9.0 Guidelines for Small Systems

The Guidelines outlined in this section are appropriate for small PC-based and stand-alone systems. The university should ensure that these minimum guidelines are respected for any external system that may have access to the system resources of the University (eg. remote access by researchers, students, etc.).

  1. Administration and Organisation
  2. Personnel
  3. Physical and Environmental
  4. Hardware
  5. Communications
  6. Software
  7. Operations


9.1 Administration and Organisation

  1. The organisation operating a small system (referred to in this section as the university) should adopt a written Security and Privacy Policy concerning the collection, processing, maintenance, retention, reproduction, destruction, storage, communication and release of university data.

  2. The university should designate an individual who will be responsible for ensuring that prudent security practices are maintained.

    Note: This individual should be a permanent employee of the university.

  3. The individual responsible for security should be consulted whenever there are additions, changes or deletions to the hardware/software/communications configuration of the system and/or the network to ensure that security requirements have been addressed.

  4. The university should conduct a Threat Risk Assessment on an annual basis.

  5. Contingency plans for system failure or destruction should be established.

  6. Procedures for dealing with security incidents should be established.

  7. The university should establish conditions and procedures for the access and release of university data to students/clients and third parties.

  8. University data must be accurate and current. Every reasonable step must be taken to rectify data that is inaccurate or incomplete.

    Note: Corrections to computerised university data should never delete or overwrite the original entry. The correction should append the revised data to the original entry, together with information identifying the individual who is making the correction, the date and time of the correction.


9.2 Personnel

  1. Prospective employees who may collect, access or otherwise use university data should be screened for knowledge of university information principles and demonstration of appropriate practice relating to university information issues, confidentiality and security. Reference checks and security clearances should be undertaken when appropriate.

  2. As a condition of employment, each employee should sign a witnessed and dated "pledge of confidentiality and privacy" indicating that they have been made aware of the small university's Security and Privacy Policy and the consequences of breaching the Security and Privacy Policy.

  3. Employees should attend a small computer systems security awareness program that includes information concerning the security vulnerabilities associated with the use of small computer systems.

  4. On termination or transfer of employment, the small university should:

    a) revoke access privileges (eg. user-IDs and passwords) to system and data resources,
    b) retrieve sensitive material including access control items (eg. keys and badges), and
    c) retrieve small systems-related hardware, software and documentation.


9.3 Physical and Environmental

  1. The university should implement measures to secure the physical area containing university data and computer equipment.

    Examples:

    a) Entrances to areas containing university data, hardware or software should be protected with secure doors and locking hardware.
    b) Walls of rooms containing university data, hardware or software should be constructed from the real floor to the real ceiling (eg. slab to slab).
    c) Access to areas containing university data, hardware or software should be restricted to authorised personnel.
    d) Access to areas containing university data, hardware or software should be secured in the absence of personnel authorised for the system.
    e) Surveillance methods, such as motion detectors and alarms, should be implemented for the areas housing the equipment.

  2. Removable media (eg. diskettes, magnetic tape) which is used to store university data should be stored in a secure container when not in use (eg. fireproof safe rated for storage of computer media). Where confidentiality is a concern, the data should be encrypted.

  3. Printer ribbons and cartridges, laser printer cartridges, and carbon paper should be:

    a) physically secured and controlled when the printer is left unattended;
    b) disposed of in an approved manner (eg. by burning or shredding); and
    c) suitably protected, including inventory control, while awaiting destruction.

  4. Arrangements should be made for the disposal of hardcopy waste containing university data by such means as shredding, mulching or burning.

  5. University data contained in magnetic or optical storage media (eg. hard disk, floppy diskettes, magnetic tapes, optical disks) should be destroyed by such means as overwriting, degaussing or burning.


9.4 Hardware

  1. An inventory of all system components should be maintained indicating model numbers, serial numbers and other unique identification numbers, the location, and the individual responsible for the equipment.

  2. A hardware configuration chart should be developed and maintained.

  3. Hardware maintenance personnel should be supervised by an employee of the small university.

  4. Where equipment maintenance requires the exchange or release of components (tapes, disks, diskettes, memory, EPROMS) which may contain university data, those components should not be released to the vendor unless the data has been erased or encrypted.

  5. Power surge suppressors and uninterruptible power supplies (UPS) should be installed in those localities which have a history of frequent significant power fluctuations.

  6. Where static electricity may affect the integrity and reliability of the data and programs processed and stored on the equipment, anti-static devices should be installed.

  7. Records of all hardware modifications, configuration changes and maintenance activities should be retained for a period of one year.

  8. To detect and prevent small systems from being infected by computer viruses, all newly acquired hardware, or hardware returned from maintenance, should be scanned for the existence of viruses.


9.5 Communications

  1. For local area networks, a configuration chart of the current data communications should be maintained.

  2. Where sensitive data is processed or stored on a system, or on a system which is part of a network, all communications with that system or network should be controlled. Where the local area network is connected to public networks such as the Internet, it should be protected by means of a firewall.

  3. Where unauthorised access is a concern, all unsuccessful system access attempts should be recorded and reviewed.

  4. When transmitting data where data integrity is a concern, an integrity code should be included with the data to verify that the data has not been altered during transmission.
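The integrity code in item 4 must be keyed if it is to detect deliberate alteration rather than only accidental corruption: a plain checksum can be recomputed by whoever altered the data. The following is an added example, not code from the CQU guidelines, showing a sender attaching an HMAC-SHA256 code and a receiver verifying it in constant time; the shared key and the JSON envelope format are assumptions of the example.

```python
import hashlib
import hmac
import json
from typing import Optional

# Constructed shared secret for the example (not from the document). In practice
# each sender/receiver pair is provisioned with its own key out of band.
SHARED_KEY = b"example-shared-key-not-for-real-use"


def attach_integrity_code(message: bytes, key: bytes = SHARED_KEY) -> str:
    """Sender side: compute HMAC-SHA256 over the message and ship both as JSON."""
    tag = hmac.new(key, message, hashlib.sha256).hexdigest()
    return json.dumps({"data": message.hex(), "mac": tag})


def verify_integrity_code(envelope: str, key: bytes = SHARED_KEY) -> Optional[bytes]:
    """Receiver side: recompute the code and compare in constant time.

    Returns the message if it is intact, or None if it was altered, the
    wrong key was used, or the envelope is malformed.
    """
    try:
        obj = json.loads(envelope)
        message = bytes.fromhex(obj["data"])
        claimed = obj["mac"]
        if not isinstance(claimed, str):
            return None
    except (KeyError, TypeError, ValueError):
        return None
    expected = hmac.new(key, message, hashlib.sha256).hexdigest()
    # compare_digest avoids leaking how many leading characters matched.
    if not hmac.compare_digest(expected, claimed):
        return None
    return message


def demo() -> dict:
    """Exercise the intact, altered-in-transit and wrong-key cases."""
    original = b"student_id=12345;grade=HD"
    envelope = attach_integrity_code(original)

    # Simulate alteration in transit: the data changes but the code does not.
    altered = json.loads(envelope)
    altered["data"] = b"student_id=12345;grade=F".hex()

    return {
        "intact": verify_integrity_code(envelope) == original,
        "altered_detected": verify_integrity_code(json.dumps(altered)) is None,
        "wrong_key_detected": verify_integrity_code(envelope, key=b"other") is None,
    }
```

The receiver must discard the data, not merely log a warning, when verification fails; returning None rather than the bytes makes the safe behaviour the default for callers.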

  5. The following steps should be taken when transmitting personal (including personnel) data or sensitive university related data by facsimile:

    a) The receiver should be notified by telephone that the data is being transmitted.
    b) The receiver should stand by to receive the data.
    c) The sender must take the utmost care to ensure the accuracy of the fax number dialled.
    d) The sender should transmit a cover sheet to accompany the personal (including personnel) data or sensitive university related data. The cover sheet should contain the following:

       i) name, address and phone number of the sender;
       ii) name, address and fax number of the receiver;
       iii) number of pages transmitted;
       iv) a notice that the data is confidential and is not to be copied or released without the prior written approval of the sender;
       v) the purpose for which the data is provided.

    e) Where there is frequent transmission between two points, or where faxes are sent to a fax mail-box, transmissions should be encrypted.

  6. Cellular telephones and other radio frequency communications should not be used for voice, facsimile or data transmission of university data unless the data is required urgently and no other alternative is available. Data transmitted over analogue cellular and other radio frequencies should be encrypted.

  7. Data transmitted by electronic mail or electronic data interchange (EDI) should be encrypted.


9.6 Software

  1. All acquired software should be examined for viruses, logic bombs or other extraneous malicious features.

  2. The university should strictly enforce the conditions of software licenses, and respect software copyright requirements.

  3. A current inventory should be maintained of all software (copyrighted/licensed/developed) and important (or shared) data.

  4. Where the user identification is authenticated, the user authentication information should not be displayed, and should be protected from unauthorised access.

  5. At the time of initial system access, the user should be informed of the date and time of the last successful log-on and any subsequent failed log-on attempts. The system should display a banner indicating that the user has accessed a private and restricted system, that all usage will be monitored, that all communications such as data and e-mail are not considered private, and that unauthorised activity may result in prosecution.

    If a user recognises that an unauthorised access attempt has been made using their user ID or password, the user should report the incident to the individual responsible for security and privacy matters.
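Item 5 here and item 3 of section 9.5 (record and review unsuccessful access attempts) both depend on the same log of log-on events. The following is an added example, not code from the CQU guidelines, that parses a constructed log format, produces the last-successful-log-on and subsequent-failures notice for a user's banner, and flags accounts whose failures since their last success reach a review threshold. The log line format, the sample lines and the threshold are assumptions of the example.

```python
import re
from datetime import datetime
from typing import Dict, List, Optional, Tuple

# Constructed sample log lines in a hypothetical format; not from the document.
SAMPLE_LOG = """\
2024-05-01T09:00:00 LOGON user=alice src=lab-pc-03 result=OK
2024-05-01T18:12:41 LOGON user=alice src=dialup-17 result=FAIL
2024-05-01T18:13:05 LOGON user=alice src=dialup-17 result=FAIL
2024-05-02T08:30:10 LOGON user=bob src=lab-pc-01 result=OK
2024-05-02T08:45:00 LOGON user=alice src=dialup-17 result=FAIL
2024-05-02T09:01:00 LOGON user=carol src=lab-pc-02 result=FAIL
this line is malformed and must be skipped
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) LOGON user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>OK|FAIL)$"
)


def parse_log(text: str) -> List[dict]:
    """Parse the constructed format into event dicts sorted by time; skip malformed lines."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        events.append({
            "when": datetime.fromisoformat(m["ts"]),
            "user": m["user"],
            "src": m["src"],
            "success": m["result"] == "OK",
        })
    return sorted(events, key=lambda e: e["when"])


def last_logon_summary(events: List[dict], user: str) -> Tuple[Optional[dict], List[dict]]:
    """Return the user's last successful log-on (None if never) and the failures after it.

    Call this before the log-on currently in progress is itself recorded as a
    success, otherwise the summary will describe the current session.
    """
    last_ok: Optional[dict] = None
    failures: List[dict] = []
    for ev in events:
        if ev["user"] != user:
            continue
        if ev["success"]:
            last_ok, failures = ev, []
        else:
            failures.append(ev)
    return last_ok, failures


def logon_banner(events: List[dict], user: str) -> str:
    """Banner text for the user at initial system access, as item 5 requires."""
    last_ok, failures = last_logon_summary(events, user)
    lines = [
        "This is a private and restricted system. All usage is monitored; data and "
        "e-mail on this system are not considered private. Unauthorised activity may "
        "result in prosecution."
    ]
    if last_ok is None:
        lines.append("No previous successful log-on is recorded for this account.")
    else:
        lines.append(f"Last successful log-on: {last_ok['when'].isoformat()} from {last_ok['src']}.")
    lines.append(f"Failed log-on attempts since then: {len(failures)}.")
    if failures:
        lines.append("If you do not recognise these attempts, report them to the security officer.")
    return "\n".join(lines)


def accounts_to_review(events: List[dict], threshold: int = 3) -> Dict[str, int]:
    """Accounts whose failures since their last success reach the threshold (for periodic review)."""
    flagged = {}
    for user in {ev["user"] for ev in events}:
        _, failures = last_logon_summary(events, user)
        if len(failures) >= threshold:
            flagged[user] = len(failures)
    return flagged
```

The review function is deliberately keyed on failures since the last success rather than total failures, so an account that was locked out and then recovered does not stay flagged forever, and a burst of failures against an account that has never logged on successfully is still visible.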

  6. A system development life cycle (SDLC) methodology should be implemented where custom software or modifications to commercial software packages are developed for the small university. The SDLC should ensure that:

    a) security concerns are addressed,
    b) test criteria are met prior to implementation of operational software,
    c) change control procedures for operational software are implemented, and
    d) discrepancies for all data and software are reported, monitored and resolved.


9.7 Operations

  1. A physical inventory of all storage media containing university data should be carried out at least annually.

  2. Where user identification and authentication mechanisms are used, procedures should be implemented which:

    a) control the issue, change, cancellation and audit of user identifiers and authentication mechanisms; and
    b) ensure that authentication codes or passwords are:

    - generated, controlled and distributed so as to maintain the confidentiality and availability of the authentication code;
    - known only to the authorised user of the account;
    - pseudo-random in nature or vetted through a verification technique designed to counter triviality and repetition;
    - no less than five characters in length;
    - one-way encrypted;
    - excluded from unprotected automatic log-on processes; and
    - changed at least annually.
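The password requirements in item 2(b) map onto three pieces of code: a vetting routine that rejects trivial or repetitive values, a generator that draws from a cryptographically secure random source, and one-way storage so the system never holds the password itself. The following is an added example, not code from the CQU guidelines; the minimum length is the guideline's stated five characters (a modern deployment would raise it), and the denylist, the PBKDF2 parameters and the storage string format are assumptions of the example.

```python
import hashlib
import hmac
import os
import secrets
import string
from datetime import date, timedelta
from typing import Optional

MIN_LENGTH = 5                  # the guideline's stated minimum; raise it for current deployments
MAX_AGE = timedelta(days=365)   # "changed at least annually"
PBKDF2_ITERATIONS = 200_000     # assumed work factor; tune to the hardware

# Constructed denylist of trivial values; a real deployment would use a large list.
TRIVIAL = {"password", "qwerty", "12345", "letmein", "admin", "welcome"}


def vet_password(candidate: str, user_id: str) -> Optional[str]:
    """Return a rejection reason, or None if the candidate passes the checks."""
    if len(candidate) < MIN_LENGTH:
        return "too short"
    low = candidate.lower()
    if low in TRIVIAL or low == user_id.lower():
        return "trivial or equal to the user ID"
    if len(set(low)) == 1:
        return "single repeated character"
    # Reject a short block repeated to fill the length, e.g. "ababab".
    for n in range(1, len(low) // 2 + 1):
        if len(low) % n == 0 and low[:n] * (len(low) // n) == low:
            return "repeated pattern"
    return None


def generate_password(length: int = 12) -> str:
    """Pseudo-random password from the CSPRNG-backed secrets module, for issuing to users."""
    alphabet = string.ascii_letters + string.digits
    return "".join(secrets.choice(alphabet) for _ in range(length))


def hash_password(password: str) -> str:
    """One-way storage: keep a random salt and a PBKDF2-HMAC-SHA256 digest, never the password."""
    salt = os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)
    return f"pbkdf2_sha256${PBKDF2_ITERATIONS}${salt.hex()}${digest.hex()}"


def verify_password(password: str, stored: str) -> bool:
    """Recompute the digest from the stored salt and compare in constant time."""
    try:
        algo, iters, salt_hex, digest_hex = stored.split("$")
        if algo != "pbkdf2_sha256":
            return False
        salt, expected = bytes.fromhex(salt_hex), bytes.fromhex(digest_hex)
        iterations = int(iters)
    except ValueError:
        return False
    actual = hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, iterations)
    return hmac.compare_digest(actual, expected)


def needs_change(set_on: date, today: date) -> bool:
    """True once the password is older than the maximum age."""
    return today - set_on > MAX_AGE
```

Because the stored string carries its own salt and iteration count, the work factor can be raised later and old entries re-hashed on the user's next successful log-on without a migration step.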

  3. Backup copies of the essential information should be taken at regular intervals and stored at an offsite location.

  4. System display units and hardcopy production units should be positioned or equipped with protective material, eg. limited vision screens or printer covers, such that the data displayed or processed cannot be readily viewed by unauthorised persons.

  5. Users of a system or network which processes university data should be uniquely identified. This identification should be authenticated prior to users being given access to the system and data resources.

  6. Where equipment is to be removed from the premises on a temporary basis, control procedures should be implemented and include:

    a) the approval authority,
    b) the identity of the borrower,
    c) the equipment identification,
    d) a signed acknowledgment of acceptance and return of equipment, and
    e) a requirement to sanitise the equipment before and after the loan period.

  7. The contents of erasable media should be obscured using an approved technique before the media is re-used.

  8. Automated and/or manual controls should be implemented to prevent unauthorised copying, transmission or printing.

  9. Where data integrity is a concern, control procedures should be implemented to:

    a) ensure data to be entered or processed has been duly authorised,
    b) verify the accuracy of the data,
    c) retain the identity of the individual(s) who authorised and entered the data, and
    d) maintain an audit trail of transactions entered on the system.
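Item 9 here and the note under item 8 of section 9.1 (corrections append the revised data to the original entry, identifying who made the correction and when) describe one structure: an append-only register in which every entry carries the identity of the person who authorised and entered it, and a correction is a new entry pointing at the one it supersedes. The following is an added example, not code from the CQU guidelines; the record layout, the authoriser list and the sample values are assumptions of the example.

```python
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Entry:
    seq: int                          # position in the register; never reused
    record_id: str
    field: str
    value: str
    entered_by: str                   # who keyed the value (item 9c)
    authorised_by: str                # who approved it (item 9a, 9c)
    entered_at: datetime
    supersedes: Optional[int] = None  # seq of the entry this corrects (9.1 item 8 note)
    reason: Optional[str] = None


class AppendOnlyRegister:
    """Values are never deleted or overwritten; a correction appends a new
    entry that references the entry it supersedes, so the original survives."""

    def __init__(self, authorisers):
        self._entries: List[Entry] = []
        self._authorisers = set(authorisers)

    def _append(self, **kw) -> Entry:
        if kw["authorised_by"] not in self._authorisers:
            raise PermissionError(f"{kw['authorised_by']} may not authorise data entry")
        entry = Entry(seq=len(self._entries), entered_at=datetime.now(timezone.utc), **kw)
        self._entries.append(entry)
        return entry

    def enter(self, record_id: str, field: str, value: str,
              entered_by: str, authorised_by: str) -> Entry:
        return self._append(record_id=record_id, field=field, value=value,
                            entered_by=entered_by, authorised_by=authorised_by)

    def correct(self, record_id: str, field: str, new_value: str,
                corrected_by: str, authorised_by: str, reason: str) -> Entry:
        latest = self._latest(record_id, field)
        if latest is None:
            raise KeyError(f"no existing entry for {record_id}.{field} to correct")
        return self._append(record_id=record_id, field=field, value=new_value,
                            entered_by=corrected_by, authorised_by=authorised_by,
                            supersedes=latest.seq, reason=reason)

    def _latest(self, record_id: str, field: str) -> Optional[Entry]:
        for e in reversed(self._entries):
            if e.record_id == record_id and e.field == field:
                return e
        return None

    def current(self, record_id: str) -> Dict[str, str]:
        """The record as it reads now: the latest value of each field."""
        view: Dict[str, str] = {}
        for e in self._entries:
            if e.record_id == record_id:
                view[e.field] = e.value
        return view

    def history(self, record_id: str, field: str) -> List[Entry]:
        """Every value a field has held, oldest first, originals included."""
        return [e for e in self._entries if e.record_id == record_id and e.field == field]

    def audit_trail(self) -> Tuple[Entry, ...]:
        """Immutable copy of all transactions, in entry order (item 9d)."""
        return tuple(self._entries)


def demo() -> AppendOnlyRegister:
    """Constructed sample: a surname keyed with a spelling error, then corrected."""
    reg = AppendOnlyRegister(authorisers={"registrar"})
    reg.enter("S1001", "surname", "Smyth", entered_by="clerk1", authorised_by="registrar")
    reg.correct("S1001", "surname", "Smith", corrected_by="clerk2",
                authorised_by="registrar", reason="spelling per enrolment form")
    return reg
```

Nothing in the class exposes a way to remove or rewrite an entry, and the entries themselves are frozen, so the only operation that changes what a record reads is appending; the audit trail is the register itself rather than a separate log that could drift from it.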

  10. The system should maintain a log of all security-relevant activities on the system, eg. logins and file accesses.

  11. Procedures should be implemented to ensure that critical operational material and media resources are identified on a continuing basis to enable restoration of the minimum essential level of service following the loss of equipment or service.

  12. To detect and prevent small systems from being infected by computer viruses, the following precautions should be observed:

    a) all media received from external sources, including licensed or copyright software, should be scanned for the existence of viruses,
    b) all original master copies of software should be stored on media with the write-protect security feature activated, and
    c) computer systems should be scanned for the existence of viruses after software and hardware maintenance.

  13. A contingency procedure should be developed detailing the course of action to be followed when a virus attack is suspected.


Guidelines for Computer Security at CQU, A C Lynn Zelmer, PhD; Editor/Adaptor
Copyright © 1996 CQU Computer Security Committee
