UVic Information Security Standards

Information security

These security standards enable the university to manage electronic information resources in accordance with university policies and are designed to ensure the confidentiality, integrity, and availability of university information.

Compliance with these standards does not imply a completely secure system. These standards are only a component of ensuring system security. The standards will be revised and updated regularly.

These security standards apply to all members of the UVic community responsible for managing UVic electronic information resources. The requisite skills and knowledge level are required to maintain compliance to the standards; University Systems offers services to manage electronic information resources in a secure and reliable manner: University Systems Service Catalogue.

The standards are based on the IM7800 data classification of the information at risk.

Determine the highest applicable data classification level by reviewing the University Information Security Classification Procedures in policy IM7800. See Appendix A for Information Classification Examples.
Follow the security standards in the table below to safeguard your systems. Where possible, we recommend implementing stronger security controls than the current standard.

Where did the UVic Information Security Standards come from?

In July 2018, UVic Internal Audit completed its Decentralized Information Technology General Controls (ITGC) Self-Assessments (Phase 2) and recommended that “minimum security standards be developed, implemented into the Information Security Policy, and communicated to all stakeholders at the university.”

University Systems engaged students in the Master of Engineering in Telecommunications & Information Security (MTIS) as part of their capstone project to provide guidance on developing information security standards and IT governance for UVic. The students’ recommendations included both standards to adopt as well good examples from other higher education institutions (e.g. Stanford University’s Minimum Security Standards).

An initial draft of UVic Security Standards were developed by Curtis Les, our Senior Technical and Information Security Analyst, in February 2019. These were based on the above research as well as the latest standards from accredited organizations including the Center for Internet Security (CIS), National Institute for Standards and Technology (NIST), and Payment Card Industry (PCI). Where possible, links to supporting UVic resources were included in the draft standards.

The draft standards were then reviewed by members of the University Systems Cybersecurity Working Group. The draft standards were revised after careful consideration of this feedback. For some standards, a current and future standard was developed as gap areas between a desired standard and current capabilities were identified.

The draft standards were circulated with members of the UVic IT community for additional feedback and revision. We reviewed and incorporated this feedback and published the standards in December 2019. If you’d like to provide additonal feedback, please contact Information Security Standards.

How are the Information Security Standards kept current?

The UVic Information Security Standards follow a regular review and update process to reflect the nature of rapid changes and improvements to best practices in information security.

Proposals for changes and additions to the Standards are open at all times. To make a proposal, please email infosecstandards@uvic.ca. Proposed changes should include rationale.

Review and updates to the Standards are completed at minimum once per year.
All proposals are recorded by the Information Security Office.
Proposals are circulated with subject matter experts for feedback.
The UVic Chief Information Security Officer approves all changes to the Information Security Standards.
Updated standards are published to uvic.ca/securitystandards.
An Informed message advising of updated security standards is posted.

Data classifications legend

Data Classifications defined in Information Security Policy (IM7800):

Public

Internal

Confidential

Highly Confidential

Definition:

Information that has been approved for distribution to the public by the information owner or Administrative Authority or through some other valid authority such as legislation or policy.

Definition:

Information that is intended for use within the University or within a specific workgroup, Unit or group of individuals with a legitimate need-to-know. Internal Information is not approved for general circulation outside the workgroup or Unit.

Definition:

Information Resource is considered to be highly sensitive business or Personal Information, or a critical system. It is intended for a very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup or Unit.

Definition:

Information Resource is so sensitive or critical that it is entitled to extraordinary protections, as defined in IM7800 9.00.

Endpoints
Servers
Applications
Cloud Services
Network
Operational Technology

An endpoint is defined as any laptop, desktop or mobile device primarily used by a single individual at a time. Endpoints also include network printers, VOIP telephones and multi user computers in lab environments.

Security Standards

Table description: UVic Security Standards for Endpoint Devices required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Patching	Apply critical or security patches (OS and applications) within seven days of release. Normal patches should be applied within 30 days. Use managed update services. Monitor vulnerability publications such as US-Cert and remediate any affected operating systems and applications. Assess risk of vulnerabilities patched in updated firmware and patch endpoint firmware as appropriate based on risk. Only use actively supported operating systems and applications (vendors are providing security patches). Systems with an unsupported (no future security updates from vendor) OS or applications may not be directly connected to UVic Network.
Inventory	Maintain a comprehensive inventory of all endpoint devices (desktops, laptops, mobile devices, and end user network devices such as printers). Keep Network Services IPAM records current.
Whole Disk Encryption	Enable FileVault2 for Mac, BitLocker for Windows, and equivalent full disk encryption for Linux, with secure key escrow. Encrypt mobile devices. Encrypt external hard drives and USB storage devices (recommend not using these devices unless required).
Data Storage	All data except for Public data must be stored within a controlled-access system. Information classified as Confidential or Highly Confidential must be encrypted. Internal and Public data encryption is strongly recommended in all environments.	All information located on endpoints is encrypted.
Firewall, Intrusion Detection and Malware Protection	Install advanced endpoint protection with a host based firewall and endpoint detection and response (EDR). Microsoft Defender for Endpoint is required for UVic owned workstation endpoints.
Backups	Backup user data daily. Keep user and UVic data on network file storage (preferred) or use Tivoli Storage Manager.
Physical Protection	Keep all endpoints in a physically secure location when staff are not present. Physically secure laptops and mobile devices when not in use. Use physical access controls such as keys, keycards, and alarms.
Credentials and Access Control	User accounts follow the principle of least privilege. Local administrator accounts use unique passphrases and are disabled if not required. Review accounts and privileges annually and enforce strong passphrases. Login with Netlink account credentials instead of local or shared accounts.	Require Multi-Factor Authentication to login to endpoints used as privileged access workstations.
Configuration Management	Manage secure configuration for hardware and software (CIS Controls 8 - 4.1) using tools to deploy and enforce standard policies and settings. Examples include Active Directory with standardized Group Policies, System Center Configuration Manager, WSUS, JAMF, ActiveSync Policies. Follow accredited industry best practices for policies and settings, including application allowlisting, macro controls, and restricting command line access (CIS Benchmarks). Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need (CIS Controls 8 - 4.4, 4.5).	Meet a minimum 90% CIS Benchmark score for standard Windows and Mac workstations. Enroll all mobile devices into an Enterprise Mobility Management system with recommended security policies (NIST 800-124).
Network Protection	Configure Access Control Lists to only allow necessary traffic. Use VPN to access UVic services on endpoints when off campus or on an untrusted network.
Media Disposal	Endpoints must be sanitized and securely destroyed following Records Management policy in IM7700.
Regulated Data Security Controls	For payment card processing use a PCI compliant Virtual Payment Terminal.
Information Security Incidents	Follow Information Security Incident procedures as detailed in IM7800. A workstation or mobile device that is suspected of being infected must be rebuilt from known-good media.
Support Staff Training	Support Staff must participate at least annually in training to maintain knowledge of information security best practices related to their roles.

A server is defined as a host that provides a network-accessible service.

Security Standards

Table description: UVic Security Standards for Servers required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Vulnerability Management	Have a defined process in place for assessing risk of vulnerabilities (CIS Controls 8 - 7.1,7.2, PCI-DSS requirement 6.1). Perform regular vulnerability scans and remediate discovered vulnerabilities. Monitor vulnerability publications such as US-Cert and remediate any affected operating systems and applications.	Perform monthly or more frequent vulnerability scans with a SCAP compliant tool; assess scan results and remediate discovered vulnerabilities.
Patching	Apply critical security patches (OS and applications) within 3 days of release. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule. Use automated, managed update services where possible. Only use only actively supported operating systems and applications (vendors are providing security patches). Systems with an unsupported (no future security updates from vendor) OS or applications must use compensating controls, including network segmentation, to minimize risk.	Apply critical security patches within 24 hours of release. Apply non-critical security patches within 30 days of release.
Inventory	Keep server inventory current (update ConfigManager and Nets IPAM records).
Firewall, Intrusion Detection and Malware Protection	Install and enable host based firewall in default deny mode; only permit the necessary services. Use the institutionally managed and supported Extended Detection and Response (EDR/XDR) software; contact the Information Security Office for more information.
Credentials and Access Control	Review accounts and privileges annually and enforce strong passphrases. Login with Netlink or privileged account credentials instead of local or shared accounts. All account access follows the principle of least privilege. Multi-Factor Authentication required for all privileged (root/administrator) access. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.	Multi-Factor Authentication required for all credentials.
Centralized Logging	Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems. Log all access requests, including userID, IP address, date and timestamp, and result.
Sysadmin Training	Sysadmins must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Backups	Backup servers at least weekly. Test server restores regularly (at least annually).
Physical Protection	All servers must be located in a secure location (Enterprise Data Centre recommended). Servers must be protected by physical access controls.
Network Protection	Configure Access Control Lists, VRFs, network firewalls, and host based firewalls to only allow necessary traffic in default deny mode. Use VPN to manage servers from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Remote Access	Use hardened remote access services when accessing servers with confidential or highly confidential data (terminal server/secure admin workstation). UVic owned and managed equipment is required for privileged (root/administrator level) account access. Multi-factor authentication required for remote access.
Configuration Management	Use configuration management tools such as Active Directory, Group Policies, LDAP. Follow accredited industry best practices such as NIST Standards, ISO Standards and CIS Benchmarks. Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need (CIS Control 8 - 4.4, 4.5).	Meet a minimum 90% CIS Benchmark score for standard Windows and Linux servers.
Security, Privacy and Legal Review	Follow a defined process to identify whether a Privacy Impact Assessment (PIA) and/or Security Threat and Risk Assessment (STRA) is required for each application. If required, complete a PIA and/or STRA prior to deployment. Review and update the PIA and STRA before significant changes to the application or the data used by the application.
Regulated Data Security Controls	Implement PCI or FIPPA controls as applicable.
Information Security Incidents	Follow Information Security Incident procedures as detailed in IM7800. A server that is suspected of being infected must be rebuilt from a clean backup or known-good media.

An application is defined as software or service running on a UVic hosted server that is remotely accessible.

Security Standards

Table description: UVic Security Standards for Applications required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Vulnerability Management	Have a defined process in place for assessing risk of vulnerabilities (CIS Controls 8 - 7.1,7.2, PCI-DSS requirement 6.1). Perform regular vulnerability scans and remediate discovered vulnerabilities. Monitor vulnerability publications such as US-Cert and remediate any affected services.	Perform monthly or more frequent vulnerability scans with a SCAP compliant tool; assess scan results and remediate discovered vulnerabilities.
Patching	Apply critical security patches within 3 days of release. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule. Only use actively supported applications (vendors are providing security patches). Systems with an unsupported (no future security updates from vendor) application must use compensating controls, including network segmentation, to minimize risk.	Apply critical security patches within 24 hours of release. Apply non-critical security patches within 30 days of release.
Inventory and Repository	Maintain application inventory quarterly. Maintain a centrally managed repository for storing software code securely. Restrict access to the repository following principle of least privilege.
Firewall	Enable web application level firewalls in default deny/blocking mode; only permit the necessary services (CIS v8 control 13.1).
Network Controls	Configure Access Control Lists, and network firewalls to only allow necessary traffic in default deny mode. Applications must not be Internet-accessible by default unless functionally required. Use VPN to manage applications from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Credentials and Access Control	Review accounts and privileges annually and enforce strong passphrases. Login with Netlink or privileged account credentials instead of local or shared accounts. Integrate with UVic identity services such as CAS, LDAP, SAML or Active Directory where possible. All account access follows the principle of least privilege. Multi-Factor Authentication required for all privileged (root/administrator) access. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to applications.	Multi-Factor Authentication required for all credentials.
Centralized Logging	Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems. Log all access requests, including userID, IP address, date and timestamp, and result.
Product Selection	Follow UVic Purchasing Services processes for product selection. Follow Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105). Application selection process, for both commercial/vendor applications and open source, includes privacy and security risk analyses. Prior to deployment, applications are assessed for operational readiness and maintainability.
Secure Software Development	Design software with security as a requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. Fully test software before production use, with a complete suite of tests: - Unit tests - Integration tests - Security tests such as with Burp Suite. Ensure tests validate both expected and unexpected behavior. Integrate automated testing into the CI/CD pipeline. Ensure developed applications meet OWASP Application Security Verification Standard 4, Level 2. Use automated tools for application deployment, to provide consistency and ability to audit.	Perform Software Composition Analysis (SCA) activities monthly or more frequent to check for outdated and/or vulnerable dependencies.
Developer Training	Require developer participation in regular training (minimum annually) or developer security certification, to maintain knowledge of information security best practices related to their roles.
Backups	Backup application data at least weekly. Test data restores regularly (at least annually).
Remote Access	Use hardened remote access services when accessing application consoles with confidential or highly confidential data (terminal server/secure admin workstation). UVic owned and managed equipment is required for privileged (root/administrator level) account access.
Security and Privacy Review	Follow a defined process to identify whether a Privacy Impact Assessment (PIA) and/or Security Threat and Risk Assessment (STRA) is required for each application. If required, complete a PIA and/or STRA prior to deployment. Review and update the PIA and STRA before significant changes to the application or the data used by the application.
Regulated Data Security Controls	Implement PCI or FIPPA controls as applicable.

A cloud service is defined as any Infrastructure, Platform or Software 'as a Service' or similar Internet based service. If information is stored or used in a cloud service, this standard applies.
Other standards may also apply to cloud services, for example, Server or Application standards could apply to servers, containers, or applications running on a cloud platform.

Security Standards

Table description: UVic Security Standards for Cloud Services required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Product Selection	Follow UVic Purchasing Services processes for product selection. Follow Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105).
Best Practices and Industry Standards	Follow UVic Cloud Security Standards schedule. The cloud service must be compliant with a industry standard cloud security framework - ISO 27017, NIST 800-53, CSA Cloud Controls Matrix (CCM). The cloud service contractor must follow industry best practices for network, servers, endpoints, databases, applications, physical facilities, change control and management.
Inventory	Maintain application inventory quarterly.
Credential and Access Control	Review accounts and privileges annually. Enforce strong passphrases. Integrate with SSO and login with Netlink or privileged account credentials instead of local or shared accounts. Adhere to Netlink equivalent password complexity rules if not integrated with SSO/Netlink. All account access follows the principle of least privilege. Do not share credentials or use shared accounts. Multi-Factor Authentication is required for all credentials. accessing Confidential or Highly Confidential Data.	Multi-Factor Authentication is required for all credentials.
Privileged Account Management	Multi-Factor Authentication required for privileged (root/administrator) access for all cloud systems.
Key Management	Minimize generation of API keys. Grant minimum necessary privileges, rotate API keys annually, do not hard-code API keys. Use API keys in conjunction with authentication.
Encryption at Rest	Use encryption of data at rest (whole database encryption preferred).
Encryption in Transit	Enabled transport layer encryption TLS 1.2 or higher. Use strong cipher suites and cipher suite order.
Logging and Auditing	Enable any available application logging that would assist in a forensic investigation in the event of a compromise, such as all access requests, including userID, IP address, date and timestamp, and result. SIEM logging recommended for identity, access management and high risk systems. Seek vendor or Information Security Office guidance as needed. Contractually ensure accurate logging.
Data Management	Contractually ensure all information incidents involving UVic data are detected are reported and investigated with UVic Information Security Office. Contractually ensure data management, including access to UVic data and associated purge on termination of the agreement.
Remote Access	Use hardened remote access services when accessing application consoles with confidential or highly confidential data (terminal server/secure admin workstation). Multi-factor authentication and UVic owned and managed equipment is required for privileged (root/administrator level) account access for all cloud systems.	Use hardened remote access services when accessing an application console for all data classifications (terminal server/secure admin workstation).
Security, Privacy and Legal Review	Have a Security Threat and Risk Assessment completed prior to deployment and annually. Complete a Privacy Impact Assessment completed prior to deployment and review and update PIA prior to sending any new data to the cloud service.
Regulated Data Security Controls	Contractually ensure cloud vendors implement PCI or FIPPA controls as applicable. Use the cloud service in a way that is compliant with FIPPA controls, including minimal data collection and obtaining of appropriate consents.
Administrator Training	Cloud Service administrators must participate at least annually in training to maintain knowledge of information security best practices related to their roles.

The network is defined as all campus voice and data networking infrastructure.

Security Standards

Table description: UVic Security Standards for Network Devices required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Vulnerability Management	Have a defined process in place for assessing risk of vulnerabilities (CIS Controls 8 - 7.1,7.2, PCI-DSS requirement 6.1). Monitor vulnerability publications such as US-Cert and remediate any affected operating systems and applications.
Patching	Install the latest stable version of any security related updates on all network devices within 60 days (CIS Control 8 - 12.1).	Install the latest stable version of any security related updates on all network devices within 30 days.
Inventory	Keep network device inventory current (update ConfigManager, IPAM and Nets Tools records).	Document all traffic configuration rules (CIS Control 8 - 12.4).
Credential Management	Manage network devices using multi-factor authentication and encrypted sessions (CIS Control 8 - 4.6, 6.5). Review accounts and privileges annually and enforce strong passphrases. All account access follows the principle of least privilege. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.
Network Administrator Training	Network administrators must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Network Infrastructure	Only authorized network devices may be connected to the UVic network (IM7200 Section 12.06). Manage network infrastructure through a dedicated, segregated management network. Maintain documented secure configurations for all authorized network devices. Deny communications with known malicious IP addresses.	Use automated tools to verify standard device configurations and alert if deviations are discovered (CIS Control 8 - 4.2).
Backups	Maintain backups of network device configurations.
Centralized Logging	Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems. Enable netflow traffic data logging on network boundary devices.

Operational Technology includes programmable systems or devices with an embedded operating system that interact with or manage the physical environment, including scientific equipment and Internet of Things devices. Examples include industrial control systems, building management systems, fire control systems, physical access controls, microscopes, medical scanners, conference room systems, video streaming devices, and security cameras.

Security Standards

Table description: UVic Security Standards for Operational Technology required for each of UVic's data classifications
Category	Current Standard	Future Standard	Data Classification
Vulnerability Management	Have a defined process in place for assessing risk of vulnerabilities (CIS Controls 8 - 7.1,7.2, PCI-DSS requirement 6.1). Monitor vulnerability publications such as US-Cert and remediate any affected firmware and applications.
Patching	Install the latest stable version of any security related updates on all Operational Technology within 60 days (CIS Control 8 - 12.1).	Install the latest stable version of any security related updates on all Operational Technology devices and applications within 30 days.
Inventory	Maintain a comprehensive inventory of all Operational Technology devices and applications.
Credential Management	Where possible, protect Operational Technology devices and management consoles with multi-factor authentication, and encrypted sessions (CIS Control 8 - 4.6, 6.5). Use Central Authentication Systems with NetLink account logins where possible instead of silo or shared accounts. Review accounts and privileges annually and enforce strong passphrases, including local device access controls. All account access follows the principle of least privilege. Implement Vendor Access Management Plan. Do not allow vendors unescorted remote administrative access to Operational Technology.
Operational Technology Infrastructure	Only authorized Operational Technology devices may be connected to the UVic network (IM7200 Section 12.06). Use dedicated, segregated infrastructure, including the use of VLANs, VRFs and network firewalls, for all Operational Technology devices. Physically secure Operational Technology where applicable. Ensure that all network ports, protocols, services, and software configuration running on operational technology have a valid business need.
Backups	Keep and test backups of necessary information.
Logging	Log authentications and changes in Operational Technology, stored centrally where possible.

An Excel version of these standards: uvicsecuritystandards.xlsx.

Related support
Related services

UVic Information Security Standards

Information security

Where did the UVic Information Security Standards come from?

How are the Information Security Standards kept current?

Data classifications legend

Definition:

Definition:

Definition:

Definition:

Security Standards

Category

Current Standard

Future Standard

Data

Classification

Patching

Inventory

Whole Disk Encryption

Data Storage

Firewall, Intrusion Detection and Malware Protection

Backups

Physical Protection

Credentials and Access Control

Configuration Management

Network Protection

Media Disposal

Regulated Data Security Controls

Information Security Incidents

Support Staff Training

Security Standards

Category

Current Standard

Future Standard

Data

Classification

Vulnerability Management

Patching

Inventory

Firewall, Intrusion Detection and Malware Protection

Credentials and Access Control

Centralized Logging

Sysadmin Training

Backups

Physical Protection

Network Protection

Remote Access

Configuration Management

Security, Privacy and Legal Review

Regulated Data Security Controls

Information Security Incidents

Security Standards

Category

Current Standard

Future Standard

Data

Classification

Vulnerability Management

Patching

Inventory and Repository

Firewall

Network Controls

Credentials and Access Control

Centralized Logging

Product Selection

Secure Software Development

Developer Training

Backups

Remote Access

Security and Privacy Review

Regulated Data Security Controls

Security Standards

Category

Current Standard

Future Standard

Data

Classification

Product Selection

Best Practices and Industry Standards

Inventory

Credential and Access Control