









Study with the several resources on Docsity
Earn points by helping other students or get them with a premium plan
Prepare for your exams
Study with the several resources on Docsity
Earn points to download
Earn points by helping other students or get them with a premium plan
Community
Ask the community for help and clear up your study doubts
Discover the best universities in your country according to Docsity users
Free resources
Download our free guides on studying techniques, anxiety management strategies, and thesis advice from Docsity tutors
Encryption. Process of converting data into an unintelligible form except to holders of a specific cryptographic key. • Information System.
Typology: Study notes
1 / 17
This page cannot be seen from the preview
Don't miss anything!
Last Reviewed: April 2018
UCLA Extension’s information security policy ensures that its critical operations, assets and customers are properly protected. Due to the increasing value of the data we collect, store and process, we are committed to its protection, the enforcement of applicable regulatory guidelines and routine assessment of security risks.
This policy applies to all employees, vendors and business partners with whom data is shared or to whom data is accessible. This policy mandates employment of daily operational security procedures.
This policy ensures compliance with applicable laws and standards, protects the University from liability and protects the confidentiality, integrity and availability of our information systems, data and network resources.
A copy shall be provided to contractors, vendors, service providers and business partners who have access to data. Third party persons (i.e. vendors, service providers) who do not comply with this policy may be subject to appropriate actions as defined in their contractual agreements.
Per Payment Card Industry (PCI) Data Security Standards (DSS) this policy must be substantively reviewed annually by the managing cashier in Student & Alumni Services Department and the Director of Information Technology Services (ITS). Revisions driven either by security incidents discovered during the year or by revisions and updates to the card industry’s data security standards will be proposed to the Dean for incorporation and approval.
This policy meets the requirements for having a policy on Information Security as required by the PCI DSS. This policy will be superseded by any provision of UC or UCLA policy or California law regarding information security should any conflict be found and amended as needed to align with these higher authorities.
Logical access to information systems and media containing sensitive data will be denied until specifically authorized by appropriate personnel. Appropriate information system owners and/or data custodians or their designated delegates will define and approve logical access to Extension’s information systems and media containing sensitive data.
Logical access to Extension’s information systems and media is provided only to those having a need for specific access in order to accomplish a legitimate task and must be based on the principles of need to know and least possible privilege.
Extension supports a formal, documented user-management process which enables the controlled addition, change and termination of logical access rights on information systems, data and network resources. The process is capable of granting different levels of access to information systems, data and network resources. An automated access control system is in place to control access to information systems.
A unique user name will be used by all persons accessing Extension information systems and media containing sensitive data. Along with the unique user name, a password is required.
Multi-factor authentication will be used by employees, contractors, service providers and vendors for remote access to Extension’s information systems and media containing sensitive data. Extension employees will also use multi-factor authentication for UCLA Logon (Bruin Online). Extension employees who telecommute must take all precautions necessary to secure any and all sensitive data in their homes and prevent unauthorized access to any Extension information systems or data.
Vendor maintenance accounts and ports on Extension information systems that contain sensitive data must be disabled until the specific time they are needed by the vendor. After appropriate use by the vendor, they must again be disabled. All vendor access shall be monitored while in use.
Group, shared or generic accounts or passwords may not be used on Extension information systems that store, process or transmit sensitive data. The following requirements must be met for passwords on such systems:
Extension employees must not use passwords that are also used for non- Extension accounts, such as accounts for Federal Government systems (e.g. SEVIS) also employed in the course of business.
Activation of information system locking software or log off will occur when a user session on an Extension information system is inactive for more than 15 minutes.
User identity will be appropriately verified before any password, which enables access to an Extension information system or network resource, is reset.
User accounts that are inactive for more than 90 days on information systems that store, process or transmit sensitive data must be disabled or removed. Annually, appropriate system owners and/or data custodians or their designated delegates will review and verify logical access rights to information systems and media containing sensitive data. Such rights will be revised as necessary. Inactive accounts over 90 days old will be either removed or disabled.
Extension employees and contractors experiencing a change in status (e.g. termination, position change) will have their logical access rights promptly reviewed, and if necessary, modified or revoked.
At least annually, Extension directors and managers will review all of its physical areas that must be protected from unauthorized physical access. The assessment must take into consideration areas where sensitive data is stored, processed, or transmitted as well as the location of any supporting assets or critical infrastructure.
Extension’s information systems and electronic and non-electronic media containing sensitive data must be located in physically secure areas (“limited access area”). Information systems located in unrestricted, public access areas must be physically secured to prevent theft.
Access to limited-access areas must be denied until specifically authorized by appropriate personnel. Such access must be provided only to those having a need for specific access in order to accomplish a legitimate task and must be based on the principles of need to know and least possible privilege. Access privileges to limited access areas must be reviewed at least annually.
UCLA Extension will ensure that all personnel are provided with sufficient training and supporting reference materials to enable them to appropriately protect information systems, network resources, and data. Security information and awareness is provided via web-based training, instructor-led training, memos and periodic meetings.
Security information and awareness training will include but is not limited to:
Employee technologies, i.e. remote-access technologies, wireless technologies, removable electronic media, laptops, tablets, PDAs. Email and internet usage, that access sensitive data will only be used by personnel if the following controls are in place:
When payment card data is remotely accessed, the data will not be copied, moved, or stored onto local hard drives or removable electronic media unless explicitly authorized for a defined business need.
Remote access sessions to information systems containing sensitive data must be disconnected after twenty (20) minutes of inactivity. Remote access technologies used by vendors or business partners to access information systems containing sensitive data must be turned off when not in use.
Departments that must keep and store sensitive data will do so to the minimum necessary required for business, legal and/or regulatory purposes. Full social security numbers required for tuition payment reporting to the Internal Revenue Service will be retained only for the period that a taxpayer may file an amended return to either the State of California or the federal government. When no longer required for such purposes, sensitive data on information systems or on electronic and non-electronic media must be appropriately disposed. The following disposal methods will be used:
Sensitive data electronic media and information systems must be securely and thoroughly erased before such items can be re-used.
Information systems and electronic and non-electronic media that contain sensitive data must be inventoried and audited on a quarterly basis to ensure that the stored data does not exceed defined data retention requirements.
Electronic storage of any credit/payment card information is prohibited.
Cryptographic keys must be securely stored and comply with the following key management procedures:
Strong cryptography must be used whenever sensitive data is sent via end-user messaging technologies (e.g., email, instant messaging, chat).
ITS will deploy anti-virus software on its information systems commonly affected by malicious software. Such software must be capable of detecting, removing and protecting against all known types of malicious software including spyware and adware.
Anti-virus software must be kept actively running and capable of generating audit logs. Anti-virus software must be enabled for automatic updates and conduct periodic scans.
ITS will have a formal, documented process for regularly identifying and prioritizing relevant and necessary security and functional patches for its information systems and applications that process, transmit or store sensitive data. ITS may use a risk based approach for prioritizing security patch installations. All critical new security patches must be applied within one (1) month of release. A process will be developed to identify and assign a risk ranking (based on security best practices such as CVSS) to newly discovered security vulnerabilities.
ITS must develop and implement a formal, documented change control process for information system and software configuration changes. The process must include:
Only properly authorized persons may make an emergency change to information systems, data or network resources. Such emergency changes must be appropriately documented and promptly submitted, after the change, to ITS’s normal change management process.
ITS will have and maintain documented standards for its firewalls and routers. Such standards must include:
Extension’s firewalls must perform stateful inspection and must restrict connections between untrusted networks (i.e. the Internet) and information systems that process, transmit or store sensitive data. The firewalls will prohibit direct access from the Internet to such information systems, must restrict inbound and outbound traffic to that which is documented as necessary for organizational purposes, and explicitly deny all other traffic.
Configuration files on routers must be secured and regularly synchronized.
A firewall(s) must be installed between any wireless networks and information systems that process, transmit or store sensitive data. Such firewalls will deny or control traffic from any wireless networks to these information systems.
Outbound traffic from payment card applications will be sent to IP addresses within a DMZ; such traffic will not be sent directly to the Internet. Inbound Internet traffic to payment card applications must be limited to IP addresses within the DMZ.
All databases that store sensitive data will be placed in the internal network(s) and be segregated from any DMZ.
For each of the above events, the following must be recorded:
Logs and audit trails on information systems that store, process or transmit sensitive data must be reviewed daily. Such logs and audit trails will be monitored by file integrity or change detection software. Log reviews will include intrusion detection and authentication, authorization and accounting (AAA) servers.
Information generated by logging and monitoring controls implemented on information systems, data and network resources will be protected from unauthorized access. Access to such information will be limited to only those individuals with a need-to-know. Such information must be promptly backed up to a centralized log server and/or media that is difficult to alter. Logs for external-facing technologies (i.e., firewalls, DNS, email) must be promptly copied onto a log server on the internal network. Unless otherwise restricted by law, audit and log file information must be retained for at least one year, with 3 months of log file information being immediately restorable.
UCLA Extension must synchronize with at least one of the following UCLA Campus time servers:
time1.ucla.edu - 164.67.62.194 (stratum 1) time2.ucla.edu - 164.67.62.212 (stratum 1) time3.ucla.edu - 164.67.62.198 (stratum 2) time4.ucla.edu - 164.67.62.213 (stratum 2)
When Extension develops software applications that store, process or transmit sensitive data, such applications will be developed using a formal, documented software development life cycle and be based on information security best practices.
Security patches and system and software configuration changes on developed applications must be tested before being deployed. Testing must include at least:
ITS will have separate development, test and production environments for developed applications that process, transmit or store sensitive data. There must be clear separation of duties between the three environments. Real sensitive data must not be used or must be sanitized for testing or development of developed applications.
Test data and accounts must be removed before developed applications are placed into the production environment. Custom code used in internally developed applications must be reviewed for vulnerabilities before the code is used in the production environment.
Applications developed by ITS that process, transmit or store sensitive data must be based on secure coding best practices such as the Open Web Application Security Project (OWASP) guidelines, SANS CEW Top 25 or CERT Secure Coding. Internally developed Web applications must be protected against the following vulnerabilities:
ITS will annually, or after any significant changes to its information technology environment, perform internal and external penetration tests of its information systems that process, transmit or store sensitive data. The penetration tests will include both network and application layer tests.
At least quarterly, a wireless analyzer will be used at the Extension Administration Building and at metro centers to identify all wireless devices in use or a wireless IDS/IPS must be deployed which is capable of identifying all wireless devices in use at facilities and alerting appropriate personnel upon discovery of devices.
ITS will conduct appropriate quarterly external vulnerability scans against all of its information systems that are Internet reachable. ITS will also run quarterly internal vulnerability scans against all of its information systems that process, transmit or store sensitive data. All internal and external scans must be run until passing results are obtained, or all “High” vulnerabilities are resolved (identified during patch management risk ranking process).
Per its risk assessment, ITS will implement and maintain network IDS, host based IDS and/or IPSs to monitor all traffic to information systems that process, transmit or store sensitive data. IDS/IPS signatures must be kept up-to-date at all times and configured to alert personnel of suspected compromise.
ITS will deploy file integrity monitoring software on its information systems that process, transmit or store sensitive data. The software must perform critical file comparisons at least weekly.
If UCLA Extension shares sensitive data with service providers, it will do so in a manner that conforms to UCLA’s management practices and policy governing service contracts as well as UCLA Extension, requiring:
This policy will be publically listed. Questions and comments are welcome by the Extension Director of ITS, (310) 825-4281.
See also: