UTech Security Policy February 2010

Computer Security Assignment. Design a Security Policy for The University of Technology, Jamaica.

The University of Technology, Jamaica

Security Policy

Security Expert: Wayne Jones (0500005), BSCIT 4C

2010

Page 2: UTech Security Policy February 2010

The University of Technology, Jamaica | Computer Security Policy

February 12, 2010

Table of Contents

Disclaimer ... 3
Case Study ... 4
Introduction ... 5
  Security in Distributed Systems ... 6
  Cloud Computing Overview ... 6
Security Policy ... 9
  Overview ... 9
  Scope ... 9
  Risk Assessment Matrix ... 11
  Access Control Policy ... 13
Adhering to Legal Procedures ... 14
  General Policies ... 14
    Orange Book Security Standard ... 14
    Complying with Computer Misuse Act ... 15
    Complying with Data Protection Act ... 16
    Complying with COBIT Standard ... 16
    Complying with BS 7799 Standard ... 17
    Complying with the ISO 27001 Standard ... 17
    Legal Obligations Awareness ... 18
    Complying with the Copyright Licensing Legislation ... 18
  Specific Policies ... 19
    Student Computer Systems ... 19
    Staff Computer Systems ... 20
References ... 24

Author: Wayne Jones (0500005)- BSCIT-4C Page 2 of 24


Disclaimer

Confidentiality of information is mandated by common law, formal statute, explicit agreement, or convention. Different classes of information warrant different degrees of confidentiality.

The hardware and software components that constitute the university's IT assets represent a sizable monetary investment that must be protected. The same is true of the information stored in its IT systems, some of which may have taken enormous resources to generate, and some of which can never be reproduced.

Use of university IT assets in a manner, or for a purpose, other than that for which they were intended represents a misallocation of valuable university resources, and possibly a danger to the university's reputation or a violation of the law.

Finally, the proper functioning of IT systems is required for the efficient operation of the university. Some systems, such as the HRS, Finance, Student Administration, ISAS and Library systems, are of paramount importance to the mission of the university. Other systems (e.g. an individual's PC) are of less importance.


Case Study

Cloud computing has become extremely popular, but the security of such systems is likely to pose serious challenges in the years to come. You have been hired to set up a distributed security policy within the University of Technology where all system resources will be managed as part of an open public cloud and a private cloud. To maintain the ubiquity of all these resources within UTECH, you are hired as the new security personnel within the IS and Audit department with responsibility for UTECH's cloud security. Highlight all the salient issues of a security policy that you would have to develop in managing all these resources.


Introduction

Computer security encompasses the safekeeping of information, which is just as critical to a business as any other asset, if not its most important and sensitive one. Information security is an effort that comprises security policies, products and technologies, and procedures.

Software applications such as firewalls and virus scanners are not enough on their own to protect information. A set of procedures and systems needs to be applied to effectively deter unauthorized access to information (Crystal, G. 2010).

Cloud computing is a type of computing, comparable to grid computing, that relies on sharing computing resources rather than having local servers or personal devices handle applications. The goal of cloud computing is to apply traditional supercomputing power (normally used by military and research facilities) to perform tens of trillions of computations per second.

To do this, companies engaged in cloud computing network large groups of servers with specialized connections to spread data-processing chores across them. This shared IT infrastructure contains large pools of systems that are linked together. Often, virtualization techniques are used to maximize the power of cloud computing (Veal, B. 2010).

Cloud computing is the convergence of three major trends: virtualization, utility computing and Software-as-a-Service. Virtualization separates applications from infrastructure. Utility computing is the packaging of computer resources and the offering of the service at a metered price. Software-as-a-Service is software made available on demand on a subscription basis.

Companies such as IBM, Google and Amazon are pioneering the emergence of this new IT strategy. Amazon.com launched a company called Amazon Web Services (AWS) in July 2002 that provides a range of cloud computing services. Google offers a number of web services such as Picasa (hosting pictures), Gmail (storing email) and Google Docs (storing documents).


Security in Distributed Systems

The security of information stored on computers is of extremely high priority for large organizations such as The University of Technology, Jamaica. In protecting information from unauthorized access, especially in a scenario such as this, where we intend to practise cloud computing, the confidentiality, integrity and availability of information (the C.I.A. triad) must be preserved.

Modern distributed systems contain a large number of objects and must be capable of evolving, without shutting down the complete system, to cater for changing requirements. There is a need for distributed, automated management agents whose behaviour also has to change dynamically to reflect the evolution of the system being managed. Policies are a means of specifying and influencing management behaviour within a distributed system without coding the behaviour into the manager agents (Lupu, E. 1999).

According to Lupu (Lupu, E. 1999), new components and services are added to or removed from the system dynamically, thus changing the requirements of the management system over a potentially long lifetime. There has been considerable interest recently in policy-based management for distributed systems (Sloman 1994a; DSOM 1994; Magee 1996; Koch 1996).

Cloud Computing Overview

Open Cirrus is a cloud-computing research platform for experimentation, designed to support research into the design, provisioning and management of services on an open-source cloud computing infrastructure at a global, multi-datacenter scale. "It is a collaboration between HP, Intel, Yahoo!, and a number of academic institutions" (Jones, E. 2009).

According to Campbell, R. (2009), pay-as-you-go utility computing services from companies such as Amazon, and new initiatives by Google, IBM and NSF, have begun to provide applications researchers in areas such as machine learning and scientific computing with access to large-scale cluster resources. However, systems researchers, who are developing the techniques and software infrastructure to support cloud computing, still find it difficult to obtain low-level access to large-scale cluster resources, and that gave rise to the Open Cirrus project. While the researchers of the Open Cirrus project work on developing wide-scale cloud computing systems, pioneers such as Google have already made the basic concepts of cloud computing available.

The idea of cloud computing certainly isn't a new one: Oracle's Larry Ellison launched the New Internet Computer (NIC) company back in 2000 to lead the industry toward that goal. The concept was very simple. On your desk you would have a very low-cost computer with just a processor, a keyboard and a monitor, without any hard drive or CD/DVD drive. It would be connected to the Internet and would link to a central supercomputer, which would host all of your programs and files. The idea, however, was ahead of its time. The NIC sold very poorly, probably because of a dearth of broadband availability in the United States, and the company subsequently folded in 2003 (Pollette, C. 2008).

The potential for cloud computing is compelling. For business, it promises faster access to technology and better alignment with demand. That offers agility, which can deliver significant competitive advantage. Cloud computing has the potential to make extra computing capacity available in minutes or hours and to provide the flexibility to turn it off as soon as it is no longer needed, without the residual capital asset and operating costs (Smillie, K. 2010).

The rewards to be reaped by the University of Technology, Jamaica from implementing a distributed system via cloud computing are endless. The concept of cloud computing is a new one and people are catching on globally at a rapid rate. The rewards to be earned from investing in a cloud computing infrastructure include, but are not limited to:

Reduced cost
Cloud technology is paid for incrementally, which would save the university money. Money could also be saved on software licensing.

Increased storage
Because data is not stored on individual machines but in the 'cloud', the university can store more data than on private computer systems.

Highly automated
The job of IT personnel keeping software updated would be easier, since there would be fewer independent instances of the software.

More mobility
Employees can access information wherever they are, rather than having to remain at their desks, which is one of the major underlying reasons for Google and Apple's collaboration.


Security Policy

Overview

The purpose of this policy is to secure and protect the information assets owned by The University of Technology, Jamaica (UTECH). The University provides computer devices, networks and other electronic information systems to meet its missions, goals and initiatives. It grants access to these resources as a privilege and must manage them responsibly to maintain the confidentiality, integrity and availability of all information assets. This policy specifies the conditions that wireless/wired infrastructure devices must satisfy to connect to the University's network. Only those wireless/wired infrastructure devices that meet the standards specified in this policy.

Scope

All employees, contractors, consultants, temporary and other workers at The University of Technology, Jamaica, including all personnel affiliated with third parties that maintain a wireless/wired infrastructure device on behalf of the University, must adhere to this policy. This policy applies to all wireless/wired infrastructure devices that connect to UTECH's network, or reside on a UTECH site, and provide wireless/wired connectivity to endpoint devices including, but not limited to, laptops, cellular phones and personal digital assistants (PDAs). This includes any form of wireless communication device capable of transmitting packet data. The Human Resource Management Department must approve exceptions to this policy in advance.

The corporate assets that must be protected include:

- Computer and peripheral equipment
- Computing and communications premises
- Power and communications equipment
- Supplies and data storage media
- System computer programs and documentation
- Application computer programs and documentation
- Information

This policy will deal with the following domains of security:

- Computer system security: CPU, peripherals and operating system. This includes data security.
- Physical security: the premises occupied by personnel and computer equipment (labs, offices, etc.).
- Operational security: power equipment and operational activities.
- Communications security: communications equipment, personnel, transmission paths and adjacent areas.


Risk Assessment Matrix

Probability of occurrence (columns):

  FREQUENT     Likely to occur immediately or in a short period of time; expected to occur frequently
  LIKELY       Quite likely to occur in time
  OCCASIONAL   May occur in time
  SELDOM       Not likely to occur but possible
  UNLIKELY     Unlikely to occur

Severity of consequence (rows):

  CATASTROPHIC  May result in death
  CRITICAL      May cause severe injury, major property damage, significant financial loss, and/or result in negative publicity for the organization and/or institution
  MARGINAL      May cause minor injury, illness, property damage, financial loss and/or result in negative publicity for the organization and/or the institution
  NEGLIGIBLE    Hazard presents a minimal threat to the safety, health and well-being of participants; trivial

Risk rating (severity by probability of occurrence):

                 FREQUENT   LIKELY   OCCASIONAL   SELDOM   UNLIKELY
  CATASTROPHIC   E          E        H            H        M
  CRITICAL       E          H        H            M        L
  MARGINAL       H          M        M            L        L
  NEGLIGIBLE     M          L        L            L        L

Risk definitions

Many events, without proper planning, can have unreasonable levels of risk. However, by applying risk management strategies, you can reduce the risk to an acceptable level.

  E  Extremely High Risk: Activities in this category contain unacceptable levels of risk, including catastrophic and critical injuries that are highly likely to occur. Organizations should consider whether they should eliminate or modify activities that still have an "E" rating after applying all reasonable risk management strategies.

  H  High Risk: Activities in this category contain potentially serious risks that are likely to occur. Application of proactive risk management strategies to reduce the risk is advised. Organizations should consider ways to modify or eliminate unacceptable risks.

  M  Moderate Risk: Activities in this category contain some level of risk that is unlikely to occur. Organizations should consider what can be done to manage the risk to prevent any negative outcomes.

  L  Low Risk: Activities in this category contain minimal risk and are unlikely to occur. Organizations can proceed with these activities as planned.


Threat Assessment

The original table lists seven threats, one per column, under three groups of rows (Threat assessment, Risk assessment, Recommendations). It is reconstructed here as one record per threat.

Threat 1
  Threat assessment
    Asset: Furniture
    Agent/Event: Natural disaster
    Class of threat: Destruction, removal, interruption
    Likelihood of occurrence: Medium
    Consequence of occurrence: Inconvenience to employees
    Impact (injury): Very low
  Risk assessment
    Exposure rating: L
    Existing safeguards: None
  Recommendations
    Vulnerabilities: Floods, fires and other such disasters are not protected against
    Risk: 2
    Proposed safeguards: Security guard
    Projected risk: L
    Expectation of effectiveness of proposed safeguards: Completely satisfactory

Threat 2
  Threat assessment
    Asset: Furniture
    Agent/Event: Stolen
    Class of threat: Destruction, removal, interruption
    Likelihood of occurrence: Very low
    Consequence of occurrence: Inconvenience to employees
    Impact (injury): Very low
  Risk assessment
    Exposure rating: L
    Existing safeguards: None
  Recommendations
    Vulnerabilities: Floods, fires and other such disasters are not protected against
    Risk: 2
    Proposed safeguards: Security guard
    Projected risk: L
    Expectation of effectiveness of proposed safeguards: Completely satisfactory

Threat 3
  Threat assessment
    Asset: Hardware
    Agent/Event: Natural disaster
    Class of threat: Destruction, removal, interruption
    Likelihood of occurrence: Medium
    Consequence of occurrence: Loss of valuable data and equipment
    Impact (injury): Critical
  Risk assessment
    Exposure rating: E
    Existing safeguards: None
  Recommendations
    Vulnerabilities: Use of any mechanism to bypass swipe card access
    Risk: 3
    Proposed safeguards: Insurance / backup
    Projected risk: M
    Expectation of effectiveness of proposed safeguards: Satisfactory

Threat 4
  Threat assessment
    Asset: Hardware
    Agent/Event: Stolen
    Class of threat: Destruction, removal, interruption
    Likelihood of occurrence: Low
    Consequence of occurrence: Loss of valuable data and equipment
    Impact (injury): Critical
  Risk assessment
    Exposure rating: E
    Existing safeguards: Guardsman Security
  Recommendations
    Vulnerabilities: Walking out of the building with small equipment such as
    Risk: 4
    Proposed safeguards: Insurance / backup
    Projected risk: M
    Expectation of effectiveness of proposed safeguards: Satisfactory

Threat 5
  Threat assessment
    Asset: Network
    Agent/Event: Hacked
    Class of threat: Modification, destruction, removal
    Likelihood of occurrence: Medium
    Consequence of occurrence: Competitors gaining advantage. Loss of customers because of credit card information being used. A hacker may steal passwords and thus gain free internet access, hence loss of revenue
    Impact (injury): High
  Risk assessment
    Exposure rating: E
    Existing safeguards: Putting Technical Support on a different network from the main servers. Using FreeBSD for operating main
  Recommendations
    Vulnerabilities: Use of FreeBSD doesn't guarantee that no one will hack the system
    Risk: 5
    Proposed safeguards: Use of auditing software and honeypots
    Projected risk: M
    Expectation of effectiveness of proposed safeguards: Satisfactory

Threat 6
  Threat assessment
    Asset: Employees
    Agent/Event: Resign
    Class of threat: Interruption
    Likelihood of occurrence: Medium
    Consequence of occurrence: Loss of productivity as a replacement is recruited and trained
    Impact (injury): Low
  Risk assessment
    Exposure rating: M
    Existing safeguards: None
  Recommendations
    Vulnerabilities: Employees may choose to resign without notice
    Risk: 5
    Proposed safeguards: Contractual requirement of adequate notice
    Projected risk: M
    Expectation of effectiveness of proposed safeguards: Completely satisfactory

Threat 7
  Threat assessment
    Asset: Employees
    Agent/Event: Giving out important information
    Class of threat: Disclosure
    Likelihood of occurrence: Low
    Consequence of occurrence: Compromise of security if immediate changes of passwords and other sensitive areas are not effected
    Impact (injury): Critical
  Risk assessment
    Exposure rating: H
    Existing safeguards: None
  Recommendations
    Vulnerabilities: Employees that have resigned may disclose sensitive information to third parties
    Risk: 2
    Proposed safeguards: Non-disclosure clause in contract
    Projected risk: M
    Expectation of effectiveness of proposed safeguards: Completely satisfactory


Access Control Policy

Personnel                           Hardware      Software                Physical access to rooms
Managers                            Full Access   Full Access             Physical access to rooms
Supervisors                         Use Only      No Access               Physical access to rooms
Customer Support Representatives    Use Only      Only Payments section   Physical access to rooms
Lab Tech                            Use Only      Use Only                Physical access to rooms
Network Administrators              Full Access   No Access               Physical access to rooms
Senior Technician                   Full Access   No Access               Physical access to rooms
Accountants                         Use Only      Full Access             Physical access to rooms
Security Guards                     No Access     No Access               Full access to entire facility
Senior Finance Staff                Use Only      Full Access             No access to server room


Adhering to Legal Procedures

An employee found to have violated this policy may be subject to disciplinary action, up to and including termination of employment. A violation of this policy by a temporary worker, contractor or vendor may result in the termination of their contract or assignment with The University of Technology, Jamaica, referred to as UTech from here on.

The following legal policy considerations outline the legal issues that govern the operation of UTech, for incorporation into the security policy. The policies are examined with specific attention to the systems that the university's distributed system incorporates.

There are some general policies and legal procedures that govern the entire IT arena as it relates to computer security. We will classify these as general policies. However, the nature of distributed systems calls for specific guidelines for securing them, because the traditional concept of a single security policy for the entire computer system is not practical for a distributed system. These policies will be classified as specific policies.

General Policies

Orange Book Security Standard:

The University of Technology, Jamaica intends to comply fully with the requirements of the Orange Book security standard as it affects the immediate business of the university. The Orange Book, the Trusted Computer System Evaluation Criteria, was first published in 1983 by the Department of Defense in the USA, and is the benchmark for computer security. Under it, a Mandatory Security Policy enforces access control rules based directly on an individual's clearance, their authorization for the information, and the confidentiality level of the information being sought. Other, indirect factors are physical and environmental. The policy must also accurately reflect the laws, general policies and other relevant guidance from which the rules are derived. A Discretionary Security Policy enforces a consistent set of rules for controlling and limiting access based on identified individuals who have been determined to have a need-to-know for the information.


Complying with Computer Misuse Act:

The University of Technology, Jamaica will implement computer use policies with which all employees will be required to comply. The HR Manager is responsible for ensuring that all staff members are fully aware of these policies as they relate to their duties.

The University of Technology, Jamaica provides all employees with computer access and internet services.

However, employees need to exercise discretion and ensure that they do not engage in illegal activities while providing support to users. Such activities include, but are not limited to: viewing pornography, visiting sites promoting illegal computer access activities (crack sites), and viewing material advocating terrorism or other sites that threaten national security. The issue of terrorism is of special importance in light of Jamaica's conformance to international terrorism prevention legislation. Such acts may include:

- Unauthorized access: the offender knowingly gains unauthorized access to a computer or data.
- Unauthorized access with intent: the offender knowingly gains unauthorized access to a computer or data with malicious intent.
- Unauthorized acts with intent to impair: describes cases involving distributed denial of service attacks on a computer system or information.
- Making, supplying or obtaining articles: describes cases involving those who produce, for example, malicious scripts or software designed to enable modification.

It is therefore imperative that all employees exercise full discretion with regard to the use of UTech's property during or after working hours.

ISO 17799 and BS 7799 references:
12.1.5 Prevention of Misuse of Information Processing Facilities
See the Computer Misuse Act of 1990


Complying with Data Protection Act:

The University of Technology, Jamaica intends to comply fully with the requirements of Data Protection legislation in so far as it affects the immediate business of the university. This act is a security standard that gives individuals the right to know what information is held about them, as well as providing a framework to ensure that personal information is handled properly. This means that anyone who handles personal information must comply with its principles. It also gives individuals rights over their personal information: the rights of access, compensation and the prevention of processing. These two aspects of the Act break down as follows:

1. The Act provides individuals with important rights, including the right to find out what personal information is held on computer and in most paper records.

2. Anyone who processes personal information must comply with eight principles, which ensure that personal information is:
   - fairly and lawfully processed,
   - processed for limited purposes,
   - adequate, relevant and not excessive,
   - accurate and up to date,
   - not kept for longer than is necessary,
   - processed in line with the individual's rights,
   - secure, and
   - not transferred to other countries without adequate protection.

Complying with COBIT Standard:

The Control Objectives for Information and related Technology (COBIT) "provides good practices across a domain and process framework and presents activities in a manageable and logical structure" (IT Governance Institute, 2007). COBIT is an IT governance framework and supporting tool set that allows IT managers to bridge the gap between control requirements, technical issues and business risks. It enables clear policy development and good practice for IT governance in organizations. COBIT 4.1 has 34 high-level processes covering 210 control objectives; these are broken into four categories:

- Planning and Organization
- Acquisition and Implementation
- Delivery and Support
- Monitoring and Evaluation

The "good practices" of COBIT are "strongly focused more on control, and less on execution." In other words, COBIT specifies measures for the management, monitoring and control of technology; the technology used to implement the distributed system must therefore be properly monitored and controlled under the specifications of the COBIT practices. Implementation of these practices will "help optimise IT-enabled investments, ensure service delivery and provide a measure against which to judge when things do go wrong."

Complying with BS 7799 Standard:

The University of Technology, Jamaica intends to comply fully with the requirements of Data Protection legislation in so far as it affects the immediate business of the university. BS 7799 is based on a comprehensive set of controls comprising best practices in information security. It is an internationally recognized generic information security standard covering 10 subject domains, 36 management objectives, 127 controls and 500 detailed controls. It was developed in the UK by the government to promote confidence in inter-company trading. Shell, BOC, BT, Marks & Spencer, Midland Bank, Nationwide and Unilever were all contributors to this security standard, which went on to acquire increasing international acceptance as the primary de facto industry security standard.

Complying with the ISO 27001 Standard:

The University of Technology, Jamaica intends to comply fully with the requirements of Data Protection legislation in so far as it affects the immediate business of the university. ISO 27001 is the international standard for an Information Security Management System (ISMS). In Great Britain it also still carries its original designation, BS 7799-2. ISO 27001 is the first in a family of international information security standards that will underpin and protect IT worldwide over the next decade. It is designed to harmonise with ISO 9001 and ISO 14001 so that management systems can be effectively integrated. It implements the Plan-Do-Check-Act (PDCA) model and reflects the principles of the 2002 OECD guidance on the security of information systems and networks. ISO 27001 can also help create a framework that helps UK sales and marketing departments comply with the Telecommunications Regulations 1998 (Data Protection and Privacy). This standard helps organizations reduce their total information security expenditure while increasing its effectiveness.

Legal Obligations Awareness

All employees of the organization should be informed and made aware of all the legal obligations that directly affect them with respect to information assurance; computer use and misuse; computer data and its usage, handling and protection; and information systems and services.

“The Human Resource Manager or Senior Personnel Officer of UTech is responsible for ensuring that all employees are aware of legal obligations that affect computer use, computer data and information systems. Individuals should be made aware of legal obligations that the university has to adhere to and be informed of their responsibilities as regards compliance with these obligations. These requirements should be outlined in staff documentation such as Terms and Conditions of Employment and Organization Code of Conduct documents.”

Complying with the Copyright Licensing Legislation

“UTech must ensure that all software used on its computers and systems is properly licensed and is being used in accordance with the license. It is the responsibility of the Human Resource Manager or Senior Personnel Officer to prepare guidelines for employees on important aspects of Software Copyright and Licensing Legislation.”

Explanation

The university uses Microsoft-based applications, such as Microsoft Windows systems. The Windows operating system licenses are provided with each workstation upon purchase. An Enterprise License allows one copy of the software to be installed on several devices and distributed throughout the organization. The same licensing packages are used for the antivirus and intrusion detection system. It is imperative that UTech adheres to the license agreement and also ensures that its use of software is in compliance with the respective End User License Agreements (EULA).

ISO 17799 and BS 7799 References

- 12.1.2 Intellectual Property Rights (IPR)
- Copyright Act, 01/09/1993 (Jamaica)

Specific Policies

Student Computer Systems

Security Responsibilities.

The day-to-day managers of student-based systems must:

- Be thoroughly familiar with the University IT Security Policy in its entirety.
- Ensure compliance with this policy by all of its users.
- Report any serious breaches of security to the Head of Security.

Physical Security.

The following standards of physical security for student-based platforms must be met:

- Premises must be physically strong and free from unacceptable risk from flooding, vibration, dust, etc.
- There must not be an inordinate amount of combustible material (e.g. paper) stored in the same room as the computer system.
- Air temperature and humidity must be controlled to within acceptable limits.
- Computing equipment should be electrically powered via UPS to provide the following:
  - Minimum of 15 minutes’ operation in the event of a power blackout.
  - Adequate protection from surges and sags.
  - Triggering of an orderly system shutdown when deemed necessary.

Physical Access.

There must be procedures in place to assure that only authorized staff or students enter the premises.

User Access.

New userids should be handled as follows:

- Students should direct requests to the lab technician.
- The applicant must present suitable personal identification.
- The new userid and password must be given orally to the applicant, unless special delivery has been authorized due to special circumstances (e.g. the applicant is overseas).
- If the operating system supports a password aging facility, it should be set to force a password change on the first login.

Fire Detection and Control.

- There should be smoke and thermal detectors on the premises.
- Under-floor areas should have smoke and water detectors.

Staff Computer Systems

General Obligations

Users and custodians of Desktop computers are subject to the "Conditions of Use" and "Code of Practice" specified in the university’s IT Security Policy.

Hardware Security

- Lock offices. Office keys should be registered and monitored to ensure they are returned when the owner leaves the University.
- Secure Desktops in public areas. Equipment located in publicly accessible areas or rooms that cannot be locked should be fastened down by a cable lock system or enclosed in a lockable computer equipment unit or case.
- Secure hard disks. External hard disks should be secured against access, tampering, or removal.
- Locate computers away from environmental hazards.
- Store critical data backup media in fireproof vaults or in another building.
- Register all University computers.

Access Security

Utilize password facilities to ensure that only authorized users can access the system. Where the Desktop is located in an open space or is otherwise difficult to physically secure, consideration should be given to enhanced password protection mechanisms and procedures.

Password guidelines:

- Avoid words found in the dictionary and include at least one numeric character. (Six-character passwords may suffice for non-dictionary words.)
- Choose passwords not easily guessed by someone acquainted with the user. (For example, passwords should not be maiden names, or names of children, spouses, or pets.)
- Do not write passwords down anywhere.
- Change passwords periodically.
- Do not include passwords in any electronic mail message.
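As an added example, not part of the UTech policy document, the following Python check applies these guidelines to a candidate password and extends the dictionary rule to words hidden behind appended digits or letter substitutions; the word list and the profile field names are constructed stand-ins, not anything the university uses:

```python
import re

# Constructed stand-in for a real dictionary file (e.g. /usr/share/dict/words);
# a deployment would load the full list plus local words such as campus names.
DICTIONARY = {"password", "welcome", "kingston", "jamaica", "summer", "computer", "security"}

MIN_LENGTH = 6  # "Six-character passwords may suffice for non-dictionary words."

# Common digit/symbol substitutions, so "passw0rd" is still caught as "password".
LEET = str.maketrans({"0": "o", "1": "i", "3": "e", "4": "a", "5": "s", "7": "t", "@": "a", "$": "s"})


def _letter_forms(text):
    """Letters-only views of text: lower-cased as typed, and with leet substitutions undone.

    Both are needed: "Summer2010" hides "summer" behind digits, while "passw0rd"
    hides "password" behind a substitution.
    """
    lowered = text.lower()
    plain = re.sub(r"[^a-z]", "", lowered)
    deleet = re.sub(r"[^a-z]", "", lowered.translate(LEET))
    return {plain, deleet}


def check_password(password, profile=None):
    """Return the list of guideline violations; an empty list means the password passes.

    profile: words an acquaintance would know (maiden name, children, spouse, pets),
    e.g. {"pet": "Rex"}. The field names are a constructed example, not a UTech schema.
    """
    profile = profile or {}
    violations = []
    forms = _letter_forms(password)

    if len(password) < MIN_LENGTH:
        violations.append("shorter than %d characters" % MIN_LENGTH)
    if not re.search(r"\d", password):
        violations.append("no numeric character")
    if DICTIONARY & forms:
        violations.append("dictionary word")
    for field, value in profile.items():
        name = re.sub(r"[^a-z]", "", value.lower())
        # Names shorter than three letters would match almost anything, so skip them.
        if len(name) >= 3 and any(name in form for form in forms):
            violations.append("contains %s" % field)
    return violations
```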

Data and Software Availability

- Back up and store important records and programs on a regular schedule.
- Check data and software integrity.
- Fix software problems immediately.

Confidential Information.

- Encrypt sensitive and confidential information where appropriate.
- Monitor printers used to produce sensitive and confidential information.
- Overwrite sensitive files on fixed disks, floppy disks, or cartridges.

Software

Software is protected by copyright law. Unauthorized copying is a violation of University Copyright policy. Anyone who uses software should understand and comply with the license requirements of the software. The university is subject to random license audits by software vendors.

Viruses

Computer viruses are self-propagating programs that infect other programs. Viruses and worms may destroy programs and data as well as consuming the computer's memory and processing power. Viruses, worms, and Trojan horses are of particular concern in networked and shared-resource environments because the possible damage they can cause is greatly increased. Some of these cause damage by exploiting holes in system software. Fixes to infected software should be made as soon as a problem is found.

To decrease the risk of viruses and limit their spread:

- Check all software before installing it.
- Use software tools to detect and remove viruses.
- Isolate immediately any contaminated system.

Computer Networks.

Networked computers may require more stringent security than stand-alone computers because they are access points to computer networks.

While the IT Department has responsibility for setting up and maintaining appropriate security procedures on the network, each individual is responsible for operating their own computer with ethical regard for others in the shared environment.

The following considerations and procedures must be emphasized in a network environment:

- Check all files downloaded from the Internet. Avoid downloading shareware files.
- Test all software before it is installed to make sure it doesn't contain a virus/worm that could have serious consequences for other personal computers and servers on University networks.
- Choose passwords with great care to prevent unauthorized use of files on networks or other personal computers.
- Always back up your important files.
- Use (where appropriate) encrypting/decrypting and authentication services to send confidential information over a University network.
- Never store University passwords or any other confidential data or information on your laptop or home PC or associated floppy disks or CDs. All such information should be secured after any dialup connection to the University network.
