Penn Computing

Sunday, April 23, 2017

Information Security Standards

The Office of Information Security (OIS) has published several standards for common IT environments and scenarios encountered across the University. These standards represent recommended minimum security controls and are considered voluntary recommendations at this time. All listed controls are recommended regardless of the sensitivity of the data on the machine, because these standards describe the minimum security posture.

You are encouraged to evaluate your environment to determine whether it meets these recommendations, and to prioritize implementation efforts by risk level. As the field of information security is constantly evolving, these standards may be updated over time.

All of the recommendations will be considered for future inclusion in official University IT Policy.

If you have any questions regarding these standards, you may email OIS at security@isc.upenn.edu.

You may jump to a specific standard here:

Application Standards
Endpoint Standards
Server Standards

Application Standards

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.

Each entry below lists the standard, the recommendation, and the related resources.

Critical Components
  Recommendation: If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning, starting before rollout. For web applications, scan with a web application vulnerability scanner.
  Resources:
    Critical Components: https://secure.www.upenn.edu/computing/security/internal/critcomp.php
    WebInspect: http://www.upenn.edu/oacp/audit/audit101/it-controls.html#application-security

Secure Coding
  Recommendation: Follow secure coding best practices, such as OWASP (for web applications), and implement an SDLC (Software Development Life Cycle) whenever possible. An SDLC should include regular regression testing, code review, security as a design requirement, and use of a framework.
  Resources:
    OWASP (see the Quick Download section): https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
    CERT (see coding standards for C, Android, C++, Java, and Perl): https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards
    Join Developer SIG: https://secure.www.upenn.edu/computing/group/signup/index.html
    Developer SIG Code Contributions: https://gitlab.com/groups/upenn-dev-sig
    Developer SIG Slack Channel: https://upenn-dev-sig.slack.com

Sensitive Data
  Recommendation: Consider your use of sensitive data; if you must store it, use encryption in transit and at rest.
  Resources:
    Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html
    Consult ISC Information Security (security@isc.upenn.edu) about alternatives to handling sensitive data.

Patching
  Recommendation: Security patches must be applied on a timely basis.
  Resources:
    Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html
    University Computing Policies: http://www.upenn.edu/computing/policy/

SPIA
  Recommendation: Conduct a SPIA (Security and Privacy Impact Assessment), including an inventory of applications, the libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed.
  Resources:
    SPIA: http://www.upenn.edu/computing/security/spia/index.php

Account Review
  Recommendation: Review accounts and privileges regularly.
  Resources:
    PennGroups where possible, or an equivalent control: http://www.upenn.edu/computing/penngroups/

Credential Management
  Recommendation: Follow secure password handling practices for passwords used by the application and, wherever possible, use the campus authentication system for user passwords.
  Resources:
    Strong password recommendations for PennKeys: https://weblogin.pennkey.upenn.edu/changepassword
    Best practices for passwords used by the application: https://secure.www.upenn.edu/computing/security/standards/app-password-best-practices-v2.rtf
    Penn WebLogin: http://www.upenn.edu/computing/weblogin/
    Two-Step Verification with Duo: http://www.upenn.edu/computing/weblogin/two-step/duo.html
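
The Credential Management entry above asks applications to follow secure password handling practices for the passwords they store themselves. The following is an added example, not code from Penn or from the linked best-practices document, showing one way to do that with only Python's standard library: a random per-user salt, the memory-hard scrypt derivation (the cost parameters here are assumptions to tune for your hardware), a self-describing stored record, a constant-time comparison on verification, and a check that flags records hashed with weaker parameters than the current ones so they can be upgraded at the user's next login.

```python
import base64
import hashlib
import hmac
import os
from typing import Optional

# scrypt cost parameters (assumption: chosen for this example; raise them as
# hardware allows). Memory use is roughly 128 * N * r bytes, here 16 MiB.
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
DKLEN = 32          # derived key length in bytes
SALT_LEN = 16       # random salt length in bytes


def _b64(data: bytes) -> str:
    return base64.b64encode(data).decode("ascii")


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a self-describing record: scrypt$N$r$p$salt$hash (base64 fields).

    Storing the parameters alongside the hash lets verification keep working
    after the defaults are raised, and lets needs_rehash() find old records.
    """
    if salt is None:
        salt = os.urandom(SALT_LEN)  # fresh random salt for every password
    digest = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                            n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DKLEN)
    return "$".join(["scrypt", str(SCRYPT_N), str(SCRYPT_R), str(SCRYPT_P),
                     _b64(salt), _b64(digest)])


def _parse(record: str):
    """Split a record into (n, r, p, salt, digest); return None if malformed."""
    parts = record.split("$")
    if len(parts) != 6 or parts[0] != "scrypt":
        return None
    try:
        n, r, p = int(parts[1]), int(parts[2]), int(parts[3])
        salt = base64.b64decode(parts[4], validate=True)
        digest = base64.b64decode(parts[5], validate=True)
    except ValueError:          # bad integer or bad base64 (binascii.Error)
        return None
    return n, r, p, salt, digest


def verify_password(password: str, record: str) -> bool:
    """Recompute with the record's own parameters and compare in constant time."""
    parsed = _parse(record)
    if parsed is None:
        return False
    n, r, p, salt, digest = parsed
    try:
        candidate = hashlib.scrypt(password.encode("utf-8"), salt=salt,
                                   n=n, r=r, p=p, dklen=len(digest))
    except ValueError:          # e.g. N not a power of two in a corrupted record
        return False
    # hmac.compare_digest does not leak the position of the first differing byte.
    return hmac.compare_digest(candidate, digest)


def needs_rehash(record: str) -> bool:
    """True when the record is malformed or was made with weaker parameters than now."""
    parsed = _parse(record)
    if parsed is None:
        return True
    n, r, p, _, digest = parsed
    return n < SCRYPT_N or r < SCRYPT_R or p < SCRYPT_P or len(digest) < DKLEN
```

On a successful login, call needs_rehash() on the stored record; if it returns True, call hash_password() on the plaintext you just verified and replace the record, which migrates old accounts to stronger parameters without a forced reset.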

Endpoint Standards

Definition: Any laptop, desktop or mobile operating system.

Each entry below lists the standard, the recommendation, and the related resources.

Security Patching
  Recommendation: Apply security patches within seven days of being published. Use a supported OS version.
  Resources:
    Penn Endpoint Management Service (PennEM): http://www.upenn.edu/computing/isc/lts/PennEM/index.html
    Configure the OS to perform automatic updates.

Whole Disk/Device Encryption
  Recommendation: Run native encryption as available on newer devices.
  Resources:
    InfoSec encryption recommendations: http://www.upenn.edu/computing/security/encrypt.php

Backups
  Recommendation: Back up user data daily.
  Resources:
    Secure Remote Backup: http://www.upenn.edu/computing/isc/lts/srb/srbfaq.html

Access Control
  Recommendation: Always use a password or a PIN on the device. Set the device to lock the screen automatically when not in use.
  Resources:
    Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html

Malware Protection
  Recommendation: Run antimalware/antivirus software.
  Resources:
    Symantec Endpoint Protection: https://secure.www.upenn.edu/computing/resources/category/applications/article/symantec-endpoint-protection

Configuration Management
  Recommendation: Use an endpoint management solution selected and supported at the school or center level.
  Resources:
    IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html

Secure Deletion
  Recommendation: Erase or destroy storage media before recycling or donating devices.
  Resources:
    Secure Data Deletion: http://www.upenn.edu/computing/security/privacy/data_clear.php

Server Standards

Definition: A server is defined as a host that provides a network accessible resource.

Each entry below lists the standard, the recommendation, and the related resources (where any are listed).

Physical security
  Recommendation: Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible.
  Resources:
    ISC Hosting: https://www.isc.upenn.edu/hosting
    Facilities Managed Computing: https://www.mr.isc-seo.upenn.edu/Pages/FMComputing.aspx

Multi-Factor Login
  Recommendation: Multi-factor authentication required when logging into servers with privileged account access.
  Resources:
    Two-Step Verification with Duo: http://www.upenn.edu/computing/weblogin/two-step/duo.html

Patching
  Recommendation: Patches to vulnerabilities applied promptly after they have been made available.
  Resources:
    IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html

Credential management
  Recommendation: Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied.
  Resources:
    LastPass Premium at Penn: https://www.isc.upenn.edu/news-announcements/lastpass-premium-now-available-penn-community

Secure Disposal
  Recommendation: Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal.
  Resources:
    Secure Data Deletion: http://www.upenn.edu/computing/security/privacy/data_clear.php

Inventory
  Recommendation: Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc.).
  Resources:
    IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html
    Identity Finder: https://secure.www.upenn.edu/computing/resources/category/applications/article/identity-finder

Network firewall
  Recommendation: Host-based network filtering (e.g. a firewall) configured. Hardware firewall used wherever possible.
  Resources: none listed.

Centralized logging
  Recommendation: Security-relevant events, including privileged access, are logged to a separate system.
  Resources:
    Security Logging Service: http://www.upenn.edu/computing/security/logging/

Vulnerability management
  Recommendation: Servers regularly scanned with a vulnerability scanner. Findings resolved as soon as is practicable. Continuous monitoring used wherever possible.
  Resources:
    Nessus Vulnerability Scanner: http://www.upenn.edu/computing/security/scanner/

SysAdmin Training
  Recommendation: System administrators (SAs) trained in the tools and procedures required to implement the items listed in this standard. University policy, as well as prohibited behaviors, covered.
  Resources: none listed.

Host integrity
  Recommendation: Host integrity maintained through some combination of antivirus, antimalware, rootkit detection, and file integrity monitoring, configured with external alerting whenever possible (see Centralized logging).
  Resources:
    OSSEC: https://ossec.github.io/

Least privilege
  Recommendation: Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges.
  Resources: none listed.
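
The Centralized logging entry above requires security-relevant events, including privileged access, to reach a separate system. As an added example (not Penn's code, and not how the Security Logging Service itself ingests data), the following Python selects privileged-access events from constructed auth.log lines (sudo use and any root login attempt over SSH) and renders each as an RFC 5424 syslog message ready to ship to a remote collector. The app name privaudit, the structured-data ID priv@32473 (32473 is the enterprise number reserved for documentation) and the sample log lines are assumptions made for the example.

```python
import re
from datetime import datetime, timezone

# Constructed sample lines in the classic Linux auth.log layout (not real logs).
SAMPLE_AUTH_LOG = """\
Apr 23 10:14:02 app01 sshd[2104]: Accepted publickey for alice from 10.0.1.15 port 52114 ssh2
Apr 23 10:14:09 app01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Apr 23 10:15:31 app01 sshd[2188]: Failed password for root from 203.0.113.9 port 40122 ssh2
Apr 23 10:16:00 app01 CRON[2201]: pam_unix(cron:session): session opened for user www-data by (uid=0)
Apr 23 10:17:45 app01 sshd[2250]: Accepted password for root from 10.0.1.20 port 51200 ssh2
"""

LINE_RE = re.compile(r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
                     r"(?P<proc>[^:\[]+)(?:\[\d+\])?: (?P<msg>.*)$")
SUDO_RE = re.compile(r"^\s*(?P<actor>\S+) : .*USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$")
SSH_RE = re.compile(r"^(?P<result>Accepted|Failed) (?P<method>\S+) for "
                    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)")

SYSLOG_FACILITY_AUTHPRIV = 10    # RFC 5424 facility code
SEV_WARNING, SEV_NOTICE = 4, 5   # RFC 5424 severity codes


def extract_privileged_events(text):
    """Return the sudo invocations and root SSH login attempts found in text."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        proc, msg = m["proc"].strip(), m["msg"]
        base = {"ts": m["ts"], "host": m["host"]}
        if proc == "sudo":
            s = SUDO_RE.match(msg)
            if s:
                events.append({**base, "kind": "sudo", "actor": s["actor"],
                               "target": s["target"], "detail": s["cmd"],
                               "severity": SEV_NOTICE})
        elif proc == "sshd":
            s = SSH_RE.match(msg)
            if s and s["user"] == "root":
                failed = s["result"] == "Failed"
                events.append({**base, "kind": "ssh-root", "actor": s["src"],
                               "target": "root",
                               "detail": f'{s["result"]} {s["method"]}',
                               "severity": SEV_WARNING if failed else SEV_NOTICE})
    return events


def _sd_escape(value):
    """Escape the three characters RFC 5424 forbids unescaped in a PARAM-VALUE."""
    return value.replace("\\", "\\\\").replace('"', '\\"').replace("]", "\\]")


def to_syslog(event, year=2017, app_name="privaudit"):
    """Render one event as an RFC 5424 message for the remote collector."""
    pri = SYSLOG_FACILITY_AUTHPRIV * 8 + event["severity"]
    # auth.log timestamps carry no year; the caller supplies it.
    when = datetime.strptime(f'{year} {event["ts"]}', "%Y %b %d %H:%M:%S")
    stamp = when.replace(tzinfo=timezone.utc).isoformat().replace("+00:00", "Z")
    sd = (f'[priv@32473 kind="{_sd_escape(event["kind"])}" '
          f'actor="{_sd_escape(event["actor"])}" target="{_sd_escape(event["target"])}"]')
    return f'<{pri}>1 {stamp} {event["host"]} {app_name} - - {sd} {event["detail"]}'


def render_all(text=SAMPLE_AUTH_LOG):
    """Convenience: all privileged events in text as syslog lines."""
    return [to_syslog(e) for e in extract_privileged_events(text)]
```

The structured-data block carries the who/what fields as parameters rather than burying them in free text, so the central system can alert on them directly; the failed root login is rendered at warning severity, the successful one and the sudo use at notice.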
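
The Host integrity entry above lists file integrity monitoring among the controls, with OSSEC as a resource. The following added example (not Penn's code and not OSSEC) shows the core of that technique using only Python's standard library: record a baseline of SHA-256 digests, permission bits and sizes for every regular file under a directory, then compare a later snapshot against it to report added, removed and changed files. The demo() function builds a throwaway directory with constructed files, so the sample paths and contents are assumptions; a real deployment keeps the baseline off-host and sends differences to the central log.

```python
import hashlib
import tempfile
from pathlib import Path


def hash_file(path: Path) -> str:
    """SHA-256 of a file, read in chunks so large files are not loaded whole."""
    h = hashlib.sha256()
    with open(path, "rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def build_baseline(root) -> dict:
    """Map each regular file (relative POSIX path) to its digest, mode bits and size."""
    root = Path(root)
    baseline = {}
    for path in sorted(root.rglob("*")):
        # Symlinks are skipped so a link cannot stand in for the file it points at.
        if path.is_symlink() or not path.is_file():
            continue
        st = path.stat()
        baseline[path.relative_to(root).as_posix()] = {
            "sha256": hash_file(path),
            "mode": st.st_mode & 0o7777,   # permission plus setuid/setgid/sticky bits
            "size": st.st_size,
        }
    return baseline


def compare_baseline(old: dict, new: dict) -> dict:
    """Report what differs between two snapshots; a change in any field counts."""
    old_keys, new_keys = set(old), set(new)
    return {
        "added": sorted(new_keys - old_keys),
        "removed": sorted(old_keys - new_keys),
        "changed": sorted(k for k in old_keys & new_keys if old[k] != new[k]),
    }


def demo() -> dict:
    """Build a constructed tree, take a baseline, alter it, and return the report."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "etc").mkdir()
        (root / "etc" / "passwd").write_text("root:x:0:0:root:/root:/bin/sh\n")
        (root / "etc" / "sshd_config").write_text("PermitRootLogin no\n")
        (root / "bin").mkdir()
        (root / "bin" / "tool").write_bytes(b"\x7fELF-placeholder")
        baseline = build_baseline(root)

        # Simulated changes between two scans: a config weakened, a binary
        # given the setuid bit, a new file added and a file removed.
        (root / "etc" / "sshd_config").write_text("PermitRootLogin yes\n")
        (root / "bin" / "tool").chmod(0o4755)
        (root / "etc" / "cron.hourly.conf").write_text("# constructed new file\n")
        (root / "etc" / "passwd").unlink()
        return compare_baseline(baseline, build_baseline(root))


if __name__ == "__main__":
    print(demo())
```

Comparing mode bits as well as content is what catches the setuid change on bin/tool, whose bytes are untouched; a digest-only monitor would miss it.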

 


Information Systems and Computing
University of Pennsylvania