July 12, 2009
A. General. The primary objectives of the standards for University of Idaho networked computing devices are to:
(1) Sustain the integrity and reliability of the UI network and attached components
(2) Ensure timely and reliable access to and use of data and information technology resources
(3) Safeguard the information for authorized uses only and observe the rights of ownership associated with intellectual property (e.g., copyright, trademarks, patents licenses, etc.) [rev. 7-09]
(4) Assure the reliability and integrity of data by logging a record of unauthorized or inadvertent modification or deletion of facts
(5) Preserve information resources for authorized use and prevent the malicious use of information resources
B-1. Standards. The following minimum standards are required at all locations for devices connecting to the University of Idaho network:
(1) Device Registration – All networked devices must be registered with UI’s Network Management System (NMS) through the Information Technology Services Help Desk or approved department/college system administrator (SysAd). This includes all computers, laptops, tablets, PDAs, etc. At a minimum, the device’s unique network address (MAC address), departmental/college affiliation (domain), and the device owner’s e-mail address must be supplied.
(2) Software Security Patches/Updates - Campus networked computing devices must run software (operating system and applications) for which security patches are made available in a timely fashion. They must have all currently available security patches installed. Where applicable, the software also must be configured to automatically check for and install all security-related patches. Preferably, this would happen on a daily basis. [ed. 7-09]
(3) Anti-virus Software - Anti-virus software for any particular type of computer must be running and up-to-date on every level of computing device, including clients, file servers, e-mail servers, and other types of campus networked devices. [ed. 7-09]
(4) Host-based Firewall Software - Host-based firewall software included with the operating system (i.e., Windows XP, OS X, Linux, etc.) for any particular type of device currently used must be running and properly configured on every level of device, including clients, file servers, mail servers, and other types of campus networked devices (in accordance with the "Recommended Firewall Configuration" guidelines that are forthcoming). While the use of network access-control lists (ACLs) are encouraged, they do not necessarily obviate the need for host-based firewalls.
(5) Passwords - Please see APM 30.15 - UI Password/Passphrase Policy. [rev. 7-09]
(6) No Unencrypted Authentication - Unencrypted device authentication mechanisms are only as secure as the network upon which they are used. Some programs may allow traffic across the UI network to be surreptitiously monitored, rendering these authentication mechanisms vulnerable to compromise. Therefore, all networked devices must use only encrypted authentication.
In particular, historically insecure services such as Telnet, FTP, SNMP, POP, and IMAP must be replaced by their encrypted equivalents.
Traffic for one-time password authentication systems is exempted from this encryption requirement, because its exposure does not compromise the integrity of the underlying authentication system.
(7) No Unauthenticated Email Relays - Campus devices must not provide an active SMTP service which allows unauthorized third parties to relay e-mail messages (i.e., to process an e-mail message where neither the sender nor the recipient is a local user). Before transmitting e-mail to a non-local address, the sender must authenticate with the SMTP service. Authenticating the machine (e.g., IP address/domain name) rather than the sender is not sufficient to meet this standard. [ed. 7-09]
(8) No Unauthenticated Proxy Services - Although properly configured unauthenticated proxy servers may be used for valid purposes, such services commonly exist only as a result of inappropriate device configuration. Unauthenticated proxy servers may enable an attacker to execute malicious programs on the server in the context of an anonymous user account. Therefore, unless an unauthenticated proxy server has been reviewed and approved by the Information Technology Security Committee and the IT Information Technology Security Officer as to configuration and appropriate use, such a device is not allowed on the campus network. [rev. 7-09]
In particular, software program default settings in which proxy servers are automatically enabled must be identified by the system administrator and re-configured to prevent unauthenticated proxy services.
(9) Physical Security - Unauthorized physical access to an unattended device can result in harmful or fraudulent modification of data, fraudulent e-mail use, theft, or any number of other potentially dangerous situations. In light of this, where possible and appropriate, devices must be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes. If computers are high-valued and/or are used for the processing of security-sensitive data (including but not limited to research subject to security requirements and personally identifiable information), additional and more effective physical security shall be installed. In addition to lock-down devices, physical security may include monitoring devices such as cameras and card-swipe door locks. Departments and divisions are responsible for reviewing the physical security of areas where work with sensitive data occurs and appropriately securing access, hardware and software. [rev. 7-09]
(10) Unnecessary Services - If a service is not necessary for the intended purpose or operation of the device, that service shall not be running (i.e., file/print sharing, SMTP, SNMP, telnet, etc.)
B-2. Exceptions. Any department or individual may request an exception to these standards, for a limited time, by submitting in writing the following information to the UI Chief Information Officer (CIO):
- Requester’s Name
- Date of Request
- Policy Line Number
- Rationale and time period for which exception is requested
- Steps to be taken to mitigate security risks
The CIO will consult with the Financial Vice President and/or Provost, as necessary, prior to making a decision on the request. The CIO will notify the Requester of the final decision and document any special terms/conditions. [rev. 7-09]
C. Review. These standards and all exceptions are to be reviewed at least annually by the appropriate UI IT steering group(s) in consultation with the CIO.
D. Compliance. ITS will advise appropriate unit management and the office of Risk Management of any non-compliance with this policy. The unit management shall be responsible for following up with any non-compliance and shall initiate disciplinary action for such non-compliance, where appropriate. [ed. 7-09]