For questions or comments please contact the Network Security Coordinator, Chris Vakhordjian, at chrisv@mail.ucf.edu
The purpose of this policy is to establish guidelines, procedures, and requirements to ensure the appropriate protection of UCF’s information systems. In doing so, this policy addresses the need for privacy of personal and university information. The university has in its possession confidential information that must be protected. This policy also addresses the need for integrity of the university’s data.
This policy applies to all students, faculty, staff, consultants, temporaries, and others not mentioned who access UCF’s computer network. This policy also applies to all computer and data communication systems owned by and/or administered by UCF.
Responsibilities
Responsibilities of Every User
All users of the University computer systems and network resources have the responsibility to ensure the overall security of university systems, and to behave in a manner consistent with this security policy. Each user is responsible for understanding and complying with the acceptable use policy (ITR) and the Network Security Policy (NSP-this policy) of the University:
For the acceptable use policy please refer to Use of Information Technology and Resources Policy
For additional acceptable use policies please refer to the Golden Rule/Computer Use Policy section
For more clearly defined descriptions of administrative officers with primary information resource security responsibilities please refer to the Security Responsibilities section of the ADICS Guideline.
Responsibilities of the Network Security Team (NST)
The Network Security Team (NST) has the same user responsibilities plus the additional responsibilities and privileges below due to their position:
NST is expected to assess the security of university servers, workstations, network resources, and data, and define and promote best practices regarding security of data and systems
NST is expected to conduct vulnerability scans on a regular basis to ensure the security of university systems, network and data, and if necessary to prescribe a course of action to mitigate any vulnerabilities
NST is expected to establish campus standards for security, and review relevant policies and procedures in the context of these standards
NST is expected to investigate, evaluate and implement security related technologies, such as authentication/authorization mechanisms, encryption, certificate services, antiviral software, network monitors, and firewalls
NST is expected to assist in resolution of serious security compromises, which may include coordination with the campus law-enforcement agencies, and provide assistance for recovery and security
NST is expected to work in conjunction with departments on campus to establish campus-wide standards for security and access control
Responsibilities of System Administrators
System Administrators have the same user responsibilities plus the additional responsibilities and privileges below due to their administrative positions:
System Administrators are expected to act as local information systems security coordinators
System Administrators are expected to establish appropriate user privileges, monitor access control logs, and perform similar security actions for the systems they administer
System Administrators are expected to be registered with NOC, and be adequately trained to provide network services for their network operating environment
Backup System Administrators are expected to be identified and registered with NOC
System Administrators are expected to prepare and maintain security procedures that implement the Network Security Policy in their local environment
System Administrators are expected to prepare and maintain access control, backup and disaster recovery plans in the event of a disaster
System Administrators are expected to take reasonable precautions to safeguard against corruption, compromise or destruction of data, computer systems, and network resources
System Administrators are expected to ensure that user information is treated as private. It is recognized that a system administrator may potentially have contact with user files, email, etc. in the course of his or her duties. The contents of such files must be kept private. Access to system user files is authorized only in the event of a security investigation
System Administrators are expected to take reasonable and appropriate steps to see that all hardware and software license agreements are faithfully executed on all systems, networks, and servers
System Administrators are expected to subscribe to appropriate vulnerability lists, based on the network operating system and services they support
System Administrators are expected to subscribe (or retain their subscription) to the ITRSEC mailing list
System Administrators are expected to participate in security training and other activities provided by NST
System Administrators are expected to participate in college- or school-initiated projects (committees) that may impact Information Technology
Responsibilities of the Network Security Committee (NSC)
The Network Security Committee is composed of representatives from various colleges and departments who conduct long-term and ongoing security planning and evaluate the effectiveness of the security efforts.
NSC is expected to represent university-wide interest in security matters
NSC is expected to be responsible for endorsing security-related actions proposed by the NST or the Network Operations Center (NOC) to the university community
NSC is expected to be a means for University departments to inform the NST of their security needs, and provide feedback on the performance of the NST
NSC is expected to be responsible for long-term planning for technical issues in the computer security area
NSC is expected to be active in providing input for security-related policies, in setting standards and directions for security-related training, and in communicating with the University community on important security issues
NSC is not expected to be responsible for enforcing policies and procedures
Responsibilities of the Departmental Managers
Departmental Managers are responsible for ensuring that appropriate computer and communication system security measures are observed in their areas. Besides allocating sufficient resources and staff time to meet the requirements of these policies, Departmental Managers are also responsible for making sure that all users are aware of UCF’s policies related to computer and communication system security.
Departmental Managers are expected to allocate sufficient resources in the form of funds, and if necessary additional staff, for projects and for supporting the ever increasing number of systems to maintain
Departmental Managers are expected to inform all new students, staff, and faculty of the Network Security Policy and Information Resource Policy of the University
Departmental Managers are expected to provide and require information security training for all their information technology staff members
Departmental Managers are expected to notify all students, staff and faculty of changes in the Network Security Policy
General Administration
Each user must be made aware of Network Security Policy and Information Resource Policy of the University
Individuals aware of any breach of information system or network security, or compromise of computer security safeguards, must report such situations to the systems administrator or the departmental representative responsible for security in that area. The administrator must determine if a security breach has occurred, and if so, must report the incident to the Network Security Team (NST)
System Administrators must acquire prior approval, in the form of a work order request, from NOC before making configuration changes or installing network devices, such as switches. This process prevents unexpected changes from inadvertently leading to denial of service, unauthorized disclosure of information, and other problems.
Each college, school or department should provide information services for their faculty, staff, and students, thus eliminating the need for them to set up their own services
Faculty, staff or students must NOT establish their own personal web servers, FTP servers, news servers, electronic bulletin boards, local area networks, modem connections to existing local area networks, or other multi-user systems for communicating information without the specific approval of their local area network administrator or NOC, in the event that there is no local area administrator.
Enterprise services, such as Dynamic Host Configuration Protocol (DHCP), Domain Name Service (DNS), E-mail, routing, WINS services, firewalls, E-mail relay services, and directory services should be run in cooperation with NOC, NST and ACS
Security protocols, such as SSH and SSL, must be used whenever possible
Port scanning outside of UCF’s LAN is prohibited
Port scanning within UCF’s LAN is prohibited without the explicit permission of NOC
Packet sniffing is strictly prohibited
Physical Security
Computing equipment must be placed in an environmentally controlled location (e.g., temperature control, humidity, exposure to water, etc.)
Computing resources and equipment must be stored in secure locations (server room, wiring closets, etc.) with restricted access
Printers or faxes used for sensitive data must be stored in a secure location
Magnetic media such as hard drives, diskettes, or tapes, must be erased before disposal
A shredder must be used for the disposal of sensitive documents
UPS is required for networking devices and servers
Where appropriate, security access and authorization documentation must be retained for a minimum of three (3) years
IT Administrators must have access to information technology to maintain systems in the event of a compromise or potential security issues
Mission critical data, or a copy of it, should not be stored on a laptop or a handheld device
System Security
Only authorized personnel must install applications on a server or workstation
Administrative access to systems will be determined by the local systems administrator
System configuration must be done off line. The system must not be connected to the network until it is at an appropriate level of security (see Computer Security Standards and Security Tips for IT for more guidance.)
Whenever system security has been compromised, or even if there is a convincing reason to believe that it has been compromised, the involved System Administrator must immediately: (a) reassign all relevant passwords, and (b) force every password on the involved system to be changed at the time of the next log-in. If systems software does not provide the latter capability, a broadcast message must be sent to all users telling them to change their passwords
Operating systems and applications must be kept current. Where appropriate, all the latest operating and application patches must be applied
Applications must be configured with security in mind
Security, Account, and System level logging must be turned on when a server is set up
All unneeded services (e.g., SMTP, Telnet, etc.) must be turned off for network devices, such as printers and computers
The use of a fault-tolerant system, such as disk mirroring, server duplexing, or RAID, is recommended. It is required for servers that store mission or business critical data
Major applications must be installed on separate servers, e.g., mail on its own server, Web files on a separate server
Maintenance and Service agreements with vendors must be kept
User Account Security
Each user must have a unique user ID. System administrators must be able to uniquely identify all users, including name, user ID, association, phone number and location. The “Administrator”, or “Backup Operator” accounts, for example, are an exception to this rule
The “Administrator” passwords to mission critical systems must be recorded and saved in a secure location for future reference
Each user’s profile must not be readable, writeable or executable by other users. Access to shared resources should be granted only as needed
Accounts created for vendors to provide services must only be active during the time the service is carried out
Accounts must be re-certified annually to ensure that only valid accounts remain active
All user accounts, where possible, must automatically have the associated privileges revoked after a certain period of inactivity. The recommended period is thirty (30) days
Temporary accounts must have expiration dates
If possible, failed login attempts must be terminated and account locked after three to five unsuccessful tries
Where possible, concurrent logins must be limited to one
Additional guidelines regarding Access and Acceptable Use Policy may be found in the ADICS Guidelines
Terminations and Transfers
Management must promptly report all significant changes in worker duties or employment status to the System Administrators responsible for user accounts
Computer access of terminated employees must be deactivated immediately upon notification from the employee’s management
Any files in the terminated or transferred user’s home directory should be reviewed
The user IDs of terminated or transferred employees must not be used by other personnel
Password Administration
All accounts must have assigned passwords
Administrators and support staff must never request users to reveal their passwords. If an administrator must sign on to a user’s account, the password should be reset to give access to the administrator for support services. The user must be required to change their password after the support service is completed by the administrator
Network administrators and other support staff are prohibited from disclosing users’ ID and passwords to anyone
Users must be forced to change passwords after initial login to a server
Password history, where possible, must be activated and the last six to ten passwords kept
Passwords must not be stored in readable form in batch files, automatic log-in scripts, software macros, terminal function keys, or in other locations where unauthorized persons might discover them
Passwords must not be written down and left in a place where unauthorized persons might discover them
All passwords must be immediately changed if they are suspected of being disclosed, or known to have been disclosed to anyone besides the authorized user
All vendor-supplied default passwords must be changed before any computer or communications system is used
Password files must be encrypted
Additional password standards in ITR must be adhered to
Additional guidelines regarding Access Control are found in the ADICS Guidelines
Communications
Encryption should be used when a high degree of confidentiality is required for email communication
Communication software and dialing in through modems attached to a workstation must not be used. UCF provides modem pools and a VPN appliance to connect to UCF’s Intranet
Wireless Devices
Wired Equivalent Privacy (WEP) will not be mandatory on access points
Only non-sensitive applications must be hosted on wireless subnets
No systems on Wireless subnets should store or transmit data of a sensitive nature such as credit card numbers, private student information, legal or attorney privileged data
All users of Wireless subnets must acknowledge these policies and agree to abide by them before access is granted to Wireless subnets
All wireless access points will be administered by Computer Services, Network Operations
Computer Services must approve any exceptions to the above
Computer Viruses
To assure continued uninterrupted service for both computers and networks, all desktop systems and servers must have Antivirus software installed and kept current (Unix systems are excluded at this time.)
Diskettes should be scanned before using them on desktops and servers
Backups
System Administrators, or backup administrators, must make sure that backups are completed, monitored and tested for effectiveness. Systems should be restorable within a short period of time after a failure due to loss of data or compromise
Backups should be stored in a secure environment not in the same room as the system
Backups must be periodically stored in a secure environment offsite
The number of sets and frequency of backups of a system should be based on the risk analysis of the system, application, or data being backed up
Backup and restore procedures must be documented
Backup media must be tested periodically to determine its effectiveness
Additional guidelines regarding backup procedures are found in the ADICS Guidelines
Disaster Recovery
Each college, school or department should have a Business Analysis/Risk Assessment plan
For characterizing risk analysis and sensitivity of data, please refer to the following document: Risk, Sensitivity, and Criticality
Each college, school or department should have a business resumption plan
Inventory of hardware, software, service agreements, vendor contacts, personnel information and responsibilities must be maintained
Business resumption plan should be reviewed regularly
For disaster recovery and emergency procedures please refer to the following document: Disaster Recovery and Emergency Procedures
ACS: Academic Computing Services – UCF Computer Services
BNA: Backup Network Administrator
Cisco ACS: The Cisco Secure ACS product line consists of access control servers used to determine who may access the network and what services they are authorized to use
DCE: Distributed Computing Environment. This network security architecture incorporates a version of Kerberos, as well as other facilities such as a directory service
DEN: Directory-Enabled Networks, an initiative formed by Microsoft and Cisco to define a directory schema foundation for common network objects as well as for the use of LDAP as a query protocol
Encryption: A process involving data coding to achieve confidentiality, anonymity, time stamping, and other security objectives
Kerberos: Technology, developed at MIT, which uses encryption to avoid transmitting passwords in clear text over the network
LAN: Local Area Network
Mission Critical Data: Data which is vital for an organization to function harmoniously. The unavailability of such data would prevent an organization from functioning
NA: Network Administrator
Net-Sonar: Vulnerability scanner that essentially acts like an intruder, probing the target network for security holes. Unlike an intruder tool, however, Net-Sonar alerts the user to a particular security hole and does not actually take advantage of the hole
NOC: Network Operations Center – Responsible for the daily operation of the interconnected networking devices
NSC: Network Security Committee – comprised of members from the UCF community. Deals with assisting, enforcing, propagandizing, etc. of the security policy
NST: Network Security Team – Responsible for the security of the network
One-Time Passwords (OTP): A system in which a user is provided a new password at regular intervals, usually every sixty seconds. This is one approach to blocking password sniffers: the same password is never used twice
PGP: Pretty Good Privacy. A public key/private key encryption scheme used to digitally sign messages, encrypt files, or both
Server: Any computer that provides services to any other computer over a network e.g., Microsoft Internet Information Server, Apache HTTP Server, telnet and ftp server, Norton PC Anywhere, Virtual Network Computing (VNC), Napster, Audio Galaxy Satellite, etc.
SSH: The Secure Shell, being used to protect Unix systems and users. It creates an encrypted channel so the data is not visible as clear text. SSH can use certificates as well
SSL: Provides a "secure" (i.e., encrypted) connection between a web browser and a web server so that the data cannot be sniffed
I wish to acknowledge the contributions of the following staff members for their assistance in the creation of this document:
Robert Scott, Tim Christopher, Jim Ennis, David Collantes, Matthew Hathaway, Chris Rank, Tony Travaglini, Greg McCoy, Aaron Steimish
Effective Date: DD/MM/YY
Date of Last Revision: 09/30/2009