A. Introduction

Office of Information Technology (OIT) is charged with operating the campus network (UCInet) and maintaining its security. The integrity of UCInet requires that the security of every computing system or device connected to the network be established and maintained. These security guidelines are intended to reduce the frequency and impact of security attacks, viruses and other negative features of the Internet. They apply to all system administrators and others responsible for maintaining systems and devices on UCInet.

Computing systems that host restricted data as defined in University of California Business and Finance Bulletin IS-3 are required to conform to more rigorous security standards. Campus and Medical Center departments, units, or service providers may develop stricter standards or practices as needed. School Computing Coordinators (SCC) or departmental computing support staff should be consulted about local requirements.

B. Requirements For All Computers/Devices Connected to UCInet

1. Computer operating systems must be safely installed.

   To prevent attacks and infections during computer installation, the operating system's firewall must be configured and turned on before connecting the system to the network. After connecting, any available updates to the system should be immediately applied.

2. Security patches must be installed and regularly maintained.

   The operating system and key application software on computers connected to UCInet must have updated security patches installed on a regular basis. Systems (especially end-user desktops) should be configured to have new updates automatically installed as they become available. If this is not possible or not advisable, administrators must keep abreast of new security updates by subscribing to vendor patch update mailing lists or by frequently reviewing the vendor's web site for updates. The release of a new patch is often followed immediately by an exploit for the vulnerability the patch fixes. Applying the patch in a timely manner can prevent serious security compromises.

3. Anti-virus software must be installed and kept up-to-date.

   Anti-virus software must be installed, running, and kept up-to-date on every computing system connected to UCInet. This includes desktop and laptop systems, servers, and other networked devices. The software must be configured to regularly download information about new viruses released onto the Internet. Contact local computing support staff or OIT for more information.

4. Computers must be protected by user IDs and good passwords.

   Access to all UCInet computers must be controlled by user IDs (such as UCInetIDs) and passwords. These may be augmented by other authentication systems (for example, multifactor authentication). In addition:

   • Passwords should be reasonably complex to make them difficult to guess.
   • All default account passwords must be replaced by good, user-specified passwords.
   • Passwords used for privileged access should not be the same as those used for non- privileged access.

   Unauthenticated access is appropriate when computers are provided for "walk-up" public use in the UCI Libraries and similar public locations. Public access systems should be configured to minimize the impact of potential abuse.

5. Physical access to computing systems must be controlled.

   Uncontrolled physical access to a computing system can result in a variety of problems such as identity theft and unauthorized access to, or modification of, important data. Where possible and appropriate, systems should be configured to "lock" and require a user to re-authenticate if left unattended for more than 20 minutes. Physical restraints or locking devices should be used on mobile computing devices (laptops, mobile devices, etc) to prevent theft.

6. Unnecessary network services must be disabled.

   If a service is not necessary for the intended purpose or operation of a network connected system, that service should not be running.

Additional Recommendations for All Computers Connected to UCInet

1. Firewall software supplied with operating systems should be configured and running.

   If supplied with the operating system, firewall software should be configured and running on computers connected to UCInet. Departmental firewalls do not preclude the need for firewall software. They work hand-in-hand to keep unwanted traffic out of systems connected to the network. As stated in B.1, the operating system's firewall must be enabled before connecting the system to the network. Once the operating system installation is complete and all available patches installed, the firewall can be turned off if doing so is deemed necessary to facilitate the system's intended purpose.

2. Anti-Spyware software should be installed and run periodically.

   The regular use of software to identify and remove spyware programs is strongly advised to help maintain the privacy of personal information and Internet use. Regular updates to the anti-spyware program should be applied to ensure that it can detect and remove new spyware software.

C. Additional Requirements for Computers Running Network Services

1. Services hosted on UCInet computers must be protected by good passwords.

   Access to all UCInet network services must be controlled by UCInetID or other user identification and password, or through other authentication systems (for example, multifactor authentication), or a combination thereof.

2. Passwords must be encrypted during authentication.

   Authentication mechanisms that transmit unencrypted IDs and passwords can be monitored across networks. This gives unauthorized individuals the ability to gather the information needed to access UCI services. All authentication mechanisms on UCInet must encrypt passwords and any other secret data (such as biometric information) used to authenticate the user. Insecure services such as telnet, FTP, POP, and IMAP should be replaced by their encrypted equivalents.

3. Systems relaying e-mail must require authentication.

   SMTP e-mail servers on UCInet must require user authentication to relay e-mail messages between correspondents who are not on campus. This authentication requires a user ID and password; authentication via IP address or domain name is not sufficient.

4. Web proxy servers must require authentication.

   Unauthenticated proxy servers give unidentified users the ability to attack systems both on and off campus. Therefore, all proxy servers must require authentication using a user ID and password. Authentication via IP address or domain name is not sufficient. Any proxy server that is accessible off campus must ensure that users meet the requirements used to control access to UCI licensed intellectual property.