Radford University Information Technology Security ......Technology (DoIT) website. Both the Information Technology Advisory Committee (ITAC) and the it-info listserv will be notiﬁed

RadfordUniversityInformationTechnologySecurityStandard5003s-01

ITSecurityOffice

February21,2019

Radford University IT Security Standard 5003s-01 Date: February 21, 2019

Preface

DateandPurposeFebruary21,2019–Clarifiedlogreview(9.3.2),clarifiedscopeforannualDRtesting(3.2.2),clarifiedbaselinesecurityconfigurations(4.3.2)andclarifiedwordingfortwo-factorauthentication(5.2.2).

NoticeItisthereader’sresponsibilitytoensuretheyhavethelatestversionofthisStandard.RevisionquestionsshouldbedirectedtotheUniversity’sInformationSecurityOfficer(ISO).Themostrecent,approvedversionofthisStandardwillalwaysbeavailableuponrequestandontheUniversity’sDivisionofInformationTechnology(DoIT)website.BoththeInformationTechnologyAdvisoryCommittee(ITAC)andtheit-infolistservwillbenotifiedwhennewrevisionsareapprovedandreleasedforpublication.

HistoryFebruary21,2019–Clarifiedlogreview(9.3.2),clarifiedscopeforannualDRtesting(3.2.2),clarifiedbaselinesecurityconfigurations(4.3.2)andclarifiedwordingfortwo-factorauthentication(5.2.2).September1,2018-UpdatedRoles,includingresponsibilitiesaroundThird-PartyHostedSystems/Applications,(2.2.5),ApplicationAdministrator(2.2.8)andTraining(8.3).April15,2016–updatedsections2.2.3,4.3.2,and4.7.2toclarifyannualvulnerabilityscanningrequirementsJanuary13,2015–updateddefinitionsforclarity;updatedsectionfor“PasswordManagement”toreflectchangeto180daypasswordexpirationMarch18,2013–updatedsection“ExceptionstoSecurityRequirements”toreflectproperapprovalprocess,andRequirementsfor“AccountManagement”toreflectchangesinresponsibilityforaccessapprovalsFebruary13,2012–UpdatedtoreflectchangeinsystemidletimeoutsettingFebruary9th,2011-OriginalVersion1(5003s-01) ReviewProcessTheInformationTechnologyAdvisoryCommittee(ITAC)andtheOfficeofAuditandAdvisoryServices(OAAS)willprovidetheinitialreviewofthisStandardandallsubsequentrevisions.

ApprovalAuthorityTheUniversityPresident,ordesignee,hasapprovalauthorityoverthisStandard.

PublicationDesignationInformationTechnologySecurityStandard

PublicationNumber5003s-01

PurposeofThisStandardTodefinetheminimumrequirementsfortheUniversity’sInformationSecurityProgram.

GeneralResponsibilitiesTheVicePresidentforInformationTechnology&ChiefInformationOfficer(CIO)hasdesignatedtheInformationSecurityOfficer(ISO)todevelopinformationsecuritypolicies,procedures,andstandardsto


protecttheconfidentiality,integrity,andavailabilityoftheUniversity’sinformationtechnologysystems,networksanddata.Therefore,theISOistheauthorandmaintainerofthisStandard.

SubjectAreaInformationTechnologySecurity

EffectiveDateFebruary21,2019

ComplianceDateFebruary21,2019

SupersedesNone

ScheduledReviewOne(1)yearfromeffectivedate.

AuthorityMemorandumofUnderstandingbetweenRadfordUniversityandtheCommonwealthofVirginiaSection23-38.90.

ScopeThisStandardappliestoallofRadfordUniversity.

BaseStandards1. InternationalOrganizationforStandardization(ISO)andtheInternationalElectrotechnical

Commission(IEC)ISO/IEC27000series.2. NationalInstituteofStandardsandTechnology(NIST)SpecialPublication800-88.3. CommonwealthofVirginiaITRMStandardSEC501-01(Revision5).

RelatedPolicyCurrentversionoftheUniversity’sInformationSecurityPolicyIT-PO-1503.


Contents1 INTRODUCTION .................................................................................................................................... 9

1.1 Intent ............................................................................................................................................. 9

1.2 Organization of this Standard ......................................................................................................... 9

1.3 Roles and Responsibilities .............................................................................................................. 9

1.4 Information Security Program ...................................................................................................... 10

1.5 Exceptions to Security Requirements ........................................................................................... 10

1.6 Exemptions from this Standard .................................................................................................... 10

2 RISK MANAGEMENT ........................................................................................................................... 11

2.1 Purpose ........................................................................................................................................ 11

2.2 Key Information Security Roles and Responsibilities ..................................................................... 11

2.2.1 Purpose ................................................................................................................................. 11

2.2.2 Chief Information Officer of the University (CIO) ................................................................... 11

2.2.3 Information Security Officer (ISO) .......................................................................................... 12

2.2.4 Privacy Officer ....................................................................................................................... 12

2.2.5 System Owner ....................................................................................................................... 13

2.2.6 Data Owner ........................................................................................................................... 13

2.2.7 System Administrator ............................................................................................................ 13

2.2.8 Application Administrator ..................................................................................................... 14

2.2.9 Data Custodian ...................................................................................................................... 14

2.2.10 IT System Users ................................................................................................................... 14

2.3 Business Impact Analysis .............................................................................................................. 15

2.3.1 Purpose ................................................................................................................................. 15

2.3.2 Requirements ........................................................................................................................ 15

2.4 IT System and Data Sensitivity Classification ................................................................................. 15

2.4.1 Purpose ................................................................................................................................. 15

2.4.2 Requirements ........................................................................................................................ 16


2.5 Sensitive IT System Inventory and Definition ................................................................................ 16

2.5.1 Purpose ................................................................................................................................. 16

2.5.2 Requirements ........................................................................................................................ 16

2.6 Risk Assessment ........................................................................................................................... 17

2.6.1 Purpose ................................................................................................................................. 17

2.6.2 Requirements ........................................................................................................................ 17

2.7 IT Security Audits ......................................................................................................................... 17

2.7.1 Purpose ................................................................................................................................. 17

2.7.2 Requirements ........................................................................................................................ 17

3 IT CONTINGENCY PLANNING ............................................................................................................... 17

3.1 Purpose ........................................................................................................................................ 17

3.2 Continuity of Operations Planning ................................................................................................ 18

3.2.1 Purpose ................................................................................................................................. 18

3.2.2 Requirements ........................................................................................................................ 18

3.3 IT Disaster Recovery Planning ....................................................................................................... 18

3.3.1 Purpose ................................................................................................................................. 18

3.3.2 Requirements ........................................................................................................................ 18

3.4 IT System and Data Backup and Restoration ................................................................................ 19

3.4.1 Purpose ................................................................................................................................. 19

3.4.2 Requirements ........................................................................................................................ 19

4 INFORMATION SYSTEMS SECURITY ..................................................................................................... 19

4.1 Purpose ........................................................................................................................................ 19

4.2 IT System Security Plans ............................................................................................................... 20

4.2.1 Purpose ................................................................................................................................. 20

4.2.2 Requirements ........................................................................................................................ 20

4.3 IT System Hardening .................................................................................................................... 20

4.3.1 Purpose ................................................................................................................................. 20

4.3.2 Requirements ........................................................................................................................ 20


4.4 IT Systems Interoperability Security ............................................................................................. 21

4.4.1 Purpose ................................................................................................................................. 21

4.4.2 Requirements ........................................................................................................................ 21

4.5 Malicious Code Protection............................................................................................................ 22

4.5.1 Purpose ................................................................................................................................. 22

4.5.2 Requirements ........................................................................................................................ 22

4.6 Systems Development Life Cycle Security ..................................................................................... 23

4.6.1 Purpose ................................................................................................................................. 23

4.6.2 Requirements ........................................................................................................................ 23

4.7 Application Security ..................................................................................................................... 24

4.7.1 Purpose ................................................................................................................................. 24

4.7.2 Requirements ........................................................................................................................ 24

4.8 Wireless Security .......................................................................................................................... 25

4.8.1 Purpose ................................................................................................................................. 25

4.8.2 Requirements ........................................................................................................................ 25

5 LOGICAL ACCESS CONTROL ................................................................................................................. 26

5.1 Purpose ........................................................................................................................................ 26

5.2 Account Management .................................................................................................................. 26

5.2.1 Purpose ................................................................................................................................. 26

5.2.2 Requirements ........................................................................................................................ 27

5.3 Password Management ................................................................................................................ 28

5.3.1 Purpose ................................................................................................................................. 28

5.3.2 Requirements ........................................................................................................................ 28

5.4 Remote Access ............................................................................................................................. 30

5.4.1 Purpose ................................................................................................................................. 30

6 DATA PROTECTION ............................................................................................................................. 30

6.1 Purpose ........................................................................................................................................ 30

6.2 Data Storage Media Protection .................................................................................................... 30


6.2.1 Purpose ................................................................................................................................. 30

6.2.2 Requirements ........................................................................................................................ 30

6.3 Encryption .................................................................................................................................... 31

6.3.1 Purpose ................................................................................................................................. 31

6.3.2 Requirements ........................................................................................................................ 31

6.4 Protection of Sensitive Information on Non-Electronic Media ...................................................... 32

6.4.1 Purpose ................................................................................................................................. 32

6.4.2 Recommendations ................................................................................................................ 32

7 FACILITIES SECURITY ........................................................................................................................... 32

7.1 Purpose ........................................................................................................................................ 32

7.2 Requirements............................................................................................................................... 32

8 PERSONNEL SECURITY ......................................................................................................................... 33

8.1 Purpose ........................................................................................................................................ 33

8.2 Access Determination and Control ............................................................................................... 33

8.2.1 Purpose ................................................................................................................................. 33

8.2.2 Requirements ........................................................................................................................ 33

8.3 Information Security Awareness and Training............................................................................... 34

8.3.1 Purpose ................................................................................................................................. 34

8.4 Acceptable Use ............................................................................................................................ 35

8.4.1 Purpose ................................................................................................................................. 35

8.4.2 Requirements ........................................................................................................................ 35

8.5 Email Communications ................................................................................................................. 35

8.5.1 Purpose ................................................................................................................................. 35

8.5.2 Requirements ........................................................................................................................ 35

9 THREAT MANAGEMENT ...................................................................................................................... 36

9.1 Purpose ........................................................................................................................................ 36

9.2 Threat Detection .......................................................................................................................... 36

9.2.1 Purpose ................................................................................................................................. 36


9.2.2 Requirements ........................................................................................................................ 36

9.3 Information Security Monitoring and Logging ............................................................................... 36

9.3.1 Purpose ................................................................................................................................. 36

9.3.2 Requirements ........................................................................................................................ 37

9.4 Information Security Incident Handling ........................................................................................ 37

9.4.1 Purpose ................................................................................................................................. 37

9.4.2 Requirements ........................................................................................................................ 37

9.5 Data Breach Notification .............................................................................................................. 38

9.5.1 Purpose ................................................................................................................................. 38

9.5.2 Requirements ........................................................................................................................ 38

10 IT ASSET MANAGEMENT .................................................................................................................. 38

10.1 Purpose ...................................................................................................................................... 38

10.2 IT Asset Control ......................................................................................................................... 38

10.2.1 Purpose ............................................................................................................................... 38

10.2.2 Requirements ...................................................................................................................... 38

10.3 Software License Management .................................................................................................. 39

10.3.1 Purpose ............................................................................................................................... 39

10.3.2 Requirements ...................................................................................................................... 39

10.4 Configuration Management and Change Control ........................................................................ 39

10.4.1 Purpose ............................................................................................................................... 39

10.4.2 Requirements ...................................................................................................................... 39

11 GLOSSARY ......................................................................................................................................... 40

12 ACRONYMS ....................................................................................................................................... 47


1INTRODUCTION

1.1IntentTheintentofthisStandardistoestablishabaselineforinformationsecurityandriskmanagementactivitiesfor all of Radford University. These baseline activities include, but are not limited to, any regulatoryrequirements that the University is subject to, information security best practices, and the requirementsdefinedinthisStandard.Theseinformationsecurityandriskmanagementactivitieswillprovideprotectionof,andmitigaterisksto,Universityinformationsystems,networksanddata. ThisStandarddefinestheminimumacceptablelevelofinformationsecurityandriskmanagementactivitiesfortheUniversity.AsusedinthisStandard,sensitivityencompassestheelementsofconfidentiality,integrity,andavailability.SeeITSystemandDataSensitivityClassificationforadditionaldetailsonsensitivity.

TheUniversityInformationSecurityProgramconsistsofthefollowingmajorcomponentareas: 1. RiskManagement2. ITContingencyPlanning3. InformationSystemsSecurity4. LogicalAccessControl5. DataProtection6. FacilitiesSecurity7. PersonnelSecurity8. ThreatManagement9. ITAssetManagement

Each component listed above contains requirements that, taken together, comprise the University’s ITSecurity Standard. This Standard recognizes that University departments may procure IT equipment,systems,andservicesfromthirdparties. Insuchinstances,Universitydepartmentsremainaccountableformaintaining compliance with this Standard and must enforce these compliance requirements throughdocumentedagreementswiththird-partyprovidersandoversightoftheservicesprovided.

1.2OrganizationofthisStandardThecomponentareasoftheUniversity’sInformationSecurityProgramprovidetheorganizationalframeworkforthisStandard.Eachcomponentareaconsistsofoneormoresectionscontaining:

1. APurposestatementthatprovidesahigh-leveldescriptionofthecomponentareaorsubcomponentareaanditsimportance.

2. Requirementsthataremandatorytechnicaland/orprogrammaticactivitiesforaspecificcomponentarea.

3. Asappropriate,recommendationsthatareadvisoryinnatureandprovideguidancetodepartmentsinansweringspecificquestions.

4. Notes,whichproviderationaleandexplanationregardingtherequirements.5. Examplesthatdescribethewaysinwhichtherequirementsmightbemet.

1.3RolesandResponsibilitiesThe University should utilize organizational charts depicting the reporting structure of employees when


assigning specific responsibilities for the security of IT systems, networks and data. The University shallmaintaindocumentationregardingspecificrolesandresponsibilitiesrelatingtoinformationsecurity.

1.4InformationSecurityProgramThe University shall establish, document, implement, and maintain its information security programappropriate to its business and technology environment in compliance with this Standard. In addition,becauseresourcesthatcanreasonablybecommittedtoprotectingITsystemsarelimited,theUniversitymustimplementitsinformationsecurityprograminamannercommensuratewithsensitivityandrisk.

1.5ExceptionstoSecurityRequirementsIfaUniversitydepartmentdetermines that compliancewith theprovisionsof thisStandardoranyrelatedinformationsecuritystandardwouldadverselyimpactanofficialUniversitybusinessprocess,theUniversitydepartmentmayrequestapprovaltodeviatefromaspecificrequirementbysubmittinganexceptionrequesttotheChiefInformationOfficer(CIO).Foreachexception,therequestingdepartmentshallfullydocument:

1. Thebusinessneedandjustification2. Thescopeandextentofthedeviation3. Mitigatingsafeguards4. Therelatedrisks5. Thespecificduration6. ThedepartmentDeanorDirector’sapproval7. UniversityVicePresidentsignatureacceptingresidualrisks

EachrequestshallbeinwritingtotheCIOusingtheITSecurityStandard5003sExceptionRequestlocatedat:https://www.radford.edu/content/dam/departments/administrative/doit/documents/ITSecurityStandardExceptionVer1.pdf.Therequestmustbeapprovedbythedepartment’sDeanorDirector,andbytheVicePresidentofthedivisionmakingtherequestindicatingacceptanceofandresponsibilityforthedefinedresidualrisks.Includedineachrequestshallbeastatementdetailingthereasonsfortheexceptionaswellasmitigatingcontrolsandidentifiedrelatedrisks.RequestsforexceptionshallbeevaluatedanddecideduponbytheUniversity’sInformationSecurityOfficerandCIO.Therequestingpartywillbeinformedofthedecision.Anexceptioncannotbeprocessedunlessidentifiedrelatedrisksareclearlystatedandthedepartment’sDeanorDirector,andtheareaVicePresidenthasapproved,indicatingacceptanceofandresponsibilityfortheserisks.Inaddition,whenarequirementdefinedinthisstandardisnotsupportedbyfeaturesofthesystem,mitigatingcontrolsmustbeimplementedtoaddresstherequirement.

1.6ExemptionsfromthisStandardThefollowingareexplicitlyexemptfromcomplyingwiththerequirementsdefinedinthisStandard:

1. Systemsunderdevelopmentand/orexperimentalsystemsthatdonotcreateadditionalrisktoproductionsystems,networksanddata.Tobeconsideredforexemption,thesesystemsmustnotcontainsensitivedata.

2. Surplusandretiredsystems.3. Non-sensitivesystems.


2RISKMANAGEMENT

2.1PurposeRiskManagementdelineatesthestepsnecessarytoidentify,analyze,prioritize,andmitigaterisksthatcouldcompromiseITsystems,networksanddata.Thissectiondefinesrequirementsforthefollowingareas:

1. KeyInformationSecurityRolesandResponsibilities2. BusinessImpactAnalysis3. ITSystemandDataSensitivityClassification4. SensitiveITSystemInventoryandDefinition5. RiskAssessment6. ITSecurityAudits

2.2KeyInformationSecurityRolesandResponsibilities

2.2.1PurposeThis Section defines the key IT security roles and responsibilities included in the Information SecurityProgram.Theserolesandresponsibilitiesareassignedto individuals,andmaydiffer fromtherole titleorworkingtitleoftheindividual’sposition.Individualsmaybeassignedmultipleroles,aslongasthemultipleroleassignmentsprovideadequateseparationofduties,provideadequateprotectionagainstthepossibilityoffraud,anddonotleadtoaconflictofinterests.

2.2.2ChiefInformationOfficeroftheUniversity(CIO)1. AtRadfordUniversity,theCIOisalsotheVicePresidentforInformationTechnologyandmaybe

referredtoaseitherinthisStandard.TheUniversityPresidenthasdelegatedInformationTechnologydutiesandresponsibilitiestotheCIO.Asapartofthesedelegateddutiesandresponsibilities,theCIOisresponsiblefortheoverallsecurityoftheUniversity’sinformationsystems,networksanddata.TheCIO’sinformationsecurityresponsibilitiesincludethefollowing:DesignateanInformationSecurityOfficer(ISO)fortheUniversity.Note:TheUniversityshouldhaveatleastonebackupISO.

2. EnsurethataninformationsecurityprogramismaintainedthatissufficienttoprotecttheUniversity’sITassetsandisdocumentedandeffectivelycommunicatedtotheUniversitycommunity.

3. IdentifyaSystemOwnerwhoisgenerallytheBusinessOwnerforeachUniversitysensitivesystem.EachSystemOwnershallworkwithDataOwner(s),DataCustodian(s)andSystemAdministrator(s)inthedocumentation,operationandmaintenanceoftheUniversitysensitiveITsystem.

4. ReviewandapprovetheUniversity’sBusinessImpactAnalysis(BIAs),RiskAssessments(RAs),andITDisasterRecoveryPlans.

5. ProvidetheresourcestoenableUniversityemployeestocarryouttheirresponsibilitiesforsecuringITsystems,networksanddata.

6. Ensurecompliance ismaintainedwith thecurrentversionof theUniversity’s ITAuditPolicy.Thiscompliancemustinclude,butisnotlimitedto:(a) RequiringdevelopmentandimplementationofaplanforITsecurityaudits.(b) RequiringthattheplannedITsecurityauditsareconducted.(c) ReceivingreportsoftheresultsofITsecurityaudits.(d) RequiringdevelopmentofCorrectiveActionPlanstoaddressfindingsofITsecurityaudits.


7. Preventconflictofinterestsandadheretotheconceptofseparationofdutiesbyassigningrolesso

that:(a) TheISOisnotaSystemOwneroraDataOwnerexceptinthecaseofcompliancesystemsfor

informationsecurity.(b) TheSystemOwnerandtheDataOwnerarenotSystemAdministratorsforITsystemsordata

theyown.(c) TheISO,SystemOwners,andDataOwnersareallUniversityemployees.

8.Ensurethataninformationsecurityawarenessandtrainingprogramisestablished.

2.2.3InformationSecurityOfficer(ISO)The ISO is responsible for developing, coordinating and managing the University’s information securityprogram.TheISOdutiesareasfollows:

1. Developandmanageaninformationsecurityprograminamannercommensuratewithrisk.2. DevelopandmanageanIntrusionDetectionSystem(IDS)programinamannercommensuratewith

risk.3. DevelopandmaintainaninformationsecurityawarenessandtrainingprogramforUniversityIT

userswithaccesstosensitivesystems,networksordata,includingcontractorsandITserviceproviders.RequirethatallsensitiveITsystemuserscompleterequiredITsecurityawarenessandtrainingactivitiespriorto,orassoonaspracticableafter,receivingaccesstosensitivesystems,andnolessthanannually,thereafter.

4. VerifyandvalidatethatallUniversityITsystems,networksanddataareclassifiedforsensitivityandmaintainawarenessofthesecuritystatusofsensitiveITsystems.

5. Implementandmaintaintheappropriatebalanceofpreventative,detectiveandcorrectivecontrolsforUniversityITsystemscommensuratewithdatasensitivity,riskandsystemscriticality.

6. MitigateandreportallITsecurityincidentsinaccordancewith2.2-603oftheCodeofVirginiaandtakeappropriateactionstopreventrecurrence.

7. Providesolutions,guidance,andexpertiseinITsecuritymatters.8. ReviewandapproveSystemSecurityPlansthatprovideadequateprotectionsagainstsecurityrisks

ordisapproveSystemSecurityPlansthatdonotprovideadequateprotectionsagainstsecurityrisks,andrequirethattheSystemOwnerimplementadditionalsecuritycontrolsontheITsystemtoprovideadequateprotectionsagainstsecurityrisks.

9. Performannualinternalreviewsandvulnerabilityassessmentsforallidentifiedsensitivesystems.10. DevelopandleadComputerSecurityIncidentResponseTeam(CSIRT)toprepareforintrusionsand

threats.11. Provideannualrole-basedtrainingtosystemowners,dataowners,systemadministratorsand

applicationadministrators.

2.2.4PrivacyOfficerTheUniversitymust havea PrivacyOfficer if required by lawor regulation, such as theHealth InsurancePortabilityandAccountabilityAct(HIPAA),andmaychoosetohaveonewherenotrequired.Otherwise,theseresponsibilitiesarecarriedoutbytheISO.ThePrivacyOfficerprovidesguidanceon:

1. Therequirementsofstateandfederalprivacylaws.2. Disclosureofandaccesstosensitivedata.3. SecurityandprotectionrequirementsinconjunctionwithITsystemswhenthereissomeoverlap

amongsensitivity,disclosure,privacy,andsecurityissues.


2.2.5SystemOwnerTheSystemOwneristheUniversitymanagerresponsibleforhavinganITsystemdocumented,operatedandmaintained.AnITSystemmayhaveonlyoneSystemOwner.WithrespecttoITsecurity,theSystemOwner’sresponsibilitiesincludethefollowing:

1. RequirethattheITsystemuserscompleteanysystemuniquesecuritytrainingpriorto,orassoonaspracticableafter,receivingaccesstothesystem,andnolessthanannually,thereafter.

2. Ensurethatsystemdocumentationanddiagramsareupdatedwithsystemchanges.3. Managesystemriskanddevelopanyadditionalinformationsecuritypoliciesandprocedures

requiredtoprotectthesysteminamannercommensuratewithrisk.4. MaintaincompliancewithUniversityInformationSecuritypoliciesandstandardsinallITsystem

activitiesforbothsystemshostedbyathird-partyproviderandon-premisesystems.5. MaintaincompliancewiththeThird-PartyHostedSystem/ApplicationSecurityReviewProcedures

whensystemishostedbyathird-partyprovider.6. MaintaincompliancewithrequirementsspecifiedbyDataOwnersforthehandlingofdataprocessed

bythesystem.7. DesignateSystemAdministrators,DataOwnerandApplicationAdministratorforthesystem.8. Completeannualrole-basedtraining.

Note:ASystemOwnercanownmultipleITsystems.

2.2.6DataOwnerThe Data Owner is the University manager responsible for the policy and practice decisions regardingUniversitydata,andisresponsibleforthefollowing:

1. Evaluateandclassifysensitivityofthedata.2. Defineprotectionrequirementsforthedatabasedonthesensitivityofthedata,anylegalor

regulatoryrequirements,andbusinessneeds.3. CommunicatedataprotectionrequirementstotheSystemOwner.4. Definerequirementsforaccesstothedata.5. Completeannualrole-basedtraining.6. Approveaccesstodata.7. AppointaDataCustodian,whereappropriate.

Note:ADataOwnercanowndataonmultipleITsystems.Datamayhavemultipledataowners.

2.2.7SystemAdministratorTheSystemAdministratorisananalyst,engineer,orconsultantwhoimplements,manages,and/oroperatesasystemorsystemsat thedirectionof theSystemOwner,DataOwner,and/orDataCustodian.TheSystemAdministratorisresponsibleforthefollowing:

1. AssistsUniversitymanagementintheday-to-dayadministrationofITsystems.

2. Implements security controls and other requirements of the University’s information securityprogramonITsystemsforwhichtheSystemAdministratorhasbeenassignedresponsibility.

3. EachsystemshouldhaveatleasttwoSystemAdministrators(oneprimary,onesecondary).

4. MonitorsystemlogsforanomalousactivityandnotifyITSecurityofanypotentialthreatsorcompromisesofthesystem.

5. Ensuresystemandsecurityupdatesareappliedinatimelymanner.6. Completeannual,role-basedtraining.


Note: SystemAdministrators can assume responsibility formultiple IT systems, butmaynot be a SystemOwnerorDataOwner.

2.2.8ApplicationAdministratorTheApplicationAdministratoristheUniversitymanagerresponsiblefortheoperationsandmaintenanceoftheapplication,atthedirectionoftheSystemOwner,DataOwner,and/orDataCustodian,andisresponsibleforthefollowing:

1. Implementsecuritybaseline,controlsandotherrequirementsoftheUniversity’sinformationsecurityprogramonITapplicationsforwhichtheApplicationAdministratorhasbeenassignedresponsibility.

2. IftheapplicationrequirescommunicationwithotherUniversitysystems,workwiththeDivisionofInformationTechnologytoupdateorimplementfirewallrulesandintegrationswithothersystems.

3. Assignaccessandaccounts,adheringtoSection5:LogicalAccessControl.Promptlyremoveaccessofthosewhonolongerneedaccessandmaintainprincipleofleastprivilege.

4. EachsystemshouldhaveatleasttwoApplicationAdministrators(oneprimary,onesecondary).

5. MonitorapplicationlogsforanomalousactivityandnotifyITSecurityofanypotentialthreatsorcompromisesoftheapplicationoraccounts.

6. Ensureapplicationandsecurityupdatesareappliedinatimelymanner.7. Completeannualrole-basedtraining.

2.2.9DataCustodianDataCustodiansareindividualsororganizations inphysicalor logicalpossessionofdata forDataOwners.DataCustodiansareresponsibleforthefollowing:

1. Protectingthedataintheirpossessionfromunauthorizedaccess,alteration,destruction,orusage.2. Establishing,monitoring,andoperatingITsystemsinamannerconsistentwithUniversity

InformationSecuritypoliciesandstandards.3. ProvidingDataOwnerswithreports,whennecessaryandapplicable.4. Completingannualrole-basedtraining.

2.2.10ITSystemUsersAllusersofUniversityITsystemsincludingemployeesandcontractorsareresponsibleforthefollowing:

1. ReadingandcomplyingwithUniversityinformationsecurityprogrampolicies,proceduresandstandards.

2. ReportingbreachesofITsecurity,actualorsuspected,toUniversitymanagementand/ortheISO.3. TakingreasonableandprudentstepstoprotectthesecurityofITsystems,networksanddatato

whichtheyhaveaccess.4. CompletingannualITSecurityAwarenesstraining.FailuretocompleteannualITSecurityAwareness

trainingmayresultinaccountsuspension.Note:Other rolesmaybeassigned tocontractorsworkingwith theUniversityonsystemsordata thatareclassified as sensitive. For roles assigned to contractors, the contract language must include specificresponsibilityandbackgroundcheckrequirements.


2.3BusinessImpactAnalysis

2.3.1PurposeBusiness Impact Analysis (BIA) delineates the steps necessary for the University to identify businessfunctions that are essential to its mission, and identify the resources that are required to support theseessentialbusinessfunctions.

2.3.2Requirements1. TheUniversityshould:RequiretheparticipationofSystemOwnersandDataOwnersinthede-

velopmentoftheUniversity’sBIA.2. Identifybusinessfunctions.3. Identifyessentialbusinessfunctions.

Note:AbusinessfunctionisessentialifdisruptionordegradationofthefunctionpreventstheUniversityfromperformingitsmission,asdescribedintheUniversitymissionstatement.

4. Identifydependentfunctions,ifany.Determineanddocumentanyadditionalfunctionsonwhicheachessentialbusinessfunctiondepends.Thesedependentfunctionsareessentialfunctionsaswell.

5. Foreachessentialbusinessfunctionanddependentfunction,assesswhetherthefunctiondependsonanITsystemtoberecovered.EachITsystemthatisrequiredtorecoveranessentialfunctionoradependentfunctionshallbeconsideredsensitiverelativetoavailability.Foreachsuchsystem,theUniversityshall:(a) DetermineanddocumenttherequiredRecoveryTimeObjective(RTO),basedonUniversity

goalsandobjectives.(b) DetermineanddocumenttheRecoveryPointObjectives(RPO).

6. UsetheITinformationdocumentedintheBIAreportasaprimaryinputtoITSystemandDataSensitivityClassification,RiskAssessment,ITContingencyPlanningandITSystemSecurityPlans.

7. ConductperiodicreviewandrevisionoftheUniversityBIAs,asneeded,butatleastonceeverythreeyears.

2.4ITSystemandDataSensitivityClassification

2.4.1PurposeIT SystemandData Sensitivity Classification requirements identify the steps necessary to classify all ITsystems,networksanddataaccordingtotheirsensitivitywithrespecttothefollowingcriteria:

1. Confidentiality,whichaddressessensitivitytounauthorizeddisclosure.2. Integrity,whichaddressessensitivitytounauthorizedmodification.3. Availability,whichaddressessensitivitytooutages.

Sensitivedata(alsoknownasHighlySensitiveData)isanydataofwhichthecompromisewithrespecttoconfidentiality, integrity,and/oravailabilitycouldhaveamaterialadverseeffectonUniversity interests,the conduct of University programs, or the privacy towhich individuals are entitled.Data sensitivity isdirectly proportional to themateriality of a compromise of the datawith respect to these criteria.DataOwnersandSystemOwnersmustclassifyeachITsystembysensitivityaccordingtothemostsensitivedatathattheITsystemstores,processes,ortransmits.


2.4.2RequirementsTheISOshall:

1. RequirethattheDataOwneridentifythetype(s)ofdatahandledbytheUniversityITsystem.2. RequirethattheDataOwnerdeterminewhethereachtypeofdataisalsosubjecttootherregulatory

requirements.3. RequirethattheDataOwnerdeterminethepotentialdamagestotheUniversityofacompromiseof

confidentiality,integrityoravailabilityofeachtypeofdatahandledbytheITsystem,andclassifythesensitivityofthedataaccordingly.

4. ClassifytheITsystemassensitiveifanytypeofthedatahandledbytheITsystemhasasensitivityofhighonanyofthecriteriaofconfidentiality,integrity,oravailability.

5. ReviewITsystemanddataclassificationsandsubsequentlyobtainCIOapprovaloftheseclassifications.

6. VerifyandvalidatethatallUniversityITsystems,networksanddatahavebeenreviewedandclassifiedforsensitivity.

7. CommunicateapprovedITsystemanddataclassificationstoSystemOwners,DataOwners,andend-users.

8. RequirethattheUniversityprohibitpostinganydataclassifiedassensitivewithrespecttoconfidentialityonapublicwebsite,FTPserver,driveshare,bulletinboardoranyotherpubliclyaccessiblemediumunlessawrittenexceptionisapprovedbytheCIOidentifyingthebusinesscase,risks,mitigatingcontrols,andidentifiedresidualrisks.Thisrequirementmaybeimplementedbypolicy,procedureand/orstandards.

9. UsetheinformationdocumentedinthesensitivityclassificationasaprimaryinputtotheRiskAssessmentprocessdefinedinthisStandard.

2.5SensitiveITSystemInventoryandDefinition

2.5.1PurposeSensitive IT System Inventory and Definition requirements identify the steps in listing and marking theboundaries of sensitive IT systems in order to providecost-effective, risk-based security protection for ITsystems,fortheUniversityasawhole.

2.5.2RequirementsTheITSecurityofficeshallprovideaconsultingroletotheresponsiblepartiesto:

1. DocumenteachsensitiveITsystemownedbytheUniversity,includingitsownershipandboundaries,andupdatethedocumentationaschangesoccur.Note:AsensitiveITsystemmayhavemultipleDataOwners,and/orSystemAdministrators,butmusthaveasingleSystemOwner.

2. Maintainorrequirethatitsnetworkinggroup/serviceprovidermaintainupdatednetworkdiagrams.3. Maintainareferencelistthatcorrelateseachsensitivesystemwiththecomponentsrequiredtorun

thesystem(suchasservers,networks,personnel,etc.).


2.6RiskAssessment

2.6.1PurposeRiskAssessment(RA)requirementsdelineatethestepstheUniversitymusttakeforeachITsystemclassifiedassensitiveto:

1. IdentifypotentialthreatstoanITsystemandtheenvironmentinwhichitoperates.2. Determinethelikelihoodthatthreatswillmaterialize.3. Identifyandevaluatevulnerabilities.4. Determinethelossimpactifoneormorevulnerabilitiesareexploitedbyapotentialthreat.

Note:ThisStandardrequiresariskassessmentbasedonoperationalrisk.

2.6.2RequirementsForeachITsystemclassifiedassensitive,theUniversityshall:

1. ConductanddocumentaRAoftheITsystemasneeded,butnotlessthanonceeverythreeyears.2. Conductanddocumentanannualself-assessmenttodeterminethecontinuedvalidityoftheRA.3. Prepare a report of each RA that includes, at a minimum, identification of all vulnerabilities

discovered during the assessment, and an executive summary, including major findings and riskmitigationrecommendations.

2.7ITSecurityAudits

2.7.1PurposeIT Security Audit requirements define the steps necessary to assess whether IT security controlsimplementedtomitigaterisksareadequateandeffective.

2.7.2RequirementsForeachITsystemclassifiedassensitive,theUniversityshall:

1. RequirethattheITsystemsundergoanITSecurityAudit.2. AssignanindividualtoberesponsibleformanagingITSecurityAudits.

3ITCONTINGENCYPLANNING

3.1PurposeITContingencyPlanningdelineatesthestepsnecessarytoplanforandexecuterecoveryandrestorationofITsystems,networksanddataifaneventoccursthatrenderstheITsystems,networksand/ordataunavailable.ThiscomponentoftheUniversityInformationSecurityProgramdefinesrequirementsinthefollowingareas:

1. ContinuityofOperationsPlanning.2. DisasterRecoveryPlanning.3. ITSystemandDataBackupandRestoration.


3.2ContinuityofOperationsPlanning

3.2.1PurposeTheContinuityofOperationsPlan(COOP)requirementsareoutsideofthescopeofthisStandard.ThissectionaddressesonlytheITdisasterrecoverycomponentsoftheCOOPforITsystems,networksanddata.TheseITdisaster recovery components of theCOOP identify the steps necessary to provide continuity foressentialUniversityITsystems,networksanddata.

3.2.2RequirementsTheUniversityshall:

1. DesignateanemployeetocollaboratewiththeUniversityContinuityofOperationsPlan(COOP)coordinatorasthefocalpointforITaspectsofCOOPandrelatedDisasterRecovery(DR)planningactivities.Unlessotherwisespecified,theISOassumesthisdesignation.

2. BasedonBIAandRAresults,developITdisastercomponentsoftheUniversityCOOPwhichidentifies:(a) EachITsystemthatisnecessarytorecoveressentialbusinessfunctionsordependentbusiness

functionsandtheRecoveryTimeObjective(RTO)andRecoveryPointObjective(RPO)foreach.(b) Personnelcontactinformationandincidentnotificationprocedures.(c) Thenecessarycomponentstorecovereachidentifiedsystem.Note:IftheCOOPcontainssensitivedata,thosecomponentswithsensitivedatashouldbeprotectedandstoredatasecureoff-sitelocation.

3. RequireanexerciseofbusinessessentialITDRcomponents,asdefinedbytheBIA,toassesstheiradequacyandeffectivenessatleasteverythreeyears.

4. RequirereviewandrevisionofITDRcomponentsfollowingtheexercise(andatothertimesasnecessary).

3.3ITDisasterRecoveryPlanning

3.3.1PurposeITDisasterRecoveryPlanningisthecomponentofContinuityofOperationsPlanningthatidentifiesthestepsnecessarytoprovideforrestoringessentialbusinessfunctionsonaschedulethatsupportstheUniversity’smission.ThesestepsleadtothecreationofanoverallITDisasterRecoveryStrategy(DRS).


1. DevelopandmaintainanITDRS,whichsupportstherestorationofessentialbusinessfunctionsanddependentbusinessfunctions.

2. RequireapprovaloftheITDRSbytheCIO.3. Requireannualreviews,reassessments,testing,andrevisionsoftheITDRStoreflectchangesin

essentialbusinessfunctions,services,ITsystemhardwareandsoftware,andpersonnel.4. EstablishcommunicationmethodstosupportITsystemusers’localandremoteaccesstoITsystems,

asnecessary.


3.4ITSystemandDataBackupandRestoration

3.4.1PurposeIT System and Data Backup and Restoration requirements identify the steps necessary to protect theavailabilityandintegrityofUniversitydatadocumentedinbackupandrestorationplans.

3.4.2RequirementsForeveryITsystemidentifiedassensitiverelativetoavailability,theUniversityshallorshallrequirethatitsserviceproviderimplementbackupandrestorationplanstosupportrestorationofsystems,networks,dataandapplications inaccordancewithUniversity requirements.Ataminimum, theseplansshalladdress thefollowing:

1. Secureoff-sitestorageforbackupmedia.2. Storeoff-sitebackupmediainanoff-sitelocationthatisgeographicallyseparateanddistinctfrom

theprimarylocation.3. Performanceofbackupsonlybyauthorizedpersonnel.4. Reviewofbackuplogsafterthecompletionofeachbackupjobtoverifysuccessfulcompletion5. ApprovalofbackupschedulesofasystembytheSystemOwnerinconsultationwiththeDataOwner.6. ApprovalofemergencybackupandoperationsrestorationplansbytheSystemOwner.7. Protectionofanybackupmediathatissentoff-site(physicallyorelectronically),orshippedbythe

UnitedStatesPostalServiceoranycommercialcarrier,inaccordancewithUniversityrequirements.8. Authorizationandloggingofdepositsandwithdrawalsofallmediathatisstoredoffsite.9. RetentionofthedatahandledbyanITsysteminaccordancewiththeCommonwealthofVirginiaor

theUniversity’srecordsretentionpolicy.10. Managementofelectronicinformationinsuchawaythatitcanbeproducedinatimelyandcomplete

mannerwhennecessary,suchasduringalegaldiscoveryproceeding.11. DocumentandexerciseastrategyfortestingthatITsystemanddatabackupsarefunctioningas

expectedandthedataispresentinausableform.12. Forbusinessessentialsystems,documentandexerciseastrategyfortestingbackupandrecovery

procedures,inaccordancewiththeUniversity’sContinuityofOperationsPlan,atleasteverythreeyears.

4INFORMATIONSYSTEMSSECURITY

4.1PurposeInformationSystemsSecurityrequirementsdelineatestepstoprotect informationsystemsinthefollowingareas:

1. ITSystemSecurityPlans2. ITSystemHardening3. ITSystemsInteroperabilitySecurity4. MaliciousCodeProtection5. SystemsDevelopmentLifeCycleSecurity6. ApplicationSecurity


7. WirelessSecurity

4.2ITSystemSecurityPlans

4.2.1PurposeITSystemSecurityPlans(SSP)documentthesecuritycontrolsrequiredtodemonstrateadequateprotectionofinformationsystemsagainstsecurityrisksincludingthoserisksidentifiedinriskassessments.

4.2.2RequirementsEachSystemOwnerofasensitiveITsystemshall:

1. Document an IT System Security Plan (SSP) for the IT system based on the results of the riskassessment.Thisdocumentationshallincludeadescriptionof:(a) AllexistingandplannedsecuritycontrolsfortheITsystem,includingaschedulefor

implementingplannedcontrols.(b) HowthesecontrolsprovideadequatemitigationofriskstowhichtheITsystemissubject.

2. SubmittheITSystemSecurityPlantotheISOforapproval.3. Plan,documentandimplementadditionalsecuritycontrolsfortheITsystemiftheISOdisapproves

oftheITSystemSecurityPlan,andresubmittheITSystemSecurityPlantotheISOforapproval.4. UpdatetheITSystemSecurityPlaneverythreeyears,ormoreoftenifnecessary(e.g.,duetomaterial

change),andresubmittheITSystemSecurityPlantotheISOforapproval.

4.3ITSystemHardening

4.3.1PurposeIT System Hardening requirements delineate technical security controls to protect IT systems againstsecurityvulnerabilities.

4.3.2RequirementsTheUniversityshallorshallrequirethatitsserviceprovider:

1. Identify,document,andapplyappropriatebaselinesecurityconfigurationstoallUniversityITsystems,regardlessoftheirsensitivity.

2. Identify,document,andapplymorerestrictivesecurityconfigurationsforsensitiveUniversityITsystems,asnecessary.Note:TheUniversitymaydevelopUniversityspecificbaselinesecurityconfigurationstandardsormayelecttousebaselinesecurityconfigurationstandardsthatarepubliclyavailable,suchasthosedevelopedbytheCenterforInternetSecurity(www.cisecurity.org).

3. Maintainrecordsthatdocumenttheapplicationofbaselinesecurityconfigurations.4. Monitorsystemsforsecuritybaselinesandpolicycompliance.5. Reviewandreviseallbaselinesecurityconfigurationstandardsannually,ormorefrequently,as

needed.Note:TheUniversityshouldestablishaprocesstoreviewapplicablesecuritynotificationsissuedbyequipmentmanufacturers,bulletinboards,security-relatedwebsites,andothersecurityvenues,and


establishaprocesstoupdatesecuritybaselineconfigurationstandardsbasedonthosenotifications.6. Reapply all baseline securityconfigurations toUniversity IT systems,as appropriate,when the IT

systemundergoesamaterialchange,suchasanoperatingsystemupgrade.7. RequireannualoperatingsystemlevelvulnerabilityscanningofsensitiveITsystems.8. Modify individual IT system configurations or baseline security configuration standards, as

appropriate,toimprovetheireffectivenessbasedontheresultsofvulnerabilityscanning.9. Security patches should be applied when they can eliminate or mitigate applicable security

vulnerabilities.However,automaticupdatesshouldneverbeenabledonsensitivesystemsthathavehigh-availabilityrequirementsassomesecuritypatchesmaycauseapplications(orentiresystems)to fail.Therisksassociatedwithapplyingsecuritypatchesshouldbe taken intoconsiderationandcomparedagainsttherisksoftheidentifiedsecurityvulnerability.Ifnosecuritypatchisavailable,orisavailablebutunabletobeappliedbecausedoingsoisdeemedtobethegreaterrisk,thefollowingcompensatingcontrolsmaybeutilized:(a) Modifyorcreateaccessrestrictions,e.g.firewalls,tolimitaccesstothesystem.(b) Disableservicesorfunctionalityrelatedtotheidentifiedsecurityvulnerability.(c) Raiseawarenessoftheidentifiedsecurityvulnerability.(d) IncreaseIDSloggingtodetectpotentialattacks.

4.4ITSystemsInteroperabilitySecurity

4.4.1PurposeITSystemInteroperabilitySecurityrequirementsidentifystepstoprotectdatasharedwithotherITsystems.

4.4.2RequirementsForeverysensitiveUniversity ITsystemthat sharesdatawithnon-Universityentities, theUniversityshallrequireorshallspecifythatitsserviceproviderrequire:

Note: Best practice dictates that Interoperability Agreements should be in place for sensitive IT systeminteroperability between University departments. However, this Standard currently only requiresagreementsbetweenUniversityandnon-Universityentities.

1. TheSystemOwners, inconsultationwith theDataOwners, shalldocument ITsystemswithwhichdataisshared.Thisdocumentationmustinclude:(a) Thetypesofshareddata.(b) Thedirection(s)ofdataflow.(c) ContactinformationfortheorganizationthatownstheITsystemwithwhichdataisshared,

includingtheSystemOwner,theInformationSecurityOfficer(ISO),orequivalent,andtheSystemAdministrator.

2. TheSystemOwnersoftheITsystemswhichsharedatashalldevelopawrittenagreementthatdelineatessecurityrequirementsforeachinterconnectedITsystemandforeachtypeofdatashared.

3. TheSystemOwnersoftheITsystemsthatsharedatashallinformoneanotherregardingotherITsystemswithwhichtheirITsystemsinterconnectorsharedata,andshallinformoneanotherpriortoestablishinganyadditionalinterconnectionsordatasharing.

4. ThewrittenagreementshallspecifyifandhowtheshareddatawillbestoredoneachITsystem.5. ThewrittenagreementshallspecifythatSystemOwnersoftheITsystemsthatsharedata

acknowledgeandagreetoabidebyanylegalrequirements(e.g.,HIPAA,PCI,etc.)regardinghandling,protection,anddisclosureoftheshareddata.


6. ThewrittenagreementshallspecifyeachDataOwner’sauthoritytoapproveaccesstotheshareddata.

7. TheSystemOwnersshallapproveandenforcetheagreement.

4.5MaliciousCodeProtection

4.5.1PurposeMalicious Code Protection requirements identify controls to protect IT systems from damage caused bymaliciouscode.

4.5.2RequirementsTheUniversityshall,orshallrequirethatitsserviceprovider:

1. ProhibitallITsystemusersfromdevelopingorexperimentingwithmaliciousprograms(e.g.,viruses,worms,spy-ware,keystrokeloggers,phishingsoftware,Trojanhorses,etc.)unlessthisdevelopmentorexperimentationisforacademicorresearchpurposesinanofflineenvironmentthatdoesnotimpactproductionsystems,networksordata.

2. Providemaliciousprogramdetection,protection,eradication,logging,andreportingcapabilities.3. ProvidemaliciouscodeprotectionmechanismsviamultipleITsystemsandforallITsystemusers

preferablydeployingmaliciouscodedetectionproductsfrommultiplevendorsonvariousplatforms.Example:TheUniversitymayelecttoprovideprotectionagainstmaliciouscodetransmittedviaemailontheemailserversandonthedesktop.

4. Provideprotectionagainstmaliciousprogramsthroughtheuseofmechanismsthat:(a) Eliminatesorquarantinesmaliciousprogramsthatitdetects.(b) Providesanalertnotification.(c) Automaticallyrunsscansonmemoryandstoragedevices.(d) Automaticallyscansallfilesretrievedthroughanetworkconnection,modemconnection,orfrom

aninputstoragedevice.(e) Allowsonlyauthorizedpersonneltomodifyprogramsettings.(f) Maintainsalogofprotectionactivities.

5. ProvidetheabilitytoeliminateorquarantinemaliciousprogramsinemailmessagesandfileattachmentsastheyattempttoentertheUniversity’sinternalemailsystem.

6. Providetheabilityforautomaticdownloadofdefinitionfilesformaliciouscodeprotectionprogramswhenevernewfilesbecomeavailable,andpropagatethenewfilestoalldevicesprotectedbythemaliciouscodeprotectionprogram.

7. Requireallformsofmaliciouscodeprotectiontostartautomaticallyuponsystemboot.8. Providenetworkdesignsthatallowmaliciouscodetobedetectedandremovedorquarantined

beforeitcanenterandinfectaproductiondevice.9. ProvideproceduresthatinstructadministratorsandITsystemusersonhowtorespondtomalicious

programattacks,includingshutdown,restoration,notification,andreportingrequirements.10. Requireuseofonlynewmedia(e.g.,USBsticks,CD-ROM)orsanitizedmediaformakingcopiesof

softwarefordistribution.11. Prohibittheuseofsharedcomputersanddesktops(e.g.,trainingrooms)tocreatedistribution

media.


4.6SystemsDevelopmentLifeCycleSecurity

4.6.1PurposeSystemsDevelopmentLifeCycle(SDLC)securityrequirementsdocumentthesecurityrelatedactivitiesthatmust occur in each phase of the development life cycle (from project definition through disposal) forUniversityITapplicationsystems.


1. Incorporate security requirements in each phase of the life cycle, aswell as for eachmodificationproposedfortheITapplicationsystemineachstageofitslifecycle.

ProjectInitiation

1. Performaninitialriskanalysisbasedontheknownrequirementsandthebusinessobjectivestoprovidehigh-levelsecurityguidelinesforthesystemdevelopers.

2. ClassifythetypesofdatathatthesystemwillprocessandthesensitivityoftheproposedITsystem.3. Assesstheneedforcollectionandmaintenanceofsensitivedatabeforeincorporatingsuchcollection

andmaintenanceinITsystemrequirements.4. DevelopaninitialITSystemSecurityPlan(seeITSystemSecurityPlans)thatdocumentsthesecurity

controlsthatthesystemwillenforcetoprovideadequateprotectionagainstsecurityrisks.ProjectDefinition

1. Identify,develop,anddocumentsecurityrequirementsforthesystemduringtheProjectDefinitionphase.

2. IncorporatesecurityrequirementsinITsystemdesignspecifications.3. Verifythatthesystemdevelopmentprocessdesigns,develops,andimplementssecuritycontrolsthat

meetinformationsecurityrequirementsinthedesignspecifications.4. UpdatetheinitialITSystemSecurityPlantodocumentthesecuritycontrolsincludedinthedesignof

thesystemtoprovideadequateprotectionagainstsecurityrisks.5. Developevaluationprocedurestovalidatethatsecuritycontrolsdevelopedforanewsystemare

workingproperlyandareeffective.Note:Somesecuritycontrols (primarily thosecontrolsofanon-technicalnature)cannotbe testedandevaluateduntilafterdeploymentofthesystem.

Implementation

1. Executetheevaluationprocedurestovalidateandverifythatthefunctionalitydescribedinthespecificationisincludedintheproduct.Note:Resultsshouldbedocumentedinareport,includingidentificationofcontrolsthatdidnotmeetdesignspecifications.

2. ConductaRiskAssessment(seeRiskAssessment)toassesstherisklevelofthesystem.3. RequirethatthesystemcomplywithallrelevantRiskManagementrequirementsinthisStandard.4. UpdatetheITSystemSecurityPlantodocumentthesecuritycontrolsincludedinthesystemas

implementedtoprovideadequateprotectionagainstinformationsecurityrisks,andcomplywiththeotherrequirements(seeITSystemSecurityPlans)ofthisdocument.

Disposition

1. RequireretentionofthedatahandledbyasystemtakesplaceinaccordancewiththeCommonwealth


ofVirginiaortheUniversity’srecordsretentionpolicypriortodisposingofthesystem.2. Requirethatelectronicmediaissanitizedpriortodisposalsothatalldataisremovedfromthe

system.3. VerifythedisposalofhardwareandsoftwareinaccordancewiththeDataStorageandMedia

ProtectionPolicy5102.

4.7ApplicationSecurity

4.7.1PurposeApplicationsecurityrequirementsdefinethehigh-levelspecificationsforsecurelydevelopinganddeployingUniversityapplications.

4.7.2RequirementsTheUniversityISOisaccountableforensuringthefollowingstepsaredocumentedandfollowed:

ApplicationPlanning

1. DataClassification-Dataused,processedorstoredbytheproposedapplicationshallbeclassifiedaccordingtothesensitivityofthedata.

2. RiskAssessment-Ifthedataclassificationidentifiesthesystemassensitive,ariskassessmentshallbeconductedbeforedevelopmentbeginsandafterplanningiscomplete.

3. SecurityRequirements-Identifyanddocumentthesecurityrequirementsoftheapplicationearlyinthedevelopmentlifecycle.Forasensitivesystem,thisshallbedoneafterariskassessmentiscompletedandbeforedevelopmentbegins.

4. SecurityDesign-UsetheresultsoftheDataClassificationprocesstoassessandfinalizeanyencryption,authentication,accesscontrol,andloggingrequirements.Whenplanningtouse,processorstoresensitiveinformationinanapplication,thefollowingdesigncriteriamustbeaddressed:(a) Encryptedcommunicationchannelsshallbeestablishedforthetransmissionofsensitive

information.(b) Sensitiveinformationshallnotbevisiblytransmittedbetweentheclientandtheapplication.(c) Sensitiveinformationshallnotbestoredinhiddenfieldsthatarepartoftheapplication

interface.ApplicationDevelopment

The following requirements represent a minimal set of coding practices, which shall be applied to allapplicationsunderdevelopment.

1. Authentication-Application-basedauthenticationandauthorizationshallbeperformedforaccesstodatathatisavailablethroughtheapplicationbutisnotconsideredpubliclyaccessible.

2. SessionManagement-Anyusersessionscreatedbyanapplicationshallsupportanautomaticinactivitytimeoutfunction.

3. Datastorageshallbeseparatedeitherlogicallyorphysically,fromtheapplicationinterface(i.e.,designtwoorthreetierarchitectures).Note:TheUniversitymayconsidertheuseofdatascrubbingroutinestoremoveallsensitivedatafromnon-productiondatastorage.

4. InputValidation-Allapplicationinputshallbevalidatedirrespectiveofsource.Inputvalidationshouldalwaysconsiderbothexpectedandunexpectedinput,andnotblockinputbasedonarbitrarycriteria.


5. DefaultDeny-Applicationaccesscontrolshallimplementadefaultdenypolicy,withaccessexplicitlygranted.

6. PrincipleofLeastPrivilege-Allprocessingshallbeperformedwiththeleastsetofprivilegesrequired.

7. QualityAssurance-Internaltestingshallincludeatleastoneofthefollowing:penetrationtesting,fuzztesting,orasourcecodeauditingtechnique.Thirdpartysourcecodeauditingand/orpenetrationtestingshouldbeconductedcommensuratewithsensitivityandrisk.Note:Sourcecodeauditingtechniquesinclude,butarenotlimitedto:(a) Manualcodereviewcanidentifyvulnerabilitiesaswellasfunctionalflaws,butmostUniversity

departmentsdonothavetheskilledsecurityresourcesortimeavailablewithinthesoftwarelifecyclethatamanualcodereviewrequires,andtherefore,manywhodecidetoperformmanualcodereviewscanonlyanalyzeasmallportionoftheirapplications

(b) Applicationpenetrationtestingtriestoidentifyvulnerabilitiesinsoftwarebylaunchingasmanyknownattacktechniquesaspossibleonlikelyaccesspointsinanattempttobringdowntheapplicationortheentiresystem

(c) Automatedsourcecodeanalysistoolsmaketheprocessofmanualcodereviewmoreefficient,affordable,andachievable.Thistechniqueofcodeauditresultsinsignificantreductionofanalysistime,actionablemetrics,significantcostsavings,andcanbeintegratedintoallpointsofthedevelopmentlifecycle.

8. Configureapplicationstoclearthecacheddataandtemporaryfilesuponexitoftheapplicationorlogoffofthesystem.

ProductionandMaintenance

1. ProductionapplicationsshallbehostedonserverscompliantwiththeUniversitySecurityrequirementsforITsystemhardening.

2. Internet-facingapplicationsclassifiedassensitiveshallhavevulnerabilityscansrunagainsttheapplicationsandsupportingserverinfrastructureatleastannually,andalwayswhenanysignificantchangetotheenvironmentorapplicationhasbeenmade.Anyremotelyexploitablevulnerabilityshallberemediatedimmediately.Othervulnerabilitiesshouldberemediatedwithoutunduedelay.Note: It is strongly recommended that theUniversityadoptapplicationvulnerability scanningandremediationforallinternalsensitiveapplicationsaswell.

4.8WirelessSecurity

4.8.1PurposeWireless security requirements define the high-level specifications for the secure deployment and use ofwirelessnetworking.

4.8.2RequirementsTheUniversityISOisaccountableforensuringthefollowingstepsarefollowedanddocumented:

WirelessLAN(WLAN)ConnectivityontheUniversitynetworks

1. The following requirements shall be met in the deployment, configuration and administration ofWLANinfrastructureconnectedtoanyinternalUniversitynetwork.(a) WLANinfrastructuremustauthenticateclientdevicespriortopermittingaccesstotheWLAN.(b) Userauthorizationinfrastructure(e.g.,ActiveDirectory)mustbeusedtoauthorizeaccessto


Universityresources.(c) Encryptionmustbeusedtoaccesssensitivesystems(e.g.VPN).(d) PhysicalorlogicalseparationbetweenWLANandwiredLANsegmentsmustexist.(e) UniversityWLANaccessandWLANegresstrafficwillbemonitoredformaliciousactivity,and

associatedeventlogfilesstoredonacentralizedstoragedevice.WLANHotspot(WirelessInternet)

1. Whenbuildingawirelessnetwork,whichwillonlyprovideunauthenticatedaccesstotheInternet,thefollowingmustbeinplace:(a) WLANHotspotsmusthavelogicalorphysicalseparationfromtheUniversity’sLAN.(b) WLANHotspotaccessandWLANegresstrafficwillbemonitoredformaliciousactivity,andlog

filesstoredonacentralizedstoragedevice.WirelessBridging

1. ThefollowingnetworkconfigurationshallbeusedwhenbridgingtwowiredLANs:(a) Allwirelessbridgecommunicationsmustutilizesecureencryption.(b) Wirelessbridgingdevicesmustnotbeconfiguredforanyotherservicethanbridging(e.g.,a

wirelessaccesspoint).

5LOGICALACCESSCONTROL

5.1PurposeLogicalAccessControlrequirementsdelineatethestepsnecessarytoprotectITsystems,networksanddatabyverifyingandvalidating thatusersarewho theysay theyareand that theyarepermitted touse the ITsystems, networks and data they are attempting to access. Users are accountable for any activity on thesystemandnetworkperformedwiththeuseoftheiraccount.ThiscomponentoftheUniversityInformationSecurityProgramdefinesrequirementsinthefollowingthreeareas:

1. AccountManagement2. PasswordManagement3. RemoteAccess

5.2AccountManagement

5.2.1PurposeAccountManagement requirements identify those steps necessary to formalize the process of requesting,granting,administering,andterminatingaccounts.TheUniversityshouldapplytheseAccountManagementpracticestoaccountsonITsystems,includingaccountsusedbyvendorsandthirdparties.

The requirements below distinguish between internal and external IT systems. Internal IT systems aredesignedandintendedforuseonlybyUniversityemployees,contractors,andbusinesspartners.ExternalITsystemsaredesignedandintendedforusebyUniversitycustomersandbymembersofthepublic.


5.2.2RequirementsTheUniversityshallorshallrequirethatitsserviceproviderdocumentandimplementaccountmanagementpractices for requesting, granting, administering,and terminating accounts. Ataminimum, these practicesshallincludethefollowingcomponents:

Note:Itisstronglyrecommendedtechnicalcontrolsbeimplementedwhereverpossibletofulfillthefollowingrequirements, understanding that manual processes must sometimes be implemented to compensate fortechnicalcontrolsthatmightnotbefeasible.

ForallinternalandexternalITsystems

1. GrantITsystemusers’accesstoITsystems,networksanddatabasedontheprincipleofleastprivilege.

2. Defineauthenticationandauthorizationrequirements.3. EstablishpoliciesandproceduresforapprovingandterminatingauthorizationtoITsystems.4. Requirerequestsforandapprovalsofemergencyortemporaryaccessthat:

(a) Aredocumentedaccordingtostandardpracticeandmaintainedonfile.(b) Includeaccessattributesfortheaccount.(c) AreapprovedbytheSystemOwner.(d) Expireafterapredeterminedperiod,basedonsensitivityandrisk.

5. Implementtwo-factorauthentication,wherepossible,foraccesstoITsystems.6. SystemOwnersandDataOwnersmustreviewalluseraccountsfortheuser’scontinuedneedto

accesssensitivesystems.Thesereviewsshouldoccurannually.7. NotifytheDivisionofInformationTechnology(DoIT)whenITsystemuseraccountsarenolonger

required,orwhenanITsystemuser’saccesslevelrequirementschange.8. IftheITsystemisclassifiedassensitive,prohibittheuseofguest(non-authenticated)accounts.9. ProhibitthedisplayofthelastlogonuserIDonmulti-usersystems.Desktopandlaptopsystems

assignedtoaspecificuserareexemptfromthisrequirement.10. Lockanaccountautomaticallyifitisnotusedforapredefinedperiod.

Note:TheUniversity shouldstronglyconsider lockingaccounts thatgounused for90consecutivedays.

11. Disableunneededaccounts.Example:Rootaccountsthatarenotroutinelyusedshouldbedisabled.12. RetainunneededaccountsinadisabledstateinaccordancewiththeCommonwealthofVirginiaor

theUniversity’srecordsretentionpolicy.13. Associateaccesslevelswithgroupmembership,wherepractical,andrequirethateverysystemuser

accountbeamemberofatleastoneusergroup.14. Require that the SystemOwner and the System Administrator investigate unusual system access

activities.15. Require that System Administrators have both an administrative account and at least one user

account and require that administrators use their administrative accounts onlywhen performingtasksthatrequireadministrativeprivileges.

16. Prohibit the granting of local administrator rights to users without documented need. Localadministrative accounts are prohibited in areas subject to high risk or subject to additionalregulationsorstandards(PCI,HIPAA,etc.).

17. Require that at least two individuals have administrative accounts to each IT system, to providecontinuityofoperations.

ForallinternalITsystems


1. Requireadocumentedrequestandapprovalbytheuser’ssupervisorandbythesystem’sDataOwnerordesigneetoestablishauseraccountonanysensitiveITsystem.

2. RequireadocumentedrequestandapprovalbytheITsystemuser’ssupervisorandapprovalbytheSystemOwnerordesigneetoestablishanelevatedprivilegedaccountonanysensitiveITsystem.

3. CompleteanyUniversityrequiredbackgroundchecksbeforeestablishingaccounts,orassoonaspracticalthereafter.

4. Requiresecuredeliveryofaccesscredentialstotheuserbasedoninformationalreadyonfile.5. UniversitydepartmentsmustnotifyHumanResourcesandtheDivisionofInformationTechnology

(DoIT)inatimelymannerabouttermination,transferofemployeesandcontractorswithaccessrightstosensitiveITsystems,networksanddata.

6. Promptlyremoveaccesswhennolongerrequired.

ForallexternalITsystems

1. RequiresecuredeliveryofaccesscredentialstousersofallexternalITsystems.2. Requireconfirmationoftheuser’srequestforaccesscredentialsbasedoninformationalreadyonfile

priortodeliveryoftheaccesscredentialstousersofallsensitiveexternalITsystems.3. Requiredeliveryofaccesscredentials tousersofall sensitiveexternal ITsystemsbymeansofan

alternatechannel(e.g.,U.S.Mail).

Forallserviceandhardwareaccounts

1. DocumentaccountmanagementpracticesforallUniversitycreatedserviceaccounts, including,butnotlimitedtogranting,administeringandterminatingaccounts.

5.3PasswordManagement

5.3.1PurposePassword Management specifies requirements for password use, storage and transmission to protectUniversityITsystems,networksanddata.

5.3.2RequirementsTheUniversityshallorshallrequirethatitsserviceproviderimplementpasswordmanagementpractices.Ataminimum,thesepracticesshallincludethefollowingcomponents:

1. UsersareresponsibleforselectingauniquepasswordthatisdifferentfromanyotherRUornon-RUsystem.(Asanexample,usersmustnotusethesamepasswordforFacebookandBanner.)

2. Sharedaccountsthatareusedprimarilyfordepartmentalorclubactivitiesmaynotbeusedtoaccesssensitivesystemsorsensitivedata.

3. Requirepasswords,PINsorothermodesofprotection(e.g.patternunlockingorfingerprints)onmobiledevicessuchassmartphones,tabletsandlaptopsIfusingaPIN,itmusthaveaminimumof4digits.

4. Requirepasswordcomplexity:(a) Atleasteightcharactersinlength.(b) Passwordcannotcontaintheuser’sfirstname,lastname,oraccountusername.(c) Utilizeatleastthreeofthefollowingfourcharactersets:

i. Specialcharacters(.@?)ii. Uppercasealphabeticalcharacters(ABC)


iii. Lowercasealphabeticalcharacters(abc)iv. Numericalcharacters(123)

Note:Itisconsideredbestpracticenottobasepasswordsonasingledictionarywordandnottousewordswithnumbers(orspecialcharacters)appendedtotheend.Forexample,”Classof2014!”wouldbeanextremelyweakpassword.

5. Requirethatdefaultpasswordsbechangedimmediatelyafterinstallation.6. Prohibit the transmission of password data without the use of industry accepted encryption

standards.7. RequireITsystemuserstomaintainexclusivecontrolanduseoftheirpasswords,toprotectthem

frominadvertentdisclosuretoothers.8. RequireallsensitiveITsystemaccountstochangepasswordsatleastevery180days.9. RequirethatITsystemusersimmediatelychangetheirpasswordsandnotifytheISOiftheysuspect

theirpasswordshavebeencompromised.10. Configure all sensitive IT systems tomaintain at least the last 6 passwords used in the password

historyfilestopreventthereuseofthesameorsimilarpasswords.11. ProvideauniqueinitialpasswordforeachnewaccountofsensitiveITsystemsandrequirethatIT

systemuserschangetheinitialpasswordsissueduponfirstlogin.12. For sensitive IT systems, deliver the initial password to the IT system user in a secure and

confidentialmanner.13. Prohibit the storage of passwords in clear text and, use the strongest available hashing storage

solution to better withstand off-line attacks. The ISO should approve password hash storagesolutions.Example:InaMicrosoftWindowsActiveDirectorydomainthatnolongerhaslegacyclients,considerdisablingLanManhashingandrequireNTHashingforpasswordstorage.InanOpenLDAPdirectory,useSecureSHA1hashing(SSHA)ratherthansimpleSHA1hashingforpasswordstorage,etc.Note:SystemOwnersshouldconsultwiththeISOtodeterminethestrongesthashstoragesolutionfortheirsystems.

14. LimitaccesstofilescontainingpasswordstotheITsystemanditsadministrators,andlogsuchaccesstothesefiles.

15. Suppressthedisplayofpasswordsonthescreenastheyareentered.16. Implementascreensaverlockoutperiodafteramaximumof30minutesofinactivityforUniversity

owneddevicesinnon-academicareas.17. Requirepasswordstobesetondevicemanagementinterfacesforallnetworkdevices.18. Documentandstorehardwarepasswordssecurely.19. Implementprocedurestohandlelostorcompromisedpasswordsand/ortokens.20. In areas identified to be subject to specific regulations or other standards, set an account lockout

threshold of not greater than fifty (50) invalid attempts and the lockout duration for at least 15minutes.

21. Useraccounts thathavesystem-levelprivilegesgranted throughgroupmembershipsorprogramssuchas“sudo”musthaveauniquepasswordfromallotheraccountsheldbythatuser.

22. Where practical, sensitive systems should be configured to prevent a user from changing theirpasswordmorethanonceperday


5.4RemoteAccess

5.4.1PurposeRemoteAccessrequirementsidentifythestepsnecessarytoprovideforthesecureuseofremoteaccesstoresourcesusedbytheUniversity.

5.4.2Requirements

TheUniversityshallorshallrequirethatitsserviceprovider:

1. ProtectthesecurityofallremoteaccesstotheUniversity’ssensitiveITsystems,networksanddatabymeansofencryption,inamannerconsistentwithSection6.3.Note:Thisencryptionrequirementappliesbothtosessioninitiation(e.g.,identificationandauthentication)andtoallexchangescontainingsensitivedata.

2. ProtectthesecurityofremotefiletransferofsensitivedatatoandfromUniversityITsystemsbymeansofencryption,inamannerconsistentwithSection6.3.

3. Documentrequirementsforuseofremoteaccessandforremoteaccesstosensitivedata,basedonUniversitypolicies,standards,guidelines,andprocedures.

4. RequirethatITsystemusersobtainauthorizationandauniqueuserIDandpasswordpriortousingtheUniversity’sremoteaccesscapabilities.

5. Documentrequirementsforthephysicalandlogicalhardeningofremoteaccessdevices.6. Requiremaintenanceofauditablerecordsofallremoteaccess.7. Wheresupportedbyfeaturesofthesystem,sessiontimeoutsshallbeimplementedafteraperiodof

nolongerthan2hoursofinactivity,commensuratewithsensitivityandrisk.

6DATAPROTECTION

6.1PurposeData Protection requirements delineate the steps necessary to protect University data from improper orunauthorized disclosure. This component of the University Information Security Program definesrequirementsinthefollowingtwoareas:

1. DataStorageMediaProtection2. Encryption

6.2DataStorageMediaProtection

6.2.1PurposeData StorageMedia Protection requirements identify the steps necessary for the appropriate handling ofstoreddatatoprotectthedatafromcompromise.

6.2.2RequirementsThe University shall or shall require that its service provider implement Data Storage Media Protectionpractices.Ataminimum,thesepracticesmustincludethefollowingcomponents:

1. DefineprotectionofstoredsensitivedataastheresponsibilityoftheDataOwner.


2. Prohibitthestorageofsensitivedataonanynon-networkstoragedeviceormedia,exceptforbackupmedia,unlessthedataisencryptedandthereisawrittenexceptionapprovedbytheCIOacceptingidentifiedresidualrisks.Theexceptionshallincludethefollowingelements:(a) Thebusinessortechnicaljustification.(b) Thescope,includingquantificationandduration(nottoexceedoneyear).(c) Adescriptionofallassociatedrisks.(d) Identificationofcontrolstomitigatetherisks,oneofwhichmustbeencryption.(e) Identificationofanyresidualrisks.

Note:Non-networkstoragedeviceormedia,includesremovabledatastoragemediaandthefixeddiskdrivesofalldesktops,mobiledevicesandmobilestoragedevices.

3. Require logical and physical protection for all data storage media containing sensitive data,commensuratewithsensitivityandrisk.

4. Restrictthepickup,receipt,transfer,anddeliveryofalldatastoragemediacontainingsensitivedatatoauthorizedpersonnel.

5. Procedures must be implemented and documented to safeguard handling of all backup mediacontainingsensitivedata.Encryptionofbackupmediashallbeconsideredwherethedataissensitiveasrelatedtoconfidentiality.Whereencryptionisnotaviableoption,mitigatingcontrolsandproce-duresmustbeimplementedanddocumented.

6. Implementprocessestosanitizedatastoragemediapriortodisposalorreuse.

6.3Encryption

6.3.1PurposeEncryptionrequirementsprovideaframeworkforselectingandimplementingencryptioncontrolstoprotectsensitivedata.SeeDataBreachNotificationfornotificationrequirementsregardingabreachofunencryptedsensitivedata.

6.3.2RequirementsCommensuratewithsensitivityandrisk,theUniversityortheirserviceprovidershall:

1. Defineanddocumentpracticesforselectinganddeployingencryptiontechnologiesandfortheencryptionofdata.

2. Documentappropriateprocessesbeforeimplementingencryption.Theseprocessesmustincludethefollowingcomponents:(a) InstructionsintheSecurityIncidentResponsePlanonhowtorespondwhenencryptionkeysare

compromised.(b) Asecurekeymanagementsystemfortheadministrationanddistributionofencryptionkeys.(c) Requirementstogenerateallencryptionkeysthroughanapprovedencryptionpackageand

securelystorethekeysintheeventofkeylossduetounexpectedcircumstances.3. Requireencryptionforthetransmissionofdatathatissensitiverelativetoconfidentialityor

integrity.Digitalsignaturesmaybeutilizedfordatathatissensitivesolelyrelativetointegrity.


6.4ProtectionofSensitiveInformationonNon-ElectronicMedia

6.4.1PurposeThissectionoutlinesthebestpracticestepsthatshouldbetakentoprotectsensitiveUniversityinformationthatmaybestoredortransmittedonnon-electronicmediasuchas,thespokenword,paperdocuments,whiteorblackboards,photographs,etc.

6.4.2RecommendationsTheserecommendationsapplytonon-electronicmedia:

1. Whileinuse,limitaccessbasedonaneedtoknowbasisbyphysicallycontrollingaccess.Forexample,sensitivedocumentsprintedtoaglobalprintershouldberetrievedwithoutdelay.

2. Whilenotinuse,storeinasecurelocationwithappropriatephysicalcontrols.3. Whennolongerneeded,securelydestroyusingappropriatedestructionmethodssuchaserasing

whiteorblackboardsandshreddingpaperdocuments.

7FACILITIESSECURITY

7.1PurposeFacilitiesSecurityrequirementsidentifythestepsnecessarytosafeguardthephysicalfacilitiesthathouseITequipment,systems,services,networksandpersonnel.

7.2RequirementsThe University shall or shall require that its service provider document and implement facilities securitypractices.Ataminimum,thesepracticesmustincludethefollowingcomponents:

1. SafeguardITsystems,networksanddataresidinginbuildings,mobilefacilities,andportablefacilities.

2. Designsafeguards,commensuratewithrisk,toprotectagainsthuman,natural,andenvironmentalthreats.

3. Requireappropriateenvironmentalcontrolssuchaselectricpower,heating,firesuppression,humiditycontrol,ventilation,air-conditioningandairpurification,asrequiredbytheITsystems,networksand/ordata.

4. Protectagainstunauthorizedphysicalaccess.5. Controlphysicalaccesstoessentialcomputerhardware,wiring,displays,andnetworksbythe

principleofleastprivilegeinallnewinstallations.6. ProvideasystemofmonitoringandauditingphysicalaccesstosensitiveITsystems.7. RequirethattheISOordesigneeannuallyreviewthelistofpersonsallowedphysicalaccessto

sensitiveITsystems.8. Shouldunauthorizedphysicalaccessoccur,departmentsmustalerttheISOassoonaspractical.


8PERSONNELSECURITY

8.1PurposePersonnelSecurityrequirementsdelineatethestepsnecessarytorestrictaccesstoITsystems,networksanddata to those individuals who require such access as part of their job duties and responsibilities. ThiscomponentoftheUniversityInformationSecurityProgramdefinesrequirementsinthefollowingareas:

1. AccessDeterminationandControl2. InformationSecurityAwarenessandTraining3. AcceptableUse4. EmailCommunications

8.2AccessDeterminationandControl

8.2.1PurposeAccessDeterminationandControlrequirementsidentifythestepsnecessarytorestrictaccesstoITsystems,networksanddatatoauthorizedindividuals.

8.2.2RequirementsTheUniversityshallorshallrequirethatitsserviceproviderdocumentandimplementaccessdeterminationand control practices for all sensitive University IT systems and all third-party IT systems with whichsensitive University IT systems interconnect. At a minimum, these practices shall include the followingcomponents:

1. PerformbackgroundinvestigationsofallinternalITSystemusersinaccordancewithUniversityHRbackgroundcheckpolicy.Existingusersmaybegrandfatheredunderthepolicyandmaynotberequiredtohavebackgroundinvestigations.

2. RestrictvisitoraccessfromfacilityareasthathousesensitiveITsystems,networksordata.3. Requirenon-disclosureandsecurityagreementsforaccesstoITsystems,networksanddata.4. Removephysicalandlogicalaccessrightsuponpersonneltransferortermination,orwhen

requirementsforaccessnolongerexist.5. Establishterminationandtransferpracticesthatrequirereturnoflogicalandphysicalassetsthat

provideaccesstosensitiveITsystems,networksanddataandthefacilitiesthathousethem.6. Temporarilydisablephysicalandlogicalaccessrightswhenpersonneldonotneedsuchaccessfora

prolongedperiodinexcessof30daysbecausetheyarenotworkingduetoleave,disabilityorotherauthorizedpurpose,basedonrequestsfromdepartments.

7. Disablephysicalandlogicalaccessrightsuponsuspensionofpersonnelforgreaterthan1dayfordisciplinarypurposes,basedonrequestsfromdepartments.

8. EstablishseparationofdutiesinordertoprotectsensitiveITsystems,networksanddata,orestablishcompensatingcontrolswhenconstraintsorlimitationsoftheUniversityprohibitacompleteseparationofduties.Example:Suchcompensatingcontrolsmayincludeincreasedsupervisoryreview;reducedspanofcontrol;rotationofassignments;independentreview,monitoring,and/orauditing;andtimedandspecificaccessauthorizationwithauditreview,amongothers.

9. ExplicitlygrantphysicalandlogicalaccesstosensitiveITsystems,networksanddataandthefacilitiesthathousethembasedontheprincipleofleastprivilege.


8.3InformationSecurityAwarenessandTraining

8.3.1PurposeSecurityAwarenessandTrainingrequirementsidentifythestepsnecessarytoprovideITsystemmanagers,administrators,anduserswith awareness of system security requirements and of their responsibilities toprotectITsystems,networksanddata.

8.3.2Requirements

TheUniversityISOshall:

1. IncludeanyUniversityspecificinformationsecuritytrainingrequirementsintheUniversityinformationsecurityawarenessandtrainingprogram.Example:AUniversitydepartmentthatprocessesdatacoveredbytheHealthInsurancePortabilityandAccountabilityAct(HIPAA)orthePaymentCardIndustryDataSecurityStandard(PCI-DSS)musthaveaninformationsecurityawarenesstrainingprogramthataddressesspecificdatasecurityrequirements.

2. RequirethatallemployeesandcontractorsreceiveinformationsecurityawarenesstrainingduringtheUniversity’strainingcycle.

3. Requireadditionalrole-basedinformationsecuritytrainingcommensuratewiththelevelofexpertiserequiredforthoseemployeesandcontractorswhomanage,administer,operate,anddesignITsystems,aspracticableandnecessary.Example:TheUniversityemployeesandcontractorswhoaremembersoftheDisasterRecoveryTeamorSecurityIncidentResponseTeamrequirespecializedtrainingintheseduties.

4. Monitorandtrackcompletionofinformationsecuritytraining.5. Requireinformationsecuritytrainingbefore(orassoonaspracticableafter)ITsystemusersreceive

accessrightstotheUniversity’ssensitiveITsystems,andinordertomaintaintheseaccessrights.6. Developaninformationsecuritytrainingprogramthatcoverssuchtopicsas,butnotlimitedto:

(a) TheUniversity’spolicyforprotectingITsystems,networksanddata,withaparticularemphasisonsensitiveITsystems,networksanddata

(b) Theconceptofseparationofduties(c) Preventionanddetectionofinformationsecurityincidents,includingthosecausedbymalicious

code(d) Properuseofdatastoragemedia(e) Properuseofencryption(f) Accesscontrols,includingcreatingandchangingpasswordsandtheneedtokeepthem

confidential(g) Acceptableusepolicies(h) ResponsibilityforthesecurityofUniversitydata(i) Phishing(j) Socialengineering

7. RequiredocumentationofITsystemusers’acceptanceoftheUniversity’ssecuritypoliciesafterreceivinginformationsecuritytraining.


8.4AcceptableUse

8.4.1PurposeAcceptable Use requirements identify the steps necessary to define acceptable and permitted use ofUniversityITsystems,networksanddata.


1. Documentanacceptableusepolicy.2. Directtheproperuseofencryptionfortransmittingsensitivedata.3. DirecttheuseofanauthorizedUniversitywarningbannertocommunicatethatITsystemsandtheir

usemaybemonitoredandviewedbyauthorizedpersonnel;andthereisnoexpectationofprivacywhenusingaUniversityownedsystemornetwork.

4. RequireacknowledgmentthatmonitoringofITsystems,networksanddatamayinclude,butwillnotbe limited to, network traffic; application and data access; keystrokes (only when required forsecurity investigations and approved in writing by the University President or CIO); and usercommands;emailandInternetusage;andmessageanddatacontent.

5. Prohibitusersfrom:(a) Installingorusingproprietaryencryptionhardware/softwareonUniversitysystems(b) TamperingwithsecuritycontrolsconfiguredonUniversityownedsystems(c) Installingunauthorized,personalsoftwareonUniversityownedsystems(d) Addingsystemhardwareto,removingsystemhardwarefrom,ormodifyingsystemhardwareon

aUniversityownedsystem6. Prohibittheunauthorizedstorage,useortransmissionofcopyrightedandlicensedmaterialson

Universitysystemsandnetworks.7. WhenconnectedtosensitiveinternalUniversitynetworks,datatransmissionshallbeencrypted.8. RequiredocumentationofITsystemusers’acceptanceoftheUniversity’sAcceptableUsePolicy

before,orassoonaspracticalafter,gainingaccesstoUniversityITsystems.

8.5EmailCommunications

8.5.1PurposeEmail shall not be used to send sensitive data unless said data is encrypted. As stated in the Encryptionsection of this Standard, encryption is required for the transmission of data that is sensitive relative toconfidentialityandintegrity.

Anemaildisclaimerisasetofstatementsthatareeitherpre-pendedorappendedtoemails.Thesestatementsarefrequentlyusedtocreateawarenessofhowtotreatthedataintheemail.Anemaildisclaimerisnotasubstituteforjudgmentonwhatcontenttoputintoanemail.


1. Requireapprovedencryptiontechnologiesforthetransmissionofemailandattacheddatathatis


classifiedassensitive.DigitalsignaturesmaybeutilizedfordatathatissensitivesolelyrelativetointegrityasstatedintheencryptioncomponentofthisStandard.Note:ApprovedencryptiontechnologiesforemailareOpenPGPorS/MIMEbasedencryption.

2. ConsultwithDoITbeforeadoptinganemaildisclaimer.EmailssentfromUniversitysystemsarepublicrecordsoftheCommonwealthofVirginiaandmustbemanagedassuch.

9THREATMANAGEMENT

9.1PurposeThreatManagementdelineatesthestepsnecessarytoprotectITsystems,networksanddatabypreparingfor and responding to information security incidents. This component area of the Standard definesrequirementsforthefollowing:

1. ThreatDetection2. InformationSecurityMonitoringandLogging3. InformationSecurityIncidentHandling4. DataBreachNotification

9.2ThreatDetection

9.2.1PurposeThreatDetectionrequirementsidentifythepracticesforimplementingintrusiondetectionandprevention.

9.2.2RequirementsTheUniversityshallorshallrequirethatitsserviceproviderimplementthreatdetectionpracticesthatataminimumincludethefollowing:

1. DesignateanindividualresponsiblefortheUniversity’sthreatdetectionprogram,includingplanning,development,acquisition,implementation,testing,training,andmaintenance.Unlessotherwisespecified,theISOassumesthisdesignation.

2. ImplementanIntrusionDetectionSystem(IDS).3. ConductIDSlogreviewstodetectnewattackpatternsasquicklyaspossible.4. DevelopandimplementrequiredmitigationmeasuresbasedontheresultsofIDSlogreviews.5. Maintainregularcommunicationwithsecurityresearchandcoordinationorganizations,suchasUS

CERT,REN-ISAC,etc.toobtaininformationaboutnewattacktypes,vulnerabilities,andmitigationmeasures.

9.3InformationSecurityMonitoringandLogging

9.3.1PurposeInformation Security Monitoring and Logging requirements identify the steps necessary to monitor andrecordITsystemactivity.


9.3.2RequirementsTheUniversity shall, or shall require that its service provider, implement information securitymonitoringandloggingpracticesthatincludethefollowingcomponents,ataminimum:

1. Designateindividualsresponsibleforthedevelopmentandimplementationofinformationsecurityloggingcapabilities.

2. Developproceduresforreviewingandadministeringthelogs.3. EnableloggingonallsensitiveITsystems.Ataminimum,logswillinclude:

(a) Theevent.(b) TheuserIDassociatedwiththeevent.(c) Thedateandtimetheeventoccurred.

4. MonitorITsystemlogs,correlateinformationwithotherautomatedtools,identifysuspiciousactivities,andprovidealertnotificationsincompliancewithIT-PO-5200,LogReviewandStoragePolicy.

5. DocumentstandardsthatspecifythetypeofactionsanITsystemadministratorshouldtakewhenasuspiciousorapparentmaliciousactivityistakingplace.Example: Possible actions include stopping the event, shutting down the IT system, and alertingappropriatestaff.Note:Multipleactionsmaybewarrantedandadvisable,basedonsensitivityandrisk.

6. Prohibittheinstallationoruseofunauthorizedmonitoringdevices.7. Prohibit the use of keystroke logging, except when required for security investigations and/or

academicinstruction/researchpurposes.Note:Forinvestigativepurposes,theISOhastheresponsibilitytoauthorizemonitoringorscanningactivitiesfor network traffic; application and information access; user commands; email and Internet usage; andmessageandinformationcontentforITsystems,networksanddata.

9.4InformationSecurityIncidentHandling

9.4.1PurposeInformationSecurityIncidentHandlingrequirementsidentifythestepsnecessarytorespondtosuspectedorknownbreachestoinformationsecuritysafeguards.

9.4.2RequirementsTheUniversity shalldocument informationsecurity incidenthandlingpracticesandwhereappropriate theUniversityshallincorporateitsserviceprovider’sproceduresforincidenthandlingpracticesthatincludethefollowing,ataminimum:

1. DesignateaComputerSecurityIncidentResponseTeam(CSIRT)thatincludespersonnelwithappropriateexpertiseforrespondingtoattacks.

2. Identifycontrolstodeteranddefendagainstattackstobestminimizelossortheftofinformationanddisruptionofservices.

3. Implementproactivemeasurestodefendagainstnewformsofattacksandzero-dayexploits.4. Establishinformationsecurityincidentcategorizationandprioritizationbasedontheimmediateand

potentialadverseeffectoftheinformationsecurityincidentandthesensitivityofaffectedITsystems,networksanddata.

5. Identifyimmediatemitigationprocedures,includingspecificinstructions,basedoninformation


securityincidentcategorizationlevel,onwhetherornottoshutdownordisconnectaffectedITsystems.

6. EstablishaprocessforreportinginformationsecurityincidentstotheISO.AllUniversitydepartmentsmustreportinformationsecurityincidentstotheISO.

7. EstablishrequirementsforinternalUniversityinformationsecurityincidentrecordingandreportingrequirements,includingatemplatefortheincidentreport.

8. Establishproceduresforinformationsecurityincidentinvestigation,preservationofevidence,andforensicanalysis.

Note: The ISO, in conjunction with the CIO or other Administration authorities as necessitated bycircumstances,mayauthorizetheconfiscationandremovalofanyUniversityownedITresourcesuspectedtobetheobjectofinappropriateuseorviolationoflaws,regulations,policiesorstandardsinordertopreserveevidence.

9.5DataBreachNotification

9.5.1PurposeTospecifythenotificationrequirementsforunauthorizedreleaseofunencryptedsensitiveinformation.

9.5.2RequirementsShouldadatabreachoccur,theUniversityshall:

1. Comply with Commonwealth of Virginia data breach notification laws (and any other applicablelaws)inconsultationwithlegalcounselasnecessary.

10ITASSETMANAGEMENT

10.1PurposeITAssetManagementdelineatesthestepsnecessarytoprotectITsystems,networksanddatabymanagingthe IT assets themselves in a planned, organized, and secure fashion. This component area definesrequirementsforthefollowing:

1. ITAssetControl2. SoftwareLicenseManagement3. ConfigurationManagementandChangeControl

10.2ITAssetControl

10.2.1PurposeITAssetControlrequirementsidentifythestepsnecessarytocontrolandcollectinformationaboutITassets.

10.2.2RequirementsCommensurate with sensitivity and risk, the University shall or shall require that its service providerimplementinventorymanagementpracticesthataddressthefollowingcomponents,ataminimum:


1. AssociateaprimarycustodiantoeachITasset.2. TrackITassettransfersinatimelyandaccuratemanner.3. Identifytheprimarylocation(s)ofeachITasset.4. Requirethatdigitalmediabesanitizedpriortodisposal.Thisprocessmustoccurinaccordancewith

theDataStorageandMediaProtectionPolicy5102.5. RequirecreationandannualreviewofalistofUniversityhardwareandsoftwareassets.

10.3SoftwareLicenseManagement

10.3.1PurposeSoftwareLicenseManagementrequirementsidentifythestepsnecessarytoprotectagainstuseofcomputersoftwareinviolationofapplicablelawsandcontracts.

10.3.2RequirementsThe University shall or shall require that its service provider document and implement software licensemanagementpracticesthataddressthefollowingcomponents:

1. Assessannuallywhetherallsoftwareisusedinaccordancewithlicenseagreements.

10.4ConfigurationManagementandChangeControl

10.4.1PurposeConfigurationManagementandChangeControlrequirementsidentifythestepsnecessarytodocumentandmonitortheconfigurationofITsystems,andtocontrolchangestotheseitemsduringtheirlifecycles.Whilethe full extentofConfigurationManagementandChangeControl isbeyond thescopeof thisStandard, theUniversitywillestablishandmaintainachangecontrolprocess.

10.4.2RequirementsThe University shall, or shall require that its service provider, document and implement configurationmanagementandchangecontrolpracticessothatchangestotheITenvironmentdonotcompromiseexistingsecuritycontrols.


11GLOSSARYAccess:Theabilitytouse,modifyoraffectaninformationsystemortogainphysicalentrytoanareaorlocation. AccessControls:Asetofsecurityproceduresthatmonitoraccessandeitheralloworprohibitusersfromaccessinginformationsystems,networksanddata. Alert:Notificationthataneventhasoccurredormayoccur. Application:Anexecutablecomputerprogram. ApplicationSystem:Aninterconnectedsetofinformationresourcesunderthesamedirectmanagementcontrol. Asset:Anysoftware,data,hardware,administrative,physical,communications,orpersonnelresource. Assurance:Measureofconfidence. Attack:Anattempttobypasssecuritycontrols,disruptservicesand/orgainunauthorizedaccesstosystems,networksand/ordata. Audit:Anindependentreviewandexaminationofrecordsandactivitiestotestforadequacyofcontrols,measurecompliancewithestablishedpoliciesandoperationalprocedures,andrecommendchanges. Authentication:Theprocessofverifyingtheidentityofausertodeterminetheiraccessrights. Authorization:Theprocessofgrantingaccessafterproperidentificationandauthenticationhasoccurred. Availability:Theextenttowhichaninformationassetisavailableandaccessibleforauthorizeduse. Backup:Theprocessofproducingareservecopyofsoftwareorelectronicfilesasaprecautionincasetheprimarycopyisunavailable. BaselineSecurityConfiguration:TheminimumsetofsecuritycontrolsthatmustbeimplementedonallUniversityinformationsystemstoincludevendorprovidedsystemsandhostedsystems. BroadcastDomain:Abroadcastdomainisalogicalpartofanetwork(anetworksegment)inwhichanynetworkequipmentcantransmitdatadirectlytoanotherequipmentordevicewithoutgoingthrougharoutingdevice(assumingthedevicessharethesamesubnetandusethesamegateway).BusinessEssential:systemsdefinedassupportingessentialbusinessfunctionsintheBusinessImpactAnalysis(BIA).BusinessFunction:Acollectionofrelatedstructuralactivitiesthatproducesomethingofvaluetotheorganization,itsstakeholdersoritscustomers.BusinessImpactAnalysis(BIA):Theprocessofdeterminingthepotentialconsequencesofadisruptionordegradationofbusinessfunctions. ChangeControl:Amanagementprocesstoprovidecontrolandtraceabilityforallchangesmadetoasystem. ChiefInformationOfficeroftheUniversity(CIO):TheCIOoverseestheoperationoftheDivisionofInformationTechnology(DoIT)and,underthedirectionandcontroloftheUniversityPresident,exercisesthepowersandperformsthedutiesconferredorimposedandperformssuchotherdutiesasmayberequiredbytheUniversityPresident. CommonwealthofVirginia:ThegovernmentoftheCommonwealthofVirginia,anditsagenciesanddepartments. ComputerSecurityIncidentResponseTeam(CSIRT):AgroupwithintheUniversityconstitutedtomonitorandrespondtoinformationsecuritythreats. Confidentiality:Theextenttowhichinformationdatamustbeprotectedagainstunauthorizeddisclosure. ConfigurationManagement:Aprocessforauthorizingandtrackingallchangestoaninformationsystemduringitslifecycle. ContinuityofOperationsPlan(COOP):Asetofdocumentedplansdevelopedtoprovideforthecontinuanceof


essentialbusinessfunctionsduringanemergency. ContinuityofOperationsPlanning:Theprocessofdevelopingplansandprocedurestocontinuetheperformanceofessentialbusinessfunctionsintheeventofabusinessinterruptionorthreatofinterruption. Control:Anyprotectiveaction,device,procedure,techniqueorothermeasurethatreducesexposures.Typesofcontrolsincludepreventative,detective,corrective,etc. ControlObjectivesforInformationandrelatedTechnology(COBIT):AframeworkofbestpracticesforITmanagementthatprovidesmanagers,auditors,andITuserswithasetofgenerallyacceptedmeasures,indicators,processesandbestpracticestoassisttheminmaximizingthebenefitsderivedthroughtheuseofinformationtechnologyanddevelopingappropriateITgovernanceandcontrol.Countermeasure:Anaction,device,procedure,technique,orothermeasurethatreducesvulnerabilityortheimpactofathreattoaninformationsystem. Credential:Informationusedtoestablishaccessrights.Anexampleisapassword. Cryptography:Theprocessoftransformingplaintextintociphertext(encryption),andciphertextintoplaintext(decryption). Data:Anarrangementofnumbers,characters,and/orimagesthatrepresentconceptssymbolically. Database:Acollectionoflogicallyrelateddata(andadescriptionofthisdata),designedtomeettheinformationneedsofanorganization. DataBreach:Theunauthorizedaccessandacquisitionofun-redactedcomputerizeddatathatcompromisesthesecurityorconfidentialityofpersonalinformation. DataClassification:Theprocessofcategorizingdatabasedonconfidentiality,integrityandavailability. DataCustodian:AnindividualororganizationinphysicalorlogicalpossessionofdataforDataOwners.DataCustodiansareresponsibleforprotectingthedataintheirpossessionfromunauthorizedaccess,alteration,destruction,orusageandforprovidingandadministeringgeneralcontrols,suchasback-upandrecoverysystems. DataOwner:AUniversityManager,designatedbytheInformationSecurityOfficer,whoisresponsibleforthepolicyandpracticedecisionsregardingdata.Dataownersapprove(ordeny)accesstoUniversitydata. DataSecurity:Practices,technologies,and/orservicesusedtoapplysecurityappropriatelytodata. DataStorageMedia:Adeviceusedtostoredata.Examplesofdatastoragemediaincludefixeddisks,CDROMs,andUSBflashdrives.Seemedia. Decryption:Transformciphertextintohumanormachine-readabletext. DigitalCertificate:Anelectronicdocumentattachedtoorassociatedwithafilethatcertifiesthefileisfromtheorganizationitclaimstobefromandhasnotbeenmodified. DisasterRecoveryPlan(DRP):AsetofdocumentedplansthatidentifythestepstorestoreessentialbusinessfunctionsonaschedulethatsupportstheUniversity’smissionrequirements. ElectronicInformation:Anyinformationstoredinaformatthatenablesittoberead,processed,manipulated,ortransmittedbyaninformationsystem. Encryption:Transforminghumanormachine-readabletext(oftencalledplaintext)intociphertext. EssentialBusinessFunction:AbusinessfunctionisessentialifdisruptionordegradationofthefunctionpreventstheUniversityfromperformingitsmissionasdescribedintheUniversity’smissionstatement. Evaluation:Proceduresusedintheanalysisofsecuritymechanismstodeterminetheireffectivenessandtosupportorrefutespecificsystemweaknesses. ExternalITSystem:Aninformationsystemdesignedandintendedforusebyexternalpartiesand/orbythepublic. Firewall:Traffic-controllinggatewaythatcontrolsaccess,traffic,andservicesbetweentwonetworksornetworksegments,onetrustedandtheotheruntrusted. FullTunneling:Allnetworktrafficgoesthroughthetunneltotheorganization.TheUniversity’sVPNisanexampleofafulltunnelingtechnology.


Function:Apurpose,process,orrole. FuzzTesting:Thisisasoftwaretestingtechniquethatprovidesrandomdata(”fuzz”)totheinputsofaprogram.Iftheprogramfails(forexample,bycrashing,orbyfailingbuilt-incodeassertions),thedefectscanbenotedandperhapsfurtherexploited(bysecurityresearchersorcrackers)togainelevatedaccesstoITsystems,networksordata. Group:Anamedcollectionofinformationsystemusers;createdforconveniencewhenstatingauthorizationpolicy. GuestAccount:Adefaultsetofpermissionsandprivilegesgiventononregisteredusersofasystemorservice. Harden:Theprocessofimplementingsoftware,hardware,orphysicalsecuritycontrolstomitigateriskassociatedwithUniversityinfrastructureand/orsensitiveinformationsystems,networksanddata. HealthInsurancePortabilityandAccountabilityAct(HIPAA):Enactedin1996tohelpprotecthealthinsurancecoverageforworkersandtheirfamilieswhenemployeeschangeorlosetheirjobs.ProvisionsofHIPAAalsoaddressthesecurityandprivacyofhealthandpatientdata. HighAvailability:Arequirementthattheinformationsystemiscontinuouslyavailable,hasalowthresholdfordowntime,orboth. HighlySensitiveData:Universitydatawhich,becauseofitsassociatedlegalrestrictionsorpotentialsecurityramifications,isapprovedforuseonlyonaverylimitedbasisandonlywithspecialsecurityprecautions.Afewexamplesofhighlysensitivedataaresocialsecuritynumbers,financialcardnumbersandpassportinformation. Identification:TheprocessofassociatingauserwithauniqueuserIDorloginID. Information:Dataorganizedinamannertoenabletheirinterpretation. InformationSecurityBreach:Theviolationofanexplicitorimpliedsecuritypolicythatcompromisestheintegrity,availability,orconfidentialityofaninformationsystem,networkordata. InformationSecurityControls:TheprotectionmechanismsprescribedtomeetthesecurityrequirementsspecifiedforanITsystem. InformationSecurityIncident:Anadverseeventorsituation,whetherintentionaloraccidental,thatposesathreattotheintegrity,availability,orconfidentialityofanITsystem. InformationSecurityLogging:Chronologicalrecordingofsystemactivitiessufficienttoenablethereconstruction,review,andexaminationofthesequenceofeventsandactivitiessurroundingorleadingtoanoperation,aprocedure,oraneventinatransactionfromitsinceptiontoitsfinalresults. InformationSecurityOfficer(ISO):TheindividualdesignatedbytheCIOtoberesponsibleforthedevelopment,implementation,oversight,andmaintenanceoftheUniversity’sinformationsecurityprogram. InformationSecurity(IS)Policy:Astatementoftheinformationsecurityobjectivesofanorganization,andwhatemployees,contractors,vendors,businesspartners,andthirdpartiesoftheUniversitymustdotoachievetheseobjectives. InformationSecurityProgram:Acollectionofsecurityprocesses,standards,rules,andproceduresthatrepresentstheimplementationofanorganization’ssecuritypolicy. InformationSecurityRequirements:Thetypesandlevelsofprotectionnecessarytoadequatelysecureasystem,networkordata. InformationSecuritySafeguards:SeeInformationSecurityControls. InformationSecurityStandards:Detailedstatementsofhowemployees,contractors,vendors,businesspartners,andthirdpartiesoftheUniversitymustcomplywithitsinformationsecuritypolicy. InformationTechnology:Telecommunications,automateddataprocessing,databases,theInternet,managementinformationsystems,andrelatedinformation,equipment,goods,andservices. InformationTechnologyContingencyPlanning:ThecomponentofContinuityofOperationsPlanningthatpreparesforcontinuityand/orrecoveryoftheUniversity’sITsystems,networksanddatathatsupportitses-sentialbusinessfunctionsintheeventofabusinessinterruptionorthreatofinterruption.InformationTechnologyInfrastructureLibrary(ITIL):Aframeworkofbestpracticeprocessesdesignedtofacilitatethedeliveryofhighqualityinformationtechnologyservices.


InformationTechnologySecurity:TheprotectionaffordedtoITsystems,networksanddatainordertopreservetheiravailability,integrity,andconfidentiality. InformationTechnologySecurityArchitecture:Thelogicalandphysicalsecurityinfrastructuremadeupofproducts,functions,locations,resources,protocols,formats,operationalsequences,administrativeandtechnicalsecuritycontrols,etc.,designedtoprovidetheappropriatelevelofprotectionforITsystems,networksanddata. InformationTechnologySecurityAudit:TheexaminationandassessmentoftheadequacyofITsystemcontrolsandcompliancewithestablishedinformationsecuritypolicyandprocedures. InformationTechnologySecurityAuditor:UniversityInternalAuditors,theAuditorofPublicAccounts,oraprivatefirmthat,inthejudgmentoftheUniversity,hastheexperienceandexpertiserequiredtoperformITsecurityaudits. InformationTechnologySystem:AninterconnectedsetofITresourcesunderthesamedirectmanagementcontrol.SeeApplicationSystemandSupportSystem. InformationTechnologySystemSensitivity:SeeSensitivity. InformationTechnologySystemUsers:AsusedinthisStandard,atermthatincludesUniversityemployees,contractors,vendors,third-partyproviders,andanyotherauthorizedusersofITsystems,applications,telecommunicationnetworks,data,andrelatedresources. Integrity:Theextenttowhichinformationdataorinformationsystemsmustbeprotectedfromintentionaloraccidentalunauthorizedmodification. InternalITSystem:AnITsystemdesignedandintendedforuseonlybyUniversityemployees,contractors,andbusinesspartners.SeeInformationTechnologySystemandExternalITSystem. InternalITSystemUser:AUniversityemployeewhousesanITsysteminanycapacitytoperformjobduties. InternalNetwork:AninternalnetworkisaprivatecomputernetworkusedtosecurelyshareanypartoftheUniversity’sinformationoroperationalsystemswithitsemployees. Internet:AnexternalworldwidepublicdatanetworkusingInternetprotocolstowhichtheUniversitycanestablishconnections. Intranet:Atrustedmulti-function(data,voice,video,image,facsimile,etc.)privatedigitalnetworkusingInternetprotocols,whichcanbedeveloped,operatedandmaintainedfortheconductofUniversitybusiness,research,education,etc. IntrusionDetection:Amethodofmonitoringtrafficonthenetworktodetectbreak-insorbreak-inattempts,eithermanuallyorviasoftwaresystems. IntrusionDetectionSystems(IDS):Softwarethatdetectsanattackonanetworkorcomputersystem.ANetworkIDS(NIDS)isdesignedtosupportmultiplehosts,whereasaHostIDS(HIDS)issetuptodetectillegalactionswithinthehost.MostIDSprogramstypicallyusesignaturestosignalanalert.Otherslookfordeviationsofthenormalroutineasindicationsofanattackandaresometimescalledanomalydetectionsystems. ISO/IEC:AseriesofITsecuritystandardspublishedbytheInternationalOrganizationforStandardization(ISO)andtheInternationalElectrotechnicalCommission(IEC),providingbestpracticerecommendationsonITsecuritymanagementforusebythosewhoareresponsibleforinitiating,implementingormaintaininginformationsecuritymanagementsystems. ITSupportServices:ITsupportservicesisarangeofservicesprovidingassistancewithtechnologyproductssuchasmobilephones,computers,orotherelectronicormechanicalgoods.Ingeneral,technicalsupportservicesattempttohelptheusersolvespecificproblemswithaproductratherthanprovidingtraining,customization,orothersupportservices. Key:Asequenceofdatausedincryptographytoencryptordecryptdata.Apasswordorpassphraseisanexampleofasymmetrickey.Withsymmetrickeys,theexactsamekeyencryptsanddecryptsthedata.Withasymmetrickeys,onekeyencryptsthedatawhileaseparate,differentkeydecryptsit. LeastPrivilege:Theminimumlevelofdata,functions,andcapabilitiesnecessarytoperformauser’sduties. LogonID:Anidentificationcodeassignedtoaparticularuserthatidentifiestheusertotheinformationsystem.


MaliciousCode:Harmfulcode(suchasvirusesandworms)introducedintoaprogramorfileforthepurposeofcontaminating,stealing,damaging,ordestroyinginformationsystemsand/ordata.Maliciouscodeincludesviruses,Trojanhorses,trapdoors,worms,spy-ware,andcounterfeitcomputerinstructions(executables).MaliciousSoftware:SeeMaliciousCode. ManagementControl:Asetofmechanismsdesignedtomanageandachievedesiredobjectives. Media:Pluralofmedium. MediaSanitization:Ageneraltermreferringtotheactionstakentorenderdatawrittenonmediaunrecoverablebybothordinaryandextraordinarymeans. Medium:Materialonwhichdataareormayberecorded,suchaspaper,punchedcards,magnetictape,magneticdisks,solidstatedevices,oropticaldiscs. MinimumSystemConfiguration:SeeBaselineSecurityConfiguration.MobileDevices:Anycomputingdevicethatcanbeeasilytransportedandthathasthecapabilitytoprocessandtransmitdata,includingbutnotlimitedtolaptops,smartphones,tablets,andhandheldPCs. MobileStorageDevices:AnytransportablestoragedevicethatcanbeusedtostoredataincludingbutnotlimitedtoportableharddrivesandUSBflashdrives. Monitoring:Listening,viewing,orrecordingdigitaltransmissions,electromagneticradiation,sound,andvisualsignals. NIST:NationalInstituteofStandardsandTechnology. Non-SensitiveSystem:Systemsnotclassifiedassensitive.Thereisnoconcernwhatsoeverforsystemordataintegrity,confidentialityoravailability. Off-siteStorage:Theprocessofstoringvitalrecordsinafacilitythatisphysicallyremotefromtheprimarysite.Toqualifyasoff-site,thefacilityshouldbegeographically,separatelyanddistinctfromtheprimarysiteandofferenvironmentalandphysicalaccessprotection. OperationalControls:Informationsecuritymeasuresimplementedthroughprocessesandprocedures.Password:Auniquestringofcharactersthat,inconjunctionwithalogonID,authenticatesauser’sidentity. PenetrationTesting:Apenetrationtestisamethodofevaluatingthesecurityofacomputersystemornetwork. PersonalDigitalAssistant(PDA):Adigitaldevice,whichcanincludethefunctionalityofacomputer,acellulartelephone,amusicplayerandacamera.Alsocalledasmartphone. PersonalIdentificationNumber(PIN):Ashortsequenceofdigitsusedasapassword.PersonalInformation(PI):Allinformationthatdescribes,locatesorindexesanythingaboutanindividualincludinghisrealorpersonalpropertyholdingsderivedfromtaxreturns,andhiseducation,financialtransactions,medicalhistory,ancestry,religion,politicalideology,criminaloremploymentrecord,orthataffordsabasisforinferringpersonalcharacteristics,suchasfingerandvoiceprints,photographs,orthingsdonebyortosuchindividual;andtherecordofhispresence,registration,ormembershipinanorganizationoractivity,oradmissiontoaninstitution.”Personalinformation”shallnotincluderoutineinformationmaintainedforthepurposeofinternalofficeadministrationwhoseusecouldnotbesuchastoaffectadverselyanydatasubjectnordoesthetermincluderealestateassessmentinformation.CodeofVirginia2.2-3801. Personnel:AllUniversityemployees,contractors,andsubcontractors,bothpermanentandtemporary. Phishing:Aformofcriminalactivitycharacterizedbyattemptstoacquiresensitiveinformationfraudulently,suchaspasswordsandcreditcarddetails,bymasqueradingasatrustworthypersonorbusinessinanapparentlyofficialelectroniccommunication. Privacy:Therightsanddesiresofanindividualtolimitthedisclosureofindividualinformationtoothers. PrivacyOfficer:Theprivacyofficer,ifrequiredbystatute(suchasHIPAA)providesguidanceontherequirementsofstateandfederalPrivacylaws;disclosureofandaccesstosensitivedata;andsecurityandprotectionrequirementsinconjunctionwiththeinformationsystemwhenthereissomeoverlapamongsensitivity,disclosure,privacy,andsecurityissues.


ProtectedData:Universitydataindividuallyrequestedandapprovedbyadataownerforaspecificbusinessuseandwhichissubjecttothegeneralprovisionsassociatedwithuniversityinformationsecuritypolicyandmaybesubjecttostateand/orfederallaw.OneexampleofprotecteddatawouldbeFERPAprotecteddata.PublicData:Universitydatawhichcanbesharedwithoutrestrictionwiththegeneralpublic(e.g.universitycourselistings,publicityandnewsarticles,directorylistings,etc.) PublicWebSite:ApublicwebsiteisthemostvisibleandreadilyaccessibletotheaverageWebuser.AsiteontheWebthatisaccessiblebyanyonewithaWebbrowserandaccesstotheInternet. Recovery:Activitiesbeyondtheinitialcrisisperiodofanemergencyordisasterthataredesignedtoreturninformationsystemsand/ordatatonormaloperatingstatus. RecoveryPointObjective(RPO):Themeasurementofthepointintimetowhichdatamustberestoredinordertoresumeprocessingtransactions.Directlyrelatedtotheamountofdatathatcanbelostbetweenthepointofrecoveryandthetimeofthelastdatabackup. RecoveryTimeObjective(RTO):Theperiodoftimeinwhichsystems,applicationsorfunctionsmustberecoveredafteranoutage. ResidualRisk:Theportionofriskthatremainsaftersecuritymeasureshavebeenapplied. Restoration:Activitiesdesignedtoreturndamagedfacilities,equipment,systemsandnetworkstoanoperationalstatus. Risk:Thepotentialthataneventmaycauseamaterialnegativeimpacttoanasset.RiskAnalysis:Asystematicprocesstoidentifyandquantifyriskstoinformationsystems,networksanddataandtodeterminetheprobabilityoftheoccurrenceofthoserisks. RiskManagement:Identificationandimplementationofinformationsecuritycontrolsinordertoreduceriskstoanacceptablelevel. RiskAssessment(RA):Theprocessofidentifyingandevaluatingriskssoastoassesstheirpotentialimpact. RiskMitigation:Thecontinuousprocessofminimizingriskbyapplyingsecuritymeasurescommensuratewithsensitivityandrisk. RoleBasedTraining:SpecificannualtrainingthataddressestherolesandresponsibilitiesofSystemOwners,DataOwners,DataCustodiansandSystemAdministrators.ThistrainingisinadditiontoannualITSecurityAwarenesstraining. RolesandResponsibility:Rolesrepresentadistinctsetofoperationsandresponsibilitiesrequiredtoperformsomeparticularfunctionthatanindividualmaybeassigned.Rolesmaydifferfromtheindividual’sbusinesstitle.ThisStandardcontainstherolesandresponsibilitiesassociatedwithimplementinginformationsecurity. Secure:Astatethatprovidesadequateprotectionofinformationsystems,networksanddataagainstcompromise,commensuratewithsensitivityandrisk. SeparationofDuties:Assignmentofresponsibilitiessuchthatnooneindividualorfunctionhascontrolofanentireprocess.Itisatechniqueformaintainingandmonitoringaccountabilityandresponsibilityforinforma-tionsystems,networksanddata. SensitiveSystem:Asystemissensitivebasedonconfidentiality,integrityoravailability.Alsoseesensitivity. SensitiveData:AtRadfordUniversity,thephrase”sensitivedata”hastheexactsamedefinitionashighlysensitivedata.Becauseoftheiridenticaldefinition,thesephrasesmaybeusedinterchangeably.Whilethephrase”sensitivedata”ismorecommonlyusedinspeechandtext,thephrase”highlysensitivedata”,istheofficialUniversityclassificationforsuchdata. Sensitivity:AmeasureoftheadverseaffectonUniversityinterests,theconductofUniversityprograms,and/ortheprivacytowhichindividualsareentitledthatcompromisedinformationsystems,networksanddatawithrespecttoconfidentiality,integrity,and/oravailabilitycouldcause.Informationsystems,networksanddataaresensitiveindirectproportiontothematerialityoftheadverseeffectcausedbytheircompromise. SensitivityClassification:Theprocessofdeterminingwhetherandtowhatdegreeinformationsystems,networksanddataaresensitive. SharedAccounts:AlogonIDoraccountutilizedbymorethanoneentity.AnexampleofasharedaccountwouldbeaUniversityclubaccount.


SourceCodeAuditing:Asoftware(source)codeauditisacomprehensiveanalysisofsourcecodeinaprogrammingprojectwiththeintentofdiscoveringbugs,securitybreachesorviolationsofprogrammingconventions.Itisanintegralpartofthedefensiveprogrammingparadigm,whichattemptstoreduceerrorsbeforethesoftwareisreleased. SplitTunneling:Routingorganization-specifictrafficthroughtheVPNtunnel,butothertrafficusestheremoteuser’sdefaultgateway. Spy-ware:Acategoryofmalicioussoftwaredesignedtointerceptortakepartialcontrolofacomputer’soperationwithouttheinformedconsentofthatmachine’sownerorlegitimateuser.Whilethetermtakenliterallysuggestssoftwarethatsurreptitiouslymonitorstheuser,ithascometorefermorebroadlytosoftwarethatsubvertsthecomputer’soperationforthebenefitofathirdparty. State:CommonwealthofVirginia. SupportSystem:AninterconnectedsetofITresourcesunderthesamedirectmanagementcontrolthatsharescommonfunctionalityandprovidesservicestoothersystems.SeealsoApplicationSystemandInformationTechnologySystem. System:SeeInformationTechnologySystem. SystemAdministrator:Ananalyst,engineer,orconsultantwhoimplements,manages,and/oroperatesasystematthedirectionoftheSystemOwner,DataOwner,and/orDataCustodian. SystemClassification:Theprocessofcategorizingsystemsbasedonconfidentiality,integrityandavailability.SystemOwner:TheUniversityManagerwhoisresponsiblefortheoperation,documentationandmaintenanceofaUniversityITsystem.AnITSystemmayhaveonlyoneSystemOwner. TechnicalControls:Informationsecuritymeasuresimplementedthroughtechnicalsoftwareorhardware. TemporaryFiles:Filesthatarecreatedasanapplicationexecutes,butuponapplicationtermination,arenolongerrequiredforprocessing;noraretheypartofthefinalrepresentationofdata. TheUniversity:RadfordUniversity. Third-PartyProvider:AcompanyorindividualthatsuppliesITequipment,systems,networksorservicestotheUniversity. Threat:Anycircumstanceorevent(human,physical,orenvironmental)withthepotentialtocauseharmtoaninformationsystemintheformofdestruction,disclosure,adversemodificationofdata,and/ordenialofservicebyexploitingvulnerability. Token:Asmalltangibleobjectthatcontainsabuilt-inmicroprocessorutilizedtostoreandprocessinformationforauthentication. TrojanHorse:Amaliciousprogramthatisdisguisedasorembeddedwithinlegitimatesoftware.TrustedSystemorNetwork:AnITsystemornetworkthatisrecognizedautomaticallyasreliable,truthful,andaccurate,withoutcontinualvalidationortesting.Uniquepassword:Passwordsusedmustbeseparateanddifferentfrompasswordsusedforanyotheruniversityorcommercialaccount. UniversalSerialBus(USB):Astandardforconnectingdevicestocomputers.University:RadfordUniversity. UniversityPresident:ThechiefexecutiveofficeroftheUniversity.USBFlashDrive:Asmall,lightweight,removableandrewritabledatastoragedevice.UserID:AuniquesymbolorcharacterstringthatisusedbyanITsystemtoidentifyaspecificuser.SeeLogonID. VersionControl:Themanagementofchangestodocuments,programs,andotherdatastoredascomputerfiles. VirginiaDepartmentofEmergencyManagement(VDEM):ACommonwealthofVirginiadepartmentthatprotectsthelivesandpropertyofVirginia’scitizensfromemergenciesanddisastersbycoordinatingthe


state’semergencypreparedness,mitigation,response,andrecoveryefforts. Virus:SeeMaliciousCode. VitalRecord:Adocument,regardlessofmedia,which,ifdamagedordestroyed,woulddisruptbusinessoperations. Vulnerability:Aconditionorweaknessinsecurityprocedures,technicalcontrols,oroperationalprocessesthatexposesthesystemtolossorharm. Zero-Day(Zero-Hour)AttackorThreat:Acomputerthreatthatattemptstoexploitcomputerapplicationvulnerabilitieswhichareunknowntoothers,undisclosedtothesoftwarevendor,orforwhichnosecurityfixisavailable.

12ACRONYMSBIA:BusinessImpactAnalysis

CIO:ChiefInformationOfficer

COOP:ContinuityofOperationsPlan

DoIT:DivisionofInformationTechnology

DRP:DisasterRecoveryPlan

FTP:FileTransferProtocol

HIPAA:HealthInsurancePortabilityandAccountabilityAct

IDS:IntrusionDetectionSystems

ISO:InformationSecurityOfficer

ISO/IEC:InternationalOrganizationforStandardization/InternationalElectrotechnicalCommission

ITRM:InformationTechnologyResourceManagement

NIST:NationalInstituteofStandardsandTechnology

PCI:PaymentCardIndustry

PDA:PersonalDigitalAssistant

PI:PersonalInformation

PIN:PersonalIdentificationNumber

RA:RiskAssessment

RPO:RecoveryPointObjective

RTO:RecoveryTimeObjective

SDLC:SystemsDevelopmentLifeCycleSolutionsDirectorate

SSID:ServiceSetIdentifier

SSP:SystemSecurityPlan

VDEM:VirginiaDepartmentofEmergencyManagement