Good afternoon, all.

 

As promised, I am trying to keep everyone informed of policy updates, so this month I would like to talk about two of those policies. The updates are listed as sub-bullet points, where necessary.

 

First, UTIA IT0132 - Identification and Authentication Policy​ was updated in February. This policy covers how the Institute manages user access and authentication for all Institute-owned IT assets (“IT assets” for the remainder of this email). Here are the main points to remember:

  • This policy applies to all who use our IT assets.
  • Added contractors and visiting researchers to the scope.
  • IT assets must be protected from unauthorized used, which could lead to the modification, disclosure, or destruction of the asset and data contained on that asset.
  • Having a unique login is necessary for each IT asset.
  • Access to IT assets is authorized based on the principle of least privilege, or having only the access needed to perform your job duties.
  • It is preferred that you always use the OIT-assigned NetID when using IT assets, but is required when accessing IT assets classified as moderate, high, or business critical.
  • Access to IT assets will be disabled immediately upon termination, transfer, or change in job duties.
  • Added to “immediately notify” when these things occur.
  • Strong passwords must be used and must never be shared.
  • Updated the complexity requirements for passwords based on OIT’s requirement changes with 2FA.

 

Next UTIA IT01xx - Media Protection Policy was updated in May. This policy discusses repurposing and destruction of media, including special instructions for media with sensitive data, for securing the confidentiality of the Institute’s data from unauthorized access and disclosure throughout the lifetime of the media. The key points are:

  • The policy applies to using, protecting, and sanitizing media.
  • Added “using” under the objective.
  • Users of any IT asset must use individual login accounts.
  • Users must be given access based on a need-to-know basis.
  • No group access will be allowed without prior approval.
  • Data stored on IT assets must be properly backed up.
  • Computers that are repurposed and given from one user to another must be wiped and reimaged with a clean copy of the Operating System.
  • Changed contact for this from “appropriate IT representative” to “OIT HelpDesk.”
  • Any computer being removed from usage must have any software licensed on the old computer transferred to the new computer.
  • For IT assets going to Surplus, have the drive wiped so it will be cleared of all Institute data prior to Surplus reselling the computer.
  • If any IT asset’s drive must be destroyed, notify Surplus on the appropriate form and the drive will be irrevocably destroyed.
  • Destroy all paper media after the appropriate retention period has expired.
  • The Institute restricts the use of personally-owned IT assets for accessing sensitive data on any Institute-owned IT asset classified as moderate, high, or business critical.
  • Added this under the “Media Use” control.

 

You have probably noticed some similarities in these two policies. NIST 800-53 lists the controls to be used in our policies, since we use their framework. The overlapping controls do help, especially when it comes to remembering even the most basic of the controls.

 

If you have any questions about these policies, or any of our other IT Security policies or procedures, please contact me any time.

 

Thank you for all you do!

 

Sandy