
Overview

The Office of Information Security (OIS) has published several best practices for common IT environments/scenarios that the University encounters. These best practices are recommended to be implemented regardless of the sensitivity of the data, as these best practices represent the minimum security posture. These security controls are considered voluntary at this time.

Penn IT staff members are encouraged to evaluate the technical environment to determine whether it meets these recommendations and to prioritize system-implementation efforts by risk level. As the field of Information Security is constantly evolving, these best practices may be updated over time. 

All of the recommendations will be considered for future inclusion in official University IT Policy.

If you have any questions regarding these best practices, you may email OIS at security@isc.upenn.edu.

Application

Application Best Practices

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.

Standard: Critical Components
Recommendation: If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning, starting before rollout. For web applications, scan with a web application vulnerability scanner.
Resources: Critical Components; WebInspect

Standard: Secure Coding
Recommendation: Follow secure coding best practices, such as OWASP (for web applications), and implement an SDLC (Software Development Life Cycle) whenever possible. An SDLC should include regular regression testing, code review, security as a design requirement, and use of a framework.
Resources: OWASP (see Quick Download section); CERT (see coding standards for C, Android, C++, Java, and Perl); Join Developer SIG; Developer SIG Code Contributions; Developer SIG Slack Channel

Standard: Sensitive Data
Recommendation: Consider your use of sensitive data; if you must store it, use encryption in transit and at rest.
Resources: IT Security Policy; consult ISC Information Security (security@isc.upenn.edu) about alternatives to handling sensitive data.

Standard: Patching
Recommendation: Security patches must be applied on a timely basis.
Resources: IT Security Policy; University Computing Policies

Standard: SPIA
Recommendation: Conduct a SPIA (Security and Privacy Impact Assessment), including an inventory of applications, the libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed.
Resources: SPIA

Standard: Account Review
Recommendation: Review accounts and privileges regularly.
Resources: PennGroups where possible, or an equivalent control: http://www.upenn.edu/computing/penngroups/

Standard: Credential Management
Recommendation: Follow secure password handling practices for passwords used by the application, and wherever possible use the campus authentication system for user passwords.
Resources:
Strong password recommendations for PennKeys: https://weblogin.pennkey.upenn.edu/changepassword
Best practices for password handling in applications: https://www.isc.upenn.edu/security/password-handling
Penn WebLogin: http://www.upenn.edu/computing/weblogin/
Two-Step Verification: https://www.isc.upenn.edu/how-to/two-step-faq#Two-Step-Verification-FAQ

Endpoint

Endpoint Best Practices
Definition: Any laptop, desktop or mobile operating system.
Standard: Security Patching
Recommendation: Apply security patches within seven days of being published. Use a supported OS version. Configure the OS to perform automatic updates.
Resources: Penn Endpoint Management Service (PennEM): https://www.isc.upenn.edu/endpoint-management

Standard: Whole Disk/Device Encryption
Recommendation: Run native encryption as available on newer devices.
Resources: InfoSec encryption recommendations: https://www.isc.upenn.edu/security/encryption

Standard: Backups
Recommendation: Back up user data daily.
Resources: Secure Remote Backup: http://www.upenn.edu/computing/isc/lts/srb/srbfaq.html

Standard: Access Control
Recommendation: Always use a password or a PIN on the device. Set the device to lock the screen automatically when not in use.
Resources: Computer Security Policy: http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html

Standard: Malware Protection
Recommendation: Run anti-malware/anti-virus software.
Resources: CrowdStrike: https://www.isc.upenn.edu/how-to/crowdstrike

Standard: Configuration Management
Recommendation: Use an endpoint management solution selected and supported at the school or center level.
Resources: IBM Endpoint Management: https://www.isc.upenn.edu/endpoint-management; Absolute Data & Device Security (DDS): http://cms.business-services.upenn.edu/computerstore/component/sobi2/?catid=192

Standard: Secure Deletion
Recommendation: Erase or destroy storage media before recycling or donating devices.
Resources: Secure Data Deletion: https://www.isc.upenn.edu/secure-data-deletion


Server

Server Best Practices
Definition: A server is defined as a host that provides a network accessible resource.
Standard: Physical security
Recommendation: Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible.
Resources: ISC Hosting: https://www.isc.upenn.edu/hosting; Facilities Managed Computing: https://upenn.app.box.com/v/FMChangeRequestInstructions

Standard: Multi-Factor Login
Recommendation: Multi-factor authentication required when logging into servers with privileged account access.
Resources: Two-Step Verification: https://www.isc.upenn.edu/two-step-verification

Standard: Patching
Recommendation: Patches to vulnerabilities applied promptly after they have been made available.
Resources: IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html

Standard: Credential management
Recommendation: Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied.
Resources: LastPass Premium at Penn: https://www.isc.upenn.edu/news-announcements/lastpass-premium-now-available-penn-community

Standard: Secure Disposal
Recommendation: Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal.
Resources: Secure Data Deletion: https://www.isc.upenn.edu/secure-data-deletion

Standard: Inventory
Recommendation: Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc.).
Resources: IBM Endpoint Management: http://www.upenn.edu/computing/isc/lts/PennEM/index.html; Identity Finder: https://www.isc.upenn.edu/how-to/identity-finder

Standard: Network firewall
Recommendation: Host-based network filtering (e.g. a firewall) configured. Hardware firewall used wherever possible.

Standard: Centralized logging
Recommendation: Security-relevant events, including privileged access, are logged to a separate system.
Resources: Security Logging Service: https://www.isc.upenn.edu/security-logging-service

Standard: Vulnerability management
Recommendation: Servers regularly scanned with a vulnerability scanner. Findings resolved as soon as practicable. Continuous monitoring used wherever possible.
Resources: Nessus Vulnerability Scanner: https://www.isc.upenn.edu/vulnerability-scanning-service

Standard: SysAdmin Training
Recommendation: System administrators trained in the tools and procedures required to implement the items listed in this standard. University policy, as well as prohibited behaviors, covered.

Standard: Host integrity
Recommendation: Host integrity maintained through some combination of antivirus, anti-malware, rootkit detection, and file integrity monitoring, configured with external alerting whenever possible (see Centralized logging).
Resources: OSSEC: https://ossec.github.io/

Standard: Least privilege
Recommendation: Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges.

Logging

Logging Best Practices
Definition: If you have a need to log the security events taking place on one of your hosts, use these best practices to determine what events to collect and how to collect them.
Standard: Storage
Recommendation: Move event logs off of the machine that generates them and onto a centralized storage solution on a regular basis. Restrict access to that storage solution and the event logs to just those with a need to review the event logs.
Resources: Splunk: https://www.isc.upenn.edu/security-logging-service; EventSentry: www.eventsentry.com; Tripwire: www.tripwire.com

Standard: Retention
Recommendation: Conduct a risk analysis of your systems and their data, and choose a retention period that's right for you. Be aware that retaining too much data may put you at risk, and retaining too little data may be of insufficient utility for detecting problems.

Standard: Ensure Events are Time-based
Recommendation: All logs compliant with these best practices will record the time at which an event transpired on a system.
Resources: PennNet NTP Service: https://www.isc.upenn.edu/how-to/network-time-protocol-ntp

Standard: Ensure Logs Record Event Origin
Recommendation: All logs compliant with these best practices will record a host identifier (e.g. domain name, IP address) for the host on which an event took place.

Standard: Ensure User Events Record Account Name
Recommendation: All logs compliant with these best practices will record the system account name under which an event took place, where relevant.

Standard: End-user workstation
Recommendation: At a minimum, log authentications (both local and remote). Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

Standard: Server
Recommendation: At a minimum, log authentications (both local and remote) at the platform and to authenticated applications running on the server. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

Standard: Hardware firewall
Recommendation: At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

Standard: Other Devices
Recommendation: At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

Standard: Establish Your Baseline
Recommendation: For each event type being logged, review your logs to determine what "normal" behavior looks like for your systems. Document this behavior as what you expect your systems to do.

Standard: Monitor & Alert
Recommendation: Through manual or automated review, compare your system's event logs against your established baseline on a regular basis. Where behavior deviates from what you expect, investigate and remediate its cause.
Resources: Splunk: https://www.isc.upenn.edu/security-logging-service
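As an added illustration (not part of the OIS page and not an OIS or ISC tool), the following Python script applies the three record requirements above (event time, originating host, account name) to a handful of constructed syslog-style lines, then compares per-host event counts against a documented baseline in the way the Establish Your Baseline and Monitor & Alert rows describe. The line layout, the event-message patterns, the baseline numbers and the 2x tolerance are all assumptions chosen for the example, not values from the page.

```python
import re
from collections import Counter
from datetime import datetime

# Constructed sample records (not taken from the page): a syslog-like layout of
# "<ISO timestamp> <host> <program>: <message>". The last two lines deliberately
# omit the timestamp and the host respectively, so they fail the record checks.
SAMPLE_LOGS = """\
2024-03-01T08:02:11Z ws-101 login: accepted password for alice from 10.1.2.3
2024-03-01T08:05:40Z ws-101 sudo: alice : TTY=pts/0 ; USER=root ; COMMAND=/usr/bin/apt update
2024-03-01T09:15:02Z ws-101 login: accepted password for alice from 10.1.2.3
2024-03-01T11:20:00Z ws-101 passwd: password changed for alice
2024-03-01T22:48:09Z ws-101 login: failed password for root from 203.0.113.9
2024-03-01T22:48:12Z ws-101 login: failed password for root from 203.0.113.9
2024-03-01T22:48:15Z ws-101 login: failed password for root from 203.0.113.9
2024-03-01T22:48:20Z ws-101 useradd: new user: name=svc_tmp, UID=1050
ws-101 login: accepted password for bob from 10.1.2.4
2024-03-01T10:00:00Z login: accepted password for carol from 10.1.2.5
"""

# Assumed message patterns for the event classes the page asks to be logged;
# each one captures the account the event concerns (the third required field).
EVENT_PATTERNS = {
    "auth_success": re.compile(r"accepted \w+ for (?P<account>\S+)"),
    "auth_failure": re.compile(r"failed \w+ for (?P<account>\S+)"),
    "priv_escalation": re.compile(r"^(?P<account>\S+) : .*COMMAND="),
    "account_created": re.compile(r"new user: name=(?P<account>[^,]+)"),
    "password_changed": re.compile(r"password changed for (?P<account>\S+)"),
}

# Constructed baseline: expected daily counts per (host, event), as would be
# documented after reviewing what "normal" looks like for this workstation.
BASELINE = {
    ("ws-101", "auth_success"): 4,
    ("ws-101", "auth_failure"): 1,
    ("ws-101", "priv_escalation"): 2,
    ("ws-101", "password_changed"): 1,
}


def parse_timestamp(token):
    """Return a datetime for an ISO-8601 UTC token, or None if it is not one."""
    try:
        return datetime.strptime(token, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None


def parse_record(line):
    """Split one line into ts/host/event/account and list any required field
    that is absent. Tolerates missing leading fields instead of raising."""
    rec = {"ts": None, "host": None, "event": "other", "account": None, "missing": []}
    head, sep, msg = line.partition(": ")
    if not sep:
        rec["missing"] = ["timestamp", "host"]
        return rec
    tokens = head.split()
    tokens.pop()  # the program name immediately precedes ": "
    for tok in tokens:
        ts = parse_timestamp(tok)
        if ts is not None and rec["ts"] is None:
            rec["ts"] = ts
        else:
            rec["host"] = tok
    for event, pattern in EVENT_PATTERNS.items():
        m = pattern.search(msg)
        if m:
            rec["event"], rec["account"] = event, m.group("account")
            break
    rec["missing"] = [name for name, value in (("timestamp", rec["ts"]), ("host", rec["host"]))
                      if value is None]
    if rec["event"] != "other" and rec["account"] is None:
        rec["missing"].append("account")
    return rec


def parse_all(text):
    return [parse_record(line) for line in text.splitlines() if line.strip()]


def noncompliant(records):
    """(index, missing fields) for every record that violates the requirements."""
    return [(i, r["missing"]) for i, r in enumerate(records) if r["missing"]]


def count_events(records):
    """Counter keyed by (host, event) over records that carry all required fields."""
    return Counter((r["host"], r["event"]) for r in records if not r["missing"])


def compare_to_baseline(observed, baseline, tolerance=2.0):
    """Flag (host, event) pairs seen more than `tolerance` times the documented
    expectation, or that the baseline does not list at all."""
    findings = []
    for key, seen in sorted(observed.items()):
        expected = baseline.get(key, 0)
        if expected == 0:
            findings.append((key, seen, expected, "not in baseline"))
        elif seen > expected * tolerance:
            findings.append((key, seen, expected, "above baseline"))
    return findings


if __name__ == "__main__":
    records = parse_all(SAMPLE_LOGS)
    for i, missing in noncompliant(records):
        print(f"record {i} lacks required field(s): {', '.join(missing)}")
    for key, seen, expected, why in compare_to_baseline(count_events(records), BASELINE):
        print(f"{key[0]} {key[1]}: saw {seen}, baseline {expected} ({why})")
```

Records that fail the field check are reported but excluded from the baseline comparison, so a gap in collection shows up as a compliance finding rather than silently lowering an event count. On the constructed input the comparison flags the burst of failed logins and the account creation the baseline never lists, which is exactly the "deviates from what you expect" condition the table asks you to investigate.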

Secure Disposal

Secure Disposal Best Practices
Digital Media
Standard: Hard Drives
Recommendation:
- If the hard drive is fully encrypted, destroying the encryption key will render the data unrecoverable
- Secure wipe with a single pass of data over the entire disk
- Degauss and/or physical destruction by shredding
Resources: NIST 800-88: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf; Overwriting Hard Drive Data: The Great Wiping Controversy: https://link.springer.com/chapter/10.1007/978-3-540-89862-7_21

Standard: SSDs
Recommendation:
- If the drive was encrypted prior to adding data, destroying the encryption key will render the data unrecoverable
- If the drive manufacturer provides ATA Secure Erase, this is a good course of action to render the data unrecoverable
- Physical destruction by shredding
Resources: NIST 800-88: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf; ATA Secure Erase: https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Standard: Optical Disks
Recommendation: Physical destruction by shredding

Standard: Portable devices (e.g. smartphones)
Recommendation: Use manufacturer methods to perform a factory reset.
Resources: Apple: https://support.apple.com/en-us/HT201351; Android: http://www.androidcentral.com/how-factory-reset-android-phone

Standard: Magnetic media (e.g. tapes)
Recommendation:
- If encrypted, destroying the encryption key will render the data unrecoverable
- Secure wipe with a single pass of data over the entire tape
- Degauss and/or physical destruction by shredding

Resources

Example tools for overwriting spinning disk drives:
DBAN - http://dban.org
Eraser - https://eraser.heidi.ie
Apple Disk Utility - https://support.apple.com/kb/PH22241?viewlocale=en_US&locale=en_US

Campus disposal resources:
University Records Center - http://www.archives.upenn.edu/urc/urc.html
ISC's Drive Degausser and Crusher - https://www.isc.upenn.edu/how-to/secure-drive-disposal
ISC Security's Secure Deletion Information - https://www.isc.upenn.edu/secure-data-deletion

Recycling services:
Electronics: Elemental, Inc - http://eleminc.com/
Cell phones: Gazelle.com - https://www.gazelle.com/; sellcell.com - https://sellcell.com
