番茄社区

UVic Information Security Standards

Information securityInformation security

These security standards enable the university to manage electronic information resources in accordance with university policies and are designed to ensure the confidentiality, integrity, and availability of university information.

Compliance with these standards does not imply a completely secure system. These standards are only a component of ensuring system security. The standards will be revised and updated regularly.

These security standards apply to all members of the UVic community responsible for managing UVic electronic information resources. The requisite skills and knowledge level are required to maintain compliance to the standards; University Systems offers services to manage electronic information resources in a secure and reliable manner: University Systems Service Catalogue

The standards are based on the IM7800 data classification of the information at risk.

  1. Determine the highest applicable data classification level by reviewing the University Information Security Classification Procedures in policy IM7800. See Appendix A for Information Classification Examples.
  2. Follow the security standards in the table below to safeguard your systems. Where possible, we recommend implementing stronger security controls than the current standard.

Where did the UVic Information Security Standards come from?

In July 2018, UVic Internal Audit completed its Decentralized Information Technology General Controls (ITGC) Self-Assessments (Phase 2) and recommended that “minimum security standards be developed, implemented into the Information Security Policy, and communicated to all stakeholders at the university.” 

University Systems engaged students in the Master of Engineering in Telecommunications & Information Security (MTIS) as part of their capstone project to provide guidance on developing information security standards and IT governance for UVic. The students’ recommendations included both standards to adopt as well good examples from other higher education institutions (e.g. Stanford University’s ).

An initial draft of UVic Security Standards were developed by Curtis Les, our Senior Technical and Information Security Analyst, in February 2019. These were based on the above research as well as the latest standards from accredited organizations including the , , and . Where possible, links to supporting UVic resources were included in the draft standards.

The draft standards were then reviewed by members of the University Systems Cybersecurity Working Group. The draft standards were revised after careful consideration of this feedback. For some standards, a current and future standard was developed as gap areas between a desired standard and current capabilities were identified.

The draft standards were circulated with members of the UVic IT community for additional feedback and revision. We reviewed and incorporated this feedback and published the standards in December 2019. If you’d like to provide additonal feedback, please contact Information Security Standards.

How are the Information Security Standards kept current?

The UVic Information Security Standards follow a regular review and update process to reflect the nature of rapid changes and improvements to best practices in information security. 

Proposals for changes and additions to the Standards are open at all times. To make a proposal, please email infosecstandards@uvic.ca. Proposed changes should include rationale.

  • Review and updates to the Standards are completed at minimum once per year.
  • All proposals are recorded by the Information Security Office.
  • Proposals are circulated with subject matter experts for feedback.
  • The UVic Chief Information Security Officer approves all changes to the Information Security Standards.
  • Updated standards are published to uvic.ca/securitystandards.
  • An Informed message advising of updated security standards is posted.

Data classifications legend Public Check Internal Check Confidential Check Highly Confidential Check

Data Classifications defined in Information Security Policy (IM7800):

Public Internal Confidential Highly Confidential
Definition:             Public Information (Blue)

Information that has been approved for distribution to the public by the information owner or Administrative Authority or through some other valid authority such as legislation or policy.

Definition:             Internal Information (Green)

Information that is intended for use within the University or within a specific workgroup, Unit or group of individuals with a legitimate need-to-know. Internal Information is not approved for general circulation outside the workgroup or Unit.

Definition:              Confidential Information (Yellow)
Information Resource is considered to be highly sensitive business or Personal Information, or a critical system. It is intended for a very specific use and may not be disclosed except to those who have explicit authorization to review such information, even within a workgroup or Unit.
Definition:             Highly Confidential Information (Red)

Information Resource is so sensitive or critical that it is entitled to extraordinary protections, as defined in IM7800 9.00.

 

An endpoint is defined as any laptop, desktop or mobile device primarily used by a single individual at a time. Endpoints also include network printers, VOIP telephones and multi user computers in lab environments.

 Security Standards


Table description: UVic Security Standards for Endpoint Devices required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Patching
  1. Apply critical or security patches (OS and applications) within seven days of release. Normal patches should be applied within 30 days.
  2. Use managed update services.
  3. Monitor vulnerability publications such as  and remediate any affected operating systems and applications.
  4. Assess risk of vulnerabilities patched in updated firmware and patch endpoint firmware as appropriate based on risk.
  5. Only use actively supported operating systems and applications (vendors are providing security patches).
  6. Systems with an unsupported (no future security updates from vendor) OS or applications may not be directly connected to UVic Network.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory
  1. Maintain a comprehensive inventory of all endpoint devices (desktops, laptops, mobile devices, and end user network devices such as printers).
  2. Keep Network Services IPAM records current.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Whole Disk Encryption
  1. Enable FileVault2 for Mac, BitLocker for Windows, and equivalent full disk encryption for Linux, with secure key escrow.
  2. Encrypt mobile devices.
  3. Encrypt external hard drives and USB storage devices (recommend not using these devices unless required).
Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Data Storage
  1. All data except for Public data must be stored within a controlled-access system.
  2. Information classified as Confidential or Highly Confidential must be encrypted.
  3. Internal and Public data encryption is strongly recommended in all environments.
  1. All information located on endpoints is encrypted.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Firewall, Intrusion Detection and Malware Protection
  1. Install advanced endpoint protection with a host based firewall and endpoint detection and response (EDR). Microsoft Defender for Endpoint is required for UVic owned workstation endpoints.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Backups
  1. Backup user data daily.
  2. Keep user and UVic data on network file storage (preferred) or use Tivoli Storage Manager.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Physical Protection
  1. Keep all endpoints in a physically secure location when staff are not present.
  2. Physically secure laptops and mobile devices when not in use.
  3. Use physical access controls such as keys, keycards, and alarms.
Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credentials and Access Control
  1. User accounts follow the principle of least privilege.
  2. Local administrator accounts use unique passphrases and are disabled if not required.
  3. Review accounts and privileges annually and enforce strong passphrases.
  4. Login with Netlink account credentials instead of local or shared accounts.
  1. Require Multi-Factor Authentication to login to endpoints used as privileged access workstations.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Configuration Management
  1. Manage secure configuration for hardware and software ( - 4.1) using tools to deploy and enforce standard policies and settings. Examples include Active Directory with standardized Group Policies, System Center Configuration Manager, WSUS, JAMF, ActiveSync Policies.
  2. Follow accredited industry best practices for policies and settings, including application allowlisting, macro controls, and restricting command line access ().
  3. Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need ( - 4.4, 4.5).
  1. Meet a minimum 90% score for standard Windows and Mac workstations.
  2. Enroll all mobile devices into an Enterprise Mobility Management system with recommended security policies ().
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Network Protection
  1. Configure Access Control Lists to only allow necessary traffic.
  2. Use VPN to access UVic services on endpoints when off campus or on an untrusted network.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Media Disposal
  1. Endpoints must be sanitized and securely destroyed following Records Management policy in IM7700.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Regulated Data Security Controls
  1. For payment card processing use a PCI compliant Virtual Payment Terminal.
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Information Security Incidents
  1. Follow Information Security Incident procedures as detailed in IM7800.
  2. A workstation or mobile device that is suspected of being infected must be rebuilt from known-good media.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Support Staff Training
  1. Support Staff must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)

A server is defined as a host that provides a network-accessible service.

 Security Standards


Table description: UVic Security Standards for Servers required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Vulnerability Management
  1. Have a defined process in place for assessing risk of vulnerabilities ( - 7.1,7.2, ).
  2. Perform regular vulnerability scans and remediate discovered vulnerabilities.
  3. Monitor vulnerability publications such as  and remediate any affected operating systems and applications.
  1. Perform monthly or more frequent vulnerability scans with a compliant tool; assess scan results and remediate discovered vulnerabilities.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Patching
  1. Apply critical security patches (OS and applications) within 3 days of release.
  2. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule.
  3. Use automated, managed update services where possible.
  4. Only use only actively supported operating systems and applications (vendors are providing security patches).
  5. Systems with an unsupported (no future security updates from vendor) OS or applications must use compensating controls, including network segmentation, to minimize risk.
  1. Apply critical security patches within 24 hours of release.
  2. Apply non-critical security patches within 30 days of release.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory
  1. Keep server inventory current (update ConfigManager and Nets IPAM records).
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Firewall, Intrusion Detection and Malware Protection
  1. Install and enable host based firewall in default deny mode; only permit the necessary services.
  2. Use the institutionally managed and supported Extended Detection and Response (EDR/XDR) software; contact the Information Security Office for more information.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credentials and Access Control
  1. Review accounts and privileges annually and enforce strong passphrases.
  2. Login with Netlink or privileged account credentials instead of local or shared accounts. 
  3. All account access follows the principle of least privilege.
  4. Multi-Factor Authentication required for all privileged (root/administrator) access.
  5. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data.
  6. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.
  1. Multi-Factor Authentication required for all credentials.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Centralized Logging
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems.
  2. Log all access requests, including userID, IP address, date and timestamp, and result.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Sysadmin Training
  1. Sysadmins must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Backups
  1. Backup servers at least weekly.
  2. Test server restores regularly (at least annually).
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Physical Protection
  1. All servers must be located in a secure location (Enterprise Data Centre recommended).
  2. Servers must be protected by physical access controls.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Network Protection
  1. Configure Access Control Lists, VRFs, network firewalls, and host based firewalls to only allow necessary traffic in default deny mode.
  2. Use VPN to manage servers from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Remote Access
  1. Use hardened remote access services when accessing servers with confidential or highly confidential data (terminal server/secure admin workstation).
  2. UVic owned and managed equipment is required for privileged (root/administrator level) account access.
  3. Multi-factor authentication required for remote access.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Configuration Management
  1. Use configuration management tools such as Active Directory, Group Policies, LDAP.
  2. Follow accredited industry best practices such as  Standards, Standards and .
  3. Ensure that all network ports, protocols, services, and software configuration running on a system have a valid business need ( - 4.4, 4.5).
  1. Meet a minimum 90% score for standard Windows and Linux servers.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Security, Privacy and Legal Review
  1. Follow a defined process to identify whether a Privacy Impact Assessment (PIA) and/or Security Threat and Risk Assessment (STRA) is required for each application.
  2. If required, complete a PIA and/or STRA prior to deployment.
  3. Review and update the PIA and STRA before significant changes to the application or the data used by the application.
Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Regulated Data Security Controls
  1. Implement PCI or FIPPA controls as applicable.
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Information Security Incidents
  1. Follow Information Security Incident procedures as detailed in IM7800.
  2. A server that is suspected of being infected must be rebuilt from a clean backup or known-good media.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)

An application is defined as software or service running on a UVic hosted server that is remotely accessible.

 Security Standards


Table description: UVic Security Standards for Applications required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Vulnerability Management
  1. Have a defined process in place for assessing risk of vulnerabilities ( - 7.1,7.2, ).
  2. Perform regular vulnerability scans and remediate discovered vulnerabilities.
  3. Monitor vulnerability publications such as  and remediate any affected services.
  1. Perform monthly or more frequent vulnerability scans with a compliant tool; assess scan results and remediate discovered vulnerabilities.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Patching
  1. Apply critical security patches within 3 days of release.
  2. Apply non-critical security patches as appropriate based on assessed risk. This may be part of an application upgrade/maintenance schedule.
  3. Only use actively supported applications (vendors are providing security patches).
  4. Systems with an unsupported (no future security updates from vendor) application must use compensating controls, including network segmentation, to minimize risk.
  1. Apply critical security patches within 24 hours of release.
  2. Apply non-critical security patches within 30 days of release.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory and Repository 
  1. Maintain application inventory quarterly.
  2. Maintain a centrally managed repository for storing software code securely. Restrict access to the repository following principle of least privilege.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Firewall
  1. Enable web application level firewalls in default deny/blocking mode; only permit the necessary services ( control 13.1).
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Network Controls
  1. Configure Access Control Lists, and network firewalls to only allow necessary traffic in default deny mode.
  2. Applications must not be Internet-accessible by default unless functionally required.
  3. Use VPN to manage applications from off campus or untrusted networks. Restrict VPN access by using VPN pools.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credentials and Access Control 
  1. Review accounts and privileges annually and enforce strong passphrases.
  2. Login with Netlink or privileged account credentials instead of local or shared accounts.
  3. Integrate with UVic identity services such as CAS, LDAP, SAML or Active Directory where possible.
  4. All account access follows the principle of least privilege.
  5. Multi-Factor Authentication required for all privileged (root/administrator) access.
  6. Multi-Factor Authentication required for all credentials accessing Confidential or Highly Confidential data.
  7. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to applications.
  1. Multi-Factor Authentication required for all credentials.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Centralized Logging
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems.
  2. Log all access requests, including userID, IP address, date and timestamp, and result.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Product Selection
  1. Follow UVic Purchasing Services processes for product selection.
  2. Follow Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105).
  3. Application selection process, for both commercial/vendor applications and open source, includes privacy and security risk analyses.
  4. Prior to deployment, applications are assessed for operational readiness and maintainability.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Secure Software Development
  1. Design software with security as a requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.
  2. Fully test software before production use, with a complete suite of tests:
    - Unit tests
    - Integration tests
    - Security tests such as with .
    Ensure tests validate both expected and unexpected behavior.
  3. Integrate automated testing into the CI/CD pipeline.
  4. Ensure developed applications meet OWASP , Level 2.
  5. Use automated tools for application deployment, to provide consistency and ability to audit.
  1. Perform Software Composition Analysis (SCA) activities monthly or more frequent to check for outdated and/or vulnerable dependencies.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Developer Training
  1. Require developer participation in regular training (minimum annually) or developer security certification, to maintain knowledge of information security best practices related to their roles.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Backups
  1. Backup application data at least weekly.
  2. Test data restores regularly (at least annually).
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Remote Access
  1. Use hardened remote access services when accessing application consoles with confidential or highly confidential data (terminal server/secure admin workstation).
  2. UVic owned and managed equipment is required for privileged (root/administrator level) account access.
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Security and Privacy Review
  1. Follow a defined process to identify whether a Privacy Impact Assessment (PIA) and/or Security Threat and Risk Assessment (STRA) is required for each application.
  2. If required, complete a PIA and/or STRA prior to deployment.
  3. Review and update the PIA and STRA before significant changes to the application or the data used by the application.
Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Regulated Data Security Controls
  1. Implement PCI or FIPPA controls as applicable.
Confidential Information (Yellow) Highly Confidential Information (Red)

A cloud service is defined as any Infrastructure, Platform or Software 'as a Service' or similar Internet based service. If information is stored or used in a cloud service, this standard applies.
Other standards may also apply to cloud services, for example, Server or Application standards could apply to servers, containers, or applications running on a cloud platform.

 Security Standards


Table description: UVic Security Standards for Cloud Services required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Product Selection
  1. Follow UVic Purchasing Services processes for product selection.
  2. Follow Protection of Privacy Policy (GV0235) and Purchasing Services Policy (FM5105)
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Best Practices and Industry Standards
  1. Follow UVic Cloud Security Standards schedule.
  2. The cloud service must be compliant with a industry standard cloud security framework - , , (CCM).
  3. The cloud service contractor must follow industry best practices for network, servers, endpoints, databases, applications, physical facilities, change control and management. 
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory
  1. Maintain application inventory quarterly.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credential and Access Control
  1. Review accounts and privileges annually. Enforce strong passphrases.
  2. Integrate with SSO and login with Netlink or privileged account credentials instead of local or shared accounts. Adhere to Netlink equivalent password complexity rules if not integrated with SSO/Netlink.
  3. All account access follows the principle of least privilege.
  4. Do not share credentials or use shared accounts.
  5. Multi-Factor Authentication is required for all credentials. accessing Confidential or Highly Confidential Data.
  1. Multi-Factor Authentication is required for all credentials.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Privileged Account Management
  1. Multi-Factor Authentication required for privileged (root/administrator) access for all cloud systems.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Key Management
  1. Minimize generation of API keys. Grant minimum necessary privileges, rotate API keys annually, do not hard-code API keys.
  2. Use API keys in conjunction with authentication.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Encryption at Rest
  1. Use encryption of data at rest (whole database encryption preferred).
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Encryption in Transit
  1. Enabled transport layer encryption TLS 1.2 or higher.
  2. Use strong cipher suites and cipher suite order.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Logging and Auditing
  1. Enable any available application logging that would assist in a forensic investigation in the event of a compromise, such as all access requests, including userID, IP address, date and timestamp, and result. SIEM logging recommended for identity, access management and high risk systems. Seek vendor or Information Security Office guidance as needed.
  2. Contractually ensure accurate logging.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Data Management
  1. Contractually ensure all information incidents involving UVic data are detected are reported and investigated with UVic Information Security Office.
  2. Contractually ensure data management, including access to UVic data and associated purge on termination of the agreement.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Remote Access
  1. Use hardened remote access services when accessing application consoles with confidential or highly confidential data (terminal server/secure admin workstation).
  2. Multi-factor authentication and UVic owned and managed equipment is required for privileged (root/administrator level) account access for all cloud systems.
  1. Use hardened remote access services when accessing an application console for all data classifications (terminal server/secure admin workstation).
Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Security, Privacy and Legal Review
  1. Have a Security Threat and Risk Assessment completed prior to deployment and annually.
  2. Complete a Privacy Impact Assessment completed prior to deployment and review and update PIA prior to sending any new data to the cloud service.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Regulated Data Security Controls
  1. Contractually ensure cloud vendors implement PCI or FIPPA controls as applicable.
  2. Use the cloud service in a way that is compliant with FIPPA controls, including minimal data collection and obtaining of appropriate consents.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Administrator Training
  1. Cloud Service administrators must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)

The network is defined as all campus voice and data networking infrastructure.

 Security Standards


Table description: UVic Security Standards for Network Devices required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Vulnerability Management
  1. Have a defined process in place for assessing risk of vulnerabilities  - 7.1,7.2, ).
  2. Monitor vulnerability publications such as  and remediate any affected operating systems and applications.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Patching
  1. Install the latest stable version of any security related updates on all network devices within 60 days ( - 12.1).
  1. Install the latest stable version of any security related updates on all network devices within 30 days.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory
  1. Keep network device inventory current (update ConfigManager, IPAM and Nets Tools records).
  1. Document all traffic configuration rules ( - 12.4).
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credential Management
  1. Manage network devices using multi-factor authentication and encrypted sessions ( - 4.6, 6.5).
  2. Review accounts and privileges annually and enforce strong passphrases.
  3. All account access follows the principle of least privilege.
  4. Implement Vendor Access Management Plan. Do not allow vendors unescorted administrative access to servers.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Network Administrator Training
  1. Network administrators must participate at least annually in training to maintain knowledge of information security best practices related to their roles.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Network Infrastructure
  1. Only authorized network devices may be connected to the UVic network (IM7200 Section 12.06).
  2. Manage network infrastructure through a dedicated, segregated management network.
  3. Maintain documented secure configurations for all authorized network devices.
  4. Deny communications with known malicious IP addresses.
  1. Use automated tools to verify standard device configurations and alert if deviations are discovered ( - 4.2).
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Backups
  1. Maintain backups of network device configurations.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Centralized Logging
  1. Enable and forward logs in real time to a remote log server. UVic Syslog centralized logging recommended. SIEM logging recommended for identity, access management and high risk systems.
  2. Enable netflow traffic data logging on network boundary devices.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)

Operational Technology includes programmable systems or devices with an embedded operating system that interact with or manage the physical environment, including scientific equipment and Internet of Things devices. Examples include industrial control systems, building management systems, fire control systems, physical access controls, microscopes, medical scanners, conference room systems, video streaming devices, and security cameras.

 Security Standards


Table description: UVic Security Standards for Operational Technology required for each of UVic's data classifications
Category
Current Standard
Future Standard
Data
Classification
  1. Vulnerability Management
  1. Have a defined process in place for assessing risk of vulnerabilities  - 7.1,7.2, ).
  2. Monitor vulnerability publications such as  and remediate any affected firmware and applications.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Patching
  1. Install the latest stable version of any security related updates on all Operational Technology within 60 days ( - 12.1).
  1. Install the latest stable version of any security related updates on all Operational Technology devices  and applications within 30 days.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Inventory
  1. Maintain a comprehensive inventory of all Operational Technology devices and applications.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Credential Management
  1. Where possible, protect Operational Technology devices and management consoles with multi-factor authentication, and encrypted sessions ( - 4.6, 6.5).
  2. Use Central Authentication Systems with NetLink account logins where possible instead of silo or shared accounts.
  3. Review accounts and privileges annually and enforce strong passphrases, including local device access controls.
  4. All account access follows the principle of least privilege.
  5. Implement Vendor Access Management Plan. Do not allow vendors unescorted remote administrative access to Operational Technology.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Operational Technology Infrastructure
  1. Only authorized Operational Technology devices may be connected to the UVic network (IM7200 Section 12.06).
  2. Use dedicated, segregated infrastructure, including the use of VLANs, VRFs and network firewalls, for all Operational Technology devices.
  3. Physically secure Operational Technology where applicable.
  4. Ensure that all network ports, protocols, services, and software configuration running on operational technology have a valid business need.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Backups
  1. Keep and test backups of necessary information.


Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)
  1. Logging
  1. Log authentications and changes in Operational Technology, stored centrally where possible.
Public Information (Blue) Internal Information (Green) Confidential Information (Yellow) Highly Confidential Information (Red)

An Excel version of these standards: uvicsecuritystandards.xlsx