Self Certification for Compliance with University Policy
The following checklist is a condensed version of the
UGA policies and Office of Information
Security guidelines that relate to systems that store or process
sensitive information.
By completing the checklist for your information system, you can verify that it is in compliance
with University policy requirements and guidelines.
To use the checklist, simply review each item number and ask "Does my system comply?"
If it does, place a check mark next to that item number. When you are done, the unchecked items will
represent the gap between the current management / configuration of your system and the requirements
and recommendations of the University.
Access to sensitive information on the system is restricted to authorized personnel with a need to know.
Access to sensitive information is limited to:
the individual whose information is produced or displayed;
a University official or agent of the University with authorized access
based upon a legitimate academic or business interest and a need to know;
an organization or person authorized by the individual to receive the
information;
a legally authorized government entity or representative;
other circumstances in which the University is legally compelled to provide
access to personal information, such as the Georgia Open Records Act;
or other individuals or entities, as allowed by law, for purposes judged to be
appropriate or necessary for the reasonable conduct of University business
Social Security Numbers (SSNs) are not transmitted to or from the system over unsecured methods.
It is against both state law and University policy to:
Publicly post or display the Social Security number in any manner;
Require an individual to transmit his or her Social Security number over the
Internet unless the connection is secure or the number is encrypted; or
Require an individual to use his or her Social Security number to access an
Internet site unless a unique password or PIN is also required;
A link to the UGA Privacy Policy is posted (if the system has one or more web applications).
University departments that collect sensitive information on their Web pages must post a
link to the UGA Privacy Policy and inform consumers about any persons or entities outside
the University with whom they may share Sensitive Information collected online. If there is
a process for the consumer to change such information, that process must be described and
available to the consumer on the department Web pages.
Password Policy and Standard
Strong passwords are used.
Passwords must have a minimum of eight alphanumeric and special characters; if a
particular system will not support eight characters, then the maximum number of
characters allowed must be used. Passwords will not be composed of one or more dictionary
words in any language, human or artificial.
Passwords are changed at least twice a year.
Users must change their passwords at least twice (2x) per year with the new password
incorporating at least 3 changed characters.
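The two password rules above (at least eight characters unless the system cannot accept that many, no dictionary words, and at least three characters changed from the previous password) can be checked mechanically before a password is accepted. The following is an added example written for this page, not a UGA tool; the word list is a constructed stand-in for a real multi-language dictionary, and reading "alphanumeric and special characters" as "at least one letter, one digit and one special character" is this example's assumption about the standard's intent.

```python
import string

# Constructed stand-in for the dictionary check; a real deployment loads word lists
# for every language in use, since the standard rules out dictionary words "in any language".
DICTIONARY = {"password", "welcome", "georgia", "bulldog", "summer", "dragon", "letmein"}

MIN_LENGTH = 8          # from the standard
MIN_CHANGED_CHARS = 3   # from the standard: a new password must change at least 3 characters


def contains_dictionary_word(password, dictionary=DICTIONARY, min_word_len=4):
    """True if any dictionary word of min_word_len or more letters appears inside the
    password (case-insensitive), so 'Password1!' fails despite its digit and symbol."""
    lowered = password.lower()
    return any(len(word) >= min_word_len and word in lowered for word in dictionary)


def changed_characters(old, new):
    """Number of character positions that differ between old and new; extra or
    missing trailing characters count as changes."""
    differing = sum(1 for a, b in zip(old, new) if a != b)
    return differing + abs(len(old) - len(new))


def check_password(new, old=None, max_supported=None):
    """Return the list of policy violations for a proposed password (empty means compliant).

    max_supported models the clause for systems that cannot accept eight characters:
    the required length drops to that system's maximum.
    """
    problems = []
    required = MIN_LENGTH if max_supported is None else min(MIN_LENGTH, max_supported)
    if len(new) < required:
        problems.append(f"shorter than {required} characters")
    # Assumed reading of "alphanumeric and special characters": at least one of each class.
    has_letter = any(c.isalpha() for c in new)
    has_digit = any(c.isdigit() for c in new)
    has_special = any(c in string.punctuation for c in new)
    if not (has_letter and has_digit and has_special):
        problems.append("must contain letters, digits and special characters")
    if contains_dictionary_word(new):
        problems.append("contains a dictionary word")
    if old is not None and changed_characters(old, new) < MIN_CHANGED_CHARS:
        problems.append(f"fewer than {MIN_CHANGED_CHARS} characters changed from the previous password")
    return problems


if __name__ == "__main__":
    for candidate, previous in [("Tr0ub4dor&x", None), ("Password1!", None), ("Tr0ub4dor&y", "Tr0ub4dor&x")]:
        print(candidate, "->", check_password(candidate, old=previous) or "compliant")
```

The substring test for dictionary words is deliberately stricter than an exact-match test, because appending a digit and a symbol to a common word is the usual way users satisfy a character-class rule without gaining any real strength. The change-count check only works if the previous password is still available at change time (for example, because the user supplied it to authenticate the change); it must never be implemented by keeping old passwords in a recoverable form.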
Passwords are not stored or remembered in an unencrypted format.
Passwords must not be remembered by unencrypted computer applications such as email.
Use of an encrypted password storage application is acceptable, although extreme care
must be taken to protect access to said application.
System is not configured for login without a password.
Computers must not be configured to login without a password. Exceptions may be
granted for specialized devices such as kiosks which have extremely restricted accounts.
Whenever possible, computer labs should be designed to authenticate each user individually
for accountability purposes.
Passwords are changed whenever disclosed or compromised.
If any of the following events occur, a password change will be mandatory:
Unauthorized password discovery or usage by another person
System compromise (unauthorized access to a system or account)
Insecure transmission of a password, for example via email or instant message.
(Even an email transferred via secure Post Office Protocol (POP) or Secure Internet Message
Access Protocol (S-IMAP) could be compromised at the Simple Mail Transport Protocol
(SMTP) level or read while in your inbox; change the password anyway.)
Accidental disclosure of password to an unauthorized person
Replacement of account user with another individual requiring access to the same account
Password is provided to IT support staff in order to resolve a technical issue (It is
strongly recommended that IT support staff request an end-user password as a last resort.)
A password is provided to the end-user and the system administrator knows the password.
For example, the system administrator provides a new account password or has to reset an
account password.
System logs failed login attempts and locks after several failed login attempts.
System administrators must harden their systems to deter password cracking:
An automated method to mitigate brute force password attacks must be used. For example,
some systems will lock an account for a few minutes after several failed login attempts,
or detect where the attack is coming from and block further attempts from that location, or
at minimum alert the system administrator in real-time that an attack is underway so that
manual action can be taken.
Logging must be set up to record all failed login attempts and preferably successful
attempts as well.
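The item above asks for two things: every failed (and ideally successful) login is recorded, and an automated response kicks in after several failures. The following added example, written for this page rather than taken from any UGA system, shows the shape of such a monitor: it parses constructed syslog-style authentication lines, keeps a full audit record of successes and failures, locks an account for a short period once a threshold of failures occurs inside a sliding window, and raises an alert an administrator could be paged with. The log format, the thresholds and the sample lines are all assumptions for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

THRESHOLD = 5                      # failures within WINDOW that trigger a lock (assumed value)
WINDOW = timedelta(minutes=10)     # sliding window for counting failures (assumed value)
LOCK_DURATION = timedelta(minutes=15)  # "lock an account for a few minutes" (assumed value)

# Assumed line format: "<timestamp> <process>: Failed|Accepted password for <user> from <ip>"
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+: "
    r"(?P<outcome>Failed|Accepted) password for (?P<user>\S+) from (?P<ip>\S+)$"
)

# Constructed sample log; addresses are from the documentation ranges, not real hosts.
SAMPLE_LOG = """2024-03-01 09:00:01 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01 09:00:05 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01 09:00:09 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01 09:00:14 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01 09:00:20 sshd[101]: Failed password for alice from 203.0.113.7
2024-03-01 09:00:25 sshd[101]: Accepted password for alice from 203.0.113.7
2024-03-01 09:03:00 sshd[102]: Failed password for bob from 198.51.100.2
2024-03-01 09:20:00 sshd[103]: Accepted password for alice from 192.0.2.10
"""


class LoginMonitor:
    def __init__(self, threshold=THRESHOLD, window=WINDOW, lock_duration=LOCK_DURATION):
        self.threshold = threshold
        self.window = window
        self.lock_duration = lock_duration
        self.failures = defaultdict(deque)  # user -> timestamps of recent failures
        self.locked_until = {}              # user -> datetime when the lock expires
        self.alerts = []                    # messages an administrator would receive in real time
        self.events = []                    # (ts, user, ip, outcome): every attempt, success or failure

    def is_locked(self, user, now):
        until = self.locked_until.get(user)
        return until is not None and now < until

    def observe(self, line):
        """Process one log line; returns 'failed', 'accepted', 'locked', or None if unrelated."""
        m = LINE_RE.match(line.strip())
        if not m:
            return None
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        user, ip, outcome = m["user"], m["ip"], m["outcome"]
        self.events.append((ts, user, ip, outcome))   # record successes as well as failures
        if self.is_locked(user, ts):
            # Even a correct password is refused while the lock is in force.
            self.alerts.append(f"{ts} {user}: attempt from {ip} while locked ({outcome.lower()})")
            return "locked"
        if outcome == "Accepted":
            self.failures[user].clear()
            return "accepted"
        recent = self.failures[user]
        recent.append(ts)
        while recent and ts - recent[0] > self.window:   # drop failures outside the window
            recent.popleft()
        if len(recent) >= self.threshold:
            self.locked_until[user] = ts + self.lock_duration
            recent.clear()
            self.alerts.append(
                f"{ts} {user}: {self.threshold} failures within {self.window} from {ip}; "
                f"locked until {self.locked_until[user]}"
            )
            return "locked"
        return "failed"


def process_log(text, **kwargs):
    """Run the monitor over a block of log text; returns (monitor, per-line outcomes)."""
    mon = LoginMonitor(**kwargs)
    results = [r for r in (mon.observe(line) for line in text.splitlines()) if r is not None]
    return mon, results


if __name__ == "__main__":
    mon, results = process_log(SAMPLE_LOG)
    print(results)
    for alert in mon.alerts:
        print("ALERT:", alert)
```

Two design points matter in practice. The lock is short, as the item suggests, because an indefinite per-account lockout lets anyone who knows a username deny that user service; pairing the account counter with a per-source counter (the "block further attempts from that location" option above) limits that. And the audit record keeps successful logins too, so an investigation can tell whether the burst of failures was followed by a success from the same source, which is the event that actually needs attention.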
The system and its applications use secure authentication methods.
Application developers must develop applications using secure authentication methods,
whenever possible.
Application developers should avoid creating applications which store passwords. If
password storage cannot be avoided, application developers must ensure that applications
do not store passwords in clear text or employ a readily decrypted form.
The system supports unique logins.
Applications should support unique logins. Additionally, role management (e.g. system
administrators, network administrators) should not require password sharing.
The system's applications use MyID or another existing UGA authentication method instead
of creating another unique ID or username. Authentication is done securely.
Applications, whenever capable, should use the UGA MyID and its associated password for
authenticating a member of the UGA community instead of creating another unique ID or username.
Only use the MyID in a secure fashion, i.e., no unencrypted logins. In special cases where
the use of the MyID/Password is not a capability, use existing UGA authentication services such
as RACF or Kerberos.
Passwords are not well-known identifying information such as a name or ID number.
Applications must not use well known or publicly posted identification information
as a password for authentication. Names, usernames such as the MyID, and ID numbers
such as the 810 or CAN are all examples of identification information that should not be
used as a password in an application.
Minimum Security Policy and Standards for Networked Devices
The system has all applicable security patches installed within 2 weeks of release.
University networked devices must have all applicable security updates installed
within 2 weeks of the patch release date. The purpose of patching is risk
reduction; if the risk is eliminated by another method, this is acceptable.
Defense in depth (i.e. utilizing patching along with other strategies) is
highly recommended. Exceptions may be granted in accordance with the
UGA Minimum Security
Standards for Networked Devices Policy.
The system has updated anti-virus software installed (if applicable).
Anti-virus software must be used and kept up-to-date on every device attached to
the UGA Network including personal computers, file servers, mail servers, and
other types of networked devices. Units may choose to implement an alternative
to the site-licensed anti-virus software
provided by UGA as long as it has equivalent capabilities. Exceptions may
be granted for special-purpose devices which would not be significantly
protected by an anti-virus package, e.g. a Domain Name Service - DNS
server or other device that does not interact with user files.
The system uses a host-based firewall (if applicable).
Host-based firewall software must be used and kept up-to-date on every device
attached to the UGA Network including personal computers, file servers, mail
servers, and other types of networked devices. Units may choose to implement an
alternative to the site-licensed anti-virus software
provided by UGA as long as it has equivalent capabilities. While the use
of departmental firewalls is encouraged, they do not necessarily prevent the
need for host-based firewalls.
Access to the system is password authenticated.
UGA Network resources must identify users and authorize access by means of
passwords or other secure authentication processes (e.g. biometrics or Smart
Cards). When passwords are used, they must meet the
UGA Password Standard. All default and initially assigned
passwords for access to network-accessible devices must be modified. Devices
like switches and printers should have restricted access lists if possible.
Authentication must be done over encrypted channels such as HTTPS, SFTP, SSH, and encrypted IMAP.
Traffic across the university network may be surreptitiously
monitored rendering unencrypted authentication mechanisms vulnerable
to compromise. All networked devices must use only encrypted
authentication mechanisms unless otherwise authorized by the UGA
Office of Information Security.
Services that utilize unencrypted authentication such as Telnet,
File Transfer Protocol (FTP), Simple Network Management Protocol (SNMP),
Post Office Protocol (POP), and Internet Message Access Protocol (IMAP)
must be replaced by their encrypted equivalents, or implemented in a
secure manner such as traveling through an end-to-end secure tunnel or
operating on a completely private network. Hyper-Text Transfer Protocol Secure
(HTTPS) must be used for web-based authentication; a trusted certificate
authority is highly recommended.
The system does not allow unauthorized SMTP relays.
Email devices must not provide a Simple Mail Transfer Protocol (SMTP)
service that allows unauthorized third parties to relay email message
where neither the sender nor the recipient is a local user. Before
transmitting email to a non-local address, the sender must authenticate
with the Simple Mail Transfer Protocol (SMTP) service. Restricting the Internet
Protocol (IP) address or the domain is insufficient. There may be a
special need for an unauthenticated relay service (such as the UGA
mail gateway service); any exceptions must be authorized by the
UGA Office of Information Security.
The system does not act as an unauthenticated proxy server.
Unauthenticated proxy servers may enable an attacker to execute
malicious programs on the server in the context of an anonymous
user account. Therefore, unauthenticated proxy servers are not allowed
on the UGA network; any exceptions must be authorized by the UGA
Office of Information Security.
In particular, software program default settings in which proxy
servers are automatically enabled must be identified by the system
administrator and reconfigured to prevent unauthenticated proxy
services. For more information on the types of software typically used
for proxy services, see the "Implementation Guidelines for the
Minimum Standards for Security of UGA Networked Devices".
The system auto-locks after 20 minutes of inactivity.
Unauthorized physical access to an unattended device can result in harmful
or fraudulent modification of data, fraudulent email use, or any number of
other potentially dangerous situations. In light of this, where possible and
appropriate, devices must be configured to "lock" and require a user to
re-authenticate if left unattended for more than 20 minutes.
The system does not run unnecessary services.
Unnecessary services must be disabled; avoid installing unused services.
Guidelines for Trusted Computing
Responsibility for the security of the system is assigned.
The sensitive system should be managed by a designated part of the organization,
and responsibility for the security of the system should be assigned to an individual.
If a sensitive system is managed by a 3rd party or external entity,
ensure that proper contractual agreements are in place that assign responsibility
for security of the system.
Employees who access the system are screened.
A background check should be conducted prior to employment or before a change of employment for all employees,
contractors, or 3rd party users who would operate or have access to the sensitive system.
Procedures exist to revoke or update system access after employment changes.
After termination, change of employment, or change in contract or duties, the access
rights of all employees, contractors and third party users to the sensitive system
should be revoked or updated appropriately.
The UGA Human Resources
Exit Checklists provide detail on the required steps for transfer or termination.
The system is physically secure.
Sensitive systems should be hosted in an area that
protects the system from unauthorized physical access. The principle
of least privilege (the idea that individuals should only have the access or privileges
necessary to perform their job or purpose) should be applied to physical access.
Barriers such as walls, barred windows, card controlled or lockable doors, manned reception
desks, etc. can all be used to ensure that an area is physically secure.
Removable media is protected.
Media containing sensitive information should be protected against unauthorized access,
misuse or corruption in storage and/or during transportation beyond the organization's
physically secure area boundaries. Encryption should be considered for all removable
media that contains sensitive information.
Truecrypt is a free tool that
can be used for whole disk or file encryption. Hardware encryption is another emerging
option for encryption. Both Ironkey and
Lexar are secure
USB flash drive products.
Media is disposed of securely when no longer needed.
Media containing sensitive information should be disposed of securely and safely when
no longer required, using formal procedures.
Sensitive systems should have a dedicated computing
environment to support the principle of least privilege (the idea that individuals should
only have the access or privileges necessary to perform their job or purpose), minimize
potential vulnerabilities, and reduce the risks of unauthorized access or misuse.
For example, web servers and database servers should have separate, dedicated computing
environments rather than running on the same server. Development and production environments
should also be separated.
Network access is limited to the least access needed for the system to perform its function.
Network access to sensitive systems should be limited
as appropriate to ensure least access to the system and to prevent unauthorized access to
the networked system.
For example, a firewall may be deployed to limit connections to a
web server to legitimate web traffic only, or a system may be assigned a private, non-routable
IP address to assure local network communication and restrict Internet communication.
The system should be appropriately separated from other systems and services on the local network.
For example, a database server might only allow network connections from a web server that it
supports.
Appropriate authentication methods should be used to control access by remote users connecting
from shared or external networks. For example,
UGA's enterprise VPN service can be used to authenticate users and allow access to the
core UGA network from the Internet.
User accounts and privileges are controlled ensuring that individuals have the least access
necessary to perform their assigned roles.
The allocation and use of user account privileges on sensitive systems
should be restricted and controlled in accordance with the
principle of least privilege (the idea that individuals should only have the access or
privileges necessary to perform their job or purpose)
to reduce opportunities for unauthorized or unintentional modification or
misuse of the system. There should be a formal registration process for user accounts and
users should have a unique identifier (user ID/login name) that is assigned for their personal
use only and not shared. User privileges should also be reviewed at regular intervals.
The UGA MyID and Password is the recommended unique
identifier and password for most applications and systems.
Authentication is secure.
Access to sensitive systems should be controlled by a secure/encrypted log-on procedure.
Passwords should be assigned appropriately and in compliance with the
UGA Password Policy.
Controls are in place to limit sessions and to prevent session hijacking.
Restrictions on connection times should be used to provide additional security for
sensitive systems. Inactive sessions should expire after a defined period of inactivity.
System inputs and outputs are validated.
Input and output data validation checks should be incorporated into sensitive system
applications to prevent corruption of information through error or misuse, and to minimize vulnerabilities.
Web applications in particular are subject to many threats that take advantage of insecure
input and output validation practices.
The Open Web Application Security Project (OWASP) can be consulted for help on validating data
in web applications.
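One concrete form of the input and output validation called for above is an allowlist: each field a web application accepts has a declared format, anything that does not match (or any field that was not expected) is rejected before it reaches application logic, and values are still encoded when placed into output. The following is an added example for this page, not UGA code and not an OWASP library; the field names and formats belong to a hypothetical campus web form and are assumptions for the example.

```python
import html
import re

# Allowlist patterns for a hypothetical form (names and formats are assumptions, not UGA definitions).
FIELD_RULES = {
    "myid": re.compile(r"[a-z][a-z0-9]{1,19}"),          # assumed shape of a login name
    "term": re.compile(r"(spring|summer|fall)-\d{4}"),    # e.g. fall-2024
    "rows": re.compile(r"[1-9]\d{0,2}"),                  # 1 to 999
}


class ValidationError(ValueError):
    """Raised for any input that does not match the allowlist."""


def validate(form):
    """Validate a submitted form (dict of str -> str) and return a cleaned copy.

    Unknown fields, missing fields and malformed values are all rejected; the
    numeric field is converted only after it has matched its pattern.
    """
    unknown = set(form) - set(FIELD_RULES)
    if unknown:
        raise ValidationError(f"unexpected fields: {sorted(unknown)}")
    missing = set(FIELD_RULES) - set(form)
    if missing:
        raise ValidationError(f"missing fields: {sorted(missing)}")
    clean = {}
    for name, pattern in FIELD_RULES.items():
        value = form[name]
        # fullmatch rather than match/search: a trailing newline or extra text must not slip past.
        if not isinstance(value, str) or not pattern.fullmatch(value):
            raise ValidationError(f"field {name!r} is malformed")
        clean[name] = value
    clean["rows"] = int(clean["rows"])
    return clean


def render_greeting(clean):
    """Output validation: values are HTML-escaped even though they passed input checks,
    so the output is safe regardless of how the allowlist evolves later."""
    return (
        f"<p>Hello, {html.escape(clean['myid'])}: showing {clean['rows']} rows "
        f"for {html.escape(clean['term'])}</p>"
    )


def errors_for(form):
    """Convenience wrapper: the validation error message, or None if the form is clean."""
    try:
        validate(form)
        return None
    except ValidationError as exc:
        return str(exc)


if __name__ == "__main__":
    good = {"myid": "jdoe", "term": "fall-2024", "rows": "25"}
    print(render_greeting(validate(good)))
    print(errors_for({"myid": "<b>jdoe</b>", "term": "fall-2024", "rows": "25"}))
```

Validating on the way in and encoding on the way out are separate controls, and both are kept: the allowlist stops malformed data from reaching queries or files, while the output encoding protects the page even for values whose allowed format later widens to include characters that mean something in HTML.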
The system is protected against malicious code.
Detection, prevention, and recovery measures to protect against malicious code and
appropriate user awareness procedures should be implemented.
F-Secure is freely available to the UGA community and provides
anti-virus, host-based firewall, host-based intrusion detection, and anti-spyware functionality.
System activity is logged and monitored.
System administrator and system user activities should be logged and monitored on sensitive
systems to help detect unauthorized information processing
activities. Faults should also be logged, analyzed and appropriate action taken.
All logging systems and log information should be protected against tampering and
unauthorized access, and the system clocks of the system and all relevant logging systems
should be synchronized with an agreed accurate time source.
There is a change management process in place.
Changes to sensitive system should be
controlled by a formal process. Changes should be reviewed, documented and tested to ensure
there is no adverse impact on the operation or security of the sensitive system.
Technical vulnerabilities are identified and managed routinely.
Vulnerabilities in sensitive
systems should be identified, evaluated, and appropriate measures taken to minimize the
risk of unauthorized access to or misuse of the system. Sensitive systems should be
patched in a timely manner and unnecessary services should be disabled to minimize potential
technical vulnerabilities. When sensitive systems are being developed and implemented,
known vulnerabilities should be accounted for.
Units can participate in the
Campus Vulnerability Management service to receive scheduled vulnerability
reports and remediate plans, or use the secure configuration checklists such as
UGA's CheckIT or
SANS SCORE to help manage
technical vulnerabilities.