Overview
Version 1.0
Last Revision Date: January 17, 2008
Approval Date: February 5, 2008
Approval Authority: Case Chief Information Security Officer
Purpose
As a risk mitigation action for enterprise-wide information protection, the Case standard network host configuration is provided to guide users and administrators with the basic requirements that must be met for all networked hosts on the Case networks, based on Information Tier (Tier I, Tier II, or Tier III).
Scope
This Procedure applies to all information technology systems that use the Case network infrastructure. It is designed to support the Case Information Security Policies and to be auditable.
Cancellation
Not applicable.
Procedure Statement
General
This procedure outlines basic controls necessary for all registered hosts processing, storing, or transmitting Tier I information on Case networks. Because Tier I (public) information is the base level of information in the university, this procedure serves as a baseline for all networked hosts.
Tier I baseline standards are considered to be the minimum security configuration standards.
Procedure
Administrative Controls
- Registration. All hosts (personal computers, servers, printers, etc.) on Case networks are required to be registered in accordance with the II-3 Network Management Policy. When practicable, the registration process will include the intended information Tier for each host. Registration is not required for the use of the CaseGuest wireless network, but is recommended. Wireless registration can be performed by calling the Case Help Desk.
- Responsibility. All persons who register hosts on Case networks are fully responsible for protecting information and infrastructure from security threats by implementing applicable security controls commensurate with the information types used on the hosts.
- Awareness. All users and registered owners for Tier I systems should complete security awareness training and maintain familiarity with network-based security threats to their systems and information. A guide to security awareness can be found at SecurityAware.case.edu.
Technical Controls
- Login Screen. All hosts that support a login screen shall be configured to require individual users to log in with credentials (e.g. username and password). Hosts shall not be configured to auto-login. Special exceptions for managed kiosk devices will be made on a case-by-case basis, and must be approved by Information Security.
- Basic Hardening. All hosts shall undergo some basic hardware and operating system assessment and configuration to assure that default options do not permit easy and rapid host compromise. Basic hardening can be implemented via local policy, or via a managed network environment (e.g. Active Directory Group Policy). Specific examples include:
  - Minimizing unnecessary network-based services and ports. The SANS/FBI Top 20 List can be a key guideline in hardening a host.
  - Using an account with normal User privileges for daily operations, and using an account with Administrator or root privileges only when needed for system maintenance.
  - Case also has a CIS-based configuration file that can be obtained from the Information Security Office (security@case.edu).
  - Additional configuration checklists can be found here.
- Firewall. All hosts which support a host-based firewall shall have it operate in a manner to mitigate common network-based attacks. Additional firewall guidance for the Windows Vista firewall can be found here.
- Operating System and Software Security Updates. When applicable, all hosts shall be configured to receive and implement security updates to application software and operating system software within a time frame of 2 months after the release of updates by software vendors. This can be simply met by application of automatic software updates. Software feature updates are not in the scope of this requirement.
- Anti-Virus Software. All Windows-based hosts have a supported anti-virus application, and thus shall have anti-virus software installed and enabled for automated signature updates. For non-Windows hosts that have a supported anti-virus application, the installation of this software is recommended. At a minimum, users should conduct full system scans on a monthly basis.
- Anti-Spyware. Anti-spyware software is recommended for all users who use web-based resources. The Case Help Desk lists available anti-spyware.
- Anti-Theft Utilities. For mobile systems (e.g. tablet PCs, notebook computers, PDAs, etc.), anti-theft technologies are highly recommended. Locking cables are highly recommended. Software-based tracking services are also recommended.
- Data Backup. Tier I data that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft. Case has a branded partnership for online backup services through Carbonite (PC users).
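The technical controls above are written as requirements, and the Scope section says the procedure is meant to be auditable. The following PowerShell script is an added example of how a registered system owner could self-check a Windows host against the auditable items (no auto-login, firewall on, updates current, anti-virus enabled and scanning monthly, daily use from a non-administrator account, listening services reviewed). It is not part of the Case procedure and not Case-provided tooling. It assumes a Windows 8 / Server 2012 or later host with the NetSecurity and Defender PowerShell modules (the procedure itself references Windows Vista, whose firewall lacks these cmdlets), approximates the "2 months" update window as 60 days, and treats Windows Defender as the supported anti-virus; the 7-day signature-age threshold and the `Test-TierIBaseline` function name are the example's own choices. Anti-spyware, anti-theft and backup are recommendations that cannot be checked from the host in a generic way, so they are not covered.

```powershell
# Added audit example for the Tier I technical controls; not part of the Case procedure.
# Assumptions: Windows 8/Server 2012+ with NetSecurity and Defender modules, Windows Defender
# as the supported AV, "2 months" approximated as 60 days, 7-day signature-age threshold.
function Test-TierIBaseline {
    $findings = @()

    # Login Screen: hosts shall not be configured to auto-login.
    $winlogon = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon' -ErrorAction SilentlyContinue
    if ($winlogon -and $winlogon.AutoAdminLogon -eq '1') {
        $findings += 'Login Screen: AutoAdminLogon is enabled; hosts shall not auto-login.'
    }

    # Firewall: the host-based firewall shall be operating on every profile.
    foreach ($p in (Get-NetFirewallProfile -ErrorAction SilentlyContinue)) {
        if (-not $p.Enabled) {
            $findings += "Firewall: profile '$($p.Name)' is disabled."
        }
    }

    # Security Updates: automatic updating not turned off, and a hotfix installed within ~2 months.
    # AUOptions 1 = never check for updates; the value may be absent when updates are managed elsewhere.
    $au = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\WindowsUpdate\Auto Update' -ErrorAction SilentlyContinue
    if ($au -and $au.AUOptions -eq 1) {
        $findings += 'Updates: automatic updating is turned off (AUOptions=1).'
    }
    $lastFix = Get-HotFix | Where-Object InstalledOn | Sort-Object InstalledOn -Descending | Select-Object -First 1
    if (-not $lastFix -or $lastFix.InstalledOn -lt (Get-Date).AddDays(-60)) {
        $findings += 'Updates: no update installed in the last 60 days (assumed 2-month window).'
    }

    # Anti-Virus: installed and enabled, signatures updating automatically, full scan at least monthly.
    $mp = Get-MpComputerStatus -ErrorAction SilentlyContinue
    if (-not $mp) {
        $findings += 'Anti-Virus: Windows Defender status unavailable; confirm another supported AV is installed and enabled.'
    } else {
        if (-not $mp.RealTimeProtectionEnabled) {
            $findings += 'Anti-Virus: real-time protection is disabled.'
        }
        if ($mp.AntivirusSignatureAge -gt 7) {
            $findings += "Anti-Virus: signatures are $($mp.AntivirusSignatureAge) days old; automated updates may be failing."
        }
        # FullScanAge is very large when no full scan has ever completed, so this also catches "never".
        if ($mp.FullScanAge -gt 31) {
            $findings += "Anti-Virus: last full scan was $($mp.FullScanAge) days ago; monthly full scans are required."
        }
    }

    # Basic Hardening: daily operations should run from a normal User account, not an administrator.
    $identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
    $principal = New-Object Security.Principal.WindowsPrincipal($identity)
    if ($principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
        $findings += 'Hardening: this session runs with Administrator privileges; use a normal User account for daily work.'
    }

    # Basic Hardening: list listening TCP ports so unnecessary services can be reviewed and removed.
    $ports = Get-NetTCPConnection -State Listen -ErrorAction SilentlyContinue |
        Select-Object -ExpandProperty LocalPort -Unique | Sort-Object
    if ($ports) {
        $findings += "Hardening (review): listening TCP ports: $($ports -join ', ')"
    }

    return $findings
}

$results = Test-TierIBaseline
if ($results.Count -eq 0) {
    Write-Output 'All checked Tier I technical controls are satisfied on this host.'
} else {
    Write-Output 'Tier I baseline findings:'
    $results | ForEach-Object { Write-Output "  - $_" }
}
```

Run it from an ordinary PowerShell session on the host being registered; the listening-port line is informational (the procedure asks owners to minimize unnecessary services, which requires a human judgement about which ports belong), while every other line is a deviation from a "shall" or "at a minimum" statement above. Registry reads and `Get-MpComputerStatus` work as a standard user, which is itself the recommended way to operate day to day.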
Responsibility
Case End Users: Assure controls based on Case information
categories are implemented.
Case ITS Security Staff: Monitor security risks on a continual
basis and regularly update the procedural controls based on changing
security threat scenarios.
Case Registered System Owners: Assure that Tier I controls are
applied where applicable. Take reasonable steps to remove Tier II and
Tier III data from Tier I systems.
Definitions
host: Any network-capable device utilizing network services. A host may be a personal computer, a network appliance, a server, a printer, a scanner, or a copier.
Standards Review Cycle
This procedure will be reviewed every three years on the anniversary of the policy effective date, at a minimum. The standard may be reviewed on a more frequent basis depending on changes of risk exposure.