Proposed UW Minimum Computer Security Standards From C&C 28 Jan 2005 Draft

Background
• 80K computers, plus more used from outside
• Compromised computers threat to neighbors and any other connected computers
• Computing devices must be managed in order to be allowed access to network and network services

Goals
• Prevent computing devices from:
  • being accessed or used by unauthorized entities
  • causing harm to other computers at UW or elsewhere
  • causing harm to UW network or other networks
• Nongoal: information security
  • to be standardized later

Applicability
• Device is:
  • owned by UW
  • directly connected to UW network
  • accessing UW network via:
    • UW dial-in
    • wireless access point attached to UW network
    • VPN connection, if effectively part of UW network
• Audience: sys admins and computer owners

Minimum Standards by Type
• Devices must not be attached to network:
  • unless protected by a firewall or properly managed
• Types:
  • servers, desktops and laptops
  • PDAs and smartphones
  • office machines
  • specialized computing equipment
  • firewalls
• Exemptions: intrusion detection, security research

Servers, Desktops, Laptops
• Control access:
  • via good passwords
  • optionally, secure tokens
• Disable/block all unnecessary network services
  • Servers: allow only traffic essential for services
  • Desktop/laptop: block unsolicited connections
• Use only operating systems for which security updates are readily available, or put behind firewall

Servers, Desktops, Laptops (cont)
• Enable auto-patching if provided, or provide other configuration management
• Install security updates for applications, too
• Don’t install software which grants unauthorized users access to non-public data
• Counteract malicious software via:
  • antiviral programs
  • spyware removal programs
  • etc.
• Enable logging, and periodically review logs

PDAs and Smartphones
• As viruses and worms become more commonplace, since no other method available:
  • keep up with security bulletins
  • update as needed

Office Machines
• Printers, copiers and fax machines on network may have software faults that allow compromise or can cause damage
• Auto-patching and use of integral firewalls may not be an option
• May be difficult to detect when compromised, but when detected:
  • remove from network until repaired or
  • put behind firewall

Specialized Computing Equipment
• PI or unit head is responsible
• Still must be protected from attack or exploit
• May require external security appliances (e.g. firewalls and VPN)

Security Audits
• All devices covered by standard are subject to audit at any time; cooperation is “expected”
• Periodic reviews by UW Internal Audits; includes:
  • interviews and inspection of documents showing adherence to procedures
  • technical means such as vulnerability scans
• Examine not only min standards, but info security standards and best practices
  • others besides those responsible must conduct reviews
• Departments expected to conduct periodic reviews

Consequences
• Noncompliant devices disconnected
• Responsible parties may be subject to reconnection fee
• Disconnection could be automatic or from a manual intervention
• PASS Council may take action if multiple incidents or willful disregard