Introduction
As part of its educational mission, the University of Colorado Denver, College of Liberal Arts and Science (CLAS), acquires, develops, and maintains data and information, computers, computer systems and networks. These information technology (IT) resources are intended for university-related purposes, including direct and indirect support of the university's instruction, research and service missions; university administrative functions; student and campus life activities; and the free exchange of ideas within and among the university community and the wider local, national, and world communities.
This policy applies to all people who maintain, manage and use CLAS IT resources and to all uses of those resources, whether on campus or from remote locations, and is based on APS 6005. This policy is intended to help protect network confidentiality, integrity, availability, accountability, and assurance. Additional policies may govern specific computers, computer systems or networks provided or operated by specific units of the University of Colorado Denver, College of Liberal Arts and Science (CLAS) and subsidiary units of the college.
This policy provides guidelines for information technology (IT) security regarding media sanitization, access control, inventory, and physical security, in order to protect against, prevent, or reduce the risk of loss, theft, damage, unauthorized access, and manipulation of data and computing devices in the College of Liberal Arts and Sciences (CLAS) at the University of Colorado Denver.
Each department, program, administrative unit, computer lab, and affiliated business unit in CLAS may extend this policy with supplementary policies and guidance for their specific environment.
APPLICABILITY
This policy applies to all departments, administrative units, computer labs, and other affiliated business units in CLAS that use IT resources to perform their academic activities and business functions.
The intent of this document is to formalize and define the responsibility that students, staff and faculty have to ensure that the University of Colorado Denver CLAS human and computing resources and assets are physically safe, secure, reliable and available for their intended use.
This document needs to be a living document, in which new security methods are brought forth to deal with new threats to the University of Colorado Denver information technology infrastructure and content.
CLAS IT Governance
CLAS IT Committee Governance Roles and Responsibilities were reviewed by the CLAS IT Committee on October 10, 2016. The CLAS dean empowered committee members with sufficient authority to direct practices and ensure aligned behavior amongst college organizations through communication of policy via the college website as policy is developed.
CLAS Bylaws Excerpt
This excerpt is from the CLAS Bylaws of April 24, 2016 (page 15):
i. Composition:
- five voting rostered faculty members (one from each division plus one at large)
- one voting student
- one non-voting staff representative with IT expertise
- one non-voting representative of the Dean’s Office
If a committee member does not meet regularly with the committee, the chair shall declare the seat vacant, and the associate dean responsible for elections shall arrange for a temporary appointment from the appropriate constituency and division until a replacement can be elected. The definition of regular attendance will be determined by the committee.
ii. Procedures:
- At or before the first meeting of the fall semester a chairperson shall be elected from among the rostered faculty members of the committee. The term of office for the chairperson shall be one year beginning on the date of the first meeting of the fall semester.
- A committee quorum shall consist of at least half of the voting members of the committee. The chairperson should vote only in the event of a tie. The chair or a committee member may request that a vote be taken by secret ballot when deemed desirable to do so.
iii. Functions:
- To monitor actions of and to liaise with campus and system IT offices and to represent the college's concerns to those offices.
- To advise the college regarding IT needs.
- To advise the college regarding the college computer labs.
- To respond to other IT needs as they arise.
CLAS IT Committee Governance Roles and Responsibilities:
- Review on a regular basis CLAS IT resource policies and procedures to ensure alignment with changes in IT security and in the general IT environment. This would include review of IT policy and procedure drafts provided by the CLAS IT Professionals Advisory Group (ITAG). Recommend changes as needed to ensure policies and procedures are kept current.
- Provide the Dean with recommendations on College policies and procedures, in collaboration with ITAG. The committee is expected to inform the goals and objectives of CLAS IT service provisioning in support of the university and college mission.
- Oversee the proper use of College IT resources. This would include establishing risk-based guidelines to address vulnerabilities and threats to critical CLAS IT services and to communicate college-level risk tolerance and CLAS IT resource security strategy.
- Remove access to IT resources from any employee of the College for non-compliance with CLAS IT policy and procedure.
- Direct practices and ensure aligned behavior amongst college organizations through communication of policy via the CLAS IT-Support website as policy is developed.
- Work with CLAS Faculty and Staff to bring important College IT issues to the ITAG and the Dean.
CLAS System Administrator(s), Lan Admin(s), Data Management Roles
System Administrator and Lan Admin in this document refers to anyone who manages computer systems and provides IT service(s).
From: https://www.cu.edu/ope/policy-resources-and-tools and APS 6005:
IT Service Provider - Any person that designs, builds, implements, supports, or provides an IT service to other University employees, students, or affiliates, using a University IT resource. Examples of IT service providers include: website administrators, workstation support staff, server administrators, software programmers, application developers, data network technicians, user account administrators, and computer center personnel.
Based on the above definition, CLAS and many CLAS staff provide IT Services, and as providers of IT Services, CLAS must adhere to APS 6005.
Data Governance APS 6010 also defines these roles:
- Data Owners are accountable for managing, protecting, and ensuring the integrity and usefulness of university data. Data owners have the primary responsibility to ensure the university is following its policies and is in compliance with federal and state laws and regulations. Data owners, in consultation with the Council of Data Owners, shall identify the criticality and sensitivity of data. Data owners typically are associated with the business functions of an organization rather than technology functions. Data owners are appointed by the President, Chancellors or their delegates and are typically an administrative officer of the University or departmental director. The President or Chancellor may choose to not identify a Data owner for certain data types given risk decisions or administrative, research, or academic needs.
- Data Custodians typically have control over a data asset's disposition, whether stored (at rest), in transit, or during creation. Custodians will often have modification or distribution privileges. Data custodians carry a significant responsibility to protect data and prevent unauthorized use. Data custodians are often data providers to data users. Data owners or data stewards may also exercise custodial roles and responsibilities. Data custodians typically are associated with IT units within the university, either central IT organizations or IT offices within academic and administrative units.
- Data Stewards will often have data custodial responsibilities, but are distinguished from custodians by delegated decision-making authority regarding the data. Data stewards may represent data owners in policy discussions, architectural discussions, or in decision-making forums. Data stewards actively participate in processes that establish business-context and quality definition for data elements. Data stewards are more likely to be associated with business functions than IT functions.
- To the degree that a data user creates university data and/or controls the disposition of university data, he or she has responsibility for the custodial care of that data. Data users share responsibility in helping data stewards and custodians manage and protect data by understanding and following the IT and information security policies of the university related to data use.
- Council of Data Owners: The Council of Data Owners advises the President and Chancellors that the University is taking appropriate measures to ensure data quality and ensure compliance with relevant regulations and policies. The Council will work to consensus to resolve conflicts where data overlaps between multiple data owners. Council members consist of data owners appointed by the President and Chancellors. Where data owners are distributed to the campuses, a single representative shall be appointed and may rotate bi-annually. Legal Counsel and the Chief Information Security Officer shall be ex officio members of the Council.
The System Administrator(s) and Lan Admin(s) are responsible for (but not limited to):
- Risk assessment
- Network intrusion detection
- Maintaining operation center contact information
- Working with staff to resolve exposures and reduce potential exposures
- Maintaining CLAS Security Policy (this document)
- Organizing security training events within the realm of CLAS
- Ensuring data is stored according to data classification
The System Administrator must coordinate within CLAS various IT security responsibilities, including but not limited to monitoring, documenting, reporting, and correcting the cause of security breaches, establishing minimum security standards for the installation and configuration of IT resources, maintaining the operating systems, reviewing account termination, maintaining a change log and other security functions.
The System Administrator must coordinate and collaborate outside of CLAS with OIT and other IT groups to ensure a secure and robust computing environment in support of the CLAS mission. Examples of these activities include but are not limited to policy development, educational and awareness campaigns, dissemination of current risk information, resolution of IT security and performance issues, development of services, student/faculty/staff support and penetration testing.
The System Administrator must help ensure that CLAS complies with the University of Colorado Denver guidelines for Information Systems' Appropriate Use Policy (AUP), listed at: UC Denver Information Systems' Appropriate Use Policy (AUP).
CLAS must help ensure that APS 6005 is understood, applied and revisited regularly (no less than annually).
Related Policies, Procedures, Guidelines and Resources
All CLAS security measures must comply with federal and state laws, university rules and policies, and the terms of applicable contracts including software licenses.
Examples of applicable laws, rules and policies include, but are not limited to:
- Administrative Policy Statements (APS) 6001 – Providing and Using Information Technology
- Administrative Policy Statements (APS) 6005 – IT Security Program Policy
- Administrative Policy Statements (APS) 6005 – IT Security Program Policy Summary
- University of Colorado, Office of Information Security – Highly-Confidential & Highly Critical System Information Security Standard -- NEED LINK
- University of Colorado, Office of Information Security – Baseline Information Security Standard Document Download
- University of Colorado Denver | Anschutz Medical Campus Administration Policy – Acceptable Use of Information Technology Resources -- NEED LINK
- NIST Special Publication 800-12 Introduction to Computer Security: The NIST Handbook
- NIST Special Publication 800-14 Generally Accepted Principles and Practices for Securing Information Technology Systems
- NIST Special Publication 800-61 Computer Security Incident Handling Guide
- NIST Special Publication 800-123 Guide to General Server Security
- The OWASP Application Security Code of Conduct for Educational Institutions
- Colorado Computer Crime
- Laws of libel, privacy, copyright
- The Digital Millennium Copyright Act of 1998
- The Computer Fraud and Abuse Act
- University of Colorado: Officer and University Staff Handbook
- Helpful Information for LAN Admins, 2015.
CLAS Security Policy General Rules
Media Sanitization
- Disposal of computing devices and storage media: Computing devices, storage media (e.g., hard disk drives, CD-ROMs, memory sticks, tapes, cartridges, etc.), and network equipment shall be purged of all data, so that the information is neither readable nor recoverable, or shall be destroyed before disposal or release.
- Donation of computing devices, storage media, and network equipment: When computing equipment and storage media are donated within the College, all information shall likewise be purged to prevent unauthorized information access.
- OIT Hard Drive Crushing: When data needs to be destroyed, follow these instructions from OIT for Hard Drive Crushing.
Access Control
CLAS relies on OIT authentication systems (AD, etc.) to authorize users of the University of Colorado Denver computing resources. In cases of unique CLAS IT Services, the user should refer to the relevant policies pertaining to those areas (e.g., lab policies).
- Use the Principle of Least Privilege: All access to information, data and systems shall be granted according to the principle of least privilege (need to know and need to share).
- Disable or Limit Root or Administrative Account Remote Access: The default local system administrator account shall be disabled for remote login. Default (factory) passwords shall be changed.
- Removal of Unnecessary Accounts and Group Memberships: Obsolete or redundant accounts and group memberships shall be removed when the user leaves, graduates, or terminates enrollment.
- Disable Unnecessary System Functions: Unnecessary system features, services, and ports shall be disabled or removed.
- Change Default Passwords: All default passwords in the system settings that the manufacturer or vendor provides shall be changed or disabled.
- Audit System and User Events: All system and user events and actions shall be audited periodically.
- OWASP Access Control Cheat Sheet
- Access Control in Software Development
- OWASP Cheat Sheet Collection
- University of Colorado Denver Data Center OIT Data Center Policy
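The remote-administrative-login, default-password and unnecessary-function rules above are only useful if someone can check a host against them. The following is an added example (not CLAS policy text and not OIT tooling) that reads an OpenSSH sshd_config and reports the global settings that fall short. It assumes OpenSSH's keyword semantics (the first value set for a keyword wins, and settings inside a Match block do not change the global default); the REQUIRED and DEFAULTS tables are this example's reading of the policy, and both sample configurations are constructed here, one weak and one hardened.

```python
"""Check an OpenSSH sshd_config against the Access Control rules above.

Added example, not CLAS policy text or OIT tooling. Assumptions: OpenSSH's
keyword semantics (first value for a keyword wins; keywords inside a Match
block are conditional, not global); the REQUIRED and DEFAULTS tables and
both sample configurations below are constructed for this example.
"""
import re

# This example's reading of the policy: no remote root/admin login, no
# password-only or empty-password logins, unnecessary features switched off.
REQUIRED = {
    "permitrootlogin": {"no"},
    "passwordauthentication": {"no"},
    "permitemptypasswords": {"no"},
    "x11forwarding": {"no"},
}

# Value OpenSSH applies when the keyword is absent from the file.
DEFAULTS = {
    "permitrootlogin": "prohibit-password",
    "passwordauthentication": "yes",
    "permitemptypasswords": "no",
    "x11forwarding": "no",
}

# "Keyword value" or "Keyword=value"; sshd_config has no trailing comments.
KEYWORD_RE = re.compile(r"^(\S+?)(?:\s+|\s*=\s*)(.*)$")

# Constructed sample: a default-ish config that fails several rules.
WEAK_CONFIG = """\
Port 22
PermitRootLogin yes
# PasswordAuthentication no  (commented out, so the default 'yes' applies)
X11Forwarding yes
Match User backup
    PasswordAuthentication no
"""

# Constructed sample: hardened. The trailing duplicate is ignored by sshd
# because the first value wins, and the checker mirrors that.
HARDENED_CONFIG = """\
PermitRootLogin no
PasswordAuthentication no
PermitEmptyPasswords no
X11Forwarding no
PermitRootLogin yes
"""


def parse_global(config_text):
    """Return {keyword_lowercase: effective_global_value} for a config."""
    settings = {}
    in_match = False
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        m = KEYWORD_RE.match(line)
        if not m:
            continue
        key, value = m.group(1).lower(), m.group(2).strip()
        if key == "match":
            in_match = True  # everything after a Match line is conditional
            continue         # ("Match all" is not special-cased here)
        if in_match:
            continue
        settings.setdefault(key, value)  # first occurrence wins in sshd
    return settings


def check_config(config_text):
    """Return [(keyword, effective_value, allowed_values)] for each rule missed."""
    settings = parse_global(config_text)
    findings = []
    for key, allowed in REQUIRED.items():
        effective = settings.get(key, DEFAULTS[key]).lower()
        if effective not in allowed:
            findings.append((key, effective, sorted(allowed)))
    return findings


if __name__ == "__main__":
    for label, text in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = check_config(text)
        print(f"{label}: {len(findings)} finding(s)")
        for key, value, allowed in findings:
            print(f"  {key} = {value!r}; policy requires one of {allowed}")
```

The weak sample yields three findings: the explicit PermitRootLogin yes, the PasswordAuthentication that is only set inside a Match block (so the global default of yes still applies), and X11Forwarding yes. The hardened sample yields none, and the duplicate PermitRootLogin yes at its end is correctly disregarded because sshd keeps the first value it reads.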
Filter Notification
- CLAS staff will be notified prior to or concurrent with the application of a filter.
- Notification attempts will be made to staff and/or affiliated users, or their designees, directly by word of mouth, email, and phone in that order.
- An effort will be made to avoid disruption of service in cases not involving outgoing attacks.
(Currently all network traffic into CLAS is filtered at the gateway(s) and/or firewall(s). We need more information about the topology of the University of Colorado Denver's network.)
IT Inventory
- Device Inventory: All authorized and unauthorized devices shall be identified, and unauthorized ones shall be removed from the network. Authorized devices shall be tracked throughout their life cycle on the network. Deploy an automated asset inventory tool if needed.
- Software Inventory: Maintain a list of authorized software and versions, and remove unnecessary, obsolete and unauthorized software applications. Deploy a software inventory system if needed.
- Network Monitoring: Active Directory shall be monitored on a regular basis to identify unauthorized devices.
- Master Image: A standard secure configuration for systems is recommended. Standardized images shall represent hardened versions of the software installed on the system, and shall be updated whenever the security configuration changes.
IT Acquisition and Purchasing
- IT Acquisition and Purchasing: Purchases of IT hardware, software, and systems shall comply with OIT and University of Colorado Denver policy (no campus-level link; see CU System APS 6005, Section 3, II. Policy Statement, Part D).
- Standards for promoting security controls in Contracts, RFPs, and other service arrangements - The purpose of this document is to provide guidelines for ensuring adequate security controls in the acquisition and renewal process of new products and services for the university.
- Continuity of Operations: Sustainable and secure operational continuity needs to be evaluated with these types of purchases.
- Inventory: Purchases of IT hardware, software, and systems shall be inventoried upon delivery into the systems established by CLAS.
Managed Hosts
- The System Administrator(s)/Lan Admin(s) must maintain contact information for all clients and users managing hosts on their network. Systems developed by CLAS should ensure that services can be accessed only by authorized users, and that files and resources are modified only according to the intent of their owners.
- Secure, encrypted authentication and communication such as SSH is required; the days of using clear-text protocols such as FTP or Telnet are over. Web servers that accept clear-text passwords over HTTP should migrate to SSL/TLS (current and strong encryption) in the very near future, and new development from the date of approval of this document forward is encouraged to use it.
- Public-facing hosts need to meet or exceed current University of Colorado Denver vulnerability and penetration testing standards.
- Host-based firewalls are encouraged. The System Administrator will try to offer various services to improve IT security including port, address and protocol filters, etc.
- External Network Connections: System Administrators will coordinate the establishment of all external network connections on Managed Hosts. As every external network connection is potentially an entry point for intruders, System Administrators must have access to documentation of all external network connections in their unit.
Unmanaged Hosts
- Unmanaged hosts are hosts that are not managed by CLAS, such as personal laptops, computers, mobile devices and other devices not listed as a Critical IT Resource. Where does the responsibility of the System Administrator for unmanaged hosts begin and end: at the wall plate or wireless access point?
- Host-based firewalls are encouraged. The System Administrator will try to offer various services to improve IT security including port, address and protocol filters, etc.
- The System Administrator has the responsibility to identify the user at a given address at any given time. In response to an incident, the System Administrator must be able to initiate disruption of service to the user and/or address. The System Administrator also has the responsibility to coordinate notification of the user and ensure that the incident is resolved. The user of the unmanaged host must comply with the University of Colorado Denver guidelines for Information Systems' Appropriate Use Policy (AUP), listed at: UC Denver Information Systems' Appropriate Use Policy (AUP).
Authentication, Authorization and Audits
- When technically possible, an audit trail must be implemented to track any device connected to the CLAS network and the associated users. The System Administrator should have access to records of the hardware address, the host IP address, and the primary user for every IT resource in CLAS.
- When technically possible, if a device is public or accessed by multiple users, authentication and logging must be employed to identify users. There must be documented proof that the time stamps in the logs are synchronized with UTC.
- See Access Control (above).
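The audit-trail requirement above (hardware address, IP address and primary user for every device, with UTC-synchronized time stamps) and the Unmanaged Hosts duty to identify the user at a given address at a given time amount to joining DHCP lease records with authentication records on a common UTC timeline. The following is an added example, not CLAS or OIT tooling, that does that join over constructed log lines. It assumes ISC dhcpd style "DHCPACK on <ip> to <mac> (<host>)" lines and OpenSSH "Accepted <method> for <user> from <ip>" lines, each prefixed with an ISO 8601 time stamp carrying an explicit UTC offset; a line whose time stamp has no offset is rejected rather than guessed, which is one mechanical way of refusing logs whose relation to UTC is undocumented.

```python
"""Reconstruct who was at which address, and when, from DHCP and auth logs.

Added example, not CLAS/OIT tooling. Assumptions: ISC dhcpd DHCPACK lines,
OpenSSH "Accepted ... for <user> from <ip>" lines, ISO 8601 time stamps with
an explicit UTC offset. All sample lines below are constructed.
"""
import re
from dataclasses import dataclass, field
from datetime import datetime, timezone

DHCP_RE = re.compile(r"dhcpd: DHCPACK on (\S+) to ([0-9a-f:]{17}) \((\S+)\) via")
AUTH_RE = re.compile(r"sshd\[\d+\]: Accepted \S+ for (\S+) from (\S+) port")

# Constructed sample logs: one address, two leases, three login attempts.
DHCP_LINES = [
    "2017-03-01T14:02:10+00:00 dhcpd: DHCPACK on 10.20.30.41 to 3c:52:82:aa:bb:01 (lab-pc-07) via eth1",
    "2017-03-01T15:30:00+00:00 dhcpd: DHCPACK on 10.20.30.41 to 3c:52:82:aa:bb:02 (visitor-laptop) via eth1",
]
AUTH_LINES = [
    "2017-03-01T14:05:33+00:00 sshd[2211]: Accepted publickey for jdoe from 10.20.30.41 port 50212 ssh2",
    # Logged in Mountain time with its offset: 09:05:33-07:00 is 16:05:33 UTC.
    "2017-03-01T09:05:33-07:00 sshd[2298]: Accepted password for asmith from 10.20.30.41 port 50301 ssh2",
    # No offset at all: it cannot be placed on the UTC timeline, so it is rejected.
    "2017-03-01T16:20:01 sshd[2300]: Accepted publickey for nobody from 10.20.30.41 port 50400 ssh2",
]


@dataclass
class Lease:
    start: datetime          # lease start, normalized to UTC
    ip: str
    mac: str
    host: str
    users: set = field(default_factory=set)  # users who authenticated during this lease


def parse_utc(token):
    """Return an aware UTC datetime, or None if the token is not ISO 8601 with an offset."""
    try:
        ts = datetime.fromisoformat(token)
    except ValueError:
        return None
    if ts.tzinfo is None:
        return None                      # no offset: refuse to guess
    return ts.astimezone(timezone.utc)


def lease_at(leases, ip, when):
    """Lease current for ip at `when`: the latest lease that started at or before it."""
    current = None
    for lease in leases.get(ip, []):     # lists are kept sorted by start
        if lease.start <= when:
            current = lease
        else:
            break
    return current


def build_trail(dhcp_lines, auth_lines):
    """Return ({ip: [Lease, ...]}, [rejected lines]) from the two log sources."""
    leases, rejected = {}, []
    for line in dhcp_lines:
        token, _, rest = line.partition(" ")
        ts, m = parse_utc(token), DHCP_RE.search(rest)
        if ts is None or not m:
            rejected.append(line)
            continue
        ip, mac, host = m.groups()
        leases.setdefault(ip, []).append(Lease(ts, ip, mac, host))
    for ip in leases:
        leases[ip].sort(key=lambda lease: lease.start)
    for line in auth_lines:
        token, _, rest = line.partition(" ")
        ts, m = parse_utc(token), AUTH_RE.search(rest)
        if ts is None or not m:
            rejected.append(line)
            continue
        user, ip = m.groups()
        lease = lease_at(leases, ip, ts)
        if lease is None:
            rejected.append(line)        # login from an address with no known lease
            continue
        lease.users.add(user)
    return leases, rejected


def who_had_address(leases, ip, when):
    """Return (mac, host, sorted users) for ip at `when`, or None if no lease covers it."""
    lease = lease_at(leases, ip, when)
    if lease is None:
        return None
    return lease.mac, lease.host, sorted(lease.users)


if __name__ == "__main__":
    trail, bad = build_trail(DHCP_LINES, AUTH_LINES)
    for query in ("2017-03-01T14:30:00+00:00", "2017-03-01T16:10:00+00:00"):
        print(query, "->", who_had_address(trail, "10.20.30.41", parse_utc(query)))
    print("rejected lines:", len(bad))
```

For the constructed logs the address resolves to lab-pc-07 (MAC ...:01) with user jdoe at 14:30 UTC and to visitor-laptop (MAC ...:02) with user asmith at 16:10 UTC, because the -07:00 login is converted to 16:05:33 UTC before it is matched against leases. The line without an offset is reported as rejected, which is the kind of evidence a reviewer asking for "documented proof" of UTC synchronization would expect to see surfaced rather than silently absorbed.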
Risk Assessment
- The System Administrator(s) and Lan Admin(s) will develop Business Continuity Plans based on Business Impact Analysis.
- The System Administrator(s) and Lan Admin(s) will conduct a comprehensive risk analysis of security threats to IT resources for CLAS on a regular, periodic schedule.
- Risk analysis may include port scans, vulnerability scans, policy compliance, best practices compliance, network management surveys, on-site audits and other procedures as needed to thoroughly assess risk. System Administrators and/or Lan Admin(s) will be notified of scans of their network. Efforts will be made to notify them prior to the scan as circumstances allow. It is a violation of this policy to knowingly and intentionally subvert risk assessment. Based on the risk analysis results, the System Administrator(s) and Lan Admin(s) must ensure that measures are taken to address security weaknesses. Filter notification will follow the procedures outlined in the Filter Notification section above.
Training and Security Awareness
- ITAG must ensure that all users within CLAS are aware of, have access to, and comply with the University of Colorado Denver IT policy, standards and training.
- ITAG should help to ensure that all people who maintain or manage IT resources within their unit are aware of, have access to, and comply with the University of Colorado Denver guidelines for Information Systems' Appropriate Use Policy (AUP), listed at: UC Denver Information Systems' Appropriate Use Policy (AUP).
- Regular email communications will be sent to faculty and staff, at a minimum of once an academic year, making them aware of current college IT policy and practices.
- CLAS Annual Security Email sent February 28, 2017
- Also see: University of Colorado Security Awareness and Training
Encryption tools
- Laptop/Desktop Encryption: The University of Colorado Denver requires all laptops and mobile devices containing PHI (Private Data) to be encrypted (see Encryption Software), and the System Administrator(s)/Lan Admin(s) must ensure that this policy is followed.
- Encrypted Email: The University of Colorado Denver provides encrypted email. Email between staff at the University of Colorado Denver (those with a @ucdenver.edu suffix) is automatically encrypted. If you need to encrypt email to someone outside the ucdenver system, add ENCRYPT, SAFEMAIL or SECURE to the subject line. More information can be found at the following link: SENDING ENCRYPTED EMAIL.
CLAS Physical Access Security Policy:
(Data management, document classifications, backups)
Introduction
Purpose
This policy defines the requirements for the protection of CLAS Information Technology data and computing devices from security threats. It helps prevent or reduce the risk of loss, theft, damage, unauthorized access, or manipulation of the college's logical and physical assets that would disrupt our teaching, research and other business activities.
Applicability
This policy applies to all departments, administrative units, computer labs, and affiliated organizations in CLAS that use information technology resources to create, store, access or manage computing equipment and data in performing their academic and business functions.
Policy Statement
Data and Application Security
- All users shall protect data that is created, processed, stored, transmitted, or discarded in a manner compliant with current OIT data classifications, and keep critical computing programs up to date.
- Data Inventory: All data including the data supported by custodians (system administrators) shall be documented, categorized and updated annually according to OIT data classification policy (Highly Confidential, Confidential, and Public information).
- Assigning Data Security Level: All data including the data managed by custodians shall be assigned to a security classification level according to the most sensitive content in the data.
- Protection of Highly Confidential Data: Highly confidential data shall not be stored on workstations or mobile computing devices and media, including but not limited to laptops, tablets, smartphones, flash drives, CDs, DVDs, etc., unless justified for business purposes and adequately secured by a strong system password and an encryption program.
- Business-Critical Programs: All departments, labs, and other business units shall categorize business-critical programs and document them.
- Data Sharing and Access: Data sharing and access permissions shall be granted on the principle of least privilege.
- Data Retention: Data owners shall provide data custodians (system administrators) with the data retention schedule and the legal requirements related to the data.
- Saving Highly Confidential Data on Workstations or Mobile Devices: Highly confidential data shall not be stored on a workstation or mobile computing device (laptop, smartphone, flash drive, backup disk, etc.) unless justified for business purposes and adequately secured by an encryption program.
- Media Handling and storage: Electronic storage media (e.g., CD-ROMs, memory sticks, disk drives, tapes, cartridges, etc.) shall be appropriately protected from loss and unauthorized access. Any media that is used to store highly confidential and confidential data shall be stored in a secure location where access is restricted to authorized personnel only.
- Screen Lock or Use of Screen Saver: Sensitive data shall not be kept in plain sight when not in use or when computers are left unattended. Lock the screen or set screen saver with password protection.
- Password and Encryption: Users must set up a secure system password according to OIT password policy and standards to protect data, and use the password-protected screen saver option, which activates when users are away from the computer for a prolonged period of time. A maximum timeout of 15 minutes is recommended. Contact the Office of Information Technology (OIT) help desk if the password is compromised.
- No Web Browser Passwords: Users who handle confidential and sensitive data and use critical programs shall not allow the Web browser to save their passwords.
- Data Protection for HIPAA, FERPA, Frequent Travelers: Users who have confidential and sensitive data in their mobile devices including but not limited to laptops, tablets, and smartphones shall protect contents of data using system password and encryption. Visit Encryption Software.
- Data Backup: All data, on servers, desktops, laptops, tablets and smartphones alike, shall be backed up on a regular basis using appropriate media and kept in a safe place. Backups of confidential and sensitive data shall not use USB flash drives, CDs or DVDs (further details shall be documented in the Disaster Recovery section).
- Cloud Storage Usage: Cloud storage shall not be used for data that is classified as confidential and sensitive information unless the vendor or service is approved by OIT. Cloud computing also needs an exit plan to prepare for disengaging from the service. See OIT Approved Applications and Cloud Services.
- Mobile Devices: Mobile devices are generally vulnerable to loss and theft. Users shall always use password and encryption, and avoid saving sensitive data on mobile equipment.
- Confidential and Sensitive Data Delivery: A wrong mail or email address can lead to the public exposure of confidential and sensitive data. Mail and email delivery of data shall include an “Unauthorized use notice” warning banner.
- Data Exchange Using Portable Storage Media: All confidential and sensitive data exchanged and transferred using removable storage media such as USB flash drives, diskettes, CD/DVD, tape, etc. shall be protected by password and encryption.
- Data Transport and Shipping: All data containing confidential and sensitive information to be transported and shipped to a destination outside the college shall be securely packaged.
- Business Critical Program Management: All business critical programs shall be managed with their information regarding license, vendor, technical support contact, etc.
- Separation of Business Critical Programs from Email/Web Browsing Devices: Most virus infections and malware come from email or Internet access. Computing devices containing highly confidential data and hosting critical programs shall be separated from devices used for email and Web browsing.
- Security Vulnerability Scanning: All public-facing, production web hosting systems and servers shall be scanned regularly (every 30 days or less) or when significant changes are made to the system or server. CLAS also recommends this for internal servers.
- Firewall: All firewall settings on campus workstations in the UCDENVER domain shall be set automatically by OIT policy. Personally owned computers that connect to our network shall be configured appropriately by the device owners. (The UCDENVER domain is the University of Colorado Denver network and the devices connected to it; computers and other devices connecting from campus go through this network.) "Configured appropriately by the device owners" means that the owners apply the same practices on personal equipment as they do on University of Colorado Denver equipment, for example keeping security patches up to date or encrypting hard drives when manipulating University of Colorado Denver data.
- Program Upgrades and Patches: All critical programs shall be upgraded and patched to the latest release, along with their operating system, to prevent or minimize data processing faults and security issues.
- Antivirus Program: Computing equipment shall have an antivirus program installed and updated with the latest patches. Antivirus programs are provided and updated by OIT for the Windows and Apple OS X operating systems. Linux systems are encouraged to use open source antivirus programs. CLAS employees are responsible for applying updates and patches on a regular basis. Users who connect their personal computers to our school network must install an antivirus program and update it with the latest patches on a regular basis. Additionally, in the absence of a BYOD (Bring Your Own Device) policy, CLAS cannot recommend policy for iOS, Android or other platforms at this time.
- Personal Equipment and Software: Personal equipment and software shall not be used to handle, or create, process, access and store CLAS confidential and sensitive information, unless it can meet the requirements of the sections 23, 24 and 25.
- Data Wiping and Disposal: All storage media containing confidential and sensitive information, including but not limited to hard drives, USB drives, and smartphones, shall be wiped and disposed of according to OIT policy and the related project rules and procedures.
- Awareness and Training: Training or Email notice about security policy, procedures and practices shall be provided to users on a regular basis.
- Use of the University Email: All CLAS students, faculty, and staff shall use their official university email account to conduct official university business. There are certain features of the University email, such as encryption, which make using the University system a better choice. An example of this, although an email may be spoofed, is to prevent spear phishing. I will probably respond to an email from a ucdenver.edu address, as I am fairly assured of its origin. As for Yahoo, Gmail, Hotmail etc., users do not have that confidence. There is also the issue of where the data is stored, and certain programs and grants restrict email to stateside data centers. Google does not do this, and thus users could be in violation of the guidelines and rules of their system or grant if using those services. Additionally, users need to be assured that encryption traverses the systems as email bounces from server to server, and this is usually outside the realm of average users. Further information can be found in APS 6002.
Physical and Environmental Security
All CLAS information and technology equipment should have appropriate physical and environmental security controls applied commensurate with the risk categorization level.
- Office Doors: All office doors shall remain locked after office hours or when offices are unattended.
- Servers and Data Center: Servers shall be kept in a data center or in a room separate from offices, with adequate cooling, UPS and fire-suppression systems. Access should be controlled with door keys or access control cards following the principle of least privilege. Refer to the OIT Data Center Policy.
- Workstations: Unauthorized access shall be controlled by an attendant, door key or cable lock.
- Laptops: Users shall not leave laptops unattended, to prevent unauthorized use and theft, and are recommended to set up a password-protected screen saver to protect data. When the office is unattended, its door shall remain locked. Physical cable locks are generally recommended if the laptop holds sensitive data.
- Disabling USB Ports and CD-ROM: All storage media in servers, desktops, laptops, and all other mobile devices, including but not limited to tablets, smartphones, and USB drives, shall be protected from loss and manipulation. Physical access limitation measures are required. For devices containing highly confidential data, disabling USB ports and other removable media access shall be considered.
- Remote Access to CLAS Systems: All remote users connecting to CLAS systems shall install operating system security patches and an antivirus program with its latest updates, follow CLAS security policy, rules and procedures, and use the current OIT VPN software.
- Supporting Utility Failure: All users shall be aware that failures of electric power, heating and air-conditioning systems, water, sewage, and other utilities can cause service interruption and may damage system hardware.
- Plumbing Leaks: Plumbing problems can disrupt service and endanger system hardware. The location of plumbing lines and their shutoff valves shall be identified.
- System Inventory: All equipment and software inventory shall be documented and updated annually or when significant changes occur.
- Awareness and Training: Security awareness training or email notices shall be provided to users on a regular basis.
Reporting Lost or Stolen Data and Devices
Data and device owners or managers who handle confidential and sensitive information shall report lost or stolen data and devices to the Dean's Office and OIT.
Labs
The Physical Security policy above covers CLAS-managed student labs. Since function and purpose vary from lab to lab, CLAS ITAG is developing a general lab policy, with additional policies (for example, for the FAST_Lab) being developed for the differing needs of individual labs.
More about CLAS Labs can be found here: Lab Information, Policies, Resources and Locations
Data Backups, Classifications & Impacts
Personal Backups:
CLAS IT highly recommends having a personal data backup plan and familiarizing yourself with the policies governing data storage. At the University of Colorado Denver, faculty, staff and students have 1 TB of OneDrive for Business storage, which can be used to store public, confidential, highly confidential and ePHI data (see below for more information).
- OneDrive for Business information - http://www.ucdenver.edu/about/departments/WebServices/Email/Cloud/Pages/OneDrive.aspx
- OneDrive for Business HIPAA compliance statement - https://www1.ucdenver.edu/docs/default-source/offices-oit-documents/how-to-documents/onedrive-staying-secure.pdf?sfvrsn=668bb7b8_4
- OneDrive-restrictions and limitations when you sync files and folders
Offsite IT Recovery
This area needs further exploration and information gathering by CLAS. The goal is to establish a warm site on the Anschutz campus.
(directly from: Data Classifications & Impact)
Data Classifications
Initial baseline classification of data elements is shown below. The exact data elements in each category will be based upon the decision made by the data and business process owners. Payment Card Industry Data (PCI) should be handled according to CLAS Payment Card Industry (PCI) Policy.
HIGHLY CONFIDENTIAL INFORMATION:
This category includes data elements that require protection under laws, regulations, contracts, relevant legal agreements and/or require the institution to provide notification of unauthorized disclosure/security incidents to affected individuals, government agencies or media.
This information is only for the "eyes of the authorized individuals" in any form, including paper or electronic. This information is prohibited from being (1) transmitted or stored without encryption, or (2) handled on networks or systems without appropriate firewall, monitoring, logging, patching, anti-malware and related security controls.
A documented data retention policy is required for handling Highly Confidential information.
Users should contact their IT Security office to ensure protection of the data if compensating controls are used in place of the above-mentioned controls.
The following are the examples of common data types under the “Highly Confidential” information category:
- Protected health information
- Social security numbers
- Payment card numbers
- Financial account numbers: including university account numbers, student account numbers, and faculty and staff direct deposit account numbers
- Driver's license numbers
- Health insurance policy ID numbers
- Levels 4 and 5 of Student Data (SSN, NID, Financial Aid (except work study), loan and bank account numbers, health information, disability, race, ethnicity, citizenship, legal presence, visas, religion)
CONFIDENTIAL INFORMATION:
This category includes data elements that are not usually disclosed to the public but are less sensitive than Highly Confidential data. If a legally valid and applicable Colorado Open Records Act (CORA) request is submitted, these records may be released. This information is protected by (1) ensuring authenticated access on a need-to-know basis, (2) not using any electronic media or services (email, file shares, etc.) other than those provided or approved by the institution to transmit or store the data, and (3) storing it on machines with the latest antivirus and security updates installed that reside on networks with appropriate security controls in place (firewalls, monitoring, logging).
The following are the examples of common data elements under the confidential information category:
- Faculty and staff personnel records, benefits, salaries, and employment applications
- Admission applications
- University insurance records
- Donor contact information and non-public gift amounts
- Fundraising information
- Non-public policies
- Internal memos and email, and non-public reports
- Purchase requisitions, cash records, budgetary plans
- Non-public contracts
- University and employee ID numbers
- Levels 2 and 3 of Student Data (military status, veteran's status, GPA, probation, suspension, COF, service indicators, all non-directory data not listed, work study information, gender, birth date, dorm, emergency info, student ID, UUID, residency)
PUBLIC INFORMATION:
- Any information on University websites to which the data owner allows access without authentication
- Information made freely available through the institution print material
- Directory information
Impact
The impact levels are defined as HIGH, MODERATE, and LOW.
The University of Colorado uses the following as guides for defining impact:
- Financial – direct or indirect monetary costs to the institution where liability must be transferred to an organization external to the campus because the institution is unable to incur the assessed high end of the cost for the risk; this would include, for example, use of an insurance carrier
- Reputation – when the impact results in negative press coverage and/or major political pressure on the institutional reputation on a national or international scale
- Safety – when the impact places campus community members at imminent risk of injury
- Legal – when the impact results in significant legal and/or regulatory compliance action against the institution or business
HIGH
The potential impact is high if the loss of confidentiality, integrity, or availability could be expected to have a severe or catastrophic adverse effect on organizational operations, organizational assets, or individuals. A severe or catastrophic adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a severe degradation in or loss of mission capability to an extent and duration that the organization is not able to perform one or more of its primary functions; (2) result in major damage to organizational assets; (3) result in major financial loss; or (4) result in severe or catastrophic harm to individuals involving loss of life or serious life threatening injuries.
MODERATE
The potential impact is moderate if the loss of confidentiality, integrity, or availability could be expected to have a serious adverse effect on organizational operations, organizational assets, or individuals. A serious adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a significant degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is significantly reduced; (2) result in significant remediation cost to the university.
LOW
The potential impact is low if the loss of confidentiality, integrity, or availability could be expected to have a limited adverse effect on organizational operations, organizational assets, or individuals. A limited adverse effect means that, for example, the loss of confidentiality, integrity, or availability might: (1) cause a degradation in mission capability to an extent and duration that the organization is able to perform its primary functions, but the effectiveness of the functions is noticeably reduced; (2) result in minor damage to organizational assets; (3) result in minor financial loss; or (4) result in minor harm to individuals.
The definitions are provided only as guides and should not be considered without the context of the broader environment. When making impact determinations, it is important to realize that the value of an information type may change during its life cycle, so information subtypes may carry their own impact statements. For example, consider contracts as an information type. The subtypes could be Contracts-initial discussion, Contracts-finalized and Contracts-terminated, and these subtypes may have different impact levels for each security category.
CLAS Payment Card Industry (PCI) Policy:
(Data management in a PCI environment, special requirements and training)
Introduction
Purpose
This policy, in development and based on a template from the University of Colorado Denver, defines the requirements for the protection of CLAS PCI data and computing devices from security threats. It also provides information about business processes, internal controls and incident response.
Applicability
This policy applies to all departments, administrative units, computer labs, and affiliated organizations in CLAS that process PCI data to perform their academic and business functions.
Resources
Template
Template from the University of Colorado Denver - Treasury Card Security Policy Template
University of Colorado OIT Data Center Policy
University of Colorado Denver Data Centers' OIT Data Center Policy
Security Incident Response Planning
(Security Incident Response -- CLAS Business Continuity Framework)
Purpose
The purpose of this policy is to establish computer security incident response capabilities and to handle incidents efficiently and effectively. It provides guidelines for incident handling, especially for identifying and responding to each incident appropriately.
Applicability
This policy applies to all departments, administrative units, computer labs, and other affiliated business units in CLAS that use IT resources to perform their academic activities and business functions.
- CLAS will refer to and comply with the CU System Security Incident Response Procedure.
- CLAS will also refer to National Institute of Standards and Technology (NIST) Special Publication 800-61, Computer Security Incident Handling Guide.
All CLAS staff must immediately notify the CLAS Dean's Office, the CLAS System Administrator(s) and LAN Admin(s), and OIT of security incidents in their unit involving threats to other IT resources. System Administrators must immediately notify OIT of incidents involving copyright violations or unauthorized privileged access. Law enforcement should be notified of incidents involving threats to property or life, damages in excess of $10,000, pornography or terrorism. The System Administrator(s) and LAN Admin(s) should consult with the Dean and/or other CLAS administration to determine whether law enforcement should be notified. Other incidents should be reported according to the judgment of the CLAS Deans, System Administrator(s) and LAN Admin(s).
The System Administrators may coordinate with OIT to apply filters to block compromised services and/or hosts that present a definitive danger to the rest of the network. Filter notification will follow the procedures outlined in the Filter Notification section above.
Common Attack Vectors
The National Institute of Standards and Technology (NIST) notes that incidents can occur in countless ways and categorizes them by attack vector as follows:
- External/Removable Media: An attack executed from removable media (e.g., flash drive, CD) or a peripheral device.
- Attrition: An attack that employs brute force methods to compromise, degrade, or destroy systems, networks, or services.
- Web: An attack executed from a website or web-based application.
- Email: An attack executed via an email message or attachment.
- Improper Usage: Any incident resulting from violation of an organization’s acceptable usage policies by an authorized user, excluding the above categories.
- Loss or Theft of Equipment: The loss or theft of a computing device or media used by the organization, such as a laptop or smartphone.
- Other: An attack that does not fit into any of the other categories.
Events and Incidents
NIST defines events and incidents, and provides examples of incidents, as follows. An event is any observable occurrence in a system or network. Events include a user connecting to a file share, a server receiving a request for a web page, a user sending email, and a firewall blocking a connection attempt. Adverse events are events with a negative consequence, such as system crashes, packet floods, unauthorized use of system privileges, unauthorized access to sensitive data, and execution of malware that destroys data. A computer security incident is a violation or imminent threat of violation of computer security policies, acceptable use policies, or standard security practices.
Examples of incidents are:
- An attacker commands a botnet to send high volumes of connection requests to a web server, causing it to crash.
- Users are tricked into opening a “quarterly report” sent via email that is actually malware; running the tool has infected their computers and established connections with an external host.
- An attacker obtains sensitive data and threatens that the details will be released publicly if the organization does not pay a designated sum of money.
- A user provides or exposes sensitive information to others through peer-to-peer file sharing services.
Signs of an Incident
According to NIST, signs of an incident fall into one of two categories: precursors and indicators. A precursor is a sign that an incident may occur in the future. An indicator is a sign that an incident may have occurred or may be occurring now.
Examples of precursors are:
- Web server log entries that show the usage of a vulnerability scanner.
- An announcement of a new exploit that targets a vulnerability of the organization’s mail server.
- A threat from a group stating that the group will attack the organization.
While precursors are relatively rare, indicators are all too common. Some examples are:
- A network intrusion detection sensor alerts when a buffer overflow attempt occurs against a database server.
- Antivirus software alerts when it detects that a host is infected with malware.
- A system administrator sees a filename with unusual characters.
- A host records an auditing configuration change in its log.
- An application logs multiple failed login attempts from an unfamiliar remote system.
- An email administrator sees a large number of bounced emails with suspicious content.
- A network administrator notices an unusual deviation from typical network traffic flows.
Sources Identifying Precursors and Indicators
According to NIST, many different sources can identify precursors and indicators: network traffic monitoring tools such as intrusion detection and prevention systems (IDPSs) and security information and event management (SIEM) systems; antivirus and antispam software; file integrity checking software; operating system, service and application logs; and people, such as users, system administrators and others within the organization, who may report signs of incidents. At the college level we have very limited resources, in personnel and their expertise, equipment, and software, to prevent, detect, analyze, and recover from computer security intrusions. We need to work closely with the Office of Information Technology (OIT) Security Team.
Incident-Related Data Elements
When serious incidents happen to CLAS systems, we should gather information about the attack and preserve forensic evidence. According to NIST, the basic elements to collect when an incident occurs are as follows:
Contact Information for the Incident Reporter
- Name
- Role
- Organizational unit (e.g., department) and affiliation
- Email address
- Phone number
- Location (e.g., mailing address, office room number)
Incident Details
- Status change dates/timestamps (including time zone): when the incident started, when the incident was discovered/detected, when the incident was reported, when the incident was resolved/ended, etc.
- Physical location of the incident
- Current status of the incident (e.g., ongoing attack)
- Source/cause of the incident (if known), including hostname and IP address
- Description of affected resources (e.g., networks, hosts, applications, data), including systems’ hostnames, IP addresses, and function
- If known, incident category, vectors of attack associated with the incident, and indicators related to the incident (traffic patterns, registry keys, etc.)
- Prioritization factors (functional impact, information impact, recoverability, etc.)
- Mitigating factors (e.g., stolen laptop containing sensitive data was using full disk encryption)
- Response actions performed (e.g., shut off host, disconnected host from network)
- Other organizations contacted (e.g., software vendor)
General Comments
Incident Reporting
- If you think that a workstation or server has been compromised, do not perform any further actions on the system in question, such as turning the system off or removing it from the network. This could result in the contamination or deletion of forensic evidence.
- Contact the IT Security Operations Group through the IT Services Help Desk at 303-724-HELP and report the incident.
- Inform your supervisor or system administrator in CLAS of the situation, and document what you observed (see the incident-related data elements above). This information will be helpful to the IT Security Operations Group during their investigation.
Incidents involving Law Enforcement
Network hardware, software or data may be considered evidence, and care must be taken to preserve it. Follow instructions from law enforcement on preserving evidence. A public records request, subpoena, search warrant or other official request must be issued before data is released to law enforcement. The CLAS Dean should be notified of incidents involving law enforcement.
Incidents not involving Law Enforcement
Compromised hosts should be backed up. They must be assessed completely and, when appropriate, removed from the network immediately. Compromised hosts must be reformatted, rebuilt, remediated and patched before being reconnected to the network.
Virus Protection
A number of strategies and technologies can be used to protect against computer viruses and worms. Because some of these technologies rely on characteristics of known viruses, it is the responsibility of CLAS staff to keep protection up to date on the technologies they manage. Virus protection should take a comprehensive approach covering file and print servers; email, web, and news servers; and workstations. CLAS staff are responsible for virus protection on their desktop and laptop computers and other network devices; virus protection software is available from OIT at (add link(s)). System Administrators and software developers are encouraged to build virus protection into applications and to automate virus protection on critical IT devices.
Software Installations
The System Administrator(s) and LAN Admin(s) have the responsibility to request the removal of software that does not comply with licensing agreements, copyright law and CLAS security policy, but it is the responsibility of the user to comply with licensing agreements and copyright law as defined in the General Rules section of this document.
Disaster Recovery and Business Continuity
CLAS maintains a sister document to this security policy, the CLAS Business Continuity Plan. There must be written plans detailing procedures for various disaster scenarios, both natural and man-made. To guard against disaster, critical IT resources must be protected against loss or corruption by appropriate backup procedures and mirrored offsite. User computers (desktops, laptops and other devices) need appropriate backup strategies, which need to be on file with the System Administrator.
Enforcement
The CLAS Dean empowered committee members with sufficient authority to direct practices and ensure aligned behavior among college organizations through communication of policy via the college website as policy is developed (CLAS IT Governance Meeting, October 10, 2016).
CLAS and the University of Colorado Denver may suspend, block or restrict access to CLAS resources for CLAS staff and/or units, independent of the disciplinary procedures below, when it reasonably appears necessary to do so in order to protect the integrity, security, or functionality of CLAS or other University of Colorado Denver IT resources or to protect the university from liability.
Violations will be handled through the university disciplinary procedures applicable to the relevant unit or employee.
CLAS and the University of Colorado Denver may also refer suspected violations of applicable law to appropriate law enforcement agencies.
Questions Regarding This Policy
The Dean of the College of Liberal Arts and Sciences (CLAS) is responsible for this policy. The Dean or designee must approve any exception to this policy or related procedures. Questions shall be directed to the Associate Dean of the College of Liberal Arts and Sciences (CLAS).