Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)

N/A
N/A
Protected

Academic year: 2021

Share "Summary of Technical Information Security for Information Systems and Services Managed by NUIT (Newcastle University IT Service)"

Copied!
5
0
0

Loading.... (view fulltext now)

Full text

(1)

Page 1 of 5

v1.5 / July 2014

Introduction

This document provides a summary of technical information security controls operated by Newcastle University’s IT Service (NUIT). These information security controls apply to all NUIT managed systems and services.

1. Information security policy

Operation of all NUIT managed systems and services is governed through Newcastle University’s Information Security Policy. This policy is available to download from:

http://www.ncl.ac.uk/itservice/policies

2. Information security training

All NUIT employees must attend and complete information security training that is delivered by the NUIT Information Security Team.

Information security training is delivered to the wider University community by the NUIT Information Security Team and is managed through the Staff Development Unit.

3. Information security guidance

NUIT regularly publishes and updates information security guidance on the University’s web site. This guidance is targeted at all members of the wider University community and is available to download from: http://www.ncl.ac.uk/itservice/security

4. Physical security

All NUIT managed information systems and services are located in the secure NUIT data centre. Access to the NUIT data centre is restricted to authorised personnel only. All access is logged through the electronic door entry system. Door access is controlled using ID cards that are unique to each member of NUIT. All visitors to NUIT are required to report to the NUIT Service Desk.

The data centre’s air temperature and humidity are controlled and monitored by an HVAC (Heating, Ventilation and Air Conditioning) system to prevent overheating of, and damage to, critical NUIT managed ICT equipment.


The NUIT data centre is alarmed and monitored by CCTV. The alarm and CCTV are connected to Newcastle University’s security office. The security office will immediately investigate suspicious activity upon detection. The security office has a radio link to Northumbria Police.

5. Servers

All NUIT managed servers are hardened in compliance with vendor recommendations. All servers are in receipt of the latest security updates. All Windows servers run antivirus software.

6. Workstations

All NUIT managed desktop PCs run Windows 7 and are hardened in compliance with Microsoft recommendations. All workstations run antivirus software and are in receipt of the latest security updates.

7. Laptops

All NUIT issued laptops are AES-256 encrypted using Microsoft BitLocker and are hardened in compliance with Microsoft recommendations. All laptops run antivirus software and are in receipt of the latest security updates.

NUIT recommend that the storage of sensitive and confidential data on laptops is risk assessed and authorised by the relevant manager such as the data owner.

8. Tablets

NUIT has produced guidance that shows users how they can secure and encrypt the most common types of tablet computer. This guidance is available to download from:

http://www.ncl.ac.uk/itservice/security/encryption/encryptionprocedures

NUIT recommend that the storage of sensitive and confidential data on tablets is risk assessed and authorised by the relevant manager such as the data owner.

9. Portable storage devices


NUIT recommend that the storage of sensitive and confidential data on portable storage devices is risk assessed and authorised by the relevant manager such as the data owner.

10. Email

All NUIT managed email is encrypted between the client and the server on the internal network. NUIT can provide software and documented procedures for sharing encrypted data by email with external parties.

NUIT recommend that the emailing of sensitive and confidential data is risk assessed and authorised by the relevant manager such as the data owner.

11. File System Access Control Lists (ACLs)

All NUIT managed servers, workstations and laptops run file systems that support ACLs.

12. User access control

All user access to NUIT managed information systems and services is controlled through Active Directory. All users are assigned a UID (User Identification) that is unique to them. Password complexity is enforced through group policies. Access to all data stored on the NUIT file-store is controlled using permissions.
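The "password complexity" that Group Policy enforces is a specific rule set, and it is worth seeing what it actually checks: a minimum length, at least three of five character classes, and no fragment of the user's account name or full name. The following is an added example, not NUIT's own tooling, that implements the Windows "Password must meet complexity requirements" rule so that a proposed password can be checked against it before it reaches the domain controller. The user "jsmith" / "John Smith" is hypothetical.

```python
import re

# Delimiters Windows uses when splitting the display name into tokens for the
# "password must not contain parts of the user's full name" test.
_NAME_DELIMITERS = re.compile(r"[,.\-_ #\t]+")


def _char_classes(password):
    """Return the set of character classes present in the password.

    The five classes mirror the Windows 'Password must meet complexity
    requirements' setting: upper case, lower case, base-10 digits,
    non-alphanumeric symbols, and alphabetic characters that have no case
    (for example CJK ideographs). Digits are limited to 0-9 as in the policy.
    """
    classes = set()
    for ch in password:
        if ch.isupper():
            classes.add("upper")
        elif ch.islower():
            classes.add("lower")
        elif "0" <= ch <= "9":
            classes.add("digit")
        elif ch.isalpha():
            classes.add("other_alpha")
        else:
            classes.add("non_alnum")
    return classes


def _name_tokens(account_name, full_name):
    """Name fragments the password must not contain (case-insensitive).

    The account name is checked whole; the full name is split on the
    delimiters above and each token of three or more characters is checked.
    Fragments shorter than three characters are ignored, as Windows does.
    """
    tokens = set()
    if len(account_name) >= 3:
        tokens.add(account_name.lower())
    for tok in _NAME_DELIMITERS.split(full_name):
        if len(tok) >= 3:
            tokens.add(tok.lower())
    return tokens


def complexity_violations(password, account_name, full_name="", min_length=6):
    """Return the reasons a password fails the policy; an empty list means it passes.

    min_length is a separate Group Policy setting ("Minimum password length");
    6 is the floor the complexity rule itself imposes.
    """
    reasons = []
    if len(password) < min_length:
        reasons.append(f"shorter than {min_length} characters")
    classes = _char_classes(password)
    if len(classes) < 3:
        reasons.append(
            f"only {len(classes)} of 5 character classes ({', '.join(sorted(classes))})"
        )
    lowered = password.lower()
    for tok in sorted(_name_tokens(account_name, full_name)):
        if tok in lowered:
            reasons.append(f"contains name fragment '{tok}'")
    return reasons


def is_compliant(password, account_name, full_name="", min_length=6):
    return not complexity_violations(password, account_name, full_name, min_length)


if __name__ == "__main__":
    # Hypothetical user; not a real account.
    for candidate in ("Correct-Horse7", "JohnSmith2014!", "password", "xJSMITHx1"):
        print(candidate, complexity_violations(candidate, "jsmith", "John Smith") or "OK")
```

Note what the rule does not do: it says nothing about dictionary words or previously breached passwords, so "Password1" satisfies it. Complexity filtering is a baseline, and the minimum length setting does most of the real work.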

13. Remote access

Off-site access to NUIT managed systems and services is through the Remote Access System. The remote access system uses an encrypted HTTPS connection that is verified using an SSL certificate provided by a recognised certificate authority. All logons to the Remote Access System are logged.

NUIT recommend that all remote access to sensitive and confidential data is risk assessed and authorised by the relevant manager such as the data owner.

14. Network security


Traffic flows are monitored for network activity (egress and ingress) that may be attributed to malicious software and other forms of malicious activity. Traffic flows that are believed to be malicious are terminated.

The private network is segregated from the public network using Network Address Translation (NAT) and Access Control Lists (ACLs) for traffic management and filtering. The private network is further segregated into wired and wireless security domains, each using a different private IP address range. All private IP addresses in use across the University are taken from the non-routable address ranges defined in RFC 1918. Further segregation of network traffic is achieved through the use of VLANs and sub-netting.
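The segregation described above only holds if the address plan is actually followed: every private host must sit in the RFC 1918 block allocated to its own domain, the domains' blocks must not overlap, and RFC 1918 source addresses must never arrive on the public-facing side (they can only be spoofed or leaked). The following is an added example, not NUIT's own code, that audits those three properties. The allocation of 10.0.0.0/8 to "wired" and 172.16.0.0/12 to "wireless", the host inventory and the ingress sample are all constructed for illustration; the page does not state which ranges NUIT uses.

```python
import ipaddress

# The three RFC 1918 private-use blocks. This deliberately does not use
# ipaddress's is_private, which also matches loopback, link-local, the
# documentation ranges and other special-purpose space.
RFC1918 = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
]

# Hypothetical allocation of one RFC 1918 block per security domain.
DOMAIN_RANGES = {"wired": ["10.0.0.0/8"], "wireless": ["172.16.0.0/12"]}

# Constructed inventory of (address, domain it was found on) and a constructed
# sample of source addresses seen on the public-facing interface.
HOSTS = [
    ("10.1.2.3", "wired"),
    ("172.20.5.6", "wireless"),
    ("172.20.5.7", "wired"),        # wireless address plugged into the wired domain
    ("192.168.1.10", "wired"),      # RFC 1918 but not allocated to any domain
    ("198.51.100.8", "wired"),      # public address configured on a private host
]
INGRESS_SOURCES = ["203.0.113.5", "10.0.0.9", "192.168.4.4", "198.51.100.20"]


def is_rfc1918(addr):
    ip = ipaddress.ip_address(addr)
    return ip.version == 4 and any(ip in net for net in RFC1918)


def check_domain_ranges(domain_ranges):
    """Flag allocated ranges that are not RFC 1918 or that overlap another domain."""
    findings, nets = [], []
    for domain, cidrs in domain_ranges.items():
        for cidr in cidrs:
            net = ipaddress.ip_network(cidr)
            if net.version != 4 or not any(net.subnet_of(r) for r in RFC1918):
                findings.append(("range_not_rfc1918", domain, cidr))
            nets.append((domain, net))
    for i, (d1, n1) in enumerate(nets):
        for d2, n2 in nets[i + 1:]:
            if d1 != d2 and n1.version == n2.version and n1.overlaps(n2):
                findings.append(("overlap", f"{d1}:{n1}", f"{d2}:{n2}"))
    return findings


def check_hosts(domain_ranges, hosts):
    """Check that every host address sits inside its own domain's allocation."""
    nets = {d: [ipaddress.ip_network(c) for c in cidrs] for d, cidrs in domain_ranges.items()}
    findings = []
    for addr, domain in hosts:
        if not is_rfc1918(addr):
            findings.append(("public_address_on_private_net", addr, domain))
            continue
        ip = ipaddress.ip_address(addr)
        owner = next((d for d, ns in nets.items() if any(ip in n for n in ns)), None)
        if owner is None:
            findings.append(("unassigned_rfc1918", addr, domain))
        elif owner != domain:
            findings.append(("wrong_domain", addr, f"{domain}->{owner}"))
    return findings


def spoofed_ingress(sources):
    """RFC 1918 source addresses arriving from the public side are spoofed or
    leaked and should be dropped by the edge ACL; return the ones that got through."""
    return [s for s in sources if is_rfc1918(s)]


if __name__ == "__main__":
    print("range findings:", check_domain_ranges(DOMAIN_RANGES))
    print("host findings:", check_hosts(DOMAIN_RANGES, HOSTS))
    print("spoofed ingress:", spoofed_ingress(INGRESS_SOURCES))
```

One caveat a reviewer would raise on the paragraph itself: NAT hides internal addresses but is not a filtering control. It is the ACLs (the ingress check above is the minimum they must implement) and the VLAN boundaries that enforce the segregation.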

Access to the wireless network is through a RADIUS authentication system that is interfaced to the campus Active Directory. The wireless connection is encrypted using WPA2 Enterprise.

15. Information security management

The security of all NUIT managed information systems and services has recently been subject to independent external auditing. The recommendations from this audit form the basis of an on-going programme of work to ensure that information risk is continuously assessed and mitigated.

NUIT has a dedicated Information Security Team, which includes a member who is trained in ISO/IEC 27001:2005 and ISO/IEC 27001:2013 auditing, and is also a certified PCI-SSC ISA (Internal Security Assessor). An internal information security risk assessment is completed every three months. The findings of this risk assessment are subject to review by the NUIT Information Security Forum and form the basis of a risk treatment plan. This risk treatment plan is a key part of an on-going quality assurance process to ensure that technical and non-technical information security risks are correctly mitigated through the identification, implementation and continued improvement of NUIT managed information security controls.

16. Forensic readiness

System level and user activity logs are generated for all critical parts of the NUIT managed ICT infrastructure. These logs form a key part of the University’s programme of forensic readiness.
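Sections 13 and 16 together make the point that logons to the Remote Access System are logged and that those logs are meant to support forensic work. A log is only forensically useful if every record carries the fields an investigator needs (time, account, source, outcome), and it is only operationally useful if someone looks at it for the obvious pattern: a run of failures from one source followed by a success. The following is an added example, not NUIT's own code, that parses a constructed sample in an assumed key=value format (the real Remote Access System log format is not described on this page), reports records that are missing a field, and flags password-guessing bursts and successes that follow them.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed sample in an assumed format; not real NUIT log data.
# Line 7 is deliberately missing the src field to show a readiness gap.
SAMPLE_LOG = """\
2014-07-01T08:15:02Z user=jsmith src=203.0.113.7 result=FAILURE
2014-07-01T08:15:09Z user=jsmith src=203.0.113.7 result=FAILURE
2014-07-01T08:15:15Z user=jsmith src=203.0.113.7 result=FAILURE
2014-07-01T08:15:22Z user=admin src=203.0.113.7 result=FAILURE
2014-07-01T08:15:30Z user=jsmith src=203.0.113.7 result=FAILURE
2014-07-01T08:16:01Z user=jsmith src=203.0.113.7 result=SUCCESS
2014-07-01T08:20:00Z user=abrown result=SUCCESS
2014-07-01T08:30:00Z user=cgreen src=198.51.100.20 result=FAILURE
2014-07-01T08:30:40Z user=cgreen src=198.51.100.20 result=SUCCESS
"""

LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) src=(?P<src>\S+) result=(?P<result>SUCCESS|FAILURE)$"
)


def parse_log(text):
    """Return (events, malformed). A record lacking any required field cannot
    be attributed during an investigation, so it is reported rather than guessed at."""
    events, malformed = [], []
    for lineno, line in enumerate(text.splitlines(), 1):
        if not line.strip():
            continue
        m = LINE_RE.match(line)
        if not m:
            malformed.append((lineno, line))
            continue
        rec = m.groupdict()
        rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append(rec)
    return events, malformed


def detect_guessing(events, threshold=5, window=timedelta(minutes=10)):
    """Sliding-window failure counter per source address.

    Emits ("failure_burst", ...) once when a source reaches `threshold`
    failures inside `window`, and ("success_after_failures", ...) when a
    success arrives while that many failures are still in the window.
    """
    alerts = []
    failures = defaultdict(deque)  # src -> timestamps of recent failures
    for ev in sorted(events, key=lambda e: e["ts"]):
        q = failures[ev["src"]]
        while q and ev["ts"] - q[0] > window:
            q.popleft()
        if ev["result"] == "FAILURE":
            q.append(ev["ts"])
            if len(q) == threshold:
                alerts.append(("failure_burst", ev["src"], ev["user"], ev["ts"].isoformat()))
        else:
            if len(q) >= threshold:
                alerts.append(("success_after_failures", ev["src"], ev["user"], ev["ts"].isoformat()))
            q.clear()
    return alerts


if __name__ == "__main__":
    evs, bad = parse_log(SAMPLE_LOG)
    print("malformed records:", bad)
    for alert in detect_guessing(evs):
        print(*alert)
```

The threshold and window are tuning knobs, not constants of nature: the same sample produces no alert at all with a five-second window, which is the usual way a slow guessing campaign slips past a naive detector.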


17. Disaster recovery

All data stored on the NUIT file-store is backed up on a regular basis to a tape library and to an adjacent file-store located in a secure DR (Disaster Recovery) data centre, so that data can be recovered in the event of a disaster.

18. Secure data disposal

NUIT has a contract with a specialist data disposal company to ensure the secure disposal of old hard disk drives that have been used in NUIT managed ICT equipment.

19. Security incident response

All security incidents reported to NUIT are managed through the NUIT incident response process.

20. Campus Code of Connection
