
Implementing a System-Wide Risk Mitigation Policy (288226470)


Page 1: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 1/24

IT Required Practices

Description

Authentication

Admin accounts not used for day-to-day activities
Users are not allowed to run systems as administrators
Admin accounts not shared among individuals - unique admin accounts/passwords for each
Employ strong authentication requirements
Provide access to IU systems and services only to those authorized to access such services
Secure management of passwords
All mobile devices require at least a 4-digit PIN

Backups

All institutional data are backed-up; tests of backups routinely conducted
Maintain off-site backups

Documentation

Data stored or shared with third party is appropriately documented
Data stored or shared with third party is approved by Data Stewards
Up-to-date risk mitigation plan
Business Continuity Plan up-to-date
Disaster Recovery Plan formally tested
Inventory of IT assets, with data classifications, and data analysis
Written incident response procedure
DRP maintained and routinely updated
Formally assign roles of security and privacy

Physical infrastructure/hardware

Offsite backups with critical data properly secured
Server room environmental controls are sufficient
Server room physical controls are sufficient
Procedure for equipment decommissioning (i.e. hard drive-wiping, shredding)

Scans and log monitoring

Regular (at least monthly) vulnerability scans on all servers
System logs regularly reviewed
System logs archived securely, and for the appropriate duration
Identity Finder scans routinely occurring on servers
Identity Finder scans routinely occurring on workstations

Patch management / software / system builds

Routine and consistent procedures for patch management
Servers on supported operating systems
Run systems with only necessary software, services and port openings
Identify and patch third-party software on systems
Mobile devices on IU's network secured and managed
Maintain updated OS builds for efficient recovery

Firewall / antivirus / encryption / network

All servers behind physical firewall

Page 2: Implementing a System-Wide Risk Mitigation Policy (288226470)

Antivirus scans taking place on all systems
Critical/Sensitive data encrypted in transmission
Critical/Sensitive data encrypted at rest on servers
Encrypt communications to systems accessed through elevated privileges
Avoid whenever possible passing password over the network in clear-text
Antivirus software installed on all computers and servers
Maintain antivirus definitions
All laptops employ whole disk encryption
Backup media on servers encrypted
All servers on private IPs (unless documented operational necessity)
All printers on private IPs
Disable or secure remote access

Certifications / training / handling of sensitive data

Hire technicians with the expertise necessary to maintain systems and hardware
Identify types of data in your unit
All employees participate in security/privacy awareness (HIPAA/FERPA certs)
PCI DSS compliance training/awareness for appropriate personnel
Sensitive data managed on secure systems, by appropriate procedures and personnel
Training procedures in place for appropriate use and access to electronic information
Subscribe to vendor advisory services
Keep abreast of IU security advisories, policy, and best practice updates through Protect IU
For users, identify appropriate server locations of data extracted or derived from central sources

Page 3: Implementing a System-Wide Risk Mitigation Policy (288226470)

Governing IT Policy or Standard (see Policy Requirements tab for more info)

IT-12, section 2.19
IT-12, section 2.17
IT-12, section 2.18
IT-12, section 2.20
IT-12, section 2.16; IT-12, section 2.17
IT-12, section 2.20
IT-12.1, section 2a.1
DM-01, section 11.b
COBIT 4.1 DS4.9
DM-02
DM-02
IT-28, section 1c
COBIT 4.1 DS4
COBIT 4.1 DS4
IT-28, section 1
IT-12, section 3.2; IT-12, section 3.3
COBIT 4.1 DS4
ISPP-xx Standard
IT-12, section 2.8
DM-01-S, section 11.b
DM-01-S, section 11.b
I-PUR-14.0 (leading letters of the policy identifier are unreadable in the source)
IT-12, section 2.12.1-4
IT-12, section 2.5.1-4
UISO Recommended
DM-01, section 9.e, 9.f
DM-01, section 9.e, 9.f
IT-12, section 2.7; IT-12, section 2.12.1-4
IT-12, section 2.2
IT-12, section 2.4
IT-12, section 2.14
IT-12.1, section 2a
IT-12, section 2.3
DM-01, section 2.f

Page 4: Implementing a System-Wide Risk Mitigation Policy (288226470)

IT-12, section 2.13
IT-12, section 2.9
IT-12, section 2.8
IT-12, section 2.10
IT-12, section 2.21
IT-12, section 2.13
IT-12, section 2.14
IT-12.1, section 2a.2
IT-12, section 2.8
DM-01, section 2.f
IT-12, section 2.6
IT-12, section 1.2
DM-01, section 14.a
DM-01, section 11.d
IT-07; IT-12, section 1.4
IT-12, section 2.14
IT-12, section 2.1
DM-01, section 9.f
Educational Rights and Privacy Act
I-TRE-?I-110 (policy identifier partly unreadable in the source)

Page 5: Implementing a System-Wide Risk Mitigation Policy (288226470)

Who or What Can Help?

UISO recommended best practices (x7)
TSM Backup Service
IT Community Partnerships
IU Ready (x2)
IT Community Partnerships
Incident Response Procedure Template
IU Ready
IU Information Security and Privacy Program
TSM Backup Service
UISO recommended best practices
UISO Scanning Tool
HELPnet Log-Alert
UISO recommended best practices
Identity Finder software (x2)
UISO recommended best practices (x7)

Page 6: Implementing a System-Wide Risk Mitigation Policy (288226470)

UISO recommended best practices (x9)
IU Knowledgebase (x2)
UISO recommended best practices (x4)
Office of the Treasurer
UISO recommended best practices (x5)

Page 7: Implementing a System-Wide Risk Mitigation Policy (288226470)

Links

https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (x7)
http://protect.iu.edu/tools/iu-ready (x2)
http://protect.iu.edu/cybersecurity/incident/template
http://protect.iu.edu/cybersecurity/policies/ISPP-22.1
https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (x9)
http://ii.uits.iu.edu/backup.shtml
mailto:talk2uits@iu.edu (x2)
http://protect.iu.edu/blog/2014/08/0?/departmental-disaster-recovery-planning (one digit of the date path is unreadable in the source)
http://ii.uits.iu.edu/backup.shtml
http://helpnet.iu.edu
http://iuware.iu.edu (x2)

Page 8: Implementing a System-Wide Risk Mitigation Policy (288226470)

https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (x13)
http://treasurer.indiana.edu/pcidss/index.html
https://protect.iu.edu/online-safety/resources-professionals/best-practices.html (x5)
http://kb.iu.edu/data/arkv.html (x2)

Page 9: Implementing a System-Wide Risk Mitigation Policy (288226470)

Security Project Plan

Total Number of Projects | Completed So Far | Overall Progress

Area: Authentication
% Done | Project Description
0% | Admin accounts not used for day-to-day activities
0% | Users are not allowed to run systems as administrators
0% | Admin accounts not shared among individuals - unique admin accounts/passwords for each
0% | Employ strong authentication requirements
0% | Provide access to IU systems and services only to those authorized to access such services
0% | Secure management of passwords
0% | All mobile devices require at least a 4-digit PIN

Area: Backups
% Done | Project Description
0% | All institutional data are backed-up; tests of backups routinely conducted
0% | Maintain off-site backups

Area: Documentation
% Done | Project Description
0% | Data stored or shared with third party is appropriately documented
0% | Data stored or shared with third party is approved by Data Stewards
0% | Up-to-date risk mitigation plan
0% | Business continuity plan up-to-date
0% | DRP formally tested
0% | Inventory of IT assets, with data classifications, and data analysis
0% | Written incident response procedure
0% | DRP maintained and routinely updated
0% | Formally assign roles of security and privacy

Area: Physical Infrastructure/Hardware
% Done | Project Description
0% | Offsite backups with critical data properly secured
0% | Server room environmental controls are sufficient
0% | Server room physical controls are sufficient

Page 10: Implementing a System-Wide Risk Mitigation Policy (288226470)

0% | Procedure for equipment decommissioning (i.e. hard drive-wiping, shredding)

Area: Scans and Log Monitoring
% Done | Project Description
0% | Regular (at least monthly) vulnerability scans on all servers
0% | System logs regularly reviewed
0% | System logs archived securely, and for the appropriate duration
0% | Identity Finder scans routinely occurring on servers
0% | Identity Finder scans routinely occurring on workstations

Area: Patch Management Software System Builds
% Done | Project Description
0% | Routine and consistent procedures for patch management
0% | Servers on supported operating systems
0% | Run systems with only necessary software, services and port openings
0% | Identify and patch third-party software on systems
0% | Mobile devices on IU's network secured and managed
0% | Maintain updated OS builds for efficient recovery

Area: Firewall Antivirus Encryption Network
% Done | Project Description
0% | All servers behind physical firewall
0% | Antivirus scans taking place on all systems
0% | Critical/Sensitive data encrypted in transmission
0% | Critical/Sensitive data encrypted at rest on servers
0% | Encrypt communications to systems accessed through elevated privileges
0% | Avoid whenever possible passing password over the network in clear-text
0% | Antivirus software installed on all computers and servers
0% | Maintain antivirus definitions
0% | All laptops employ whole disk encryption
0% | Backup media on servers encrypted
0% | All servers on private IPs (unless documented operational necessity)
0% | All printers on private IPs
0% | Disable or secure remote access

Page 11: Implementing a System-Wide Risk Mitigation Policy (288226470)

Area: Certifications / Training / Handling of Sensitive [data]
% Done | Project Description
0% | Hire technicians with the expertise necessary to maintain systems and hardware
0% | Identify types of data in your unit
0% | All employees participate in security/privacy awareness (HIPAA/FERPA certs)
0% | PCI DSS compliance
0% | Sensitive data managed on secure systems, by appropriate procedures and personnel
0% | Training procedures in place for appropriate use and access to electronic information
0% | Subscribe to vendor advisory services
0% | Keep abreast of IU security advisories, policy and best practice updates through Secure IU
0% | For users, identify appropriate server locations of data extracted or derived from central sources

Page 12: Implementing a System-Wide Risk Mitigation Policy (288226470)

...nning Guide

0

0%

Due By | Notes (column headers; no entries in the source)

Page 15: Implementing a System-Wide Risk Mitigation Policy (288226470)

Policy IT-07 Requirements

IT-07, section 1: The university does not condone censorship, routine inspection of electronic files, the monitoring of network ac...
IT-07, section 2: Stored electronic files and voice and data network communications may not be accessed by someone o...
IT-07, section 2.1: the person to whom the account in which the information has been stored is assig...
IT-07, section 2.2: the person from whom the communication originated, or to whom the communica...
IT-07, section 2.3: the person to whom the device containing the stored electronic files has been ass...
IT-07, section 3: A technician may access specific information technology resources and electronic information in certain...
IT-07, section 4: All other requirements and actions outlined in policy IT-07, including notification, preservation of electronic inf... provisions.

Policy IT-12 Requirements

For a computer system to be managed securely, functional unit management must:
IT-12, section 1.1: Fully understand the sensitivity of the function or operation being supported by the system and the data being...
IT-12, section 1.2: Hire technicians with the expertise necessary to appropriately maintain the hardware, operating systems, syst... which they are assigned.
IT-12, section 1.3: Ensure that technicians understand their responsibilities and the consequences of poorly managed systems (c... sensitive data, potential legal liability for the department and Indiana University, possible loss of Federal and o...
IT-12, section 1.4: Provide necessary initial and refresher training to technicians as hardware or software components are revised...
IT-12, section 1.5: Ensure that assignments and job plans account for time required for systematic and periodic audit and mainte...

For a computer system to be managed securely, functional unit technicians must:
IT-12, section 2.1: Fully understand the sensitivity of the function or operation being supported by the system and the da...
IT-12, section 2.2: Not choose operating systems that are known as being difficult to maintain and secure.
IT-12, section 2.3: Use technical tools to take an image of any freshly installed operating systems in order to speed recov...
IT-12, section 2.4: Remove or disable unneeded services and software, especially those that are network-accessible.
IT-12, section 2.5: Log activities on the system:
IT-12, section 2.5.1: Successful user logins, including the location from which the logins originated
IT-12, section 2.5.2: Unsuccessful login attempts, including the location from which the attempts o...
IT-12, section 2.5.3: Unsuccessful file access attempts, and
IT-12, section 2.5.4: Successful file accesses for files and databases containing sensitive informatio...
IT-12, section 2.6: Disable or secure remote access from system-to-system (e.g., rlogin).
IT-12, section 2.7: Proactively seek out and apply vendor-supplied fixes necessary to repair security vulnerabilities, within... high-risk, within 48 hours for medium-risk, and within 72 hours for low-risk).
IT-12, section 2.8: Encrypt stored sensitive data where possible to minimize disclosure if the system is compromised.
IT-12, section 2.9: Encrypt sensitive data being transmitted to-and-from the system where possible to ensure the data is...
IT-12, section 2.10: Deploy encrypted communications methods (e.g., Secure Shell) for user access to the system and for a...
IT-12, section 2.11: Technically limit access to local network addresses where possible (e.g., TCP Wrappers) given the functi...
IT-12, section 2.12: Scan computers for security vulnerabilities using available technical tools:
IT-12, section 2.12.1: regularly, at least every 30 days to ensure new vulnerabilities are identified promp...
IT-12, section 2.12.2: immediately after installation/configuration of a new system is completed,
IT-12, section 2.12.3: immediately after introduction of a new operating system or an upgrade to a curre...
IT-12, section 2.12.4: immediately after installation or upgrade of networking or other system software.
IT-12, section 2.13: Install and maintain anti-virus software on operating systems for which Indiana University has licensed...
IT-12, section 2.14: Subscribe to vendor and other advisory services applicable to the operating environment being mainta...
IT-12, section 2.15: Periodically visit the web site of the UISO to view current bulletins or to obtain recent security guides a...
IT-12, section 2.16: Provide access to only those persons who are otherwise eligible to use Indiana University technology re... is allowed.
IT-12, section 2.17: Limit access to needed services to only authorized persons.

The language used here is taken directly from each policy. Not all of the text of each policy is included here - only the...

The numbering scheme in the left column is provided to help map items in the previous worksheet to specific parts of... organization and numbering in the actual policy, and in some cases it does not.

Page 16: Implementing a System-Wide Risk Mitigation Policy (288226470)

IT-12.1, section 3: Use of mobile devices to access, store, or manipulate critical information requires: Written approv... Board confirming a critical business need, and Encrypting the information on the device and in tra...

Policy IT-28 Requireme...

IT-28, section 1: Within one year of the adoption of this policy, all IU administrative and auxiliary units' adminis... information technology environment will perform an initial, comprehensive evaluation of their i...
IT-28, section 1a: Determine what unit-level information technology systems and services are candidates for use...
IT-28, section 1b: Develop a plan for policy compliance with target dates agreed to by the unit head or delegate
IT-28, section 1c: Prepare a formal risk assessment and risk mitigation plan to be discussed and approved jointly...
IT-28, section 1d: Establish and maintain appropriate capacity and expertise for risk mitigation, IU policy complia...
IT-28, section 1e: Identify any unit level information technology systems and services within an academic unit fo... are not practicable for use of UITS services
IT-28, section 2: Formal reviews will be updated every two years

Policy Standard DM-01-S Requ...

DM-01-S, section 2.a: To the extent possible, data stewards will work together to define a single set of procedures fo... documenting these common data access request procedures.
DM-01-S, section 2.b: Access to institutional data that is consistent with the data's classification will be granted to all...
DM-01-S, section 2.c: Except as specified elsewhere in this standard, all institutional data will be classified as univers... appointees will have access to these data, without restriction or prior authorization, for use in... (ex. assent to Institutional Data Acceptable use agreement, etc.). These data are designated u... general public.
DM-01-S, section 2.d: Where appropriate, data stewards may identify institutional data elements or views which have... will be designated as public data.
DM-01-S, section 2.e: Where necessary, data stewards may specify some data elements as critical or restricted. Criti... individual authorization prior to access, or to which only limited access may be granted. Data c... require such access. Designation of data as critical or restricted will include specific reference t... restriction.
DM-01-S, section 2.f: Direct access to university file servers hosting critical or restricted institutional data must be... these servers from off-campus must connect in a secure manner, such as through the universi...
DM-01-S, section 2.g: A data view does not necessarily inherit the restriction characteristics of the data elements wh... data elements can result in a view which contains otherwise restricted data elements being de...
DM-01-S, section 2.h: The access privileges of users who change positions or separate from the university must be u...
DM-01-S, section 2.i: Each data steward will be individually responsible for documenting data access procedures that...
DM-01-S, section 9.a: The data steward, in consultation with other university offices as appropriate, is responsible fo... official data storage location of valid codes and values for each data element. The data stewar... historical data for each data element.
DM-01-S, section 9.b: Institutional data may be stored on any of many diverse computing hardware platforms, provid... system.
DM-01-S, section 9.c: Data element names, formats, and codes must be consistent across all applications which use...
DM-01-S, section 9.d: The University Information Policy Office will assist in determining data storage location and arc...
DM-01-S, section 9.e: Critical or Restricted data must never be stored on individual user workstations, or mobile dev... without prior formal written approval and appropriate technical safeguards (see IT-12 Policy, IT... executive officer of the unit and confirm a critical business need for such storage. Critical or Re... department or central servers.
DM-01-S, section 9.f: Departments are expected to identify, for their users, appropriate server locations for storage...
DM-01-S, section 9.g: Critical data must not be collected, or extracted from central systems and stored on departme... of the office involved.
DM-01-S, section 9.h: So that standards for survey research and FERPA requirements for non-directory student reco... that responses are not associated with personally identifiable information (i.e. names, SSNs, e... placed in different directories and with different naming conventions to obscure the connection
DM-01-S, section 9.i: A student may file a directory exclusion to prevent disclosure of public information. For this rea... daily.
DM-01-S, section 11.a: Institutional data must be maintained within professionally administrated systems in complian...
DM-01-S, section 11.b: If institutional data are stored on any component of the university information system, that sy... assigned to it a system administrator whose responsibilities include generally accepted system... authorization systems, backup, recovery, and system restart procedures, data archiving, capac...

Page 17: Implementing a System-Wide Risk Mitigation Policy (288226470)

DM-02, section 3.1.1: completion of a data security questionnaire [provide link]
DM-02, section 3.1.2: review by the University Information Security Office (UISO), and other parties as...
DM-02, section 3.1.3: approval by the Data Steward responsible for the institutional information involve...
DM-02, section 3.2: Seek advice from the appropriate Data Steward(s) and, as appropriate, Legal Counsel: there m... documentation in disclosing information with third parties.
DM-02, section 4: It is recognized that in some cases the university is required to share information in compliance with ap... party's willingness to address risks raised by University's security review, and/or enter into an agreeme... situations, the law requiring disclosing, the security concerns raised, and the response of the third party

COBIT 4.1 Framework, Section DS4

Copyright © 2007 by the IT Governance Institute. All rights reserved. No part of this publication may be used, copied, reproduced, modifie... form by any means (electronic, mechanical, photocopying, recording or otherwise), without the prior written authorisation of ITGI. Reprod... academic use only, is permitted and must include full attribution of the material's source. No other right or permission is granted with resp...

The full text of the COBIT 4.1 framework can be downloaded from http://www.isaca.org/Knowledge-Center/cobit/Pages/Downloads.aspx

IT Governance Institute
3701 Algonquin Road, Suite 1010, Rolling Meadows, IL 60008 USA
Phone: +1.847.590.7491  Fax: +1.847.253.1443
E-mail: info@itgi.org

Page 18: Implementing a System-Wide Risk Mitigation Policy (288226470)

DM-01-S, section 2.a: a. To the extent possible, data stewards will work together to define a single set of procedures for requesting permission to access institutional data, an...
DM-01-S, section 2.b: b. Access to institutional data that is consistent with the data's classification will be granted to all data users for all legitimate university purposes.
DM-01-S, section 2.c: c. Except as specified elsewhere in this standard, all institutional data will be classified as university-internal data for use within the university. Universit...
DM-01-S, section 2.d: d. Where appropriate, data stewards may identify institutional data elements or views which have few access restrictions and which may be released to...
DM-01-S, section 2.e: e. Where necessary, data stewards may specify some data elem...
DM-01-S, section 2.f: f. Direct access to university file servers hosting critical or restric...
DM-01-S, section 2.g: g. A data view does not necessarily inherit the restriction charact...
DM-01-S, section 2.h: h. The access privileges of users who change positions or separa...
DM-01-S, section 2.i: i. Each data steward will be individually responsible for documen...
DM-01-S, section 9.a: a. The data steward, in consultation with other university offices...
DM-01-S, section 9.b: b. Institutional data may be stored on any of many diverse comp...
DM-01-S, section 9.c: c. Data element names, formats, and codes must be consistent a...
DM-01-S, section 9.d: d. The University Information Policy Office will assist in determini...
DM-01-S, section 9.e: e. Critical or Restricted data must never be stored on individual u...
DM-01-S, section 9.f: f. Departments are expected to identify, for their users, appropri...
DM-01-S, section 9.g: g. Critical data must not be collected, or extracted from central s...
DM-01-S, section 9.h: h. So that standards for survey research and FERPA requirements...
DM-01-S, section 9.i: i. A student may file a directory exclusion to prevent disclosure o...
DM-01-S, section 11.a: a. Institutional data must be maintained within professionally ad...
DM-01-S, section 11.b: b. If institutional data are stored on any component of the univer...
DM-01-S, section 11.c: c. If institutional data are stored on any component of the univer...
DM-01-S, section 11.d: d. System Administrators shall ensure that adequate administrati...
DM-01-S, section 14.a: a. Data classification information and data handling procedures...
DM-01-S, section 14.b: b. Training to promote understanding and appropriate use of dat...
  Training may be based on data classification.
  Training may be required based on role responsibilitie...
  Training may be required based on the impact of decis...
DM-01-S, section 14.c: c. Training material should be reviewed and revised as appropria...
DM-01-S, section 14.d: d. Periodic review and renewal of individual training is strongly re...

nts as critical or restricted1 'ritical or restricted data would include those data for whic

ed institutional data must be bloc!ed from non-IU networ! addresses1 Individuals requi

eristics of the data elements which comprise it1 0or e6ample* removal of any associatie from the university must be updated in a timely manner as appropriate1

ing data access procedures that are unique to a speci+c information resource or set of

s appropriate* is responsible for identifying an o/cial data storage location for each d

ting hardware platforms* provided such platforms are integrated components of an ov

cross all applications which use the data and consistent with such university standards

ng data storage location and archiving requirements for institutional data1

  ser wor!stations* or mobile devices 0i1e1 laptops* smart phones* tablets* personal digita

te server locations for storage of data e6tracted from central sources or derived throu

stems and stored on departmental servers unless doing so is absolutely required to m

for non-directory student records are met* all program evaluation and assessment datpublic information1 or this reason* student public information must not be stored on l

inistrated systems in compliance with university policies and applicable regulations1

ity information system* that system component must have de+ned a formal system ad

ity information system* that system component must comply with speci+c manageme

ve processes and proper security safeguards are in place and enforced1

  ust be documented and communicated to all relevant audiences includingD developer

before access to information is provided is strongly recommended1

1

ions made using the data1

e1

  commended1

Page 20: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 20/24

  will be Gointly responsible for documenting these common data access request proced

 employees and designated appointees will have access to these data* without restric

the general public1 )hese data will be designated as public data1

h data users must obtain individual authori5ation prior to access* or to which only limit

ring access to +les stored on these servers from o$-campus must connect in a secure

n with personally-identifying data elements can result in a view which contains other

data elements1

ta element* as well as an o/cial data storage location of valid codes and values for ea

rall university information system1

 as are developed1

l assistants* thumb drives* etc12 without prior formal written approval and appropriate t

h department operations1

  aintain the business functions of the o/ce involved1

  must be stored in such a way that responses are not associated with personally identical servers unless updated daily1

  ministration function and have assigned to it a system administrator whose responsibil

t standards* as outlined in Policy I)-9: as well as any applicable sector-speci+c require

* data managers* local service providers* and users before access to institutional data i

Page 21: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 21/24

ures1

ion or prior authori5ation* for use in the conduct of university business after complianc

d access may be granted1 %ata classi+ed as critical restricted may only be used by th

anner* such as through the universityHs modem pool or 0preferably2 the university virt

ise restricted data elements being designated as public or university-internal12

ch data element1 )he data steward will also determine archiving requirements and stra

echnical safeguards 0see I)-9: Policy* I)-9:19 Standard* and this document21 )his forma

+able information 0i1e1 names* SSs* etc121 Cin!age +les containing the association of p

ities include generally accepted system administration tas!s including" physical site se

ents 0i1e1 P'I-%SS* 7IPAA* etc121 ,eb and other servers that must be accessible from

s granted1

Page 22: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 22/24

 with appropriate request process 0e61 assent to Institutional %ata Acceptable use agr

se whose positions e6plicitly require such access1 %esignation of data as critical or res

al private networ! 0BP2 service1

tegies for storing and preserving historical data for each data element1

l approval must come from the senior e6ecutive o/cer of the unit and con+rm a critical

otected data to individuals must be placed in di$erent directories and with di$erent na

curity" administration of security and authori5ation systems* bac!up* recovery* and sys

$-campus must be physically or logically separated from servers hosting critical or res

Page 23: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 23/24

ement* etc121 )hese data are designated university-internal1 )hey are freely available

ricted will include speci+c reference to the policy* legal* ethical* or e6ternally-imposed

business need for such storage1 'ritical or (estricted data must otherwise be stored o

ming conventions to obscure the connection* and must be permanently deleted when

tem restart procedures* data archiving* capacity planning* and performance monitoring

ricted institutional data1

Page 24: Implementing a System-Wide Risk Mitigation Policy (288226470)

8/20/2019 Implementing a System-Wide Risk Mitigation Policy (288226470)

http://slidepdf.com/reader/full/implementing-a-system-wide-risk-mitigation-policy-288226470 24/24

  ithin the university but not open to the general public1

  onstraint which requires this restriction1

  properly con+gured and managed* department or central servers1

o longer needed

1