Applications Minimum Standards

Patching

Check with the National Vulnerability Database to determine the risk and proceed accordingly

low or medium or high risk

Vulnerability Scans

Scan applications monthly to check for issues and to classify the application, e.g. with Qualys.

low or medium or high risk

Secure Software Development

Include security as a design requirement. Review all code and correct identified security flaws prior to deployment, using tools such as Klocwork.

low or medium or high risk

Credentials access control

Audit existing accounts and privileges quarterly. Enforce password complexity and periodic password changes (at most every 6 months), with no reuse of any of the previous 5 passwords.

low or medium or high risk

Backup

Back up application data at least weekly. Encrypt backup data in transit and at rest.

medium or high risk

Authentication

Two-step authentication is required for all interactive user and administrator logins to Moderate and High Risk systems, e.g. Google Authenticator or a Yubico key.

medium or high risk

Centralized Logging

Forward logs to a remote log server. The University Systems service is recommended.

medium or high risk

Dedicated Admin Workstation

All administrative tasks are to be done from a privileged workstation dedicated to admin controls.

medium or high risk

Dedicated Admin Keys

Require a physical key to authenticate to systems with high risk such as financial information.

high risk

Endpoints Minimum Standards

Patching

All high severity patches are to be applied within seven days of publication and all other patches within 90 days. Patch severity follows the National Vulnerability Database ratings. This is required for endpoints of all risk levels.

low or medium or high risk

Whole Disk Encryption

Endpoints must be configured with whole disk encryption to prevent data theft through physical access to the device's storage hardware.

low or medium or high risk

Configuration Management

Install configuration management tools on the endpoint to apply patches and updates automatically.

low or medium or high risk

Inventory

Maintain a list of network and node configuration information. Review and update the records every quarter.

low or medium or high risk

Malware Protection

Install antivirus and anti-malware software on all endpoints, e.g. Malwarebytes or Avira.

low or medium or high risk

Backups

Back up user data daily. Encrypt backup data in transit and at rest.

low or medium or high risk

Dedicated Admin Machines

Admin accounts may only be used from dedicated machines reserved for admin tasks. This gives a degree of control over admin-related activity. It is mandatory for high-risk endpoints.

low or medium or high risk

Dedicated Admin Workstation

All administrative tasks are to be done from a privileged workstation dedicated to admin controls.

low or medium or high risk

Bluetooth

Require employees to disable Bluetooth on endpoints that have access to medium- or high-risk data.

medium or high risk

Servers Minimum Standards

Patching

Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within 7 days of publication and all other security patches within 90 days.

low or medium or high risk
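The patching rule above (and the equivalent rules in the Applications and Endpoints sections) turned into a check over patch records, as an added example that is not code from the project. It assumes the NVD CVSS v3 severity bands and reads "high severity" as a base score of 7.0 or above; the records and CVE ids are constructed placeholders.

```python
# Added example (not the page's code): checks patch records against the rule
# above. Assumes the NVD CVSS v3 bands (Low <4.0, Medium <7.0, High <9.0,
# Critical >=9.0) and reads "high severity" as a base score of 7.0 or more.
from datetime import date, timedelta

HIGH_SEVERITY_DAYS = 7     # High/Critical: patch within 7 days of publication
OTHER_SEVERITY_DAYS = 90   # everything else: within 90 days

def nvd_severity(base_score: float) -> str:
    """Map a CVSS v3 base score to the NVD qualitative severity band."""
    if not 0.0 <= base_score <= 10.0:
        raise ValueError(f"CVSS base score out of range: {base_score}")
    if base_score == 0.0:
        return "None"
    if base_score < 4.0:
        return "Low"
    if base_score < 7.0:
        return "Medium"
    if base_score < 9.0:
        return "High"
    return "Critical"

def patch_deadline(published: str, base_score: float) -> str:
    """Deadline (ISO date) per the rule: 7 days if High/Critical, else 90 days."""
    days = HIGH_SEVERITY_DAYS if base_score >= 7.0 else OTHER_SEVERITY_DAYS
    return (date.fromisoformat(published) + timedelta(days=days)).isoformat()

def overdue_patches(records, today: str):
    """Return (cve, severity, deadline, days_overdue) for unapplied patches past deadline."""
    # record: {'cve', 'score', 'published': ISO date, 'applied': ISO date or None}
    now = date.fromisoformat(today)
    late = []
    for r in records:
        deadline = patch_deadline(r["published"], r["score"])
        lag = (now - date.fromisoformat(deadline)).days
        if r["applied"] is None and lag > 0:
            late.append((r["cve"], nvd_severity(r["score"]), deadline, lag))
    return late

# Constructed sample records; the CVE ids are placeholders, not real advisories.
SAMPLE_RECORDS = [
    {"cve": "CVE-0000-0001", "score": 9.8, "published": "2018-04-01", "applied": None},
    {"cve": "CVE-0000-0002", "score": 5.3, "published": "2018-04-01", "applied": None},
    {"cve": "CVE-0000-0003", "score": 7.5, "published": "2018-04-01", "applied": "2018-04-05"},
]

if __name__ == "__main__":
    for row in overdue_patches(SAMPLE_RECORDS, "2018-04-15"):
        print(row)
```

Run against an export from the vulnerability scanner or ticket system, the output is the list of patches that already breach the 7-day or 90-day window.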

Vulnerability Scans

Perform monthly scan via Acunetix Web Vulnerability Scanner and Burp Suite. Remediate high severity within 7 days of discovery.

low or medium or high risk

Backups

Maintain a backup service through the Tivoli Storage Manager (TSM) system 24 hours a day, 365 days a year. Encrypt backup data in transit and at rest.

low or medium or high risk

Firewall

Enable the host-based Symantec Endpoint Protection (SEP) firewall and permit only the minimum necessary services.

low or medium or high risk

Authentication

Require two factor or multi-factor authentication for interactive user and administrative banner logins.

medium or high risk

Centralized Logging

Forward logs to a remote log server. University System service recommended.

low or medium or high risk

Sysadmin training

Attend at least one University of Victoria Information Security Advanced Workshop training course semi-annually.

medium or high risk

Regulated data controls

Implement PCI DSS, PIPEDA, FIPPA, and other security controls as applicable.

high risk

Speed up risk classification: Is it low, medium or high risk?

Use a supervised machine learning model to find out. In particular, a multiclass neural network can be trained to determine the probability that a given piece of data or service or unit is low, medium, or high risk. This is not meant to replace human judgement but to enhance it.

One such model is described in Fig. 1 below. Whether something is high or low or medium risk depends largely on the department that deals with it, whether there is more than one department involved, whether its disclosure would impact the organization in a negative manner, and so on. This information can be used to predict the probability that a given piece of data or service or unit is low, medium, or high risk.



Speed up incident response: Is it a security incident or just an event?

Use a supervised machine learning model to find out. In particular, a binary linear classifier can be trained to determine the probability that a given event is an incident. This is not meant to replace human judgement but to enhance it.

This is better than having a database of incidents because, as that database keeps growing, so would the computational cost of traversing it, and time gets wasted. A pretrained machine learning model produces a result instantaneously.
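The supervised classifier proposed in this section and in the risk classification section above, as an added example that is not the project's model: a softmax (multinomial logistic) regression trained by gradient descent on the feature types the text names (department, whether more than one department is involved, disclosure impact). The department list, the class labels and the training rows are constructed; with two entries in CLASSES the same code is the binary incident-or-event classifier.

```python
# Added example (not the project's model): softmax regression trained by batch
# gradient descent on the feature types the text names; all data is constructed.
import math

DEPARTMENTS = ["finance", "hr", "research", "library"]  # assumed department list
CLASSES = ["low", "medium", "high"]  # with two classes this is the incident/event case

def featurize(item):
    # item: {'dept': str, 'multi_dept': bool, 'impact': 0 (none) .. 2 (severe)}
    dept = [1.0 if item["dept"] == d else 0.0 for d in DEPARTMENTS]
    return dept + [1.0 if item["multi_dept"] else 0.0, item["impact"] / 2.0, 1.0]  # 1.0 = bias

def predict_proba(w, x):
    """w holds one weight vector per class; returns softmax class probabilities."""
    z = [sum(wi * xi for wi, xi in zip(wc, x)) for wc in w]
    m = max(z)  # subtract the max so exp() cannot overflow
    e = [math.exp(v - m) for v in z]
    return [v / sum(e) for v in e]

def train(pairs, epochs=500, lr=0.5):
    """Minimise cross-entropy over (item, label) pairs; returns the weights."""
    xs = [featurize(item) for item, _ in pairs]
    ys = [CLASSES.index(label) for _, label in pairs]
    w = [[0.0] * len(xs[0]) for _ in CLASSES]
    for _ in range(epochs):
        grad = [[0.0] * len(xs[0]) for _ in CLASSES]
        for x, y in zip(xs, ys):
            p = predict_proba(w, x)
            for c in range(len(CLASSES)):
                err = p[c] - (1.0 if c == y else 0.0)  # dL/dz_c for one row
                for j, xj in enumerate(x):
                    grad[c][j] += err * xj
        for c in range(len(CLASSES)):
            w[c] = [wj - lr * g / len(xs) for wj, g in zip(w[c], grad[c])]
    return w

def classify(item, w):
    p = predict_proba(w, featurize(item))  # (most likely class, probabilities)
    return CLASSES[p.index(max(p))], p

# Constructed training set: items a reviewer has already classified by hand.
TRAIN = [
    ({"dept": "finance", "multi_dept": True, "impact": 2}, "high"),
    ({"dept": "finance", "multi_dept": False, "impact": 2}, "high"),
    ({"dept": "hr", "multi_dept": True, "impact": 1}, "medium"),
    ({"dept": "research", "multi_dept": True, "impact": 1}, "medium"),
    ({"dept": "library", "multi_dept": False, "impact": 0}, "low"),
    ({"dept": "research", "multi_dept": False, "impact": 0}, "low"),
]
MODEL = train(TRAIN)
```

The probabilities returned by classify are what a reviewer would see beside an item; a low top probability is the signal to fall back on human judgement rather than accept the label.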



About Our Team and Project

About Us

We are a team of information security professionals currently working on completing our Master of Engineering in Information Security and Telecommunications. This is our proposal for minimum security standards for the University of Victoria. We all contributed equally to this project. We all like Indian cuisine even though not all of us are from India. Below is a selfie of us arranged in alphabetical order without actually trying to accomplish this because we're that cool. From left to right: Alice Irankunda, Aman Kaur, Ishu Tiwari, Marina Danchovsky Ibrishimova, Raghav Aridhasan.

Overall Recommendations

1. Create fun posters and workshops, and involve multidisciplinary UVic students.

2. Reduce data risk classification from 4 to 3 simple categories: Low, Medium, High.

3. Create a machine learning model for data risk classification.

4. Get a third party to assess the current situation.

5. Replace library desks with ones that allow for more privacy.

6. Require a physical key to authenticate to systems with high-risk data.

7. Create a minimum standards website that is easily accessible and interactive for quick reference.
