Robert Ono
Office of the Vice Provost, Information and Educational Technology
September 9, 2010
TIF-Security Cyber-safety Plans for 2010

Security Tools Update
Incident response plan unit template released in 2009
Audit log practices – training in September 2010
Physical security – new security template released in 2009
Security awareness training – 2010 system-wide workgroup
Equipment release – multi-function printing device guidance released to campus/UCDHS in 2010
Web application security vulnerability scanning – security lifecycle development training in August 2010

2010 Cyber-safety Policy Revisions
Clarify mobile devices integration within CS standards
Broaden reference to “computers” to include mobile devices
Require firmware updates for mobile devices
Remove AV requirement for mobile devices
Require mobile devices to use at least a four character password, where available
Require mobile devices to support remote wipe capability, where available
Modify annual survey items to include mobile devices
Modify annual survey password references to include passphrases

Recommended Cyber-safety Survey Revisions
Update definition of “restricted information”
Existing definition: Restricted information is defined as data that is considered sensitive to some degree and may include personal information or information whose unauthorized access, modification or loss could seriously or adversely affect the university.
Proposed definition: Restricted information describes any confidential or personal information that is protected by law or policy and that requires the highest level of access control and security protection, whether in storage or in transit. (BFB IS-3, 5/20/2009)

2010 Cyber-safety Survey Items
SOFTWARE PATCHES
AV Software
Removal of insecure services
Secure authentication
PERSONAL INFORMATION PROTECTION*
Firewall Services*
PHYSICAL SECURITY*
Open email relays
Proxy services
AUDIT LOGS*
BACKUP/RECOVERY*
Security training*
Anti-spyware*
EQUIPMENT RELEASE*
INCIDENT RESPONSE PLAN*
WEB APPLICATION SECURITY*
2009 survey items
Underline: needed improvement areas

Cyber-safety Survey Schedule
October through December 2010: Survey data collection
January through February 2011: Analysis and reporting to units, as appropriate
March 2011: Reporting to CS oversight committee, Technical Infrastructure Forum and Campus Council for Information Technology
April 2011: Report to Chancellor’s cabinet

Continued Support of Organizational Effectiveness
Web application scanning service
Anti-malware licensing
Computer host vulnerability scanning and reporting
Intrusion prevention capability at network border
Network firewalls at network border
Authentication services and identity and access management
Personal identity information scanner – licensed for Windows and Mac OS X
InCommon certificates for SSL
Encryption for email with restricted content
Forensic investigation and reporting assistance