Clayton State University follows the Board of Regents Information Security policies and state and federal laws, and supplements them with its own local policies.
Access Control (AC): Organizations must limit information system access to authorized users, processes acting on behalf of authorized users, or devices (including other information systems) and to the types of transactions and functions that authorized users are permitted to exercise.
- Network accounts are created based on requests from HR and on automated information from Banner/ADP (AC-2)
- Temporary/Part Time accounts expire after 180 days if not renewed (AC-2)
- Account modifications (such as password changes) should be logged to the system log (AC-2)
- Accounts with special privileges should only be used for those tasks requiring it, not for day-to-day usage (AC-2)
- For systems not relying on domain accounts, the admin will document their account creation/removal process (AC-2)
- Security groups and ACLs should be used to provide limited access to shared resources (AC-3, AC-6)
- All systems by default are blocked at the campus firewall (AC-4)
- Only the most minimal access should be granted to perform a function (AC-6)
- Systems should lock accounts after more than 5 failed login attempts in a 20 minute period (AC-7)
- Systems should lock sessions after 20 minutes of idle time. Domain machines will force this. (AC-11)
- The campus VPN server (vpn.clayton.edu) is the only authorized remote access solution (AC-17)
- Wireless is considered insecure (AC-18)
- Departments cannot set up their own wireless access points or networks (AC-18)
- All connections between campus Information Systems and external systems must be approved and documented (AC-20)
- The CIO must approve any system which interfaces with Banner (AC-20)
- Publicly identifying information should not be posted to the campus web site (AC-22)
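The AC-7 and AC-11 rules above (lock an account after more than 5 failed logins in a 20 minute period; lock a session after 20 minutes of idle time) are the kind of policy that is easy to state and easy to get subtly wrong in code, so here is an added example of both, written for this page and not code from Clayton State or OITS. Timestamps are passed in explicitly so the behaviour is deterministic. The page does not say how long a lockout lasts; the 20 minute lockout duration and the account and session names are assumptions made for the demo.

```python
"""Added example (not Clayton State's own code): a sliding-window account
lockout matching AC-7 (lock after more than 5 failures in 20 minutes) and an
idle-session lock matching AC-11 (20 minutes idle). Lockout duration is an
assumption; the page does not specify it."""
from collections import defaultdict, deque


class LockoutPolicy:
    def __init__(self, max_failures=5, window_seconds=20 * 60,
                 lockout_seconds=20 * 60):
        self.max_failures = max_failures          # failures allowed in the window
        self.window = window_seconds              # AC-7: 20 minute window
        self.lockout = lockout_seconds            # assumption: lock for 20 minutes
        self.failures = defaultdict(deque)        # account -> timestamps of failures
        self.locked_until = {}                    # account -> time the lock expires

    def _prune(self, account, now):
        """Drop failures that have aged out of the window."""
        q = self.failures[account]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, account, now):
        until = self.locked_until.get(account)
        return until is not None and now < until

    def record_failure(self, account, now):
        """Record one failed login; returns True if this failure locks the account."""
        self._prune(account, now)
        self.failures[account].append(now)
        if len(self.failures[account]) > self.max_failures:   # "more than 5"
            self.locked_until[account] = now + self.lockout
            self.failures[account].clear()
            return True
        return False

    def record_success(self, account, now):
        """A successful login resets the failure count for the account."""
        self.failures[account].clear()


class IdleSessionLock:
    def __init__(self, idle_seconds=20 * 60):      # AC-11: 20 minutes idle
        self.idle = idle_seconds
        self.last_activity = {}                    # session -> last activity time

    def activity(self, session_id, now):
        self.last_activity[session_id] = now

    def is_locked(self, session_id, now):
        last = self.last_activity.get(session_id)
        return last is None or now - last >= self.idle


if __name__ == "__main__":
    p = LockoutPolicy()
    for i in range(5):                  # constructed sample: 5 failures a minute apart
        p.record_failure("jdoe", 1000.0 + i * 60)
    print("locked after 6th failure:", p.record_failure("jdoe", 1000.0 + 5 * 60))
```

The window is checked with a deque of timestamps rather than a simple counter so that failures spread across more than 20 minutes never add up to a lockout, which is the edge case a counter-with-reset implementation usually mishandles.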
Awareness and Training (AT): Organizations must: (i) ensure that managers and users of organizational information systems are made aware of the security risks associated with their activities and of the applicable laws, Executive Orders, directives, policies, standards, instructions, regulations, or procedures related to the security of organizational information systems; and (ii) ensure that organizational personnel are adequately trained to carry out their assigned information security-related duties and responsibilities.
- Employees must take the annual security training via the HR web site (AT-2,AT-3,AT-4)
Audit and Accountability (AU): Organizations must: (i) create, protect, and retain information system audit records to the extent needed to enable the monitoring, analysis, investigation, and reporting of unlawful, unauthorized, or inappropriate information system activity; and (ii) ensure that the actions of individual information system users can be uniquely traced to those users so they can be held accountable for their actions.
- Login and logout information should be logged (AU-2)
- Logs should be sent to the central syslog server which should be configured to maintain logs for a minimum of 45 days (AU-4,AU-9,AU-11)
- The central syslog server will be monitored for disk capacity, availability, and running of the syslog process (AU-5)
- All servers should receive their time via NTP from time.clayton.edu or time2.clayton.edu. Windows domain computers receive theirs from the domain controllers, which in turn are synced to time.clayton.edu (AU-8)
- Both successful and unsuccessful events should be logged (AU-10)
Certification, Accreditation, and Security Assessments (CA): Organizations must: (i) periodically assess the security controls in organizational information systems to determine if the controls are effective in their application; (ii) develop and implement plans of action designed to correct deficiencies and reduce or eliminate vulnerabilities in organizational information systems; (iii) authorize the operation of organizational information systems and any associated information system connections; and (iv) monitor information system security controls on an ongoing basis to ensure the continued effectiveness of the controls.
- OITS will conduct periodic scans of campus Information Systems (CA-2)
- Before a new system is brought online, a security scan will be performed. In addition to this security scan, any information that needs to be incorporated into DR/CoP will need to be created. Also, a backup plan for the data on the system will need to be created (CA-6)
- Scans will be repeated when upgrades are performed (CA-7)
Configuration Management (CM): Organizations must: (i) establish and maintain baseline configurations and inventories of organizational information systems (including hardware, software, firmware, and documentation) throughout the respective system development life cycles; and (ii) establish and enforce security configuration settings for information technology products employed in organizational information systems.
Contingency Planning (CP): Organizations must establish, maintain, and effectively implement plans for emergency response, backup operations, and post-disaster recovery for organizational information systems to ensure the availability of critical information resources and continuity of operations in emergency situations.
Identification and Authentication (IA): Organizations must identify information system users, processes acting on behalf of users, or devices and authenticate (or verify) the identities of those users, processes, or devices, as a prerequisite to allowing access to organizational information systems.
- Each user will have their own userid (IA-2)
- Group accounts will not be used unless a) there is no other way or b) a group account actually provides more protection (such as a group account for the Milestone system where the password was entered once and multiple users can use the system without knowing the password) (IA-2)
- User IDs will not be reused (IA-4)
- Password input fields must not show the password being entered (IA-6)
- Initial passwords will be sent to the employee's supervisor where the password cannot be initially set by the end user after authenticating by other means (such as students logging into the Swan for the first time) (IA-5)
- Passwords will only be reset for users when they present photo ID for identity verification (IA-5)
- Passwords will be changed every xx days (IA-5)
- Passwords will conform to a minimal complexity standard (IA-5)
- Guest access will be limited to minimal functions (web and VPN) to bridge the need for a secure environment with the need to provide courtesy services to visitors. (IA-8)
- Guest accounts are not created. (IA-8)
Incident Response (IR): Organizations must: (i) establish an operational incident handling capability for organizational information systems that includes adequate preparation, detection, analysis, containment, recovery, and user response activities; and (ii) track, document, and report incidents to appropriate organizational officials and/or authorities.
Maintenance (MA): Organizations must: (i) perform periodic and timely maintenance on organizational information systems; and (ii) provide effective controls on the tools, techniques, mechanisms, and personnel used to conduct information system maintenance.
- System Maintenance should be done in the safest method possible. If it requires bringing a system down to avoid an accidental crash, that is the method which should be used. (MA-2)
- When being performed by those outside of OITS, maintenance personnel must be escorted into the location where the work is to be performed and monitored while the work is being performed (MA-2, MA-3)
- Remote access for support will only be allowed through the firewall while the work is being performed (MA-4)
- Network credentials are not given out for people doing maintenance. VPN access will not be provided for remote support. (MA-5)
- For a production system, support contracts should be maintained for the hardware and software. Some services have multiple physical pieces of hardware (DNS, Domain Controller) backing them allowing hardware contracts to be somewhat relaxed (MA-6)
- Where possible and cost-effective, replacement parts should be kept on site for faster remediation (such as hard drives) (MA-6)
Media Protection (MP): Organizations must: (i) protect information system media, both paper and digital; (ii) limit access to information on information system media to authorized users; and (iii) sanitize or destroy information system media before disposal or release for reuse.
- Mobile devices (phones, notebooks, USB drives) should not store confidential or sensitive data as they are easier to lose or have stolen (MP-2)
- Removable media used for backups should be kept secure while in transit (MP-2,MP-4,MP-5)
- All computers being surplussed must go through The Hub, which will destroy the hard drives (MP-4,MP-6)
- USB drives should be treated with care. They can have malicious software which may AutoRun on insertion. (MP-6)
Physical and Environmental Protection (PE): Organizations must: (i) limit physical access to information systems, equipment, and the respective operating environments to authorized individuals; (ii) protect the physical plant and support infrastructure for information systems; (iii) provide supporting utilities for information systems; (iv) protect information systems against environmental hazards; and (v) provide appropriate environmental controls in facilities containing information systems.
- Each department which houses servers with critical, confidential or otherwise sensitive information must maintain a list of who has access to their equipment. This list should be maintained internally and shared with Public Safety. It should be regularly reviewed, especially after any terminations. (PE-2)
- Server locations should have limited and controlled access. Ideally, entry is via another occupied office area. Any automated means to monitor and log access should be considered (PE-3, PE-6)
- Data connections to the server rooms should be secured as much as possible. Tap points should be keyed to minimize access. (PE-4)
- Printers and other output devices which output sensitive data should be located in secure areas or all output monitored and immediately picked up (PE-5)
- Access to server rooms should be recorded. Where access is not recorded by the door entry system, motion-activated camera recording of entry should be utilized, recording to the campus Milestone system (PE-6)
- Any visitors to the server rooms should be escorted in and out and monitored. Visitor access should also be written down or otherwise recorded along with the reason. (PE-7,PE-8)
- Server rooms should have emergency lighting, fire-suppression and emergency power. (PE-11,PE-12,PE-13)
- Server rooms will need to have dedicated air-conditioning which is monitored for faults (PE-14)
Planning (PL): Organizations must develop, document, periodically update, and implement security plans for organizational information systems that describe the security controls in place or planned for the information systems and the rules of behavior for individuals accessing the information systems.
Personnel Security (PS): Organizations must: (i) ensure that individuals occupying positions of responsibility within organizations (including third-party service providers) are trustworthy and meet established security criteria for those positions; (ii) ensure that organizational information and information systems are protected during and after personnel actions such as terminations and transfers; and (iii) employ formal sanctions for personnel failing to comply with organizational security policies and procedures.
- Accounts will be disabled within 5 days of leaving employment (PS-4)
- When employees switch departments, their old access will be removed (PS-5)
- All users must agree to the Acceptable Use Policy (PS-6)
- Failure to comply with the AUP, these policies, etc. may result in loss of network access and reporting to your supervisor, Human Resources or Public Safety (PS-8)
Risk Assessment (RA): Organizations must periodically assess the risk to organizational operations (including mission, functions, image, or reputation), organizational assets, and individuals, resulting from the operation of organizational information systems and the associated processing, storage, or transmission of organizational information.
System and Services Acquisition (SA): Organizations must: (i) allocate sufficient resources to adequately protect organizational information systems; (ii) employ system development life cycle processes that incorporate information security considerations; (iii) employ software usage and installation restrictions; and (iv) ensure that third-party providers employ adequate security measures to protect information, applications, and/or services outsourced from the organization.
- When new information systems are being planned, security should be a part of the planning and security management roles should be decided up front and not as an afterthought (SA-2,SA-3)
- When purchasing systems/services, security questions should be raised with the vendor – especially if student data or monetary transactions are involved (SA-4)
- Procured web services must at least support https for logins. (SA-4)
- Documentation on how to bypass security measures (such as forgotten passwords) should be restricted to those who need it. However, as most companies have their documentation public on the web and these bypass methods usually require physical machine access, physical machine access must be restricted to only those who need it (SA-5, PE-6)
- Software must be licensed and used in accordance with contract agreements and copyright laws (SA-6)
- Peer to Peer software is not to be used except where documented as acceptable (SA-6)
- While CSU currently has no rules as far as end-user installed software, care should be taken when downloading and installing tools from the Internet. (SA-7)
- Only required software should be installed on servers. Servers should not be used in the role of a daily-use/desktop machine (SA-7)
System and Communications Protection (SC): Organizations must: (i) monitor, control, and protect organizational communications (i.e., information transmitted or received by organizational information systems) at the external boundaries and key internal boundaries of the information systems; and (ii) employ architectural designs, software development techniques, and systems engineering principles that promote effective information security within organizational information systems.
- Where possible, separation between user accounts and management accounts should be maintained (SC-2)
- Where possible, separation between user accessible areas and management areas of a system should be maintained (SC-2)
- Denial of Service attacks should be mitigated or eliminated. Campus firewalls shall only allow traffic which has been deemed necessary to enter the network (SC-5)
- Administrative and academic traffic take priority over other traffic (such as games, Facebook, etc.). The campus Packetshaper performs prioritization (SC-6)
- Campus firewalls control the flow of traffic into the network (and in some cases out of). (SC-7)
- Only resources accessible to the public or to the majority of the campus population (i.e. email) will be allowed through the firewall from anywhere (SC-7(2))
- Only OITS maintained and authorized network connections are allowed. Users may not set up their own network links (such as routing via a cellular device) (SC-7(3))
- All traffic entering the network is configured as "deny all, permit by exception" (SC-7(5))
- Wherever possible, encrypted data paths should be used both to protect data in transmission and to verify the remote host's validity (SC-8, SC-9)
- Systems which are publicly accessible may have limited data on them, but should be regarded as high-risk targets because of the relaxed access rules for the public to access them (SC-14)
- Where possible, cameras and microphones on systems should provide feedback indicating they are in use. (SC-15)
- Certificates should be obtained via reputable vendors, such as DigiCert, Verisign, GeoTrust, etc. (SC-17)
- Self-signed certificates should not be used on public facing systems (SC-17)
- For internal systems, the Clayton State Certificate Authority is the only one which should be recognized (SC-17)
- Honeypots shall not be set up on the campus network. (SC-26)
- Login banners and other information which could be used to determine system information (such as ssh banners) should be obfuscated when possible to release the least amount of information (if not false information) (SC-30)
System and Information Integrity (SI): Organizations must: (i) identify, report, and correct information and information system flaws in a timely manner; (ii) provide protection from malicious code at appropriate locations within organizational information systems; and (iii) monitor information system security alerts and advisories and take appropriate actions in response.
- Scans will be run against systems on a regular basis (at minimum once a month). Flaws identified by these scans will need to be remediated within 5 business days. (SI-2)
- Any exception on vulnerability remediation must be documented by the system administrator and approved. These exceptions should only be in the cases where the remediation would interfere with normal functionality (i.e. a service pack upgrade would break the application). These exceptions should be revisited on a quarterly basis to make sure the reason for the exception is still valid.
- If a system is determined to be compromised, it WILL be removed from the network.
- The campus virus/malware protection standard is LANDeskAV. This is required to be running on desktop machines and should be kept up to date (SI-3)
- OITS receives notifications from the Board of Regents, REN-ISAC, USG ISO, etc about ongoing threats. This may generate internal advisories to the campus (SI-5)
- Regular tests of security controls should be executed to verify they are running as expected. This includes verifying firewall rules are blocking traffic, network policies are restricting traffic as designed, etc. (SI-6)
- Servers which house confidential information should employ automated software to verify system software does not change without administrator knowledge. Tripwire, AIDE, and other tools are examples of how to accomplish this. (SI-7)
- Spam protection will be maintained by OITS and all e-mail should flow through these central gateways (SI-8)
- Wherever possible, data should be checked for validity against rules for the given input field. Data should also be sanitized to prevent an input string being interpreted as commands (SQL injection, etc.) (SI-10)
- Error messages should be specific enough to allow support without logging sensitive information (i.e. password failures should not log the attempted password) (SI-11)
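The SI-10 and SI-11 items above are the two places where a policy bullet turns directly into application code, so here is an added example, written for this page rather than taken from any Clayton State system, that shows all three pieces together: a per-field validity rule applied before input reaches the database, a parameterized query beside the string-concatenated form it replaces, and a login failure log line that records the account and reason but never the submitted password. The users table, its two rows, the user id rule and the hashing parameters are all constructed for the demo.

```python
"""Added example (not Clayton State's own code): field validation and a
parameterized query (SI-10) plus failure logging that never records the
submitted password (SI-11). Table, rows, field rule and hash settings are
constructed for the demo."""
import hashlib
import hmac
import re
import sqlite3

# Assumed field rule for a user id: a lowercase letter then 2-15 alphanumerics.
USERID_RE = re.compile(r"^[a-z][a-z0-9]{2,15}$")

LOG = []  # stands in for the syslog destination required under AU-4


def validate_userid(value):
    """Reject input that does not match the field rule before it reaches the database."""
    if not isinstance(value, str) or not USERID_RE.match(value):
        raise ValueError("userid does not match field rule")
    return value


def pbkdf2(password, salt):
    # Iteration count kept low for the demo; production would use far more.
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 10_000)


def build_db():
    """Constructed sample table with two accounts and salted password hashes."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for uid, pw in (("jdoe", "correct horse"), ("asmith", "battery staple")):
        salt = hashlib.sha256(uid.encode()).digest()[:16]   # deterministic salt for the demo
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (uid, salt, pbkdf2(pw, salt)))
    return conn


def fetch_unsafe(conn, userid):
    """String concatenation: the input becomes part of the SQL text (the SI-10 failure)."""
    return conn.execute(f"SELECT userid FROM users WHERE userid = '{userid}'").fetchall()


def fetch_safe(conn, userid):
    """Placeholder binding: the driver passes the value separately from the SQL."""
    return conn.execute("SELECT userid FROM users WHERE userid = ?", (userid,)).fetchall()


def login(conn, userid, password):
    """Return True on success. Failures are logged with the account and a reason so
    support can help the user, but the submitted password is never written (SI-11).
    A malformed user id is logged by length only, so untrusted bytes stay out of the log."""
    try:
        validate_userid(userid)
    except ValueError:
        LOG.append(f"login rejected: malformed userid ({len(str(userid))} chars)")
        return False
    row = conn.execute("SELECT salt, pw_hash FROM users WHERE userid = ?",
                       (userid,)).fetchone()
    if row is None:
        LOG.append(f"login failed: user={userid} reason=unknown-user")
        return False
    salt, pw_hash = row
    if not hmac.compare_digest(pbkdf2(password, salt), pw_hash):
        LOG.append(f"login failed: user={userid} reason=bad-password")
        return False
    LOG.append(f"login ok: user={userid}")
    return True


if __name__ == "__main__":
    db = build_db()
    probe = "x' OR '1'='1"               # constructed input that is not a valid user id
    print("concatenated query rows:", len(fetch_unsafe(db, probe)))
    print("parameterized query rows:", len(fetch_safe(db, probe)))
    login(db, "jdoe", "wrong")
    print(LOG[-1])
```

Validation and parameterization are deliberately separate layers: the field rule rejects input that should never reach the database, and the placeholder query protects the fields where a permissive rule (free text, for instance) cannot.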