Arizona Research Labs Security Standards for Networked Devices

 

1. Overview

The use of networked devices has become a part of everyday life within the University of Arizona, and the sharing of sensitive data has become commonplace. Securing these devices is necessary to ensure the confidentiality, integrity, and availability of university resources. As users of these devices, it is important for each one of us to understand and contribute to the overall security of the University of Arizona network. For clarification regarding any of these standards, please contact ARL support staff (http://support.arl.arizona.edu/).

2. Purpose

The following minimum standards were developed to help Arizona Research Labs affiliates secure, manage, and maintain university-networked devices. Divisions and individuals are encouraged to maintain stricter limits where practical or required. These standards should not be used to reduce the level of security that may already exist.

3. Scope

These security standards apply to all devices connected to the university network or using an arizona.edu domain or IP address for the origination of electronic communications traffic. Devices may include computers, printers, or network appliances. This also includes devices situated behind firewalls or NAT devices that are connected to the university network or are using a VPN.

4. Standards

4.1. Software patch updates

All networked devices must have all patches installed that address security vulnerabilities as soon as possible; waiting for breaks in the academic schedule is not appropriate. Exceptions may be made for patches that compromise the usability of critical applications. Computer overseers are responsible for creating and enforcing procedures that ensure operating systems are kept current.

4.2. Anti-virus software

All computers connected to the university network must have anti-virus software installed and running, and must check for updates at least daily. The minimum standard for anti-virus software is to meet or exceed the effectiveness of software site-licensed by the university. Network devices found to have transmitted a virus are subject to removal from the network. Computer overseers are responsible for creating and enforcing procedures that ensure anti-virus software is run at regular intervals and computers are verified to be clean.

4.3. Host-based firewall software

The university site-licensed host-based firewall, or equivalent measures, must be used to protect any computer that is capable of running said software. Overseers of all other systems are encouraged to seek out and follow the advice of ARL support staff regarding the use of host-based firewalls.

4.4. Passwords

All networked devices with access to university resources shall require passwords or another secure authentication system (e.g. biometrics, Smart Cards). This standard applies to all Arizona Research Labs affiliates, including contractors, vendors and visiting scholars, with access to those resources. Arizona Research Labs account owners have a responsibility to construct, secure, and maintain their passwords. All university-affiliated passwords shall meet or exceed the requirements specified by the campus Center for Computing and Information Technology (CCIT). Guidelines on how to construct a "safe" password can be found on the campus Information Security and Privacy website.

Password "cracking" tools may be employed by ARL support staff on a periodic basis to ensure compliance.

A handy tool for generating passwords can be found here (use the "Word-like" option for easier-to-remember passwords).

4.5. Account Management

All networked devices with access to Arizona Research Labs resources shall implement the following account management practices where possible:

4.6. Encrypted authentication

All network devices should use only encrypted authentication mechanisms. In particular, historically insecure services such as Telnet and FTP should be replaced by their encrypted equivalents (e.g. SSH, SFTP, SCP).

4.7. Session Controls

Where possible and appropriate, devices must be configured to "lock" or logoff and require a user to re-authenticate if left unattended. The following time limits are recommended maximums:

* At divisional discretion

4.8. Physical security

Mission-critical systems and regulatory-protected data must be located in a locked location accessible only to authorized personnel.

4.9. Services and Protocols

Services or protocols which are not necessary to the operation of a device should be disabled or removed. Assistance identifying services running on a device may be obtained by contacting ARL Support staff (http://support.arl.arizona.edu/) or the University of Arizona SIRT (https://www.sirt.arizona.edu/).

5. Recourse for Non-Compliance

Compromised network devices will be disconnected from the network. Action may be taken to restrict or remove network access of vulnerable devices if such action is determined to be in the best interests of Arizona Research Labs. For assistance in resolving compromises or vulnerabilities, contact ARL Support staff, SIRT, or other technical support.

6. Related Documents

Other Security Standards are available at

http://security.arizona.edu/

Guidelines, Policies and Procedures are available at

http://security.arizona.edu/policies-guidelines.html

 
