Minimum Security Standards Policy
UGA Minimum Security Standards for Networked Devices Policy
This policy establishes enforcement for the Minimum Security Standards, mentioned in our
Acceptable Use Policy. Its main function is setting the scope and detailing responsibilities in
enforcing the Minimum Security Standards. This page is
simply a summary of this policy and wording should not be used in place of the official policy. For any clarification,
please contact the EITS Help Desk.
Official Policy Text:
Scope

This policy applies to all devices connected to the UGA Network (wired or wireless).
It also applies to any devices using the uga.edu domain to send or receive data.
The policy applies to all devices connected to the UGA Network (wired or wireless)
or using the uga.edu domain to originate or receive electronic data. In particular,
this policy covers devices ranging from multi-user systems to single user personal
computers connected to the UGA Network. Examples of these devices include computers,
printers, routers, switches, firewalls and other networked appliances.
Standards Summary

- Install all security patches for major programs.
University networked devices must have all applicable security updates installed
within 2 weeks of the patch release date. The purpose of patching is risk
reduction; if the risk is eliminated by another method, this is acceptable.
Defense in depth (i.e. utilizing patching along with other strategies) is
highly recommended. Exceptions may be granted in accordance with the
UGA Minimum Security Standards for Networked Devices Policy.
- Have updated anti-virus software installed.
Anti-virus software must be used and kept up-to-date on every device attached to
the UGA Network including personal computers, file servers, mail servers, and
other types of networked devices. Units may choose to implement an alternative
to the site-licensed anti-virus software provided by UGA as long as it has
equivalent capabilities. Exceptions may
be granted for special-purpose devices which would not be significantly
protected by an anti-virus package, e.g. a Domain Name Service - DNS
server or other device that does not interact with user files.
- Use host-based firewalls.
Host-based firewall software must be used and kept up-to-date on every device
attached to the UGA Network including personal computers, file servers, mail
servers, and other types of networked devices. Units may choose to implement an
alternative to the site-licensed anti-virus software provided by UGA as long as
it has equivalent capabilities. While the use
of departmental firewalls is encouraged, they do not necessarily prevent the
need for host-based firewalls.
-
UGA Network resources must identify users and authorize access by means of
passwords or other secure authentication processes (e.g. biometrics or Smart
Cards). When passwords are used, they must meet the
UGA Password Standard. All default and initially assigned
passwords for access to network-accessible devices must be modified. Devices
like switches and printers should have restricted access lists if possible.
- Authentication must be done over encrypted channels, such as HTTPS,
SFTP, SSH, and encrypted IMAP. Do not log in using unencrypted means.
Traffic across the university network may be surreptitiously
monitored rendering unencrypted authentication mechanisms vulnerable
to compromise. All networked devices must use only encrypted
authentication mechanisms unless otherwise authorized by the UGA
Office of Information Security.
Services that utilize unencrypted authentication such as Telnet,
File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP),
Post Office Protocol (POP), and Internet Message Access Protocol (IMAP)
must be replaced by their encrypted equivalents, or implemented in a
secure manner such as traveling through an end-to-end secure tunnel or
operating on a completely private network. Hypertext Transfer Protocol
Secure (HTTPS) must be used for web-based authentication; a certificate
from a trusted certificate authority is highly recommended.
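One way to check a host against this standard is to look at what it is listening on. The script below is an added example and is not part of the UGA policy or its implementation guidelines: it parses constructed `ss -tln`/`ss -uln` style output for a hypothetical host and reports sockets bound to the well-known ports of the cleartext services the standard names (Telnet, FTP, SNMP, POP, IMAP), together with the encrypted equivalent an administrator would migrate to. The port-to-replacement mapping and the treatment of loopback-only binds as "review" rather than "violation" are assumptions of the example, reflecting the standard's allowance for services that are reachable only through a secure tunnel or a completely private network.

```python
"""Flag listening services that authenticate in cleartext (added example)."""
import re

# Well-known ports of the cleartext services named in the standard, mapped to the
# encrypted equivalent an administrator would migrate to. Assumed mapping; HTTP on
# port 80 is deliberately omitted because serving non-login content over it is fine.
CLEARTEXT_AUTH_PORTS = {
    21:  ("FTP",    "SFTP (SSH, port 22) or FTPS"),
    23:  ("Telnet", "SSH (port 22)"),
    110: ("POP3",   "POP3S (port 995) or POP3 with STARTTLS"),
    143: ("IMAP",   "IMAPS (port 993) or IMAP with STARTTLS"),
    161: ("SNMP",   "SNMPv3 with authPriv"),
}

# Constructed sample of `ss -tln` / `ss -uln` output for a hypothetical host.
SAMPLE_SS_OUTPUT = """\
State   Recv-Q  Send-Q  Local Address:Port  Peer Address:Port
LISTEN  0       128     0.0.0.0:22          0.0.0.0:*
LISTEN  0       128     0.0.0.0:23          0.0.0.0:*
LISTEN  0       100     0.0.0.0:143         0.0.0.0:*
LISTEN  0       100     0.0.0.0:993         0.0.0.0:*
LISTEN  0       128     127.0.0.1:110       0.0.0.0:*
LISTEN  0       511     [::]:443            [::]:*
UNCONN  0       0       0.0.0.0:161         0.0.0.0:*
"""

# "Local Address:Port" is either "addr:port" or "[v6addr]:port".
_LOCAL_ADDR = re.compile(r"^(?P<addr>\[.*\]|[^:\s]+):(?P<port>\d+)$")


def parse_listeners(ss_output):
    """Yield (address, port) for each socket line; the header and short lines are skipped."""
    for line in ss_output.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 5:
            continue
        m = _LOCAL_ADDR.match(fields[3])
        if m:
            yield m.group("addr"), int(m.group("port"))


def find_cleartext_auth(ss_output):
    """Return one finding per listener on a cleartext-authentication port.

    A loopback-only bind is reported as "review": it may be fronted by a local
    tunnel, which the standard permits, so it needs a human decision rather
    than an automatic failure.
    """
    findings = []
    for addr, port in parse_listeners(ss_output):
        if port not in CLEARTEXT_AUTH_PORTS:
            continue
        service, replacement = CLEARTEXT_AUTH_PORTS[port]
        local_only = addr in ("127.0.0.1", "[::1]")
        findings.append({
            "port": port,
            "service": service,
            "bind": addr,
            "severity": "review" if local_only else "violation",
            "fix": replacement,
        })
    return findings


if __name__ == "__main__":
    for f in find_cleartext_auth(SAMPLE_SS_OUTPUT):
        print(f"{f['severity']:9} {f['service']:6} port {f['port']:<4} bound to {f['bind']:12} -> {f['fix']}")
```

On a real host the constructed sample would be replaced with the output of `ss -tln` and `ss -uln`; the port mapping is a starting point, not a substitute for confirming which daemon owns each socket.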
- Do not allow unauthorized SMTP email relays.
Email devices must not provide a Simple Mail Transfer Protocol (SMTP)
service that allows unauthorized third parties to relay email messages
where neither the sender nor the recipient is a local user. Before
transmitting email to a non-local address, the sender must authenticate
with the Simple Mail Transfer Protocol (SMTP) service. Restricting the Internet
Protocol (IP) address or the domain is insufficient. There may be a
special need for an unauthenticated relay service (such as the UGA
mail gateway service); any exceptions must be authorized by the
UGA Office of Information Security.
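The following is an added example, not part of the UGA policy, showing what "restricting the IP address or the domain is insufficient" looks like in a concrete mail server configuration. It parses two constructed Postfix `main.cf` fragments (the hostname `mail.example.edu` and the network ranges are made up): one that permits relaying purely by source network, and one that ties relaying to SASL authentication over TLS. The parameter names (`smtpd_relay_restrictions`, `mynetworks`, `smtpd_sasl_auth_enable`, `smtpd_tls_auth_only`) are real Postfix parameters; the checks themselves are this example's interpretation of the standard, and the rule that only loopback networks may relay without authenticating is an assumption.

```python
"""Check Postfix relay controls against the SMTP relay standard (added example)."""
import ipaddress

# Constructed main.cf fragments. The first relies solely on source address, which
# the standard calls insufficient; the second gates relaying on authentication.
WEAK_MAIN_CF = """\
myhostname = mail.example.edu
mynetworks = 127.0.0.0/8, 10.0.0.0/8
smtpd_relay_restrictions = permit_mynetworks, reject_unauth_destination
"""

HARDENED_MAIN_CF = """\
myhostname = mail.example.edu
mynetworks = 127.0.0.0/8
smtpd_sasl_auth_enable = yes
smtpd_tls_auth_only = yes
smtpd_relay_restrictions = permit_mynetworks, permit_sasl_authenticated,
    reject_unauth_destination
"""


def parse_main_cf(text):
    """Minimal main.cf parser: `key = value` lines, with indented continuation lines."""
    params, key = {}, None
    for raw in text.splitlines():
        if not raw.strip() or raw.lstrip().startswith("#"):
            continue
        if raw[0] in " \t" and key is not None:
            params[key] += " " + raw.strip()   # continuation of the previous value
            continue
        if "=" in raw:
            name, _, value = raw.partition("=")
            key = name.strip()
            params[key] = value.strip()
    return params


def relay_findings(params):
    """Return a list of problems; an empty list means the relay controls look right."""
    problems = []
    restr = [t.strip() for t in params.get("smtpd_relay_restrictions", "").split(",") if t.strip()]

    # Without an unauth_destination rule anyone can relay to foreign domains: an open relay.
    if not any(t in ("reject_unauth_destination", "defer_unauth_destination") for t in restr):
        problems.append("smtpd_relay_restrictions never stops relaying to foreign destinations (open relay)")
    # The standard requires the sender to authenticate before mail leaves for a non-local address.
    if "permit_sasl_authenticated" not in restr:
        problems.append("relaying is not tied to sender authentication (permit_sasl_authenticated missing)")
    if params.get("smtpd_sasl_auth_enable", "no").lower() != "yes":
        problems.append("SASL authentication is disabled, so senders cannot authenticate before relaying")
    # Authentication itself must travel over an encrypted channel.
    if params.get("smtpd_tls_auth_only", "no").lower() != "yes":
        problems.append("AUTH is offered on unencrypted sessions; authentication must be encrypted")
    # Source-address permits are accepted only for loopback (assumption of this example);
    # anything wider is exactly the IP-based restriction the standard calls insufficient.
    if "permit_mynetworks" in restr:
        for net in params.get("mynetworks", "").replace(",", " ").split():
            try:
                network = ipaddress.ip_network(net, strict=False)
            except ValueError:
                problems.append(f"mynetworks entry {net!r} is not a CIDR block; review it")
                continue
            if not network.is_loopback:
                problems.append(f"mynetworks permits unauthenticated relay from {net}")
    return problems


if __name__ == "__main__":
    for label, cf in (("weak", WEAK_MAIN_CF), ("hardened", HARDENED_MAIN_CF)):
        print(f"[{label}]", relay_findings(parse_main_cf(cf)) or "no relay problems found")
```

The checker reads the configuration only; confirming behaviour still means testing from an external address that the server refuses to relay for an unauthenticated session.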
- Do not establish unauthenticated proxy servers.
Unauthenticated proxy servers may enable an attacker to execute
malicious programs on the server in the context of an anonymous
user account. Therefore, unauthenticated proxy servers are not allowed
on the UGA network; any exceptions must be authorized by the UGA
Office of Information Security.
In particular, software program default settings in which proxy
servers are automatically enabled must be identified by the system
administrator and reconfigured to prevent unauthenticated proxy
services. For more information on the types of software typically used
for proxy services, see the "Implementation Guidelines for the
Minimum Standards for Security of UGA Networked Devices".
- Auto-lock workstations and servers after 20 minutes of inactivity.
Unauthorized physical access to an unattended device can result in harmful
or fraudulent modification of data, fraudulent email use, or any number of
other potentially dangerous situations. In light of this, where possible and
appropriate, devices must be configured to "lock" and require a user to
re-authenticate if left unattended for more than 20 minutes.
- Disable all unnecessary services.
Unnecessary services must be disabled; avoid installing unused services.
Network access or privileges may be revoked if these
standards are not followed.