Office of Information Technology
Security: Policies & Guidelines


UMBC IT-02: Guidelines for Securing University IT Resources
DRAFT DATE: October 18, 2001
SUBJECT: UMBC Guidelines for Securing University IT Resources
SOURCE: Office of Information Technology
GUIDELINE NUMBER: IT-02
REVIEWERS: IT Steering Committee
Faculty Senate Computer Policy Committee
Provost Council
President's Council
DATE Finalized: Draft 2

RATIONALE:

Computing, networking, and other information technologies have become critical in support of most, if not all, UMBC operations. This dependence has resulted in a very large, very diverse, and very complex technology environment, which in turn has resulted in a greater opportunity for intrusion attempts. At the same time, much more data is being stored, accessed, and manipulated electronically, and as the risk to systems increases, the risk of unauthorized disclosure or modification of personal, proprietary, or institutional data is also increased. It is very important that everyone associated with providing and using these technology services is diligent in their administration and responsive to security threats. It is also important that information related to intrusions, attempted intrusions, or other such incidents is shared, so that such events can be recognized and perhaps avoided elsewhere.

The use of automated scanners and break-in scripts makes it easy for someone to quickly scan entire networks for vulnerable systems. Systems that are not properly secured are likely to be discovered, and they will then be subject to intrusion. Data on such systems will be compromised, or even altered or destroyed. Also, such systems may be used to intrude upon or initiate denial of service attacks against other local systems or systems at external sites.

GUIDELINES:

  1. The Office of Information Technology (OIT) is responsible for establishing information security guidelines and standards, and providing technical security information and tools to members of the University community.

  2. OIT has the authority and responsibility to specify information security requirements for all UMBC computer systems, networks, or other information technology resources. OIT is responsible for providing the following security services:
    1. OIT will establish a position, Manager - Information Technology Security (MITS), as the point of contact for coordinating security services.
    2. Provide a secure, centralized authentication service for access to campus resources.
    3. Develop the operational tools and procedures necessary to secure the above information technology resources and provide a central point of coordination for security issues for non-OIT information technology personnel.
    4. Hire administrators with the necessary technical expertise so that they are fully capable of maintaining the applicable hardware, operating systems, systems software, programs and other associated components of the systems to which they are assigned.
    5. Ensure that administrators understand their responsibilities and the consequences of poorly managed systems (compromise of local or other systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and UMBC, etc.).
    6. Provide necessary initial and refresher training to administrators as hardware or software components are revised or added.
    7. Ensure that procedures and appropriate time are allocated for systematic and periodic audit and maintenance of systems.

  3. Departments and affiliated centers and organizations maintaining information technology systems in support of their operations are primarily responsible for ensuring that these systems are managed securely, so that the risk of exposing the associated processes and data to unauthorized use or access is minimized. For a system to be managed securely, service managers must:
    1. Hire technicians with the necessary technical expertise so that they are fully capable of maintaining the applicable hardware, operating systems, systems software, programs and other associated components of the systems to which they are assigned.
    2. Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (compromise of local or other systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and UMBC, etc.).
    3. Provide necessary initial and refresher training to technicians as hardware or software components are revised or added.
    4. Ensure that procedures and appropriate time are allocated for systematic and periodic audit and maintenance of systems.
    5. Require all system administrators to have after-hours contact information, preferably a cell phone or pager, on file with the Manager - Information Technology Security.
    6. Coordinate with OIT on security-related incidents within their respective operational control.

  4. Technical security incidents of any kind perpetrated against University-owned computing or other information technology resources, either attached to a UMBC-operated telecommunications network or freestanding in a University office, must be reported to the OIT Manager - Information Technology Security. Where feasible given the circumstances, this report should be sent as soon as the situation is detected; minimally the report should be sent as soon as possible thereafter. The MITS will minimally file the incident for future reference, or they may provide advice or comment as necessary, or they may take the opportunity to warn other system administrators if it appears that the situation has the potential to occur on other UMBC systems as well.

  5. The UMBC department or agency managing a system that has been compromised is ultimately responsible for determining whether the system will only be restored and operations resumed, or whether pursuit of the perpetrator is feasible and appropriate based on possible continued effect on operations.
    1. Such investigation may be requested by law enforcement, and University Counsel must be consulted to see if any such request is legally binding before a decision is made to only recover the system and restore the service.
    2. OIT is available to consult with departmental technicians and management, University Counsel, law enforcement, and other agencies as required in a specific situation. OIT is also available to perform or assist in investigations and/or to perform computer forensics.
    3. The UMBC department or agency managing a system that has been compromised is responsible for all monetary, staff, and other costs related to investigations, cleanup, and recovery activities required due to that compromise.

  6. The Manager - Information Technology Security, in consultation with the Chief Information Officer, may unilaterally decide to logically isolate a system from the University or external networks, given:
    1. The system has been reasonably identified as having been compromised,
    2. There is ongoing activity on or originating from the system that is causing or will cause damage to University systems or data or the systems or data of other internal or external agencies, and
    3. All reasonable attempts to contact the responsible technicians or department management have been exhausted, or technicians have been contacted and they are unable to or choose not to resolve the problem in a reasonable time, or the system is identified as a student-owned system that has been connected to the University network.

  7. Violations of this policy will be reported to the Chief Information Officer. In addition, depending on the seriousness of the situation, a report will be made to the senior executive officer of the applicable department and/or the Office of the Provost.

Best Practice System Administration Procedures:

For a system to be managed securely, system administrators should follow the best practices described below:

    1. Attend the OIT training course, UMBC Information Security Practices, and be subscribed to the email list, oit-security-alerts.
    2. Respond appropriately to security risks based on the classification specified by the Manager - Information Technology Security.
    3. Understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.
    4. Not use operating systems that they are not trained to secure.
    5. Remove unneeded services and software, especially those that are network-accessible, to eliminate potential threats.
    6. Limit access to needed services to only authorized persons, and log all successful and unsuccessful accesses to the system.
    7. Encrypt stored sensitive data where possible, to minimize disclosure if the system is compromised.
    8. Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is protected in transit.
    9. Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities.
    10. Regularly scan the system for security vulnerabilities using available technical tools, not less than once per quarter.
    11. Report any security breaches to the OIT Manager - Information Technology Services (MITS) for assistance, advice, or to file.
    12. Report any systematic unsuccessful attempts (including login attempts, "probes" or "scans") to the MITS.
    13. Provide access to only those persons who are otherwise eligible to use UMBC technology resources, and require all users be identified and authenticated before access is allowed.
    14. Use different passwords for privileged accounts ("root", for example) on various systems being maintained by the same technician(s).
    15. Use encrypted communications (e.g., Secure Shell) methods for accessing the system remotely (that is, any access from other than the console) through privileged accounts ("root", for example).
    16. Ensure that all accounts require a password, and if technically possible, that there are automatic routines (dictionaries, pattern enforcers, etc.) that force the user to choose a strong password initially and each time the password expires.
    17. Implement a system such that re-usable passwords are not sent over the network in clear-text, where technically possible.
    18. Install and maintain anti-virus software on operating systems for which UMBC has licensed such software, and maintain current virus pattern files.
    19. React immediately to minimize the damage of reported security problems or compromises of systems, including removing the system from the network if necessary.

Information technology security classifications:

Each reported security vulnerability is classified according to the potential for damage to the local system (or adjacent systems) or inappropriate disclosure or modification of data. System administrators must respond to risks based on the coding below:

  1. Very High Risk - response should be immediate:
    1. Damage to the system or data is occurring, or
    2. Attempts to exploit the vulnerability on that system are occurring, or
    3. The vulnerability is currently being actively exploited against other similar technologies within the University; damage to systems and data is being experienced in those other incidents.
  2. High Risk - response should be within 24 hours:
    1. The vulnerability is known to exist on the system;
    2. The exposure is currently being actively exploited against other similar technologies external to the University;
    3. Damage to systems and data is being experienced in those other incidents.
  3. Medium Risk - response should be within one business week:
    1. The system is susceptible to the vulnerability given that the system is configured incorrectly;
    2. The exposure is currently being actively exploited against other similar technologies external to the University;
    3. There is some potential for damage to systems and data.
  4. Low Risk - informational, response is voluntary:
    1. The system is susceptible to the vulnerability given that the system is configured incorrectly;
    2. The exposure is currently being actively exploited against other similar technologies external to the University;
    3. Damage to systems and data is possible but is not considered likely.

DEFINITIONS:

UMBC Information Technology Resources -- includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies; computing and electronic communication devices and services, including modems; electronic mail; phones; voice mail; facsimile machines, multimedia and hyper media equipment and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.

Security breach -- any successful unauthorized access to a UMBC computer or system or network.

University-owned computing resources -- computer and computer-related equipment acquired and maintained all or in part by funds through UMBC University.

Systematic unsuccessful attempts -- continual probes, scans, or login attempts, where the perpetrator's obvious intent is to discover a vulnerability and inappropriately access that device.

The OIT Manager - Information Technology Security Office (MITS) -- a person within the Office of Information Technology. The person is responsible for providing proactive security analysis, development, education, and guidance related to UMBC's information asset and information technology environment.

PROCEDURE REFERENCE:

Reports of security incidents should be sent to abuse@umbc.edu.

Technical security resources can be found at the OIT Web site: http://www.umbc.edu/oit/security.

For situations requiring immediate assistance or response by security engineers, local campus computing support centers have paging information for ITSO staff, available by contacting the OIT Helpdesk, 410-455-3838, or the Chief Information Officer, 410-455-2582. A response from someone should be expected within 60 minutes.

RELATED POLICY REFERENCES:

RESPONSIBLE ORGANIZATION:

UMBC Office of Information Technology
oit@umbc.edu
http://www.umbc.edu/oit



Last modified: 3/6/2003

Office of Information Technology • Main Office: ECS 125 • Phone: 410-455-3838 • Email: oit@umbc.edu