|
|---|
| Table of Contents |
|---|
| outline | true |
|---|
| style | none |
|---|
| type | list |
|---|
|
|
The University of California is committed to high standards of excellence for protection of information assets and information technology resources that support the University enterprise. The University processes, stores, and transmits an immense quantity of electronic information to conduct its academic and business functions. Without the implementation of appropriate controls and security measures, these assets are subject to potential damage or compromise to confidentiality or privacy, and the activities of the University are subject to interruption. Stewardship and Accountability
Everyone has a responsibility to protect information and individuals are held accountable.
Risk Management
Information must not be stored without understanding and formally mitigating or accepting the risk.
Business Ownership
Information security is owned by all levels of the organization, not just IT. Senior managers are involved in determining and accepting information security risk. Defense In Depth
Where one control would be reasonable, more controls that approach risks in different fashions are better. Controls, when used in depth, can make severe vulnerabilities extraordinarily difficult to exploit and thus unlikely to occur A system should employ multiple levels of defence such that a single breach of one sub-system does not expose the entire system directly to an attacker.
Least Privilege Access
The principle of least privilege recommends that accounts have the least amount of privilege required to perform their business processes.
Segmentation
Areas of risk must be separated by strongly defined and protected technical, logical, and physical segmentation and compartmentalization.
Segregation of Duties
A key control is separation of duties. Certain roles have different levels of trust than normal users. In particular, administrators are different to normal users A user, system or process should only be granted the minimum set of privileges they require to perform their designated job.
Segmentation
Sub-systems should be partitioned logically and isolated using physical devices and/or security controls
Segregation of Duties
No single individual should have the power to effect change of a critical control process, system or transaction. In general, administrators should not be users of the application.
Accountability
All actions exceeding a specified risk threshold should be undeniably traceable to an initiating user, process or system.
Do Not Trust Services
Many departments utilize the processing capabilities of third party partners, who more than likely have differing security policies and posture than you. Therefore, implicit trust of externally run systems is not warranted. All external systems should be treated in a similar fashion.
Simplicity
Attack surface area and simplicity go hand in hand. System administrators, developers, and IT staff should avoid the use of complex architectures when a simpler approach would be faster and simpler.
Systems or sub-systems outside the bounds of a secure environment must never be trusted implicitly
Simplicity
Minimise the complexity and therefore potential points of failure, security breaches and obscurity of the system
Reuse
Existing security controls should be given preference over custom solutions
Secure Default
The default settings for each component or sub-system should be the most secure settings
Information Security decision making is guided by documented policies.
See more: Information Security and Privacy Policies
Information Security roles must be formally defined and individuals must be assigned to fulfill those roles.
See more: Roles and Responsibilities
Data must be formally inventoried and assigned a risk classification.
See more: Data Classification
The critical component to implenting information security is performing risk assessment on all information and infrastructure assets.
See more: Risk Management
Each risk classification has a baseline of controls for risk mitigation. These controls must be modified based on individual system risks.
See more: Information Security Controls |