1 / 26

PolyU IT Security Policy

PolyU IT Security Policy. PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology Services office. PolyU Systems Security Policy. Importance of IT Security Recommendation from auditors PolyU Systems Security Policy by ITS

tea
Download Presentation

PolyU IT Security Policy

An Image/Link below is provided (as is) to download presentation Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author. Content is provided to you AS IS for your information and personal use only. Download presentation by click this link. While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server. During download, if you can't get a presentation, the file might be deleted by the publisher.

E N D

Presentation Transcript

  1. PolyU IT Security Policy PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology Services office

  2. PolyU Systems Security Policy • Importance of IT Security • Recommendation from auditors • PolyU Systems Security Policy by ITS • Endorsement of the Policy by ITSC • Policy and Guidelines on Web

  3. PolyU Systems Security Policy • Physical Security • Campus Network and Internet Security • Operating System Security • Application System Security • Personal Computer Security • Backup and Recovery

  4. Physical Security • Equipment housed in safe environment • Access control to computer room • Equipment installed in open areas should be attended or fixed

  5. Physical Security (Cont’d) • Proper electrical power protection should be employed, e.g. surge protector, UPS • Food, liquid or powdery substances should be keep away from equipment • University’s health and safety requirements should be observed

  6. Campus Network and Internet Security • Security procedures against intrusion should be implemented and maintained • Network management and security monitoring should be performed • Security control mechanisms should be documented

  7. Campus Network and Internet Security (Cont’d) • Proper protection mechanisms should be implemented • Non PolyU equipment and external links should not be connected to campus network • HARNET Acceptable Use Policy should be observed (URL: http://www.jucc.edu.hk/jucc/haup.htm)

  8. Operating Systems Security • Update list of system administrators • Scanning programs to detect security bugs • Latest system and security patches should be adopted • All accounts should be protected by ‘good’ password and changed regularly

  9. Operating Systems Security (Cont’d) • Passwords should not be disclosed to others • Passwords should not be stored or transmitted in plain text form • Users should report security violation to system administrator • Accounting, auditing and logging facilities should be adopted for audit trails

  10. Application Systems Security • System owner must determine security level required for various kinds of data • Only authorised users are allowed to access system and data • Production data or files must only be used on production systems

  11. Application Systems Security (Cont’d) • Confidential data should be protected by passwords • Passwords should not be written down or shared with others, standards on password length, format and frequency of change should be enforced • Effective data encryption techniques should be used for storing highly confidential information

  12. Application Systems Security (Cont’d) • Changes to production programs should be authorised, controlled and recorded, timestamps, logs and audit trails must be employed • Software developers must not access production data without prior approval of system owners

  13. Personal Computer Security • Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only • Data and programs should be backed up regularly

  14. Personal Computer Security (Cont’d) • Preventive and detective measures should be enforced to minimise damages caused by computer viruses • Only licensed software should be used • Security problems should be reported to system administrators promptly

  15. Backup and Recovery • System owners must determine their backup requirements • Backup and restoration should be performed by authorised personnel only • Backed up should be performed periodically on a transportable media and stored appropriately (onsite or offsite)

  16. Backup and Recovery (Cont’d) • Backup and restoration procedures should be test and review regularly • Disaster Recovery Plan for mission critical systems should be in place and periodical drilling is required

  17. IT Security Guidelines • Physical Security • Campus Network and Internet Security • Firewall Security • Remote Access Security • Proxy Server Security • Personal Computer Security

  18. IT Security Guidelines (Cont’d) • UNIX System Security • Web Server Security • Novell NetWare and GroupWise Systems Security • Student Computing Cluster Security • E-mail System Security • PolyU Administrative Computer Systems Security

  19. Recommendations of Auditor Establish the Internet/Intranet Security Policy with the following contents: • What services are allowed • User access and privileges • Policies for managing web pages • Procedures for ensuring no alternate access paths to Internet • University’s response to security violation • User signing internet usage agreement

  20. Recommendations of Auditor (Cont’d) Establish the Internet/Intranet Security Policy with the following contents (cont’d): • Enforcing password requirements • Management of increased network traffic resulting from Internet use • Hardware, software and client applications • Client configuration • Frequency of security audit • Independent internet assessment

  21. Recommendations of Auditor (Cont’d) Establish Security Procedures for: • Granting of users’ access rights • Monitoring of users with administrative rights on IS • Guidelines on data encryption • Computer security policy training and distribution

  22. Recommendations of Auditor (Cont’d) Establish Security Procedures for: • Virus protection policy • Promote proper usage of internet • Sharing of user accounts • User accounts housekeeping • Utilizing networking scanning tools • E-mail virus protection

  23. Recommendations of Auditor (Cont’d) Establish Security Procedures for: • Door-entry control system • Automatic directory listing • Banners • Vulnerable services • World-writeable files • System logging

  24. Some Security Tips • Always apply security patch on OS and service • Remove unnecessary services • Review and change default settings • Implement a personal firewall • Apply encryption on sensitive data • Enable auditing & review log

  25. Thank you!

More Related