BP 8106 System Configuration

Statement of purpose

PCC’s Information Security Policies support the following goals:

  1. Promote a “security is everyone’s responsibility” philosophy to assist PCC in meeting its business and legal commitments.
  2. Ensure that PCC complies with all applicable laws and regulations.
  3. Ensure the integrity, reliability, availability, and superior performance of IT resources.
  4. Ensure that users are protected from data breach and cybercrime.
  5. Ensure that use of IT resources is consistent with the principles and values that govern the use of other college facilities and services.
  6. Prevent unauthorized disclosure of controlled sensitive data.
  7. Prevent disruption of the learning experience.
  8. Ensure the college is protected from financial, legal, regulatory, and reputational harm.
  9. Ensure that IT systems are used for their intended purposes.
  10. Establish processes for addressing policy violations and sanctions for violators.

Any computing device is subject to vulnerabilities in its operating system, hardware and/or configuration. Manufacturers publish recommended configurations, as well as periodic patches and upgrades to address discovered vulnerabilities. This policy seeks to ensure that PCC IT support staff are aware of these requirements and maintain all computing devices current with published versions, patches, configurations, and industry best practices.

Scope statement

This policy applies to all IT resources. Accountable and responsible individuals are the Information Security team, IT operational support personnel, network support management and staff and third party support personnel.

Policy summary

All servers, network devices and other computing devices on PCC networks, whether managed by employees or third parties, shall be built and deployed in accordance with current, documented System Configuration Standards.

This policy shall be subject to and superseded by applicable regulations and laws.

Policy

General compliance
  1. All computing systems, including virtual servers or appliances, shall be designated for a single, primary purpose where possible (e.g., web servers, database servers, and DNSs will be implemented on separate servers).
  2. Information Security configuration standards shall be established in accordance with the industry best practices, as well as applicable laws and regulations whenever regulatory data is processed by the computing system..
  3. All systems, prior to deployment in the production environment, shall conform to PCC’s Information Security configuration standards.
  4. PCC shall conduct internal and external network vulnerability scans at least quarterly and following any significant change in the network or security environment.
  5. PCC shall conduct external penetration tests at both the application and network layers annually or following any significant change in the network or security environment.
  6. All potential vulnerabilities identified through vulnerability scans and penetration tests will be communicated to appropriate personnel within PCC for assessment and remediation.
  7. Remote access to PCC computing systems shall be implemented in accordance with PCC Remote Access Standards (below) and in such a way as to reduce that no additional risk is placed on the PCC network environment.
  8. PCC shall follow industry best practices to prevent unauthorized modification of critical systems, configurations or content of system files and to ensure time synchronization across all enterprise systems.
  9. Members of the Information Security Program shall stay apprised of security issues and vulnerabilities applicable to PCC computing systems and communicate to appropriate parties.
  10. PCC’s security and system configuration standards shall be updated to reflect measures required for protection from any newly discovered vulnerability.
  11. All security patches, hot fixes, and service packs shall be tested and installed on applicable systems within one month of vendor release.
  12. Critical systems, such as servers, shall be scanned periodically and appropriate configuration hardening applied.
  13. The CISO shall coordinate an annual formal risk assessment process that identifies any existing or new threats and vulnerabilities to ensure PCC assets are adequately protected.
  14. Critical system configurations, baselines, and Information Security configuration standards, shall be kept in a well documented format. Changes to configurations of critical systems shall be logged, monitored, and audited on an annual basis.
Specialized configurations
  1. Configurations for specialized purposes shall be documented and reviewed by Information Security (examples of specialized purposes include specialized classroom labs, physical equipment connected to computer systems, etc).
  2. Configuration owners and technology partners in these areas shall be identified in documentation and coordinate with the IT department to keep systems updated to the standards outlined in policy.
Mobile and remote access security
  1. All computers and laptops used for remote access to the PCC environment via the Internet shall have CISO-approved software installed and activated, as follows:
    1. Personal firewall software shall be enabled;
    2. Anti-virus software shall be installed, active and up-to-date;
    3. PCC’s authentication solution with VPN client software capable of supporting user’s requirements shall be enabled.
    4. VPN shall be used for all remote administration.
  2. All remote access to the PCC network involving public networks such as the Internet, shall be authenticated via a strong authentication scheme.
  3. All remote VPN access technologies shall be configured to automatically disconnect sessions after a defined period of inactivity.
  4. All vendor VPN remote access accounts shall be used solely for the purpose of vendor maintenance and support and must remain disconnected and/or disabled until required.
  5. The CISO shall approve activation and track deactivation of remote access paths and accounts.
  6. Vendor maintenance accounts, systems, and access paths shall be disabled immediately after contract end or vendor use instance.
  7. Vendor connections shall be reviewed quarterly to ensure terminations are appropriately scheduled and applied.

Exemptions

None.

Exceptions

Exceptions to this policy must be pre-approved in writing by the Chief Information Security Officer (CISO) / Director of Infrastructure Services.

Policy violation

  1. Violation of this policy may result in disciplinary action in accordance with PCC People, Strategy, Equity and Culture (PSEC) and/or Student Conduct guidelines.
  2. PCC reserves the right to report security violations or compromises to the appropriate authorities. This may include reporting violations of Federal, State, and local laws and regulations governing computer and network use, or required accreditation reporting.
  3. Anyone who violates this policy may be held liable for damages to PCC assets, including but not limited to the loss of information, computer software and hardware, lost revenue due to disruption of normal business activities or system down time, and fines and judgments imposed as a direct result of the violation.
  4. PCC reserves the right to deactivate any User’s access rights (whether or not the User is suspected of any violation of this policy) when necessary to preserve the integrity of IT Resources.

Complaint procedures

Report non-security-related violations (such as receipt of inappropriate content, other People, Strategy, Equity and Culture (PSEC) policy violations, general college policy violations, or regulatory compliance violations) to a supervisor, PSEC, or EthicsPoint.

Report information security and general technical policy violations to the IT Service Desk at 971-722-4400 or servicedesk@pcc.edu, or contact the CIO or CISO.

Governing standards, policies, and guidelines

  • US Dept of Education: Guidance Letter – Protecting Student Information
  • US Dept of Education: Family Educational Rights and Privacy Act (FERPA)
  • US Dept of Homeland Security: Federal Information Security Management Act (FISMA)
  • Gramm-Leach-Bliley Act (GLBA)
  • FTC Red Flags Rule
  • Health Insurance Portability and Accountability Act (HIPAA)
  • International Organization for Standardization (ISO)
  • National Institute Standards and Technology (NIST)
  • Payment Card Industry Data Security Standard (PCI DSS)
  • Sarbanes-Oxley (SOX) for Colleges and Universities

Definitions

  • Access Control List (ACL)
    A technical form of access control.

    • An ACL is a set of rules in a network device, such as a router, that controls access to segments of the network. A router with ACLs can filter inbound and/or outbound network traffic similar to a firewall, but with less functionality.
  • Application
    (aka Application Software) A computer program that is designed to perform a specific set of functions.

    • D2L is an application designed to support online learning. Microsoft Word is an application designed for word processing.
  • Authentication
    Any process by which a system verifies the identity of a user who wishes to access it.

    • Since access control is normally based on the identity of the user who requests access to a resource, authentication is essential to effective security. For example, when someone logs into myPCC, the user-ID and password entered authenticates that the person logging in is the owner of the account.
  • Baseline
    A defined description of the attributes and configuration of a system, at a point in time, which serves as a basis for defining change
  • Chief Information Officer (CIO)
    Senior manager of the Information Technology (IT) Department and a member of Cabinet.

    • At PCC, the CIO is responsible for all technology, with the exception of:
      • Online Learning (Academic Affairs)
      • Some specialized technology that supports CTE or other engineering programs (e.g. software that supports machine labs, specialized dental technology, etc.)
      • Some technology that supports auxiliary services (e.g. Point of Sale systems in the cafeterias and bookstores)
  • Client
    In a network – A desktop computer or workstation that is capable of obtaining information and applications from a server. For example, all classroom computers are clients of the servers that apply security patches to them.
  • Controlled Sensitive Data (CSD)
    A general categorization that is used in PCC’s Information Technology (IT) policies (primarily the Information Security Policy and the Acceptable Use Policy) to represent all confidential and private information governed by those policies.

    • CSD includes: PII, PHI, HIPAA, FERPA, regulated, private, personal, or sensitive information for which PCC is liable if publicly disclosed.
  • Critical Systems
    Information technology assets, damage to or prying with which will result in MAJOR or CRITICAL impact to availability, integrity, and/or confidentiality of PCC data and network infrastructure.
  • Cybercrime
    Criminal activity or a crime that involves the Internet, a computer system, or computer technology.
  • Domain Name Server (DNS)
    The Internet’s equivalent of a phone book.

    • DNS maintain a directory of domain names and translate them to Internet Protocol (IP) addresses so that specific computers can be identified and have messages delivered to them (think of a postman knowing how to deliver a letter to the correct house).
  • File Integrity Monitoring (FIM)
    A way of checking that a file has not been interfered with or corrupted.

    • An internal control or process that performs the act of validating the integrity of operating system and application software files using a verification method between the current file state and a known good baseline. This comparison method often involves calculating a known cryptographic checksum of the file’s original baseline and comparing with the calculated checksum of the current state of the file.
  • Firewall
    Technology that acts as a gatekeeper to prevent malicious traffic from entering a network. The moat around a castle that only allowed entry via a drawbridge acted as an early physical version of a firewall.

    • A network security system that monitors and controls the incoming and outgoing network traffic, usually based on predetermined security rules.
  • Hardware
    The collection of physical components that constitute a computer system (a desktop computer, a server in a datacenter, a network switch, a printer, etc.)
  • Health Insurance Portability and Accountability Act (HIPAA)
    A federal government regulation to which PCC is required to adhere and that imposes strict information security requirements regarding the protection of medical records.

    • Enacted by the United States Congress and signed by President Bill Clinton in 1996. Title I of HIPAA protects health insurance coverage for workers and their families when they change or lose their jobs. Title II of HIPAA, known as the Administrative Simplification (AS) provisions, requires the establishment of national standards for electronic health care transactions and national identifiers for providers, health insurance plans, and employers.
  • Hot Fix
    A hotfix or quick-fix engineering update (QFE update) is a targeted emergency software deployment.

    • Hot Fixes are applied to quickly solve a problem (e.g. a software bug) that is seriously impacting normal operations. Typically, they are replaced by better engineered and fully tested patches or new version releases.
  • IT Resource
    (At PCC) All Information Technology (IT) resources that are the property of PCC and include, but are not limited to, all network-related systems; business applications; network and application accounts; administrative, academic and library computing facilities; college-wide data, video and voice networks; electronic mail; video and web conferencing systems; access to the Internet; voicemail, fax machines and photocopiers; classroom audio/video; computer equipment; software and operating systems; storage media; Intranet, VPN, and FTP.

    • IT Resources include resources administered by IT, as well as those administered by individual departments, college laboratories, and other college-based entities.
  • Information Security Manager (ISM)
    (aka Associate CISO) Manager of the PCC Information Security team, reporting to the CIO and/or CISO.
  • Network
    (In IT) The technology that carries messages between one computer and another.

    • A network is a primary component of technology infrastructure and consists of hardware (e.g. routers, switches) that control and direct traffic; transport technologies (e.g. cables, fibre, wireless radio waves) that transport messages from Point A to Point B; and standards (e.g. Internet Protocol, Ethernet) that facilitate a common understanding of the messages being sent and how they are to be processed.
    • End points (or nodes) on a network are the senders and receivers of the messages and are usually computers (e.g. servers, desktops, laptops) – but can also be technology such as machine controllers, audio/visual devices, etc.
    • The Internet of Things (IoT) largely replaces people interacting across a network with machines and other technology devices interacting across a network, often using artificial intelligence (AI).
  • Network Layer
    A technical definition for the part of a network that is involved in data transmission.

    • The third level of the Open Systems Interconnection Model (OSI Model) and the layer that provides data routing paths for network communication. Data is transferred in the form of packets via logical network paths in an ordered format controlled by the network layer.
  • Network Time Protocol (NTP)
    Maintains consistent timekeeping in a network to synchronize all the network components

    • A networking protocol for clock synchronization between computer systems over packet-switched, variable-latency data networks. In operation since before 1985, NTP is one of the oldest Internet protocols in current use.
  • Network Topology
    The arrangement of the various elements (links, nodes, etc.) of a communication network.

    • Essentially, it is the structure of a network and may be depicted logically or physically – much like a house can be described in architectural blueprints or by physically inspecting the building.
  • Payment Card Industry Data Security Standard (PCI DSS)
    (Commonly just PCI) A data security standard that promotes the safety of credit card holder data across the globe.
  • Penetration (Pen) Test
    Testing a computer system, network, or Web application to find vulnerabilities that an attacker could exploit.
  • Port
    (In IT) The end point of a network message. If network addresses are like a street address, port numbers are like suite or room numbers. Access to a network or computing resource can be controlled by identifying what messages are permitted to pass through a specific port.

    • A network port is a process-specific or application-specific software construct serving as a communication endpoint, which is used by the Transport Layer protocols of Internet Protocol suite, such as User Diagram Protocol (UDP) and Transmission Control Protocol (TCP).
  • Production Environment (PROD)
    The technology environment where software and other products are actually put into operation for their intended uses by end users.

    • This is a highly controlled and monitored environment and separate from the development, test, or other environments where software is not intended for production use.
  • Security Patch
    A fix for a known security threat.

    • The application of software or operating-system code that is intended to correct a vulnerability to hacking or viral infection.
  • Server
    Hardware: a powerful computer designed for running enterprise applications, usually located in a datacenter.

    • Software: a computer program that accepts and responds to requests made by another program (known as a Client).
  • Service Pack
    A software update from a manufacturer, consisting of requested enhancements and fixes for known bugs.
  • Software
    A set of instructions that tells a computer what to do.

    • Computer software is generally constructed as programs (applications) written in a specific language designed to run on computer hardware. Most common softwares are applications for business and personal use. More specialized computer software runs the operating systems of computers, operates machinery, creates artificial intelligence in robots, controls scientific instruments, etc.
  • System
    (In Information Technology [IT]) A computer system consists of hardware components that work with software components to achieve a defined outcome.

    • The main software component that runs on a system is an operating system that manages and provides services to other programs that can be run in the computer. Computer systems may also include peripheral devices such as printers, A/V equipment, operating machinery, etc.
  • Third Party
    (In Information Technology [IT]) A vendor. Can be applied to any vendor (“third party provider”), but mostly used regarding “vendor software” to distinguish it from software developed “in house.”
  • User
    Any person who makes any use of any PCC IT resource from any location (whether authorized or not).
  • Virtual Private Network (VPN)
    A dedicated, secure connection between a client computer and a computer network. Usually used to support secure “remote access” to a network (e.g. working from home).

    • A VPN provides a secure communication channel over the Internet between a remote device (e.g. home computer) and PCC’s internal network. The VPN requires authentication to set up the channel and encrypts all traffic flowing through the channel.

Responsible executive

Chief Information Officer

Responsible officer

Chief Information Security Officer (CISO), Director of Infrastructure Services, Director of Application Services, Director of Client Services

Responsible office

IT Information Security, IT Infrastructure Services Division, IT Application Services Division, IT Client Services Division

Last revision date

09-09-2024