Minimum Security Standards for Systems with Cat I, II, III Data

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITYMinimum Security Standards forSystems Associated with Category I, II,or III DataEffective Date: March 17, 2007PurposeScopeAudienceMinimum StandardSecurity Review for New Security Software and AppliancesNon-Compliance and ExceptionsRelated UT Dallas Policies, Procedures, Best Practices and Applicable LawsI. PurposeThis minimum standard serves as a supplement to IR Security OperationsManual, The University of Texas at Dallas’ implementation of UT-System UTS165. Adherence to the standard will increase the security of systems and helpsafeguard university information technology resources.Compliance with these requirements does not imply a completely securesystem. Instead, these requirements should be integrated into a comprehensivesystem security plan.II. ScopeThis standard applies to all devices, physical or virtual, connected to theuniversity network through a physical, wireless, or VPN connection where data isclassified as Category I, II, or III (see Data Classification Standards).III. Audience

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITYAll users with systems connected to the university network as in Sec. II, above.IV. Minimum StandardThis section lists the minimum standards that should be applied and enabled inCategory I, II, and III data systems that are connected to the university network.Standards for Category I are generally required.If products are not available from reputable commercial or reliable open sourcecommunities for a specific requirement, then the specific requirement is waiveduntil an appropriate solution is available. Information Resources owners andcustodians, Primary Investigators (PIs), and/or systems administrators areexpected to use their professional judgment in managing risks to the informationand systems they use and/or support. All security controls should beproportional to the confidentiality, integrity, and availability requirements of thedata processed by the system.Backups# Practice Cat I Cat II & III1.1System administrators should establish and follow a procedure tocarry out regular system backups.RequiredRecommended1.2Backups must be verified at least monthly, either throughautomated verification, through customer restores, or throughtrial restores.RequiredRecommended1.3Systems administrators must maintain documented restorationprocedures for systems and the data on those systems.RequiredRecommendedChange Management# Practice Cat I Cat II & III

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITY2.1There must be a change control process for systems configuration. Thisprocess must be documented.RequiredRecommendedSystem changes should be evaluated prior to being applied in aproduction environment.2.2Patches must be tested prior to installation in the productionenvironment if a test environment is available.RequiredRecommendedIf a test environment is not available, the lack of patch testingshould be communicated to the service subscriber or data customer,along with possible changes in the environment due to the patch.Computer Virus Prevention# Practice Cat I Cat II & III3.1 Anti-virus software must be installed and enabled. Required Required3.2Anti-spyware software must be installed and enabled if the machine is used byadministrators to browse Web sites not specifically related to the administration ofthe machine. In addition, anti-spyware software must be installed if users are ableto install software.RecommendedRecommended3.3Anti-virus and, if applicable, anti-spyware software should be configured to updatesignatures daily.RequiredRecommended3.4Systems administrators should maintain and keep available a description of thestandard configuration of anti-virus software.RequiredRecommendedPhysical Access# Practice Cat I Cat II & III4.1Systems must be physically secured in racks or areas withrestricted access. Portable devices shall be physically secured ifleft unattended.RequiredRecommended4.2Backup media must be secured from unauthorized physicalaccess. If the backup media is stored off-site, it must beencrypted.RequiredRecommended

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITYSystem Hardening# Practice Cat I Cat II & III5.1Systems must be set up in a protected network environment or by usinga method that assures the system is not accessible via a potentiallyhostile network until it is secured.RequiredRecommended5.2Operating system and application services security patches should beinstalled expediently and in a manner consistent with changemanagement procedures.RequiredRequired5.3WSUS is the preferred method for updating Windows systems. If this isnot used and if automatic notification of new patches is available on theoperating system you are running, that option should be enabled.RequiredRequired5.4Services, applications, and user accounts that are not being utilizedshould be disabled or uninstalled.RequiredRecommended5.5Methods should be enabled to limit connections to services running onthe host to only the authorized users of the service. Software firewalls,hardware firewalls, and service configuration are a few of the methodsthat may be employed.RequiredRecommended5.6Services or applications running on systems manipulating Category Idata should implement secure (that is, encrypted) communications toensure Category I data does not traverse the Internet in clear text.RequiredRecommended5.7Systems will provide secure (that is, encrypted) storage for Category Idata as required by confidentiality and integrity needs.RequiredRecommended5.8If the operating system supports it, integrity checking of critical operatingsystem files should be enabled and tested. Third-party tools may also beused to implement this.RequiredRecommended5.9Integrity checking of system accounts, group memberships, and theirassociated privileges should be enabled and tested.RequiredRecommended

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITY5.10 The required University warning banner should be installed. Required Required5.11Whenever possible, all non-removable or (re-) writeable media must beconfigured with file systems that support access control.RequiredRecommended5.12 Access to non-public file system areas must require authentication. Required RecommendedSecurity Monitoring# Practice Cat I Cat II & III6.1If the operating system comes with a means to log activity, enabling andtesting of those controls is required.RequiredRecommended6.2Operating system and service log monitoring and analysis should beperformed routinely. This process should be documented.RequiredRecommended6.3The systems administrator must follow a documented backup strategy forsecurity logs (for example, account management, access control, dataintegrity, etc.). Security logs should retain at least 14 days of relevant loginformation (data retention requirements for specific data should beconsidered).RequiredRecommended6.4 All administrator or root access must be logged. Required RequiredData Disposal# Practice Cat I Cat II & III7.1If the data resides on electronic media (disks, tapes, hard drives, USBs, PDAs,etc.), the data must be rendered unrecoverable or indecipherable. This can beaccomplished by shredding the media (UTD has a certified contract for thisprocess), for example: any device that is sent to surplus must have the diskremoved and shredded before being shipped off-site. Any media that is beingrepurposed, for instance, transferred to another person or department, mustRequiredRequired

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITYhave a Department of Defense level reformat (wipe) performed on the media.7.2 Records must be maintained according to the UTD Records Retention Policy Required Required.V. Security Review for New Security Softwareand AppliancesDepartments evaluating the implementation of new security software orappliances, involving Category I type data, must request a security review bysending a written description of the proposed implementation to the InformationSecurity Office prior to selecting vendors or products. Security reviews tend tobe informal and can often be performed quickly, while ensuring that bestpractices are being considered.VI. Non-Compliance and ExceptionsFor all system administrators — if any of the minimum standards containedwithin this document cannot be met on systems manipulating Category I or IIdata that you support, an Exception Process must be initiated that includesreporting the non-compliance to the Information Security Office, along with aplan for risk assessment and management. (See Security Exception Report.)Non-compliance with this standard may result in revocation of system or networkaccess, notification of supervisors, and reporting to the Office of Internal Audit.University of Texas at Dallas employees are required to comply with bothinstitutional rules and regulations and applicable UT System rules andregulations. In addition to University and System rules and regulations, TheUniversity of Texas at Dallas employees are required to comply with state lawsand regulations.VII. Related UT Dallas Policies, Procedures, BestPractices and Applicable Laws

THE UNIVERSITY OF TEXAS AT DALLASINFORMATION SECURITYThe policies and practices listed here inform the system hardening proceduresdescribed in this document and with which you should be familiar. (This is not anall-inclusive list of policies and procedures that affect information resources.)UTD Information Resources Security Operations ManualUTD Acceptable Use PolicyUTD Data Classification GuidelinesUTD Information Security Exception Process