Standards and Guidelines for School-Based Systems
Version 1
TABLE OF CONTENTS
- School-Based Computer Systems.
- Definition.
- Management of School-Based Systems.
- Security Responsibilities.
- Physical Security.
- Physical Access.
- User Access.
- Fire Detection and Control.
- Business Continuity.
- Data Integrity.
- Password Aging.
- Documentation.
- Definition.
"School-Based" systems are non-strategic servers (i.e. not desktops) that are
the responsibility of Departments, Schools, Offices, or Units (DSOU’s).
- Management of School-Based Systems.
Responsibility for the management and operation (i.e. custodianship) of school-based
systems resides with the DSOU that owns the system.
- Security Responsibilities.
The day-to-day managers of school-based systems must:
- Be thoroughly familiar with the University IT Security Policy in
its entirety.
- Ensure compliance to this policy by all of its users.
- Report any serious breaches of security to ITS.
- Physical Security.
The following standards of physical security of school-based platforms must be met:
- Premises must be physically strong and free from unacceptable risk from
flooding, vibration, dust, etc.
- There must not be an inordinate amount of combustible material (e.g. paper)
stored in the same room as the computer system.
- Air temperature and humidity must be controlled to within acceptable
limits.
Computing equipment should be electrically powered via UPS to provide the following:
- Minimum of 15 minutes’ operation in the event of a power blackout.
- Adequate protection from surges and sags.
- Trigger an orderly system shutdown when deemed necessary.
- Physical Access.
- There must be procedures in place to assure that only authorized staff enter the
premises.
- User Access.
New userid’s should be handled as follows:
- Written application must be submitted on an official form.
- The application form must have been signed by someone in authority
(e.g. Dean, ITLO).
- The applicant must present suitable personal identification.
- The new userid and password must be given orally to the
applicant, unless special delivery has been authorized due to special
circumstances (e.g. applicant is overseas).
- If the Operating System supports a password aging facility then it should be
set to force password change on the first login.
- Fire Detection and Control.
- There should be smoke and thermal detectors on the premises.
- Underfloor areas should have smoke and water detectors.
- Business Continuity.
There should be a Business Continuity evaluation along the following lines:
- A determination the maximum time of not having the service(s) provided
by the system that can be tolerated.
- An identification of all of the threats to the system such as:
- Hardware Failure.
- Electrical Power Failure.
- Fire.
- Formulation of Contingency Plans for restoring services within the
acceptable time.
ITS can give advice on risk management and contingency planning.
- Data Integrity.
- Security backups of all data should be made at least once per working day.
- The backup regime should meet the following criteria:
- Enable recovery to at least the start of business on any
weekday of a failure.
- Provide at least one more level of backup to a previous time, to cover
the case of the failure of the primary backup media.
- There should be offsite storage of security backup media to enable a full
data recovery to no earlier than one working week.
- There should be an audit of security backup media at least once every six
months.
- Password Aging.
If the Operating System provides the facility, automatic Password Aging should be
enforced. The life of a password should be no less than six months and no more than
12 months.
- Documentation.
Procedures reflecting these policies be documented in the site Operations instructions.
|
|
