The following are best practices related to department IT security your department administration should consider. The questions are referenced below.
1. How are we protecting our infrastructure?
- The MAC (physical address) of network devices on the Stevens network must be registered with the Computer Service Center or the user must authenticate with a valid username and password.
- Controlling physical access to offices and computer equipment is the responsibility of management. Every department should have a plan for managing access to all workspaces and wiring closets to include control of keys and swipe cards. Periodic inventories should be made of excess keys and control measures need to be in place for the assignment of keys to employees.
Every good business maintains an equipment inventory. Whether your department is large or small it's a good idea to keep track of a physical inventory for loss, emergency or business continuity. Your department should have an inventory of all hardware connected to Stevens network and determine responsibility. Assure that all devices are accounted for and maintained for security purposes.
- Location of installation CDs and back-up tapes
Installation CDs are valuable when an operating system needs to be reinstalled due to a compromise or equipment failure. These CDs should be kept (and move) with the computer, or kept in a central location. The user of the computer and support staff should know the location of the CDs and back-ups.
- Antivirus software (AV) Malware/Spyware
The university previously had a site license, including home systems, for McAfee antivirus software. However we are now using AVG as our anti-virus software. For information on AVG and its installation see the AVG IT Knowledge Base page. Every departmental Windows machine connecting to the Stevens network must have AV installed and configured for "auto-update."
- Patching (Updating operating systems/software)
2. How are we protecting our data?
Departmental data should be segregated into these three areas - confidential, internal use only, and public - and the data should be secured appropriately.
Provide for secure data transmission (with clear instructions and simple security tools) when confidential information is transmitted. Specifically:
- if you collect and transmit sensitive data via the Internet, use a Secure Sockets Layer (SSL) or other secure connection so the information is encrypted in transit. Many web sites use the protocol to obtain confidential user information, such as credit card numbers.
- caution staff against transmitting sensitive data, like account numbers, via electronic mail; and
- if sensitive data must be transmitted by email, ensure that such messages are password protected to only allow authorized employees access.
- Secure FTP (SFTP)
File transfer protocol, or FTP, is a fast way to transfer files over the internet, however, it is very insecure. Secure FTP (SFTP) is a replacement program for FTP used to provide secure encrypted and authenticated communications between two hosts. SFTP securely moves, manages and protects critical data, during the access and remote management of files.
- SSH is another protocol to encrypt communication between a client and remote system. SSH prevents potential security problems that occur when things like passwords are transmitted across the internet in plain text.
Compliance requirements (GLBA, FERPA, SEVIS, etc.)
Some departments having access or handling confidential data are required to comply with legislative requirements related to the data. Departments receiving grant funding are expected to adhere to requirements stated in the grant relative to IT security and confidentiality.
Department administration should determine retention requirements for all media.
Proper disposal of all media is essential to protect confidential and sensitive data.
In the event of a system failure, good backups ensure the ability to recover data and resume business. Hardware failure, user mistakes or carelessness, intrusion by malicious hackers or willful damage by a disgruntled insider represent possible scenarios for loss of critical data. In the event of a system intrusion, good backups also preserve data for the incident handling team. A set of recent backups should be kept at a safe off-site location in case there is serious damage to building facilities. Not only is it important to keep backups, it is vital to test the backups to make sure that critical systems can be restored as part of a periodically tested disaster recovery and business continuity plan.
It is recommended that the department have a policy requiring strong passwords. If the department is running a local server unique user accounts should be created for all users. Everyone must understand that accounts and passwords are private, and to be protected from unauthorized use. Using "Post It" notes to record the userid and password and placing them next to the monitor is a security violation. Guidance should be provided to your users in helping them select good passwords and monitored for compliance.
Administrative access/rights to departmental computers should be limited to individuals who demonstrate competency on relevant issues. Department administration should insist that these indivuduals take responsibility for following standard procedures and guidelines (established by the department), and provide documentation for the payment of any licensed software they install
Personal use of university equipment
It is recommended that department administration document appropriate use of university equipment for personal use within the department. See also Acceptable Use Policy.
3. Do we have adequate resources?
IT staff duties and skills
Guidelines for the IT responsibilities of systems administrators provides a general description of the areas in which an admin might be skilled. IT staff currently have a variety of duties for the maintenance and daily use of the numerous technological pieces of a department and its network. Administrators should be familiar with the skills of IT staff and understand that not all IT 'jobs' require the same skills (i.e., a network administrator may not be skilled in the creation of websites; someone skilled in the UNIX operating system may not be very familiar with the Windows operating systems).
To assure that departmental goals are met, be sure to include IT budget requirements you may have in the budget process.
Potential IT purchases
Consult with your IT staff when considering IT purchases for compatibility with current equipment and university requirements.
4. What are our short and long-term IT security goals?
Service level agreements
Service level agreements should be monitored for compliance; review the agreements annually to assure department needs are being met.
Incident response plan
Provide a process to follow if your systems are compromised. Contact the Stevens Information Technology Help Desk at www.stevens.edu/helpdesk or 201-2116-5500 immediately.
Information Technology periodically scans the network for vulnerabilities. These scans are forwarded to departmental network liaisons and others in the department as requested. Vulnerabilities found in your systems should be resolved in a timely manner as they could jeopardize the Stevens network if exploited.
IT security information for faculty, staff and students can be found at Stevens Security Awareness page.