Network Attached Security Standards
The IT Security Office (ITSO) at Pacific has developed these security standards for Network Attached Systems based upon security best practices as well as standards currently in use at other institutions. Pacific requires compliance with these standards to help protect systems connected to the University network, to comply with audit requirements, and to prevent exploitation of Pacific resources by unauthorized individuals. These standards apply to all systems connected to the Pacific network. Those systems include computers, printers, network appliances, as well as hardware connected to the Pacific network.
The full Network Attached Security Standard can be downloaded here.
- Systems must be physically secured in racks or areas with restricted access. Portable systems shall be physically secured if left unattended.
- Backup media must be secured from unauthorized physical access. If the backup media is stored off- site, it must be encrypted or have a documented process to prevent unauthorized access.
PCs, Laptops & Mobile Devices
- Unauthorized physical access to an unattended system can result in harmful or fraudulent modification of data, fraudulent email use, or any number of other potentially dangerous situations. In light of this, where confidential and/or Restricted Access Information is used or accessed, PCs, laptops and mobile devices such as smart phones, must be configured to "lock" and require a user to re-authenticate if left unattended. This list outlines timeout thresholds for each typer of device:
- Staff dektops or laptops - 20 minutes
- Faculty desktops or laptops - 60 minutes
- Lecterns with fixed desktops or laptops - 120 minutes
- Mobile devices - 5 minutes
Vulnerabilities & Patches
Software patch updates
Campus networked systems must run software for which security patches are made available in a timely fashion. They also must have all currently available security patches installed in accordance with the Antivirus & Patching Security Standard (see Appendix 1 in the Network Attached Security Standards). Exceptions may be made for patches that compromise the usability of critical applications.
Anti-virus and anti-spyware software for any particular type of system must be running and up-to-date according to the Anti-malware & Patching Security Standard (see Appendix 1 in the Network Attached Security Standards), including clients, file servers, mail servers, and other types of campus networked systems.
System-based firewall software
System-based firewall software must be running and configured according to the System-based Firewall Security Standard (see Appendix 2 in the Network Attached Security Standards), on every level of system, including clients, file servers, mail servers, and other types of campus networked systems. While the use of departmental firewalls is encouraged, they do not necessarily obviate the need for system-based firewalls.
Passwords & Authentication
Campus electronic communications systems or services must identify users and authorize access by means of passwords or other secure authentication processes (e.g. biometrics or Smart Cards). When passwords are used, they must meet the Password Complexity Standards (see Appendix 3 in the Network Attached Security Standards). In addition, shared-access systems must enforce these standards whenever possible and appropriate and require that users change any pre- assigned passwords immediately upon initial access to the account. Where technically possible, all default passwords for access to network- accessible systems must be modified.
Where possible and appropriate:
- Initial account passwords should be randomized and changed upon first logon
- Systems should be configured with separate accounts for privileged and unprivileged access
- Users should authenticate with an unprivileged account rather than a privileged account
- Privileged access should occur through a privilege escalation mechanism which allows the log to show which user was granted additional privileges
- Privileged access should only be granted for as long as necessary to complete the task which requires additional privileges
Unencrypted system authentication mechanisms are only as secure as the network upon which they are used. Traffic across the campus network may be surreptitiously logged, rendering these authentication mechanisms vulnerable to compromise. Therefore, all campus systems must use only encrypted authentication mechanisms unless otherwise authorized by the ISPC. In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
Electronic communication systems are used to process and transmit information and services throughout PacificNet. Information and services must be processed and transmitted securely and reliably to assure that data confidentiality, integrity, and availability are preserved. The IT Security Office (ITSO) provides specific Hardening Checklists for common operating system platforms and systems. These Hardening Checklists provide the foundation for assessing the security state of a particular system, providing a measurable target. The ITSO has selected the CIS standards that are based on internationally known security best practices and are recognized by many organizations as the de facto standard for deploying reasonably secure systems.
Contact the ITSO for the current CIS standard and auditing tool.
Security Logging is a method used to confirm that the security practices and controls in place are being adhered to and are effective. Security logging processes consist of activities such as the review of: user account logs, application logs, data backup and recovery logs, automated intrusion detection system logs, etc. The purpose of the security logging standard is to ensure that information resource security controls are in place, are effective, and are not being bypassed. Some of the benefits of security logging are the early identification of wrongdoing and the discovery of new security vulnerabilities.
All systems that handle Confidential Information, accept network connections, or make access control (authentication and authorization) decisions shall record and retain audit- logging information sufficient to answer the following questions:
- What activity was performed?
- Who or what performed the activity, including where or on what system the activity was performed from (subject)?
- What the activity was performed on (object)?
- When was the activity performed?
- What was the status (such as success vs. failure), outcome, or result of the activity?