PolyU Computer Systems Security Policy

(i) Physical Security

  • All equipment must be housed in a safe environment, fulfilling the site preparation requirements of the equipment vendor in respect of space, power, heat, floor loading and wiring. (Party responsible: all owners)
  • Access to the Central Computer Room, data communication rooms, safe store and backup media store should be confined to authorized staff who need to perform duties inside such areas. (Party responsible: ITS)
  • Computing equipment installed in open areas should be attended or attached to an immovable object. (Party responsible: all owners)
  • Electrical power protection equipment should be employed as appropriate to suppress surges and reduce static, and battery backup should be provided in the event of power failure to prevent data loss. (Party responsible: all owners)
  • No food, liquid or powdery material should be placed close to computing equipment. (Party responsible: all users)
  • The University's health and safety requirements should be observed. (Party responsible: all users)

(ii) Campus Network and Internet Security

  • Security procedures to provide adequate protection against intrusion into the University's computer systems should be implemented, maintained and followed. (Party responsible: ITS/all owners)
  • Network management and security monitoring activities should be conducted on a regular basis. Information such as network traffic and protocol data should be logged for detecting violations of the network security policy. Such information, however, should not be tapped for any other purpose. (Party responsible: ITS/all owners)
  • All security control mechanisms should be documented and regularly updated. (Party responsible: all owners)
  • Proper and necessary protection mechanisms, including firewalls and authentication processes, should be implemented for remote connections to safeguard the campus network from external attacks. (Party responsible: ITS/all owners)
  • Any computing equipment that is not the property of the University, and any external links, should not be connected to the campus network without the prior permission of ITS. (Party responsible: ITS/all users)
  • The "HARNET Acceptable Use Policy" (details available at http://www.jucc.edu.hk/jucc/haup.htm) should be observed by users of PolyU, which is a member of HARNET. Special attention is drawn to the policy that HARNET is not to be used for commercial purposes, such as marketing or business transactions between commercial organizations. (Party responsible: ITS/all users)

(iii) Operating System Security

  • Departments should maintain an up-to-date list of administrators responsible for computer security within their offices. (Party responsible: all owners)
  • Scanning programs should be employed by system administrators to detect security bugs. (Party responsible: all owners)
  • Passwords should be protected by an aging policy, and account owners should periodically change their passwords. (Party responsible: all users)
  • All computer accounts must be protected by passwords that are not easily guessed by others and that are changed periodically. (Party responsible: all users)
  • Personal accounts and passwords must not be transferred, disclosed or made available to other users. (Party responsible: all users)
  • Passwords should not be stored or transmitted in plain text form, or embedded in unsecured e-mail. (Party responsible: all users)
  • Users should notify the system administrator if a security violation or failure is discovered or detected. (Party responsible: all users)
  • Accounting, auditing and logging facilities should be adopted to provide cost-effective audit trails. (Party responsible: all owners)

(iv) Application System Security

  • The system owner must determine the security level required for the various kinds of data stored on the computer system, e.g. personal, departmental, confidential and mission-critical data. The required data security level must be maintained when data are transferred or copied to another system. (Party responsible: ITS/all owners)
  • Administrative rights must be assigned appropriately to authorized persons. Only authorized users are allowed to access the system and the data. (Party responsible: ITS/all owners)
  • Production data or files must only be used on production systems. (Party responsible: ITS/all owners)
  • Confidential data should be protected by passwords, which should be known only to authorized individuals. (Party responsible: ITS/all owners)
  • Passwords should be treated as highly confidential information. They should not be written down or shared with other users. Standards on password length, format and frequency of password change should be enforced. (Party responsible: ITS/all owners)
  • Effective data encryption techniques should be used for storing highly confidential information. (Party responsible: ITS/all owners)
  • An effective mechanism must be adopted to ensure that changes to production programs are authorized, controlled and recorded. Time stamps, logs and audit trails must be employed to record changes. (Party responsible: ITS)
  • Software developers must not access production data without the prior approval of system owners. (Party responsible: ITS)

(v) Personal Computer Security

  • All personal computer equipment and resources should be adequately protected. Access should be restricted to authorized users only. (Party responsible: all users)
  • Access to data and software on standalone or networked PCs should be properly restricted to authorized users. (Party responsible: all users)
  • Data and programs should be backed up regularly to minimize the impact of file/data loss in case of machine failure. (Party responsible: all users)
  • A combination of preventive and detective measures should be enforced to minimize the risk of data and program damage caused by computer viruses. (Party responsible: all users)
  • Only licensed software should be used on personal computers. It is unlawful to use unlicensed software, and staff and students will be personally liable for charges brought by the authorities for such offences. (Party responsible: all users)
  • Security problems should be reported to the system administrators as soon as they are detected. (Party responsible: all users)

(vi) Backup and Recovery

  • It is essential to maintain backups of data stored on a computer, as bugs, accidents and natural disasters affecting computer systems are very often unpredictable. System owners must determine their backup requirements, e.g. the interval between backups and the number of backup copies required. (Party responsible: ITS/all owners)
  • Data backup and restoration should be performed by authorized personnel only. (Party responsible: ITS/all owners)
  • Software and data should be backed up periodically on transportable media and stored appropriately (onsite or offsite) to ensure adequate integrity and availability. (Party responsible: ITS/all owners)
  • Data backup and restoration procedures should be subject to periodic test and review. It should not be taken for granted that backups can always be restored without failure. (Party responsible: ITS/all owners)
  • A Disaster Recovery Plan for mission-critical systems should be in place. Periodic drills should be performed to ensure the comprehensiveness and practicality of the Plan. (Party responsible: ITS/all owners)
