University of Connecticut

Security Best Practices

To help everyone at the University understand Information Security best practices, the following guidelines are presented. Keep in mind that a computer connected to the UConn network is directly reachable from the public Internet, so these precautions must be followed to keep your system protected from attack. For official State of Connecticut and University of Connecticut policy, visit the IT Policy web site, which also contains additional guidelines, standards, and recommendations.

1. Install and maintain a firewall to limit access to systems storing Protected or Confidential data

  • Restrict inbound and outbound traffic to systems storing Protected or Confidential data to only those systems and services necessary for performing University business
  • Build a firewall configuration that restricts connections between untrusted networks (the University’s wired and wireless networks and the internet) and systems storing Protected or Confidential data
  • Periodically review firewall rules and update as people and infrastructure change
  • Deploy host-based firewalls on any system accessing Protected or Confidential data
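As an added example (not part of the UConn page), here is a small Python review script for the "periodically review firewall rules" step. It checks an iptables-save dump against the principles above: every chain's default policy must be DROP, and every ACCEPT rule must name a peer address and a destination port. The ruleset embedded below is constructed for the demonstration, and the exemptions for loopback and already-established connections are an assumption about what every host needs.

```python
"""Review an iptables-save style ruleset for a host holding Protected or
Confidential data: default policies must be DROP and every ACCEPT must
name both a peer address and a destination port.  Added example; the
sample ruleset is constructed, not a real host's configuration."""
import re

# Constructed sample in iptables-save format.  Three problems are planted:
# OUTPUT defaults to ACCEPT, port 8080 is open to the world, and one host
# is allowed in on every port.
SAMPLE_RULES = """\
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -s 10.20.0.0/24 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s 10.30.5.0/24 -p tcp -m tcp --dport 5432 -j ACCEPT
-A INPUT -p tcp -m tcp --dport 8080 -j ACCEPT
-A INPUT -s 10.40.0.7/32 -j ACCEPT
COMMIT
"""

CHAIN_RE = re.compile(r"^:(\w+)\s+(\w+)\s")
RULE_RE = re.compile(r"^-A\s+(\w+)\s+(.*)\s-j\s+(\w+)\s*$")


def _option(args, flag):
    """Return the value following `flag` in a rule's arguments, or None."""
    m = re.search(r"(?:^|\s)" + re.escape(flag) + r"\s+(\S+)", args)
    return m.group(1) if m else None


def review_rules(text):
    """Return a list of findings (strings) for iptables-save text.

    Findings raised:
      * INPUT/FORWARD/OUTPUT chain policy is not DROP
      * ACCEPT rule with no source (INPUT) / destination (OUTPUT) address,
        an address of /0, or no destination port
    Loopback and ESTABLISHED,RELATED rules are exempt (assumption: every
    host needs them).
    """
    findings = []
    for line in text.splitlines():
        cm = CHAIN_RE.match(line)
        if cm:
            chain, policy = cm.groups()
            if chain in ("INPUT", "FORWARD", "OUTPUT") and policy != "DROP":
                findings.append(f"{chain}: default policy is {policy}, expected DROP")
            continue
        rm = RULE_RE.match(line)
        if not rm or rm.group(3) != "ACCEPT":
            continue
        chain, args, _ = rm.groups()
        if "-i lo" in args or "ESTABLISHED" in args:
            continue
        peer = _option(args, "-s") if chain == "INPUT" else _option(args, "-d")
        if peer is None or peer.endswith("/0"):
            findings.append(f"{chain}: '{line}' accepts from any address")
        if _option(args, "--dport") is None:
            findings.append(f"{chain}: '{line}' accepts any port")
    return findings


if __name__ == "__main__":
    for finding in review_rules(SAMPLE_RULES):
        print("FINDING:", finding)
```

To review a live host, feed it the output of `iptables-save` instead of the constructed constant; the same three checks apply to nftables rulesets, only the parsing differs.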


2. Change default configurations and passwords

  • Disable all unnecessary functionality, such as applications, servers, services, protocols, drivers, scripts, features, and accounts
  • Implement only one primary function per server
  • Develop configuration standards for all system components consistent with industry best practices


3. Properly secure Protected and Confidential data

  • Keep storage of Protected and Confidential data to a minimum
  • Mask, redact, or remove any Protected or Confidential data which is not necessary to perform University business
  • Use file-level encryption to secure Protected or Confidential data. Ensure that strong, open (publicly reviewed) encryption standards such as AES are employed, that encryption keys are restricted to the fewest individuals possible, and that secure backups of the data exist
  • Encrypt data in transit using TLS or IPsec; the older SSL protocol versions are obsolete and should be disabled
  • Never store Protected or Confidential data on systems which are publicly available to untrusted networks (such as web servers), even if the data is not readily available to the public


4. Use file monitoring and protection software

  • Deploy antivirus software on systems storing or accessing Protected or Confidential data and ensure it is configured to update automatically and remove threats in real time
  • Deploy file integrity monitoring software on systems storing Protected or Confidential data
  • Ensure that security software is configured to audit and log malicious activity and to send automatic notifications of unexpected events


5. Develop and maintain secure systems and applications

  • Ensure that all systems and applications have the latest vendor-supplied security patches installed. Install ongoing security patches on a pre-determined schedule
  • Develop web applications using OWASP best practices (http://www.owasp.org/)
  • Test all configurations and applications using an automated vulnerability scanner
  • Perform scanning each time patches are applied or configurations change
  • Separate development and test environments from production environments
  • Don’t use actual Protected or Confidential data on development or test systems


6. Restrict access to systems and data by business need-to-know

  • Limit access to systems storing Protected or Confidential data to only those individuals whose job requires such access
  • Implement a default deny-all setting for access control systems, with explicit permission granted only to the users and groups/roles requiring access
  • Use role-based access control


7. Assign unique IDs to each person with access to Protected or Confidential data

  • Never use group, shared, or generic accounts and passwords
  • Require a minimum password length of 8 characters, containing both numeric and alphabetic characters, for all accounts with access to Protected or Confidential data
  • Require users to change their password upon first use and every 90 days
  • Do not allow any of the previous 5 passwords to be reused as a new password
  • Limit repeated access attempts by locking out user IDs after not more than six failed attempts
  • Remove or disable inactive user accounts at least every 90 days
  • Immediately revoke access for terminated users
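The account controls in this section map directly onto a small amount of logic, shown here as an added Python example (not UConn code): a complexity check, a history of the last 5 password hashes so reuse can be refused without keeping old passwords in clear, expiry after 90 days, change-on-first-use, and lockout on the sixth failed attempt. The user name, dates and passwords in `demo()` are constructed.

```python
"""Password and lockout policy from the bullets above.  Added example, not
UConn code; user, dates and passwords are constructed."""
import hashlib
import hmac
import os
from datetime import datetime, timedelta

MIN_LENGTH = 8
HISTORY = 5
MAX_AGE = timedelta(days=90)
MAX_FAILURES = 6
# Kept low so the demo runs quickly; OWASP's current guidance for
# PBKDF2-HMAC-SHA256 is 600,000 iterations.
ITERATIONS = 100_000


def _hash(password, salt):
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)


def meets_complexity(password):
    """Length >= 8 with at least one letter and one digit."""
    return (len(password) >= MIN_LENGTH
            and any(c.isdigit() for c in password)
            and any(c.isalpha() for c in password))


class Account:
    def __init__(self, user, initial_password, now):
        self.user = user
        self.history = []        # (salt, hash) pairs, newest last
        self.failures = 0
        self.locked = False
        self.must_change = True  # change required on first use
        self.changed_at = now
        self._store(initial_password, now)

    def _store(self, password, now):
        salt = os.urandom(16)
        self.history.append((salt, _hash(password, salt)))
        self.history = self.history[-HISTORY:]  # keep only the last 5
        self.changed_at = now

    def _matches(self, password, entry):
        salt, digest = entry
        return hmac.compare_digest(_hash(password, salt), digest)

    def change_password(self, new_password, now):
        if not meets_complexity(new_password):
            return "rejected: complexity"
        if any(self._matches(new_password, e) for e in self.history):
            return "rejected: reused"
        self._store(new_password, now)
        self.must_change = False
        return "changed"

    def login(self, password, now):
        if self.locked:
            return "locked"  # stays locked until an administrator resets it
        if not self._matches(password, self.history[-1]):
            self.failures += 1
            if self.failures >= MAX_FAILURES:
                self.locked = True
                return "locked"
            return "denied"
        self.failures = 0
        if self.must_change or now - self.changed_at > MAX_AGE:
            return "change_required"
        return "ok"


def demo():
    """Walk one constructed account through the policy; returns the outcomes."""
    t0 = datetime(2024, 1, 1)
    acct = Account("jdoe", "Welcome1", t0)
    results = [
        acct.login("Welcome1", t0),                          # first use
        acct.change_password("short1", t0),                  # too short
        acct.change_password("Welcome1", t0),                # reuse
        acct.change_password("Spring2024x", t0),             # accepted
        acct.login("Spring2024x", t0 + timedelta(days=30)),  # fine
        acct.login("Spring2024x", t0 + timedelta(days=91)),  # expired
    ]
    results += [acct.login("wrong", t0) for _ in range(6)]   # 5 denied, then locked
    results.append(acct.login("Spring2024x", t0))            # still locked
    return results
```

The lockout is deliberately not time-based here; a real deployment also needs an unlock procedure and should log every lockout, since a burst of them across many accounts is a password-spraying indicator.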


8. Restrict physical access to Protected or Confidential data

  • Limit and monitor access to areas storing Protected or Confidential electronic data and physical records or media
  • Properly protect backup media
  • Properly dispose of media containing Protected or Confidential data: shred paper records, and securely wipe or physically destroy electronic media


9. Track and monitor all access to network resources and Protected and Confidential data

  • Enable auditing on systems storing Protected or Confidential data, including network-based access attempts, console-based log in attempts, and file-level access attempts
  • Synchronize system clocks with the University’s time server, time.uconn.edu
  • Secure audit trails so that they cannot be altered (for example, by forwarding them to a separate, access-restricted log server) and log any attempt to modify them
  • Periodically review audit logs to confirm that access to Protected or Confidential data was appropriate
  • Retain audit logs
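One concrete way to make an audit trail alteration-evident, as an added Python example that is not UConn code: each record carries an HMAC over its own fields and the previous record's tag, so editing, reordering or deleting a record breaks the chain when it is verified. The key, host name, user and timestamps are constructed. Two assumptions are worth stating: the key must be held by the log collector, not the audited host (a host that holds the key can forge its own trail), and truncation of the newest records is only detectable if the latest tag is also sent off-host, which `demo()` shows by design.

```python
"""Tamper-evident audit trail using an HMAC chain.  Added example, not
UConn code; key, user, host and timestamps are constructed."""
import hashlib
import hmac
import json

# Constructed key.  In production it lives on the log collector only.
KEY = b"example-audit-key-do-not-use"
GENESIS = "0" * 64


def _tag(key, record, prev_tag):
    """HMAC-SHA256 over the canonical record plus the previous tag."""
    msg = json.dumps(record, sort_keys=True).encode() + b"|" + prev_tag.encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def append_event(chain, key, **fields):
    """Append a record to the chain (a list of dicts) and return it."""
    prev_tag = chain[-1]["tag"] if chain else GENESIS
    record = {"seq": len(chain) + 1, **fields}
    record["tag"] = _tag(key, record, prev_tag)
    chain.append(record)
    return record


def verify_chain(chain, key):
    """Return (ok, first_bad_seq).  Fails on a bad tag or a sequence gap."""
    prev_tag = GENESIS
    for expected_seq, record in enumerate(chain, start=1):
        body = {k: v for k, v in record.items() if k != "tag"}
        if record.get("seq") != expected_seq:
            return False, expected_seq
        if not hmac.compare_digest(_tag(key, body, prev_tag), record["tag"]):
            return False, expected_seq
        prev_tag = record["tag"]
    return True, None


def demo():
    """Three-record trail, then three tampering attempts (constructed data)."""
    chain = []
    append_event(chain, KEY, ts="2024-03-01T10:00:00Z", user="jdoe",
                 action="login", host="db01")
    append_event(chain, KEY, ts="2024-03-01T10:02:13Z", user="jdoe",
                 action="read", path="/srv/protected/records.csv")
    append_event(chain, KEY, ts="2024-03-01T10:05:40Z", user="jdoe",
                 action="logout", host="db01")
    assert verify_chain(chain, KEY) == (True, None)

    edited = json.loads(json.dumps(chain))
    edited[1]["user"] = "nobody"       # rewrite who read the file
    deleted = chain[:1] + chain[2:]    # drop the read event entirely
    truncated = chain[:2]              # cut the trail after record 2
    return {
        "edited": verify_chain(edited, KEY),
        "deleted": verify_chain(deleted, KEY),
        "truncated": verify_chain(truncated, KEY),   # passes: needs an off-host anchor
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: ok={result[0]} first_bad_seq={result[1]}")
```

This complements, rather than replaces, shipping logs to a central collector: the chain tells a reviewer that what arrived is intact, and the collector's copy of the latest tag closes the truncation gap.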


10. Regularly test security systems and processes

  • Perform periodic automated system vulnerability scans
  • Perform periodic automated web application vulnerability scans


11. Ensure that confidentiality agreements are in place with all external parties who access Protected or Confidential data

  • Ensure that all vendors and external parties with access to Protected and Confidential data understand the University’s protection requirements and agree to implement controls to comply with the requirements
  • Restrict what Protected and Confidential data is moved or copied to external parties' systems
  • Restrict access to University systems and data to only what is necessary to perform the business function
  • Explicitly allow access to Protected and Confidential data and remove when no longer needed
  • Require external parties to notify the University if they suffer a security breach