Access control (Physical)
Access control to all secure facilities (examples include data centers, telecommunications demarc facilities, and infrastructure/wiring closets) is accomplished using physical keys and key cards. Access control provisioning (granting/revocation, modifications) is handled by Facility Services.
Access to the network, both private and public, is controlled and managed through multiple elements. These include (for both external and internal access) redundant firewalls, redundant intrusion prevention systems, and network ACLs. Logging is done via a central logging system, and logs are continuously monitored by Network Operations staff for unusual or undesirable events/activity. Access profiles are audited daily, during routine management tasks, and formally during scheduled system audits.
To deter eavesdropping and tampering, mechanisms and systems which transmit or receive credentials or other sensitive data via the network (examples include My Valley, Banner, Moodle, Groupware) employ encryption to establish secure channels during communication. Systems which cannot perform encryption are restricted to proxied communication through other systems which implement encrypted communication on their behalf.
Virus and Spam Protection
To reduce the impact of virus or malware infections, anti-virus software is installed on all workstations and servers, and signatures are updated daily. Additionally, email is scanned for viruses/malware, and messages identified as such are quarantined.
To reduce the impact of spam, phishing, etc., a number of anti-spam techniques are employed. An email firewall performs a number of preliminary tests and checks to deter botnets, zombies, etc., before accepting messages. Once accepted, a content filtering system (using techniques including rule-based classification and Bayesian filtering) processes and scores messages, then tags them prior to delivery into appropriate mailboxes.
A local update server is used for aggregation and approval of available updates.
Workstations: software updates are reviewed monthly, and approved updates are retrieved from the update server and applied.
Servers: prior to scheduled maintenance periods, software updates are reviewed and approved. Approved updates are then applied during the scheduled maintenance period. Scheduling and installation of security updates or other updates to address particularly significant vulnerabilities outside of scheduled maintenance periods are handled on a case-by-case basis.
To reduce the possibility of a compromise in media data integrity, IT staff are trained in maintaining and securing electronic media through proper handling, use, and storage. Removable electronic media (tapes, optical media, flash media, etc.) is stored on site in a fire-resistant, locked file cabinet. Additionally, an off-site storage vendor is used to provide a disaster recovery mechanism. Off-site media is rotated on a two-week interval.