ISO Secure Computing Guidelines

Security Guidelines

The Stanford Information Security Office (ISO) has compiled this guide to provide the university community with an overview of the practices that comprise an effective and appropriate security program for Administrative Systems and those other systems that process, store, or have access to Restricted data. If the systems that you are responsible for, design, administer, or use fall into these categories, please ensure that they comply with the following guidelines.

Data Flow and Architecture

  • Networks and applications should be documented, including diagrams indicating the data flow through the applications, e.g., what connections are initiated or accepted, what services are supported, what data is transferred, using which credentials, etc.

Build and Maintain a Secure Network

  • Firewalls should be used to protect the network and limit traffic to the minimum required to conduct business.
  • Egress and ingress filters should be installed on all border routers to prevent impersonation with spoofed IP addresses.
  • All routers, switches, wireless access points, and firewalls themselves should be secured and conform to documented security standards.
  • Web server front ends located on publicly reachable network segments should be separated from the internal network by a firewall.
  • Restricted information should be stored on hosts located on the internal network and protected by a firewall.
  • Changes to the firewall should require authorization and the changes should be logged.

Build and Maintain Secure Systems and Applications

  • Software and application development processes should be based on an industry best practice and have information security included throughout the software development life cycle (SDLC) process.
  • Development, testing, and production systems should be updated with the latest security-related patches released by the vendors.
  • A virus scanner should be installed and regularly updated on all machines.
  • The minimum services required to conduct business should be configured on all systems.
  • If production data is used for testing and development purposes, Restricted data should be sanitized before usage.
  • All changes to the production environment and applications should be formally authorized, planned, and logged before being implemented.
  • Guidelines commonly accepted by the security community (such as the Open Web Application Security Project) should be taken into account in the development of Web applications.
  • When authenticating over the Internet, the application should be designed to prevent malicious users from trying to determine existing user accounts.
  • Restricted data stored in cookies should be secured and encrypted.
  • Controls should be implemented on the server side to prevent SQL injection and other bypassing of client-side input controls.
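The two application-level points above (server-side controls against SQL injection, and a login that does not let a caller learn which accounts exist) can be shown together in a small login routine. The following is an added example, not code from the Stanford ISO guidelines: it uses an in-memory SQLite table with constructed user records, and the function names (build_db, find_user_unsafe, find_user_safe, login, demo) are this example's own. The unsafe lookup is included only to show why a bound parameter is required: a quote in an ordinary username reaches the SQL parser, which is exactly the defect injection relies on.

```python
import hashlib
import hmac
import os
import sqlite3

# Constructed demonstration user store (in-memory SQLite); not a real system.
def hash_password(password, salt):
    # Salted, iterated hash so stored credentials are not recoverable from the table.
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 100_000)

def build_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (username TEXT PRIMARY KEY, salt BLOB, pw_hash BLOB)")
    for user, password in (("alice", "correct horse battery"), ("bob", "tr0ub4dor&3-longer")):
        salt = os.urandom(16)
        conn.execute("INSERT INTO users VALUES (?, ?, ?)", (user, salt, hash_password(password, salt)))
    conn.commit()
    return conn

def find_user_unsafe(conn, username):
    # Defective form: the value is spliced into the SQL text, so any quote in it
    # is parsed as SQL. A legitimate name such as o'brien already breaks the query.
    sql = "SELECT username FROM users WHERE username = '%s'" % username
    return conn.execute(sql).fetchone()

def find_user_safe(conn, username):
    # Hardened form: a bound parameter is always treated as data, never as SQL.
    sql = "SELECT username, salt, pw_hash FROM users WHERE username = ?"
    return conn.execute(sql, (username,)).fetchone()

GENERIC_FAILURE = "Invalid username or password."

def login(conn, username, password):
    """Return (ok, message). The failure message and the work done are the same whether
    the account exists or not, so the login form cannot be used to enumerate accounts."""
    # Server-side validation runs regardless of what the client's form allowed.
    if not (1 <= len(username) <= 64 and username.isalnum()):
        return False, GENERIC_FAILURE
    row = find_user_safe(conn, username)
    if row is None:
        # Spend the same hashing cost for unknown accounts so timing does not leak existence.
        hash_password(password, b"\x00" * 16)
        return False, GENERIC_FAILURE
    _, salt, pw_hash = row
    if hmac.compare_digest(hash_password(password, salt), pw_hash):
        return True, "OK"
    return False, GENERIC_FAILURE

def demo():
    """Contrast the two lookups on the same input and exercise the login path."""
    conn = build_db()
    try:
        find_user_unsafe(conn, "o'brien")
        unsafe_parsed_input_as_sql = False
    except sqlite3.OperationalError:
        unsafe_parsed_input_as_sql = True
    return {
        "unsafe_parsed_input_as_sql": unsafe_parsed_input_as_sql,
        "safe_lookup": find_user_safe(conn, "o'brien"),
        "good_login": login(conn, "alice", "correct horse battery"),
        "bad_password": login(conn, "alice", "wrong"),
        "unknown_user": login(conn, "nobody", "wrong"),
    }

if __name__ == "__main__":
    for key, value in demo().items():
        print(key, "->", value)
```

Note that the validation step runs on the server even when the HTML form restricts the field, and that both failure branches return the identical GENERIC_FAILURE string and perform one password hash each.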

Do not use vendor-supplied defaults for system passwords and other security parameters

  • Each mobile computer with direct connectivity to the Internet should have a personal firewall, anti-virus software, and all current patches installed.
  • Review all vendor default security settings on production systems, and change, where necessary, to reflect University security policy.
  • Change or disable all vendor-supplied default accounts and passwords on production systems.
  • Change all wireless technology vendor default settings (e.g., WEP keys, SSIDs, passwords, SNMP community strings), and consider disabling SSID broadcasts.
  • If wireless technology is used, implement Wi-Fi Protected Access (WPA) technology for encryption and authentication.
  • Harden all production systems (servers and network components) by removing all unnecessary services and protocols installed by the default configuration.
  • Use secure, encrypted communications for remote administration of production systems and applications.

Protect stored data

  • Restricted data should be securely disposed of when no longer needed, in accordance with University record retention policy.
  • Do not use personally identifiable information (such as social security numbers) as a key in Stanford systems.
  • Restricted data stored in databases, logs, files, backup media, etc. should be stored securely, for example, by means of encryption, scrambling, or truncation.
  • Sensitive data (such as social security numbers) should be sanitized before being logged.
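The last point, sanitizing social security numbers before they are written to a log, is easiest to enforce centrally rather than at every call site. The block below is an added example and not part of the ISO guidelines: it installs a logging.Filter that rewrites each record's formatted message before any handler sees it, masking all but the last four digits so an entry can still be tied to a record. The logger name "sanitized-app" and the two regular expressions (hyphenated 123-45-6789 form, and a labelled unhyphenated "ssn=123456789" form) are this example's assumptions about what appears in the log text.

```python
import io
import logging
import re

# Patterns assumed for this example: the common hyphenated form, and a labelled
# nine-digit form such as "ssn=123456789" (unlabelled 9-digit runs are left alone
# because they collide with other identifiers).
SSN_RE = re.compile(r"\b(\d{3})-(\d{2})-(\d{4})\b")
LABELLED_SSN_RE = re.compile(r"(?i)\b(ssn\s*[=:]\s*)(\d{5})(\d{4})\b")

def redact(text):
    """Mask every SSN in text, keeping only the last four digits."""
    text = SSN_RE.sub(r"***-**-\3", text)
    return LABELLED_SSN_RE.sub(r"\1*****\3", text)

class SSNRedactingFilter(logging.Filter):
    """Rewrites the fully formatted message (msg % args) before handlers write it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()          # args are already merged; prevent a second formatting pass
        return True

def build_logger(stream):
    logger = logging.getLogger("sanitized-app")
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.INFO)
    handler = logging.StreamHandler(stream)
    handler.setFormatter(logging.Formatter("%(asctime)s %(levelname)s %(message)s"))
    logger.addHandler(handler)
    # Attached to the logger, so every handler added later is covered as well.
    logger.addFilter(SSNRedactingFilter())
    return logger

def log_and_capture(message, *args):
    """Log one message through the sanitizing logger and return what was written."""
    stream = io.StringIO()
    logger = build_logger(stream)
    logger.info(message, *args)
    return stream.getvalue()

if __name__ == "__main__":
    print(log_and_capture("lookup for %s (ssn %s)", "alice", "123-45-6789"), end="")
```

The filter is placed on the logger rather than on a single handler so that a file handler and a syslog handler added later both receive the sanitized text; anything logged through a different logger is not covered, which is the usual reason to route application logging through one configured logger.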

Encrypt transmission of sensitive information when it is transported over insecure networks

  • Transmissions of Restricted data should be encrypted over public networks through the use of 128-bit SSL or other industry acceptable methods.
  • Wireless communication should be encrypted using Wi-Fi Protected Access (WPA), VPN, or 128-bit SSL.

Implement Strong Access Control Measures

  • Access to Restricted data should be restricted to a need-to-know basis.
  • All users should be required to authenticate using, at a minimum, a unique username and password.
  • Any employees, administrators, or third parties accessing the network remotely via remote access software (such as PCAnywhere, dial-up, or VPN) should have that software configured with a unique username and password and ensure that encryption and other security features are turned on. Passwords on network devices and systems should be encrypted.
  • When an employee leaves the University, their employee user accounts and passwords should be immediately revoked. All user accounts should be reviewed on a regular basis to ensure that malicious, out-of-date, or unknown accounts do not exist.
  • Accounts that have not been used for a pre-defined period (inactive accounts) should be disabled automatically.
  • Accounts used by vendors for remote maintenance should be enabled only during the time needed.
  • Group, shared, or generic accounts and passwords are prohibited.
  • Strong passwords are required.
  • Password-based authentication should be protected from brute-force and dictionary attacks by mechanisms such as automatic account lockout and exponential backoff.
  • Physical access to computing facilities where Restricted data are processed should be protected by multiple physical security controls (such as badges, escorts, or mantraps) to prevent unauthorized individuals from gaining access.
  • Wireless access to Restricted data via access points, gateways, and handheld devices should be restricted.
  • Equipment (such as servers, workstations, laptops, and hard drives) and media containing Restricted data should be physically protected against unauthorized access.
  • Procedures should be in place to handle secure distribution and disposal of backup media (tapes, CDROMs) and other media ("retired" disk drives) containing Restricted data.
  • All media devices that store Restricted data should be inventoried and securely stored.
  • Restricted data should be deleted or destroyed before it is physically disposed of (for example, by shredding paper, or degaussing backup media, or physically destroying hard disks).
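The bullet on protecting password authentication against brute-force and dictionary attacks names two mechanisms, exponential backoff and automatic lockout. The class below is an added example of combining them, not code from the ISO guidelines: each failure for an account doubles the wait before the next attempt is accepted, and after a configurable number of failures the account is locked for a fixed period. Time is passed in explicitly so the behaviour is deterministic; the parameter values (1 s base delay, 300 s cap, lockout after 10 failures for 900 s) are illustrative assumptions, not values the guidelines prescribe.

```python
class LoginThrottle:
    """Per-account throttle: exponential backoff after each failed attempt, then a
    hard lockout. `now` is a timestamp in seconds supplied by the caller."""

    def __init__(self, base_delay=1.0, max_delay=300.0, lockout_after=10, lockout_seconds=900.0):
        self.base_delay = base_delay
        self.max_delay = max_delay
        self.lockout_after = lockout_after
        self.lockout_seconds = lockout_seconds
        self._state = {}   # account -> {"failures": int, "last": float}

    def seconds_until_allowed(self, account, now):
        """0.0 if an attempt may proceed now, otherwise the seconds still to wait."""
        state = self._state.get(account)
        if state is None:
            return 0.0
        if state["failures"] >= self.lockout_after:
            remaining = state["last"] + self.lockout_seconds - now
            if remaining > 0:
                return remaining
            del self._state[account]   # lockout expired: start from a clean slate
            return 0.0
        delay = min(self.max_delay, self.base_delay * 2 ** (state["failures"] - 1))
        return max(0.0, state["last"] + delay - now)

    def is_locked(self, account, now):
        state = self._state.get(account)
        return (state is not None
                and state["failures"] >= self.lockout_after
                and now < state["last"] + self.lockout_seconds)

    def record_failure(self, account, now):
        state = self._state.setdefault(account, {"failures": 0, "last": now})
        if state["failures"] >= self.lockout_after:
            return   # already locked: further attempts must not extend the lockout
        state["failures"] += 1
        state["last"] = now

    def record_success(self, account):
        self._state.pop(account, None)

    def attempt(self, account, now, password_ok):
        """Gate one attempt: refuse while throttled, otherwise record the outcome."""
        wait = self.seconds_until_allowed(account, now)
        if wait > 0:
            return False, wait
        if password_ok:
            self.record_success(account)
            return True, 0.0
        self.record_failure(account, now)
        return False, self.seconds_until_allowed(account, now)

if __name__ == "__main__":
    throttle = LoginThrottle()
    for second in range(4):
        print(second, throttle.attempt("alice", float(second), password_ok=False))
```

Two design points worth noting: a failed attempt that arrives while the account is already locked does not push the lockout end further out, since otherwise an attacker could keep a legitimate user locked out indefinitely, and the throttle is keyed per account, so a deployment would normally add a second instance keyed per source address.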

Regularly Monitor and Test Networks, Systems, and Applications

  • Track and monitor all access to network resources and Restricted data.
  • All access to Restricted systems, including root/administration access, should be logged.
  • Access control logs should contain successful and unsuccessful login attempts and access to audit logs.
  • All critical system clocks and times should be synchronized, and logs should include date and time stamp.
  • Firewalls, routers, wireless access points, and authentication server logs should be monitored for unauthorized activity.
  • Audit logs should be regularly backed up, secured, and retained for the amount of time consistent with University records retention policy for Restricted data.
  • A vulnerability scan or penetration test should be performed on all Internet-facing applications and systems before they go into production and periodically thereafter.
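The monitoring points in this section (log privileged access, record failed and successful logins with timestamps, watch authentication logs for unauthorized activity) only pay off if something reads the logs. The block below is an added example, not part of the ISO guidelines, of the simplest such reader: it parses sshd-style authentication lines, flags any source address that produces a threshold number of failures inside a time window, and lists successful logins to privileged accounts for review. The log lines are constructed for this example, the sshd message format is assumed, and the thresholds (5 failures in 60 seconds) are illustrative.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log (synthetic; not from any real host). Timestamps are ISO-8601 UTC,
# which is what the clock-synchronization point in the guideline makes possible.
SAMPLE_LOG = """\
2006-02-08T14:10:01Z host1 sshd[1022]: Failed password for alice from 10.0.0.5
2006-02-08T14:10:04Z host1 sshd[1022]: Failed password for alice from 10.0.0.5
2006-02-08T14:10:07Z host1 sshd[1023]: Failed password for invalid user test from 10.0.0.5
2006-02-08T14:10:11Z host1 sshd[1024]: Failed password for invalid user admin from 10.0.0.5
2006-02-08T14:10:15Z host1 sshd[1025]: Failed password for bob from 10.0.0.5
2006-02-08T14:10:20Z host1 sshd[1026]: Failed password for bob from 10.0.0.5
2006-02-08T14:11:02Z host1 sshd[1030]: Failed password for carol from 10.0.0.7
2006-02-08T14:11:40Z host1 sshd[1031]: Accepted password for carol from 10.0.0.7
2006-02-08T14:12:00Z host1 sshd[1050]: Accepted password for root from 10.0.0.9
"""

# Assumed line format: "<timestamp> <host> sshd[<pid>]: Accepted|Failed password for [invalid user] <user> from <src>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) \S+ sshd\[\d+\]: (?P<result>Accepted|Failed) password for "
    r"(?:invalid user )?(?P<user>\S+) from (?P<src>\S+)$"
)

def parse(lines):
    """Return (timestamp, result, user, src) tuples for every line that matches."""
    events = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue   # in production, count unparsed lines so gaps in coverage are visible
        ts = datetime.strptime(m["ts"], "%Y-%m-%dT%H:%M:%SZ")
        events.append((ts, m["result"], m["user"], m["src"]))
    return events

def analyze(log_text, threshold=5, window_seconds=60, privileged=("root", "admin")):
    """Return alerts: sources with `threshold` failures inside any window of
    `window_seconds`, and every successful login to a privileged account."""
    events = parse(log_text.splitlines())
    failures = defaultdict(list)
    alerts = {"brute_force": [], "privileged_logins": []}
    for ts, result, user, src in events:
        if result == "Failed":
            failures[src].append(ts)
        elif user in privileged:
            alerts["privileged_logins"].append((user, src, ts.isoformat()))
    for src, times in failures.items():
        times.sort()
        # Sliding window: do any `threshold` consecutive failures fall within the window?
        for i in range(len(times) - threshold + 1):
            span = (times[i + threshold - 1] - times[i]).total_seconds()
            if span <= window_seconds:
                alerts["brute_force"].append((src, len(times)))
                break
    return alerts

if __name__ == "__main__":
    for kind, items in analyze(SAMPLE_LOG).items():
        print(kind, items)
```

On the sample, 10.0.0.5 is reported (six failures in twenty seconds) while 10.0.0.7, whose one failure is followed by a success, is not; the root login from 10.0.0.9 is listed regardless of outcome so that a reviewer sees it.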

Maintain a policy that addresses information security

  • Policies for access control, application and system development, operations, and network and physical security should be formally documented and disseminated to all system owners, developers, implementors, administrators, and users (including vendors, contractors, and business partners).
  • System users should be required to sign an agreement verifying they have read and understood the security policies and procedures.
  • Security incidents involving Restricted data should be reported to the Information Security Office in accordance with Administrative Guide 67.
  • Wireless technology access to the network should be limited to authorized devices.

Need More Information?

Contact the Information Security Office regarding security issues with Stanford computers or network resources.

Last modified Wednesday, 08-Feb-2006 02:48:53 PM