ECRC Privacy and Security Subcommittee, DTC and TIF-S Recommendations for Five Central Security Program Initiatives
Academic year: 2021
ECRC Subcommittee Web Application Vulnerability Scanning

DTC (6/1/0)

TIF (23/3/0)

All campus unit Web applications hosting data protected by law and/or policy will be subject to Web application vulnerability scanning. Web sites hosting information for which unauthorized alteration could damage university reputation, present life/safety risks or increase university liability are also required to be subject to Web vulnerability scans. The security program will acquire/support effective Web application vulnerability scanning systems. There will be no campus unit use charge for accessing Web application vulnerability scanning systems.

The security program will provide use specifications for dynamic application versus application code vulnerability scanning. If an application test or development environment is required to conduct scanning, the campus unit hosting the Web content is responsible for working with central security staff to conduct the scan(s). Units will provide developers to assist in Web application vulnerability scanning. ITPS resources, if needed by the campus unit, will be available to assist in scanning and/or configuring a virtualized test environment for scans. Campus unit application owners are responsible for timely vulnerability mitigation.

The campus central security program will offer training and guidance for use of Web application vulnerability scanning tools. The central security program will also offer instruction for secure coding for Web applications to campus Web developers.

The central security program should evaluate the cost/benefit of Web application firewalls as an additional privacy and security protection for Web applications and Web sites.

DTC members endorsed the recommendations from TIF, as outlined below, and ranked Web application vulnerability scanning the #1 central IT security measure. Highlights from the discussion:

- Clarify/prioritize which Web apps fall under the scope of this recommendation, e.g., anything with data restricted by policy (PII, FERPA, etc.), public-facing applications/systems, etc.
- Set up a pilot or proof-of-concept project to assess whether the current Web app vulnerability scanning tool/policy can be successful if applied broadly.
- Ensure sufficient staff resources (e.g., Omen's time) are allocated in support of the scanning service.
- Offer training to departments, including on how to interpret scanning results and remediation measures.
- Change "cost sharing" to "effort sharing" between IET and campus departments.
- Revise the third bullet in TIF's recommendation to read "IET is requested to maintain the expertise to assist units with vulnerability evaluation of Web applications."

TIF recommendations:

o Continue providing a Web application vulnerability scanning service.
o In consultation with the campus technical community, outline the minimum requirements for the environment in which Web application development work is done (i.e. separate test and production environments, secure coding practices, source code vulnerability scanning, etc.).
o Maintain the expertise to assist units with final vulnerability evaluation of any Web application before the application becomes "live".
o Use the team of Web Application Scanning Experts to assist campus Web developers with:
  - Setting up an environment for secure Web application development
  - Training on coding practices and tools for scanning source and completed Web applications
  - Scanning and assistance with remediation of Web vulnerabilities discovered through the scanning and other processes; remediation remains the responsibility of the unit.
o Code scanning must complement static scanners, with trained staff to provide the code scanning service.

Costs associated with these services are borne jointly by IET and campus units developing Web applications.


Personal Identity Information Scanning

DTC (6/0/0)

TIF (23/1/2)

University owned data with content protected by law and/or policy, whether residing on university-owned or personally owned computers, must be protected from unauthorized access. Computers with restricted university data will be scanned and such information protected from unauthorized access. Where scanning is not possible or restricted data must reside on the computer, whole disk encryption will be installed on the university-owned or personally owned computer. The initial priority for PII scanning and PII data protection will be university owned computers.

The security program will initiate a campus information awareness campaign regarding PII protection.

The central security program will work with the campus technical community to identify those areas of high risk (including faculty administered systems) that have not completed recent scanning and assist with PII scanning and remediation. Units must scan computing systems with a higher risk of PII storage (e.g., computers used for personnel administration) annually to ensure PII is protected from unauthorized access. As appropriate, whole disk encryption may be used to mitigate risks where PII data retention on portable devices is required.

The central security program will provide assistance to perform PII scanning in FY12-13. Thereafter, PII scanning assistance will be performed by unit staff or conducted by ITPS staff on a recharge basis for units.

DTC members unanimously endorsed the recommendations from TIF, as outlined below, and ranked personal identity information scanning the #2 central IT security measure. Highlights from the discussion:

- Why are there still so many sources of PII data across campus? IET should work with system owners to remove the PII data.
- Which devices should be scanned for PII (e.g., it's impossible to scan personal devices every time they connect to the campus network)? Broad agreement that all university-owned devices should be scanned for PII.

Question to the ECRC P&S Subcommittee: Does university owned data on personal devices represent a risk that must be controlled?

TIF recommendations:

o Work with the campus technical community to identify those areas of high risk (including faculty administered systems) that have not completed recent scanning and assist with PII scanning and remediation. IET will perform this campus-wide high-risk clean-up once, and then maintain the expertise to assist (with charge-back) those units that continue to struggle with performing their own scanning and remediation regularly.
o Expand on the existing information campaign to the general campus to enlighten faculty/students/staff of what PII is, and the dangers of storing it. The campaign should follow the general effort currently underway to improve the campus community's awareness of smartphone security.
o If campus risk managers and the campus technical community determine that the steps outlined above still leave an unacceptable exposure for the campus, a more restrictive policy, potentially including exclusion of systems from network access, should be explored.
o The required scanning and remediation
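As an added example (not part of this document and not the campus scanning tool), the following Python sketch shows what a PII scan over a unit's files actually does and why the DTC asked for training on interpreting results: raw pattern matches are validated (the Social Security Administration's structural rules for SSNs, the Luhn check for card numbers) and graded, so that a bare nine-digit number in a notes file is not treated like a formatted SSN in a payroll export. The sample file contents, patterns and confidence rules are assumptions of the example.

```python
"""PII scanner sketch: an added example, not part of the ECRC/TIF document and
not the campus scanning tool. It shows what a "PII scan" finds and why results
need interpretation before remediation; every pattern, validation rule and
sample file below is an assumption of this example."""
import re

# Loose candidate patterns; the validators below remove most false positives.
SSN_RE = re.compile(r"\b(\d{3})([- ]?)(\d{2})[- ]?(\d{4})\b")
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,15}\b")  # 13-16 digits, optional separators


def ssn_structurally_valid(area: str, group: str, serial: str) -> bool:
    """SSA issuance rules: area never 000, 666 or 900-999; group never 00;
    serial never 0000. A structural check only, not proof the number is real."""
    a, g, s = int(area), int(group), int(serial)
    return a not in (0, 666) and a < 900 and g != 0 and s != 0


def luhn_ok(digits: str) -> bool:
    """Luhn mod-10 check used by payment card numbers."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:                      # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def scan_text(text: str) -> list:
    """Return findings as dicts: kind, matched text, and a confidence label."""
    findings = []
    for m in SSN_RE.finditer(text):
        area, sep, group, serial = m.groups()
        if ssn_structurally_valid(area, group, serial):
            # A bare 9-digit run is often a ticket or ID number; grade it lower.
            conf = "high" if sep else "low"
            findings.append({"kind": "SSN", "match": m.group(0), "confidence": conf})
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append({"kind": "CARD", "match": m.group(0), "confidence": "high"})
    return findings


def scan_files(files: dict) -> dict:
    """Scan {path: content} and keep only the paths with at least one finding."""
    results = {}
    for path, content in files.items():
        found = scan_text(content)
        if found:
            results[path] = found
    return results


def remediation_queue(results: dict) -> list:
    """Paths the unit owner must act on first: any high-confidence finding."""
    return sorted(p for p, f in results.items()
                  if any(x["confidence"] == "high" for x in f))


# Constructed sample "files" (not real data). The card number is the widely used
# Visa test number, which passes Luhn; the fixtures file holds invalid values.
SAMPLE_FILES = {
    "hr/payroll_export.csv": "name,ssn\nJ. Doe,123-45-6789\n",
    "dev/fixtures.json": '{"ssn": "000-12-3456", "card": "1234 5678 9012 3456"}',
    "web/logs/access.log": "GET /order?card=4111111111111111 HTTP/1.1\n",
    "misc/notes.txt": "ticket 123456789, call 530-752-1000",
}

if __name__ == "__main__":
    res = scan_files(SAMPLE_FILES)
    for path, found in res.items():
        for f in found:
            print(f"{path}: {f['kind']} {f['match']} ({f['confidence']})")
    print("remediate first:", remediation_queue(res))
```

Run as a script it lists three findings (the payroll SSN, the card number in the web log, and a low-confidence bare nine-digit number in the notes file) and leaves the test fixtures out, because their values fail validation. The low-confidence finding is the case the training request is about: it needs a human to decide whether it is PII before anyone encrypts or deletes anything.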


Campus Vulnerability Scanning

DTC (5/0/0)

TIF (26/0/0)

All campus unit VLANs will be subject to centrally administered vulnerability scanning conducted over the network. Campus units are responsible for responding to scanning system alerts/warnings. Units must provide staff to respond to alerts/warnings or engage ITPS recharge assistance for such support.

The central security program will assist campus units to configure unit VLAN firewalls to support daily network vulnerability scans.

The campus Computer Vulnerability Scanning Policy, PPM310-021, will be updated to include a provision for senior administrators to exempt a VLAN under their purview from network vulnerability scans. Such exemptions will be reviewed by the campus IT Security Coordinator. If this review indicates the exemption may present excessive university risk, the exemption will be forwarded to the ECRC Privacy and Security Subcommittee for evaluation. The subcommittee may raise exemption approval to the ECRC.

DTC members endorsed the recommendation from TIF, as outlined below, and ranked campus vulnerability scanning the #4 central IT security measure.

TIF recommendations:

o Identify campus unit VLAN firewalls that are blocking participation in Secalert. Once identified, IET will work with each campus unit to determine any technical/business justification for non-participation. IET will provide technical assistance to those units that need help unblocking Secalert scans. Justification for Secalert bypass must be approved by the campus unit senior administrator in consultation with the campus IT Security Coordinator. Justification will be filed with the campus IT Security Coordinator and reviewed on an annual basis.
o Revise campus policy 310-021, Campus Vulnerability Scanning Policy, to reflect the policy change for bypass approval.


VLAN Firewalls

DTC (5/0/0)

TIF (26/0/0)

The campus technical community, in consultation with IET, will identify those VLANs that currently have no VLAN firewall or a poorly supported VLAN firewall. VLAN administrators are required to install and maintain effective ingress and egress rules on VLAN firewalls per campus policy. The security program will identify solutions for improperly firewalled VLANs (including hardware, software, maintenance, policy management, etc.). The security program will consult with campus VLAN firewall administrators to implement a VLAN firewall and, where needed, provide one-time VLAN firewall hardware subsidization. On-going costs of VLAN firewall support are the responsibility of campus units.

If the campus unit VLAN administrator is unable to comply with campus CyberSafety requirements for use of VLAN firewalls, the security program will work with the unit administrators (i.e. MSO, Chair) to understand the firewall requirements and the long-term costs. If all other measures fail to bring the VLAN into CyberSafety compliance, the central security program will implement a VLAN firewall with a standard ruleset on behalf of the unit. The installation expense will be covered by the security program; however, on-going firewall maintenance will be recharged to the campus unit (up to $700 per month). Campus units without VLAN firewalls, or approved exceptions, will be subject to disconnection from the campus network.

DTC members unanimously endorsed the recommendations from TIF, as outlined below, and ranked VLAN firewalls the #3 central IT security measure.

- No ingress/egress traffic should be permitted to campus unit VLANs without a VLAN firewall.

TIF recommendations:

o The campus technical community, in consultation with IET, should work to identify those VLANs that currently either have no firewall or have a poorly supported firewall. VLAN administrators are required to install and maintain ingress and egress VLAN firewalls as part of CyberSafety policy.
o Identify solutions for these improperly firewalled VLANs (including hardware, software, maintenance, rules management, etc.).
o Consult with the VLAN firewall administrators and share the one-time cost of implementing proper firewall solutions with the affected campus unit. On-going costs of VLAN maintenance and programming will be borne by the affected campus unit. If the VLAN administrator is unable to comply with CyberSafety requirements, IET will work with the Unit Administrators (i.e. MSO, Chair) on understanding the requirements and the long-term costs. If all other measures fail to bring the VLAN into CyberSafety compliance, IET is authorized to implement a VLAN firewall with a standard ruleset without the unit's permission (at campus expense), and start charging the VLAN owner for on-going firewall maintenance. The time-frame between initial contact with the unit and forced compliance should be set (90 days was suggested).
o In consultation with the campus technical community, continue to explore more robust, central firewall solutions. As the costs of these solutions decrease to make them an affordable replacement for the current VLAN-by-VLAN firewall solutions, IET is requested to pilot a solution both within IET and with at least three campus units to determine the feasibility of more central firewall deployment and management. Any solution must include the ability for local firewall administrators to make immediate changes to firewall rules to respond to the immediate needs of their local environment.


System Integrity Monitoring

DTC (6/0/0)

TIF (25/1/0)

A centrally managed Security Information and Event Management (SIEM) system will greatly enhance the campus capability to provide real-time security analysis and alerts and to take preventive action in response to malicious activity and/or attacks on campus network, computers or data. These alerts will reduce campus incident exposure to privacy/security breaches. The subcommittee acknowledges that units participating in a centrally managed SIEM solution will meet the Cyber-safety audit log security requirements defining log use, inspection, analysis and retention.

In consultation with the campus technical community, requirements for a SIEM system will be developed and released for acquisition in FY12-13. The initial priority for SIEM deployment will be for log management within IET systems with subsequent expansion to campus unit logging systems in FY13-14.

Tripwire will continue to be licensed for campus unit use.

DTC members unanimously endorsed the recommendation from TIF, as outlined below, and ranked system integrity monitoring the #4 central IT security measure.

TIF recommendations:

o In consultation with the campus technical community, evaluate Security Information and Event Management (SIEM) systems. If a system is chosen for campus use, it should integrate with flow data from the campus network routers, collect and analyze syslog files from IET and campus unit servers, and send alerts to interested parties when automated analysis determines a potential threat.
o Work with the ECRC P&S Subcommittee to determine if unit use of the chosen SIEM system satisfies the unit's "log file monitoring" Cyber-safety requirement.
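As an added example that is not part of this document or of any campus SIEM product, the Python below shows the kind of automated analysis the TIF recommendation describes for collected syslog: it parses sshd authentication lines, raises a medium alert when one source address fails repeatedly within a short window, and raises a high alert if that same source later logs in successfully, which is the case a unit would want to hear about immediately. The log format, thresholds, the year assumed for syslog timestamps, and the addresses in the constructed sample are all assumptions of the example.

```python
"""Added example, not part of the ECRC/TIF document and not any campus SIEM:
one correlation a SIEM would run over collected syslog, shown end to end on
constructed log lines. Log format, thresholds, the assumed year and the
sample addresses are assumptions of this example."""
import re
from collections import defaultdict, deque
from datetime import datetime

# OpenSSH auth lines as delivered by syslog (the classic timestamp carries no year).
LOG_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) (?P<host>\S+) sshd\[\d+\]: "
    r"(?P<event>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>\d{1,3}(?:\.\d{1,3}){3})"
)
ASSUMED_YEAR = 2012  # assumption: the collector knows the year the lines arrived in


def parse(line: str):
    """Return a dict for sshd password-auth events, None for every other line."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.strptime(f"{ASSUMED_YEAR} {ev['ts']}", "%Y %b %d %H:%M:%S")
    return ev


def detect(lines, threshold=5, window_s=60, correlate_s=3600):
    """Two rules over a stream of log lines:
    1. at least `threshold` failed logins from one source within `window_s`
       seconds -> medium alert (fires once per source);
    2. an accepted login from a source flagged by rule 1 within `correlate_s`
       seconds -> high alert.
    Alerts are returned as dicts; a SIEM would forward them to the unit."""
    recent_failures = defaultdict(deque)   # src -> failure timestamps inside the window
    flagged_at = {}                        # src -> time rule 1 fired
    alerts = []
    for line in lines:
        ev = parse(line)
        if ev is None:
            continue
        src, ts = ev["src"], ev["ts"]
        if ev["event"] == "Failed":
            q = recent_failures[src]
            q.append(ts)
            while q and (ts - q[0]).total_seconds() > window_s:
                q.popleft()                # drop failures older than the window
            if len(q) >= threshold and src not in flagged_at:
                flagged_at[src] = ts
                alerts.append({"severity": "medium", "rule": "ssh_bruteforce",
                               "host": ev["host"], "src": src, "count": len(q), "ts": ts})
        elif src in flagged_at and (ts - flagged_at[src]).total_seconds() <= correlate_s:
            alerts.append({"severity": "high", "rule": "bruteforce_then_success",
                           "host": ev["host"], "src": src, "user": ev["user"], "ts": ts})
    return alerts


def format_alert(a: dict) -> str:
    """One-line notification text for the interested party."""
    detail = f" user={a['user']}" if "user" in a else f" failures={a['count']}"
    return (f"[{a['severity'].upper()}] {a['rule']} host={a['host']} "
            f"src={a['src']}{detail} at {a['ts']:%b %d %H:%M:%S}")


# Constructed sample log (documentation address ranges, not real hosts): six
# failures from one source, then a success from it; one typo from another user.
SAMPLE_LOG = """\
Oct 12 03:14:01 web01 sshd[2211]: Failed password for invalid user admin from 203.0.113.7 port 51022 ssh2
Oct 12 03:14:03 web01 sshd[2213]: Failed password for invalid user oracle from 203.0.113.7 port 51024 ssh2
Oct 12 03:14:05 web01 sshd[2215]: Failed password for root from 203.0.113.7 port 51026 ssh2
Oct 12 03:14:06 web01 sshd[2217]: Failed password for root from 203.0.113.7 port 51028 ssh2
Oct 12 03:14:08 web01 sshd[2219]: Failed password for jdoe from 203.0.113.7 port 51030 ssh2
Oct 12 03:14:09 web01 sshd[2221]: Failed password for jdoe from 203.0.113.7 port 51032 ssh2
Oct 12 03:15:30 web01 sshd[2240]: Accepted password for jdoe from 203.0.113.7 port 51040 ssh2
Oct 12 03:20:11 web01 sshd[2301]: Failed password for asmith from 198.51.100.4 port 40110 ssh2
Oct 12 03:20:20 web01 sshd[2303]: Accepted password for asmith from 198.51.100.4 port 40112 ssh2
Oct 12 03:21:00 web01 cron[400]: (root) CMD (run-parts /etc/cron.hourly)
"""

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(format_alert(alert))
```

On the sample this produces exactly two alerts: the medium one at the fifth failure from 203.0.113.7 and the high one when jdoe's login from that address succeeds; the single failed attempt from 198.51.100.4 never reaches the threshold, and the cron line is ignored. The sliding window and the once-per-source flag are what keep a noisy scanner from generating one alert per line, which matters once campus unit servers are feeding the same collector.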


Individual Cost Estimates for Recommended Five Central Security Program Initiatives (new labor adjusted to start 10/2012)

Each row lists the security service (service upgrade) followed by its estimated costs in the order: One-time FY12-13 / Ongoing FY12-13 / One-time FY13-14 / Ongoing FY13-14. The service descriptions in the cost table repeat the recommendation text given above for each initiative.

Network and Host Vulnerability Scanning (Campus Vulnerability Scanning, above): $0 / $0 / $0 / $0

System Integrity Monitoring and Reporting (SIEM, above): (amounts missing from the source text)

Web Application Vulnerability Scanning: $146,188 / $12,500 / $0 / $29,875

Network Traffic Control In/Out of unit VLANs (Campus Unit VLAN Firewall Management): (amounts missing from the source text)

Personal Identity Information (PII) Scanning: $303,250 / $5,000 / $0 / $110,790. PII scanning and whole disk encryption software will be acquired/supported by the central security program.

Total for Five Initiatives: $867,250 / $42,500 / $201,790 / $277,455

Base Security Program: $0 / $1,354,898 / $0 / $1,387,970
