Guidelines for IT Custodians
IT Custodians are responsible for the acquisition, maintenance and operations of all University IT—including workstations, servers, web applications, cloud-based services etc.
This guideline provides practical tips for all IT Custodians in order to secure their IT systems and reduce risks of security compromises and data breaches. If you are unsure of anything, please contact the IT Security team at firstname.lastname@example.org.
The responsibilities of IT Custodians can be summarised as follows:
- Secure the IT systems under your management by implementing controls and processes that follow this guideline and/or by consulting Technology's Risk & Security team.
- Respond to requests from Technology's Risk & Security team to address known security issues in a timely fashion.
- Report actual or suspected security incidents, as well as any known security risks to Technology's Risk & Security team.
- Comply with the IT Acceptable Use and Security Policy, the IT Acceptable Use Procedures, and the IT Security Procedures, as well as this guideline.
Does your IT application store, process or transmit Class 3 data? If yes, it should have extra countermeasures in place to protect the confidentiality of the data. Class 3 refers to sensitive data such as private information related to people, or top-secret data such as defence research. Refer to Classifying and Protecting Information guidelines for detailed definitions and examples of Class 3 data, and requirements for protecting them.
Third party hosting
Patching and updating
Account, password and privilege management
If you have a fully customised IT system that you have developed yourself or outsourced to a third party, then implementing security into the program code and keeping it free of vulnerabilities is your responsibility.
Can you be confident that your application is not vulnerable to buffer overflows, XSS, SQL Injection, Directory Traversal, and other common attack vectors?
Here are some tips for developing secure software:
- Follow a secure coding and secure development standard that considers, for example, the OWASP Guide.
- Implement sound input validation and filters that only accept legitimate user inputs and forbid potentially malicious inputs.
- Ensure Class 3 data is encrypted during transmission and storage.
- Implement strict authentication, session management and access controls.
- Make use of code audit tools or ask an independent person to perform a code review.
- Engage the Risk and Security team to perform an independent review of security, including vulnerability assessment and penetration testing.
- Follow a sound change management process so that code changes are thoroughly tested before "go-live" to prevent vulnerable code from being introduced into the production environment.
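The input-validation tip above, shown as an added illustration (not code from the University or from this guideline): an allow-list check, a parameterised SQL query and a path-containment check working together. The `STAFF_ID` format, the `users` table and the file names are assumptions constructed for the example.

```python
import re
import sqlite3
import tempfile
from pathlib import Path

# Allow-list: accept only the exact shape a legitimate value can take.
STAFF_ID = re.compile(r"[a-z]{1,8}[0-9]{0,4}")  # hypothetical ID format

def valid_staff_id(value: str) -> bool:
    return STAFF_ID.fullmatch(value) is not None

def find_user(db: sqlite3.Connection, staff_id: str):
    """Reject input outside the allow-list, then bind it as a parameter."""
    if not valid_staff_id(staff_id):
        raise ValueError("invalid staff id")
    # Placeholder binding keeps the value out of the SQL text entirely.
    return db.execute(
        "SELECT staff_id, name FROM users WHERE staff_id = ?", (staff_id,)
    ).fetchone()

def safe_path(base: Path, requested: str) -> Path:
    """Resolve a user-supplied file name and confirm it stays under base."""
    base = base.resolve()
    target = (base / requested).resolve()
    if not target.is_relative_to(base):  # requires Python 3.9+
        raise ValueError("path escapes document root")
    return target

def demo():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE users (staff_id TEXT PRIMARY KEY, name TEXT)")
    db.execute("INSERT INTO users VALUES ('jsmith01', 'J. Smith')")  # constructed row
    results = {"ok": find_user(db, "jsmith01")}
    for bad in ("x' OR '1'='1", "jsmith01; DROP TABLE users", ""):
        try:
            find_user(db, bad)
            results[bad] = "accepted"
        except ValueError:
            results[bad] = "rejected"
    with tempfile.TemporaryDirectory() as root:
        base = Path(root)
        results["file"] = safe_path(base, "reports/q1.pdf").name
        try:
            safe_path(base, "../../etc/passwd")
            results["traversal"] = "accepted"
        except ValueError:
            results["traversal"] = "rejected"
    return results
```

Validation and parameter binding are kept as separate layers on purpose: the allow-list rejects malformed input early, and the bound parameter still protects the query if the allow-list is ever loosened.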
The Risk & Security team can provide training to developers on the basic concepts of secure application development upon request.
Even if you have followed all of the advice presented in the preceding sections, black-box testing is still an important part of security, especially if you handle sensitive data. Black-box testing is a kind of assessment where the tester wears the bad guy's hat and uses real hacker techniques to try to break into your system. This helps to reveal holes that may have been missed through other activities.
If you would like a black-box assessment performed on your IT system, please contact the Risk & Security team. We can usually provide this service free of charge, depending on availability of resources.
Backup and disaster recovery
- Is your IT system or application critical to your research or your business area?
- How long can you continue your work with the system being unavailable?
- What are the costs associated with extended downtime or permanent loss of data?
- Are there legal or policy requirements for data retention?
Based on your answers, IT custodians should develop a strategy for data backup, retention, and recovery. Having a proper recovery plan ahead of time can save you time and money.
Think before you decide to make your application accessible to the internet: exposing it to a public network means anyone on the internet can have a go at attacking your system, making it more likely to become compromised.
If the system is only used by the University community, keep it within the University network and require VPN remote access or ADAPT remote desktop before gaining access.
Note also that Information Technology and Digital Services can implement segmented network control if required, so that your application can be accessed from only certain network sources, either internally or from the internet.