Office of the CIO and Associate Vice-Principal (Information Technology Services)

Electronic Information Security Guidelines (EISG)

These guidelines, published in March 2009, were developed with the input and support of the Senate Information Technology Committee and the Security Community of Practice. The guidelines will continue to evolve as new risks emerge.

These guidelines are intended to:

  1. help the Queen’s University community understand the risks inherent in using and managing electronic information; and
  2. recommend measures and practices that can help to safeguard the security of information in electronic form.
Applicable To            Category                    Title
Department Heads         Systems & Applications      D1. System Assessments
Department Heads         Systems & Applications      D2. Permissions
Department Heads         Confidentiality Agreements  E1. Queen's Employee Requirements
Department Heads         Confidentiality Agreements  E2. Third-party Requirements
Information Stewards     Systems & Applications      D2. Permissions
Principal Investigators  Systems & Applications      D1. System Assessments
Principal Investigators  Systems & Applications      D2. Permissions
Principal Investigators  Confidentiality Agreements  E1. Queen's Employee Requirements
Principal Investigators  Confidentiality Agreements  E2. Third-party Requirements
System Administrators    Servers & Network           C2. Active Services and Open Ports
System Administrators    Servers & Network           C3. Backups
System Administrators    Servers & Network           C4. Firewalls
System Administrators    Servers & Network           C5. Remote Access
System Administrators    Servers & Network           C6. Physical Location of Network Devices
System Administrators    Servers & Network           C1. Physical Location of Servers
All Users                Laptop & Desktop            A1. Antivirus and Anti-Spyware
All Users                Laptop & Desktop            A2. Security Updates and Patches
All Users                Laptop & Desktop            A3. File Sharing and Remote Access
All Users                Laptop & Desktop            A4. Secure Data Deletion and Destruction
All Users                Laptop & Desktop            A5. Encryption
All Users                Laptop & Desktop            A6. Physical Computer Locking
All Users                Laptop & Desktop            A7. Account Passwords
All Users                Passwords                   B1. NetID Password Hijacking
All Users                Passwords                   B2. Sharing Your Personal NetID Password
All Users                Passwords                   B3. Password Changes
All Users                Security Incidents          F1. Actual or Suspected Unauthorised Access
All Users                Peripherals                 G1. Multifunction Devices
All Users                Laptop & Desktop            A8. Operating System Accounts

Additional Information

These guidelines are provided to assist in planning and operational decision-making. In some cases it may be difficult to alter system planning and implementation decisions to comply with these guidelines. Where there is risk that personal and confidential information or systems security may be compromised, modifications will be necessary.

Either the head of the department or the principal investigator of a research group will be responsible for ensuring that all employees are aware of and are working within policy and recommended practices for safeguarding personal and confidential information.

EISG Reference Materials (PDF*, 531 KB)

Questions?

Please contact the Information Systems Security Office.

Guidelines

A1. Antivirus and Anti-Spyware

All computers connected to the University network should have up-to-date antivirus and anti-spyware software installed and running at all times. Scans should be run weekly.

How

Visit the Antivirus Software Page for instructions on how to install current antivirus software.

Additional Information

Software viruses and spyware can allow unauthorized access to information stored on a computer. Viruses can also take control of a computer and use the computer to attempt to compromise other computers it has access to (such as a server). Spyware developers seek to harvest personal information, user IDs (e.g. NetIDs) and passwords without your consent.

Queen’s has a campus-wide license agreement for antivirus software. Every employee and student is entitled to obtain and use a copy.

A2. Security Updates and Patches

All computers connected to the University network should have security patches and other critical software maintenance applied as promptly as possible. Server administrators and computer lab administrators should ensure that they are following a patch management schedule.

How

Consult the help files that are provided with your operating system or application for guidance on how to download and apply security updates and patches.

Additional Information

The industry regularly discovers security vulnerabilities in computer operating systems (e.g., Macintosh OS, Microsoft Windows, various Linux distributions, etc.). The vendors address these weaknesses through security patches released through their websites.

Users should configure operating systems and applications to automatically download and install security patches and other critical updates as they become available, or ensure that they apply them manually as part of a regular system maintenance program.

A3. File Sharing and Remote Access

Any file sharing or remote access software should be configured to allow only secure access to files required for University business.

How

Consult the help files that are provided with your operating system or application for guidance on how to configure it for secure sharing and access.

Additional Information

File sharing software (e.g., Limewire, BitTorrent) can make portions (or even all) of one's hard drive accessible to anyone on the Internet. Similarly, FTP server software running on a computer can be used to gain unauthorized access to sensitive data on that computer.

A4. Secure Data Deletion and Destruction

Computer storage media (hard drives, CDs, tapes, etc.) should be disposed of in a secure manner. Before re-selling, donating or giving away a computer or storage device, all personal and confidential information (refer to the Data Classification Scheme) must be deleted using a secure deletion process.

How

ITServices offers a secure hard drive destruction and disposal service, and a secure hard drive data deletion service.

For portable media (DVDs, CDs, USB keys) physically destroying the media beyond repair is required.

A5. Encryption

Where there is any risk that data, especially personal or confidential information (refer to the Data Classification Scheme), may be accessible by unauthorized individuals, lost or intercepted, the data should be encrypted.

Examples include data:

  • stored on a computer connected to the Internet;
  • stored on a computer used by multiple people or accessible by passers-by;
  • stored on a laptop computer, PDA or smart-phone that is carried out of a secure area;
  • stored on a USB key/drive, CD or DVD that is carried out of a secure area;
  • sent as an attachment to an e-mail message; and
  • transmitted over an unsecure wireless network.

Additional Information Links

Help & Support

Please contact the IT Support Centre by calling 613-533-6666 during regular business hours or by filling out the online help form.

A6. Physical Computer Locking

All computers should be secured with a physical locking device when left unattended.

How

Locks can be purchased from any computer supply store.

A7. Account Passwords

All accounts should be secured with a strong password, including the main Administrator account on Windows computers, which is blank by default. Computers should be configured to require a password when use is resumed after a period of inactivity.

How

The IT Support Centre will assist you in setting a password for your account in Windows and Macintosh operating systems. They will also help you set a screensaver password, which will automatically lock your computer after a specified period of inactivity. If you use a different operating system, consult the help files that are provided with your operating system for guidance on how to set a password.

In some departments it may be necessary to contact your ITAdmin Representative to set up or change your password.

Additional Information

Examples of accounts that this guideline encompasses include:

  • NetID
  • Computer user accounts
  • Computer administrator accounts
  • Miscellaneous application logins

A8. Operating System Accounts

Separate user accounts not belonging to the administrator group should be created for day-to-day use for each user.

How

The IT Support Centre will assist you in creating user accounts in Windows and Macintosh operating systems. If you use a different operating system, consult the help files that are provided with your operating system for guidance on how to create a user account.

In some departments it may be necessary to contact your ITAdmin Representative to create a user account.

Additional Information

Accounts that are part of the administrator group should only be used for activities such as:

  • installing and configuring software;
  • changing system settings; and
  • setting up other accounts.

B1. Account Hijacking

If you believe that your Queen's NetID is being used by an unauthorized person or that the password associated with it has become known to an unauthorized person, you should change your NetID password immediately and report the breach to ITServices.

How

  1. To change your NetID password, please visit the Manage My Profile page.
  2. Report the breach in one of the following ways:

B2. Sharing Your Personal NetID Password

Never disclose your personal NetID password.

Additional Information

Passwords associated with your Queen's Network Identity (NetID) should not be shared with others, written down in one's work area, or stored on one's computer in unencrypted form. This also applies for passwords used to access any other systems which contain or provide access to personal and confidential information (refer to the Data Classification Scheme).

Sharing your NetID password is a violation of the Queen's University Electronic Information Security Policy Framework.

B3. Password Changes

Passwords for systems which contain or provide access to personal and confidential information (refer to the Data Classification Scheme) should be changed every 6 months.

How

To change your NetID password, please visit the Manage My Profile page.

To change other passwords, consult the help files that are provided with your operating system or application for guidance.

If you have any further questions, contact the IT Support Centre.

C1. Physical Location of Servers

All critical servers and their storage devices should be in a location that is accessible only to authorized individuals with appropriate keys or access privileges.

Additional Information

ITServices offers a server hosting service which is in full compliance with this guideline. Please visit the Server Hosting page for more information.

C2. Active Services and Open Ports

Prior to putting a server into production, the system administrator should ensure that only the necessary ports are open and that only required internet services are enabled. System administrators should also regularly review the server's configuration.

How

Consult the help files that are provided with your operating system for guidance.

C3. Backups

All critical servers should be backed up on a regular basis. All backups should be stored in a separate secure location.

How

Consult the help files that are provided with your operating system for guidance.

Why

Backups are critical in the event of a hardware malfunction such as a hard drive failure, but can also prove invaluable if the data is somehow corrupted. It is important to store the backup data in a location physically separate from the server, in case a catastrophe (e.g., fire) strikes the main server. Having the backup in a secure area is just as important as having the server in a secure area: the theft of a backup would expose the same amount of data as the theft of the server itself.

When

Full backups should be performed once a week. Incremental backups should be performed daily between each full backup.

Additional Information

ITServices provides backup services for both Windows and Solaris servers. Server administrators can contact the IT Support Centre or the ITServices Main Office to request a consultation regarding server backups.

C4. Firewalls

All servers which store or process personal and confidential information (refer to the Data Classification Scheme) should be protected behind a firewall that uses an intrusion detection and prevention system.

Additional Information

Protecting sensitive information, particularly personal and confidential information, requires multiple levels of security. Firewalls that use an intrusion detection and prevention system provide added protection to detect and prevent unauthorized access and other forms of attack.

Prior to deploying a server which will store, process or provide access to personal and confidential information, system administrators should consult with ITServices about firewall and IDS/IPS protection alternatives.

C5. Remote Access

Off-campus remote administration access to critical servers must be available only through encrypted and secure connection methods (e.g., SSH, SSL/VPN).

How

Consult the help files that are provided with your operating system for guidance.

Why

Any connection to a Queen's server that is initiated from off-campus will travel through networks that are not controlled by Queen's. These networks may have malicious users capturing information that passes through them. If the data that passes through these networks is not encrypted, a malicious user can capture all the passed data (including your username and password) and read it just as easily as reading a Word document.

C6. Physical Location of Network Devices

All network components (switches, hubs, routers, etc.) should be in a location that is accessible only to authorized individuals with appropriate keys or access privileges.

Why

A malicious user with access to such network components may be able to capture all the information (including usernames and passwords) passed through the device, or circumvent network level access restrictions.

Additional Information

Ensure that such network components are in a location that is accessible only to authorized individuals (e.g., technical staff in the department or designated ITServices employees) with appropriate keys or access privileges. Do not leave any equipment unattended in an open office area or in an office when you are not there. Wherever possible, network components should be located in designated communications closets or rooms.

D1. System Assessments

Any new system or application which will be connected to the Queen's network should be subjected to a systems assessment prior to being put into production.

How

Please contact the Information Systems Security Manager.

D2. Permissions

All users of a system should be given access only to the functions that are required for their job. Users that no longer require access to the system should have their permissions revoked immediately. An annual review should be performed to verify and correct all permissions.

How

Consult the help files that are provided with your operating system or application for guidance.

Additional Information

  • If the application supports it, use groups to manage permissions. Create groups by functional area (e.g., Faculty, Staff, Students) or by access level (e.g., Readers, Editors, System Administrators). Individuals can then be added to or removed from groups without changing any of the pre-existing group permissions.
  • If the application supports it, use dynamically created groups available through tools like LDAP or Active Directory. Groups in these tools are maintained by the group's owner (e.g., Human Resources).
  • If the application has hierarchical access, two principles will minimize permission changes, especially if groups are used. First, the top level of the hierarchy should be accessible to everyone who needs access, with the smallest set of permissions possible (e.g., read-only). Second, each subsequent layer in the hierarchy should reduce the audience but increase the permissions needed to do the work (e.g., read/write/delete).
  • If you have been delegated Administrator permissions, do not extend them to anyone other than the person assigned to back you up.
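As an added example (not part of the Queen's guidelines), a small Python model of the group-based, hierarchical permission scheme described above: it checks the two hierarchy principles (top level read-only for the widest audience, deeper layers narrower audience with more permissions), revokes a departed user from every group at once, and flags users whose access has not been reviewed within a year. The directory, layer names and user ids are constructed.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

READ, WRITE, DELETE = "read", "write", "delete"


@dataclass
class Layer:
    """One level of the resource hierarchy; grants maps group -> permissions."""
    name: str
    grants: dict[str, set[str]]
    parent: "Layer | None" = None


@dataclass
class Directory:
    """Constructed stand-in for an LDAP/AD-style group directory."""
    members: dict[str, set[str]]                              # group -> user ids
    reviewed: dict[str, date] = field(default_factory=dict)  # user -> last review


def audience(layer: Layer, d: Directory) -> set[str]:
    """Users who can reach this layer through any of its granted groups."""
    return set().union(*(d.members.get(g, set()) for g in layer.grants))


def permissions(layer: Layer) -> set[str]:
    """Union of the permissions granted at this layer."""
    return set().union(*layer.grants.values())


def violations(layers: list[Layer], d: Directory) -> list[str]:
    """Apply the two D2 hierarchy principles; returns a list of problems."""
    out = []
    for layer in layers:
        if layer.parent is None:
            if permissions(layer) != {READ}:          # principle 1: top is read-only
                out.append(f"{layer.name}: top level must be read-only")
            continue
        if not audience(layer, d) <= audience(layer.parent, d):   # principle 2a
            out.append(f"{layer.name}: audience wider than {layer.parent.name}")
        if not permissions(layer) >= permissions(layer.parent):   # principle 2b
            out.append(f"{layer.name}: grants less than {layer.parent.name}")
    return out


def revoke(user: str, d: Directory) -> int:
    """Remove a departed user from every group; returns the number of groups touched."""
    touched = 0
    for group in d.members.values():
        if user in group:
            group.discard(user)
            touched += 1
    d.reviewed.pop(user, None)
    return touched


def overdue_review(d: Directory, today: date, days: int = 365) -> set[str]:
    """Users whose access has not been reviewed within the annual cycle."""
    users = set().union(*d.members.values())
    return {u for u in users if today - d.reviewed.get(u, date.min) > timedelta(days=days)}


# Constructed sample: three access-level groups and a three-layer hierarchy.
DIRECTORY = Directory(
    members={"readers": {"alice", "bob", "carol"}, "editors": {"alice", "bob"}, "admins": {"alice"}},
    reviewed={"alice": date(2009, 3, 1), "bob": date(2009, 3, 1), "carol": date(2008, 1, 15)},
)
ROOT = Layer("department", {"readers": {READ}})
PROJECT = Layer("project", {"editors": {READ, WRITE}}, parent=ROOT)
ARCHIVE = Layer("project/archive", {"admins": {READ, WRITE, DELETE}}, parent=PROJECT)
LAYERS = [ROOT, PROJECT, ARCHIVE]
```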

E1. Queen's Employee Requirements

All employees whose position at the University requires that they have access to personal and confidential information (refer to the Data Classification Scheme) should be required to sign a statement of confidentiality and non-disclosure.

How

Department heads and principal investigators should have such employees review and sign the appropriate Confidentiality and Non-Disclosure Agreement(s).

E2. Third-Party Requirements

All parties who will have access to the University's personal and confidential information (refer to the Data Classification Scheme) should be required to sign a confidentiality and non-disclosure agreement before they are given access.

How

Department heads and principal investigators should have such third parties review and sign the appropriate Confidentiality and Non-Disclosure Agreement(s).

F1. Actual or Suspected Unauthorised Access

Any member of the Queen's community who discovers or suspects that personal and confidential information (refer to the Data Classification Scheme) has been stolen, exposed to unauthorised access, or is somehow vulnerable, should report such situations to Information Technology Services without delay.

How

Follow the process described for Reporting Security Issues.

G1. Multifunction Devices

These guidelines document the security requirements for the following networked devices:

  • Printers
  • Scanners
  • Copiers
  • Faxes
  • MFDs*

* An MFD is sometimes called a multifunction printer (MFP) or all-in-one (AIO) device, and typically incorporates printing, copying, scanning, and faxing capabilities. For the purposes of these guidelines, we will refer to all of the devices listed above as MFDs.

It is assumed that networked campus MFDs are likely to handle some amount of personal, confidential, and/or operationally-sensitive University information. These guidelines are required to protect that information.

The Information Systems Security Office derived this list from government and industry documents, with a particular focus on configuration issues that are unique to the computing environment at Queen's University.

Because management interfaces for MFDs vary, even within the same product line, these guidelines provide general best practices. In order to implement them, consult your MFD’s documentation or the vendor.

Installation/Configuration Guidelines

  1. Change the factory default password that controls device configuration. (See website page on Choosing a Strong Password for additional information.)
  2. Assign an IP address. (Contact your ITAdmin Rep for assistance, and be sure to specify it is for a network printer, copier or MFD.)
  3. If hard disk functionality is enabled, configure the device to remove spooled files, images, and other temporary data using a secure overwrite between jobs.
  4. Use secure communications (such as HTTPS) to access web-based device configuration pages.
  5. Disable all protocols other than IP printing, if they are not being utilized.
  6. Upgrade to patched firmware when it becomes available from the vendor.

Note: Both Seaway Solutions (Xerox) and the OT Group (Canon) will follow the above-mentioned configuration guidelines.

Decommissioning Guideline

All Multifunction Devices with hard drives must have their hard drives securely erased when removed from service and when storage components are replaced. A certificate of erasure must be supplied to Strategic Procurement Services (SPS).

  • Both Seaway Solutions (Xerox) and the OT Group (Canon) will follow the necessary erasure protocols and provide a certificate of erasure to SPS whenever they decommission a leased device.
  • If you own a networked MFD with a hard drive that is not leased through one of the University's enterprise agreements, ITServices offers a Hard Drive Destruction and Disposal service which can assist in the proper disposal of hard drives.

Physical Location

If your device contains a hard drive, you should choose its location carefully:

  • Where possible, try to locate it in an area that has little or no public access during business hours, and is locked down during non-business hours.
  • If your device is in a public area (e.g. a library), it may be necessary to lock the device to prevent access to the hard drive inside it.

Additional Information

Please see the following pages for further information:

The EDUCAUSE & Internet2 Higher Education Information Security Council (HEISC) has gathered resources on this topic and developed a list of suggested steps to take when securing campus copiers, printers, or other multifunction devices:

References

Questions?

Please contact the Information Systems Security Office.


* PDF files can be read for free using Adobe Acrobat Reader.