Prioritized Information Security Guidance

G5 - Prioritized Information Security Guidance

Guideline ID: 5
Guideline status: Reviewed
Guideline description: Prioritized information security guidance and best practices
Guideline owner: Information Security Services (ISS)
Guideline contact: Jason Testart

Changes

This document is subject to change and review at least annually.

Prioritized Information Security Guidance

  1. Maintain up-to-date scope, inventories and documentation for your environments, systems and websites.
  2. Apply security patches regularly, use anti-virus/anti-malware threat protection software and perform vulnerability scans regularly.
  3. Ensure secure access and authentication by using single sign-on and strong passwords that adhere to the Password Standards. Use multi-factor authentication and strong access controls such as limiting privileged access. Immediately revoke access when it is no longer needed.
  4. Use security configuration hardening, firewalls, monitoring, isolation and segmentation, and strong encryption such as AES-256 or better to protect data at rest.
  5. Protect data in transit (in motion) by using secure protocols/methods with strong encryption such as TLS 1.2 or better, and conform to the Secure Data Exchange Guideline.
  6. Use a secure systems development lifecycle when developing applications, systems or websites.
  7. Physically protect data/media at all times. Securely sanitize and dispose of all data/media according to the Electronic Media Disposal Guideline.
  8. Ensure the availability of information by having appropriate business continuity and disaster recovery plans.
  9. Enable and use multi-factor authentication for your email account. Never send highly restricted information by email. See the Secure Data Exchange Guideline for more information when communicating by email.
  10. Participate in Cyber Security Awareness and report any information security breaches through the University's Information Security Breach Response Procedure.

Document history

Date Revision summary
2019-07 Initial version

Reviews

Date Reviewed by
2019-07 Information Security Services (ISS)