Operations Security Standard
- Operational procedures and responsibilities
- Responsibilities, processes, and procedures should be established and documented for the management and operation of all information processing facilities. This includes the development of appropriate operating instructions and incident response procedures.
- Operating procedures for all WSSU administrative systems and applications should be documented and maintained. Operating procedures should be treated as formal documents with changes authorized by the supervisor. Documented procedures should also be prepared for housekeeping activities associated with information processing and communication facilities such as computer startup and shutdown procedures, back-up, equipment maintenance, and data center room management and safety.
- Operational Change Control
Changes to WSSU administrative information processing facilities and systems must be authorized and controlled through a change management process with appropriate checks and balances. Formal management responsibilities and procedures ensure satisfactory control of all changes to equipment, software or procedural documentation. The operational software will be subject to strict change control. When programs are changed, an audit log containing all the relevant information will be created and maintained. The change control process will consider the following activities:
- Identification and recording of significant changes
- Assessment of risk of the potential impact of the change
- Formal approval process for proposed changes
- Communication of changes to all affected people and organizations
- Procedures identifying responsibilities for aborting and recovering from unsuccessful changes.
- Protection from malware
Software and associated controls will be implemented across all Winston-Salem State University (WSSU) systems to prevent and detect the introduction of malicious software. The introduction of malicious software such as computer viruses, network worm programs, and Trojan horses can cause serious damage to networks, workstations, and business data. User education will outline the dangers of unauthorized or malicious software. The types of controls and the frequency of updating signature files, etc., are dependent on the value and sensitivity of the information that could be potentially at risk. For most WSSU workstations, and all systems or servers, virus signature files are updated at least daily.
- Backup
- Back-ups of WSSU data residing on network file servers and software are performed regularly. A threat and risk assessment is performed at least annually on mission-critical business systems to assist in determining the time frame required for recovery. Processes will be developed to back up the data and software. Restoration of data is tested periodically. Formal disaster recovery plans for each mission-critical WSSU application will be developed, documented and tested periodically. Test results will inform changes to WSSU Office of Information Technology disaster recovery plans.
- Logging and monitoring
- Event Logging
All systems should be configured to support security event logging, recording user activities, exceptions, faults, and information security events. System administrators should monitor and report inappropriate access to the Information Security office. Mission critical systems should be configured to support automated logging to a facility that protects the integrity of the logs.
- Availability and Performance Monitoring
Mission critical systems should be configured to support the Office of Information Technology approved automated monitoring of system availability and performance.
- Protection of Log Information
Logging facilities and log information should be protected against tampering and unauthorized access.
- Administrator and Logs
System administrator activities should be logged and the logs protected and regularly reviewed.
- Clock Synchronization
Approved Office of Information Technology managed enterprise network time servers should be the only devices permitted to synchronize with external time services. All provided or managed systems will synchronize time with the approved managed enterprise network time servers. All non-University provided or managed systems storing, processing or transmitting University data should be synchronized to approved time synchronization services.
- Control of operational software
- Installation of Software on Operational Systems
Only software that has been licensed and approved as a standard software product, or that has been approved as an exception through the University’s IT Governance architecture standards approval process, should be installed on devices covered by the software’s license agreement.
- Patch Management
All applications and processing devices that are attached to the University’s enterprise technology infrastructure will have critical application, operating system, and/or security-related patches made available by the software or hardware vendor applied within 60 calendar days, or sooner if an acceptable date can be agreed upon by all affected parties. Emergency patches and updates will be applied as soon as possible following successful validation and testing.
- Software Development Code
Software development code (i.e. non-compiled software programming code) cannot be installed on production systems.
- Review of Application and Operating System Changes
Applications and operating systems should be reviewed and tested to ensure that there is no adverse impact on operations or security when a change (e.g. a patch) has been performed on the operating system.
- Technical vulnerability management
- Host Scanning
OIT Information Security Office (ISO) reserves the right to scan any device attached to the WSSU network on a periodic and tiered basis to ensure optimal configuration to protect against known vulnerabilities and to advise Data Trustees/Stewards of unencrypted storage of highly sensitive/confidential data (e.g. SS#). For example, a system integrity check, using an appropriate tool, may be run as frequently as current standards recommend checking for system integrity. Sensitive or critical systems will be scanned as frequently as current standards recommend. Due to the complex nature of various vulnerabilities, central scanning should be used where possible, and a notification mechanism developed to propagate vulnerability information to data trustees/owners and ITS staff for appropriate remediation.
- Network Security Checking
- Network vulnerability scans are conducted periodically on systems that are essential to supporting a process that is critical to WSSU business and annually on all other systems. Appropriate tools to scan the network and to report vulnerabilities will be identified by OIT and will be updated periodically to ensure that recently discovered vulnerabilities are included in any scans.
- The vulnerability scanning process is followed and tested at all times to minimize the possibility of disruption to WSSU networks by such reviews. Reports of exposures to vulnerabilities will be forwarded to the ISeCS Program Team for review.
- The use of network vulnerability scanning tools by anyone other than, or authorized by, OIT ISO personnel is prohibited. Researchers and students performing vulnerability testing as a function of their research or coursework must receive OIT authorization and make arrangements to ensure that scans are limited to their own systems or systems that have been assigned to them. Any vulnerability scanning from the Internet must be conducted exclusively by appropriately authorized and trained organizations.
- Penetration and Intrusion Testing
- All production computing systems that provide campus information to external parties, either directly or through another service that provides information externally (such as the World Wide Web), may be subjected to penetration analysis and testing. It may be necessary for another campus organization, a suitably qualified State evaluation team or an authorized third-party to attempt a live test to validate potential vulnerabilities. Such analysis and testing will be used to determine if:
- The application may be changed by anyone while in production
- An authorized user may access the application and cause it to perform unauthorized tasks
- An unauthorized user may access, destroy or change any data
- An unauthorized user may access the application and cause it to take inappropriate action.
- Only authorized administrators may perform penetration testing, and the system owner or her/his designate must approve each test. Any other attempts to perform such tests or to determine how a system may change or behave under abnormal circumstances, whether successful or not, will be deemed an unauthorized access attempt and will result in disciplinary or legal action.
- Information systems audit considerations
Audit processes should be implemented in a secure manner and as efficiently as possible while minimizing any disruption to business operations.