Draft Security Plan Template


July 13th, 2005

I. Introduction

II. Scope

III. Roles

IV. Inventory

An inventory of all systems used on the network, and any systems that access, store, or manipulate restricted data, must be kept up to date. This inventory will include, at a minimum: system name, serial number, network hardware address (wireless and wired), IP address or DHCP status, physical location, and assigned user.

V. Security Patches

Applying security patches in a timely fashion is required under the current Minimum Standards for Security of Berkeley Campus Networked Devices.

What procedures are in place to ensure that no systems are put on line for which security support is not available?

What procedures are in place to ensure that system administrators will be aware of security patches as they become available?

What procedures are in place to ensure that these patches will be tested and deployed as quickly as possible?

VI. Host Based Security Software

The current Minimum Standards for Security of Berkeley Campus Networked Devices requires anti-virus software and host based firewall software on all systems for which such software is listed on the Approved Software website (http://security.berkeley.edu/approved.software.html).

What procedures are in place to ensure that these tools are installed on all applicable systems?

What procedures are in place to ensure that this software is properly configured and kept up to date?

VII. Access Control

All systems except those that are intentionally publicly accessible must authenticate individual users by means of passwords or other secure authentication processes (e.g. biometrics or Smart Cards). Furthermore, privileges and access rights should be assigned based on function and business need-to-know criteria. Activity logs should also be kept regarding any activity involving restricted data.

How is access controlled?

How are privileges and access rights assigned?

How is temporary access handled?

How is access revocation handled?

How are activity logs handled?

Any email relays or proxy services must also require authentication.

VIII. Network Security

Information traversing the campus network and the wider internet can be easily monitored. It is therefore required that restricted information and authentication information (such as passwords) be encrypted as it moves across the network. In addition, it is highly recommended that, where appropriate, firewalls and other technologies are used to segment and restrict access to parts of your network.

What is your network topology? Provide a graphic network map.

How are systems that manipulate or store restricted data protected from other systems?

What technologies are used to ensure that no restricted data or authentication information traverses the network unencrypted?

IX. Encryption

Whenever restricted data is stored on any device that could be susceptible to loss or theft, it must be encrypted.

What technology is being used to encrypt restricted data on such devices?

What recovery measures are in place in case the primary key for encrypted data is lost?

X. Disposal

Whenever any device is disposed of, it must be properly purged of any restricted data.

XI. Physical Security

Restricted data should be stored on secure servers in dedicated computer rooms with restricted access. Desktop computers should be locked to furniture or the building in which they are located. All computers should be configured to be easily or automatically locked when left unattended.

What physical security measures are in place for servers with restricted data?

What physical security measures are in place for other systems?

Are screen locks used?

XII. Access Monitoring and Auditing

Audit facilities in systems should be activated wherever feasible. Audit logs for high-risk systems should be configured so they are difficult to alter (such as writing to write-once media regularly or copying to remote systems with limited access). Whenever feasible, audit records should track the specific user responsible for all accesses to restricted data. Audit logs for firewalls or systems with confidential or financial data should be reviewed for anomalies by qualified systems administrators daily.

XIII. Intrusion Testing and Reaction

All security systems and processes should be tested regularly.

How will staff test basic unauthorized access scenarios and how often?

How will the network be scanned for vulnerabilities and how often?

How will new applications and code be reviewed before going into production?

Will intrusion detection be deployed?

Who will respond to security incidents and how will they be handled?

XIV. Training

How will staff be trained in these procedures?

XV. Plan Compliance

How will compliance with this plan be verified and how often?

XVI. Other Important Documents

This plan has been developed in accordance with several governing policies and guidelines.



University of California Business and Finance Bulletin IS-3 (Electronic Information Security)

Campus Information Technology Security Policy

Minimum Security Standards for Networked Devices

Payment Card Industry Security Standard (PCI)

University of California, Berkeley Policy on Data Management, Use, and Protection