Title: PolyU IT Security Policy
1. PolyU IT Security Policy
- PolyU IT/Computer Systems Security Policy (SSP)
- By Ken Chung, Senior Computing Officer, Information Technology Services Office
2. PolyU Systems Security Policy
- Importance of IT Security
- Recommendation from auditors
- PolyU Systems Security Policy by ITS
- Endorsement of the Policy by ITSC
- Policy and Guidelines on Web
4. PolyU Systems Security Policy
- Physical Security
- Campus Network and Internet Security
- Operating System Security
- Application System Security
- Personal Computer Security
- Backup and Recovery
5. Physical Security
- Equipment housed in safe environment
- Access control to computer room
- Equipment installed in open areas should be attended or fixed
6. Physical Security (Cont'd)
- Proper electrical power protection should be employed, e.g. surge protector, UPS
- Food, liquid or powdery substances should be kept away from equipment
- University's health and safety requirements should be observed
7. Campus Network and Internet Security
- Security procedures against intrusion should be implemented and maintained
- Network management and security monitoring should be performed
- Security control mechanisms should be documented
8. Campus Network and Internet Security (Cont'd)
- Proper protection mechanisms should be implemented
- Non-PolyU equipment and external links should not be connected to campus network
- HARNET Acceptable Use Policy should be observed (URL: http://www.jucc.edu.hk/jucc/haup.htm)
9. Operating Systems Security
- Update list of system administrators
- Scanning programs to detect security bugs
- Latest system and security patches should be adopted
- All accounts should be protected by good password and changed regularly
10. Operating Systems Security (Cont'd)
- Passwords should not be disclosed to others
- Passwords should not be stored or transmitted in plain text form
- Users should report security violation to system administrator
- Accounting, auditing and logging facilities should be adopted for audit trails
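The "not stored in plain text" requirement on this slide is usually met by keeping only a salted, slow password hash. The following is an added illustration, not code from the PolyU policy or from ITS: it builds a small in-memory account store (the store layout, the `scrypt$salt$digest` record format and the cost parameters are assumptions chosen for the example) so that the plain password never lands on disk and verification compares hashes in constant time.

```python
import hashlib
import hmac
import os
from typing import Dict, Optional

# Assumed cost parameters for the example; production deployments tune these
# to their hardware. Memory use is 128 * n * r bytes (16 MiB here).
SCRYPT_N = 2 ** 14
SCRYPT_R = 8
SCRYPT_P = 1
SALT_BYTES = 16
DIGEST_BYTES = 32


def hash_password(password: str, salt: Optional[bytes] = None) -> str:
    """Return a record 'scrypt$<hex salt>$<hex digest>'. The password itself is never kept."""
    salt = os.urandom(SALT_BYTES) if salt is None else salt
    digest = hashlib.scrypt(
        password.encode("utf-8"), salt=salt,
        n=SCRYPT_N, r=SCRYPT_R, p=SCRYPT_P, dklen=DIGEST_BYTES,
    )
    return f"scrypt${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest with the stored salt and compare without leaking timing."""
    try:
        scheme, salt_hex, digest_hex = stored.split("$")
    except ValueError:
        return False
    if scheme != "scrypt":
        return False
    candidate = hash_password(password, bytes.fromhex(salt_hex))
    return hmac.compare_digest(candidate.split("$")[2], digest_hex)


def build_account_store(accounts: Dict[str, str]) -> Dict[str, str]:
    """Constructed account store: maps user name to its hashed record only."""
    return {user: hash_password(pw) for user, pw in accounts.items()}


def authenticate(store: Dict[str, str], user: str, password: str) -> bool:
    """Check a login attempt against the store of hashed records."""
    stored = store.get(user)
    if stored is None:
        # Still do the expensive hash so an unknown user name is not
        # distinguishable from a wrong password by response time.
        hash_password(password)
        return False
    return verify_password(password, stored)


if __name__ == "__main__":
    # Constructed sample accounts for the demonstration.
    store = build_account_store({"alice": "correct horse battery", "bob": "hunter2"})
    for user, record in store.items():
        print(user, record)
    print("alice ok:", authenticate(store, "alice", "correct horse battery"))
    print("alice wrong:", authenticate(store, "alice", "hunter3"))
```

Two hashes of the same password differ because each record carries its own random salt, so a leaked store cannot be attacked with one precomputed table for all users.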
11. Application Systems Security
- System owner must determine security level required for various kinds of data
- Only authorised users are allowed to access system and data
- Production data or files must only be used on production systems
12. Application Systems Security (Cont'd)
- Confidential data should be protected by passwords
- Passwords should not be written down or shared with others; standards on password length, format and frequency of change should be enforced
- Effective data encryption techniques should be used for storing highly confidential information
13. Application Systems Security (Cont'd)
- Changes to production programs should be authorised, controlled and recorded; timestamps, logs and audit trails must be employed
- Software developers must not access production data without prior approval of system owners
14. Personal Computer Security
- Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only
- Data and programs should be backed up regularly
15. Personal Computer Security (Cont'd)
- Preventive and detective measures should be enforced to minimise damages caused by computer viruses
- Only licensed software should be used
- Security problems should be reported to system administrators promptly
16. Backup and Recovery
- System owners must determine their backup requirements
- Backup and restoration should be performed by authorised personnel only
- Backups should be performed periodically onto transportable media and stored appropriately (onsite or offsite)
17. Backup and Recovery (Cont'd)
- Backup and restoration procedures should be tested and reviewed regularly
- Disaster Recovery Plan for mission critical systems should be in place and periodic drills are required
18. IT Security Guidelines
- Physical Security
- Campus Network and Internet Security
- Firewall Security
- Remote Access Security
- Proxy Server Security
- Personal Computer Security
19. IT Security Guidelines (Cont'd)
- UNIX System Security
- Web Server Security
- Novell NetWare and GroupWise Systems Security
- Student Computing Cluster Security
- E-mail System Security
- PolyU Administrative Computer Systems Security
20. Recommendations of Auditor
- Establish the Internet/Intranet Security Policy with the following contents:
  - What services are allowed
  - User access and privileges
  - Policies for managing web pages
  - Procedures for ensuring no alternate access paths to Internet
  - University's response to security violation
  - User signing internet usage agreement
21. Recommendations of Auditor (Cont'd)
- Establish the Internet/Intranet Security Policy with the following contents (cont'd):
  - Enforcing password requirements
  - Management of increased network traffic resulting from Internet use
  - Hardware, software and client applications
  - Client configuration
  - Frequency of security audit
  - Independent internet assessment
22. Recommendations of Auditor (Cont'd)
- Establish Security Procedures for:
  - Granting of users' access rights
  - Monitoring of users with administrative rights on IS
  - Guidelines on data encryption
  - Computer security policy training and distribution
23. Recommendations of Auditor (Cont'd)
- Establish Security Procedures for:
  - Virus protection policy
  - Promote proper usage of internet
  - Sharing of user accounts
  - User accounts housekeeping
  - Utilizing network scanning tools
  - E-mail virus protection
24. Recommendations of Auditor (Cont'd)
- Establish Security Procedures for:
  - Door-entry control system
  - Automatic directory listing
  - Banners
  - Vulnerable services
  - World-writeable files
  - System logging
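A procedure for world-writeable files needs a way to find them. The script below is an added example, not part of the auditor's recommendations or of any ITS tool: it walks a directory tree and reports every file or directory whose mode grants write permission to "other", skipping symbolic links and sticky-bit directories such as /tmp (the exclusion rules and the sample tree it builds under a temporary directory are assumptions made for the demonstration).

```python
import os
import stat
import tempfile
from typing import List


def find_world_writable(root: str) -> List[str]:
    """Return paths (relative to root) that are writable by 'other'.

    Symlinks are skipped because their own mode bits carry no meaning, and
    directories with the sticky bit set (mode 1777, e.g. /tmp) are skipped
    because only the owner of a file may remove it there.
    """
    findings: List[str] = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)  # lstat: do not follow links
            except OSError:
                continue  # vanished or unreadable entry; keep walking
            mode = st.st_mode
            if stat.S_ISLNK(mode):
                continue
            if not mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(mode) and mode & stat.S_ISVTX:
                continue
            findings.append(os.path.relpath(path, root))
    return sorted(findings)


def build_sample_tree() -> str:
    """Constructed sample tree for the example: a mix of safe and unsafe modes."""
    root = tempfile.mkdtemp(prefix="ww-audit-")
    for sub in ("etc", "tmp", "shared", "home/user"):
        os.makedirs(os.path.join(root, sub))

    def write(rel: str, mode: int) -> None:
        path = os.path.join(root, rel)
        with open(path, "w") as fh:
            fh.write("sample\n")
        os.chmod(path, mode)

    write("etc/hosts", 0o644)        # correct: world-readable only
    write("etc/passwd", 0o666)       # finding: anyone may edit accounts
    write("home/user/notes", 0o600)  # correct: private
    write("shared/report.txt", 0o664)  # correct: group-writable only
    os.chmod(os.path.join(root, "tmp"), 0o1777)    # tolerated: sticky bit
    os.chmod(os.path.join(root, "shared"), 0o777)  # finding: anyone may add files
    os.symlink("etc/passwd", os.path.join(root, "link"))  # skipped: symlink
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for hit in find_world_writable(sample_root):
        print("world-writable:", hit)
```

Run against a real host, the same function would be pointed at `/` (with appropriate privileges) and the output compared with an approved list; anything not on that list is the audit finding.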
25. Some Security Tips
- Always apply security patches on OS and services
- Remove unnecessary services
- Review and change default settings
- Implement a personal firewall
- Apply encryption on sensitive data
- Enable auditing and review logs
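"Remove unnecessary services" presupposes an inventory of what is actually listening. The following added example (not from the policy or from ITS) parses the Linux `/proc/net/tcp` table format, lists every TCP socket in LISTEN state with its address, port and owning uid, and flags listeners that are not on an approved-port list. The table content is a constructed sample modelled on that format (sshd on 22, a web server on 80, a database bound to loopback on 5432, a telnet daemon on 23, and one established outbound connection); the allow-list is an assumption for the demonstration.

```python
import socket
import struct
from typing import Dict, Iterable, List, Tuple

TCP_LISTEN = "0A"  # socket state code used by /proc/net/tcp

# Constructed sample in /proc/net/tcp layout; not captured from a real host.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10001 1 0000000000000000 100 0 0 10 0
   1: 00000000:0050 00000000:0000 0A 00000000:00000000 00:00000000 00000000    33        0 10002 1 0000000000000000 100 0 0 10 0
   2: 0100007F:1538 00000000:0000 0A 00000000:00000000 00:00000000 00000000    70        0 10003 1 0000000000000000 100 0 0 10 0
   3: 00000000:0017 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 10004 1 0000000000000000 100 0 0 10 0
   4: 0A00000A:B2E6 5E17DE8E:01BB 01 00000000:00000000 00:00000000 00000000  1000        0 10005 1 0000000000000000 20 4 30 10 -1
"""


def _decode_addr(hex_addr: str) -> Tuple[str, int]:
    """Turn 'AABBCCDD:PPPP' into (dotted IPv4, port).

    The kernel prints the IPv4 address in host byte order, so on the usual
    little-endian hosts the four bytes must be reversed before formatting.
    """
    ip_hex, port_hex = hex_addr.split(":")
    ip = socket.inet_ntoa(struct.pack("<I", int(ip_hex, 16)))
    return ip, int(port_hex, 16)


def parse_listeners(table: str) -> List[Dict]:
    """Return one record per LISTEN socket: ip, port, uid and whether it is exposed beyond loopback."""
    listeners = []
    for line in table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) < 10 or fields[3] != TCP_LISTEN:
            continue
        ip, port = _decode_addr(fields[1])
        listeners.append({
            "ip": ip,
            "port": port,
            "uid": int(fields[7]),
            "exposed": not ip.startswith("127."),
        })
    return listeners


def unexpected_listeners(listeners: Iterable[Dict], allowed_ports: Iterable[int]) -> List[Dict]:
    """Listeners whose port is not on the approved list; candidates for removal."""
    allowed = set(allowed_ports)
    return [entry for entry in listeners if entry["port"] not in allowed]


if __name__ == "__main__":
    # Assumed allow-list: SSH, HTTP, and the loopback-only database.
    approved = {22, 80, 5432}
    found = parse_listeners(SAMPLE_PROC_NET_TCP)
    for entry in found:
        print(f"{entry['ip']}:{entry['port']} uid={entry['uid']} exposed={entry['exposed']}")
    for entry in unexpected_listeners(found, approved):
        print("review:", entry)
```

On a live system the sample string is replaced by the contents of `/proc/net/tcp` (and `/proc/net/tcp6` for IPv6, whose 32-hex-digit addresses need a different decoder); the approved list should be the documented service set for that host, so that any extra listener becomes a finding to be reviewed rather than silently accepted.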
26. Thank you!