Security of Information Technology Resources
IT-12

University Information Policy Office, uipo@iu.edu
Indiana University organizational units (campuses, departments, offices, affiliated agencies, etc.) operating technology resources are responsible for ensuring that those systems are managed securely. This is required for all such systems, but is especially critical for those systems that support vital business functions and/or host sensitive personal or institutional information.
The University Information Technology Policy and Security Offices have the authority (derived from Trustee Resolution of May 2001) to develop and implement policies necessary to minimize the possibility of unauthorized access to Indiana University's information technology infrastructure. This entails establishing security resources, policies, guidelines, and standards, and providing consulting services, for all Indiana University computer systems, telecommunications, or other information technology resources.
Managers and technicians within functional units are required to report any breaches or possible breaches of the security of Indiana University networks, systems, or data to the University Information Technology Policy Office Incident Response Coordinator, per published procedures. The University Information Technology Policy and Security Offices will assess the situation, and minimally provide advice as to appropriate response and reporting. While circumstances will vary, response will be guided by published general procedures and will be the task of the reporting unit.
The University Information Technology Policy and Security Offices have the authority (derived from Trustee Resolution of May 2001) to assume leadership, responsibility, and control of responses to unauthorized access to Indiana University's information technology infrastructure, unauthorized disclosure of electronic information, and computer security breaches regardless of the Indiana University office involved. These Offices are to draw upon the experience, expertise, and resources of other University offices (including the Office of Internal Audit) where necessary and appropriate. This authority will be exercised if it becomes clear to the IT Policy Officer or Security Officer that the unit responding does not have the means to react appropriately and/or in a timely manner to a specific incident.
Computing, networking, and other information technologies have become critical in support of most if not all Indiana University operations. This dependence has resulted in a very large, very diverse, and very complex technology environment, which in turn has resulted in a greater opportunity for intrusion attempts. At the same time, much more data is being stored, accessed, and manipulated electronically, and as the risk to systems increases, the risk of unauthorized disclosure or modification of personal, proprietary, or institutional data is also increased. It is very important that everyone associated with providing and using these technology services is diligent in their administration and responsive to security threats. It is also important that information related to intrusions, attempted intrusions, or other such incidents is shared so the event can be recognized and perhaps avoided elsewhere.
The use of automated scanners and break-in scripts makes it easy for someone to quickly scan entire networks for vulnerable systems. Systems that are not properly secured are likely to be discovered, and they will then be subject to intrusion. Data on vulnerable/exploited systems WILL be compromised, altered, or destroyed. Such systems may be used to compromise or initiate denial of service attacks against other University systems or systems at external sites.
The following are generalized goal-oriented requirements; some may have multiple methods or solutions. Attending to these is important for all systems, but is ABSOLUTELY CRITICAL for those systems that support vital business functions and/or host sensitive personal or institutional information.
(Numbers do not indicate sequence or priority; they merely provide a method to reference specific items.)
For a computer system to be managed securely, functional unit management must:
For a computer system to be managed securely, functional unit technicians must:
Intrusion attempts, security breaches, or other technical security incidents perpetrated against University-owned computing or other information technology resources either attached to an Indiana University-operated telecommunications network or freestanding in a University office must be reported to the Incident Response team. Functional unit managers and/or technicians must:
Upon receiving a report of a security incident, the UIPO Incident Response Coordinator will:
Upon receiving a report of a security incident, the University Information Policy Officer and/or University Information Security Officer will:
The functional unit managing a system that has been compromised is ultimately responsible for determining whether the system will only be restored and operations resumed, or whether pursuit of the perpetrator is feasible and appropriate based on possible continued effect on operations. Such investigation may be requested by law enforcement, and University Counsel must be consulted to see if any such request is legally binding before a contrary decision is made to only recover the system and restore the service.
The functional unit managing a system that has been compromised is responsible for all monetary, staff, and other costs related to investigations, cleanup, and recovery activities resulting from the compromise, response, or recovery.
In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Information Policy Officer or Information Security Officer may place limits or restrictions on technology services provided on or from any University-owned or -managed system and network.
In order to protect University data and systems, as well as to protect threatened systems external to the University, the University Information Policy Officer or Information Security Officer may unilaterally choose to virtually isolate a specific University system from University, campus, or external networks, given:
Reports of security incidents should be sent to it-incident@iu.edu.
Technology policies can be found at the Web site of the University Information Policy Office.
Security resources and other security-related materials can be found at the Web site of the University Information Security Office.
The UISO operates during normal business hours. For situations after hours, contact your local campus computing support centers or help desks and ask them to page the UISO, which monitors pages 24x7. A response from UISO should be expected within 15-30 minutes. If other methods fail to reach the UIPO or UISO within 30 minutes, contact the Bloomington Data Center Operators at 812-855-9910 and ask them to page the UISO.
Indiana University Information Technology Resources or systems includes all University-owned computers, peripherals, and related equipment and software; voice communications infrastructure, peripherals, and related equipment and software; data communications infrastructure, peripherals, and related equipment and software; and all other associated tools, instruments, and facilities. Included in this definition are classroom technologies; computing and electronic communication devices and services, including modems; electronic mail; phones; voice mail; facsimile machines; multimedia and hypermedia equipment and related supporting devices or technologies. The components may be individually controlled (e.g., assigned to an employee) or shared single-user or multi-user, and they may be stand-alone or networked.
Security breach:
any successful unauthorized access to an Indiana University computer or system or network.
University-owned computing resources:
computer and computer-related equipment acquired and maintained all or in part by funds through Indiana University.
Systematic unsuccessful attempts:
continual probes, scans, or login attempts, where the perpetrator's obvious intent is to discover a vulnerability and inappropriately access that device.
University Information Policy Office (UIPO):
a unit within the Office of the Vice President for Information Technology and Chief Information Officer. The components of the UIPO mission germane to this Policy are to develop technology deployment and usage policies and to provide a technology incident response function.
University Information Security Office (UISO):
a unit within the Office of the Vice President for Information Technology and Chief Information Officer. The mission of the UISO is to provide proactive security analysis, development, education, and guidance related to Indiana University's information asset and information technology environment.
Incident Response Coordinator/team:
a UIPO function that receives, triages, resolves, assigns, and tracks incidents of technology abuse or security breaches for all Indiana University campuses. This staff coordinates with various University offices as well as with external internet service providers, complainants, and law enforcement. Reports sent to it-incident@iu.edu automatically generate an incident entry in the UIPO database, and are handled by the IRC staff.
Response commensurate with the risk to operations and data:
service manager and technician reaction to a reported security vulnerability should directly correspond to the potential for damage to the local system (or adjacent systems) or inappropriate disclosure or modification of data: