Security requirements can vary considerably depending on the assets at risk and the potential threats to these assets. Implementing and maintaining security may not be particularly difficult or expensive if the asset is easily replaced or if there are few threats that could create a compromise. At the same time, maintaining security for highly sensitive information can be very resource intensive. The objective of doing a review is to determine real requirements and then evaluate whether policy and procedures match these requirements.
This document identifies responsibilities specific to Data Trustees, System Administrators, and Application Administrators. These are separately defined responsibilities; only in particular circumstances are they actually job titles or separate positions.
What assets are at risk and what are the exposures and threats to these assets?
Data Trustees are responsible for collections of University Information. Information that may require protection includes BUIDs, curriculum, directory, registration, financial information, etc. The risks to this information may include unauthorized access, information disclosure, and loss of integrity. Legal issues and requirements should be considered.
System Administrators are responsible for use of their system. All systems on the Campus Network must be protected against use of Ethernet “sniffing”, login spoofing, or other techniques designed to capture account names and passwords. System Administrators must also implement security adequate for requirements of any Data Trustee whose information resides on their system. System Administrators should also consider the sensitivity of correspondence, coursework, grant proposals, etc. as well as the operational requirements of those who use and depend on the system.
Application Administrators need to evaluate access control for sensitive information. Important applications to consider include databases, FTP servers, World Wide Web (WWW) servers, print servers, network file systems (e.g. NFS) and other peer-to-peer networking applications that implement direct network access independent of access control on the server system.
There are many different kinds of assets that may require protection. The following issues apply to all Data Trustees, System Administrators and Application Administrators.
Typical issues that should be addressed in a security review
Note: This is intended to be a sample list; it is not a checklist.
Anyone with access to information that requires authorization must understand their respective responsibilities. Data Trustees, System Administrators and Application Administrators should therefore maintain and forward answers to at least the first three issues to all personnel they authorize to access University resources.
- What is proper use?
- Who is authorized to grant access and approve usage?
- What are the resource user’s rights and responsibilities? Consider:
  - Downloading data to non-mainframe systems (PCs, etc.)
  - Data redistribution to other individuals
  - Maintenance and removal of downloaded data
  - Removal of unnecessary data
- Who is allowed to use or access the resource? This may be specific individuals or positions, or it may be sufficient to identify categories (e.g. Students, Faculty, Staff, Consultants, Guests).
- Who may have system administration privileges?
- Is the operating platform adequately secure? Different kinds of systems have different security capabilities. Consider whether the platform is adequate to the requirements.
- Is the operating platform adequately maintained? All applications and operating systems have vulnerabilities and flaws that are discovered and subsequently corrected over time. It is important to verify that these are maintained at current levels or that failure to do so does not represent a significant exposure.
- If encryption tools are available, identify measures needed to encrypt and decrypt data and to archive keys so data can be decrypted at a later date. Passwords can be reset, but if encryption keys are lost, data is unrecoverable.
Responsibilities of the Data Trustee
- Consider your legal responsibilities for the information to which you are the Data Trustee.
- Identify sensitive data and restrict access accordingly.
- Review access to that information. Is it still required?
- If you are in doubt as to the business need for access to that information, ask the requester to explain.
- Make it clear, where appropriate, that when information is downloaded to another platform, it does not mean that it may be accessed by anyone on that platform. It has only been authorized to the requester.
- Know what you are authorizing, to whom, and why.