This table outlines security requirements and recommendations for hosting University of Waterloo data with respect to the security classifications outlined in Policy 46.

General security

All security classifications

  • All users are assigned a unique ID. The uwuserid is used unless it is technically prohibitive to do so.
  • A password, passphrase, token, or asymmetric encryption key is used to authenticate users.
  • The University password policy is followed.

Confidential information

  • Audit trails are maintained so that individual accountability can be established.
  • A change management process is in place for all components of the secure hosting facility.
  • Development/Testing environments are used, and isolated from production environments.

Physical security

All security classifications

  • The hosting facility has physical security controls such as badge readers or lock and key.
  • Backup media are stored in a physically secure location in a different building from the hosting facility.
  • No network jacks for the network servicing the secure hosting facility are publicly accessible.

Confidential information

  • A procedure is in place to help all personnel distinguish between employees, visitors, and students.
  • The hosting facility is monitored using devices such as motion detectors and video cameras.
  • Electronic media is destroyed in accordance with electronic media disposal guidelines.

Restricted information

  • Where standard RFID readers and tokens are used, two-factor authentication (token+PIN) is needed to gain access to the hosting facility.

Network security

All security classifications

  • Domain Name System (DNS) records must be kept current, including contact information.

Restricted information

  • The network servicing the secure hosting facility is isolated from other networks using a stateful firewall. The stateful firewall restricts inbound and outbound traffic to that which is necessary.
  • Network security controls must be in place to prevent direct access, to and from untrusted networks, to information held on a file or database server.

System security

All security classifications

  • The default administrative (superuser) account has a strong password or is disabled.
  • Login accounts have strong passwords.
  • All remote administrative access is encrypted.
  • All interactive logins to the system are logged.
  • The network services provided by the host are limited to those required. This is accomplished by a combination of disabling unneeded services and host-based network access controls.
  • The host is running an operating system version actively supported by the operating system's vendor.
  • A patch management strategy is in place. Critical security patches are installed as soon as possible.
  • A backup strategy is in place.

Confidential information

  • Installed software is limited to what is needed.
  • Active processes are limited to those that are needed.
  • The system clock is synchronized with a trusted time source.
  • System logs are sent to a remote log server, and the logs are reviewed regularly.

Restricted information

  • No server provides more than one of the following functions: Administration, Teaching, Research.
  • Direct interactive access, from networks outside of the secure hosting environment, to shared/system/application accounts is prohibited.

Database security

A Database normally means 'RDBMS server', but also includes other database systems, such as LDAP servers and certificate servers.

All security classifications

  • The database software runs with reduced privileges on the system.
  • Database users/roles with superuser privileges have a strong password set.
  • Access controls on the database schema are restricted to those users/roles that need access.
  • The database user/role used by the application is granted only the database privileges necessary for the application to function.
  • A backup strategy is in place.

Confidential information

  • The database logs errors to a remote log server, and the logs are reviewed regularly.

Application server security

Application Server means any software system that provides a service over the network. This typically means web and email servers, but could include others.

All security classifications

  • Weak encryption ciphers are disabled.
  • Unnecessary modules/plugins are disabled.
  • SSL version 2 is disabled.
  • The SSL/TLS certificate used by the web server for the application is approved by Information Systems & Technology (IST).
  • Error handling is set up so that the names of internal database objects are not revealed to the end user.
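The two items above that are most often configured wrongly are the protocol/cipher settings and the error path. The following is an added example (not from this page or from IST): a Python server-side TLS context that refuses SSLv2, SSLv3, TLS 1.0 and 1.1 and offers only forward-secret AEAD suites, with an audit function to confirm what it would negotiate, plus an error handler that logs the full exception server-side and returns only an opaque message and a correlation id to the user. The function names, the cipher string and the regex for database-object names are this example's own choices.

```python
"""Added example (not from the University of Waterloo page): a server-side TLS
context that satisfies the 'SSL version 2 is disabled' and 'weak encryption
ciphers are disabled' items, and an error handler that keeps internal database
object names out of what the end user sees. Function names and the cipher
string are this example's own choices."""
import logging
import re
import ssl
import uuid

log = logging.getLogger("app-server")

# Cipher-name fragments that indicate a suite we never want negotiated
# (NULL encryption, export grade, RC4, 3DES, MD5-based, anonymous or PSK).
WEAK_CIPHER_MARKERS = ("NULL", "EXP", "RC4", "DES", "MD5", "ADH", "AECDH", "PSK")


def hardened_tls_context(certfile=None, keyfile=None):
    """Build a context that refuses SSLv2/SSLv3/TLS 1.0/1.1 and offers only
    forward-secret AEAD suites. Pass certfile/keyfile to load the IST-approved
    certificate and its private key."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # Protocol floor: everything below TLS 1.2 (including SSLv2) is rejected
    # at the handshake. This replaces the legacy OP_NO_SSLv2/OP_NO_SSLv3 flags.
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    # OpenSSL cipher string: ECDHE key exchange with AES-GCM or ChaCha20 only;
    # the '!' entries explicitly exclude the weak families.
    ctx.set_ciphers(
        "ECDHE+AESGCM:ECDHE+CHACHA20:!aNULL:!eNULL:!EXPORT:!RC4:!3DES:!MD5:!PSK:!SRP")
    if certfile:
        ctx.load_cert_chain(certfile, keyfile)
    return ctx


def tls_context_summary(ctx):
    """Report what the context would actually negotiate, for an audit check."""
    ciphers = ctx.get_ciphers()
    weak = [c["name"] for c in ciphers
            if any(m in c["name"].upper() for m in WEAK_CIPHER_MARKERS)]
    return {
        "minimum_version": ctx.minimum_version.name,
        "cipher_count": len(ciphers),
        "weak_ciphers": weak,
    }


# Error-message shapes in which database engines name internal objects.
DB_OBJECT_RE = re.compile(
    r"\b(relation|table|column|constraint|index|view|schema)\b\s+\"?[\w.]+\"?", re.I)


def leaks_db_objects(message):
    """True if a message names a database object, i.e. it must not reach the user."""
    return DB_OBJECT_RE.search(message) is not None


def user_facing_error(exc):
    """Log the full exception server-side; hand the user an opaque message plus
    a correlation id so support staff can find the matching log line."""
    ref = uuid.uuid4().hex[:12]
    log.error("ref=%s %s: %s", ref, type(exc).__name__, exc)
    return {"error": "The request could not be completed.", "reference": ref}


if __name__ == "__main__":
    print(tls_context_summary(hardened_tls_context()))
    print(user_facing_error(RuntimeError('column "ssn" does not exist')))
```

The minimum_version floor is what actually enforces the "SSL version 2 is disabled" item; the cipher string then prunes what remains, and tls_context_summary is the check to run in a deployment test so that a later library upgrade cannot quietly widen the negotiable set.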

Confidential information

  • If users are authenticated to the site, then passwords are not stored in clear-text.
  • The application logs to a remote log server. The logs are reviewed regularly.
  • Locally written applications are formally reviewed and tested before going into production.

Application security requirements

All security classifications

  • The application runs with the minimal system privileges necessary.
  • The application uses a trusted filesystem PATH.
  • The application validates the use of secure communications (SSL/TLS).
  • The application validates all user input to prevent injection and cross-site scripting.
  • The application manages sessions securely, through mechanisms such as session timeouts and logout functions.
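The input validation and session management items above are shown together in the following added example (not from this page or from IST). It keeps a deliberately unsafe lookup only to contrast it with the parameterised one, encodes output for the HTML context, and implements server-side sessions with an idle timeout and a logout that destroys server state rather than just the cookie. The in-memory SQLite table and its rows are constructed sample data, the userid pattern is an assumption, and all names are this example's own.

```python
"""Added example (not from the University of Waterloo page): the input
validation and session handling items, in one small module. It uses an
in-memory SQLite table with constructed sample rows; the 'unsafe' lookup is
kept only to contrast with the parameterised one. All names are this example's own."""
import html
import re
import secrets
import sqlite3
import time

# Accept only the shape of a login name (assumed: uwuserid-style, 1-32 word characters).
USERID_RE = re.compile(r"^[A-Za-z0-9_]{1,32}$")


def setup_db():
    """Constructed sample data, in memory."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (userid TEXT PRIMARY KEY, display_name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?)",
                     [("jsmith", "J. Smith"), ("admin", "Site <Admin>")])
    return conn


def validate_userid(userid):
    return bool(USERID_RE.match(userid))


def lookup_user_unsafe(conn, userid):
    """Vulnerable pattern (do not use): user input spliced into the SQL text."""
    return conn.execute(
        "SELECT userid FROM users WHERE userid = '%s'" % userid).fetchall()


def lookup_user(conn, userid):
    """Hardened: validate the shape, then bind the value so it is never parsed as SQL."""
    if not validate_userid(userid):
        return []
    return conn.execute(
        "SELECT userid FROM users WHERE userid = ?", (userid,)).fetchall()


def render_greeting(display_name):
    """Output encoding for the HTML context stops stored XSS via display names."""
    return "<p>Hello, %s</p>" % html.escape(display_name, quote=True)


class SessionStore:
    """Server-side sessions with an idle timeout and explicit logout.
    'clock' is injectable so the expiry path can be exercised without sleeping."""

    def __init__(self, idle_timeout=900, clock=time.monotonic):
        self._sessions = {}
        self.idle_timeout = idle_timeout
        self.clock = clock

    def create(self, userid):
        # 256-bit random id; the browser only ever holds this opaque token.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"userid": userid, "last_seen": self.clock()}
        return sid

    def user_for(self, sid):
        """Return the owner of a live session, expiring it if idle for too long."""
        entry = self._sessions.get(sid)
        if entry is None:
            return None
        now = self.clock()
        if now - entry["last_seen"] > self.idle_timeout:
            del self._sessions[sid]
            return None
        entry["last_seen"] = now
        return entry["userid"]

    def logout(self, sid):
        """Invalidate the server-side state, not just the client's cookie."""
        self._sessions.pop(sid, None)


if __name__ == "__main__":
    conn = setup_db()
    print(lookup_user(conn, "jsmith"))
    print(render_greeting("Site <Admin>"))
    store = SessionStore(idle_timeout=900)
    sid = store.create("jsmith")
    print(store.user_for(sid))
    store.logout(sid)
    print(store.user_for(sid))
```

Validation and parameter binding are independent layers: the shape check rejects obviously malformed input early, and the bound parameter guarantees that whatever passes cannot change the query's structure. The injectable clock in SessionStore is there so the timeout branch is covered by a test rather than trusted.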

 Jason Testart - 30 Sep 2011