Robert Ono Office of the Vice Provost, Information and Educational Technology September 9, 2010 TIF-Security Cyber-safety Plans for 2010



Security Tools Update

Incident response plan unit template released in 2009
Audit log practices – training in September 2010
Physical security – new security template released in 2009
Security awareness training – 2010 system-wide workgroup
Equipment release – multi-function printing device guidance released to campus/UCDHS in 2010
Web application security vulnerability scanning – security lifecycle development training in August 2010


2010 Cyber-safety Policy Revisions

Clarify mobile devices integration within CS standards
Broaden reference to “computers” to include mobile devices
Require firmware updates for mobile devices
Remove AV requirement for mobile devices
Require mobile devices to use at least a four-character password, where available
Require mobile devices to support remote wipe capability, where available
Modify annual survey items to include mobile devices
Modify annual survey password references to include passphrases


Recommended Cyber-safety Survey Revisions

Update definition of “restricted information”

Existing definition: Restricted information is defined as data that is considered sensitive to some degree and may include personal information or information whose unauthorized access, modification or loss could seriously or adversely affect the university.

Proposed definition: Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. (BFB IS-3, 5/20/2009)


2010 Cyber-safety Survey Items

SOFTWARE PATCHES
AV Software
Removal of insecure services
Secure authentication
PERSONAL INFORMATION PROTECTION*
Firewall Services*
PHYSICAL SECURITY*
Open email relays
Proxy services
AUDIT LOGS*
BACKUP/RECOVERY*
Security training*
Anti-spyware*
EQUIPMENT RELEASE*
INCIDENT RESPONSE PLAN*
WEB APPLICATION SECURITY*

2009 survey items Underline: needed improvement areas


Cyber-safety Survey Schedule

October through December 2010: Survey data collection

January through February 2011: Analysis and reporting to units, as appropriate

March 2011: Reporting to CS oversight committee, Technical Infrastructure Forum and Campus Council for Information Technology

April 2011: Report to Chancellor’s cabinet


Continued Support of Organizational Effectiveness

Web application scanning service
Anti-malware licensing
Computer host vulnerability scanning and reporting
Intrusion prevention capability at network border
Network firewalls at network border
Authentication services and identity and access management
Personal identity information scanner – licensed for Windows and Mac OS X
InCommon certificates for SSL
Encryption for email with restricted content
Forensic investigation and reporting assistance