Effective: July 1, 2001
The purpose of this policy is to clearly define requirements for owners and overseers of University of Virginia network-connected devices to close security gaps. It also describes loss of network access for noncompliance, as well as an exception process.
Those responsible for devices connected to the University of Virginia network must ensure that key security vulnerabilities are eliminated from these devices.
Although the rapid growth of legitimate new uses of the Internet is welcome, this growth has also increased the opportunities and temptations for misuse of the Internet resource. Security breaches at highly visible computing sites have become commonplace today, and universities are favorite targets for attacks. Critical university computing resources, such as research, patient care, and student data, are at risk, and university computing devices are being commandeered by cybercriminals to launch attacks on corporations and other entities outside the university.
While it is not possible to anticipate and intercept all attacks - cybercriminals are continuously devising new ways to wreak havoc - there are specific steps that can be taken to significantly reduce vulnerability. These steps are effective, however, only if they are taken for all devices on the University of Virginia's network. The saying that "we are only as strong as our weakest link" most definitely applies in this case.
Key security gaps that need to be closed may vary depending upon the type of device. Some examples follow.
- All device owners should ensure passwords used on their devices are not easily guessable by attackers.
- Owners of personal computers should install and run anti-virus software on these devices and apply updates from the software vendor as they become available.
- Owners of personal computers and servers should apply security-related updates to the operating system running on their devices as these updates become available from operating system vendors. Examples of a few operating systems found at UVa are Windows 2000, Windows NT, and Red Hat Linux.
- Owners of UNIX and Linux servers should switch off unneeded services to eliminate the risk of these being exploited.
- Owners of wireless access points and/or routers must ensure that these devices do not allow unauthorized access to the University network.
It is important to note that the above are examples only and do not represent a complete list of known security vulnerabilities.
Vulnerabilities that are considered "key" will change over time as new threats and risks surface. Information Technology Services (ITS) and Health Systems Computing Services (HS/CS) maintain a current list of key vulnerabilities and steps required to close the vulnerabilities. Device owners/overseers are responsible for staying apprised of changes to this list and acting promptly to address any new security gaps defined.
ITS and HS/CS wish to work in partnership with owners and overseers in fulfilling the responsibilities outlined in this policy. A "Frequently Asked Questions" document is available to answer questions about the policy and provide guidance on obtaining advice or help.
This policy applies to anyone in the university community owning or overseeing the use of a computing device of any type connected to the University of Virginia network, including but not limited to:
- ITS or HS/CS, if the devices are under ongoing support contracts with these organizations;
- Faculty, staff, students, and other individuals who have devices connected to UVa's network, even if those devices were acquired personally, i.e. not with university or grant funds;
- UVa department heads, even in cases where vendor owned and/or managed equipment is housed in departments;
- Research project Principal Investigators, if their projects use devices connected to UVa's network.
If no one claims responsibility for a device, the UVa department head for the department in which the device resides will be presumed to be responsible by default.
This policy is especially focused on individuals responsible (as defined above) for devices that serve more than one user. It should be noted, however, that the required actions outlined in this policy are appropriate and must be undertaken by those responsible for single-user devices as well. When devices are used for university business, compliance will be verified by the University's Audit Department during routine audits.
In cases where University network resources and privileges are threatened by improperly maintained computing devices, ITS and HS/CS may act on behalf of the University to eliminate the threat by working with the relevant device owner or overseer to quickly close security holes. In circumstances where these collaborative efforts fail or there is an urgent situation requiring immediate action and leaving no time for collaboration, the device may be disconnected from the network by ITS or HS/CS (which department depends upon the location of the device). Reference the procedure for revoking network access of connected equipment for more specific information.
Requests for exceptions to this policy should be made in writing (hard copy or email) to the VP/CIO. An exception may be granted if it is clear that the benefits to the University of the vulnerable device far outweigh the risks, as judged by the VP/CIO.
Source of Policy:
Written by the Office of the VP/CIO and approved by the University of Virginia President's Cabinet
Revisions:
Review Frequency: Yearly by the Office of the VP/CIO