This table outlines security requirements and recommendations for hosting University of Waterloo data with respect to the security classifications outlined in Policy 46.
- General security
- Physical security
- Network security
- System security
- Database security
- Application server security
- Application security requirements
General security
All security classifications
- All users are assigned a unique ID. The uwuserid is used unless it is technically prohibitive to do so.
- A password, passphrase, token, or asymmetric encryption key is used to authenticate users.
- The University password policy is followed.
Confidential information
- Audit trails are maintained so that individual accountability can be established.
- A change management process is in place for all components of the secure hosting facility.
- Development/Testing environments are used, and isolated from production environments.
Physical security
All security classifications
- The hosting facility has physical security controls such as badge readers or lock and key.
- Backup media is stored in a physically secure location which is in a different building from where the hosting facility is located.
- No network jacks for the network servicing the secure hosting facility are publicly accessible.
Confidential information
- A procedure is in place to help all personnel distinguish between employees, visitors, and students.
- The hosting facility is monitored using devices such as motion detectors and video cameras.
- Electronic media is destroyed in accordance with electronic media disposal guidelines.
Restricted information
- Where standard RFID readers and tokens are used, two-factor authentication (token+PIN) is needed to gain access to the hosting facility.
Network security
All security classifications
- Domain Name System (DNS) records must be kept current; this includes contact information.
Restricted information
- The network servicing the secure hosting facility is isolated from other networks using a stateful firewall. The stateful firewall restricts inbound and outbound traffic to that which is necessary.
- Network security controls must be in place to prevent direct access, from untrusted networks, to information held on a file or database server, and to prevent those servers from directly reaching untrusted networks.
System security
All security classifications
- The default administrative (superuser) account has a strong password or is disabled.
- Login accounts have strong passwords.
- All remote administrative access is encrypted.
- All interactive logins to the system are logged.
- The network services provided by the host are limited to those required. This is accomplished by a combination of disabling unneeded services and host-based network access controls.
- The host is running an operating system version actively supported by the operating system's vendor.
- A patch management strategy is in place. Critical security patches are installed as soon as possible.
- A backup strategy is in place.
Confidential information
- Installed software is limited to what is needed.
- Active processes are limited to those that are needed.
- The system clock is synchronized with a trusted time source.
- System logs are sent to a remote log server, and the logs are reviewed regularly.
Restricted information
- No server provides more than one of the following functions: Administration, Teaching, Research.
- Direct interactive access, from networks outside of the secure hosting environment, to shared/system/application accounts is prohibited.
Database security
A Database normally means 'RDBMS server', but also includes other database systems, such as LDAP servers and certificate servers.
All security classifications
- The database software runs with reduced privileges on the system.
- Database users/roles with superuser privileges have a strong password set.
- Access controls on the database schema are restricted to those users/roles that need access.
- The database user/role used by the application is granted only the database privileges necessary for the application to function.
- A backup strategy is in place.
Confidential information
- The database logs errors to a remote log server, and the logs are reviewed regularly.
Application server security
Application Server means any software system that provides a service over the network. This typically means web and email servers, but could include others.
All security classifications
- Weak encryption ciphers are disabled.
- Unnecessary modules/plugins are disabled.
- SSL version 2 is disabled.
- The SSL/TLS certificate used by the web server for the application is approved by Information Systems & Technology (IST).
- Error handling is set up so that the names of internal database objects are not revealed to the end user.
Confidential information
- If users are authenticated to the site, then passwords are not stored in clear text.
- The application logs to a remote log server. The logs are reviewed regularly.
- Locally written applications are formally reviewed and tested before going into production.
Application security requirements
All security classifications
- The application runs with the minimal system privileges necessary.
- The application uses a trusted filesystem PATH.
- The application validates the use of secure communications (SSL/TLS).
- The application validates all user input, to prevent injection and cross-site scripting.
- The application manages sessions securely, through mechanisms such as session timeouts and logout functions.
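As an added illustration of four of the items above (input validation against injection and cross-site scripting, error handling that does not reveal internal database object names, and session timeouts), the following is example code written for this page, not University of Waterloo code. The table name, column names, sample row and the 15-minute timeout are assumptions; an in-memory SQLite database stands in for the application's RDBMS.

```python
import html
import logging
import sqlite3
import time
from typing import Optional, Tuple

# Constructed in-memory database standing in for the application's RDBMS.
conn = sqlite3.connect(":memory:")
conn.execute("CREATE TABLE student_record (uwuserid TEXT PRIMARY KEY, note TEXT)")
conn.execute(
    "INSERT INTO student_record VALUES ('jdoe', 'Constructed note with <b>markup</b>')"
)

# In production this logger would forward to the remote log server.
log = logging.getLogger("hosted_app")

SESSION_TIMEOUT = 900  # assumed: 15 minutes of inactivity ends a session


def lookup_note(userid: str) -> str:
    """Return a user's note as HTML-safe text.

    The uwuserid is bound as a query parameter, never spliced into the SQL
    string, so user input cannot alter the statement (injection). The value
    read back is HTML-escaped before it reaches a page (cross-site scripting).
    """
    row = conn.execute(
        "SELECT note FROM student_record WHERE uwuserid = ?", (userid,)
    ).fetchone()
    return html.escape(row[0]) if row else ""


def handle_request(userid: str) -> Tuple[int, str]:
    """Map any database failure to a generic message for the end user.

    The raw exception text (which can name tables or columns) is written
    only to the log, so internal database object names are not revealed.
    """
    try:
        return 200, lookup_note(userid)
    except sqlite3.Error as exc:
        log.error("database error serving %r: %s", userid, exc)
        return 500, "An internal error occurred. Please try again later."


def session_valid(last_activity: float, now: Optional[float] = None) -> bool:
    """Session timeout: a session idle for SESSION_TIMEOUT seconds is invalid."""
    now = time.time() if now is None else now
    return (now - last_activity) < SESSION_TIMEOUT
```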
Jason Testart - 30 Sep 2011