The following are best practice answers for questions your department administration should be asking related to department IT security.
How are we protecting our infrastructure? (In response to What IT Department Heads Should Be Asking)
Physical
Controlling physical access to offices and computer equipment is the responsibility of management. Every department should have a plan for managing access to all workspaces and wiring closets to include control of keys and swipe cards. Periodic inventories should be made of excess keys and control measures need to be in place for the assignment of keys to employees.
Defense in depth
Have enough protection around your critical/confidential data to allow for adequate protection in case of compromise or failure of one defense. Please visit Preparing for Department Security for more information on Defense in Depth.
Other Internet connected devices
Have an inventory of all hardware connected to RUNet and determine who is responsible for each device. In some rare cases there are devices connected to the departmental subnets that may not belong to the department, or that may never have been inventoried. Ensure that all devices are accounted for and maintained for security purposes.
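One way to carry out the reconciliation described above, as an added example rather than a university-provided tool: it compares a department inventory export with a list of devices observed on the subnet. The CSV columns, asset tags, addresses and the observed-device format are constructed assumptions.

```python
import csv
import io
import re

# Constructed sample data: an inventory export and a list of devices seen
# on the departmental subnet (for example from DHCP lease or switch tables).
INVENTORY_CSV = """mac,asset_tag,owner,description
00:1A:2B:3C:4D:5E,DEPT-0001,jsmith,Front office desktop
00-1a-2b-3c-4d-5f,DEPT-0002,,Lab printer
001A.2B3C.4D60,DEPT-0003,mlee,Conference room laptop
"""
OBSERVED = """00:1a:2b:3c:4d:5e 192.0.2.10
00:1a:2b:3c:4d:5f 192.0.2.11
00:1a:2b:3c:4d:99 192.0.2.57
"""

def norm_mac(raw):
    """Normalize colon, dash or dotted MAC notation to aa:bb:cc:dd:ee:ff."""
    digits = re.sub(r"[^0-9a-fA-F]", "", raw).lower()
    if len(digits) != 12:
        raise ValueError(f"not a MAC address: {raw!r}")
    return ":".join(digits[i:i + 2] for i in range(0, 12, 2))

def reconcile(inventory_csv, observed_text):
    """Return devices needing follow-up, grouped by the reason."""
    rows = csv.DictReader(io.StringIO(inventory_csv))
    inventory = {norm_mac(r["mac"]): r for r in rows}
    seen = {}
    for line in observed_text.splitlines():
        if line.strip():
            mac, ip = line.split()
            seen[norm_mac(mac)] = ip
    return {
        # On the network but never inventoried: find out whose it is.
        "uninventoried": sorted((m, ip) for m, ip in seen.items() if m not in inventory),
        # Inventoried but nobody is recorded as responsible for it.
        "no_owner": sorted(r["asset_tag"] for r in inventory.values() if not r["owner"].strip()),
        # Inventoried but not observed: possibly moved, retired or lost.
        "not_seen": sorted(r["asset_tag"] for m, r in inventory.items() if m not in seen),
    }

if __name__ == "__main__":
    for reason, items in reconcile(INVENTORY_CSV, OBSERVED).items():
        print(reason, items)
```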
Wireless networks
Wireless networks need special consideration for security and confidentiality of the information seen and transferred on laptops. Please visit the Rutgers University Wireless Networking site for more information.
Inventory
Every good business maintains an equipment inventory. Whether your department is large or small it's a good idea to keep track of a physical inventory for loss, emergency or business continuity. For more information on keeping an inventory please visit Developing a Security Plan for a sample.
Location of installation CDs and back-up tapes
Installation CDs are valuable when an operating system needs to be reinstalled due to a compromise or equipment failure. These CDs should be kept (and moved) with the computer, or kept in a central location. The user of the computer and support staff should know the location of the CDs.
The location of back-up media should be known by the IT staff and administration.
Software
Antivirus software (AV) Malware/Spyware
The university has a free site license for McAfee antivirus/antispyware software that covers all home and work computers. See the university's software portal for more information. Every departmental desktop and every piece of home equipment connecting to RUNet should have AV installed and configured for “auto-update.”
Malware includes viruses, worms, spyware, adware, browser hijackers, web bugs, and other software. Spyware is software placed on your computer to gather information about you without your knowledge and pass it to advertisers and other interested parties. Spyware can get onto a computer as a software virus, as the result of installing an infected program, through a download, or as the result of clicking an option in a pop-up window.
Patching (Updating operating systems/software)
Software vendors issue patches on a regular basis in response to security flaws as well as to repair software malfunctions in the operating system and application programs. Some updates enhance functionality and performance and others correct deficiencies and security holes. If you allow software on your systems to become out of date, those systems become more vulnerable to attacks. Keeping up to date on patches is an (additional) security responsibility. However, patching requires a prudent approach.
Microsoft operating systems beginning with XP and 2000 have automatic patching available. If you have a home system, or handle your own desktop, automatic patching (checking for and downloading patches) is recommended on a daily basis. See Windows automatic update.
If you are a system administrator, create a plan for upgrades and set aside funding that will enable you to stay ahead of the threat. If you are using different types of operating systems in your department, you may need to develop different types of patching strategies. Many compromised systems are the result of not keeping patches current.
* Evaluate the need for a patch. If the patch is for an application or service that is not running on the system, then there is no need to install it. However, operating systems install many features by default, so it is prudent to be aware of exactly what is running on each system.
* Install a patch on a test system prior to installing it on a production system. Patches have been known to crash systems or have unwanted side effects on the application software.
* Even though a patch has worked well on the test system, back up production systems prior to the installation of a patch. If the worst happens, the system will be recoverable.
Software applications (Microsoft Office, Adobe Acrobat, etc.) also need to be updated with patches.