PolyU IT Security Policy - PowerPoint PPT Presentation
PolyU IT Security Policy

PolyU IT/Computer Systems Security Policy (SSP)

By Ken Chung, Senior Computing Officer, Information Technology Services Office


PolyU Systems Security Policy

  • Importance of IT Security

  • Recommendation from auditors

  • PolyU Systems Security Policy by ITS

  • Endorsement of the Policy by ITSC

  • Policy and Guidelines on Web


PolyU Systems Security Policy

  • Physical Security

  • Campus Network and Internet Security

  • Operating System Security

  • Application System Security

  • Personal Computer Security

  • Backup and Recovery


Physical Security

  • Equipment housed in safe environment

  • Access control to computer room

  • Equipment installed in open areas should be attended or fixed


Physical Security (Cont’d)

  • Proper electrical power protection should be employed, e.g. surge protector, UPS

  • Food, liquid or powdery substances should be kept away from equipment

  • University’s health and safety requirements should be observed


Campus Network and Internet Security

  • Security procedures against intrusion should be implemented and maintained

  • Network management and security monitoring should be performed

  • Security control mechanisms should be documented


Campus Network and Internet Security (Cont’d)

  • Proper protection mechanisms should be implemented

  • Non-PolyU equipment and external links should not be connected to the campus network

  • HARNET Acceptable Use Policy should be observed (URL: http://www.jucc.edu.hk/jucc/haup.htm)


Operating Systems Security

  • Maintain an up-to-date list of system administrators

  • Run scanning programs to detect security bugs

  • The latest system and security patches should be adopted

  • All accounts should be protected by a ‘good’ password that is changed regularly


Operating Systems Security (Cont’d)

  • Passwords should not be disclosed to others

  • Passwords should not be stored or transmitted in plain text form

  • Users should report security violations to the system administrator

  • Accounting, auditing and logging facilities should be adopted for audit trails


Application Systems Security

  • The system owner must determine the security level required for each kind of data

  • Only authorised users are allowed to access the system and its data

  • Production data or files must only be used on production systems


Application Systems Security (Cont’d)

  • Confidential data should be protected by passwords

  • Passwords should not be written down or shared with others; standards on password length, format and frequency of change should be enforced

  • Effective data encryption techniques should be used for storing highly confidential information


Application Systems Security (Cont’d)

  • Changes to production programs should be authorised, controlled and recorded; timestamps, logs and audit trails must be employed

  • Software developers must not access production data without prior approval of system owners


Personal Computer Security

  • Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only

  • Data and programs should be backed up regularly


Personal Computer Security (Cont’d)

  • Preventive and detective measures should be enforced to minimise damage caused by computer viruses

  • Only licensed software should be used

  • Security problems should be reported to system administrators promptly


Backup and Recovery

  • System owners must determine their backup requirements

  • Backup and restoration should be performed by authorised personnel only

  • Backups should be performed periodically onto transportable media and stored appropriately (onsite or offsite)


Backup and Recovery (Cont’d)

  • Backup and restoration procedures should be tested and reviewed regularly

  • A Disaster Recovery Plan for mission-critical systems should be in place, and periodic drills are required


IT Security Guidelines

  • Physical Security

  • Campus Network and Internet Security

  • Firewall Security

  • Remote Access Security

  • Proxy Server Security

  • Personal Computer Security


IT Security Guidelines (Cont’d)

  • UNIX System Security

  • Web Server Security

  • Novell NetWare and GroupWise Systems Security

  • Student Computing Cluster Security

  • E-mail System Security

  • PolyU Administrative Computer Systems Security


Recommendations of Auditor

Establish the Internet/Intranet Security Policy with the following contents:

  • What services are allowed

  • User access and privileges

  • Policies for managing web pages

  • Procedures for ensuring no alternate access paths to Internet

  • University’s response to security violation

  • User signing internet usage agreement


Recommendations of Auditor (Cont’d)

Establish the Internet/Intranet Security Policy with the following contents (cont’d):

  • Enforcing password requirements

  • Management of increased network traffic resulting from Internet use

  • Hardware, software and client applications

  • Client configuration

  • Frequency of security audit

  • Independent internet assessment


Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Granting of users’ access rights

  • Monitoring of users with administrative rights on IS

  • Guidelines on data encryption

  • Computer security policy training and distribution


Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Virus protection policy

  • Promoting proper usage of the Internet

  • Sharing of user accounts

  • User accounts housekeeping

  • Utilising network scanning tools

  • E-mail virus protection


Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Door-entry control system

  • Automatic directory listing

  • Banners

  • Vulnerable services

  • World-writeable files

  • System logging


Some Security Tips

  • Always apply security patches to the OS and its services

  • Remove unnecessary services

  • Review and change default settings

  • Implement a personal firewall

  • Apply encryption on sensitive data

  • Enable auditing and review the logs
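As an added example that is not part of the PolyU deck, the POSIX shell script below turns three items from the tips above and from the auditor's procedure list (world-writeable files, automatic directory listing, and system logging with log review) into checks a system administrator can run on a UNIX host. Everything it operates on is constructed for the demonstration: the fixture files, the `Options Indexes` directive (assumed Apache httpd syntax) and the sample `sshd` auth-log lines; the function names are the example's own.

```shell
#!/bin/sh
# Added example, not from the PolyU slides: a small host audit covering
# world-writable files, automatic directory listing and log review.
# All fixtures below are constructed for the demonstration.

# List world-writable regular files under a directory. Any local account
# can alter such a file, which defeats "authorised users only" access.
find_world_writable() {
    find "$1" -type f -perm -0002 2>/dev/null | sort
}

# Return 0 (true) when an Apache-style config enables automatic directory
# listing: an "Options" line carrying "Indexes" or "+Indexes" (not "-Indexes").
# The directive syntax is an assumption about Apache httpd configuration.
has_directory_listing() {
    grep -Eq '^[[:space:]]*Options([[:space:]]+[^[:space:]]+)*[[:space:]]+\+?Indexes([[:space:]]|$)' "$1"
}

# Count failed SSH password attempts in an auth log: the kind of figure a
# periodic log review should surface rather than leave buried in the file.
count_failed_logins() {
    grep -c 'Failed password' "$1"
}

# Run the three checks against constructed fixtures, then clean up.
demo_audit() {
    tmp=$(mktemp -d) || return 1
    printf 'data\n' > "$tmp/report.txt"; chmod 0644 "$tmp/report.txt"
    printf 'data\n' > "$tmp/shared.txt"; chmod 0666 "$tmp/shared.txt"
    printf 'Options Indexes FollowSymLinks\n' > "$tmp/httpd.conf"
    # Constructed auth-log lines (documentation-range addresses).
    printf '%s\n' \
        'Jan 10 09:12:01 host sshd[812]: Failed password for root from 203.0.113.5 port 4410 ssh2' \
        'Jan 10 09:12:03 host sshd[812]: Failed password for root from 203.0.113.5 port 4411 ssh2' \
        'Jan 10 09:13:20 host sshd[830]: Accepted password for alice from 198.51.100.7 port 5120 ssh2' \
        > "$tmp/auth.log"

    echo "world-writable files:"
    find_world_writable "$tmp"
    if has_directory_listing "$tmp/httpd.conf"; then
        echo "directory listing enabled in $tmp/httpd.conf"
    fi
    echo "failed logins: $(count_failed_logins "$tmp/auth.log")"
    rm -rf "$tmp"
}

demo_audit
```

Point the three functions at real paths (a data directory, the web server's configuration file, `/var/log/auth.log` or its equivalent) to use them outside the demonstration; each returns plain output or an exit status, so they can be chained into a cron job whose output is reviewed as the "review the logs" tip requires.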
