Software Licensing

Installing unlicensed software on departmental computers exposes the University to possible penalties from software vendors and could result in fines or litigation, with financial and reputational impacts for the University. Departments are expected to employ an effective software management process which includes:

  • Maintaining documentation supporting the purchase of software
  • Associating each software license to a particular machine
  • Ensuring that licenses are purchased prior to installing software
  • Maintaining a software inventory and tracking license additions, deletions, or expirations
  • Removing demonstration, trial, or test copies of software within the specified time-frame when the software is not purchased.

Sharing of IDs and Passwords

Never share network or application IDs and passwords. These are used to identify system users and provide a trail of each user’s activity. Sharing these compromises security on multiple levels. First, it could provide access to data that the individual using the credentials is not authorized to access. Second, it could facilitate a breakdown in proper segregation of duties, allowing an inappropriate individual to perform a responsibility that conflicts with their own. Third, system audit trails will not reflect who is actually executing activities; rather, they will reflect that the activities are being performed by you. This includes fraudulent transactions and inappropriate access to records. The more individuals you share your credentials with, the more risk you expose yourself to.

Terminating Systems Access

It is increasingly important to ensure that employee access to systems is terminated in a timely manner, particularly as systems shift to web-based applications. In order to facilitate a process that ensures appropriateness of access, consider using a checklist of systems access granted to departmental employees. Use the same list to remove or update access when the employee leaves, transfers to a new School or Center, or is assigned new responsibilities.

Mission Continuity

Penn’s Mission Continuity program is an institution-wide effort, designed to ensure that protocols and procedures exist to allow you to resume operations after unexpected interruptions (such as a fire, flood, or other cause of interruption in operations). As part of Penn’s Mission Continuity program, Schools, Centers and departments are responsible for developing mission continuity plans and recording them online using special software tailored for Penn, called Risk Cloud.

When compiling your mission continuity plan consider the following types of data that will allow you to effectively respond to events:

  • Contacts
  • Call lists
  • Critical processes and owners
  • Building / facility information
  • Necessary equipment / supplies
  • Key technology and system applications
  • Vital documents
  • Key supplier contact information

Further examples and a more detailed checklist are available as part of the reference material for the Risk Cloud training program. Completing the Pre-Planning Questionnaire will also help to structure your thinking about this information.

Once plans have been formalized, test the plans annually to ensure that they are current and sufficient to resume key business processes in a reasonable timeframe. This can be accomplished through the performance of a tabletop exercise which includes such activities as calling the call tree to make sure the listing and numbers are accurate and personnel are responsive, testing remote access connections, testing backup restoration capabilities, etc.

For more information please visit Penn’s Mission Continuity web site at http://www.upenn.edu/missioncontinuity.

Data Backup & Recovery

Replication of data (especially critical data) and documentation is a prerequisite for any type of recovery. Develop a formal backup and tape rotation schedule in order to ensure expedient system and data recovery. This schedule should define a procedure for performing and storing backup media at an environmentally safe and secure off-site location.

Specifically, two copies of full backups should be retained. One copy should remain on-site for system interruptions due to hardware failures and data corruption, and one copy should be moved off-site to address server room disasters. We recommend that a full data backup be rotated off-site weekly. A backup of the operating system should be made after each successful upgrade and rotated to off-site storage.
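The retention and rotation rules above can be checked mechanically against a backup catalogue. The following is an added example, not part of the original guidance or any Penn tool; the record layout, the function name `check_backups`, and reading "weekly" as a 7-day maximum age are assumptions, and the sample data is constructed.

```python
from datetime import date, timedelta

# Constructed sample catalogue (not real data): one entry per backup copy.
CATALOGUE = [
    {"kind": "full", "taken": date(2024, 3, 3), "site": "on"},
    {"kind": "full", "taken": date(2024, 3, 3), "site": "off"},
    {"kind": "full", "taken": date(2024, 3, 10), "site": "on"},
    {"kind": "os", "taken": date(2024, 2, 20), "site": "off"},
]
OS_UPGRADES = [date(2024, 2, 19), date(2024, 3, 8)]  # constructed upgrade dates


def check_backups(catalogue, os_upgrades, today, max_age_days=7):
    """Return a list of findings; an empty list means the schedule is met."""
    findings = []
    fulls = [b for b in catalogue if b["kind"] == "full"]

    # Two copies of full backups: one on-site, one off-site.
    for site, label in (("on", "on-site"), ("off", "off-site")):
        if not any(b["site"] == site for b in fulls):
            findings.append(f"no full backup copy held {label}")

    # Weekly rotation (assumed to mean at most max_age_days between rotations).
    off_dates = [b["taken"] for b in fulls if b["site"] == "off"]
    if off_dates:
        age = (today - max(off_dates)).days
        if age > max_age_days:
            findings.append(f"newest off-site full backup is {age} days old")

    # Every OS upgrade needs an off-site OS backup taken on or after it
    # and before the next upgrade (or up to today for the latest one).
    os_off = [b["taken"] for b in catalogue
              if b["kind"] == "os" and b["site"] == "off"]
    upgrades = sorted(os_upgrades)
    for i, upgraded in enumerate(upgrades):
        until = upgrades[i + 1] if i + 1 < len(upgrades) else today + timedelta(days=1)
        if not any(upgraded <= taken < until for taken in os_off):
            findings.append(f"no off-site OS backup after upgrade of {upgraded}")
    return findings


if __name__ == "__main__":
    for finding in check_backups(CATALOGUE, OS_UPGRADES, date(2024, 3, 12)):
        print("FINDING:", finding)
```
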

Other methods for backup and off-site storage are available – for example, ISC’s Back-IT-UP service. Additional information regarding this service can be found at: https://www.mr.isc-seo.upenn.edu/Pages/BIU.aspx. Another alternative is to partner with a third party vendor that specifically provides data backup and off-site storage, such as VRI or Iron Mountain.

Whether using the University’s Back-IT-UP service or another third party vendor, ensure that a contract and service level agreement are in place. Agreements should be reviewed and, if required, contracts should be provisioned to ensure confidentiality of critical data. Further detail about evaluating third party vendors can be found on OACP’s Privacy web site at /privacy/penndata/evaluating-third-parties/.

IT Asset Inventory

Efficient and effective computing inventory and software management processes, which ensure that servers, desktops, workstations and other computing equipment are appropriately accounted for, are critical to any organization. Failure to properly track computing inventories significantly increases financial, compliance and operational risks.

Create a formalized computing asset and software asset inventory process. Ensure that critical applications maintained by departmental personnel are adequately documented and maintained. This inventory process and documentation facilitates disaster recovery and business continuity planning and operational efficiencies. Develop maintenance procedures to ensure the inventory reflects current operations on an on-going basis. Consider utilizing scanning tools, such as BigFix, Track-It, Audit Wizard, Apple Remote Desktop etc., to facilitate effective and efficient maintenance of hardware and software inventories.

Web Application Security

The use of web applications has increased significantly as organizations try to find innovative ways to interact with users and customers. The increasing number of computer break-ins, the amount of critical data captured, processed, stored and transmitted across networks, and the rules concerning privacy and protection of personal information require effective controls for managing and administering network security and applications. Management has a responsibility to ensure that users are aware of the latest web application security vulnerabilities, verify that web developers are using secure coding techniques, securely configure web servers, periodically monitor the effectiveness of web application security processes and controls, and verify that user access to the web application is appropriate. It is critical that web applications are secure from the latest web application and web server security vulnerabilities and that only authorized individuals have access to the application.

Create a process to scan web applications or perform code reviews periodically to identify vulnerabilities and errors in code, followed by appropriate resolution of any confirmed vulnerabilities and errors. The Open Web Application Security Project (OWASP) is an excellent resource focused on improving the security of software. Visit their site at https://www.owasp.org.

Looking for an automated commercial scanning tool that you can run against your web applications, free of charge, to identify vulnerabilities? OACP has licensed HP WebInspect to provide just such a service for the Penn Community. Our license allows us to scan any machine owned by the University or Penn Medicine. If you would like more information or to schedule a scan, please contact IT Audit at /contact-us/.

Employee Turnover Checklist

Begin planning the employee’s separation and preparing the exiting process and exit interview as soon as you find out that a staff member is leaving. It is the responsibility of the supervisor/business administrator to manage this turnover or exit process. The online Human Resources Policy Manual should be used as the primary tool to guide this process. These policies are located at https://www.hr.upenn.edu/myhr/resources/policy/termination. An individual separating from the University is responsible for returning University owned equipment and materials to his/her business administrator or immediate supervisor. These may include any purchasing cards, library materials, research notes, keys, identification cards and other University property. Any personal accounts must be settled with the University.

Removing a terminated employee’s access to systems and applications typically requires coordination among Human Resources, the supervisor/business administrator, and IT. Applicable user access forms should be completed to disable or remove the staff member’s access from systems and applications in a timely manner. View an example of an employee exit checklist.

Patching Systems

Administrators should ensure that security patches are up-to-date for systems, applications, and infrastructure. In addition to increased downtime and costs, poor IT patch management increases the likelihood of security vulnerabilities being present that could be exploited to gain unauthorized access to systems, applications, and infrastructure.

To the extent possible, patches should be tested in a test/staging environment before being deployed into the production environment to verify that patches “behave” appropriately in your environment.

Because patches affect production, they should be viewed as a “change” and follow your organization’s structured change management process.

Spyware, Adware and Malware

Adware is the common name used to describe software that is given to the user with advertisements embedded in the application. Many software developers offer their software as “sponsored” freeware (adware) until the end-user pays for the software, at which point the ads should disappear. Adware is sometimes also used to describe a form of spyware that collects information about the user in order to display advertisements in the Web browser. Spyware collects information about you and the ways in which you use your computer. Unfortunately, some of this tracking can become intrusive and move into the spyware category, causing privacy and security concerns.

These forms of spyware fall into the general category of malware. Malware is generally software that you don’t want on your computer and, in a generic sense, refers to software that was written with malicious intent and performs its actions without the user’s permission. Some examples of these include viruses, worms, Trojans, adware, spyware, browser hijackers, toolbars, searchbars, packet-capturing programs, keystroke loggers and password crackers.

To limit your exposure to the type of software described, make sure you use the firewalls and anti-virus software approved by your unit. Keep the virus definitions up-to-date by setting the automatic updates to run daily. Numerous spyware detection/removal tools are available and should be used in coordination with your local support provider if you think your computer has been compromised. If downloading these free tools, confirm you are downloading from a legitimate site.

The SANS Institute (SysAdmin, Audit, Network, Security) has defined the following “quick wins” as the quickest way to defend ourselves against these types of attacks:

  • Monitor workstations, servers, and mobile devices for irregular activity
  • Ensure systems are up-to-date and use auto-update features
  • Disable all auto-run features
  • Configure automated scanning
  • Require and enforce software installation testing and validation prior to production
  • Educate users
  • Employ anti-malware software
  • Block dangerous attachments at e-mail gateways

Server Security

“Monitor, detect, analyze, protect, report, and respond against known vulnerabilities, attacks, and exploitations” and “continuously test and evaluate information security controls and techniques to ensure that they are effectively implemented”. This statement summarizes the 2009 US Senate Homeland Security and Government Affairs Committee in drafting the U.S. ICE Act of 2009 as a mandate for federal agencies. This guiding principle is a best practice to be followed. To maintain security of servers (or any device) connected to the network, run the latest version, keep patches up-to-date, and confirm the device is properly configured before connecting it to the network.

Insufficient configuration controls can lead to security and availability exposures that may permit unauthorized access to systems and data. Manage server configurations by hardening server security using industry best practices for the server type to eliminate security holes. Common configuration mistakes include:

  1. Leaving default settings on deployed servers
  2. Leaving unnecessary services activated
  3. Leaving default passwords on deployed servers
  4. Building too many security roadblocks into the patch remediation path

The organization should develop server configuration manuals to instruct IT on how to configure new servers added to the IT environment, thereby promoting consistency, standardization, and adequate security across the IT environment.

The SANS Institute (SysAdmin, Audit, Network, Security) has defined the following “quick wins” as the quickest way to address configuration issues when creating secure systems:

  • Create a secure system image
    • Document security settings
    • Approved by change control board
    • Registered with central image library
    • Update image based on new threats
    • Validate integrity of master image
    • Remove unnecessary accounts and services
  • Manage image
    • Properly validate and secure images
    • Negotiate contracts to have image preloaded
    • Complement existing security devices
    • Document any deviations
  • Assessment programs
    • Validate number of systems properly configured
    • Provide compliance charts to executives
    • Track measurable improvements
    • Re-image compromised systems