
Change History: IT Security Requirements

This document summarizes changes since version 1.0, dated 01 Nov 07, of the IT Security Requirements. Minor textual corrections and clarifications are not noted here.

*** Changes in Version 1.2 (17 Oct 08)

** Baseline Requirements

* B. All Computers

  • In B.1, the requirement that systems be patched within five business days has been changed to seven days. This is to accommodate areas that patch/reboot systems on a particular day of the week. A new subpoint explicitly excludes off-line systems from this requirement.
  • B.6 now refers to "anti-malware software" rather than "anti-virus and anti-spyware software." A suggestion has been added about also running such software on Linux desktops and laptops.

* C. Specific to Desktops and Laptops

  • Item C.1 about file sharing has been rephrased to make it clear that all file access on an individual's system must be password protected, including read-only and write-only directories.

* D. Specific to Application and File Servers

  • A suggestion has been added about keeping servers, especially those not limited to local users, on a segregated network.

* E. Specific to Public Workstations and Kiosks

  • Item E.4 has been rephrased to require that public systems where users can write files be restored to a known, clean state between individual sessions. Previously, it referred to "a full system rebuild." An equivalent change was made in item C.2 regarding shared and loaner systems.

*** Changes in Version 1.1 (23 Sep 08)

** Baseline Requirements

* B. All Computers (pp.1&2)

  • A new subpoint to item (3), about system accounts needing strong passwords, notes that Policy 5.8 mandates that one's NetID password can only be used in conjunction with the central authentication infrastructure.
  • Item (6), about running anti-virus/spyware software, now states that this is required for all Windows and Macintosh systems. Previously, it just said "where applicable."

* F. Network Security (p.3)

  • The passage about using Rover-Secure or an equivalently secure departmental wireless system when conducting university business has been deleted. The requirement made little sense given that we don't otherwise require encryption when no Confidential data is being transmitted.
  • Added is the suggestion, also found in the Confidential requirements, of putting systems that don't require off-campus connectivity into 10 space.

** Confidential Data Requirements

* A. Confidential Data Classification (p.1)

  • Since the Confidential requirements are to be the place where we officially specify what data elements fall under this classification, this topic has been fleshed out and given its own heading.

* C. Encryption Standards (p.2)

  • Although some examples are cited, the requirements do not precisely specify what constitutes a sufficient level of encryption where this is called for to protect Confidential data, nor do we feel this would be feasible. A new section here outlines our approach to approving an encryption implementation for such use, with a pointer to a web page where we will go into more detail and list products that are and are not approved. This site should be up soon, and we will be adding items as queries come in.
  • The statements, in three places, about the password-locking feature in Word and Excel not being sufficient to encrypt Confidential data have been modified to say that Office 2007 does offer appropriately strong encryption.

* F. Specific to Desktops and Laptops (pp.3&4)

  • Item (1) has been modified to say that the account used for daily operations must be configured either to not allow software install or to require entering the account password. Without this second option, we felt the requirement was too restrictive.
  • The suggestion about not creating any user accounts that allow installs has been slightly reworded.
  • Item (4), about where encryption is required, now explicitly cites PDAs and smart phones as examples of portable devices.

* G. Specific to Application and File Servers (p.5)

  • A new item (3) specifies that Confidential data should be removed from file servers when no longer needed on an operational basis, and likewise, where feasible, from databases and the like. There was already a similar statement under "Specific to Desktops and Laptops."
  • The suggestion about implementing a formal change management process has been deleted.

* H. Network Security (p.5)

  • Item (2) about using RedRover-Secure or a secure departmental wireless service has been rephrased to state that authentication and encrypted transmission are required for the latter.

* J. Additional Encryption Requirements (pp.5&6)

  • A note about Dropbox as a secure mechanism for exchanging files has been added to item (1), about Confidential data needing to be encrypted when transmitted via email.
  • A new item (2) forbids transmission of Confidential data via IM or SMS, with a note that this would be permissible if encrypted, but that encryption is not available in the standard offerings used by most people.