MUSC Information Security Standards: System Security

Author: Richard Gadsden
Contact: gadsden@musc.edu
Version: 0.1
Date: 11 May 2005
Status: DRAFT

1. Purpose and Scope

These standards apply to all computing systems that are connected to MUSC's network. The purpose of these standards is to document the minimum security requirements for all network-connected systems, including servers, workstations, laptops, PDAs, and any other network-attached computing or networking device or appliance.

2. Applicable MUSC Policies

3. Standards

3.1. Introduction

Before any system may be connected to MUSC's campus network, an Owner must be designated for the system. The designated Owner of the system must ensure that the system is configured and maintained in accordance with the general security standards for all MUSC systems, presented in 3.2. General System Security Standards, and the applicable platform-specific security standards, presented in 3.3. Platform-Specific System Security Standards.

In addition, if the system is a workstation or other end-user computing device, then the Owner must meet all information security policies and standards for workstation owners, including the responsibilities and standards set for workstation owners in the MUSC Policy: Information Security - Workstation Use and the MUSC Information Security Standards: Workstation Security.

In addition, if the system is used to store protected information, then the Owner must meet all information security policies and standards established by MUSC for systems that house protected information.

3.2. General System Security Standards

These general standards apply to all systems that are connected to MUSC's network:

  • Software vulnerabilities that could allow a system to be compromised must be addressed, through the timely application of patches, configuration changes, or other recommended workarounds for known software vulnerabilities.
  • Unnecessary software should not be installed on a system. The software that is installed on a system should be the minimum software necessary for that system to perform its intended and authorized function(s).
  • Unnecessary software services should not be run, especially services that are remotely accessible over the network. System services that are not needed should be disabled, and prevented from automatically starting up.
  • Anti-virus software must be installed and used, and procedures for regular signature updates must be maintained, on all systems that are vulnerable to known threats of compromise or infection by malicious software (viruses, worms, trojans, and other malware).
  • The principle of least privilege should be followed when granting rights and privileges to user accounts. To prevent elevated privileges from being accidentally misused or intentionally exploited, they should not be granted until the point in time when actually needed, and then dropped or revoked immediately thereafter.
  • All user, administrator, system, and built-in accounts must be assigned good passwords, to prevent compromise by brute-force password guessing attacks. Blank passwords, easily guessed passwords, and default passwords assigned by hardware or software vendors, are all equally unacceptable.
  • Procedures for backup and recovery of data and system files should be implemented, maintained and periodically tested, as needed to meet all business requirements, and any policy or regulatory requirements.
  • Shared systems must have access control mechanisms (technical and/or physical) to ensure that only authorized users can gain access to the system, and that each user's access is limited to the resources and services he is authorized for on the system.
  • Shared systems must have the capability to log basic information about user access and system events, and the logs must be monitored for evidence of intrusion or attempts at unauthorized access.
  • Shared systems must maintain a working and accurate system clock, so that all system log entries are recorded with correct timestamps.