Controls- Protecting Public Information

Title: Controls- Protecting Public Information
Approved by: Office of the President
Date approved by President or Board of Trustees: October 4, 2016
Effective date: October 4, 2016
Responsible Official: Chief Information Security Officer 
Responsible University Office: UTech Security and Policy
Revision History: 2
Related legislation and University policies: 

Review Period: 3 Years
Date of Last Review: August 21, 2024
Relates to: Faculty, Staff, Students, Alumni, affiliate account holders

Summary

As a risk mitigation action for enterprise-wide information protection, the CWRU standard network host configuration guides users and administrators on the basic requirements that must be met by all networked hosts on the CWRU networks, based on Information Categories (Public, Official Use, or Restricted).

This Procedure applies to all information technology systems that use the CWRU network infrastructure. It is designed to support the CWRU Information Security Policies and to be auditable.

Purpose

General

As a risk mitigation action for enterprise-wide information protection, the CWRU standard network host configuration guides users and administrators on the basic requirements that must be met by all networked hosts on the CWRU networks, based on Information Categories (Public, Official Use, or Restricted).

Public Information baseline standards are considered to be the minimum security configuration standards.

Administrative Controls

  1. Registration. All hosts (personal computers, servers, printers, etc.) on CWRU networks are required to be registered in accordance with the Network Management Policy. When practicable, the registration process will include the intended information category for each host. Registration is not required for the use of the CaseGuest wireless network, but is recommended. Wireless registration can be performed by calling the CWRU Help Desk at (216) 368-4357 or by using the online portal at your first connection.
  2. Responsibility. All persons who register hosts on CWRU networks are fully responsible for protecting information and infrastructure from security threats by implementing applicable security controls commensurate with the information types used on the host.
  3. Awareness. All users and registered owners for Public Information systems should complete security awareness training and maintain familiarity with network-based security threats to their systems and information. A guide to security awareness can be found at SecurityAware.case.edu.

Technical Controls

  1. Login Screen. All hosts that support a login screen shall be configured to require individual users to log in with credentials (e.g. username and password). Hosts shall not be configured to auto-login. Special exceptions for managed kiosk devices will be made on a case-by-case basis, and must be approved by Information Security.
  2. Basic Hardening. All hosts shall undergo some basic hardware and operating system assessment and configuration to assure that default options do not permit easy and rapid host compromise. Basic hardening can be implemented via local policy, or via a managed network environment (e.g. Active Directory Group Policy). Specific examples include:
    1. Minimizing unnecessary network-based services and ports. The use of the CIS Critical Security Controls can be a key guideline in hardening a host at this level.
    2. Using an account with normal User privileges for daily operations, and using an account with Administrator or root privileges only when needed for system maintenance.
    3. The Center for Internet Security also has tools and resources to aid in configuring hosts securely. Assistance may be obtained from the Information Security Office (security@case.edu).
    4. Additional configuration checklists can be found here.
  3. Firewall. All hosts which support a host-based firewall shall have it operate in a manner to mitigate common network-based attacks.
  4. Operating System and Software Security Updates. When applicable, all hosts shall be configured to receive and implement security updates to the operating system and other software within a time frame of 2 months after the release of updates by software vendors. This requirement can be met simply by enabling automatic software updates. Software feature updates are not in the scope of this requirement.
  5. Anti-Virus Software. All Windows-based hosts have a supported anti-virus application, and thus shall have anti-virus software installed and enabled for automated signature updates. For non-Windows hosts that have a supported anti-virus application, the installation of this software is recommended. At a minimum, users should conduct full system scans on a monthly basis.
  6. Anti-Spyware. Anti-spyware software is recommended for all users who use web-based resources. The CWRU Help Desk lists available anti-spyware.
  7. Anti-Theft Utilities. For mobile systems (e.g. tablet PC, notebook computers, PDAs, etc.), anti-theft technologies are highly recommended. Locking cables are highly recommended. Software-based tracking services are also recommended.
  8. Data Backup. Public Information that is of value to the user should be retained in a backup capability to mitigate the impact of hardware failure, loss, and theft.
  9. Data Loss Protection. Systems intended solely for processing Public Information must be free of Restricted Information. Therefore, everyone using such systems should take care to identify and remove any Restricted data (such as SSNs) to eliminate the risk of data loss or disclosure.

Responsibility

CWRU End Users: Assure controls based on CWRU information categories are implemented.

CWRU UTech Security Staff: Monitor security risks on a continual basis and regularly update the procedural controls based on changing security threat scenarios.

CWRU Registered System Owners: Assure that Public Information controls are applied where applicable. Take reasonable steps to remove Internal Use Only and Restricted data from Public Information systems.

Definitions

Host: Any network-capable device utilizing network services. A host may be a personal computer, a network appliance, a server resource, a printer, a scanner, or a copier.