Best practices for securing information systems at IU

• Overview
• Policies, procedures, standards, and guidelines
• Vulnerability scanning and mitigation
• Encryption
• Firewalls
• Authentication
• Incident response
• Limit access and function
• Training and awareness

---

Overview

Following are recommendations from the University Information Security Office (UISO) for following best practices to secure information systems at Indiana University.

Policies, procedures, standards, and guidelines

• Have a unit representative engaged in the Cyber Risk Mitigation Responsibilities (IT-28) process (aka "continuous engagement"), and ensure that representative briefs other local UITS support people in your unit on the current state of relevant systems, desired state, and gaps between states.
  • Use centralized IU services when possible.
  • Continually assess and mitigate risk.
• Adopt a framework (for example, NIST CSF, Trusted CI) for prioritizing and applying IT standards.
• Get familiar with other IU IT policies, procedures, standards, and guidelines. Adopt appropriate procedures and standards for implementing security controls. Note that IT-12 is being revised and may soon articulate standards-based controls.

Vulnerability scanning and mitigation

• Implement automated vulnerability scanning (for example, Qualys); for more, see How to use Qualys and About vulnerability scanners.
• Install OS updates promptly.
• Prioritize vulnerability mitigation:
  • Mitigate higher-risk vulnerabilities before lower-risk vulnerabilities.
  • Consider the CIS Controls when first prioritizing the implementation of security controls.
• Document vulnerability mitigations and accepted risk.

Encryption

• Encrypt data at rest with a broadly accepted encryption algorithm; for more, see About data encryption. Note that data in the Intelligent Infrastructure (II) is considered encrypted at rest.

  Alternatively, if more comprehensive encryption is not practical or required, encrypt databases, tables, or cells.

• Encrypt data in transit with secure protocols; for more, see About data encryption.
• Maintain updated data-flow diagrams which clearly show whether institutional data is encrypted at rest and in transit.

Firewalls

• Use an available enterprise-level firewall between your systems and the internet.
• Implement a web app firewall (WAF), if applicable.

Authentication

• Use enterprise-level authentication services (for example, Active Directory or CAS/IU Login; also see Integrate IU Login with a web application).
• Implement multi-factor authentication (for example, Duo) for local, remote, SSH, and web application logins. Also see Integrate Duo with an application.

Incident response

• Publish administrator contact and support information in One.IU for each system to facilitate incident response.
• Encourage staff members to quickly report security incidents.

Limit access and function

• Consider using single-service servers.
• Implement role-based access controls (RBAC).

Training and awareness

• Encourage staff to take appropriate training.
• Ensure applications are developed with secure coding practices.
• Take advantage of resources to efficiently secure research. See SecureMyResearch.