
SDSU Business Services Site Security Policy

Passwords

Each computer account needs a password. Any password that can be easily guessed is a poor password. Examples of bad passwords are personal names, dictionary words, phone numbers and short passwords. Passwords like these are recovered quickly by cracking programs, which first try every word in a dictionary or name list and then every short combination of characters (a brute-force attack). A good password contains both upper and lower case letters together with digits and punctuation characters, and is at least 8 characters long. This password should be memorized, not written on a piece of paper next to your computer or left in a text file on your hard drive. While this may make for a password that is hard to remember, the security gained by using an obscure password is well worth the effort.

Patches

The system administrator should subscribe to the security mailing lists and regularly check other sources, such as the security newsgroups and vendor security sites, to learn of new vulnerabilities and patches as soon as they are announced, so that fixes can be applied promptly.

Virus Protection

All SDSU Business Services workstations are to have a virus detection program installed. The virus definitions must be kept up to date and the virus scanner should scan the hard drives at regular intervals. Any virus found should be removed immediately, and the source of the infected file should be notified so that the originating system can be cleaned as well.

Network Services

SDSU Business Services computer servers run a variety of network services, for example web servers, file servers and database servers. These services allow properly authenticated machines and users to remotely access information on the server. An improperly configured network service can expose resources that should not be accessible, so every service must be configured to allow access only to the resources it is meant to serve. Any service that does not use an encrypted method of authentication should not be considered secure: passwords and other data sent in plain text can easily be sniffed on the network.

Some basic guidelines for setting up network services are: disable all unnecessary services, enable encrypted authentication and restrict access by IP address. Restriction by IP address is a useful extra layer, not a substitute for authentication, since source addresses can be spoofed and a trusted host can itself be compromised.

Auditing

Most systems and services have some form of event logging. For example, UNIX has syslog and Windows NT has the Event Viewer, while many third-party programs maintain their own logs. These logs can help in detecting hack attempts, software or hardware failures, or any other area that needs attention. All logs must be audited on a regular basis. Any discrepancies should be noted and, if necessary, action taken to resolve the problem. Logs are most useful when a copy is kept on a separate log host, so that an intruder who gains control of a machine cannot simply erase the evidence.
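As an added example, not part of the original policy, here is the kind of small audit script the Auditing section calls for. It parses a handful of constructed syslog lines in OpenSSH's standard "Failed password" / "Accepted password" message format plus one kernel disk error, and flags three things a reviewer would want to see: a source address with many failed logins (a password-guessing attempt), a successful login from that same source right after the failures (possibly a guessed password), and the hardware error. The host name, addresses, user names and the failure threshold are all made up for the example.

```python
import re
from collections import defaultdict

# Constructed sample log (not real traffic): a burst of failed SSH logins from
# one address followed by a success, one ordinary login, and a disk error.
# The lines follow the standard syslog / OpenSSH message format.
SAMPLE_LOG = """\
Mar 10 02:14:01 fileserv sshd[4410]: Failed password for root from 203.0.113.9 port 51022 ssh2
Mar 10 02:14:03 fileserv sshd[4410]: Failed password for root from 203.0.113.9 port 51023 ssh2
Mar 10 02:14:05 fileserv sshd[4412]: Failed password for admin from 203.0.113.9 port 51025 ssh2
Mar 10 02:14:06 fileserv sshd[4413]: Failed password for invalid user oracle from 203.0.113.9 port 51026 ssh2
Mar 10 02:14:09 fileserv sshd[4415]: Failed password for root from 203.0.113.9 port 51030 ssh2
Mar 10 02:14:11 fileserv sshd[4417]: Accepted password for root from 203.0.113.9 port 51033 ssh2
Mar 10 02:20:45 fileserv sshd[4501]: Failed password for jsmith from 192.0.2.44 port 40211 ssh2
Mar 10 02:20:52 fileserv sshd[4501]: Accepted password for jsmith from 192.0.2.44 port 40211 ssh2
Mar 10 03:01:00 fileserv kernel: sd 0:0:0:0: [sda] Unrecovered read error - auto reallocate failed
"""

# "Mon DD HH:MM:SS host program[pid]: message"
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) "
    r"(?P<prog>[\w./-]+)(?:\[\d+\])?: (?P<msg>.*)$"
)
# OpenSSH password-authentication outcomes.
AUTH_RE = re.compile(
    r"^(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) from (?P<src>\S+)"
)

# Failures from one source before we call it a guessing attempt (assumed value).
FAIL_THRESHOLD = 4


def parse_syslog(text):
    """Split raw syslog text into dicts with ts, host, prog and msg fields."""
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if m:
            events.append(m.groupdict())
    return events


def audit(text, threshold=FAIL_THRESHOLD):
    """Return a list of findings, each a tuple starting with its kind.

    Kinds: "brute-force" (many failed logins from one source),
    "success-after-failures" (a login accepted from a source that had already
    failed `threshold` times, which may mean a password was guessed), and
    "hardware-error" (kernel messages mentioning an error).
    """
    findings = []
    failures = defaultdict(list)       # source address -> user names tried
    for ev in parse_syslog(text):
        if ev["prog"] == "sshd":
            a = AUTH_RE.match(ev["msg"])
            if not a:
                continue
            src = a["src"]
            if a["result"] == "Failed":
                failures[src].append(a["user"])
            elif len(failures[src]) >= threshold:
                findings.append(("success-after-failures", src, a["user"], len(failures[src])))
        elif ev["prog"] == "kernel" and "error" in ev["msg"].lower():
            findings.append(("hardware-error", ev["host"], ev["msg"]))
    for src, users in failures.items():
        if len(users) >= threshold:
            findings.append(("brute-force", src, sorted(set(users)), len(users)))
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_LOG):
        print(finding)
```

The single failed login from 192.0.2.44 followed by a success is a typo, not an attack, and stays below the threshold; the same pattern from 203.0.113.9 after five failures against three different accounts is the one an auditor should act on.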
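The password rules in the Passwords section can be enforced automatically when an account is created. The following Python checker is an added example, not part of the original policy: it applies the stated rules (minimum length, upper and lower case, digits, punctuation, no dictionary words, personal names or phone numbers), and goes one step further than the text by also catching a dictionary word written with digits or symbols substituted for letters. The word list is a tiny constructed stand-in; a real deployment would load a full dictionary and name list.

```python
import re
import string

# Rules from the policy: at least 8 characters, upper and lower case letters,
# digits and punctuation, and nothing easily guessed (personal names,
# dictionary words, phone numbers).
MIN_LENGTH = 8

# Constructed stand-in for a dictionary/name list. A real checker would load
# a full word list (e.g. /usr/share/dict/words) plus common first names.
GUESSABLE_WORDS = {
    "password", "welcome", "letmein", "business", "sandiego",
    "john", "maria", "summer", "aztecs",
}

# North American phone number with or without separators:
# 555-123-4567, (555) 123 4567, 5551234567
PHONE_RE = re.compile(r"^\(?\d{3}\)?[-. ]?\d{3}[-. ]?\d{4}$")

# Common symbol-for-letter substitutions, so "P@ssw0rd" is still seen as "password".
LEET = str.maketrans("@013$4", "aolesa")


def alphabetic_core(candidate, normalise_leet=False):
    """Letters only, lower-cased; optionally with common substitutions undone."""
    text = candidate.translate(LEET) if normalise_leet else candidate
    return "".join(c for c in text if c.isalpha()).lower()


def check_password(candidate, guessable=GUESSABLE_WORDS):
    """Return the list of policy rules the candidate breaks (empty list = acceptable)."""
    problems = []
    if len(candidate) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    if not any(c.islower() for c in candidate):
        problems.append("no lower-case letter")
    if not any(c.isupper() for c in candidate):
        problems.append("no upper-case letter")
    if not any(c.isdigit() for c in candidate):
        problems.append("no digit")
    if not any(c in string.punctuation for c in candidate):
        problems.append("no punctuation character")
    # Look past appended digits/symbols and leet spellings: "Password1!" and
    # "P@ssw0rd!" both satisfy the composition rules but are dictionary words.
    cores = {alphabetic_core(candidate), alphabetic_core(candidate, normalise_leet=True)}
    if cores & guessable:
        problems.append("based on a dictionary word or personal name")
    if PHONE_RE.match(candidate):
        problems.append("looks like a phone number")
    return problems


def is_acceptable(candidate):
    return not check_password(candidate)


if __name__ == "__main__":
    for pw in ["john", "Password1!", "P@ssw0rd!", "555-123-4567", "c0rrect-H0rse!"]:
        print("%-16s %s" % (pw, ", ".join(check_password(pw)) or "OK"))
```

The dictionary lookup is done on the letters alone, so Password1! is rejected even though it satisfies every composition rule; composition rules by themselves do not make a password hard to guess, which is why the policy lists dictionary words and names separately.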