PROPOSED NEW RULE: RULE 08.00.16 - NC State University Security Standards for Sensitive Data and Systems

Rationale: NC State University REG 08.00.02 - Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources. IT Resources include, but are not limited to, University machines, systems or storage devices, or non-university machines, systems or storage devices that may contain the University’s records/data. In order to comply with REG 08.00.02 Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted the following Rule which all users, System Administrators, Data Trustees, Data Stewards, and/or Data Custodians (including third party service providers) are required to follow.

Consultation Process:

2/29/16 VC for IT (Dr. Hoit) authorized and approved review of PRR

See below [Relevant NCSU administrative body] review, if applicable

See below [Relevant NCSU committee or other body] review, if applicable

3/15/16 General Counsel final review, if changes have been made

3/29/16 Executive Officers, or official with delegated authority to review PRR

8/08/16 University Council (notification), if applicable (PRR Administrator will complete)

NA Board of Trustees (approval/notification), if applicable (PRR Administrator will complete)

Review Status
Committee Name / Anticipated Date of Review / Date of Review / Date of Second Review
OIT S&C Staff / November - December 2014
PCI Core Project Team / Feb 4, 2015
OIT Shared Services Review/Discussion / May 11, 2015 / May 20, 2015 / June 1, 2015 - Final session
SCGS Security Technology Working Group / July 2015 / September 1-30, 2015 / October 28, 2015
SCGS Policy & Compliance Working Group / Introduced January 22, 2015; July 2015 / September 1-30, 2015 / October 22, 2015
SCGS Implementation Strategy Working Group / July 2015 / September 1-30, 2015 / N/A
SCGS / July 2015 / September 1-30, 2015 / November 5, 2015
ITSAC-EAS / August 2015 / September 1-30, 2015 / November 4, 2015
ITSAC-CAS / August 2015 / September 1-30, 2015 / December 3, 2015
ITSAC-Infrastructure / August 2015 / September 1-30, 2015 / October 19, 2015
ITSAC-Academic Technology / N/A / September 1-30, 2015 / November 9, 2015
ITSAC-Research Computing / September 1-30, 2015 / N/A
Campus IT Directors / August 2015 / September 1-30, 2015 / November 17, 2015 / January 19, 2016
AD Policy / September 1-30, 2015 / December 18, 2015
Realm Linux Services / September 1-30, 2015 / November 13, 2015
Mac Policy / September 1-30, 2015 / November 10, 2015
ITSAC / September 1-30, 2015 / February 2016
Final Approval - Marc Hoit & ITLC / February 2016

Authority: Issued by the Vice Chancellor for Information Technology

History: First Issued:

Related Policies:

REG 01.25.12 - University Record Retention and Disposition Regulation

REG 04.00.07 - Developing Business Continuity and IT Disaster Recovery Plans

REG 07.40.01 - Disposal of University Property

REG 07.40.02 - Reporting Misuse of State Property

RUL 08.00.14 - System and Software Security Patching Standard

Contact:

DRAFT 1/12/2016

NC State University Security Standards for Sensitive Data and Systems

Table of Contents

  1. Scope
  2. Exception Process
  3. Definitions
  4. Implementation Timeline
  5. Enforcement
  6. Identification and Authentication
  7. Acceptable Technology Use
  8. Physical Security
  9. Configuration Management
  10. Software Development Lifecycle
  11. Media Protection
  12. Audit and Accountability
  13. Contingency Planning
  14. External Service Providers
  15. Wireless Usage
  16. Encryption

S1. Scope

These standards apply to all system components included in or connected to the sensitive data environment (SDE). The SDE comprises the people, processes and technologies that store, process, or transmit sensitive (“purple” or “red”) University data (see definition in S3). System components may include, but are not limited to:

● Systems that provide security services (for example, authentication servers), facilitate segmentation (for example, internal firewalls), or may impact the security of the SDE (for example, name resolution or web redirection).

● Virtualization components such as virtual machines, virtual switches/routers, virtual appliances, virtual applications/desktops, and hypervisors.

● Network components including but not limited to firewalls, switches, routers, wireless access points, network appliances, and other security appliances.

● Server types including but not limited to web, application, database, authentication, mail, proxy, Network Time Protocol (NTP), and Domain Name System (DNS).

● Applications including all purchased and custom applications, including internal and external (for example, Internet) applications.

● Any other component or device located within or connected to the SDE.

NC State University REG 08.00.02 - Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources. IT Resources include, but are not limited to, University machines, systems or storage devices, or non-university machines, systems or storage devices that may contain the University’s records/data. In order to comply with REG 08.00.02 - Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted the following Rule which all users, System Administrators, Data Trustees, Data Stewards, and/or Data Custodians (including third party service providers) are required to follow.


S2. Exception Process

Any exceptions to these standards must be reviewed by Office of Information Technology (OIT) Security & Compliance (S&C). S&C may consult with appropriate data stewards in determining if an exception can be granted. Exception requests should clearly document the reason the standard cannot be implemented (e.g., a technical limitation), as well as appropriate compensating controls that will be put in place to achieve the security goal of the standard.

S3. Definitions

Cardholder Data Environment (CDE) - The SDE (sensitive data environment) used primarily for sensitive credit card-related data.

Connected Systems - All systems that can directly affect sensitive data within the SDE.

Remote Administration - System administration from outside the SDE.

Sensitive Data - All data classified as “purple” or “red.” See Determining the sensitivity level for Shared Data to assess your data classification.

Sensitive Systems - All systems that store, process, or transmit sensitive data.

Sensitive Data Environment (SDE) - Collection of computer systems and associated infrastructure devices, facilities, and people that support the storage, processing, or transmission of sensitive data.


S4. Implementation Timeline

Data stewards and/or custodians or their delegates should immediately begin implementing controls to ensure compliance with this standard where possible. However, multiple operational changes, processes and tools need to be identified and implemented to support overall university compliance. As such, OIT Security & Compliance will develop an implementation timeline for this standard by December 31, 2016 and communicate to appropriate stakeholders. Following the development of the implementation plan, the necessary processes and tools to support university-wide compliance will be identified and implemented accordingly.

S5. Enforcement

NC State University REG 08.00.02 - Computer Use Regulation requires authorized users to take appropriate security precautions to protect and secure data residing in or on assigned university accounts or other university and non-university IT Resources. IT Resources include, but are not limited to, University machines, systems or storage devices, or non-university machines, systems or storage devices that may contain the University’s records/data. In order to comply with REG 08.00.02 - Computer Use Regulation and ensure appropriate security protections are in place, NC State University has adopted this Rule which all users, System Administrators, Data Trustees, Data Stewards, and/or Data Custodians (including third-party service providers) are required to follow.


S6. Identification and Authentication

S6.1. Purpose

Section 6 outlines requirements for all accounts, whether user or system administrator, with access to the SDE.

S6.2. Scope

Section 6 applies to all non-consumer users or system administrators with access to the SDE or connected systems. System accounts are considered Special IDs. Special IDs are not subject to password change rules such as password change frequency and account lockout. See the Data Sensitivity Framework for examples of sensitive data elements.

S6.3. Standard Details

S6.3.1. Privileged Technical, Functional, and End User Access Management

S6.3.1.1. An access control system must be in place.

S6.3.1.2. Access to data must be restricted on a least privilege and “need to know” basis.

S6.3.1.3. Authorization for access to data must be approved by the appropriate Data Steward or his/her delegate.

S6.3.2. Identification and Authorization

S6.3.2.1. User accounts must use unique identifiers.

S6.3.2.2. Group or shared accounts must not be used.

S6.3.2.3. User identity must be verified prior to both allowing access and permitting the identity to make any additions, deletions or modifications.

S6.3.3. Password Management

All account passwords must adhere to the Password Standard.

S6.3.4. Account Management

S6.3.4.1. Users must acknowledge understanding of privilege levels and security roles annually.

S6.3.4.2. All user accounts must be disabled after not more than six failed login attempts. Automatic re-enable after 30 minutes is acceptable where supported.

S6.3.4.3. Vendor accounts must only be enabled when needed and disabled immediately after use. (See Section S7.3.1.4.)

S6.3.5. Access Termination

A process must exist to immediately disable and/or remove accounts that are no longer needed. Periodic review of user account privileges must be performed according to the schedule in Table 1 below. The account review consists of system owner and/or management evaluation of user accounts to determine if they are still needed and have the appropriate access.

Table 1.
Security Requirement / User Accounts Reviewed / Inactive Accounts Disabled
CDE and Connected Systems / 90 days / 90 days
Other SDE and Connected Systems / 90 days / 90 days
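The two account-management controls above (S6.3.4.2: lockout after not more than six failed logins, with automatic re-enable after 30 minutes; S6.3.5 and Table 1: accounts inactive for 90 days are disabled at review) are simple enough to model directly. The following Python is an added illustration, not part of the Rule or of any NC State tooling: the thresholds are the Rule's, while the `LoginGuard` and `Account` types, the field names and the sample records are constructed for the example.

```python
"""Account-management checks modelled on S6.3.4.2 (lockout after six failed
logins, automatic re-enable after 30 minutes) and S6.3.5 / Table 1 (accounts
inactive for 90 days are disabled).  Added illustration: thresholds come from
the Rule text; the classes, field names and sample records are constructed."""

from dataclasses import dataclass
from datetime import datetime, timedelta
from typing import Dict, List, Optional

MAX_FAILED_ATTEMPTS = 6                # S6.3.4.2: "not more than six failed login attempts"
AUTO_UNLOCK = timedelta(minutes=30)    # S6.3.4.2: re-enable after 30 minutes is acceptable
INACTIVITY_LIMIT = timedelta(days=90)  # Table 1: inactive accounts disabled at 90 days


@dataclass
class LockoutState:
    failures: int = 0
    locked_at: Optional[datetime] = None


class LoginGuard:
    """Tracks consecutive failed logins per user and enforces the lockout."""

    def __init__(self) -> None:
        self._state: Dict[str, LockoutState] = {}

    def is_locked(self, user: str, now: datetime) -> bool:
        st = self._state.get(user)
        if st is None or st.locked_at is None:
            return False
        if now - st.locked_at >= AUTO_UNLOCK:
            # Automatic re-enable: clear both the lock and the failure counter.
            self._state[user] = LockoutState()
            return False
        return True

    def record_failure(self, user: str, now: datetime) -> bool:
        """Record a failed attempt; returns True if the account is now locked."""
        if self.is_locked(user, now):
            return True
        st = self._state.setdefault(user, LockoutState())
        st.failures += 1
        if st.failures >= MAX_FAILED_ATTEMPTS:
            st.locked_at = now
            return True
        return False

    def record_success(self, user: str, now: datetime) -> bool:
        """A correct password resets the counter, but must NOT grant access
        while the lockout is in force; returns True only if login may proceed."""
        if self.is_locked(user, now):
            return False
        self._state[user] = LockoutState()
        return True


@dataclass
class Account:
    username: str
    last_login: Optional[datetime]   # None = never logged in
    enabled: bool = True


def accounts_to_disable(accounts: List[Account], now: datetime) -> List[str]:
    """Enabled accounts whose last activity is older than 90 days (or that
    were never used), i.e. the disable list for the S6.3.5 periodic review."""
    stale = []
    for acct in accounts:
        if not acct.enabled:
            continue
        if acct.last_login is None or now - acct.last_login > INACTIVITY_LIMIT:
            stale.append(acct.username)
    return stale


# Constructed sample data so the module runs stand-alone.
SAMPLE_NOW = datetime(2016, 3, 1, 12, 0)
SAMPLE_ACCOUNTS = [
    Account("dbadmin", SAMPLE_NOW - timedelta(days=10)),
    Account("old_contractor", SAMPLE_NOW - timedelta(days=120)),
    Account("never_used", None),
    Account("already_off", SAMPLE_NOW - timedelta(days=400), enabled=False),
]


def demo_lockout() -> dict:
    """Drive the guard through six failures, a blocked login, and the 30-minute wait."""
    guard = LoginGuard()
    t0 = SAMPLE_NOW
    locked_after = [guard.record_failure("dbadmin", t0 + timedelta(seconds=i))
                    for i in range(6)]                       # only the 6th attempt locks
    return {
        "locked_after_each": locked_after,
        "login_blocked_while_locked": not guard.record_success("dbadmin", t0 + timedelta(minutes=5)),
        "unlocked_after_30m": not guard.is_locked("dbadmin", t0 + timedelta(minutes=31)),
    }


if __name__ == "__main__":
    print(demo_lockout())
    print("disable:", accounts_to_disable(SAMPLE_ACCOUNTS, SAMPLE_NOW))
```

The point worth noticing is in `record_success`: a correct password presented during the lockout window must still be refused, otherwise the six-attempt limit only slows a guessing loop rather than stopping it. The review helper treats a never-used account the same as a stale one, which is the usual reading of "inactive".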


S7. Acceptable Technology Use

S7.1. Purpose

REG 08.00.02 - Computer Use Regulation and POL 08.00.01 - Computer Use Policy provide overall requirements for acceptable use of computing resources at NC State. The purpose of Section 7 is to detail acceptable use of university information technology (IT) resources within SDEs and Connected Systems.

S7.2. Scope

Section 7 applies to all systems within the SDE or connected systems. Section 7 applies to any individuals who will be accessing any systems or devices within the SDE or connected systems, without exception.

S7.3. Standard Details

S7.3.1. Security of Sensitive Information

S7.3.1.1. An inventory of hardware and software shall be maintained and kept up to date.

S7.3.1.2. All sensitive data processing shall be performed within the SDE.

S7.3.1.3. Copying, moving or storage of sensitive data to unauthorized systems is prohibited.

S7.3.1.4. Vendor access to systems within the SDE or connected systems shall only be enabled when needed and immediately disabled after use.

S7.3.1.5. Unencrypted sensitive data may not be sent through unsecure messaging systems such as email or instant messaging (IM).

S7.3.1.6. Password management must adhere to the NC State University Password Standard, with SDE privileged users considered A4/P4.

S7.3.1.7. All computing devices that have security logging capabilities must have sufficient OS level auditing turned on to facilitate tracking of user accounts in the event of a security breach or other events.

S7.3.1.8. University-approved anti-virus software must be installed and definitions kept up to date for all computers within the SDE or connected systems.

S7.3.1.9. All computing devices in the SDE or connected systems must be logically identified and/or labeled, defining owner, contact information, and purpose.

S7.3.2. Approval to Use Technology

Written approval must be obtained from relevant Data Stewards or their delegates, after consultation with OIT Security & Compliance, before the use of any technology that stores, processes or transmits sensitive data. Disagreements between data stewards must be addressed according to the REG 08.00.03 - Data Management Procedures Section 3.1.3.

S7.3.3. Usage Standards for Specific Technologies

S7.3.3.1 Devices

All network devices, operating systems, applications, databases, remote access technologies, wireless technologies, desktops, mobile devices (such as laptops, cell phones, or tablets) within the SDE:

S7.3.3.1.1. Must be configured and used according to business needs.

S7.3.3.1.2. Must be appropriately hardened and secured in accordance with university standards and industry best practices for applicable business requirements.

S7.3.3.1.3. Shall not be added to or removed from the SDE, or modified (See Section S9.3.2.4) without approval from the relevant Data Steward(s) after consultation with OIT Security & Compliance.

S7.3.3.1.4. Shall not be installed in the SDE or connected systems without proof of purchase and licensing rights.

S7.3.3.1.5. Shall be used by all users for approved business reasons (e.g. Web browsing is not a typical business use of a SDE server).

S7.3.3.1.6. Users must protect laptops, cell phones and other devices used to store, process or transmit sensitive data from loss or theft. Users must report loss or theft of laptops, cell phones or other devices in accordance with REG 07.40.02 - Reporting Misuse of State Property.

S7.3.3.2. Remote Administration

Remote Administration (See definition in S3) within the SDE or connected systems must be conducted as follows:

S7.3.3.2.1. Automatic disconnect of remote sessions after at least 30 minutes of inactivity.

S7.3.3.2.2. Activation of remote access technologies used by vendors will occur only when needed by vendors.

S7.3.3.2.3. Vendor remote access must be immediately deactivated after use.

S7.3.3.2.4. Users are prohibited from copying, moving, or storing sensitive data to local or removable storage unless they have obtained approval from the relevant Data Steward(s) after consultation with OIT Security & Compliance.

S7.3.3.2.5. Two-factor authentication is required for privileged users to administer the SDE or connected systems.

S7.3.3.3. Connection Activities

S7.3.3.3.1. Connections from the SDE to the Internet must be conducted by means of university-approved technologies and resources only.

S7.3.3.3.2. No insecure ports, protocols or services, such as FTP, Telnet, or HTTP are to be used for communicating with the SDE without documented business justification for their use. (See Section S9.3.1.1.6.)

S7.3.3.4. Management Approval Processes for Technology Use

All technical staff, including but not limited to system administrative users, programmers/developers, end users, and database administrators must obtain approval from the relevant Data Steward(s) or their delegates, after consultation with OIT Security & Compliance, before they are authorized to use any technology in the SDE or connected systems.


S8. Physical Security

S8.1. Purpose

Section 8 outlines the physical and environmental controls required to protect facilities that house systems that store, process, or transmit sensitive data, as well as protection of the systems themselves.

S8.2. Scope

Section 8 applies to all facilities that host systems that store, process, or transmit sensitive university data, and the systems themselves.

S8.3. Standard Details

S8.3.1. Access

All SDE and connected systems equipment must be maintained in a secure environment:

S8.3.1.1. Only authorized personnel may be allowed physical access to the SDE and connected systems facilities and devices.

S8.3.1.2. The SDE and connected systems facilities must control authorized users’ access via lock and key, electronic access device, or other physical security controls that have been approved (refer to REG 04.05.03 - Electronic Security Management System (SMS)), after consultation with OIT Security & Compliance.

S8.3.1.3. Visitors must be badged or given a physical token, such as a visitor pass, that distinguishes them from employees. This token must expire at the end of the visit. Visitors should be escorted by authorized personnel for the duration of the visit. Visitors without appropriate badging should be escorted out of the facility and the access attempt should be logged or reported to appropriate authorities such as Campus Police.

S8.3.1.4. Physical access to wireless access points, wall outlets, and network devices within the SDE and connected systems networks (including virtual networks) shall be restricted.

S8.3.1.5. Unless in use, switch and router ports within the SDE and connected systems networks must be disabled.

S8.3.1.6. Ingress and/or egress logs showing access to the SDE and connected systems facilities must be retained according to REG 01.25.12 - University Record Retention and Disposition Regulation. (See log retention requirements in Sections 12.3.3 and 12.3.4.)

S8.3.1.7. Physically secure all paper and electronic media that contain sensitive data.

S8.3.2. Video Surveillance

S8.3.2.1. All video surveillance, recording, and monitoring must be in compliance with University Rule RUL 05.06.03 Closed Circuit Television (CCTV).

S8.3.2.2. Use access control vestibules, cameras or other electronic controls to protect SDE and Connected Systems facilities. Surveillance equipment must monitor entrance and exit points and be protected from tampering or disabling.

S8.3.2.3. OIT Security & Compliance will perform periodic testing to ensure the integrity of the camera system and recordings.

S8.3.2.4. Camera footage shall be retained as shown in Table 2 below:

Table 2.
Security Requirements / Camera Recording Review Frequency / Camera Recording Storage
PCI-DSS / Monthly / At least 90 days
Other SDE / At least quarterly or ongoing based on risk / At least 90 days


S9. Configuration Management

S9.1. Purpose

Section 9 establishes a baseline security configuration for hardware and operating systems for the SDE and connected systems.

S9.2. Scope

Section 9 applies to all hardware devices and operating systems within the SDE and connected systems.

S9.3. Standard Details

S9.3.1. Documentation

S9.3.1.1. Configurations of the network and system devices for the SDE and connected systems must be standardized and documented, including at a minimum:

S9.3.1.1.1. Addressing all known security vulnerabilities.

S9.3.1.1.2. Documented business justification for any security features implemented to compensate for any insecure services, daemons, or protocols. (See Section S7.3.3.3.2.)

S9.3.1.2. Network and system device documentation details shall include:

S9.3.1.2.1. Primary system user (particularly for end-point systems)

S9.3.1.2.2. Device names

S9.3.1.2.3. IP address(es)

S9.3.1.2.4. MAC addresses where applicable

S9.3.1.2.5. Serial numbers where applicable

S9.3.1.2.6. Description

S9.3.1.2.7. Department, college or unit

S9.3.1.2.8. Personnel responsible for management of the device

S9.3.1.3. Data flow diagrams are required for sensitive data flow within the SDE and connected systems environment, between the SDE and external systems, and between connected systems and other systems.

S9.3.1.4. Network diagrams are required showing separation of traffic between the SDE and connected systems.

S9.3.1.5. All services, protocols and ports allowed must be documented including a justification of business need.
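The documentation requirements of S9.3.1.2 (per-device record fields) and S9.3.1.5 together with S7.3.3.3.2 and S9.3.1.1.2 (every allowed service documented with a business justification, and insecure services such as FTP, Telnet or HTTP carrying documented compensating features) can be checked mechanically against an inventory export and a port scan of the device. The Python below is an added illustration and not NC State's tooling: the record layout, the `compensating_control` key, the well-known port numbers and the sample device and service lists are constructed for the example.

```python
"""Compliance checks for S9.3.1.2 (device record fields) and S9.3.1.5 /
S7.3.3.3.2 / S9.3.1.1.2 (documented, justified services).  Added illustration:
field names, record layout and sample data are constructed, not part of the Rule."""

from typing import Dict, List, Set

# S9.3.1.2.2-3 and .6-.8: always required (constructed field names).
ALWAYS_REQUIRED = ["device_name", "ip_addresses", "description", "unit", "responsible_personnel"]
# S9.3.1.2.4-5: "where applicable" -> the key must be present even if recorded as not applicable.
WHERE_APPLICABLE = ["mac_addresses", "serial_number"]
# S7.3.3.3.2 names these as insecure; standard port numbers are assumed.
INSECURE_SERVICES = {"ftp": 21, "telnet": 23, "http": 80}


def check_device_record(record: Dict) -> List[str]:
    """Findings for one S9.3.1.2 device record (empty list = complete)."""
    findings = []
    for field in ALWAYS_REQUIRED:
        if not record.get(field):
            findings.append(f"missing {field}")
    for field in WHERE_APPLICABLE:
        if field not in record:
            findings.append(f"missing {field} (record explicitly as not applicable if so)")
    # S9.3.1.2.1: primary user matters "particularly for end-point systems".
    if record.get("endpoint") and not record.get("primary_user"):
        findings.append("missing primary_user for end-point system")
    return findings


def check_services(documented: List[Dict], observed_listening: Set[int]) -> List[str]:
    """documented: entries like {'port': 22, 'service': 'ssh', 'justification': '...'}
    observed_listening: TCP ports actually found listening on the device."""
    findings = []
    documented_ports = set()
    for entry in documented:
        port, service = entry["port"], entry.get("service", "").lower()
        documented_ports.add(port)
        if not (entry.get("justification") or "").strip():
            findings.append(f"port {port}/{service}: no business justification (S9.3.1.5)")
        elif service in INSECURE_SERVICES and not entry.get("compensating_control"):
            findings.append(f"port {port}/{service}: insecure service without documented "
                            f"compensating security features (S9.3.1.1.2)")
    # Listening but never documented: violates S9.3.1.5 outright.
    for port in sorted(observed_listening - documented_ports):
        findings.append(f"port {port}: listening but not documented (S9.3.1.5)")
    # Documented but not present: stale documentation, worth a review.
    for port in sorted(documented_ports - observed_listening):
        findings.append(f"port {port}: documented but not observed (stale documentation)")
    return findings


# Constructed sample inventory data.
GOOD_RECORD = {
    "device_name": "sde-db-01", "ip_addresses": ["10.0.0.5"],
    "mac_addresses": ["00:11:22:33:44:55"], "serial_number": None,  # VM: not applicable
    "description": "database server", "unit": "OIT",
    "responsible_personnel": "dba-team", "endpoint": False,
}
BAD_RECORD = {
    "device_name": "lab-pc-07", "ip_addresses": ["10.0.1.7"],
    "mac_addresses": ["00:11:22:33:44:66"],           # serial_number key absent
    "description": "staff workstation", "unit": "",    # unit left blank
    "responsible_personnel": "desktop-support", "endpoint": True,  # no primary_user
}
SAMPLE_DOCUMENTED = [
    {"port": 22, "service": "ssh", "justification": "remote administration"},
    {"port": 5432, "service": "postgresql", "justification": "application database"},
    {"port": 21, "service": "ftp", "justification": "vendor file drop", "compensating_control": ""},
    {"port": 443, "service": "https", "justification": ""},
]
SAMPLE_OBSERVED = {22, 5432, 21, 80}


def run_sample() -> Dict[str, List[str]]:
    return {
        "good_record": check_device_record(GOOD_RECORD),
        "bad_record": check_device_record(BAD_RECORD),
        "services": check_services(SAMPLE_DOCUMENTED, SAMPLE_OBSERVED),
    }


if __name__ == "__main__":
    for name, findings in run_sample().items():
        print(name, "->", findings or "OK")
```

Running it over the constructed data reports the blank unit, the absent serial number key and the missing primary user on the workstation record, and for the services: FTP allowed without compensating features, HTTPS without a justification, port 80 listening but undocumented, and port 443 documented but not actually open. The distinction between "missing key" and "recorded as not applicable" is deliberate: the Rule's "where applicable" wording only works as an audit control if the inventory records the decision rather than omitting the field.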