PolyU IT Security Policy

1
PolyU IT Security Policy

• PolyU
• IT/Computer
• Systems Security Policy
• (SSP)
• By
• Ken Chung
• Senior Computing Officer
• Information Technology Services office

2
PolyU Systems Security Policy

• Importance of IT Security
• Recommendation from auditors
• PolyU Systems Security Policy by ITS
• Endorsement of the Policy by ITSC
• Policy and Guidelines on Web

3
(No Transcript)
4
PolyU Systems Security Policy

• Physical Security
• Campus Network and Internet Security
• Operating System Security
• Application System Security
• Personal Computer Security
• Backup and Recovery

5
Physical Security

• Equipment housed in safe environment
• Access control to computer room
• Equipment installed in open areas should be
  attended or fixed

6
Physical Security (Contd)

• Proper electrical power protection should be
  employed, e.g. surge protector, UPS
• Food, liquid or powdery substances should be keep
  away from equipment
• Universitys health and safety requirements
  should be observed

7
Campus Network and Internet Security

• Security procedures against intrusion should be
  implemented and maintained
• Network management and security monitoring should
  be performed
• Security control mechanisms should be documented

8
Campus Network and Internet Security (Contd)

• Proper protection mechanisms should be
  implemented
• Non PolyU equipment and external links should not
  be connected to campus network
• HARNET Acceptable Use Policy should be observed
  (URL http//www.jucc.edu.hk/jucc/haup.htm)

9
Operating Systems Security

• Update list of system administrators
• Scanning programs to detect security bugs
• Latest system and security patches should be
  adopted
• All accounts should be protected by good
  password and changed regularly

10
Operating Systems Security (Contd)

• Passwords should not be disclosed to others
• Passwords should not be stored or transmitted in
  plain text form
• Users should report security violation to system
  administrator
• Accounting, auditing and logging facilities
  should be adopted for audit trails

11
Application Systems Security

• System owner must determine security level
  required for various kinds of data
• Only authorised users are allowed to access
  system and data
• Production data or files must only be used on
  production systems

12
Application Systems Security (Contd)

• Confidential data should be protected by
  passwords
• Passwords should not be written down or shared
  with others, standards on password length, format
  and frequency of change should be enforced
• Effective data encryption techniques should be
  used for storing highly confidential information

13
Application Systems Security (Contd)

• Changes to production programs should be
  authorised, controlled and recorded, timestamps,
  logs and audit trails must be employed
• Software developers must not access production
  data without prior approval of system owners

14
Personal Computer Security

• Access to standalone and networked personal
  computer equipment and resources should be
  restricted to authorised users only
• Data and programs should be backed up regularly

15
Personal Computer Security (Contd)

• Preventive and detective measures should be
  enforced to minimise damages caused by computer
  viruses
• Only licensed software should be used
• Security problems should be reported to system
  administrators promptly

16
Backup and Recovery

• System owners must determine their backup
  requirements
• Backup and restoration should be performed by
  authorised personnel only
• Backed up should be performed periodically on a
  transportable media and stored appropriately
  (onsite or offsite)

17
Backup and Recovery (Contd)

• Backup and restoration procedures should be test
  and review regularly
• Disaster Recovery Plan for mission critical
  systems should be in place and periodical
  drilling is required

18
IT Security Guidelines

• Physical Security
• Campus Network and Internet Security
• Firewall Security
• Remote Access Security
• Proxy Server Security
• Personal Computer Security

19
IT Security Guidelines (Contd)

• UNIX System Security
• Web Server Security
• Novell NetWare and GroupWise Systems Security
• Student Computing Cluster Security
• E-mail System Security
• PolyU Administrative Computer Systems Security

20
Recommendations of Auditor

• Establish the Internet/Intranet Security Policy
  with the following contents
• What services are allowed
• User access and privileges
• Policies for managing web pages
• Procedures for ensuring no alternate access paths
  to Internet
• Universitys response to security violation
• User signing internet usage agreement

21
Recommendations of Auditor (Contd)

• Establish the Internet/Intranet Security Policy
  with the following contents (contd)
• Enforcing password requirements
• Management of increased network traffic resulting
  from Internet use
• Hardware, software and client applications
• Client configuration
• Frequency of security audit
• Independent internet assessment

22
Recommendations of Auditor (Contd)

• Establish Security Procedures for
• Granting of users access rights
• Monitoring of users with administrative rights on
  IS
• Guidelines on data encryption
• Computer security policy training and distribution

23
Recommendations of Auditor (Contd)

• Establish Security Procedures for
• Virus protection policy
• Promote proper usage of internet
• Sharing of user accounts
• User accounts housekeeping
• Utilizing networking scanning tools
• E-mail virus protection

24
Recommendations of Auditor (Contd)

• Establish Security Procedures for
• Door-entry control system
• Automatic directory listing
• Banners
• Vulnerable services
• World-writeable files
• System logging

25
Some Security Tips

• Always apply security patch on OS and service
• Remove unnecessary services
• Review and change default settings
• Implement a personal firewall
• Apply encryption on sensitive data
• Enable auditing review log

26
Thank you!