Security Safeguard for IT Resources
Washington and Lee University's commitment to information technology (IT) security can be seen through its Information Security Program (ISP), its Confidentiality Policy and the Office of Information Technology Services (ITS) Computing Resources, Network and Email Use Policy.
This list of safeguards has been assembled from various sources of "best practices" to help you meet the requirements of these policies. It is not a comprehensive list of all possible safeguards, so please note that you may have additional safeguard obligations. If you have any questions, please contact the ISO by submitting a Web Desk Help Request (Request type=ITS-Security).
Available Safeguards for Systems, Accounts, and Passwords:
- Keep all operating system, server, and application software up-to-date. Make sure vendors are doing the doing the same for on-site hosted systems, appliances, and applications.
- Implement a patch management process to ensure that all security/critical updates are installed within one week after their release (same for vendor solutions).
- Run anti-virus and anti-malware software with daily updates and active protection enabled.
- Each user of a system should have their own unique login account, and all accounts should have strong passwords at least equivalent to the strength required for W&L's Active Directory (AD) accounts.
- Never share your password.
- All vendor-supplied default passwords should be changed.
- Implement a password expiration procedure appropriate for the systems or data being protected.
- Implement a password-protected screen saver, or other console-locking mechanism, that is triggered after 15 minutes of inactivity, or less if there is a greater risk.
- Configure user privileges to be as low as possible while still meeting business needs. Consistent or regular use of the "Administrator" or "root" account is strongly discouraged.
- All shares should be password protected (i.e., no open shares).
- Employ a local firewall (Windows Firewall, Mac OS X firewall, etc.) and or other filtering mechanism, with a default-deny policy that prohibits unnecessary inbound connections and strictly limits access to the systems with confidential data.
- Regularly review firewall to ensure continued applicability.
- Implement an Intrusion Detection System (IDS) or Intrusion Prevention System (IPS).
- Follow the hardening guidelines for the operating system and any applications or services consistent with industry standards and the vendor(s) for the specifics involved.
- Disable or turn off any services or application features that are not needed for the system to fulfill its function. Maintain a list of the necessary services, and review on regular intervals.
- Conduct regular risk assessments and develop risk management plans. See the ISP requirements and contact the CISO for suggestions and assistance Web Desk Help Request (Request type=ITS-Security>Assessment).
- Conduct regular OS and application vulnerability scans. Contact the CISO for suggestions and assistance Web Desk Help Request (Request type=ITS-Security>Assessment).
- Maintain an appropriate level of logging for operating systems and applications, and ensure a retention schedule consistent with any policies, regulations or best practices.
- Regularly review logs for indications of malicious activity, and investigate accordingly.
- Request an initial security assessment when bringing up a server/service by submitting a Web Help Desk Request Request type=ITS-Security>Assessment and include the system name, system OS, server role (file server, web server, database, etc.), main application(s), and functions.
- Employ regular back-ups and store them in a secure manner. If possible, back-ups should be encrypted, and stored at a safe off-site location. Regularly test restore/recovery procedures.
- Regularly review systems and applications looking for unauthorized or unnecessary Confidential Data, at least semi-annually.
- Regularly review accounts and personnel who have access to systems, especially those systems with Confidential Data.
- Regularly perform reviews of file and system privileges.
- Develop and follow account provisioning procedures for new hires and terminations.
Safeguards for Email:
- Be wary, as always, of any e-mails with attachments, especially those you are not expecting. This includes e-mails from people you know, since many viruses can "spoof" the sender's e-mail address.
- Be particularly suspicious of e-mail attachments with file extensions such as ".exe" and ".scr"
- When you receive an e-mail attachment you are not expecting, delete it without opening the attachment.
- Report spam, phish, etc. by forward to email@example.com
Safeguards for Storing Confidential Data:
- Never store un-encrypted confidential data information on laptops, or other portable media devices. Some examples of portable media include: external hard drives, phones, memory cards, USB thumb drives, CDs DVDs, tapes, and diskettes.
- Confidential data that are stored should be removed when no longer needed. Implement a regular review process to evaluate stored data, and if possible, see if the confidential data can be removed.
Safeguards for Sharing Data:
- If University data are handled or processed by an external service provider, the Office of General Counsel (OGC) needs to review the process/contracts prior to commitment. If you have any questions, please contact the CISO by submitting a Web Desk Help Request (Request type=ITS-Security>Inquiry).
- Review security with the external service provider or agency to ensure that it is consistent with industry best practices and the University's compliance obligations. If you have any questions, please contact the ISO by submitting a Web Desk Help Request (Request type=ITS-Security>Inquiry).
- When sharing data with an external service provider, ensure the security of the data during transport and storage.
- When sharing data with an external service provider, request documentation from any external service providers that their shows commitment to the security of the data being shared.
Safeguards for Accessing Confidential Data:
- Use encryption for any remote/wireless, or off campus access to a system containing confidential data. Please check out ITS's SSL Virtual Private Network (VPN http://vpn.wlu.edu) to see if it can help you.
- University confidential data and publicly accessible data should not be on the same system.
- Never use a public workstation or kiosk for processing confidential data.
- Use encryption if confidential data is accessed via the Internet.
- Use encryption when confidential data is transmitted over wireless networks, non-W&L networks, and when feasible use encryption when it is transmitted within the W&L wired network(s). Please check out ITS's SSL VPN (http://vpn.wlu.edu) to see if it can help you.
- Encrypt confidential data when it is transmitted via email, both in the body or as an attachment.
- Use encryption if passwords that grant access to confidential data are stored electronically.
- Notes on encryption:
- If full volume encryption is used, the volume should be mounted only when the system is in active use. (Note - make sure that the encryption does not interfere with your ability to create and retrieve backups).
- Protect encryption keys against disclosure, misuse, and loss.
Safeguards for Public Workstations or Kiosks:
- Public workstations and kiosks should not be on the same subnet as computers used to conduct confidential university business.
- Public workstations and kiosks should display a logon banner or bear signage with:
- a statement about responsible use;
- a warning about using the system for personal or sensitive data; and
- a reminder to logout and/or clear any credentials
- Public workstations and kiosks should not allow local shares
- Kiosk-users should not be able to save files to the kiosk.
- Public workstations and kiosks should be inspected regularly to see if security/integrity has been compromised.
- Make sure there is adequate power, heating/cooling, un-interruptible power supplies, and possibly generator electrical power.
- Reduce the possibility of physical theft by locking rooms. Limit and control access to servers and network equipment.
- Confidentiality Policy
- Acceptable Use Policy (Computing Resources, Network and Email Use Policy)
- Copyright Policy
- eCommerce Policy
- Financial Information Security