Defense in Depth Security Strategy

12/2/2003

Defense in depth, at The University of Iowa, is a combination of controls implemented at the Enterprise level, at the Service Provider level, and at the End User level. 

The “Defense in Depth” operational philosophy and architectural design for securing information technology systems, services, and processes is a multi layered strategy that encompasses administrative and personnel controls, technology controls, and operational controls covering a broad spectrum including, but not limited to, perimeter defenses, network security, host/platform security, and application security.

Defense in Depth involves a tiered approach in defense mechanisms. Each protection layer has unique characteristics, presenting obstacles for an intruder to overcome, (as well as preventing accidents by a legitimate user), if s/he attempts to circumvent controls over confidentiality, availability, and integrity of information assets.  If one protection layer fails, the next (or the next) should prevent a breach in security.  Defense in depth provides “compound” protection, rather than the simple “sum” of all protections.

Enterprise’s Responsibility

  1. A security incident response capability has been developed to assist with detection and response to information technology related problems.
  2. Intrusion detection systems are deployed to monitor the network for anomalous activities.
  3. Antiviral and anti-spam protections are deployed at the gateway to the campus. 
  4. Network filtering is employed to block “known bad” or high-risk traffic (i.e., spoofed/forged addresses, and the well-known Microsoft networking ports).
  5. Identity management and provisioning of services is offered, for timely granting/revocation of access to confidential data.
  6. Network based vulnerability assessments (i.e., scanning) are performed on a regular basis and communicated to applicable IT staff members.
  7. Technology security training and awareness seminars, classes, and materials are developed and offered to the University community.
  8. Risk assessments that target critical systems and services offered by the University are regularly performed.
  9. Employee background checks are performed, and confidentiality agreements are signed by all staff involved with support of enterprise services.
  10. System hardening is employed to ensure that only the necessary services are enabled on systems that support enterprise services, the least-privilege principle is used for granting access, and strict patch/update management principles are followed, using documented change management procedures.
  11. Separation of critical duties is required, and no “single person dependencies,” are allowed (i.e., a minimum of two persons have privileged access to systems, and at least two persons must be involved in critical service maintenance operations).
  12. A documented disaster recovery and business resumption plan exists and is regularly tested.
  13. Licenses for security software (ssh, ssl, iss, sftp, etc) are purchased or subsidized to promote broad campus use of encrypted protocols and security services.

Service Provider’s Responsibility

  1. All institutional data is reviewed and classified by the data owner as to its confidentiality using University guidelines; security and access controls are based on the data classification and least privilege principle.
  2. System hardening is employed to ensure that only the necessary services are enabled on systems, the least-privilege principle is used for granting access, strict patch/update management principles are followed, using documented change management procedures, and firewalls, IP restrictions or filters are employed where possible to limit system access to known users.
  3. Software development (programming) is performed on non-production systems using documented change management procedures for production deployment. 
  4. Secure (encrypted) protocol alternatives are deployed in place of insecure protocols (i.e., ssh instead of telnet, sftp in place of ftp).
  5. Auditing of system activity is performed, accompanied by regular reviews of exception activity and login activity on each system.
  6. Adequate backup and recovery systems are in place, in accordance with University policy.
  7. Separation of critical duties is required, and no “single person dependencies,” are allowed (i.e., a minimum of two persons have privileged access to systems, and at least two persons must be involved in critical service operations).
  8. Employee background checks are performed, and confidentiality agreements are signed by IT support staff.
  9. All institutional technology security policies are communicated, understood, and adhered to by IT staff.
  10. A contingency plan and data recovery procedures are documented and regularly tested.
  11. Enterprise identity management services are employed for authentication, using “HawkID” identifiers, where technically feasible.

End User’s Responsibility

  1. Good password management is used at all times: passwords are changed often, never reused, difficult to guess, and contain a long combination of letters, numbers, and other characters.
  2. Automatic updating for software service patches is enabled, if possible; and updates are always installed immediately when prompted or when directed (by management) to do so.
  3. Anti-virus software is installed, and auto-updated on a daily basis.
  4. Workstations are either logged off or shut down when not in use overnight and on weekends.
  5. Automatic inactivity locking is enabled by activating a password-protected screen saver after 10 minutes during the work day.
  6. Suspicious, unusual, or unexplainable activity in the workplace, on your computer, or elsewhere in your area is always promptly reported to your supervisor or if your supervisor is not available, to the Information Security and Policy Office (for computer activity) or to Public Safety (for workplace activity).
  7. Confidential data is only shared with authorized personnel, and never used for purposes other than originally intended.
  8. Backup copies of important files and documents are created according to departmental procedures.
  9. Only hardware and software that has been purchased for your use, by your department on your workstation, is installed and used.
  10. All default operating system services and programs that are not needed in the course of your job are disabled on your workstation (e.g., personal web server, ftp server, message service).
  11. Software programs downloaded from a web site, or received as an attachment via email are never opened or used/installed unless it has been virus-scanned first.
  12. The University’s Acceptable Use of Information Technology Resources policy is read and understood.
  13. All confidential or sensitive data is removed from your workstation before it leaves your control (e.g., going to surplus or as a department hand-me-down), including software for which only you have a license.

Supporting IT Security Program, Policy, Best Practice, and Procedure Documents:

Information Security & Policy Office website: http://itsecurity.uiowa.edu