Access to UFIT resources must be restricted to authorized methods. Facilities must be established to identify who was using any node on the network and when they were doing so. Access methods must be sanctioned by the Level 2 Unit ISM. Access must be logged and each log entry must include user identification, network address, hardware address, and an accurate time stamp. Logs must be regularly reviewed for anomalies including unauthorized access. Access logs must be retained for at least three years unless required by law to be retained longer.
Units must establish and document criteria for issuing and revoking accounts used for access. Each UF and subsidiary unit must establish policy and procedures regarding guest access. The unit policy must describe minimum authentication requirements, including password restrictions where applicable.
Network Security Standard
Nodes, services and individuals shall not have network exposure and visibility beyond that which is necessary for their intended functions. Similar IT resources should be logically aggregated to facilitate network security zone management. In cases where network firewalls are used, they must be documented and coordinated with Network Services.
UF and applicable subsidiary Level 2 Unit ISMs will coordinate and document the establishment of all external network connections for their unit with Network Services. As every external network connection is potentially an entry point for intruders, Level 2 Unit ISMs must document all external network connections in their unit, including modems.
Only network access locations designated by the UF and Level 2 Unit ISM may be used by personally managed IT resources. UF and Level 2 Unit ISMs are responsible for all network access locations used by personally managed IT resources, but are not responsible for the resources themselves. UF and Level 2 Unit ISMs have the responsibility to identify a user connected to a given port at any given time. UFand Level 2 Unit ISMs must be able to instigate disruption of service to the user and/or address. UF and Level 2 Unit ISMs also have the responsibility to coordinate notification to the user and ensure that the incident is resolved. For units that do not provide their own network service, their service provider must provide the functionality described above.
Network access for personally managed IT resources should be more restricted than network access for professionally managed IT resources. Possible restrictions include:
- WIPA authentication where possible.
- A VLAN separate from the professionally managed machines.
- Restriction to private IP only.
- Incoming and outgoing network firewalls or access control lists to prevent commonly exploited network services.
- Restrictions that prevent external hosts from initiating connections.
Node Security Standard
Before connecting to the UF network, devices managed by UF IT workers must:
- Have a clearly defined UF purpose and intended user base.
- Be protected during the installation process by some combination of restricted network access, specific ACLs, private IP, or off-line installation (Best Practices for Secure Installation).
- Be operated and secured appropriately for its specified network zone.
- Have appropriate access restrictions, including but not limited to physical, ACL, firewall, authentication, authorization restrictions, screen locks, and inactivity timeouts. Network restrictions must allow access to the UF security scanner.
- Be on private IP, unless public IP is required.*
- Be at current patch levels.*
- Have current anti-malware protection.*
- Have a specific individual designated as manager.
- Be documented for recreating the system.*
- Be documented for operating the system and troubleshooting.*
- Have alerting and/or logging for security-related events or patterns where appropriate.
- Be reviewed for security-related events or patterns with a frequency appropriate to the system.
- Run only the services necessary to support its function.
- Run only software necessary to support its function.*
- Be monitored for proper system operation where appropriate.*
- Provide system facilities to allow users to secure their data.*
- Have been scanned for vulnerabilities within the last 3 months.
- Comply with appropriate Software Security Standard(s).
- Comply with appropriate Data Security Standard(s).
- Have defined power and backup power requirements where appropriate.*
- Have defined heat generation data where appropriate.*
- Not have trust relationships beyond those required for proper function. Where needed, trust relationships should be based on secure cryptographic methods (e.g., SSH public keys or SSL certificates), and not on IP numbers or domain names alone.*
- Be synchronized with an accurate time server.*
* This standard recognizes that there is more than one way to secure a device. Alternative methods to secure a device may be used where it is not possible to implement this standard or it interferes with proper device function. In addition, production servers must:
- Be located in physically secure space approved by the Level 2 Unit ISM and ISA for production servers.
- Be routinely backed up, use off-site backup storage, and document restoration testing as appropriate.
Associates that manage hosts on the UF network must be informed of, and sign an agreement to comply with, appropriate UF policies, standards, and procedures. The Level 2 Unit ISM must maintain contact information for all business associates managing hosts in their unit. Requests for exceptions must be submitted in writing by the Level 2 Unit ISM to ITAC-ISM. ITAC-ISM will make a recommendation regarding the request to the UF ISA. The UF ISA will respond to all requests for exceptions in writing.
Associates that maintain hosts connected to the UF network are encouraged to use private IP and should access their host through a UFmanaged secure tunnel provided by Network Services or the unit. Network Services can restrict access to hosts managed by business associates, but access controls should also be applied on such hosts and the local network. Secure encrypted authentication and communication such as SSH or SSL is encouraged. If passwords are transmitted from business associates to resources on the UF network using clear text protocols, those passwords must be single-use passwords.
It is the responsibility of the Level2 Unit ISA to ensure that all software provided by the unit is properly licensed. Level 2 Unit ISMs must ensure that users in their units are properly informed of their responsibilities regarding legal use of software. The Level 2 Unit ISM has the responsibility to request the removal of software that does not comply with licensing agreements or copyright law, but it is the responsibility of the user to comply with licensing agreements and copyright law as defined in the UF Acceptable Use Policy. UF IT workers must be aware of and comply with applicable laws and policies regarding their use of software on IT resources they manage. All software systems must be as robust against unauthorized use or attack as is possible consistent with providing necessary services. A means for scanning every IT resource for invasive or malicious software must be provided. The Level 2 Unit ISA has the authority and responsibility to ensure an appropriate level of security of computer applications developed at or intended for use at the University of Florida for processing financial data, student data, health data, mission critical data, intellectual property or any other data that is Sensitive and Critical. This applies to the development process as well as to the deployment process. It is particularly critical for network applications. Unless the Level 2 Unit ISA has instituted alternative guidelines, it is incumbent upon the developer to demonstrate to the Level 2 Unit ISM that they follow secure application development procedures described in UF Procedures to Develop Applications for Secure Deployment. Security must be considered throughout the coding life cycle including design, implementation, testing, auditing and improvement. A secure application:
- Is auditable, both in source code and in actual use.
- Has its design and implementation reviewed by experienced practitioners.
- Does not rely on just one layer of security.
- Has been tested against malicious usage and in general, follows UF Procedures to Develop Applications for Secure Deployment.
Changes to IT resources must be planned, documented and announced to the appropriate audience. The planning must consider the impact on confidentiality, integrity, availability, recoverability and auditability.