Overview
The Office of Information Security (OIS) has published several best practices for common IT environments and scenarios that the University encounters. OIS recommends implementing these best practices regardless of the sensitivity of the data, as they represent the minimum security posture. These security controls are considered voluntary at this time.
Penn IT staff members are encouraged to evaluate the technical environment to determine whether it meets these recommendations and to prioritize system-implementation efforts by risk level. As the field of Information Security is constantly evolving, these best practices may be updated over time.
All of the recommendations will be considered for future inclusion in official University IT Policy.
If you have any questions regarding these best practices, you may email OIS at security@isc.upenn.edu.
Application Best Practices

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Critical Components | If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning starting before rollout. For web applications, scan with a web application vulnerability scanner. | Critical Components |
| Secure Coding | Follow secure coding best practices, such as OWASP (for web applications), and implement an SDLC (Software Development Life Cycle) whenever possible. An SDLC should include regular regression testing, code review, security as a design requirement, and use of a framework. | OWASP (see Quick Download section) |
| Sensitive Data | Consider your use of sensitive data: if you must store it, use encryption in transit and at rest. | Computer Security Policy |
| Patching | Security patches must be applied on a timely basis. | Computer Security Policy |
| SPIA | Conduct a SPIA (Security and Privacy Impact Assessment), including an inventory of applications, the libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed. | |
| Account Review | Review accounts and privileges regularly. | PennGroups where possible, or equivalent control |
| Credential Management | Follow secure password handling practices for passwords used by the application and, wherever possible, use the campus authentication system for user passwords. | Strong password recommendations for PennKeys |
Endpoint Best Practices

Definition: Any laptop, desktop or mobile operating system.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Security Patching | Apply security patches within seven days of being published. Use a supported OS version. | Penn Endpoint Management Service (PennEM) |
| Whole Disk/Device Encryption | Run native encryption as available on newer devices. | InfoSec encryption recommendations |
| Backups | Back up user data daily. | Secure Remote Backup |
| Access Control | Always use a password or a PIN on the device. Set the device to lock the screen automatically when not in use. | Computer Security Policy |
| Malware Protection | Run anti-malware/anti-virus software. | CrowdStrike |
| Configuration Management | Use an endpoint management solution selected and supported at the school or center level. | IBM Endpoint Management (https://www.isc.upenn.edu/endpoint-management); Absolute Data & Device Security (DDS) (http://cms.business-services.upenn.edu/computerstore/component/sobi2/?catid=192) |
| Secure Deletion | Erase or destroy storage media before recycling or donating devices. | Secure Data Deletion |
Server Best Practices

Definition: A server is defined as a host that provides a network accessible resource.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Physical security | Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible. | ISC Hosting |
| Multi-Factor Login | Multi-factor authentication required when logging into servers with privileged account access. | Two-Step Verification |
| Patching | Patches to vulnerabilities applied promptly after they have been made available. | IBM Endpoint Management |
| Credential management | Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied. | LastPass Premium at Penn |
| Secure Disposal | Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal. | Secure Data Deletion |
| Inventory | Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc.). | IBM Endpoint Management; Identity Finder |
| Network firewall | Host-based network filtering (e.g. firewall) configured. Hardware firewall used wherever possible. | |
| Centralized logging | | |
| Vulnerability management | | |
| SysAdmin Training | | |
| Host integrity | | |
| Least privilege | Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges. | |
Logging Best Practices

Definition: If you need to log the security events taking place on one of your hosts, use these best practices to determine what events to collect and how to collect them.

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Storage | Move event logs off the machine that generates them and onto a centralized storage solution on a regular basis. Restrict access to that storage solution and the event logs to just those with a need to review the event logs. | |
| Retention | Conduct a risk analysis of your systems and their data, and choose a retention period that is right for you. Be aware that retaining too much data may put you at risk, and retaining too little data may be of insufficient utility for detecting problems. | |
| Ensure Events are Time-based | All logs compliant with these best practices will record the time at which an event transpired on a system. | PennNet NTP Service: https://www.isc.upenn.edu/how-to/network-time-protocol-ntp |
| Ensure Log Record Event Origin | All logs compliant with these best practices will record a host identifier (e.g. domain name, IP address) on which an event took place. | |
| Ensure User Events Record Account Name | All logs compliant with these best practices will record the system account name under which an event took place, where relevant. | |
| End-user workstation | At a minimum, log authentications (both local and remote). Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Server | At a minimum, log authentications (both local and remote) at the platform and to authenticated applications running on the server. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts. | |
| Hardware firewall | | |
| Other Devices | | |
| Establish Your Baseline | | |
| Monitor & Alert | | |
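As an added illustration (not part of the OIS page), the following checker applies the three record-level requirements above (timestamp, host identifier, account name on user events) and the minimum event set for workstations and servers to a few constructed log lines. The line format, field names and event-type labels are assumptions made for this example, not a Penn standard.

```python
import re
from datetime import datetime

# Minimum event types the page says workstations and servers must log
# (labels are this example's own assumption, not an official vocabulary).
REQUIRED_EVENTS = {"authentication", "account_created", "privilege_escalation",
                   "account_enabled", "account_disabled", "password_changed"}

# Assumed record layout: "<ISO-8601 timestamp> <host> <event_type> key=value ...".
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<host>\S+) (?P<event>\S+)(?P<rest>.*)$")
USER_RE = re.compile(r"\buser=(\S+)")

# Constructed sample lines; three of them violate one requirement each.
SAMPLE_LOG = [
    "2024-03-01T08:15:02+00:00 ws-101.example.edu authentication user=alice src=10.0.0.5 result=success",
    "2024-03-01T08:16:40+00:00 ws-101.example.edu privilege_escalation user=alice target=root",
    "not-a-time ws-101.example.edu account_created user=bob",          # no usable timestamp
    "2024-03-01T09:00:00+00:00 - password_changed user=bob",           # host identifier missing
    "2024-03-01T09:05:00+00:00 ws-101.example.edu account_disabled",   # user event, no account name
]


def check_record(line):
    """Return the list of requirements a single log line fails; [] means compliant."""
    m = LINE_RE.match(line)
    if not m:
        return ["unparseable record"]
    problems = []
    try:
        datetime.fromisoformat(m["ts"])          # "Ensure Events are Time-based"
    except ValueError:
        problems.append("missing or non-ISO timestamp")
    if m["host"] in ("", "-"):                    # "Ensure Log Record Event Origin"
        problems.append("missing host identifier")
    # "Ensure User Events Record Account Name": only user-attributable events need it.
    if m["event"] in REQUIRED_EVENTS and not USER_RE.search(m["rest"]):
        problems.append("user event without account name")
    return problems


def missing_event_types(lines):
    """Minimum event types that never appear in the sample, i.e. gaps in collection."""
    seen = {m["event"] for m in map(LINE_RE.match, lines) if m}
    return sorted(REQUIRED_EVENTS - seen)


if __name__ == "__main__":
    for line in SAMPLE_LOG:
        print(check_record(line) or "ok", "<-", line)
    print("never observed:", missing_event_types(SAMPLE_LOG))
```

Running it on the constructed sample flags one failed requirement per bad line and reports that no account-enable event was ever collected, which is the kind of gap the "Establish Your Baseline" step is meant to surface.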
Secure Disposal Best Practices

Digital Media

| Standard | Recommendation | Resource |
| --- | --- | --- |
| Hard Drives | If the hard drive is fully encrypted, destroying the encryption key will render the data unrecoverable; otherwise, secure wipe with a single pass of data over the entire disk, or degauss and/or physically destroy by shredding. | |
| SSDs | If the drive was encrypted prior to adding data, destroying the encryption key will render the data unrecoverable. | |
| Optical Disks | Physical destruction by shredding. | |
| Portable devices (i.e. smartphones) | Use manufacturer methods to perform a factory hard reset. | |
| Magnetic media (i.e. tapes) | If encrypted, destroying the encryption key will render the data unrecoverable. | |

Resources

- Example tools for overwriting spinning disk drives: DBAN (http://dban.org)
- Campus disposal resources
- Recycling services