| Field | Value |
|---|---|
| Title: | System and Application Security Policy |
| Policy Owner: | Information Technology Services / Chief Information Security Officer |
| Applies to: | All students, faculty, and staff |
| Campus Applicability: | All campuses except UConn Health |
| Effective Date: | August 30, 2021 |
| For More Information, Contact: | UConn Information Security Office |
| Contact Information: | email@example.com or firstname.lastname@example.org |
To ensure the security of university data by establishing requirements for the proper maintenance and oversight of systems and applications used by university constituents.
This policy applies to all individuals responsible for operating or overseeing any University system or application, whether on-premise or in the cloud.
ITS: Information Technology Services
SaaS (Software as a Service): Cloud-based service that is delivered via the web on either a monthly or annual subscription
PaaS (Platform as a Service): Cloud-based service that provides a platform allowing for the development of software using an established framework, to improve development time and the management of cloud services
PII (Personally Identifiable Information): Information that either singularly or in conjunction with other data elements could reasonably lead to the identification of specific individuals
The proper maintenance and review of systems and applications is critical to protecting the data they store or process. While requirements may vary as to the administration and operation of any system or application, the following are required of any individual responsible for a system or application related to the University of Connecticut’s computing environment, whether on-premise or in the cloud.
All systems supporting any aspect of the University must have an identified owner and responsible party for ensuring the controls specified in this document. For a system that is fully cloud-based, a UConn faculty or staff member is responsible for overseeing that the following controls are appropriately applied and adhered to by the cloud provider.
System and Application Security
All software and services used to process University of Connecticut information are subject to an Information Security review and sign-off prior to their purchase or development. Information Security reviews will evaluate the specific risks and the controls available and necessary based on the information being processed. The system owner is responsible for deploying the agreed-upon security controls before the system or application is enabled for production use.
Only necessary software should be loaded on systems, and old versions of software removed. The use of web browsers should be limited to the management of the system only.
Access to information in the possession of or under the control of the University of Connecticut must be provided on a need-to-know basis. Information must be disclosed only to individuals who have a legitimate and approved business need for it. Information may only be used for its intended purpose; other uses of university information without the approval of the data owner are not allowed.
Patching and Maintenance
All individuals, including faculty, staff, or students, who have taken on or been assigned the responsibility of managing any system or application attached to the University of Connecticut network, or any cloud system that holds a relationship to the University of Connecticut or holds University of Connecticut data, must ensure the timely implementation of operating system and application patches to provide for the confidentiality, integrity, and availability of said systems or data. The ongoing maintenance of applications and the application of software updates is an activity that must be regularly scheduled, on a minimum quarterly basis. ITS and many other parts of the University maintain systems to simplify the patching of operating systems.
Cloud-based SaaS and PaaS systems typically remove the requirement for patching and maintenance, as the responsibility for this is handled by the vendor; the responsible UConn faculty or staff member remains accountable for confirming that the vendor performs it.
University of Connecticut Information Technology Services (ITS) provides centralized identity and access management (IAM) that supports identity validation and access control using a NetID and password. Systems and applications that rely on the University IAM platform for authenticating individual access rights can forgo user management beyond assigning any roles within the system or application, as necessary.
Systems and applications that do not use the central IAM solution must have a written plan and a designated individual responsible for the creation, modification, and deletion of user IDs. User IDs, including student accounts, must be reviewed when faculty, staff, or students separate from the University, and at least annually. This includes a process for ensuring the secure creation of passwords and a secure password reset process that validates an individual's identity prior to resetting the password.
Systems where individuals have access to a significant amount of the PII of other constituents, including students, faculty, staff, alumni, and vendors, or to significant amounts of regulated data, should leverage multi-factor authentication wherever possible.
Auditing of Systems and Application Logs
System and application logs should be reviewed for inappropriate access on a regular basis (at least monthly), or via automated systems capable of detecting misuse through the analysis of frequent password failures, geographic anomalies, or inappropriate access attempts. ITS maintains a centralized logging and reporting platform, which can assist in the analysis of the large amounts of data often associated with system and application logs.
System and Application Lifecycle Management
Any system or application that is no longer supported by the vendor or has been replaced by newer technology should be decommissioned as soon as possible. Keeping systems and applications properly updated is critical to protecting the confidentiality, integrity, and availability of the system or application and its data. The decommissioning process must include the proper retirement of any physical hardware or virtual images and the proper destruction of any media (e.g., hard drives, tapes) that may hold data. When cloud services are decommissioned, the proper handling of any data in the cloud vendor's possession (return and/or destruction) must be ensured as part of the contract cancellation.
Protection of Regulated Data
Certain classes of information stored within University of Connecticut systems and applications have additional regulatory requirements associated with their storage and/or transmission. This data includes, but is not limited to: Personally Identifiable Information (PII), including certain combinations of data regarded as sensitive PII; Personal Health Information (PHI); Payment Card Industry (PCI) information; and any information subject to the Family Educational Rights and Privacy Act (FERPA). The University must also comply with any additional protections of information or datasets contractually required by other agencies or organizations.
All suspected policy violations, system intrusions, and other conditions that might jeopardize University of Connecticut information or information systems must be immediately reported to the Information Security Office.
Systems and applications that do not follow the standards set forth in this policy may be administratively shut down, or have their access restricted to on-campus use or to individual personnel only. Systems maintained at the departmental or individual level may incur costs associated with enabling the proper protections or, in the event of data exposure, with responding to it.
Violations of this policy may result in appropriate disciplinary measures in accordance with University By-Laws, General Rules of Conduct for All University Employees, applicable collective bargaining agreements, and the Student Code.
Questions about this policy or suspected violations may be reported to any of the following:
Office of University Compliance – https://compliance.uconn.edu (860-486-2530)
Information Technology Services Tech Support – https://techsupport.uconn.edu (860-486-4357)
Information Security Office – https://security.uconn.edu
Policy created: August 30, 2021 [Approved by President’s Senior Team]