III-1c Case Standard Network Host Configuration and Security Controls for Public Information
Version 1.2 DRAFT
Last Revision Date: July 21, 2010
Approval Date: February 5, 2008
Approval Authority: Case Chief Information Security Officer
As a risk mitigation action for enterprise wide information protection, the Case standard network host configuration is provided to guide users and administrators with the basic requirements which must be met for all networked hosts on the Case networks, based on Information Tier (Public, Official Use, or Restricted)
This Procedure applies to all information technology systems that use the Case network infrastructure. It is designed to support the Case Information Security Policies and to be auditable.
This procedure outlines basic controls necessary for all registered hosts processing, storing, or transmitting Public Information on Case networks. Because Public Information is the base level of information in the university, this procedure serves as a baseline for all networked hosts.
Public Information baseline standards are considered to be the minimum security configuration standards.
- Registration. All hosts (personal computers, servers, printers, etc.) on Case networks are required to be registered in accordance with the II-3 Network Management Policy. When practicable, the registration process will include the intended information Tier for each host. Registration is not required for the use of the CaseGuest wireless network, but is recommended. Wireless registration can be performed by calling the Case Help Desk.
- Responsibility. All persons who register hosts on Case networks are fully responsible for protecting information and infrastructure from security threats by implementing applicable security controls commensurate with the information types used on the hosts.
- Awareness. All users and registered owners for Tier I systems should complete security awareness training and maintain familiarity with network based security threats to their systems and information. A guide to security awareness can be found at SecurityAware.case.edu.
- Login Screen. All hosts that support a login screen shall be configured to require individual users to login with credentials (e.g. username and password). Hosts shall not be configured to auto-login. Special exceptions for managed kiosk devices will be made on a case-by-case basis, and must be approved by Information Security.
- Basic Hardening. All hosts shall undergo some basic hardware and operating system assessment and configuration to assure default options to not permit easy and rapid host compromise. Basic hardening can be implemented via local policy, or via a managed network environment (e.g. Active Directory Group Policy). Specific examples include:
- Minimizing unnecessary network based services and ports. The use of the SANS Top 20 Critical Securiyt Controls List can be a key guideline in hardening a host at this level.
- Using an account with normal User privileges for daily operations, and using an account with Administrator or root privileges only when needed for system maintenance.
- Case also has a CIS-based configuration file that can be obtained from the Information Security Office (firstname.lastname@example.org).
- Additional configuration checklists can be found here.
- Firewall. All hosts which support a host-based firewall shall have it operate in a manner to mitigate common network-based attacks. Additional firewall guidance for the Windows Vista firewall can be found here.
- Operating System and Software Security Updates. When applicable, all hosts shall be configured to receive and implement security updates to software and operating system software within a time frame of 2 months after the release of updates by software vendors. This can be simply met by application of automatic software updates. Software feature updates are not in the scope of this requirement.
- Anti-Virus Software. All Windows-based hosts have a supported anti-virus application, and thus shall have anti-virus software installed and enabled for automated signature updates. For non-Windows hosts that have a supported anti-virus application, the installation of this software is recommended. At a minimum users should conduct full system scans on a monthly basis.
- Anti-Spyware. Anti-spyware software is recommended for all users who use web-based resources. The Case Help Desk lists available anti-spyware.
- Anti-Theft Utilities. For mobile systems (e.g. tablet PC, notebook computers, PDAs, etc.), anti-theft technologies are highly recommended. Locking cables are highly recommended. Software-based tracking services are also recommended.
- Data Backup. Public Information that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft. Case has a branded partnership for online backup services through Carbonite (PC and Mac users).
- Data Loss Protection. Systems intended solely for processing Public Information must be free of Restricted Information. Therefore, all hosts, such as workstations, servers, and compatible devices, shall use software utilities provided by the university to identify and remove any Restricted data (such as SSNs) to eliminate the risk of data loss or disclosure. Currently, Identity Finder is a data loss protection utilitiy available from the Case Software Center to be used to remediate and protect public information systems from holding Restricted Information.
Case End Users: Assure controls based on Case information categories are implemented.
Case ITS Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.
Case Registered System Owners: Assure that Tier I controls are applied where applicable. Take reasonable steps to remove Tier II and Tier III data from Tier I systems.
host: Any network capable device utilizing network services. A host may be a personal computer, a network appliance, server resources, printers, scanners, copiers.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.