workstation must be identified based on its hardware address. 
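The two requirements above (UTC-synchronized log time stamps, and a record tying host addresses to hardware addresses and primary users) exist so that an event in a log can be traced back to a workstation and a person even when DHCP reassigns addresses.  The following is an added illustration of that attribution step, not part of the UF procedures; the lease history, inventory record, log line format and function names are all constructed for the example.

```python
"""Attribute a logged host address to a hardware address and primary user.

Added example for the auditability procedure above; it is not part of the
UF procedures document. The lease history and inventory are constructed
sample data standing in for a unit's DHCP server logs and ISM records."""
from datetime import datetime, timezone

TS = "%Y-%m-%dT%H:%M:%SZ"  # every timestamp must carry an explicit UTC marker

# Constructed DHCP lease history: (host address, hardware address, start, end)
LEASES = [
    ("10.20.30.15", "00:11:22:33:44:55", "2003-10-20T08:00:00Z", "2003-10-20T16:00:00Z"),
    ("10.20.30.15", "00:aa:bb:cc:dd:ee", "2003-10-20T16:05:00Z", "2003-10-21T00:05:00Z"),
]
# Hypothetical unit ISM record: hardware address -> primary user
INVENTORY = {"00:11:22:33:44:55": "jdoe", "00:aa:bb:cc:dd:ee": "asmith"}


def parse_utc(stamp):
    """Parse a timestamp, refusing any that is not explicitly UTC.

    A log kept in local time would be compared against UTC leases and
    silently pin the event on whoever held the address hours earlier."""
    if not stamp.endswith("Z"):
        raise ValueError("timestamp lacks UTC marker: " + stamp)
    return datetime.strptime(stamp, TS).replace(tzinfo=timezone.utc)


def attribute(ip, event_stamp):
    """Return (hardware address, primary user) for the lease that held `ip`
    at `event_stamp`, or None if no lease covered that instant."""
    when = parse_utc(event_stamp)
    for lease_ip, mac, start, end in LEASES:
        if lease_ip == ip and parse_utc(start) <= when < parse_utc(end):
            return mac, INVENTORY.get(mac, "UNREGISTERED")
    return None


def attribute_log_line(line):
    """Attribute one constructed firewall-style log line of the form
    '<UTC stamp> src=<ip> ...'."""
    stamp, rest = line.split(" ", 1)
    fields = dict(f.split("=", 1) for f in rest.split() if "=" in f)
    return attribute(fields["src"], stamp)


if __name__ == "__main__":
    print(attribute_log_line("2003-10-20T17:30:00Z src=10.20.30.15 dst=10.0.0.1 proto=tcp dport=23"))
```

A lookup that falls between two leases, or onto a hardware address absent from the inventory, is exactly the gap the procedure's record-keeping requirement is meant to close.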

Host and Network Security

Host based firewalls are encouraged.  Network Services offers various services to improve IT security, including VPNs and port, address and protocol filters.

Training and Security Awareness

IT staff of UF and applicable subsidiary units are required to attend orientation to inform them of available resources and their responsibility to comply with University policies.  Subsidiary units must supply their IT staff with orientation materials agreed upon by the UF ISM and the Unit ISM.  IT staff are encouraged to attend Information Technology Security Awareness Day and other security training offered on site at UF.

Filter Notification

Unit ISMs will be notified prior to or concurrent with the application of a filter.  Notification attempts will be made to Unit ISMs and/or network managers, or their designees, directly by phone, beeper, or email, in that order.  Alternatively, notification may be made by way of net-managers-l@lists.ufl.edu when multiple hosts from varied networks are affected.  An effort will be made to avoid disruption of service in cases not involving outgoing attacks.

Critical IT Resources

A critical IT resource is vital to the function of the unit.  It might store sensitive data, confidential data, or data protected by law.  Critical IT resources may need special consideration with respect to risk assessment, filtering, and notification.  Unit ISMs can submit a written request to register critical IT resources with the UF ISM.  All submissions for classification as a critical IT resource will be reviewed by the IT Security Committee and considered for approval by the UF ISM.  Registered critical IT resources must have IT personnel resources available 24 hours per day, 7 days per week. An incident response plan must be filed with the UF ISM describing risk assessment, filtering, and notification procedures.  Systems classified as critical IT resources must have a documented disaster recovery plan on file within the unit.

Risk Assessment

Risk analysis may include port scans, vulnerability scans, policy compliance, best practices compliance, network management surveys, on site audits and other procedures as needed to thoroughly assess risk.  Unit ISMs and/or network managers will be notified of scans of their network.  Effort will be made to notify them prior to the scan as circumstances allow.  It is a violation of this policy to knowingly and intentionally subvert risk assessment.  Based on the risk analysis results, Unit ISMs must ensure that measures are taken to address security weaknesses.  The UF ISM may apply preemptive filters to block vulnerable hosts identified through risk assessment.  Filter notification will follow the procedures outlined in the Filter Notification section above. 

All UF and subsidiary units are encouraged to conduct their own risk assessments, but to avoid being misinterpreted as an attack, prior notification of all probes must be sent to net-services@ufl.edu.
 

Incident Response

The UF ISM may coordinate with Network Services to apply filters to block compromised services and/or hosts that present a definitive danger to the rest of the network.  Filter notification will follow the procedures outlined in the Filter Notification section above.  Incidents must be resolved to the satisfaction of the UF ISM before compromised hosts are reconnected to the network or filters are lifted.  In some cases, the UF ISM may request privileged access to ensure the host is safe to resume network connectivity.

Incidents involving Law Enforcement

Network hardware, software or data may be considered evidence.  Care must be taken to preserve evidence.  Follow instructions from law enforcement to preserve evidence.  A public records request, subpoena, search warrant or other official request must be issued before data is released to law enforcement.  The unit administrator and UF General Counsel should be notified of incidents involving law enforcement. 

Incidents not involving Law Enforcement

Compromised hosts should be backed up.  They must be assessed completely and, when appropriate, removed from the network immediately.  When necessary, compromised hosts must be reformatted, rebuilt and patched before reconnecting them to the network.  At the discretion of the UF ISM, in consultation with the Unit ISM, compromised hosts may be cleaned and patched expeditiously.

Virus Protection

A number of strategies and technologies can be used to protect against computer viruses and worms. As some of these technologies rely on characteristics of known viruses, it is the responsibility of the designated IT staff to ensure up-to-date protection. Virus protection should encompass a comprehensive approach including file and print servers; email, web, and news servers; and workstations.

Last updated October 24, 2003
