Office of Information Technology
Computer Use Security and Internet Access Policy

Contents
General
1. Information Security Policy
  1.1 Concepts
  1.2 Classification of information
2. Personnel Security Policies
  2.1 Ethics
  2.2 Password Policy
  2.3 General Software Policy
  2.4 Networks
  2.5 Internet
  2.6 Laptops and portable computers
3. Computer & Network Policy
  3.1 System administration policy
    3.1.1 Access Control
    3.1.2 Logon Policy
    3.1.3 Assurance
    3.1.4 Accountability and Audit
  3.2 Network Policy
    3.2.1 Network / Distributed Systems Policy
    3.2.2 Dial-in access
    3.2.3 Dial-out
    3.2.4 Information in websites
    3.2.5 Electronic mail and electronic communications
    3.2.6 Internet Firewall
4. Enforcement
5. References
General

The Office of Information Technology (OIT) provides a wide variety of IT resources, including computers, networks, software and computer accounts, for use by University students, faculty and staff. These resources are administered by OIT and are intended for the legitimate business of St. Thomas University. Computer accounts are provided to faculty, staff and students as a privilege associated with membership in the University community. When an individual accepts this privilege, a number of responsibilities must be assumed, including knowledge of the applicable University policies and procedures.

In recognition of the World Wide Web (WWW) as an important communication medium, OIT encourages its use as a means of supporting and fulfilling the mission and official work of the University. This and all other policies and procedures associated with OIT resources are not intended to abridge academic freedom, constitutional guarantees of free speech, or freedom of expression.

The use of IT resources is available to all members of the University community. While the rights of academic freedom and intellectual creativity are recognized, the interests of the University, students, faculty and staff must be protected. In addition to legal liability issues, the institutional image and reputation of St. Thomas University as a major research institution are valuable assets requiring protection. All uses of University IT resources are subject to the applicable rules, policies and procedures of the University and/or its governing boards, as well as the Florida Statutes governing computer fraud, misuse of state equipment and resources, public information, and related criminal offenses.

To help maintain the proper functioning of computer and networking hardware and software, the Office of Information Technology will take reasonable steps to ensure its computing resources are free of deliberately destructive software, such as viruses. Individuals share responsibility for protecting University computers and should ensure the integrity of any electronic media they introduce. Owners of computer accounts are responsible for all use of their accounts: they should prevent unauthorized use by others and report intrusions to the system administrators.

The University cannot guarantee that, in all instances, copies of critical data will be retained on University systems. It is ultimately the responsibility of computer users to keep secure backup copies of essential files for disaster recovery.

Respect for intellectual labor, creativity, and the right to privacy is vital to academic discourse and enterprise. System integrity is also essential for individual function. Invasion of privacy and unauthorized access to files can be justified only by real threats to the integrity of the network or node.

1. Information Security Policy

1.1 Concepts

All major information assets shall have an owner.
The owner shall classify the information into one of the sensitivity levels listed below, depending on legal obligations, costs, University policy and business needs, and is responsible for the protection of that information. The owner shall declare who is allowed access to the data, and shall secure it, or have it secured, according to its sensitivity.

1.2 Classification of information

Information is classified into four levels. The lowest (1) is the least sensitive and the highest (4) is for the most important data and processes. Each level is a superset of the previous level: a system classified as class 3 must follow the directives of classes 1, 2 and 3. If a system contains data of more than one sensitivity class, it must be classified according to the most confidential data on the system.

Class 1: Public / non-classified information
Description: Data on these systems could be made public without any implications for the University (i.e. the data is not confidential). Data integrity is not vital. Loss of service due to malicious attacks is an acceptable risk.
Examples: Test services without confidential data, certain public information services.
Guidelines on storage: none.
Guidelines on transmission: none.
Guidelines on destruction: none.

Class 2: Internal information
Description: External access to this data is to be prevented, but should it become public the consequences are not critical (e.g. St. Thomas University may be publicly embarrassed). Internal access is selective. Data integrity is important but not vital.
Examples: Data found in development groups (where no live data is present), certain production public services, certain customer data, "normal" working documents, project and meeting minutes, and internal telephone books.
Guidelines on storage: Information shall be labeled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files. IT systems susceptible to virus attacks should be regularly scanned for viruses. The integrity of systems should be regularly monitored.
Guidelines on transmission:
1. For projects involving collaboration with external partners, a project policy document shall stipulate what information may be shared with the external partners.
2. This information shall stay within the University; if it must transit public media (e.g. the Internet), it should be encrypted.
Internal data shall not be transferred outside the University except as in points 1 and 2.
Guidelines on destruction: none.

Class 3: Confidential information
Description: Data in this class is confidential within the University and protected from external access.
Examples: Salaries, personnel data, accounting data, very confidential customer data, sensitive projects and confidential contracts. Data centers normally maintain this level of security.
Guidelines on storage: Information shall be labeled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files. IT systems susceptible to virus attacks should be regularly scanned for viruses. The integrity of systems should be regularly monitored. IT systems shall be configured to protect against unauthorized modification of data and programs. Information shall be kept under lock and key (e.g. documents in locked cabinets, computers in locked rooms).
Guidelines on transmission: Passwords shall not be transmitted in clear text (electronically or on paper). This information shall stay within the University; if it must transit public media (e.g. the Internet), it shall be encrypted, and the encryption algorithms used shall be strong.
Guidelines on destruction: Information shall be securely disposed of when no longer needed (e.g. shredders for documents, destruction of old disks and diskettes).

Class 4: Secret information
Description: Unauthorized external or internal access to this data could be critical to the University. Data integrity is vital. The number of people with access to this data shall be very small, and very strict rules must be adhered to in its use.
Guidelines on storage: Information shall be labeled, i.e. the classification level shall be written on documents, media (tapes, diskettes, disks, CDs etc.), electronic messages and files. IT systems susceptible to virus attacks shall be regularly scanned for viruses. The integrity of systems shall be regularly monitored. IT systems shall be configured to protect against unauthorized modification of data and programs and shall be audited yearly. Information shall be kept under lock and key (e.g. documents in locked cabinets, computers in locked rooms). Information shall be stored in encrypted form, or on removable disks that are physically secured.
Guidelines on transmission: This information shall be encrypted during transmission outside of secure zones. Encryption algorithms used shall be strong [4].
Guidelines on destruction: Information shall be securely disposed of when no longer needed (e.g. shredders for documents, destruction of old disks and diskettes).

Internet pornography and other illicit material
The Internet is now a major carrier of illicit material, from soft pornography to pedophile material to Nazi propaganda. If such material is known to be passing over St. Thomas University's Internet gateways, it shall be blocked. Personnel may not use University computers or infrastructure to access such material; users who contravene this directive may be disciplined.

2. Personnel Security Policies

2.1 Ethics

Users are not allowed to: share accounts or passwords with friends or relatives; run password checkers on system password files; run network sniffers; break into other accounts; disrupt service; abuse system resources; misuse email; examine other users' files unless asked to do so by the file owner; download PC binaries; or copy unlicensed software or allow other users to copy unlicensed software.

2.2 Password Policy

It is vitally important that all users connected to the network understand the importance of keeping their password secret. If a password must be written down, it shall be placed in a sealed envelope and kept in a safe place with an access list.

Passwords shall not be, or contain, any of the following:
• Dictionary words (including foreign and technical dictionaries)
• Anyone's or anything's name
• A place
• A proper noun
• A phone number
• Repetitions of the same character
• Simple patterns of letters on the keyboard
• Any of the above reversed or concatenated
• Any of the above with digits prepended or appended

Users must choose their passwords according to the following:
• A mixture of numbers, capital letters, small letters and punctuation
• Easy to remember (no need to write it down)
• Easy to type quickly (difficult for an observer to follow)

Password guidelines
• Passwords must not be written down or disclosed via email.
• Default passwords shall not be used.
• If a password on a system is disclosed, it must be changed immediately.
• Users will be informed in detail of password-cracking dangers and successes.
• All vendor-defined default passwords must be changed before the system is used.
• Passwords shall be stored in encrypted form. The encryption should be strong, resisting brute-force attack for at least weeks on a powerful workstation.
• A user shall not be able to read other users' (encrypted) passwords from the password file.
• Embedding clear-text passwords in software must be avoided at all costs. Embedded encrypted passwords are also to be avoided where possible.
• A password minimum age, maximum age, minimum length and history list will be enforced: minimum age 60 days, maximum age 90 days, minimum length 6 characters, and reuse of the last 2 passwords prohibited.
• The allowed password content is specified above; the system will check the content of a new password against these rules before accepting it.
• Users shall not be able to change other users' passwords; the account operator can change user passwords.
• A change of password will be forced on the first login after the password has expired.
• If any St. Thomas University faculty or staff member or student types their STU account password incorrectly three (3) consecutive times, the account will be locked out for a ten (10) minute period. The counter of invalid attempts is reset after that 10-minute period.

2.3 General Software Policy

Public domain software may be used on class 1 and 2 systems if OIT is convinced of the integrity of the author and sources. Public domain software on class 3 systems is to be avoided; when necessary, it is allowed only after a review of the source code or, if the source is too large to review, after the software has been in general use for at least a year on comparable systems in many other well-known and trusted organizations and has been rigorously tested in a protected environment. Unlicensed software will not be used.
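The password content rules in 2.2 above (dictionary words, names and places, phone numbers, repeated characters, keyboard patterns, reversals, concatenations, prepended or appended digits, minimum length, character mix and the two-password history), as an added example in Python. This is not code from the University or the original policy: the word lists are constructed stand-ins for the dictionaries, personnel directories and gazetteers a real deployment would load, and check_password and its helpers are hypothetical names.

```python
import re
import string

# Constructed stand-ins for the word lists a real deployment would load
# (system dictionary, personnel directory, gazetteer of place names).
FORBIDDEN = {
    "dictionary word": {"password", "welcome", "summer", "university",
                        "secret", "admin", "letmein", "computer"},
    "name": {"thomas", "maria", "john", "fido"},
    "place": {"miami", "florida", "paris"},
}
ALL_WORDS = set().union(*FORBIDDEN.values())
KEYBOARD_ROWS = ["qwertyuiop", "asdfghjkl", "zxcvbnm", "1234567890"]

MIN_LENGTH = 6       # 2.2: minimum length 6 characters
HISTORY_DEPTH = 2    # 2.2: the last 2 passwords may not be reused


def _keyboard_pattern(s: str) -> bool:
    """True if s is a run of adjacent keys on one row, forwards or backwards."""
    return any(s in row or s in row[::-1] for row in KEYBOARD_ROWS)


def _concatenation(s: str):
    """Return (a, b) if s is two forbidden words joined together, else None."""
    for i in range(1, len(s)):
        if s[:i] in ALL_WORDS and s[i:] in ALL_WORDS:
            return s[:i], s[i:]
    return None


def _candidates(pw: str) -> set:
    """The password plus the variants the policy forbids: reversed, and with
    prepended/appended digits or punctuation stripped off."""
    low = pw.lower()
    core = low.strip(string.digits + string.punctuation)
    return {c for c in (low, low[::-1], core, core[::-1]) if c}


def check_password(pw: str, history=()) -> list:
    """Return the list of 2.2 rules the candidate password breaks (empty = accepted).
    history is the user's previous passwords, most recent first."""
    problems = set()
    if len(pw) < MIN_LENGTH:
        problems.add("shorter than %d characters" % MIN_LENGTH)
    if len(set(pw)) == 1:
        problems.add("all characters identical")
    if re.fullmatch(r"[\d\s()+-]+", pw):
        problems.add("looks like a phone number")
    for cand in _candidates(pw):
        for kind, words in FORBIDDEN.items():
            if cand in words:
                problems.add("%s: %s" % (kind, cand))
        if len(cand) >= 4 and _keyboard_pattern(cand):
            problems.add("keyboard pattern: %s" % cand)
        pair = _concatenation(cand)
        if pair:
            problems.add("concatenated words: %s+%s" % pair)
    classes = (any(c.isdigit() for c in pw), any(c.isupper() for c in pw),
               any(c.islower() for c in pw), any(c in string.punctuation for c in pw))
    if not all(classes):
        problems.add("must mix digits, upper case, lower case and punctuation")
    if pw in list(history)[:HISTORY_DEPTH]:
        problems.add("reuses one of the last %d passwords" % HISTORY_DEPTH)
    return sorted(problems)
```

The check is run on the lower-cased password, its reverse, and the same two with leading and trailing digits or punctuation removed, so "Summer2024!" is rejected as the dictionary word "summer" and "WelcomeMiami9!" as a concatenation, while a password with no recognisable base word and all four character classes passes.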
Games are allowed on the system if OIT can ensure that they use no more than 5% (for example) of resources (disk, memory, CPU) and are not abused.

2.4 Networks

Confidential information: Confidential data transmitted over public networks shall be encrypted.

Connection to networks:
A user may not connect a machine to any network except St. Thomas University's LAN. Access to external (public and private) networks shall occur over a firewall. All firewalls shall be installed and maintained by OIT.

Modems: Users may not have modems on their machines. Dial-in access to the University LAN is allowed for certain users; all dial-in access shall occur via secured servers with one-time-password mechanisms.

Email: Users should be aware that conventional email systems often guarantee neither privacy nor proof of origin or receipt. Class 2 data may be sent internally within the University without encryption. Class 3 data shall be encrypted. Class 4 data may not be transmitted via email. Only class 1 data, and information specifically allowed for projects with external entities, may be emailed outside the University. Users should be aware of the risks of opening documents with macros, opening PostScript files, and installing programs received via email.

2.5 Internet

OIT will protect St. Thomas University from the risks associated with Internet access, such as disclosure of confidential information, attempts by hackers on the Internet to penetrate the University network, and alteration or loss of information. All users are allowed Internet access; they must therefore be aware of the risks involved and of the policy on Internet usage. All outgoing access to the Internet must go over approved gateways that have been certified as conforming to the security policy.

2.6 Laptops and portable computers

Users must be educated about the risks of laptop usage. All laptops will be prepared and installed by OIT professional staff. Users are responsible for laptops outside the University buildings. Automatic screen locking and boot passwords must be enforced where possible. An active virus scanner must be installed. Laptops should be carried as hand baggage on public transport. Class 3 data shall not be transported on laptops unless it is encrypted. Laptops must be switched off when not in use. Passwords of any kind that allow access to University network systems must never be stored on a laptop.
Modems will be turned off when not in use. Dial-in access to the University network is specified in the network access policy (3.2.2).

3. Computer & Network Policy

3.1 System administration policy

The Office of Information Technology ensures that systems are available when needed, that confidential information is available only to those authorized to access it, and that information is not subject to unauthorized changes. Users are not allowed administrator access to their workstations.

3.1.1 Access Control

All users must be authorized prior to accessing any network resource. Users are able to set the privileges of objects belonging to them in their environment. Users must be prevented from deleting other users' files in shared directories. It must be possible to control user access to all objects on the system (files, printers, devices, databases, commands, applications etc.) according to a stated policy. Users will not be able to examine the access control granted to other users. It should be possible to label data with a classification from 1 to 4 as stated above (1.2 Classification of information). Mandatory access control should be provided.

3.1.2 Logon Policy

All users will be given the minimum privileges for the shortest time necessary to do their work. Accounts should exist only for authorized persons. Each user must be identified by a name or number and belong to a group. Username and group name structure should be standardized University-wide (number of characters, composition). Users and groups must be managed by OIT, not by users themselves. Each user should have only one account on the system. Guest accounts are not allowed except in special cases; if guest accounts are used, their working environment will be very restricted. When a user is transferred or terminates employment, his or her account will be blocked or deleted immediately; procedures exist whereby personnel administration automatically informs OIT. A screen lock with password protection should be activated after 15 minutes of idle time.
User application and system configuration files should be writable only by the user and should not be world-readable. Users should be informed of actions that violate security; likewise, users must inform their supervisor, and the supervisor must inform OIT, if they suspect a security violation. If an account is subjected to continuous login failures (20 attempts in 1 hour), the account will be blocked and the user notified. When a user logs on, the following will be displayed: a legal notice informing the user of the implications of system abuse, and the time and device of the last successful and unsuccessful login (the user should check that they are correct). On dial-up systems the phone line will be disconnected after the 3rd unsuccessful login attempt. OIT does not currently restrict how many simultaneous sessions a user may have, though a limit may be implemented in the future. An expiration date can be set for a user account if required.

3.1.3 Assurance

Audits should be run regularly on the system (e.g. once per year or once every 3 months). Conformance of current operating systems to ITSEC/TCSEC requirements is discussed in the chapter "Operating Systems Overview".

3.1.4 Accountability and Audit

Audit trail logs and the programs and utilities that handle them are protected. Logs do not contain passwords. Unsuccessful login attempts will be logged and notified if required. Important events automatically raise an alarm (high-priority message). All machines should have their clocks synchronized to guarantee the validity of audit log timestamps.

3.2 Network Policy

3.2.1 Network / Distributed Systems Policy

Network configuration shall be documented. Users are accountable for their actions and must observe the "Network User Policy".

Access Control: Unnecessary network services shall be disabled. Network services shall be configured restrictively and have all security bug fixes (patches) installed.
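The two lockout rules, three consecutive failures with a ten-minute lock (2.2 above) and twenty failures in an hour blocking the account (3.1.2), together with the "last successful and unsuccessful login" display and the requirement that logs not contain passwords (3.1.4), as an added example in Python. It is not code from the University or the original policy. The stored-password format (salted PBKDF2-HMAC), the clock passed in as a parameter, and the account names are assumptions; so is the way the two rules interact, which the policy text does not spell out: attempts made during the ten-minute lock are refused without checking the password but still count toward the hourly total, so a sustained guessing attack gets the account blocked even though every guess is being turned away.

```python
import hashlib
import hmac
import os
from collections import deque

TEMP_LOCK_FAILURES = 3           # 2.2: three consecutive wrong passwords ...
TEMP_LOCK_SECONDS = 10 * 60      # ... lock the account for ten minutes
BLOCK_FAILURES = 20              # 3.1.2: twenty failed attempts within one hour ...
BLOCK_WINDOW_SECONDS = 60 * 60   # ... block the account until an operator clears it
PBKDF2_ROUNDS = 100_000          # assumption: work factor for the stored hash


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256: a stand-in for the 'encrypted form' 2.2 requires."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS)


class Account:
    def __init__(self, username: str, password: str):
        self.username = username
        self.salt = os.urandom(16)
        self.digest = hash_password(password, self.salt)
        self.failures = deque()     # timestamps of failed attempts in the last hour
        self.consecutive = 0        # consecutive failures since the last success or lock
        self.locked_until = 0       # epoch seconds; 0 = not temporarily locked
        self.blocked = False        # needs the account operator to clear it
        self.last_success = None    # shown to the user at logon (3.1.2)
        self.last_failure = None
        self.audit = []             # (time, event); never contains the password itself

    def _verify(self, password: str) -> bool:
        return hmac.compare_digest(hash_password(password, self.salt), self.digest)

    def _expire(self, now: int) -> None:
        # Drop failures that have fallen out of the rolling one-hour window.
        while self.failures and now - self.failures[0] >= BLOCK_WINDOW_SECONDS:
            self.failures.popleft()
        if self.locked_until and now >= self.locked_until:
            self.locked_until = 0      # lock period over: the counter resets
            self.consecutive = 0

    def _fail(self, now: int, reason: str) -> tuple:
        self.failures.append(now)
        self.last_failure = now
        if len(self.failures) >= BLOCK_FAILURES:
            self.blocked = True        # user is notified; operator must unblock
            reason = "blocked"
        self.audit.append((now, "failure: %s (%d in last hour)" % (reason, len(self.failures))))
        return False, reason

    def login(self, password: str, now: int) -> tuple:
        """Return (allowed, reason). now is epoch seconds, passed in so the
        timing rules can be exercised without sleeping."""
        self._expire(now)
        if self.blocked:
            return self._fail(now, "blocked")
        if now < self.locked_until:
            # Refused without checking the password, but still counted.
            return self._fail(now, "locked")
        if self._verify(password):
            self.consecutive = 0
            self.last_success = now
            self.audit.append((now, "success"))
            return True, "ok"
        self.consecutive += 1
        if self.consecutive >= TEMP_LOCK_FAILURES:
            self.locked_until = now + TEMP_LOCK_SECONDS
            return self._fail(now, "locked")
        return self._fail(now, "bad password")
```

Note that the correct password is refused while the temporary lock is in force; only after the ten minutes have elapsed does the consecutive counter reset and a correct password succeed. The audit list records reasons and counts only, which is what 3.1.4 asks for.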
Available networks could be labeled open access, restricted access or highly restricted access, so that users and data owners are aware of the protection offered. If a LAN is labeled open access and confidential information needs to be transmitted over it, additional measures such as application-level encryption will be necessary to make up for the lack of LAN security. Where restricted-access networks are required, cabling should not pass through public areas; it should be protected in conduit, and connection points should be available only to authorized persons. If external contractors install the cabling, it should be inspected.

Data Exchange: Confidential information shall only be transmitted by approved transport mechanisms (e.g. email systems used for confidential data shall be approved by security management). Login session information (e.g. username, password) shall not be sent over the network in clear form. Networks shall be protected against eavesdropping: network sniffers such as snoop, etherfind, tcpdump, iptrace etc. will not be available to users; networks shall be divided into subnets, active bridges and hubs shall be used, and unused network connection points shall be disabled. Encryption of class 3 data before transmission on internal networks should be considered; class 3 data transmitted over public networks must be encrypted. Where possible, networks should be protected against electromagnetic eavesdropping. When information is transmitted (sent or received), the sender's or receiver's identity must be attached to the information and checked by the components responsible for the transmission. Class 3 data shall not be sent to unauthorized users or to systems with a lower classification. In certain applications (e.g. class 3 email), mechanisms should exist for proving that the sender or receiver did actually transmit or receive the data (proof of origin / receipt).

Reliability of Service / Availability: The network is required 24 hours a day, 7 days a week. Maintenance window for running backups: 2:30-7:30 every day and the first weekend of every month. Maximum downtime during office hours shall be 1 hour, at most once every two months. The network shall be monitored for errors and performance problems, and preventive action taken before serious network disruptions occur, where possible.

Remote Access Policy. External network interfaces: Networks (X.25, dial-up, Internet, vendor networks, telephone networks, customer networks etc.) will not be interconnected if doing so would breach the security policy. Access to external networks must occur over a firewall. The firewall must have a security policy and be regularly monitored and audited.
3.2.2 Dial-in access

All incoming dial-up connections (via PSTN or ISDN) shall use a strong authentication system: one-time passwords, challenge-response, etc. Dial-in access to the University network should only be allowed where necessary and where the following conditions are met:

Assurance: The dial-in server configuration shall be accurately documented and subjected to yearly audits.

Identification and authentication: Administrator login shall not send passwords in clear text. In addition, call-back or closed user group features should be used where possible.

Accountability and audit: Users shall be accountable for their actions. Dial-up servers shall provide detailed logging and auditing of connections. Logs will be automatically analyzed, with critical errors generating alarms. Logs shall be archived for at least one year. Non-trivial log entries shall be examined daily. Statistics on usage should be available. The servers shall be subject to regular (weekly) monitoring and yearly audits.

Access control: Dial-up servers shall not share file or printer resources with other internal machines. Only administrators shall be allowed to log on locally. Dial-up servers shall be installed in a physically secured (locked) room. A list should be kept of those users with modems. If possible, the telephone network should be regularly scanned for unauthorized modems. Switch off modems at night if not needed (a $5 timer will do this).

Data exchange: Use encrypted communication (e.g. encrypted Telnet, SSH) if possible, especially for remote administrator access, so that passwords are not sent in clear text.

Reliability of service: Dial-up servers shall have all unnecessary services stopped. Dial-up servers shall be robust multitasking machines. Dial-up servers must offer the following availability: 7x24h, maximum downtime 4 hours (during office hours), at most twice per month. Maintenance window: Wednesday evening after office hours.
3.2.3 Dial-out

Dial-out network connections can extend the network, creating uncontrolled points of access to it. Users shall not use dial-out capability (modems) on their machines. If such functionality is required, it shall:
• Be authorized by the concerned line manager and University Security; the authorization shall be reissued yearly.
• Take place via a centralized dial-out server regularly audited by OIT security.
• Be recorded on the list of users with modems.

3.2.4 Information in websites

Advertisements for personal gain are not allowed on Web sites. This does not preclude additional limits on personal use of University equipment as may be determined by individual units within the University in accordance with normal supervisory procedures. Any commercial use of IT resources by an individual must be pre-approved, consistent with existing University policies and procedures regarding outside employment. A link from a University Web site to an external site may only be made if the main focus of the linked site supports or enhances the University mission. Commercial advertising on unofficial Web sites using a University computing account is a violation of University policy; individuals are prohibited from using their computing accounts in association with any commercial purpose or enterprise. This policy is intended to govern commercial use of the Web site, not to prohibit its use as a component of academic instruction and research; commercial references may therefore be included on sites as exceptions if determined to be in the best interest of the University. An example of an appropriate exception would be commercial references necessary as part of an academic assignment for students. Official pages are viewed as analogous to print publications of the institution in the approval process they must go through (they must be reviewed and signed by the appropriate approving authority).

The Office of Information Technology does not actively monitor the content of Web sites; however, it reserves the right to remove a Web site from any STU server found to be in violation of federal, state or local law, or of any University rules, policies or procedures (including this policy). Individual faculty, staff and students at STU may use University Web space to publish a Web site containing information pertinent to their role and responsibility at St. Thomas University. However, Web sites are not to be used for professional business or advertising. When providing links from official University Web sites to any off-site or unofficial on-site content, the surrounding text should make it clear that the viewer is leaving STU's official Web site.
3.2.5 Electronic mail and electronic communications

The University supports open access to electronic communication and information, and members of the University community may freely communicate and access information on electronic networks. E-mail messages may not contain content that may be considered offensive or disruptive. Offensive content includes, but is not limited to, obscene or harassing language or images; racial, ethnic, sexual or gender-specific comments or images; or other comments or images that would offend someone on the basis of their religious or political beliefs, sexual orientation, national origin or age. Employees may not retrieve or read e-mail that was not sent to them unless authorized by the University or by the e-mail recipient. Employees should report any misuse of the University e-mail system or violations of this policy to the appropriate supervisor.

Other e-mail issues may be addressed in this policy or included as part of OIT's overall information systems standards and procedures. They include:
1. Virus checking of attachments
2. Password protection
3. Archival/storage of old messages
4. Use of distribution lists
5. Restricting use of "copy all" for sending or responding to messages

In addition, St. Thomas University's OIT resources may not be used:
1. To access or view pornographic or obscene materials unless necessary for academic instruction or research.
2. To utilize the University's trademarks or logos without specific authorization from St. Thomas University.
3. To impersonate another person or misrepresent authorization to act on behalf of others.
4. For personal financial or commercial purposes.
5. To state or imply, without authorization, that a user speaks or acts on behalf of the University.
6. To invade the privacy of others or make unauthorized use of their work. Users should not attempt to read or copy files belonging to others, or decrypt or translate encrypted material, unless the files have deliberately been made accessible by the owner(s) or authorization has been obtained to do so.
7. To send or create junk mail, spam, chain letters, computer viruses or hoaxes, or other disruptive material.
8. To intentionally damage or disable computer systems, networks, or software.
9. In violation of copyright laws.
10. In violation of federal, state or local law governing the use of computer and information technology. Unauthorized or fraudulent use of the University's computing resources may result in felony prosecution and punishment as provided for by state or federal law.
11. In violation of University or governing board rules and regulations concerning computer and information technology.
12. To delete or destroy public records without authorization.
13. To undermine the security or integrity of computing systems or networks, or to attempt to gain unauthorized access. Users may not use any computer program or device to intercept or decode passwords or similar access control information. Security gaps should be reported to the appropriate system administrators.
14. To copy or use software except as explicitly permitted under licensing agreements. Computer users should be able to prove ownership of software in their possession.

Any information, including e-mail messages or other data, produced, transmitted or received by University employees "pursuant to law or ordinance or in connection with the transaction of official business" is defined as a public record by Florida law and is subject to the provisions of Chapter 119, Florida Statutes. Public records must be retained according to specific retention schedules, are subject to inspection and copying upon request by any member of the public (except as specifically exempted by law), and may not be deleted or destroyed except as authorized by law. Adherence to public records requirements is the individual responsibility of each employee. Subject to public records law, the University supports each individual's right to private communication and will take reasonable steps to ensure the security of the network; however, the University cannot guarantee absolute privacy of electronic communication.

Violation of this policy will result in disciplinary action up to and including termination, and/or legal action if warranted.

3.2.6 Internet Firewall

A firewall has been placed between the University's private networks and the Internet to protect its systems and to prevent untrusted networks from accessing the STU network. Students, faculty and staff must not circumvent the firewall by using modems or network tunneling software to connect to the Internet. The firewall will be selected and maintained by the Office of Information Technology. All users who require access to Internet services must do so using OIT-approved software and Internet gateways. Some protocols have been blocked or redirected; a user with a business need for a particular protocol must raise the issue with his or her manager. All other forms of Internet access (such as via dial-out modems) from sites connected to the University LAN are prohibited.
The firewall will not accept traffic on its external interfaces that appears to be coming from internal network addresses. The firewall will provide detailed audit logs of all sessions so that these logs can be reviewed for any anomalies. Secure media shall be used to store log reports, with access to this media restricted to authorized personnel only. All in-bound services shall be intercepted and processed by the firewall.

Appropriate firewall documentation will be maintained on off-line storage at all times. Such information shall include, but not be limited to, the network diagram (including the IP addresses of all network devices), the IP addresses of relevant hosts of the Internet Service Provider (ISP) such as the external news server, router, DNS server, etc., and all other configuration parameters such as packet filter rules. Such documentation shall be updated any time the firewall configuration is changed.

The network security policy shall be reviewed on a regular basis; where requirements for network connections and services have changed, the security policy shall be updated and approved. If a change is to be made, the firewall administrator shall ensure that the change is implemented and the policy modified. The details of St Thomas University's internal trusted network should not be visible from outside the firewall. The firewall will be configured to deny all services not expressly permitted and will be regularly audited and monitored to detect intrusions or misuse. The firewall shall notify the system administrator in near-real-time of any item that may need immediate attention, such as a break-in into the network, little disk space available, or other related messages, so that immediate action can be taken. The firewall software will run on a dedicated computer; all non-firewall related software, such as compilers, editors, communications software, etc., will be deleted or disabled.
Access Control:
• All Internet access from the network must occur over proxies situated in a firewall.
• Default configuration: unless otherwise specified, services are forbidden.
• All users are allowed to exchange email with the Internet.
• Users may not provide services to the Internet.
• Users should not be able to log on directly to firewall machines.
• Internet access to illicit material should be prevented where possible.
• Accuracy: the firewall machine(s) shall have the integrity of their files checked regularly (every month) and must be subject to regular monitoring and yearly audits.
• The firewall policy and configuration must be accurately documented.

Identification and Authentication:
• Incoming user connections from the Internet shall use a strong authentication system: one-time passwords, challenge-response, etc.
• Administrator accounts shall also use either a one-time password mechanism or encrypted login sessions.

Accountability and audit:
• Firewall and proxy machines will be securely installed. All unnecessary services will be stopped in the operating system.
• Detailed firewall logs shall be kept.
• Logs of all security audits shall be kept.
• Logs shall be automatically analyzed, with critical errors generating alarms.
• Logs shall be archived for at least one year.
• The non-trivial log entries shall be examined weekly.
• Statistics on usage should be available.

Data Exchange:
• All login sessions to firewall machines shall use encrypted login or one-time passwords.
• Subversion and spoofing of network services such as routing, DNS and email should be prevented.

Reliability of Service:
• The firewall shall be available 7x24h, with a maximum downtime of 4 hours (during office hours) and a maximum frequency of twice per month. Maintenance slot: Wednesday after 18:00.
• Alerts should be raised if important services/processes crash.
• Important services (such as the WWW proxy) should be configured for high availability.
• Regular backups shall be made where necessary (e.g. configuration files, changing data such as WWW content).
• It is possible to specify what ports are available at what time of day.

Incident Response Procedure:
The firewall is designed to protect the internal network from unauthorized Internet access. It is regularly monitored for security breaches. The reaction to an incident aims to protect and restore the normal operating condition of computers, services and information.

Incident Response Team:
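Two of the requirements above (rejecting external traffic that claims an internal source address, and automatically analyzing logs so that critical entries raise alarms) can be checked in a small log-review script. This is an added example, not OIT's code: the log format, the interface names, the internal address ranges and the permitted inbound ports are all constructed assumptions.

```python
import ipaddress
from typing import Dict, List

# Assumed trusted address space; in practice this comes from the documented network diagram.
INTERNAL_NETS = [ipaddress.ip_network("10.0.0.0/8"), ipaddress.ip_network("192.168.0.0/16")]
# Services expressly permitted inbound (assumed: SMTP for email exchange, HTTPS to the proxy).
# Everything else is default-deny, so an ACCEPT on any other port is a policy deviation.
PERMITTED_INBOUND = {25, 443}

# Constructed log lines in the form "<iface> <action> proto=<p> src=<ip> dst=<ip> dport=<n>".
SAMPLE_LOG = [
    "ext ACCEPT proto=tcp src=203.0.113.7 dst=198.51.100.10 dport=25",
    "ext DROP proto=tcp src=203.0.113.7 dst=198.51.100.10 dport=23",
    "ext ACCEPT proto=tcp src=10.20.30.40 dst=198.51.100.10 dport=443",
    "ext ACCEPT proto=tcp src=203.0.113.9 dst=198.51.100.10 dport=3389",
    "int ACCEPT proto=tcp src=10.1.2.3 dst=198.51.100.10 dport=443",
]


def parse_line(line: str) -> Dict[str, str]:
    """Split one constructed log line into a dict of its fields."""
    iface, action, *fields = line.split()
    rec = {"iface": iface, "action": action}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def is_internal(ip: str) -> bool:
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def analyze(lines: List[str]) -> List[str]:
    """Return one alarm string per entry that needs the administrator's immediate attention."""
    alarms = []
    for line in lines:
        rec = parse_line(line)
        src, port = rec.get("src", ""), int(rec.get("dport", "0"))
        # Anti-spoofing rule: an internal source address must never arrive on the external interface.
        if rec["iface"] == "ext" and src and is_internal(src):
            alarms.append(f"SPOOF: internal source {src} seen on external interface")
        # Default-deny rule: inbound ACCEPTs are only legitimate for expressly permitted services.
        if rec["iface"] == "ext" and rec["action"] == "ACCEPT" and port not in PERMITTED_INBOUND:
            alarms.append(f"POLICY: inbound port {port} accepted but not expressly permitted")
    return alarms


if __name__ == "__main__":
    for alarm in analyze(SAMPLE_LOG):
        print(alarm)
```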
The principal roles are indicated in italics below. For each role a backup person should be available.

Management Responsible: Arnol Lopez (Tel. 7862954114)
Technical Responsible Firewall: Alejandro Cantero (Tel. 7862954119). Responsibility: knows how to technically administer the systems in question; can detect incidents and can take technical measures to limit damage. A good technical understanding of the system is essential.

Procedure: In case of an emergency, each of the following points will be considered and acted upon. The principal steps involved are:

1. Preparation: The team should have read this chapter and be aware of the implications.
• Incident detection: quick assessment
• Immediate action: limit damage
• Public Relations / Communications
• Detailed situation analysis
• Recovery: restore data/services/systems
• Follow-up

2. Incident detection: quick assessment
• Source of threat: e.g. accidental administrator damage/mistakes, accidental disclosure of internal or confidential documents, attack from the Internet, attack from the telephone network, attack from the internal network, or a hoax.
• Result of threat: integrity, confidentiality or availability of systems/services/data may have been affected.
• If an attack has occurred: Has the attacker successfully penetrated the systems? Can he re-enter at will? Where have intruders been detected? What is the extent of the damage? What is the principal danger posed? e.g. availability, information privacy, information integrity, adverse publicity.

3. Immediate action: limit damage
• If a serious attack or disaster occurs, the Management Responsible and Technical Responsible should decide on the immediate action necessary to eliminate the threat or limit damage (depending on the gravity of the situation and users' needs).
• It should be clear who is in charge of handling the incident in question.
• Start an event log: document every single action taken, events, and evidence found (with time and date).

4. Recovery: restore data/services/systems. Depending on the incident, the following may be necessary:
• Clean systems and restore data/programs/services.
• Fix weaknesses found in the system.
• Treat programs on compromised systems as untrusted; compare them with safe copies (e.g. the OS on CDROM).

5. Follow-up
• Have all services been restored?
• Has the weakness used by the attacker been addressed? Has the cause been dealt with?
• Do insurance or legal claims/procedures have to be filed?
• Does this Incident Response Procedure need changing?
• If changes to the firewall are required, activate the firewall change procedure.

General Guidelines:
• Keep contact names, telephone numbers and email addresses off-line. It is not to be assumed that the on-line address book will be available in an emergency.
• If the intruder seems very clever and difficult to stop, it is worthwhile calling in experts to help.
• Reliable, frequent backups going back several months are very important and thus will be kept.
• This incident response procedure should be tested, possibly yearly.
• Disruption to users will be minimized, and all inquiries about the status of this procedure will be answered at all times.

4. Enforcement

Users who do not adhere to this policy shall be warned and the corresponding line manager informed. A user who continues to ignore warnings may be removed from his function.

5. References

Chapter 815, Florida Statutes (Florida Computer Crimes Act)
Electronic Communications Privacy Act of 1986