Responsibilities for Computing Devices Connected to the University of Virginia Network

Policy Guide—May 11, 2006

Use this document to help you and your department secure your computing assets. The policy guide is also available for download in the following formats: PDF | Microsoft Word

1.0 Introduction

Benefits of the Internet are being realized today in all facets of our lives, and use is continuing to grow at a rapid pace. Accompanying that welcomed growth, however, are increasing opportunities and temptations for misuse of the Internet resource, and these are being taken advantage of in a big way. Computer attacks are increasing and doing more harm than ever before. In 2005, the damaging effects of malware had a total cost of $14.2 billion worldwide.

Universities are unfortunately favorite targets of computer attackers. Critical University computing resources, such as research, patient, and student data, are at risk, and University computers (both single user workstations and servers) are being taken over by cybercriminals and used as platforms to attack other universities, corporations, government agencies and other entities. The consequences of not addressing this problem can be loss of staff productivity, loss of assets, a tarnished reputation, and litigation.

While it may never be possible to intercept all attempts of attacks—new forms of attack are being devised every day—there are steps that can be taken at the University of Virginia to significantly reduce vulnerabilities. Because an attacker can seize a vulnerable device and use it to launch an attack on others, it is important that everyone owning or overseeing the use of a computing device connected to the University's network assume responsibility for securing that device. We can only be as strong as our weakest link.

The University has put a policy (see Appendix I) in place that defines requirements for device owners and overseers to close security gaps. The policy stipulates that when University network resources and privileges are threatened by an improperly maintained computing device, the Information Technology and Communication (ITC) Department and Health Systems Computing Services (HS/CS) may act on behalf of the University to remove the threat by working with the device owner or overseer to quickly close security holes. In an emergency or when collaboration fails, the device may be disconnected from the network until security vulnerabilities are addressed.

ITC and HS/CS have developed this policy guide and a website of helpful information and guidance for addressing this policy. They also offer services device owners and overseers may find valuable.

2.0 Role of Deans, Department Heads, and Principal Investigators

Because of their leadership positions and control over resources, deans, department heads and Principal Investigators (PIs) can play a critical role in the successful implementation of this policy. Specifically, they can use their influence to:

  • Make computer security a staffing and funding priority. Additionally, PIs can specify the cost associated with security as a direct cost in grant proposals.
  • Change attitudes and behaviors within the units they lead by communicating the importance of addressing security vulnerabilities and by requiring all staff members to be responsible and accountable for the security of their network-connected devices.
  • Ensure units acknowledge that administering servers takes specialized skills and have only qualified people do this work.
  • Ensure device owners and overseers in their units take swift action should a security breach occur and seek help from ITC or HS/CS if needed.

3.0 Role of ITC and HS/CS

ITC and HS/CS are responsible for closing security gaps on all devices they own themselves and manage for others through service contracts. These departments also employ intrusion detection systems at the outside perimeter of the University network and special purpose firewalls in various locations that help reduce some threatening network traffic. In addition, ITC and HS/CS fill a pivotal role in providing services that aid other university departments in carrying out their responsibilities for the policy. These services are listed below and described in greater deal in Appendix IV.

ITC and HS/CS Services That Can Be Leveraged Secure Devices:

  • A web site containing current information on security best practices and on known vulnerabilities and ways to eliminate them is maintained.
  • Alerts of dangerous new computer viruses and instructions for protecting devices from them are sent to appropriate mail lists and posted on the University and ITC web sites as they occur.
  • Various contract services are available for shared central hardware/software use and for installation and/or ongoing support of department-owned computers.
  • Secure standard software configurations are available through ITC's Desktop Computing Initiative and Premium Desktop offerings and through HS/CS' Desktop Standard.
  • Site licenses for various security tools are provided.
  • Education and training opportunities that incorporate security topics into broader curricula are offered. In addition, ITC and HS/CS operate programs that help departmental computing support staff gain skills and knowledge necessary to provide effective technical support for their departments.
  • ITC offers a consulting service that assists departments with the development and implementation of technology plans, including requirements for technical skills and staffing.
  • ITC and HS/CS serve as points of contact and sources of advice when a department's computer is attacked.

4.0 Options for Securing Computer Devices

Strategies and staffing currently employed for addressing security may be adequate in some departments and programs; however, new approaches are likely to be needed in many areas. Security needs and strategies for addressing them can vary widely depending upon the number of computing devices, the device types, the purposes for which those devices are used, the technical skills levels of existing staff, and other factors. While there is no single solution that can be recommended, there are basic rules of thumb that can be used in determining an appropriate course of action. This section provides guidance to deans, department heads, and PIs on the basic ongoing security activities required, rules of thumb regarding time and skill needs, and options available for acquiring these services.

In most departments a combination of single-user PCs and Macs and multi-user servers are deployed. While there are a few similarities in the actions required to secure single-user computers and multi-user servers, the degrees of complexity are quite different. For this reason guidance is provided on each separately.

4.1 Single-user PCs and Macs

4.1.1 Needed Actions for Securing Single-user PCs and Macs

Keeping single user PC and Mac machines secure requires that the following set of actions be performed on those devices on an ongoing basis. (The complete list of these settings with explanatory details can be found at Quick Tips for Personal Computers.)

Important note to Health System employees: If your device is managed by Health Systems Computing Services, actions d through i are handled by HS/CS staff members. Actions a, b and c are the responsibility of individual device owners.

4.1.2 Time Commitment for Securing Single-user PCs and Macs

The time required to keep a PC or Mac secure varies widely depending upon how the device is used, the technical skills of the person doing the work, the level of vulnerabilities and hacker activity at a given point of time, and other factors. A rule of thumb, however, is that it will take between 30 to 90 minutes per device per month to accomplish needed actions. An economy of scale does apply. The amount of time required per device goes down as the number of similarly configures devices managed by a single person goes up. Desktop workstations can be centrally managed given the appropriate level of skill of the system administrator. Factors that influence the decision to centrally manage computers include the following: number of computers, sensi tivity of data, and propriety for the user culture. Note that the time commitment should be less for HS/CS customers using the HS/CS Desktop Management service.

4.1.3 Technical Skills for Securing Single-user PCs and Macs

The skills of a technical professional are not necessarily required to carry out the actions described for single-user PCs and Macs; however, the device user does need to have more than a basic understanding of the operating system and other software running on the device. For example, a person performing the actions must be comfortable with the technical jargon often used by software manufacturers to describe security vulnerabilities and software updates to address them. As important as the skill level, the person must also have the time and commitment to accomplish needed actions.

4.1.4 Possible Strategies for Securing Single-user PCs and Macs

It is important to understand that securing single-user PCs and Macs is an ongoing process. New vulnerabilities are constantly being identified, and it is important to stay vigilant and take appropriate actions as needed. Possible strategies that can be taken to install secure systems in the first place and to keep them secure after installation are described briefly below. Additional information may be found in:

Strategies for installing secure single-user devices:

Select standard Desktop Computing Initiative (DCI) devices - The DCI Program offers acquisition options and installation services for standard models of single-user PC and Mac computers. DCI computers are delivered configured to work in the U.Va. environment and are pre-loaded with a standard suite of software and basic applications. Security vulnerabilities known at the time a DCI device is acquired are addressed before delivery; however, department and program heads need to employ strategies to keep the device secure after installation.

Use ITC's Premium Desktop configuration for Windows-based devices - For those with computer needs not met by the standard models available through the DCI Program, ITC offers customizable, modular, and secure Windows XP desktop configurations with a standard suite of software and basic applications. As with the DCI devices, strategies to keep Premium Desktop configurations secure after they are installed are also needed.

Use HS/CS Desktop Standard - HS/CS administrative customers should follow HS/CS desktop standard for hardware and software.

Strategies for maintaining secure single-user PC and Mac devices:

HS/CS Desktop Management System - Hospital departments may use the HS/CS systems management system, which provides many benefits in terms of timely and consistent desktop support. This service is mandated for all IHMS users.

Train existing staff person(s) - ITC offers training for U.Va. personnel who have the time, ability and interest to learn basic computer skills, including those needed to secure PCs and Macs. See Appendix VI for training sources

Share skilled person with another department - Departments/programs with few PCs and Macs may be able to work out an arrangement whereby a skilled person is shared across multiple departments/programs.

Contract for maintenance services with an outside firm - There are firms in the Charlottesville are that offer full maintenance services for PCs and Macs, including keeping devices secure. Quality of service varies, so it is important to check references before signing a contract.

4.2 Servers

4.2.1 Needed Actions for Securing Servers

All actions required to keep single-user PCs and Macs secure also apply to servers. The work is much more complex, however, because multiple users could be affected by every action, servers often utilize more software (and can, therefore, have more vulnerabilities) than single-user devices, and other factors. There are also additional actions needed, which vary widely depending upon the function of the server. There are, for example, special considerations for servers used to host websites, mail services, and other functions. These special considerations are too detailed to mention here, but are explained at the Community Security Baseline.

4.2.2 Time Commitment for Securing Servers

The time required to keep a server secure varies widely depending upon how the device is used, the number of people using it, the age of the software on it, the technical skills of the person doing the work, the level of vulnerabilities and hacker activity at any given point of time, and other factors. A rule of thumb, however, is that it will take 16 or more hours per server per month to accomplish the needed actions. An economy of scale does apply. The amount of time needed per server goes down as the number of similarly configured servers managed by a single person goes up.

4.2.3 Technical Skills for Securing Servers

A person who is well trained and experienced in computer system administration is needed to accomplish the work associated with securing servers. Indeed, assigning someone who does not have the necessary knowledge and skills can do more harm than good. In addition to appropriate technical skills, the person must also have the time and commitment to accomplish needed actions.

4.2.4 Possible Strategies for Securing Servers

As with single-user devices, securing servers is an ongoing process. New vulnerabilities are constantly being identified, and it is important to stay vigilant and take appropriate actions as needed. Possible strategies that can be taken to install secure servers in the first place and to keep them secure after installation are described briefly below. Additional information may be found in:

Strategies for installing secure servers:

Contract for use of centralized shared servers instead of purchasing servers - As an alternative to purchasing a departmental server, departments make take advantage of ITC Premium Server service, which provides hardware, software, and file space. ITC staff time to administer and maintain the server, including addressing security vulnerabilities, is included in the contract. HS/CS offers a similar service to hospital departments with its file and print (Super) servers.

Contract with ITC or HS/CS to install servers - ITC and HS/CS staff are available to install and make secure servers purchased by departments they support. It is critical that strategies to keep the servers secure on an ongoing basis also be employed. See Appendix IV for more information.

Strategies for maintaining secure servers:

Contract with ITC or HS/CS to maintain the servers - ITC provides operating systems support, file system backups, and operational support on an annual fee basis for Unix, Linux, and Windows-based servers. Additionally, services are available at an hourly rate installation of operating system upgrades and other services that can help maintain the security of servers. HS/CS offers similar services for servers owned by departments in the hospital. See Appendix IV for more information.

Share skilled system administrator with another department - If the number and complexity of the servers is low, departments may find it feasible to share a skilled system administrator.

Hire a system administrator - Recommended hiring criteria is provided in Appendix VI for departments wishing to hire a permanent, full-time system administrator for their departments.

Train existing, technical savvy staff person(s) - Some firms in Charlottesville and Piedmont Virginia Community College offer training on system administration, and many good certification programs are available from national security organizations. See Appendix V for training sources.

Contract with an outside firm for maintenance services - There are firms in the Charlottesville are that offer maintenance services for servers, including keeping these devices secure. Quality of service varies, so it is important to check references before signing a contract.

APPENDICES

© 2008 by the Rector and Visitors of the University of Virginia.

The information contained on the University of Virginia’s Department of Information Technology and Communication (ITC) website is provided as a public service with the understanding that ITC makes no representations or warranties, either expressed or implied, concerning the accuracy, completeness, reliability or suitability of the information, including warrantees of title, non-infringement of copyright or patent rights of others. These pages are expected to represent the University of Virginia community and the State of Virginia in a professional manner in accordance with the University of Virginia’s Computing Policies.