Polyu it security policy
1 / 26

PolyU IT Security Policy - PowerPoint PPT Presentation

  • Uploaded on

PolyU IT Security Policy. PolyU IT/Computer Systems Security Policy (SSP) By Ken Chung Senior Computing Officer Information Technology Services office. PolyU Systems Security Policy. Importance of IT Security Recommendation from auditors PolyU Systems Security Policy by ITS

I am the owner, or an agent authorized to act on behalf of the owner, of the copyrighted work described.
Download Presentation

PowerPoint Slideshow about ' PolyU IT Security Policy' - tea

An Image/Link below is provided (as is) to download presentation

Download Policy: Content on the Website is provided to you AS IS for your information and personal use and may not be sold / licensed / shared on other websites without getting consent from its author.While downloading, if for some reason you are not able to download a presentation, the publisher may have deleted the file from their server.

- - - - - - - - - - - - - - - - - - - - - - - - - - E N D - - - - - - - - - - - - - - - - - - - - - - - - - -
Presentation Transcript
Polyu it security policy
PolyU IT Security Policy



Systems Security Policy



Ken Chung

Senior Computing Officer

Information Technology Services office

Polyu systems security policy
PolyU Systems Security Policy

  • Importance of IT Security

  • Recommendation from auditors

  • PolyU Systems Security Policy by ITS

  • Endorsement of the Policy by ITSC

  • Policy and Guidelines on Web

Polyu systems security policy1
PolyU Systems Security Policy

  • Physical Security

  • Campus Network and Internet Security

  • Operating System Security

  • Application System Security

  • Personal Computer Security

  • Backup and Recovery

Physical security
Physical Security

  • Equipment housed in safe environment

  • Access control to computer room

  • Equipment installed in open areas should be attended or fixed

Physical security cont d
Physical Security (Cont’d)

  • Proper electrical power protection should be employed, e.g. surge protector, UPS

  • Food, liquid or powdery substances should be keep away from equipment

  • University’s health and safety requirements should be observed

Campus network and internet security
Campus Network and Internet Security

  • Security procedures against intrusion should be implemented and maintained

  • Network management and security monitoring should be performed

  • Security control mechanisms should be documented

Campus network and internet security cont d
Campus Network and Internet Security (Cont’d)

  • Proper protection mechanisms should be implemented

  • Non PolyU equipment and external links should not be connected to campus network

  • HARNET Acceptable Use Policy should be observed (URL: http://www.jucc.edu.hk/jucc/haup.htm)

Operating systems security
Operating Systems Security

  • Update list of system administrators

  • Scanning programs to detect security bugs

  • Latest system and security patches should be adopted

  • All accounts should be protected by ‘good’ password and changed regularly

Operating systems security cont d
Operating Systems Security (Cont’d)

  • Passwords should not be disclosed to others

  • Passwords should not be stored or transmitted in plain text form

  • Users should report security violation to system administrator

  • Accounting, auditing and logging facilities should be adopted for audit trails

Application systems security
Application Systems Security

  • System owner must determine security level required for various kinds of data

  • Only authorised users are allowed to access system and data

  • Production data or files must only be used on production systems

Application systems security cont d
Application Systems Security (Cont’d)

  • Confidential data should be protected by passwords

  • Passwords should not be written down or shared with others, standards on password length, format and frequency of change should be enforced

  • Effective data encryption techniques should be used for storing highly confidential information

Application systems security cont d1
Application Systems Security (Cont’d)

  • Changes to production programs should be authorised, controlled and recorded, timestamps, logs and audit trails must be employed

  • Software developers must not access production data without prior approval of system owners

Personal computer security
Personal Computer Security

  • Access to standalone and networked personal computer equipment and resources should be restricted to authorised users only

  • Data and programs should be backed up regularly

Personal computer security cont d
Personal Computer Security (Cont’d)

  • Preventive and detective measures should be enforced to minimise damages caused by computer viruses

  • Only licensed software should be used

  • Security problems should be reported to system administrators promptly

Backup and recovery
Backup and Recovery

  • System owners must determine their backup requirements

  • Backup and restoration should be performed by authorised personnel only

  • Backed up should be performed periodically on a transportable media and stored appropriately (onsite or offsite)

Backup and recovery cont d
Backup and Recovery (Cont’d)

  • Backup and restoration procedures should be test and review regularly

  • Disaster Recovery Plan for mission critical systems should be in place and periodical drilling is required

It security guidelines
IT Security Guidelines

  • Physical Security

  • Campus Network and Internet Security

  • Firewall Security

  • Remote Access Security

  • Proxy Server Security

  • Personal Computer Security

It security guidelines cont d
IT Security Guidelines (Cont’d)

  • UNIX System Security

  • Web Server Security

  • Novell NetWare and GroupWise Systems Security

  • Student Computing Cluster Security

  • E-mail System Security

  • PolyU Administrative Computer Systems Security

Recommendations of auditor
Recommendations of Auditor

Establish the Internet/Intranet Security Policy with the following contents:

  • What services are allowed

  • User access and privileges

  • Policies for managing web pages

  • Procedures for ensuring no alternate access paths to Internet

  • University’s response to security violation

  • User signing internet usage agreement

Recommendations of auditor cont d
Recommendations of Auditor (Cont’d)

Establish the Internet/Intranet Security Policy with the following contents (cont’d):

  • Enforcing password requirements

  • Management of increased network traffic resulting from Internet use

  • Hardware, software and client applications

  • Client configuration

  • Frequency of security audit

  • Independent internet assessment

Recommendations of auditor cont d1
Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Granting of users’ access rights

  • Monitoring of users with administrative rights on IS

  • Guidelines on data encryption

  • Computer security policy training and distribution

Recommendations of auditor cont d2
Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Virus protection policy

  • Promote proper usage of internet

  • Sharing of user accounts

  • User accounts housekeeping

  • Utilizing networking scanning tools

  • E-mail virus protection

Recommendations of auditor cont d3
Recommendations of Auditor (Cont’d)

Establish Security Procedures for:

  • Door-entry control system

  • Automatic directory listing

  • Banners

  • Vulnerable services

  • World-writeable files

  • System logging

Some security tips
Some Security Tips

  • Always apply security patch on OS and service

  • Remove unnecessary services

  • Review and change default settings

  • Implement a personal firewall

  • Apply encryption on sensitive data

  • Enable auditing & review log