Polyu it security policy
This presentation is the property of its rightful owner.
Sponsored Links
1 / 26

PolyU IT Security Policy PowerPoint PPT Presentation


  • 279 Views
  • Uploaded on
  • Presentation posted in: General

PolyU IT Security Policy. PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology Services office. PolyU Systems Security Policy. Importance of IT Security Recommendation from auditors PolyU Systems Security Policy by ITS

Download Presentation

PolyU IT Security Policy

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.


- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -

Presentation Transcript


Polyu it security policy

PolyU IT Security Policy

PolyU

IT/Computer

Systems Security Policy

(SSP)

By

Ken Chung

Senior Computing Officer

Information Technology Services office


Polyu systems security policy

PolyU Systems Security Policy

  • Importance of IT Security

  • Recommendation from auditors

  • PolyU Systems Security Policy by ITS

  • Endorsement of the Policy by ITSC

  • Policy and Guidelines on Web


Polyu systems security policy1

PolyU Systems Security Policy

  • Physical Security

  • Campus Network and Internet Security

  • Operating System Security

  • Application System Security

  • Personal Computer Security

  • Backup and Recovery


Physical security

Physical Security

  • Equipment housed in safe environment

  • Access control to computer room

  • Equipment installed in open areas should be attended or fixed


Physical security cont d

Physical Security (Cont’d)

  • Proper electrical power protection should be employed, e.g. surge protector, UPS

  • Food, liquid or powdery substances should be keep away from equipment

  • University’s health and safety requirements should be observed


Campus network and internet security

Campus Network and Internet Security

  • Security procedures against intrusion should be implemented and maintained

  • Network management and security monitoring should be performed

  • Security control mechanisms should be documented


Campus network and internet security cont d

Campus Network and Internet Security (Cont’d)

  • Proper protection mechanisms should be implemented

  • Non PolyU equipment and external links should not be connected to campus network

  • HARNET Acceptable Use Policy should be observed (URL: http://www.jucc.edu.hk/jucc/haup.htm)


Operating systems security

Operating Systems Security

  • Update list of system administrators

  • Scanning programs to detect security bugs

  • Latest system and security patches should be adopted

  • All accounts should be protected by ‘good’ password and changed regularly


Operating systems security cont d

Operating Systems Security (Cont’d)

  • Passwords should not be disclosed to others

  • Passwords should not be stored or transmitted in plain text form

  • Users should report security violation to system administrator

  • Accounting, auditing and logging facilities should be adopted for audit trails


Application systems security

Application Systems Security

  • System owner must determine security level required for various kinds of data

  • Only authorised users are allowed to access system and data

  • Production data or files must only be used on production systems


Application systems security cont d

Application Systems Security (Cont’d)

  • Confidential data should be protected by passwords

  • Passwords should not be written down or shared with others, standards on password length, format and frequency of change should be enforced

  • Effective data encryption techniques should be used for storing highly confidential information


Application systems security cont d1

Application Systems Security (Cont’d)

  • Changes to production programs should be authorised, controlled and recorded, timestamps, logs and audit trails must be employed

  • Software developers must not access production data without prior approval of system owners


Personal computer security

Personal Computer Security

  • Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only

  • Data and programs should be backed up regularly


Personal computer security cont d

Personal Computer Security (Cont’d)

  • Preventive and detective measures should be enforced to minimise damages caused by computer viruses

  • Only licensed software should be used

  • Security problems should be reported to system administrators promptly


Backup and recovery

Backup and Recovery

  • System owners must determine their backup requirements

  • Backup and restoration should be performed by authorised personnel only

  • Backed up should be performed periodically on a transportable media and stored appropriately (onsite or offsite)


Backup and recovery cont d

Backup and Recovery (Cont’d)

  • Backup and restoration procedures should be test and review regularly

  • Disaster Recovery Plan for mission critical systems should be in place and periodical drilling is required


It security guidelines

IT Security Guidelines

  • Physical Security

  • Campus Network and Internet Security

  • Firewall Security

  • Remote Access Security

  • Proxy Server Security

  • Personal Computer Security


It security guidelines cont d

IT Security Guidelines (Cont’d)

  • UNIX System Security

  • Web Server Security

  • Novell NetWare and GroupWise Systems Security

  • Student Computing Cluster Security

  • E-mail System Security

  • PolyU Administrative Computer Systems Security


Recommendations of auditor

Recommendations of Auditor

Establish the Internet/Intranet Security Policy with the following contents:

  • What services are allowed

  • User access and privileges

  • Policies for managing web pages

  • Procedures for ensuring no alternate access paths to Internet

  • University’s response to security violation

  • User signing internet usage agreement


Recommendations of auditor cont d

Recommendations of Auditor (Cont’d)

Establish the Internet/Intranet Security Policy with the following contents (cont’d):

  • Enforcing password requirements

  • Management of increased network traffic resulting from Internet use

  • Hardware, software and client applications

  • Client configuration

  • Frequency of security audit

  • Independent internet assessment


Recommendations of auditor cont d1

Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Granting of users’ access rights

  • Monitoring of users with administrative rights on IS

  • Guidelines on data encryption

  • Computer security policy training and distribution


Recommendations of auditor cont d2

Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Virus protection policy

  • Promote proper usage of internet

  • Sharing of user accounts

  • User accounts housekeeping

  • Utilizing networking scanning tools

  • E-mail virus protection


Recommendations of auditor cont d3

Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Door-entry control system

  • Automatic directory listing

  • Banners

  • Vulnerable services

  • World-writeable files

  • System logging


Some security tips

Some Security Tips

  • Always apply security patch on OS and service

  • Remove unnecessary services

  • Review and change default settings

  • Implement a personal firewall

  • Apply encryption on sensitive data

  • Enable auditing & review log


Thank you

Thank you!


  • Login