Home  ›  Policies  ›  Computer
 
[Graphic Version]
 

Computer Management Procedures

Computer Management PROCEDURES  (preliminary draft - including unedited user comments)

These procedures comply with the requirements of the Computer Management Policy.

Requirements for Computers Connected to the USU Network:

  • Every computer must have all used network card IDs (MAC addresses) registered in USU’s Domain Name Server/DHCP database.
  • Every USU computer must either use USU IT's DHCP servers or it must configure its network interfaces in a manner consistent with the registration data in USU's IT DHCP servers.
  • Contact information for the system administrator and end user must be kept current in the database. [How can this be checked by someone outside IT? - wait for the new registration system!]
  • Every computer must have its operating system and software applications fully patched and updated within 24 (?) hours after the availability of the patches and updates. If a patch requires a reboot, the computer should not be used until rebooted. A computer that has been disconnected for an extended period of time should be patched and updated immediately on reconnect. [What about systems in continuous use that cannot be taken down whenever a vendor happens to release a patch but must be updated during a scheduled outage at a low demand time?] [This needs to differentiate between critical and non-critical patches as well as those boxes used for testing, or not connected to the network - that's why it says "connected to the network" up at the top!]
  • Every Windows computer must run virus blocking software. USU has a site license for virus protection software on many operating systems.
  • Every Windows computer must run spyware/adware detection software [Why? There are fairly easy steps to eliminate spyware -- don't run as admin, use firefox or protected mode IE. May also want to note that McAfee includes optional anti-spyware]
  • Every computer must have unprivileged user access, for routine use, separate from privileged administrator access.
  • Every computer must have a firewall configured to block network access that is not required for the expected uses of the computer. All externally accessible system services not required by the user should be disabled.
  • Computers that are not used to provide network service to others should be powered off when the user leaves at the end of a work shift.
  • Computers that are used to store or access personal identifying information must be managed to a more secure standard. For example, they should not be used for peer-to-peer filesharing purposes. P2P often exposes some or all of the disk structure to unlimited outside access. They should not be used for personal/recreational web surfing, which exposes the computer to more web-based intrusions and "social engineering" enticements.  They should have stronger passwords.
  • Computers that are shared by multiple users in turn should be re-imaged between users so that the indiscretions of of one user do not affect the next.
  • Computers that are used for specific research or teaching purposes that preclude complying with other procedural requirements above should have alternate protections applied to achieve equivalent results of security and authenticity. These alternate procedures should be developed in conjunction with IT security staff so that any apparent vulnerabilities are known to be addressed.

Do we need to distinguish between computers that provide widely accessed server/daemon functionality and computers that are just clients for individual users? [Yes.]

Computers (and other devices) Providing Network Services:

 

Computers Used Only as a Client by an End-user at the Keyboard:

 

All-in-One Devices:

Copy/Scan/Fax/Print devices contain fully functional processors with operating systems, memory and hard disks.  They are vulnerable to attacks by hackers who can gain control of the resource and any information recently copied, scanned, faxes or printed on the device.  They need to be kept patched with vendor updates, need secure passwords and need to be registered with non-routed IP addresses unless access from outside of usu.edu is required.

Consequences of Inadequate Computer Management:

The Network Security Team monitors network traffic for patterns that indicate activity by compromised computers and scans connected computers for vulnerabilities due to lapsed patching and updating, in compliance with the Network Monitoring & Vulnerability Scanning Policy.  Vulnerable computers may be scheduled for disconnect after contacting the registered user.  Compromised computers may be disconnected immediately to protect the resource, with after-the-fact notification to the registered user.

 

GUIDELINES

Recommended “Internet Skeptic” Practices to Guard Against Vulnerabilities:

[Rob is right, these aren't Computer Management issues, but Appropriate Use issues. I guess I just can't resist throwing them at users every chance I get. Is that so bad?]

  • NEVER open any files or macros attached to an email from an unknown, suspicious or untrustworthy source. Delete these attachments immediately, then "double delete" them by emptying your Trash.
  • Delete spam, chain, and other junk email without forwarding, in compliances with USU's Appropriate Use Procedures and Standards.
  • Never download files from unknown or suspicious sources, including unfamiliar web sites or unexpected email messages
  • Avoid direct disk sharing with read/write access unless there is an absolute business requirement to do so.
  • Back-up critical data and system configurations on a regular basis and store the data in a safe place.
  • New viruses, worms, Trojans and other vulnerabilities and compromises are discovered daily. Be suspicious of anything novel.

How to Modify this Document

Proposed changes can come from a variety of sources including: central IT staff, campus-wide computer support staff (Network-Managers members), IT Users Advisory Committee members.  A member of any of these groups may bring forward a proposal from any member of the university community.  After proposals are discussed by those groups the modification will be approved or rejected by the IT Team Coordinators.

 

Here are Indiana University Computer Management Procedures from http://informationpolicy.iu.edu/policies/IT12.shtml

 

Procedures

The following are generalized goal-oriented requirements; some may have multiple methods or solutions. Attending to these is important for all systems, but is ABSOLUTELY CRITICAL for those systems that support vital business functions and/or host sensitive personal or institutional information.

(Numbers do not indicate sequence or priority; they merely provide a method to reference specific items.)

For a computer system to be managed securely, functional unit management must:

  1. Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.
  2. Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, systems software, programs and other associated components of the systems to which they are assigned.
  3. Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (compromise of local or other systems, damage to data or systems, disclosure of sensitive data, potential legal liability for the department and Indiana University, possible loss of Federal and other funding for the department and Indiana University, etc.).
  4. Provide necessary initial and refresher training to technicians as hardware or software components are revised or added.
  5. Ensure that assignments and job plans account for time required for systematic and periodic audit and maintenance of systems.

For a computer system to be managed securely, functional unit technicians must:

  1. Fully understand the sensitivity of the function or operation being supported by the system and the data being stored and/or manipulated on the system.
  2. Not choose operating systems that are known as being difficult to maintain and secure.
  3. Use technical tools to take an image of any freshly installed operating systems in order to speed recovery in the case of a system compromise.
  4. Remove or disable unneeded services and software, especially those that are network-accessible.
  5. Log activities on the system:
    1. Successful user logins, including the location from which the logins originated,
    2. Unsuccessful login attempts, including the location from which the attempts originated,
    3. Unsuccessful file access attempts, and
    4. Successful file accesses for files and databases containing sensitive information.
  6. Disable or secure remote access from system-to-system (e.g., rlogin).
  7. Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within a timeframe commensurate with the level of risk (i.e., within 24 hours for high-risk, with 48 hours for medium-risk, and within 72 hours for low-risk).
  8. Encrypt stored sensitive data where possible to minimize disclosure if the system is compromised.
  9. Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is protected in transit.
  10. Deploy encrypted communications methods (e.g., Secure Shell) for user access to the system and for access via privileged accounts (e.g., "root") from other than the console.
  11. Technically limit access to local network addresses where possible (e.g., TCPWrappers) given the function or process being supported.
  12. Scan computers for security vulnerabilities using available technical tools:
    1. regularly, at least every 30 days to ensure new vulnerabilities are identified promptly,
    2. immediately after installation/configuration of a new system is completed,
    3. immediately after introduction of a new operating system or an upgrade to a current operating system, and
    4. immediately after installation or upgrade of networking or other system software.
  13. Install and maintain anti-virus software on operating systems for which Indiana University has licensed such software, and maintain current virus pattern files.
  14. Subscribe to vendor and other advisory services applicable to the operating environment being maintained.
  15. Periodically visit the web site of the ITSO to view current bulletins or to obtain recent security guides and other related material.
  16. Provide access to only those persons who are otherwise eligible to use Indiana University technology resources, and require all users be identified and authenticated before access is allowed.
  17. Limit access to needed services to only authorized persons.
  18. Use different passwords for privileged accounts ("root", for example) on various systems being maintained by the same technician(s).
  19. Perform day-to-day work as a non-privileged user and only use privileged accounts for tasks that require additional capabilities.
  20. Ensure that all accounts require a password, and if technically possible, that there are automatic routines (dictionaries, pattern enforcers, etc.) that force the user to choose a good password initially and each time the password expires.
  21. Implement a system such that all re-usable passwords are not sent over the network in clear-text, where technically possible.
  22. Securely remove data from media once that data and/or device is no longer required, in order to prevent unauthorized disclosure of the data.

Intrusion attempts, security breaches, or other technical security incidents perpetrated against University-owned computing or other information technology resources either attached to an Indiana University-operated telecommunications network or freestanding in a University office must be reported to the Incident Response team. Functional unit managers and/or technicians must:

  1. Report any successful security breaches in order to obtain assistance, advice, or (minimally) for file in the central incident database.
  2. Report any systematic unsuccessful attempts (e.g., login attempts, .probes. or .scans.).
  3. Where feasible given the circumstances, reports should be sent as soon as the situation is detected; minimally the report should be sent as soon as possible thereafter.

Upon receiving a report of a security incident, the UIPO Incident Response Coordinator will:

  1. Ensure that appropriate information is collected and logged per applicable procedures.
  2. Immediately assess actual or potential disclosure or inappropriate access to institutional or personal information.
  3. Report the situation to the University Information Policy Officer and/or the University Information Security Officer.
  4. Consult with and/or assign the incident to an UISO security engineer for further investigation as necessary.
  5. Provide preliminary advice or comment to the functional unit technician as required.
  6. Initiate steps to warn other Indiana University technicians if it appears that the situation has the potential to affect other University systems as well.
  7. Perform or assist in any subsequent investigation and/or perform computer forensics as required.

Upon receiving a report of a security incident, the University Information Policy Officer and/or University Information Security Officer will:

  1. If circumstances dictate, report to the Vice President for Information Technology and Chief Information Officer (VP/CIO).
  2. If circumstances dictate, contact the senior manager of the department or agency involved.
  3. If circumstances dictate, report and/or consult with Internal Audit, University Counsel, University Police, or other appropriate agencies.
  4. Ensure that appropriate records are filed.
  5. Confirm actual or probable disclosure or inappropriate access to institutional or personal information.
  6. Invoke formal incident response procedures commensurate with the situation.

The functional unit managing a system that has been compromised is ultimately responsible for making the determination if the system will be only restored and operations resumed, or if pursuit of the perpetrator is feasible and appropriate based on possible continued affect on operations. Such investigation may be requested by law enforcement, and University Counsel must be consulted to see if any such request is legally binding before a contrary decision is made to only recover the system and restore the service.

The functional unit managing a system that has been compromised is responsible for all monetary, staff, and other costs related to investigations, cleanup, and recovery activities resulting from the compromise, response, or recovery.

In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Information Policy Officer or Information Security Officer may place limits or restrictions on technology services provided on or from any University-owned or -managed system and network.

  • Limitations may be implemented through the use of policies, standards, and/or technical methods, and could include (but may not be limited to) usage eligibility rules, password requirements, or restricting or blocking certain protocols or use of certain applications known to cause security problems.
  • Restrictions may be deployed permanently based on continuing threat or risk after appropriate consultation with affected constituents, or they may be deployed temporarily, without prior coordination, in response to an immediate and serious threat.
  • Restrictions deployed temporarily will be removed when the risk is mitigated to an acceptable level, or where the affect on University functions caused by the restriction approaches or exceeds risk associated with the threat, as negotiated between the affected constituents and the Information Policy Officer or Information Security Officer.

In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Information Policy Officer or Information Security Officer may unilaterally choose to virtually isolate a specific University system from University, campus, or external networks, given:

  1. Advance consultation with the appropriate campus Chief Information Officer, where practical and where circumstances warrant.
  2. Information in-hand reasonably points to the system as having been compromised.
  3. There is ongoing activity associated with the system that is causing or will cause damage to other University systems or data or to assets of other internal or external agencies, or where there is a medium-to-high risk of such damage occurring.
  4. All reasonable attempts have been made to contact the responsible technicians or department management, or such contact has been made the technician or department managers are unable to or choose not to resolve the problem in a reasonable time.
  5. Isolation is removed when the risk is mitigated to an acceptable level, or where loss of access or function caused by the isolation approaches or exceeds risk associated with the threat, as negotiated between the responsible functional manager and the Information Policy Officer or Information Security Officer.

Reports of security incidents should be sent to it-incident@iu.edu.

Technology policies can be found at the Web site of the University Information Policy Office

Security resources and other security-related materials can be found at the Web site of the University Information Security Office.

For situations requiring immediate assistance or response by security engineers, local campus computing support centers and helpdesks have paging information for ITSO staff. A response from ITSO should be expected with 15-30 minutes. Where local support centers are not open or available, contact the Wrubel Computing Center at 812-855-9910.

 

Here are the guidelines from Oakland University  for the role of a computer system administrator:

a.      Responsibilities to the University

The system administrator should use reasonable efforts:

·        To comply with the Policy for Use of University Information Technology Resources, with the technical direction and standards established by University Technology Services, and with other guidelines or standards defined by the unit.

·        To promulgate information about specific policies and procedures that govern access to and use of the system, and services provided to the users or explicitly not provided.

·        To take precautions against theft of or damage to the system components and data, and to report such events to appropriate areas when such events occur.

·        To treat information about, and information stored by, the system's users in an appropriate manner and to take precautions to protect the security of a system or network and the privacy, confidentiality and quality of information contained therein.

·        To cooperate with the system administrators of other information technology resources, whether within or without the University, to find and correct problems caused on another system by the use of the system under his/her control. 

b.     Copyrights and Licenses

Systems administrators must respect and enforce copyrights and software licenses.  All software protected by copyright must not be copied except as specifically stipulated by the owner of the copyright or otherwise permitted by copyright law. Protected software may not be copied into, from, or by any University facility or system, except pursuant to a valid license or as otherwise permitted by copyright law.  The number and distribution of copies must be handled in such a way that the number of simultaneous users in a department does not exceed the number of original copies purchased by that department, unless otherwise stipulated in the purchase contract.    

c.      Modification or Removal of Equipment

System administrators must not attempt to modify or remove computer equipment, software, or peripherals that are controlled or administered by others without proper authorization.   Information technology resources that are retired, disposed or transferred to another location must have all data and licenses removed prior to release of the equipment.  Equipment must be disposed using methods approved by Property Management. 

d.     Data backup services

System administrators must perform regular and complete backup services for the systems they administer, or they must work with University Technology Services administrators to add their system to a larger university backup structure.  System administrators will describe the data restore services, if any, offered to the users. A written document given to users or messages posted on the computer system itself shall be considered adequate notice. 

e.      Investigate possible misuses

A system administrator may be the first witness to possible misuse as described in the Policy of Use of University Information Technology Resources and as such the administrator must comply with the guidelines for handling misuse as set forth in that document.  Systems administrators will report security breaches according to procedures defined in the Policy for Use of University Information Technology Resources immediately upon discovering the breach.  Systems administrators will immediately investigate any possible breach reported to them by the University Technology Services.  System administrators should maintain appropriate system logs for a minimum of 48 hours and not more than 30 days if such logs enable the identification of a person.  Logs that do not identify a user or person may be kept as needed by a system administrator.   Be aware that any log is subject to subpeona or other legal process.   

f.        System integrity

Systems administrators are responsible for maintaining all aspects of system integrity, including obtaining releases and fixes that assure the currency of operating system upgrades, installation of patches, managing releases, installation of anti-virus software, updates of virus definitions, and the closure of services and ports that are not needed for the effective operation of the system.  Prompt renewal of vendor hardware and software agreements is required.  Absence of a vendor support contract does not mean that the University Technology Services is able to repair and restore systems without prior agreement or notice.  Systems administrators must make every effort to remain familiar with the changing security technology that relates to their system and continually analyze technical vulnerabilities and their resulting security implications. 

g.     Access account integrity

Systems administrators will manage access accounts on a timely basis, providing new accounts and removing old accounts in a prompt manner.  Accounts will be disabled and deleted based on the access rules for the environment and in compliance with all licensing.  Systems administrators will assure that good passwords are used and that passwords are changed frequently, within the limits of the system environment.  System administrators will ensure that accounts can be traced to an individual person (or a group of people in the case of group accounts) and that the accounts have system access that match the authorization of the user.  Stored authentication data (e.g., password files, encryption keys, certificates, personal identification numbers, access codes) must be appropriately protected with access controls, encryption, shadowing, etc. - e.g., password files must not be world-readable. 

h.     Network Consistency

Systems administrators will implement systems in compliance with the overall university structure for Internet Protocol (IP) addressing, domain services, wireless connectivity strategies, and directory services, as established by the University Technology Services. 

i.        Removal from the network

For the purpose of assuring all university network users a sound environment, and to meet the university expectations for network services, a system found to be in non-compliance with the Policy for Use of University Information Technology Resources may be removed from the university network.  When immediate disconnection is not necessary, system administrators will still be expected to take prompt action, to diagnose the problem, to stop any ongoing abuse, and to make whatever changes are needed to prevent reoccurrence. Generally this will involve adopting "best practices" for security. This process should preserve any evidence that might be needed to locate the source of the problem and take any legal or disciplinary action that might be appropriate.  System administrators may be asked to demonstrate compliance to this document and to the Policy for Use of University Information Technology Resources before network services are restored after a documented instance of non-compliance.