System Security

RATIONALE

System security encompasses all facets of accessing information assets.  From authentication, to software updates, anti-virus protection, and modifications - security is a key component to a device operating at its optimum.  These best practices help to mitigate various security concerns.

Best Practice:  Use Change Management Procedures
When changes are to be made to a system, it is a best practice to utilize change management methodologies to help eliminate unexpected issues.  Utilize a test system with an identical setup to the production system to test changes before implementing them in the production system.  This can apply to system updates (such as patches) or any system code or feature change.  Apply the updates to the test environment first, then test the system usage and, if all goes well, apply the updates to the production system.  This will allow the system administrator to estimate the downtime necessary for the system update and the steps needed to apply it, as well as identify any issues that might need to be mitigated before the change is implemented in production.

Best Practice:   Utilize system logs for audit trails
Knowing what changes are made to the university information assets, who made those changes, and when those changes were made are important steps in maintaining the confidentiality, integrity, and availability of the information assets.  To assist in this effort, an audit trail of system activity should be maintained for each system, for each type of user, including system administrators.  This information must be reviewed regularly. 

To help with log management, common security practices include the use of a log aggregation solution and deploying a security information and event management (SIEM) tool.  Aggregating all system logs into one solution and utilizing features such as monitoring and alerting for anomalies in the logs can help system administrators identify problems more quickly.

Best Practice:   Utilize data classification
Identifying the type of data collected, stored, and transmitted will help in identifying controls to be utilized to secure the information assets of an institution.  Some data must be classified as confidential due to federal regulations, while other data might be classified public or directory information.  Security controls utilized will be stronger for confidential data than those for public information.  Data classification can help institutions to prioritize security efforts.

Best Practice:  Vendors must follow the institution's policies and standards
There are times when an institution contracts with a third party or vendor to provide services to the university.  The vendor should hold to the same commitment to the security of the institution's information assets as the institution's employees.  The institution's commitment to the confidentiality, integrity, and accessibility of its information assets must extend to any and all information that a third party or vendor may access or manage.  Vendor agreements should be managed to include these standards.

Best Practice:   Implement and follow patch management strategy
All software requires regular maintenance to maintain its peak functionality.  As technology manufacturers are made aware of problem areas in their product(s), they release a patch, update, or service pack. These ‘patches’ can range from fixing simple cosmetic problems (low impact) to resolving an issue that would allow full control of the system from an unauthorized source (critical impact).  An institution should deploy a process for patch management on critical infrastructure and services.


UNL GUIDELINES
The University of Nebraska-Lincoln has several resources that support the use of these best practices:
UNL requires the use of the VPN before connecting to an office computer and some information systems.  For more information, check out Use VPN for Remote Desktop access.
UNL utilizes Splunk for log aggregation and SIEM.  For information about utilizing Splunk, contact the security office.
For UNL's data classification guidelines, go to UNL Data Classification.