POLICY #: IT - 08
DATE DRAFTED: 11/04/01
APPROVED DATE: 04/04/02, 07/18/05
REVISION DATE: 06/24/05 (V2), 02/13/2007 (Baseline Security Standards)
BRIEF DESCRIPTION: Any computer or device physically connected to or accessing the University telecommunications network must be secured using baseline security standards to minimize disruptions to the operation of the network.
This policy governs all devices (e.g., server, desktop, laptop, handheld) that are connected to the campus network. Systems that are not properly administered can become a threat to the operation of the network. The responsibility for the security and integrity of the devices connected to the campus network initially rests with the person who connects the device to the network. Thereafter, the primary user of a computer shares responsibility with whoever provides IT support for that computer, followed by the department housed in the physical space the computer occupies. Technical staff who manage multi-user shared resources will have primary responsibility for them, followed by the department housed in the physical space the computers occupy. Faculty, staff, students, and other individuals (i.e., contractors, vendors, trainers, visitors) who have devices connected to the network, even if the devices are not owned by the University, as well as persons who have authorized the purchase of vendor operated and administered systems, are included as “system administrators” for the purpose of this policy.
The network citizenship policy is intended to protect the integrity of the campus network and to mitigate the risk and losses associated with threats to the campus network and networked resources. System administrators and users must
- Follow University of Iowa Baseline Security Standards for securing network attached devices in order to ensure that key security vulnerabilities are addressed. Key vulnerabilities will change over time as new threats and risks emerge. Security standards will evolve in the same manner. See Appendix A for current Baseline Security Standards.
- Cooperate with the University of Iowa Information Technology Security Office (firstname.lastname@example.org or 319-335-6332) to resolve security problems identified with any systems you are responsible for.
- Submit network connected devices to vulnerability scans, and resolve high risk issues identified by the scans.
- Immediately report compromises and other security incidents to the Information Technology Security Office (use the web form at http://itsecurity.uiowa.edu/incidents/incident-form.shtml or call 319-335-6332) or report it to your local IT support staff.
- Comply with the individual responsibilities stated in Section IV of the University’s Acceptable Use Policy for Information Technology Resources.
Systems posing an immediate threat to the campus network will be removed from the network to isolate the intrusion or problem and minimize risk to other systems, until the system is repaired and the threat is removed, as determined by the Information Technology Security Office. Systems involved in security incidents which do not have Baseline Security Standards implemented will remain off the campus network until the system administrator brings the system into compliance. Departmental Network and Security Contacts have the authority to remove devices from the network in their area of responsibility, and will be notified when systems in their department are removed from the network by central security or networking staff.
Systems that are involved in multiple incidents may be disconnected from the campus network for longer periods of time as required. System administrators will be required to show that they understand best practices and know how to implement them through an audit review or other assessment of their devices, before they will be allowed to reconnect them to the campus network. If a system administrator lacks the knowledge or training needed to comply with this policy, the Information Technology Security Officer will work with the department to help plan an appropriate training program for the system administrator.
Related Policies, References and Attachments:
This collection of University of Iowa Information Technology policies and procedures contains acceptable use, security, networking, administrative, and academic policies that have been developed to supplement and clarify University of Iowa policy.
They are incorporated into the University of Iowa Operations Manual (http://www.uiowa.edu/~our/opmanual/index.html) by reference, per the Policy on Acceptable Use of Information Technology Resources (http://www.uiowa.edu/~our/opmanual/ii/19.htm).
- Computer Vulnerability Scanning Policy
- Information Security Framework Policy
- Enterprise Password Policy
- Security Best Practices Documentation
Appendix A: Baseline Security Standards
1. UPDATES: Keep all software (operating systems and applications) up to date to the extent possible (i.e., within compatibility and certification constraints). Configure devices to install security updates automatically, or perform the operation manually on a frequent, regular basis. Only use operating systems and applications that are actively supported. Software that isn't supported or that doesn't have recent security updates should not be directly connected to the campus network.
2. ANTI-VIRUS: Install anti-virus software on all eligible devices, using UI site-licensed software where possible, and make certain the virus detection signatures are updated on a daily basis. Configure the software to scan all incoming files.
3. ADMINISTRATOR PASSWORDS: Configure accounts with high-level system access (e.g., administrator or root) to have strong passwords that are changed often, consistent with the Enterprise Password Policy.
4. SUPPORT: Know who provides technical support for the computers you use. Department IT support staff, central (ITS) help desk, or other (contracted) support names, phone numbers, and/or email addresses should be known and available at all times. Register all systems that store Level III sensitive data with the Security Office.
5. BEST PRACTICES: Review and implement security best practices appropriate for the device in question. A collection of resources and documentation for best practices is available at the IT Security website.