| | | | | |
|---|
| Section 4: Risk Assessment & Treatment |
4.1
Assessing Security Risks Identify, quantify, and prioritize risks against criteria for risk acceptance relevant to the organization
• Performed Periodically
• Systematic Approach estimating risks
• Clearly defined scope | PCI is an audit standard and risks are quantified and
prioritized within it Maintain an Information Security Policy 12.2 - Implement a risk-assessment process that:
• Is performed at least annually and upon
significant changes to the environment
(for example, acquisition, merger,
relocation, etc.),
• Identifies critical assets, threats, and
vulnerabilities, and
• Results in a formal, documented analysis
of risk | III.B. Assess Risk | N/A |
| Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly. Server Vulnerability Scans
Servers scanned on a regular basis using Tenable.io vulnerability scanning tool. DLP Compliance DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform. Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed.
Title IV: Department of Education Requirements
NIST Framework for Improving Critical Infrastructure Cybersecurity
LETU evaluates internal CyberSecurity measures against NIST Framework v1.1 as part of internal annual CyberSecurity review process |
4.2
Treating Security Risks Before treating, organization must ascertain
ability and level of risk acceptable to an
organization
• Knowing and objectively accepting risk
in accordance with organization risk
tolerance
• Avoiding risk by not engaging in
activities that introduce risk
• Transferring risks to other parties | Protect Cardholder Data 3.4 - Render PAN (Primary Account Number),
at a minimum, unreadable anywhere
it is stored (including on portable digital media,
backup media, in logs)
6 - Develop and maintain secure systems and
applications | III.C. Manage and Control Risk | N/A |
| All data at rest stored using one-way strong
encryption hashes Cardholder Data PAN information is not stored on LETU systems. All external vendors required to comply with PCI DSS standards. LETU Maintains PCI Compliant status. MFA
Mandatory multi-factor authentication for all LETU employees eliminates threat of single-factor password compromises.
|
| Section 5: Security Policy |
5.1
Information Security Policy Information security policies should be
sponsored/approved by management,
published to all employees and relevant
external parties
Include within:
• Definition of information security,
objectives, scope, and importance
• Statement of management intent,
supporting goals and principles
• Framework for setting control
objectives and controls | Maintain an Information Security Policy 12.4 - Ensure that the security policy and procedures
clearly define information security responsibilities for
all employees and contractors 12.5.1 - Establish, document, and distribute security
policies and procedures | II.A. Information
Security Program
II.B. Objectives
III.A. Invoice Board
of Directors | N/A | Security f. Information Security policy | LETU Information Security Compliance Reference LETU Information Security Compliance Reference reviewed by Information Security office annually and employees reminded annually. Title IV: Department of Education Requirements |
| Section 6: Organization of Information Security |
6.1
Internal Organization A management framework should be
established to initiate and control the
implementation of information security
within the organization | Maintain an Information Security Policy 12.4 - Ensure that the security policy and procedures
clearly define information security responsibilities for
all employees and contractors. 12.5.1 - Establish, document, and distribute security
policies and procedures | II. A. Information
Security Program
II.B. Objectives
III. A. Involve the
Board of Directors
III.C. Manage and
Control Risk
III.F. Report to the
Board | 3.1.4 Separate the duties of individuals
to reduce the risk of malevolent activity
without collusion 3.6 Incident Response 3.14 System and Information Integrity |
| LETU Information Security Compliance Reference LETU Information Security Compliance Reference reviewed by Information Security office
annually and employees reminded annually.
Security Awareness Program: Cardholder Data Title IV: Department of Education Requirements
|
6.2
External Parties To maintain the security of information and
information processing facilities that are
accessed, processed, communicated to, or
managed by external parties | Maintain an Information Security Policy 12.8.2 - Maintain a written agreement that includes an
acknowledgement that the service providers are
responsible for the security of cardholder data the
service providers posess | III.C. Manage and
Control Risk
III.D. Oversee
Service Provider
Arrangements | 3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems) 3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute |
| Statements of Service Provider Compliance: PCI |
| Section 7: Asset Management |
7.1
Responsibility for Assets All assets should be accounted for and have
a nominated owner | Maintain an Information Security Policy 12.3.4 Labeling of devices with owner, contact
information, and purpose | N/A | 3.1.21 Limit use of organizational portable
storage devices on external information
systems 3.4.1 Establish and maintain baseline
configurations and inventories of
organizational information systems
throughout their life cycle 3.4.2 Establish and enforce security
configuration settings for information
technology products employed in
organizational information systems 3.9 Personnel Security |
| Card Devices
Physical labeling and annual inspection of card devices for payment card industry cards. Network Equip All LETU network equipment physically tagged and inventoried for tracking purposes. System Center Configuration Manager
Used to tattoo funding agent responsible for asset
and to inventory asset information to central database |
7.2
Information Classification Information should be classified to indicate
the need, priorities and expected degree of
protection
• Define an information classification
scheme | Implement Strong Access Control Measures 7.1 - Limit access to system components and cardholder
data to only those individuals whose job requires
such access.
7.2 - Establish an access control system for system
components with multiple users that restricts access
based on a user’s need to know and is set to "deny
all" unless specifically allowed. | PII (Personal Indentifying Information) is protected here. | 3.8 Media Protection 3.13.1 Monitor, control, and protect
organizational communications at the
external boundaries and key internal
boundaries of the information systems |
| Datacenter Security Measures
All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited.
More information is available in the
LETU Datacenter Security Guidelines document.
Network ACLs
Network Access Control lists (ACLs) are used to restrict access to systems based
on IP, port or other network characteristic and is used to restrict access to
locations from which access is expected to originate.
Security Groups
Security Groups are used to restrict access to specific content on a per-user
basis as authorized by the primary owner of the data or content. Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf
|
| Section 8: Human Resources Security |
8.1
Prior to Employment To ensure that employees, contractors and
third party users understand responsibilities,
and are suitable for their roles; reduce the
risk of theft, fraud, and or misuse of facilities/
resources | Maintain an Information Security Policy 12.7 - Screen potential employees prior to hire to
minimize the risk of attacks from internal sources. | III.C. Manage and
Control Risk | 3.9.1 Screen individuals prior to authorizing
access to information systems containing CUI |
| Human Resources Background checks are performed on all new-hires
|
8.2
During Employment To ensure that employees, contractors and
third party users are aware of information
security threats and concerns, their
responsibilities and liabilities, and are
equipped to support security policy in the
course of their normal work | Maintain an Information Security Policy 12.6 - Implement a formal security awareness program
to make all employees aware of the importance of
cardholder data security. | III.C. Manage and
Control Risk | 3.2 Awareness and Training 3.6 Incident Response | Systems Development and Change Management c. Policies regarding system development, program change Security i. Procedures for issuing and suspending user access | New-Hire training
IT orientation with all new employees to brief them on
cybersecurity best practices DLP Compliance DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform. Self-Phishing Campaigns Quarterly self-phishing conducted with email training
sent to all employees Annual PCI training
Yearly PCI training emailed to employees directly involved
in credit card processing Program Change
IT Directors review training needs during annual performance reviews. Employees offered training as new software is made available Annual Re-Authorization
Each year access rights are periodically reviewed by every supervisor and must be reauthorized to maintain those rights for the upcoming year |
8.3
Termination or Change of Employment To ensure that employees, contractors and
third party users exit an organization or
change employment in an orderly manner | Implement Strong Access Control Measures 9.3 - Immediately revoke access for any terminated
users Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | N/A | 3.9.2 Ensure that CUI and information systems
containing CUI are protected during and after
personnel actions such as terminations
and transfers | Security i. Procedures for suspending and closing user accounts | Account Automation
In-house programmatic account access control used to
disable accounts keyed off an employee's separation date
in an HR database
Separation Process
Human Resource notifications to IT trigger a specific review
of each separation, tracked using our WIT request system
for additional specific review of the security and other IT
needs related to each separation. |
| Section 9: Physical and Environmental Security |
9.1
Secure Areas To prevent unauthorized physical
access, damage, and interference to the
organization’s premises and information
• Critical or sensitive information
processing facilities should be housed
in secure areas
• Protection provided should be
commensurate with the identified risks | Implement Strong Access Control Measures 9. Restrict physical access to cardholder data | III.C. Manage and
Control Risk | 3.10 Physical Protection | Security j. Physically restrict access to key components | Datacenter Security Measures
All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited. The Data Center has its own environmental control (AC) as well as Uninterruptible Power Supply (UPS). Fire extinguishers are present in both data centers. Email alerts go out with detection of excessive heat
More information is available in the
LETU Datacenter Security Guidelines document. |
9.2
Equipment Security To prevent loss, damage, theft or
compromise of assets and interruption to
the organization’s activities | Implement Strong Access Control Measures 9.1.3 - Restrict physical access to wireless access points,
gateways, and handheld devices | III.C. Manage and
Control Risk | 3.7 Maintenance 3.8 Media Protection 3.10.6 Enforce safeguarding measures for
CUI at alternate work sites (e.g., telework sites)
|
| Locked AP cabinets
Wireless Access Points located in locked enclosures Unauthorized WAP detection
Detection and Identification of
Unauthorized Wireless Access Points (WAPs) Datacloset Security Measures All LETU Dataclosets are secured with a non-general-
master keyset and most are additionally secured by
proximity-based electronic locking systems.
Datacenter Security Measures All LETU Datacenters containing protected information are secured by
proximity-based card access control systems with highly restrictive
access configurations as well as video security coverage with archival
review capabilities. Access to all LETU Datacenters is extremely limited.
More information is available in the
LETU Datacenter Security Guidelines document. |
| Section 10: Communications and Operations Management |
10.1
Operational Procedures & Responsibilities Responsibilities and procedures for
the management and operation of all
information processing facilities should be
established
• Segregation of duties should be
implemented | 6.4.1 - Separate development/test and production
environments | III.C. Manage and
Control Risk | 3.4.3 Track, review, approve/disapprove,
and audit changes to information systems 3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system |
| LETU Production/Test Architecture
LETU maintains specific testing environments separate from the production environment
as necessary for the secure evaluation of development or updated code/configs on both
LETU virtual server hosting systems and network architecture. Access lists and secured credentials limit access to both production and testing environment resources to authorized users. Title IV: Department of Education Requirements |
10.2
Third-Party Service Delivery Management Validate the implementation of agreements,
monitor compliance, and manage changes
to ensure that all services delivered meet
requirements set out in agreements | Maintain an Information Security Policy 12.8.2 Maintain a written agreement that includes
acknowledgement that the service providers are
responsible for the security of cardholder data the
service providers posses. | III.D. Oversee Service Provider
Arrangements | N/A |
| Statements of Service Provider Compliance: PCI |
10.3
System Planning and Acceptance To minimize the risk of systems failures
• Advanced planning and preparation
are required to ensure availability and
adequate capacity of resources
• Operational requirements of new
systems should be established,
documented, and tested | Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications
Regularly Monitor and Test Networks
11. Regularly test security systems and processes | III.C. Manage and
Control Risk | N/A |
| Trustwave PCI Rapid Comply PCI compliance scanner: pcirapidcomply2.com
used monthly. Server Vulnerability Scans
Public-facing servers scanned annually using
https://www.ssllabs.com/ssltest tool. DLP Compliance DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform. Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed. Data Loss Preventation Guidelines |
10.4
Protection Against Malicious & Mobile Code Precautions are required to prevent and detect the introduction of malicious code
and unauthorized mobile code | Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications | III.C. Manage and
Control Risk | 3.2 Awareness and Training 3.14.2 Provide protection from malicious code at appropriate
locations within organizational information systems 3.14.3 Monitor information system security alerts and
advisories and take appropriate actions in response 3.14.4 Update malicious code protection mechanisms
when new releases are available 3.14.5 Perform periodic scans of the information system
and real-time scans of files from external sources as files
are downloaded, opened, or executed |
| System Center Endpoint Protection Protects against malicious code for managed endpoints;
new definitions are automatically downloaded daily and
real-time protection is enabled on all managed clients along
with daily quick-scans and weekly full-scans
|
10.5
Back-up To maintain the integrity and availability
of information and information processing
facilities | Implement Strong Access Control Measures 9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 10. Track and monitor all access to network resources
and cardholder data Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.8.9 Protect the confidentiality of
backup CUI at storage locations | Operations h. Recorded data remains complete and accurate | Veeam Disaster recovery for all managed virtual servers Backup Exec
Disaster recovery for additional agent-managed servers \\letnet.net\fs\backup Backups Disaster recovery for non-agent, *nix-based and other systems Off-site Regularly rotated Off-site vault storage of backup media |
10.6
Network Security Management To ensure the protection of information
in networks and the protection of the
supporting infrastructure | Build and Maintain a Secure Network 1. Install and maintain a firewall
2. Do not use vendor-supplied defaults for system
passwords and other security parameters Maintain a Vulnerability Management Program 5. Use and regularly update anti-virus software
6. Develop and maintain secure systems and
applications | III.C. Manage and
Control Risk | 3.1.2 Monitor and control remote
access sessions 3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions 3.1.14 Route remote access via
managed access control points 3.1.16 Authorize wireless access prior
to allowing such connections 3.1.17 Protect wireless access using
authentication and encryption 3.7.5 Require multifactor authentication to
establish nonlocal maintenance sessions via
external network connections and terminate
such connections when nonlocal maintenance
is complete 3.13 System and Communications Protection | Security h. Network security restricts access to financial systems | Gateway Security
LETU networks are secured with access control lists (ACLs) ACLs that greatly restrict access to all LETU MFA
Mandatory multi-factor authentication for all LETU employees eliminates threat of single-factor password compromises.
System Center Configuration Manager
Inventory and manage technology assets throughout
lifecycle to ensure security System Center Endpoint Protection
Protects against malicious code for managed endpoints
|
10.7
Media Handling To prevent unauthorized disclosure,
modification, removal or destruction of
assets, and interruption to business activities
• Media should be controlled and
physically protected
• Appropriate operating procedures
should be established to protect,
documents, and computer media | Protect Cardholder Data 3. Protect stored data
4. Encrypt transmissions of cardholder data and
sensitive information across public networks Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know
9. Restrict physical access to cardholder data Regularly Monitor and Test Networks 11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | N/A |
| Protect Stored Cardholder Data Encrypt transmission of cardholder data
across open, public networks Mobile Device Encryption
All mobile devices have encrypted hard drives per
LETU policy:
http://www.letu.edu/start/publications/policy/upps/mobile-encryption.pdf |
10.8
Exchange of Information To maintain the security of information and
software exchanged within an organization
and with any external entity | Build and Maintain a Secure Network 1. Install and maintain a firewall
Protect Cardholder Data:
4. Encrypt transmissions of cardholder data and
sensitive information across public networks Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know Implement Strong Access Control Measures 8. Assign a unique ID to each person with computer
access Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.1.15 Authorize remote execution of
privileged commands and remote access
to security-relevant information 3.1.16 Authorize wireless access prior
to allowing such connections 3.1.17 Protect wireless access using
authentication and encryption 3.13 System and Communications Protection |
| Unique IDs
Each user has a unique SIS ID and username Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights Customer request system allows supervisors to request permissions their employees need. Data Loss Prevention (DLP)
|
10.9
Electronic Commerce Services To ensure the security of electronic
commerce services, and their secure use | Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to
protect data
2. Do not use vendor-supplied defaults for system
passwords and other security parameters Protect Cardholder Data 4. Encrypt transmissions of cardholder data and
sensitive information across public networks Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications | III.C. Manage and Control Risk | N/A | Operations l. Ensure third-party services are secure | Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly. Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
used annually Encrypt transmission of cardholder data across open, public networks Vendor Guidelines
Established guidelines in place when selecting on-premise or cloud-hosted vendor applications. Contracts for these vendors are reviewed by CIO and CFO with questions specific to risks, security controls, and other guideline-based information. This policy is contained in the Acceptable Use for Technology Systems. Acceptable Use for Technology Systems http://www.letu.edu/start/publications/policy/letu-policy-handbook.pdf
Data Loss Prevention (DLP)
|
10.10
Monitoring To detect unauthorized information
processing activities including review of
operator logs and fault logging
• Systems should be monitored and
information security events should be
recorded
• Organization should comply with all
relevant legal requirements applicable
to monitoring and logging
• System monitoring should be used
to check the effectiveness of controls
adopted and to verify conformity to
access policies | Implement Strong Access Control Measures 8.1.1 Assign a unique ID to each person with computer
access Regularly Monitor and Test Networks 10. Track and monitor all access to network resources
and cardholder data | III.C. Manage and Control Risk | 3.3 Audit and Accountability | Operations n. Procedures for job scheduling, processing, error monitoring, system availability | Unique IDs
Each user has a unique SIS ID and username Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights Customer request system allows supervisors to request permissions their employees need. Technical Monitoring
Many systems in place including central log aggregation, monitoring solutions, and custom scripts. Email/text alerts generated upon threshold for any monitor |
| Section 11: Access Control |
11.1
Business Requirement for Access Control Access to information, information
processing facilities, and business processes
should be controlled based upon business
and security requirements.
• Access controls should take account
policies for information dissemination
and authorization | Implement Strong Access Control Measures 8.1.1 Assign a unique ID to each person with computer
access Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.1 Access Control |
| Unique IDs
Each user has a unique SIS ID and username Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf
|
11.2
User Access Management Formal procedures to control the allocation
of access rights to information systems and
services | Implement Strong Access Control Measures 7. Restrict access to data by business need-to-know
8.1.1 Assign a unique ID to each person with computer
access | III.C. Manage and
Control Risk | 3.1 Access Control 3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system 3.5 Identification and Authentication | Entity-Level Controls b. Segregation of responsibilities to prevent subversion of critical processes | Unique IDs
Each user has a unique SIS ID and username Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights Customer request system allows supervisors to request permissions their employees need. Segregation of Responsibilities
Personnel are prohibited from engaging in user activities, initiating transactions, or changing master files. IT personnel prevented from having access to liquid assets such as check signing approval or credit approval. eBridge Access |
11.3
User Responsibilities To prevent unauthorized user access, and
compromise or theft of information and
information processing capabilities | Build and Maintain a Secure Network 2. Do not use vendor-supplied defaults for system
passwords Implement Strong Access Control Measures 8.1.1 Assign a unique ID to each person with computer
access Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | N/A |
| Non-Default Credentials
Passwords for built-in accounts never left at default Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf
LetNet Guest Wireless Account Creation Guest account policies direct use of specific individual account information for each guest.
|
11.4
Network Access Control Ensure that appropriate interfaces and
authentication mechanisms to networked
services are in place | Build and Maintain a Secure Network 2. Do not use vendor-supplied defaults for system
passwords Implement Strong Access Control Measures 8.1.1 Assign a unique ID to each person with computer
access | IlI.C. Manage and
Control Risk | 3.1.9 Provide privacy and security notices
consistent with applicable CUI rules 3.1.16 Authorize wireless access prior
to allowing such connections 3.1.20 Verify and control/limit connections to
and use of external information systems |
| Non-Default Credentials
Passwords for built-in accounts never left at default Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf
LetNet Guest Wireless Account Creation Guest account policies direct use of specific individual account information for each guest. |
11.5
Operating System Access Control To prevent unauthorized access to operating
systems
Some methods include: ensure quality
passwords, user authentication, and
the recording of successful and failed
system accesses, providing appropriate
authentication control means | Build and Maintain a Secure Network 2. Do not use vendor-supplied defaults for system
passwords Implement Strong Access Control Measures
8.1.1 Assign a unique ID to each person with computer
access Monitor and Test Networks 10. Track and monitor all access to network resources
and cardholder data | III.C. Manage and
Control Risk | 3.1.8 Limit unsuccessful logon attempts 3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system | Security g. Financial operating systems appropriately secured | Non-Default Credentials
Passwords for built-in accounts never left at default Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf
LETNET Domain Password Requirements Last 24 unique password history enforced
Annual password change (Faculty/Staff)
7 character minimum
Complexity requirement: 3/4 character groups (Upper, Lower, Number, Symbol)
Non-reversible password hash encryption
Account lockout after 5 invalid logon attempts within 15 mins
Audits for all failed logon events |
11.6
Application and Information Access Control• To prevent unauthorized access
to information held in application
systems
• Security facilities should be used to
restrict access to an within application
systems
• Logical access to application software
and information system functions | Build and Maintain a Secure Network 1. Do not use vendor-supplied defaults for system
passwords Maintain a Vulnerability Management System
6. Develop and maintain secure systems and
applications Implement Strong Access Control Measures 8.1.1 Assign a unique ID to each person with computer
access | III.C. Manage and
Control Risk | 3.1.21 Limit use of organizational portable
storage devices on external information
systems 3.4.5 Define, document, approve, and enforce
physical and logical access restrictions associated
with changes to the information system 3.5 Identification and Authentication |
| Unique IDs
Each user has a unique SIS ID and username Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights |
11.7
Mobile Computing and Teleworking To ensure information security when using
mobile computing and teleworking facilities | Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to
protect data Build and Maintain a Secure Network 2. Do not use vendor-supplied defaults for system
passwords and other security parameters Implement Strong Access Control Measures 8. Assign a unique ID to each person with computer
access | III.C. Manage and
Control Risk | 3.1.12 Monitor and control remote
access sessions 3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions 3.1.14 Route remote access via
managed access control points 3.1.15 Authorize remote execution of
privileged commands and remote access
to security-relevant information 3.1.18 Control connection of mobile devices 3.1.19 Encrypt CUI on mobile devices 3.10.6 Enforce safeguarding measures for
CUI at alternate work sites (e.g., telework sites) |
| Unique IDs
Each user has a unique SIS ID and username Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights Firewall
OS-level firewalls enabled on each client along with hardware firewalls
at edge of LETU network Mobile Device Encryption
All mobile PCs required to have full-disk encryption:
http://www.letu.edu/start/publications/policy/upps/mobile-encryption.pdf |
| Section 12: Information Systems Acquisition, Development and Maintenance |
12.1
Ensure that security is an integral
part of information systems Security should be built into operating
systems, infrastructure, business
applications, off the shelf products, and user-
developed applications | Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications | N/A | 3.1.20 Verify and control/limit connections to
and use of external information systems 3.13 System and Communications Protection |
| Trustwave PCI Rapid Comply PCI compliance scanner: pcirapidcomply2.com
used monthly. Server Vulnerability Scans
Public-facing servers scanned annually using
https://www.ssllabs.com/ssltest tool. DLP Compliance DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform. Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed. |
12.2
Correct Processing in Applications To prevent errors, loss, unauthorized
modification or misuse of information in
applications | Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications | III.C. Manage and
Control Risk | N/A |
| Trustwave PCI Rapid Comply PCI compliance scanner: pcirapidcomply2.com
used monthly. Server Vulnerability Scans
Public-facing servers scanned annually using
https://www.ssllabs.com/ssltest tool. DLP Compliance DLP Compliance polices (currently active on all LETU O365-enabled accounts)
alert on shared content for users which could compromise compliance with PCI,
GLBA or other Privacy or Financial regulations.
This includes email for users converted to LETU's O365 email platform. Network Compliance
LETU Network Mgmt System is configured to trigger alerts and guidance
on detected issues or vulnerabilities affecting compliance with best practices
or regulatory issues within LETU's network architecture.
These alerts trigger configuration team reviews and modifications as needed. |
12.3
Cryptographic Controls• To protect the confidentiality,
authenticity or integrity of information
by cryptographic means
• Policy should be developed on the use
of cryptographic controls
• Key management should be in place to
support cryptographic techniques | Protect Cardholder Data 3. Protect stored data
4. Encrypt transmission of cardholder data and
sensitive information across public networks | III.C. Manage and
Control Risk | 3.1.13 Employ cryptographic mechanisms
to protect the confidentiality of remote
access sessions 3.1.17 Protect wireless access using
authentication and encryption 3.13.8 Implement cryptographic mechanisms
to prevent unauthorized disclosure of CUI
during transmission 3.13.10 Establish and manage cryptographic
keys for cryptography employed in the
information system 3.13.11 Employ FIPS-validated cryptography when
used to protect the confidentiality of CUI
|
| Remote Services for Remote offices and Employees protected by mandatory Encryption [ref] All data at rest on mobile or physically insecure devices stored using one-way strong encryption hashes Kerberos Policy
Kerberos tickets are enforced for domain clients through Group Policy
which ensures: 600 minute service ticket lifetime; 10 hour user ticket
lifetime; 5 minute tolerance for computer clock synchronization Certificate Authority
On-campus domain certification authority handles automatic certificate
management on domain-joined clients |
12.4
Security of System Files To ensure security of system files through
the control of access to system files and
program source code | Build and Maintain a Secure Network 2. Do not use vendor-supplied defaults for system
passwords and other security parameters | III.C. Manage and
Control Risk | N/A |
| Non-Default Credentials
Passwords for built-in accounts never left at default |
12.5
Security in Development and Support
ProcessesProject and support environments should be
strictly controlled | Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications | N/A | 3.1.14 Route remote access via
managed access control points 3.4.3 Track, review, approve/disapprove,
and audit changes to information systems 3.4.4 Analyze the security impact of changes
prior to implementation 3.12 Security Assessment
| Systems Development and Change Management d. Acquiring, implementing, integrating, and maintaining IS applications e. Acquiring, implementing, integrating, and maintaining infrastructure | Role-Based Access
Each employee given access and appropriate permissions
only to systems to which they need those specific rights Change Management
IT Business Systems team receives notifications of patches and hotfixes, and reviews related release notes. This team then requests approval from change management team for a time to perform updates. Full databases and system backups are done nightly. Tape rotation method is used to allow complete recovery. Complete backups are performed prior to any new or updated application being deployed. |
12.6
Technical Vulnerability Management To reduce risks resulting from exploitation
of published technical vulnerabilities
• Technical vulnerability management
should be effective, systematic, and
repeatable | Maintain a Vulnerability Management
Program 5. Use and regularly update antivirus software
6. Develop and maintain secure systems and
applications | III.C. Manage and
Control Risk | 3.11 Risk Assessment |
| System Center Endpoint Protection
Protects against malicious code for managed endpoints and new
definitions are automatically downloaded daily RSS/Web Lists
RSS, mailing lists, and forums are used to keep apprised of newly published
vulnerabilities. Manual patches are tracked through collaborative
spreadsheets until stakeholders have verified each affected endpoint has
been patched Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used annually Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
used annually
|
| Section 13: Information Security Incident Management |
13.1
Information Security Incident Management To ensure information security events and
weaknesses associated with information
systems are communicated in a manner
allowing timely corrective action to be taken
• Formal event reporting and escalation
procedures should be in place | Maintain a Vulnerability Management Program 6. Develop and maintain secure systems and
applications Regularly Monitor and Test Networks 11. Regularly test security systems and processes
Maintain an Information Security Policy:
12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems) 3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute 3.1.3 Control the flow of CUI in
accordance with approved authorizations | Operations m. Process for identifying and resolving incidents | Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf Communication Policy
Defines response expectations for various incidents:
Communication Policy Incident Log
Incident Log Department of Ed Notification Special notification requirement for Title IV data breach. |
13.2
Management of Information Security
Incidents and Improvements • To ensure a consistent and
effective approach is applied to the
management of information security
incidents | Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems) 3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute 3.1.3 Control the flow of CUI in
accordance with approved authorizations 3.3 Audit and Accountability 3.6 Incident Response | Security f. Information Security policy | Communication Policy
Defines response expectations for various incidents:
Communication Policy Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf |
| Section 14: Business Continuity Management |
14.1
Information Security Aspects
of Business Continuity Management To counteract interruptions to business
activities and to protect critical business
processes from the effects of major failures
or disasters and to ensure their timely
resumption | Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk | 3.1.1 Limit information system access
to authorized users, processes acting
on behalf of authorized users, or
devices (including other information
systems) 3.1.2 Limit information system access to
the types of transactions and functions
that authorized users are permitted to
execute 3.1.3 Control the flow of CUI in
accordance with approved authorizations 3.8.9 Protect the confidentiality of
backup CUI at storage locations | Entity-Level Controls a. Plans that align business objectives with IT strategies | Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf Business Objective Alignment
IT-related risks communicated through IT personnel and brought to the attention of CIO. Action plans with due dates are implemented for recovery. Users required to sign confidentiality agreements before any access to administrative software is granted. |
| Section 15: Compliance |
15.1
Compliance with Legal Requirements To avoid breaches of any law, statutory,
regulatory or contractual obligations, and
of any security requirements | Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk
III.F. Report to the
Board | 3.3.8 Protect audit information and audit tools
from unauthorized access, modification, and
deletion 3.3.9 Limit management of audit functionality
to a subset of privileged users 3.8.9 Protect the confidentiality of
backup CUI at storage locations |
| Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf This wiki page reviewed by Information Security office
and emailed out as a reminder to all employees annually Department of Ed Notification Title IV: Department of Education Requirements
|
15.2
Compliance with Security Policies and
Standards, and Technical Compliance To ensure compliance of systems with
organizational security policies and
standards | Regularly Monitor and Test Networks 10. Track and monitor all access to network
resources and cardholder data
11. Regularly test security systems and processes Maintain an Information Security Policy 12. Maintain a policy that addresses information
security for employees and contractors | III.C. Manage and
Control Risk
III.E. Adjust the
Program
III.F. Report to the
Board | N/A |
| Data Classification Standard
http://www.letu.edu/start/publications/policy/upps/dataclassification.pdf Trustwave PCI Rapid Comply
PCI compliance scanner: pcirapidcomply2.com
used monthly. Qualys SSL Labs
Server security scanner: https://www.ssllabs.com/ssltest
used annually Protect Stored Cardholder Data Encrypt transmission of cardholder data
across open, public networks |