DRAFT UVic IT Security Standards


To provide feedback on these draft standards, please email Information Security Standards.

These minimum security standards enable the university to manage electronic information resources in accordance with university policies and are designed to ensure the confidentiality, integrity, and availability of university information.

Compliance with these standards does not imply a completely secure system. These standards are only one component of ensuring system security.

  1. Determine the highest applicable data classification level by reviewing the University Information Security Classification Procedures in policy IM7800. See Appendix A for Information Classification Examples.
  2. Follow the minimum security standards in the table below to safeguard your systems.

Where did the UVic IT Security Standards come from?

In July 2018, UVic Internal Audit completed its Decentralized Information Technology General Controls (ITGC) Self-Assessments (Phase 2) and recommended that “minimum security standards be developed, implemented into the Information Security Policy, and communicated to all stakeholders at the university.” 

University Systems engaged students in the Master of Engineering in Telecommunications & Information Security (MTIS) as part of their capstone project to provide guidance on developing information security standards and IT governance for UVic. The students’ recommendations included both standards to adopt as well as good examples from other higher education institutions (e.g. Stanford University’s Minimum Security Standards).

An initial draft of the UVic Security Standards was developed by Curtis Les, our Senior Technical and Information Security Analyst, in February 2019. It was based on the above research as well as the latest standards from accredited organizations including the Center for Internet Security (CIS), the National Institute of Standards and Technology (NIST), and the Payment Card Industry (PCI). Where possible, links to supporting UVic resources were included in the draft standards.

The draft standards were then reviewed by members of the University Systems Cybersecurity Working Group and revised after careful consideration of this feedback. For some standards, both a current and a future standard were developed where gaps between the desired standard and current capabilities were identified.

The draft standards are currently being circulated with members of the UVic IT community for additional feedback and revision. We hope to incorporate this feedback and revision and publish the standards in December 2019. If you’d like to provide feedback, please contact Information Security Standards.

Data classifications legend: Public, Internal, Confidential, Highly Confidential. Each standard below lists the data classifications it applies to.

Data Classifications defined in Information Security Policy (IM7800):

Public (blue): Information that has been approved for distribution to the public by the information owner or Administrative Authority or through some other valid authority such as legislation or policy.

Internal (green): Information that is intended for use within the University or within a specific workgroup, Unit or group of individuals with a legitimate need-to-know. Internal Information is not approved for general circulation outside the workgroup or Unit.

Confidential (yellow): The Information Resource is considered to be highly sensitive business or Personal Information, or a critical system. It is intended for a very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup or Unit.

Highly Confidential (red): The Information Resource is so sensitive or critical that it is entitled to extraordinary protections, as defined in IM7800 9.00.

An endpoint is defined as any laptop, desktop or mobile device primarily used by a single individual at a time. Endpoints also include network printers, VoIP telephones and multi-user computers in lab environments.

Minimum Security Standards

Each standard below lists what to do (Minimum), what to do (Better) where a stronger target has been defined, and the data classifications it applies to.

Standard: Patching
What To Do (Minimum):
  1. Apply critical or security patches (OS and applications) within seven days of release. Normal patches should be applied within 30 days.
  2. Use managed update services.
  3. Monitor vulnerability publications (e.g. US-CERT) and remediate any affected operating systems and applications.
  4. Assess the risk of vulnerabilities patched in updated firmware and patch endpoint firmware as appropriate based on risk.
  5. Only use actively supported operating systems and applications (vendors are providing security patches).
  6. Systems with an unsupported OS or applications may not be directly connected to the UVic network.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Inventory
What To Do (Minimum):
  1. Maintain a comprehensive inventory of all endpoint devices (desktops, laptops, mobile devices, and end user network devices such as printers).
  2. Keep Network Services IPAdmin node records current.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Whole Disk Encryption
What To Do (Minimum):
  1. Enable FileVault 2 for Mac and BitLocker for Windows, with key escrow.
  2. Encrypt mobile devices.
  3. Encrypt external hard drives and USB storage devices (recommend not using these devices unless required).
Data Classification: Internal, Confidential, Highly Confidential

Standard: Data Storage
What To Do (Minimum):
  1. All data except for Public data must be stored within a controlled-access system.
  2. Information classified as Confidential or Highly Confidential must be encrypted.
  3. Internal and Public data encryption is strongly recommended in all environments.
What To Do (Better):
  1. All information located on endpoints is encrypted.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Firewall, Intrusion Detection and Malware Protection
What To Do (Minimum):
  1. Install host-based firewall, intrusion detection and malware protection (managed Symantec Endpoint Protection required for Mac and Windows).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Backups
What To Do (Minimum):
  1. Back up user data daily.
  2. Keep user and UVic data on network file storage (preferred) or use Tivoli Storage Manager.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Physical Protection
What To Do (Minimum):
  1. Keep all endpoints in a physically secure location when staff are not present.
  2. Physically secure laptops and mobile devices when not in use.
  3. Use physical access controls such as keys, keycards, and alarms.
Data Classification: Internal, Confidential, Highly Confidential

Standard: Credentials and Access Control
What To Do (Minimum):
  1. User accounts follow the principle of least privilege.
  2. Local administrator accounts use unique passphrases and are disabled if not required.
  3. Review accounts and privileges annually and enforce strong passphrases.
  4. Log in with Netlink account credentials instead of local or shared accounts.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Configuration Management
What To Do (Minimum):
  1. Manage secure configuration for hardware and software (e.g. CIS Control 5) using tools to deploy and enforce standard policies and settings. Examples include Active Directory with standardized Group Policies, System Center Configuration Manager, WSUS, JAMF, and ActiveSync policies.
  2. Follow accredited industry best practices for policies and settings (e.g. CIS Benchmarks).
  3. Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need (CIS Control 9.2).
What To Do (Better):
  1. Meet a minimum 90% CIS Benchmark score for standard Windows and Mac workstations.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Network Protection
What To Do (Minimum):
  1. Configure Access Control Lists to only allow necessary traffic.
  2. Use VPN to access UVic services on endpoints when off campus or on an untrusted network.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Media Disposal
What To Do (Minimum):
  1. Endpoints must be sanitized and securely destroyed following the Records Management policy in IM7700.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Regulated Data Security Controls
What To Do (Minimum):
  1. For payment card processing, use a PCI compliant Virtual Payment Terminal.
Data Classification: Confidential, Highly Confidential

Standard: Information Security Incidents
What To Do (Minimum):
  1. Follow Information Security Incident procedures as detailed in IM7800.
  2. A workstation or mobile device that is suspected of being infected must be rebuilt from known-good media.
Data Classification: Internal, Confidential, Highly Confidential

A server is defined as a host that provides a network-accessible service.

Minimum Security Standards

Each standard below lists what to do (Minimum), what to do (Better) where a stronger target has been defined, and the data classifications it applies to.

Standard: Vulnerability Management
What To Do (Minimum):
  1. Have a defined process in place for assessing the risk of vulnerabilities (e.g. CIS Controls 7.1 - 3.7, PCI DSS requirement 6.1).
  2. Perform regular vulnerability scans and remediate discovered vulnerabilities.
  3. Monitor vulnerability publications (e.g. US-CERT) and remediate any affected operating systems and applications.
What To Do (Better):
  1. Perform monthly or more frequent vulnerability scans with a SCAP compliant tool; assess scan results and remediate discovered vulnerabilities.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Patching
What To Do (Minimum):
  1. Apply critical security patches (OS and applications) within fourteen days of release.
  2. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule.
  3. Only use actively supported operating systems and applications (vendors are providing security patches).
  4. Systems with an unsupported OS or applications must use compensating controls, including network segmentation, to minimize risk.
What To Do (Better):
  1. Apply critical security patches within seven days of release.
  2. Apply non-critical security patches within thirty days of release.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Inventory
What To Do (Minimum):
  1. Keep server inventory current (e.g. update ConfigManager and Nets IPAdmin records).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Firewall, Intrusion Detection and Malware Protection
What To Do (Minimum):
  1. Install and enable a host-based firewall in default deny mode; only permit the necessary services.
  2. Install managed malware and intrusion detection protection (e.g. Symantec Endpoint Protection).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Credentials and Access Control
What To Do (Minimum):
  1. Review accounts and privileges annually and enforce strong passphrases.
  2. Log in with Netlink or privileged account credentials instead of local or shared accounts.
  3. All account access follows the principle of least privilege.
  4. Multi-Factor Authentication (YubiKey) required for all privileged (root/administrator) access.
  5. Implement a Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.
What To Do (Better):
  1. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Centralized Logging
What To Do (Minimum):
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Sysadmin Training
What To Do (Minimum):
  1. Sysadmins maintain knowledge of best practices related to their roles and information security.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Backups
What To Do (Minimum):
  1. Back up servers at least weekly.
  2. Test server restores regularly (at least annually).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Physical Protection
What To Do (Minimum):
  1. All servers must be located in a secure location (Enterprise Data Centre recommended).
  2. Servers must be protected by physical access controls.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Network Protection
What To Do (Minimum):
  1. Configure Access Control Lists, network firewalls, and host-based firewalls to only allow necessary traffic in default deny mode.
  2. Use VPN to manage servers from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Remote Access
What To Do (Minimum):
  1. Use hardened remote access services when accessing servers with Confidential or Highly Confidential data (terminal server/secure admin workstation).
  2. UVic owned and managed equipment is required for privileged (root/administrator level) account access.
  3. Multi-factor authentication required for remote access.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Configuration Management
What To Do (Minimum):
  1. Use configuration management tools such as Active Directory, Group Policies, LDAP.
  2. Follow accredited industry best practices such as NIST Standards, ISO Standards and CIS Benchmarks.
  3. Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need (CIS Control 9.2).
What To Do (Better):
  1. Meet a minimum 90% CIS Benchmark score for standard Windows and Linux servers.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Security, Privacy and Legal Review
What To Do (Minimum):
  1. Have a Security Threat and Risk Assessment completed prior to deployment.
  2. Have a Privacy Impact Assessment completed prior to deployment.
Data Classification: Confidential, Highly Confidential

Standard: Regulated Data Security Controls
What To Do (Minimum):
  1. Implement PCI or FIPPA controls as applicable.
Data Classification: Confidential, Highly Confidential

Standard: Information Security Incidents
What To Do (Minimum):
  1. Follow Information Security Incident procedures as detailed in IM7800.
  2. A server that is suspected of being infected must be rebuilt from a clean backup or known-good media.
Data Classification: Internal, Confidential, Highly Confidential

An application is defined as software or service running on a UVic hosted server that is remotely accessible.

Minimum Security Standards

Each standard below lists what to do (Minimum), what to do (Better) where a stronger target has been defined, and the data classifications it applies to.

Standard: Vulnerability Management
What To Do (Minimum):
  1. Have a defined process in place for assessing the risk of vulnerabilities (e.g. CIS Controls 7.1 - 3.7, PCI DSS requirement 6.1).
  2. Perform regular vulnerability scans and remediate discovered vulnerabilities.
  3. Monitor vulnerability publications (e.g. US-CERT) and remediate any affected services.
What To Do (Better):
  1. Perform monthly or more frequent vulnerability scans with a SCAP compliant tool; assess scan results and remediate discovered vulnerabilities.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Patching
What To Do (Minimum):
  1. Apply critical security patches within fourteen days of release.
  2. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule.
  3. Only use actively supported applications (vendors are providing security patches).
  4. Systems with an unsupported application must use compensating controls, including network segmentation, to minimize risk.
What To Do (Better):
  1. Apply critical security patches within seven days of release.
  2. Apply non-critical security patches within thirty days of release.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Inventory
What To Do (Minimum):
  1. Maintain application inventory quarterly (e.g. update the Application Catalogue).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Firewall
What To Do (Minimum):
  1. Enable web application level firewalls.
What To Do (Better):
  1. Enable web application level firewalls in default deny/blocking mode; only permit the necessary services.
Data Classification: Confidential, Highly Confidential

Standard: Network Controls
What To Do (Minimum):
  1. Configure Access Control Lists and network firewalls to only allow necessary traffic in default deny mode.
  2. Applications must not be Internet-accessible by default unless functionally required.
  3. Use VPN to manage applications from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Credentials and Access Control
What To Do (Minimum):
  1. Review accounts and privileges annually and enforce strong passphrases.
  2. Log in with Netlink or privileged account credentials instead of local or shared accounts.
  3. Integrate with UVic identity services such as CAS, LDAP, SAML or Active Directory where possible.
  4. All account access follows the principle of least privilege.
  5. Multi-Factor Authentication (YubiKey) required for all privileged (root/administrator) access.
  6. Implement a Vendor Access Management Plan. Do not allow vendors unescorted administrative access to applications.
What To Do (Better):
  1. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Centralized Logging
What To Do (Minimum):
  1. Enable and forward logs to a remote log server. UVic Syslog centralized logging recommended.
What To Do (Better):
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Product Selection
What To Do (Minimum):
  1. Follow UVic Purchasing Services processes for product selection.
  2. Follow the Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105).
  3. The application selection process, for both commercial/vendor applications and open source, includes privacy and security risk analyses.
  4. Prior to deployment, applications are assessed for operational readiness and maintainability.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Secure Software Development
What To Do (Minimum):
  1. Design software with security as a requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.
  2. Use security tools such as Acunetix and Burp Suite.
  3. Fully test software before production use.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Developer Training
What To Do (Minimum):
  1. Developers maintain knowledge of best practices related to their roles and information security.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Backups
What To Do (Minimum):
  1. Back up application data at least weekly.
  2. Test data restores regularly (at least annually).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Remote Access
What To Do (Minimum):
  1. Use hardened remote access services when accessing application consoles with Confidential or Highly Confidential data (terminal server/secure admin workstation).
  2. UVic owned and managed equipment is required for privileged (root/administrator level) account access.
Data Classification: Confidential, Highly Confidential

Standard: Security and Privacy Review
What To Do (Minimum):
  1. Have a Security Threat and Risk Assessment completed prior to implementation or significant changes/updates.
  2. Have a Privacy Impact Assessment completed prior to implementation or significant changes/updates.
Data Classification: Confidential, Highly Confidential

Standard: Regulated Data Security Controls
What To Do (Minimum):
  1. Implement PCI or FIPPA controls as applicable.
Data Classification: Confidential, Highly Confidential

A cloud service is defined as any Software as a Service (SaaS) or similar Internet based service.

Minimum Security Standards

Each standard below lists what to do (Minimum), what to do (Better) where a stronger target has been defined, and the data classifications it applies to.

Standard: Product Selection
What To Do (Minimum):
  1. Follow UVic Purchasing Services processes for product selection.
  2. Follow the Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Best Practices and Industry Standards
What To Do (Minimum):
  1. Follow the UVic Cloud Security Standards schedule.
  2. The cloud service must be compliant with an industry standard cloud security framework: ISO 27017, NIST 800-53, or the CSA Cloud Controls Matrix (CCM).
  3. The cloud service contractor must follow industry best practices for network, servers, endpoints, databases, applications, physical facilities, change control and management.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Inventory
What To Do (Minimum):
  1. Maintain application inventory quarterly (e.g. update the Application Catalogue).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Credential and Access Control
What To Do (Minimum):
  1. Review accounts and privileges annually. Enforce strong passphrases.
  2. Integrate with SSO and log in with Netlink or privileged account credentials instead of local or shared accounts. Adhere to Netlink-equivalent password complexity rules if not integrated with SSO/Netlink.
  3. All account access follows the principle of least privilege.
  4. Do not share credentials or use shared accounts.
What To Do (Better):
  1. Multi-Factor Authentication is required for all credentials accessing Confidential or Highly Confidential data.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Privileged Account Management
What To Do (Minimum):
  1. Multi-Factor Authentication required for privileged (root/administrator) access.
Data Classification: Confidential, Highly Confidential

Standard: Key Management
What To Do (Minimum):
  1. Minimize generation of API keys. Grant minimum necessary privileges, rotate API keys annually, and do not hardcode API keys.
  2. Use API keys in conjunction with authentication.
Data Classification: Public, Internal, Confidential, Highly Confidential
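A review check for the cloud-service Credential and Access Control and Key Management rows above (the same account checks apply to the endpoint, server and application credential rows). This is an added example, not a UVic tool or part of the standards; the record layouts, finding codes, the regular expression used to spot a hardcoded key, and the sample accounts, keys and code snippet are assumptions.

```python
"""Access and API-key review, added example (not a UVic tool).

Checks: annual review, least privilege, no shared accounts, MFA for
privileged access and (Better) for Confidential/Highly Confidential access,
annual key rotation, keys used with authentication, no hardcoded keys.
"""
import re
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

REVIEW_INTERVAL = timedelta(days=365)  # review accounts and privileges annually
KEY_ROTATION = timedelta(days=365)     # rotate API keys annually
SENSITIVE = {"Confidential", "Highly Confidential"}
AS_OF = date(2019, 11, 1)              # constructed review date for the sample


@dataclass
class Account:  # assumed layout of one cloud-service account record
    name: str
    privileged: bool
    mfa: bool
    shared: bool
    last_reviewed: Optional[date]
    data_class: str  # Public | Internal | Confidential | Highly Confidential


@dataclass
class ApiKey:  # assumed layout of one issued API key
    key_id: str
    scopes: List[str]
    required_scopes: List[str]  # what the integration actually needs
    issued: date
    bound_to_auth: bool         # used together with an authenticated identity


def review_accounts(accounts: List[Account], today: date) -> List[Tuple[str, str]]:
    """Return (account, finding-code) pairs for accounts that breach the row."""
    out = []
    for a in accounts:
        if a.shared:
            out.append((a.name, "shared-account"))
        if a.last_reviewed is None or today - a.last_reviewed > REVIEW_INTERVAL:
            out.append((a.name, "review-overdue"))
        if a.privileged and not a.mfa:
            out.append((a.name, "privileged-no-mfa"))
        elif a.data_class in SENSITIVE and not a.mfa:
            out.append((a.name, "sensitive-no-mfa"))  # Better-tier control
    return out


def review_keys(keys: List[ApiKey], today: date) -> List[Tuple[str, str]]:
    """Least privilege, annual rotation and authentication binding for API keys."""
    out = []
    for k in keys:
        if set(k.scopes) - set(k.required_scopes):
            out.append((k.key_id, "excess-scope"))
        if today - k.issued > KEY_ROTATION:
            out.append((k.key_id, "rotation-overdue"))
        if not k.bound_to_auth:
            out.append((k.key_id, "key-without-authentication"))
    return out


# Assumed pattern: a quoted literal assigned to a name that suggests a key or secret.
HARDCODED = re.compile(r"(?i)\b(api[_-]?key|secret|token)\s*=\s*['\"][^'\"]{8,}['\"]")


def find_hardcoded_keys(source: str) -> List[int]:
    """Line numbers in source text that appear to hardcode a key or secret."""
    return [n for n, line in enumerate(source.splitlines(), 1) if HARDCODED.search(line)]


# Constructed sample data; names, ids and the code snippet are placeholders.
ACCOUNTS = [
    Account("svc-admin", True, False, True, date(2018, 6, 1), "Confidential"),
    Account("jdoe", False, True, False, date(2019, 3, 1), "Internal"),
    Account("analyst2", False, False, False, date(2019, 9, 1), "Highly Confidential"),
]
KEYS = [
    ApiKey("key-example-1", ["read:reports", "write:users"], ["read:reports"], date(2018, 9, 1), True),
    ApiKey("key-example-2", ["read:roster"], ["read:roster"], date(2019, 5, 1), False),
]
SNIPPET = "import os\napi_key = os.environ['SERVICE_API_KEY']\nAPI_KEY = 'EXAMPLE-not-a-real-key-1234'\n"

if __name__ == "__main__":
    for subject, code in review_accounts(ACCOUNTS, AS_OF) + review_keys(KEYS, AS_OF):
        print(f"{subject:16} {code}")
    print("hardcoded key on lines:", find_hardcoded_keys(SNIPPET))
```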
Standard: Encryption at Rest
What To Do (Minimum):
  1. Use encryption of data at rest (whole database encryption preferred).
Data Classification: Confidential, Highly Confidential

Standard: Encryption in Transit
What To Do (Minimum):
  1. Enable transport layer encryption (TLS 1.1 or higher).
  2. Use strong cipher suites and cipher suite order.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Logging and Auditing
What To Do (Minimum):
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise. Seek vendor or Infosec guidance as needed.
  2. Contractually ensure accurate logging.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Data Management
What To Do (Minimum):
  1. Contractually ensure all information incidents involving UVic data are detected, reported and investigated with the UVic Information Security Office.
  2. Contractually ensure data management, including access to UVic data and the associated purge on termination of the agreement.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Remote Access
What To Do (Minimum):
  1. Use hardened remote access services when accessing application consoles with Confidential or Highly Confidential data (terminal server/secure admin workstation).
  2. Multi-factor authentication and UVic owned and managed equipment are required for privileged (root/administrator level) account access.
Data Classification: Confidential, Highly Confidential

Standard: Security, Privacy and Legal Review
What To Do (Minimum):
  1. Have a Security Threat and Risk Assessment completed prior to deployment and annually.
  2. Complete a Privacy Impact Assessment prior to deployment, and review and update the PIA prior to sending any new data to the cloud service.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Regulated Data Security Controls
What To Do (Minimum):
  1. Contractually ensure cloud vendors implement PCI or FIPPA controls as applicable.
  2. Use the cloud service in a way that is compliant with FIPPA controls, including minimal data collection and obtaining appropriate consents.
Data Classification: Public, Internal, Confidential, Highly Confidential

The network is defined as all campus voice and data networking infrastructure.

Minimum Security Standards

Each standard below lists what to do (Minimum), what to do (Better) where a stronger target has been defined, and the data classifications it applies to.

Standard: Vulnerability Management
What To Do (Minimum):
  1. Have a defined process in place for assessing the risk of vulnerabilities (e.g. CIS Controls 7.1 - 3.7, PCI DSS requirement 6.1).
  2. Monitor vulnerability publications (e.g. US-CERT) and remediate any affected operating systems and applications.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Patching
What To Do (Minimum):
  1. Install the latest stable version of any security-related updates on all network devices within 60 days (CIS Control 11.4).
What To Do (Better):
  1. Install the latest stable version of any security-related updates on all network devices within 30 days.
Data Classification: Public, Internal, Confidential, Highly Confidential
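The patch windows set out in the Patching rows of the endpoint, server, application and network tables above, turned into one compliance check over a patch inventory. This is an added example, not part of the UVic standards or any UVic tool; the record layout, the severity labels and the sample hosts are assumptions, and the network profile applies a single window to every security-related update because that row sets only one.

```python
"""Patch-window compliance check, added example (not a UVic tool).

PROFILES transcribes the day windows from the Patching rows; the record
layout, severity labels and sample hosts are assumptions.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional

# Days allowed between vendor release and installation, by (asset type, tier).
# None means the row sets no fixed window for that severity (server and
# application non-critical patches are scheduled by assessed risk).
PROFILES = {
    ("endpoint", "minimum"):    {"critical": 7,  "normal": 30},
    ("server", "minimum"):      {"critical": 14, "normal": None},
    ("server", "better"):       {"critical": 7,  "normal": 30},
    ("application", "minimum"): {"critical": 14, "normal": None},
    ("application", "better"):  {"critical": 7,  "normal": 30},
    # The network row gives one window for all security-related updates.
    ("network", "minimum"):     {"critical": 60, "normal": 60},
    ("network", "better"):      {"critical": 30, "normal": 30},
}


@dataclass
class PatchRecord:  # assumed layout of one inventory line
    host: str
    asset_type: str          # endpoint | server | application | network
    patch_id: str
    severity: str            # "critical" (incl. vendor security patches) or "normal"
    released: date
    applied: Optional[date]  # None if not yet installed


@dataclass
class Finding:
    host: str
    patch_id: str
    tier: str
    days_overdue: int


def deadline(record: PatchRecord, tier: str) -> Optional[date]:
    """Installation deadline under the given tier, or None if the row sets no window.

    Falls back to the Minimum profile where a table has no Better column
    (the endpoint table), so 'better' can be run across a mixed inventory.
    """
    profile = PROFILES.get((record.asset_type, tier)) or PROFILES[(record.asset_type, "minimum")]
    window = profile[record.severity]
    return None if window is None else record.released + timedelta(days=window)


def check_patches(records: List[PatchRecord], tier: str = "minimum",
                  today: Optional[date] = None) -> List[Finding]:
    """Return one Finding per patch installed (or still missing) past its deadline."""
    today = today or date.today()
    findings = []
    for r in records:
        due = deadline(r, tier)
        if due is None:
            continue                       # risk-based schedule, no fixed window
        installed_on = r.applied or today  # a missing patch is overdue as of today
        if installed_on > due:
            findings.append(Finding(r.host, r.patch_id, tier, (installed_on - due).days))
    return findings


# Constructed sample inventory; host names and patch ids are placeholders.
SAMPLE = [
    PatchRecord("lab-pc-01", "endpoint", "KB-EXAMPLE-1", "critical", date(2019, 10, 1), date(2019, 10, 5)),
    PatchRecord("lab-pc-02", "endpoint", "KB-EXAMPLE-1", "critical", date(2019, 10, 1), None),
    PatchRecord("web-srv-01", "server", "OS-EXAMPLE-2", "critical", date(2019, 10, 1), date(2019, 10, 12)),
    PatchRecord("web-srv-01", "server", "OS-EXAMPLE-3", "normal", date(2019, 9, 1), None),
    PatchRecord("core-sw-01", "network", "FW-EXAMPLE-4", "critical", date(2019, 8, 1), None),
]
AS_OF = date(2019, 11, 1)  # constructed review date for the sample

if __name__ == "__main__":
    for tier in ("minimum", "better"):
        for f in check_patches(SAMPLE, tier, today=AS_OF):
            print(f"{tier:8} {f.host:12} {f.patch_id:14} {f.days_overdue:3} days overdue")
```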
Standard: Inventory
What To Do (Minimum):
  1. Keep network device inventory current (e.g. update ConfigManager and Nets IPAdmin records).
What To Do (Better):
  1. Document all traffic configuration rules (CIS Control 11.2).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Credential Management
What To Do (Minimum):
  1. Manage network devices using multi-factor authentication and encrypted sessions (CIS Control 11.5).
  2. Review accounts and privileges annually and enforce strong passphrases.
  3. All account access follows the principle of least privilege.
  4. Implement a Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Network Administrator Training
What To Do (Minimum):
  1. Network administrators maintain knowledge of best practices related to their roles and information security.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Network Infrastructure
What To Do (Minimum):
  1. Only authorized network devices may be connected to the UVic network (IM7200 Section 12.06).
  2. Manage network infrastructure through a dedicated management network.
  3. Maintain documented secure configurations for all authorized network devices.
  4. Deny communications with known malicious IP addresses.
What To Do (Better):
  1. Use automated tools to verify standard device configurations and alert if deviations are discovered (CIS Control 11.3).
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Backups
What To Do (Minimum):
  1. Maintain backups of network device configurations.
Data Classification: Public, Internal, Confidential, Highly Confidential

Standard: Centralized Logging
What To Do (Minimum):
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended.
  2. Enable NetFlow traffic data logging on network boundary devices.
Data Classification: Public, Internal, Confidential, Highly Confidential