PolyU IT Security Policy - PowerPoint PPT Presentation

1
PolyU IT Security Policy
PolyU IT/Computer Systems Security Policy (SSP)
By Ken Chung, Senior Computing Officer, Information Technology Services Office

2
PolyU Systems Security Policy
  • Importance of IT Security
  • Recommendation from auditors
  • PolyU Systems Security Policy by ITS
  • Endorsement of the Policy by ITSC
  • Policy and Guidelines on Web

4
PolyU Systems Security Policy
  • Physical Security
  • Campus Network and Internet Security
  • Operating System Security
  • Application System Security
  • Personal Computer Security
  • Backup and Recovery

5
Physical Security
  • Equipment housed in safe environment
  • Access control to computer room
  • Equipment installed in open areas should be
    attended or fixed

6
Physical Security (Contd)
  • Proper electrical power protection should be
    employed, e.g. surge protector, UPS
  • Food, liquid or powdery substances should be kept
    away from equipment
  • The University's health and safety requirements
    should be observed

7
Campus Network and Internet Security
  • Security procedures against intrusion should be
    implemented and maintained
  • Network management and security monitoring should
    be performed
  • Security control mechanisms should be documented

8
Campus Network and Internet Security (Contd)
  • Proper protection mechanisms should be
    implemented
  • Non PolyU equipment and external links should not
    be connected to campus network
  • HARNET Acceptable Use Policy should be observed
    (URL http://www.jucc.edu.hk/jucc/haup.htm)

9
Operating Systems Security
  • Keep the list of system administrators up to date
  • Use scanning programs to detect security bugs
  • Latest system and security patches should be
    adopted
  • All accounts should be protected by good
    password and changed regularly

10
Operating Systems Security (Contd)
  • Passwords should not be disclosed to others
  • Passwords should not be stored or transmitted in
    plain text form
  • Users should report security violation to system
    administrator
  • Accounting, auditing and logging facilities
    should be adopted for audit trails

11
Application Systems Security
  • System owner must determine security level
    required for various kinds of data
  • Only authorised users are allowed to access
    system and data
  • Production data or files must only be used on
    production systems

12
Application Systems Security (Contd)
  • Confidential data should be protected by
    passwords
  • Passwords should not be written down or shared
    with others, standards on password length, format
    and frequency of change should be enforced
  • Effective data encryption techniques should be
    used for storing highly confidential information

13
Application Systems Security (Contd)
  • Changes to production programs should be
    authorised, controlled and recorded; timestamps,
    logs and audit trails must be employed
  • Software developers must not access production
    data without prior approval of system owners

14
Personal Computer Security
  • Access to standalone and networked personal
    computer equipment and resources should be
    restricted to authorised users only
  • Data and programs should be backed up regularly

15
Personal Computer Security (Contd)
  • Preventive and detective measures should be
    enforced to minimise damages caused by computer
    viruses
  • Only licensed software should be used
  • Security problems should be reported to system
    administrators promptly

16
Backup and Recovery
  • System owners must determine their backup
    requirements
  • Backup and restoration should be performed by
    authorised personnel only
  • Backups should be performed periodically onto
    transportable media and stored appropriately
    (onsite or offsite)

17
Backup and Recovery (Contd)
  • Backup and restoration procedures should be tested
    and reviewed regularly
  • A Disaster Recovery Plan for mission critical
    systems should be in place, and periodic
    drills are required

18
IT Security Guidelines
  • Physical Security
  • Campus Network and Internet Security
  • Firewall Security
  • Remote Access Security
  • Proxy Server Security
  • Personal Computer Security

19
IT Security Guidelines (Contd)
  • UNIX System Security
  • Web Server Security
  • Novell NetWare and GroupWise Systems Security
  • Student Computing Cluster Security
  • E-mail System Security
  • PolyU Administrative Computer Systems Security

20
Recommendations of Auditor
  • Establish the Internet/Intranet Security Policy
    with the following contents:
      • What services are allowed
      • User access and privileges
      • Policies for managing web pages
      • Procedures for ensuring no alternate access paths
        to the Internet
      • The University's response to security violations
      • Users signing an internet usage agreement

21
Recommendations of Auditor (Contd)
  • Establish the Internet/Intranet Security Policy
    with the following contents (contd):
      • Enforcing password requirements
      • Management of increased network traffic resulting
        from Internet use
      • Hardware, software and client applications
      • Client configuration
      • Frequency of security audit
      • Independent internet assessment

22
Recommendations of Auditor (Contd)
  • Establish Security Procedures for:
      • Granting of users' access rights
      • Monitoring of users with administrative rights on
        IS
      • Guidelines on data encryption
      • Computer security policy training and distribution

23
Recommendations of Auditor (Contd)
  • Establish Security Procedures for:
      • Virus protection policy
      • Promoting proper usage of the internet
      • Sharing of user accounts
      • User account housekeeping
      • Utilizing network scanning tools
      • E-mail virus protection

24
Recommendations of Auditor (Contd)
  • Establish Security Procedures for:
      • Door-entry control system
      • Automatic directory listing
      • Banners
      • Vulnerable services
      • World-writeable files
      • System logging
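
The auditor's "World-writeable files" item is one of the few on this list that can be checked mechanically. The audit below is an added example, not part of the presentation or any PolyU tool: it walks a directory tree, reports every file or directory that any local user may modify, and skips sticky-bit directories such as /tmp, where world-write is the intended setting. The sample tree it builds is constructed for the demonstration.

```python
import os
import stat
import tempfile


def find_world_writable(root):
    """Return sorted (relative_path, kind, octal_mode) tuples for every
    entry under `root` that any user on the host may modify.

    Sticky-bit directories (like /tmp) are skipped: users can only remove
    their own entries there, so that is configuration, not a finding.
    Symlinks are inspected with lstat and skipped, so a link into /tmp
    does not produce a false hit.
    """
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        for name in dirnames + filenames:
            path = os.path.join(dirpath, name)
            try:
                st = os.lstat(path)
            except OSError:
                continue  # vanished or unreadable; an audit should not abort
            if stat.S_ISLNK(st.st_mode) or not st.st_mode & stat.S_IWOTH:
                continue
            if stat.S_ISDIR(st.st_mode):
                if st.st_mode & stat.S_ISVTX:
                    continue  # sticky, e.g. a scratch area: intended
                kind = "dir"
            else:
                kind = "file"
            rel = os.path.relpath(path, root)
            findings.append((rel, kind, oct(stat.S_IMODE(st.st_mode))))
    return sorted(findings)


def build_demo_tree(base):
    """Constructed sample layout: two findings, two deliberate non-findings."""
    scripts = os.path.join(base, "scripts")
    scratch = os.path.join(base, "scratch")
    os.makedirs(scripts)
    os.makedirs(scratch)
    with open(os.path.join(scripts, "nightly.sh"), "w") as fh:
        fh.write("#!/bin/sh\n")
    with open(os.path.join(scripts, "README"), "w") as fh:
        fh.write("ok\n")
    os.chmod(os.path.join(scripts, "nightly.sh"), 0o777)  # world-writable script: flagged
    os.chmod(os.path.join(scripts, "README"), 0o644)      # normal file: not flagged
    os.chmod(scratch, 0o1777)                             # sticky scratch dir: skipped
    os.chmod(scripts, 0o777)                              # world-writable dir: flagged
    os.symlink("/tmp", os.path.join(base, "tmplink"))     # symlink only: skipped


def demo():
    """Build the constructed tree in a temp dir and audit it."""
    base = tempfile.mkdtemp(prefix="ww_audit_")
    build_demo_tree(base)
    return find_world_writable(base)
```

Run `find_world_writable("/")` against a real host to get the same report; a world-writable script that a privileged job executes is the case to fix first.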

25
Some Security Tips
  • Always apply security patches to the OS and services
  • Remove unnecessary services
  • Review and change default settings
  • Implement a personal firewall
  • Apply encryption to sensitive data
  • Enable auditing and review the logs

26
Thank you!