The following was published For Comment on June 18, 1996, and has been forwarded for publication Of Record by the University Information Security Officer.
Users must be sure that critical data on their personal computers are backed up and stored remotely.
Computer viruses can waste time and can destroy data. The user must be sure that the most current anti-virus software is running on his or her computer.
The user must ensure that any restricted information stored on his/her personal computer is safeguarded, through either physical security (locked offices, or keyboards), access control software, or encryption.
When a computer is left signed on, it is easy for someone to gain unauthorized access. Users must either sign off of accounts before they leave their computer, or restrict access by some other means (locked office/keyboard, desktop access control, or a password-protected screen saver). Note, however, that many access control packages and screen savers can be easily bypassed.
Users must abide by the terms of all software licenses. (See Penn's policy on Unauthorized Copying or Use of Licensed Computer Software).
Since short passwords or dictionary words are easy to guess using automated password crackers, any re-usable passwords must be at least seven characters long; must not be simple, dictionary words; must contain a mix of alphabetic, numeric and special characters (e.g. "*&^%$%$#"); and must change at least every sixty days. To prevent password sniffing, systems administrators are encouraged to implement one-time or encrypted password authentication.
Dormant (unused) accounts make attractive targets to intruders, since no one will likely notice the activity. Accounts must be regularly reviewed for inactivity, and any dormant accounts suspended.
Temporary access privileges granted to students, contractors/temps/ part-timers and vendors must be for a period no longer than one year or until the end of the contract term, whichever is sooner, and may only be created and renewed with written authorization from a Penn faculty or staff member.
Special care should be taken with privileged accounts (including, e.g., but not limited to "root" for UNIX and "supervisor" for Netware), commensurate with the privileges afforded the account. Systems administrators must never allow a re-usable password for the most privileged accounts to travel over the network un-encrypted. Passwords for privileged accounts should be given only to people with a need for privileged access.
Vendor- or author-provided security patches must be evaluated for compatibility, and installed as soon as practical.
Wherever feasible, a login banner, stating that the system is for authorized use only, should be displayed for anyone attempting to connect to the system.
Where feasible, all operating system, version/release numbers, and vendor information provided in login/sign-on banners should be limited or disabled. Providing this information makes attacks easier by allowing intruders to pinpoint hosts with known security vulnerabilities.
Wherever feasible, login restrictions (by time of day, by system address, etc.) should be implemented.
Logs of user activity must be retained for a period of at least six months. Knowledge that logs are kept acts as a deterrent to abuse. Logs are also essential in investigating incidents after the fact. Logs should include (where feasible) the time and date of activities, the user ID, commands (and command arguments) executed, ID of either the local terminal or remote computer initiating the connection, associated system job or process number, and error conditions (failed/rejected attempts, failures in consistency checks, etc.)
Systems administrators are responsible for taking proactive steps to assure the security of the server. Examples include regularly checking for weak user passwords and checking the system for common security vulnerabilities.
Systems administrators must implement backup procedures consistent with the requirements of the Data Steward. (See Data Stewardship policy)
Systems administrators are responsible for compliance with each relevant campus operating-system-specific security standard.
Management Responsibilities Within reason, management (School/Unit/Department management) must make available the resources that users and systems administrators need to carry out the responsibilities above.
Management must retain copies of the original software licenses for commercial software used in their department. For site-licensed software, management must retain a copy of the site license. Management must ensure compliance with the terms of all commercial software licenses.
Management must ensure the physical security of servers. It is strongly recommended that departmental and central servers be kept in a locked area. Servers must be protected from power surges, power failures, water damage, overheating, fire, and other physical threats.
Management must approve all modems installed on Penn administrative computers in their department. Unauthorized modem connections pose a security risk because if left uncontrolled, widespread, unauthenticated entry to PennNet becomes possible. Sensitive areas should consider the use of dial-back or caller-id modems. All modem access must be authenticated.
Management of departments/units providing University administrative information systems must ensure that all users have viewed a confidentiality statement at the time that access is granted, and annually thereafter (statement attached).
Management/supervisors must ensure that access to administrative systems is revoked or modified as appropriate upon employee resignation, termination, job changes, or when grants or contracts expire.
Violations of this policy will be handled under the University Policy on Adherence to University Policy for violations by employees and by the Office of Student Conduct or the respective School for violations by students.
Management or supervisors may be required to resolve violations by members of their staff.
The following notice is issued as a reminder of the policy published Of Record in Almanac September 15, 1992.
If you have questions about this policy, please contact Dave Millar, University Information Security Officer, at 898-2172.
-- Dave Millar, University Information Security Officer
Volume 43 Number 18
January 21, 1997
Return to Almanac's homepage.
Return to index for this issue.