IT Security
IT Security is all about CIA, that is:
Confidentiality – as the ICT Service Team, we endeavour to ensure that work information is only accessible to you and those you collaborate with.
Integrity – we seek to ensure that the information available remains in its actual state without tampering.
Availability – we ensure that work information is always accessible to the user if and when it is needed.
All users of the University’s ICT resources must be authorized to access the appropriate systems and their resources. Access is controlled and monitored in accordance with University Statutes. The elements involved in controlling and monitoring access include identification, authorization and authentication.
1.1 Identification
- All system users are assigned unique IDs (i.e. Username/PIN and passwords) to use in accessing the University’s systems and applications.
- User IDs (i.e. Username/PIN and passwords) must not be shared.
- Users are responsible for maintaining the security of their IDs and for all activity occurring under those IDs. IDs (i.e. Username/PIN and passwords) are issued in accordance with approved standards.
- In special circumstances, temporary generic accounts may be approved by the ICT Director or delegate.
1.2 Authorization
- Every user shall require authorization before using any ICT resources. This authorization shall be obtained in writing from the ICT resource owner or head of department and will be implemented by the ICT Custodian, who issues the user a username and password and facilitates access to the resources so authorized.
- No one shall use any University ICT resource without proper authorization. Users shall not assist, encourage, or conceal from authorities any unauthorized use, or attempt at unauthorized use, of any of the University’s ICT resources.
- Users shall not disclose any information which may lead to compromise in the security of the University’s ICT resources. Security includes the integrity, confidentiality and availability of the University’s ICT resources. Specifically, users shall not disclose their user names and passwords to any person whether authorized or not, nor obtain any other person’s password by any unauthorized means whatsoever. Access credentials (i.e. Username, passwords, Tokens, Cards, PINs etc.) are issued in accordance with approved standards.
- A user shall not misrepresent his or her identity or relationship to the University when obtaining or using University ICT resources.
1.3 Authentication
- Authentication verifies a claimed identity. Each ID (i.e. Username) requires a technique, usually a password, for validating that identity.
- Standards apply to all systems requiring authentication.
1.4 Account Management
- System custodians must be authorized by the system owner before giving users access to a system. This authorization must specify the access level for each user.
- System Custodians must determine who should be able to get network access from off-campus or remote locations (for example, through Virtual Private Networks).
- At a minimum, a quarterly review of all system access levels of users should be carried out. The System Custodians should ensure any non-compliance as a result of this activity is addressed as a matter of priority. All records of non-compliance must be kept until all matters arising from non-compliance have been resolved.
- When employees terminate employment or change positions within the University, the Human Resource Office should effect the necessary changes by advising the ICT system custodians to modify the access rights and privileges of affected users in the appropriate system. This is important in ensuring proper segregation of duties within University systems.
1.5 Privileged Users Access
- Certain system users have high-level access rights, enabling them to access any data stored on the University’s ICT systems. These staff members can be generically termed as System Administrators.
- Staff with high-level access rights should abide by a high Code of Ethics.
- The ICT Department should regularly review access rights for System Administrators.
- System Administrators found guilty of breaching security are subject to disciplinary action in accordance with the University Statutes and Regulations.
1.6 Contractors, Vendors & Third party access
- Contractor, vendor and third-party access is permitted only if authorized by the System Owner and agreed by the System Custodian.
- These parties must comply with access control standards which require, at a minimum, that a unique user ID (i.e. username) identify each user. This ensures that only authorized individuals receive access to systems.
- All temporary accounts should have an expiration date based on the contract completion date.
1. Server & System Backup
- All critical University information must be backed up on a regular basis. Frequency of backup is determined by the frequency with which the data changes and the effort required to recreate the information if lost.
- Standards apply to the backup of data from all University systems.
2. Personal Computer and Mobile Device Backup
- All critical University information should be stored on centrally maintained corporate networked disk storage.
- Any other data stored on desktops, laptops and other mobile devices becomes the responsibility of the user to ensure it is backed up on a regular basis.
- Frequency of backup is determined by the frequency with which the data changes and the effort required to recreate the information if lost.
3. Recovery
- All backups of critical data must be tested periodically to ensure that they support full system recovery.
- System Administrators must document all restore procedures and test these on a regular basis, at least semi-annually.
- Backup media must be retrievable within 24 hours, 365 days a year.
- Standards apply to the recovery of data from all University systems.
4. Off-Site Storage
- Off-site is synonymous with “out of the building”.
- The off-site storage location must provide evidence of adequate fire and theft protection and environmental controls.
- Where an external off-site storage provider is used, a formal Service Level Agreement (SLA) must exist with that provider, and a site visit should be undertaken on a bi-annual basis.
- Where this service is provided within the organization, the site should be visited monthly, and at a minimum quarterly.
5. Data Retention
- Owners of University data are responsible for defining and documenting the length of time data must be retained.
- The retention period, legal requirements, responsible parties, and source of legal requirement should be specified.
- System Administrators or other parties as may be specified are responsible for ensuring that these requirements are adhered to.
6. Business Continuity
- As part of the Information Services Risk Management Framework, Business Continuity and Disaster Recovery Plans should be prepared and tested for all of the University’s major systems.
- The testing strategy to be implemented will be influenced by the importance of the system to the University’s business operations and the ability to recover the system within agreed time frames (that is, recovery point objectives, RPOs, and recovery time objectives, RTOs).
- A copy of each plan should be stored offsite in a secure manner to ensure that the plan can be implemented in the case of a disaster.
- A review of any major disruption to information services should be undertaken to identify the cause of the disruption and where appropriate adjust the plan and/or procedures to minimise the risk of the event occurring again.
7. Security
All major information assets must be accounted for and have a nominated custodian who is responsible for the implementation and management of this policy in relation to those assets.
- Data Security and Classification
- Different types of data require different levels of security. The University classifies data into various categories which in general are: Public, Proprietary and Restricted. It is the System Custodian’s responsibility to establish authentication and authorization guidelines for custodial data. Please note that:
- Public data can generally be made available or distributed to the general public;
- Proprietary data is for internal University use and not for external distribution; and
- Restricted (moderately to highly sensitive) data is to be used only by individuals who require it in the course of performing their University responsibilities, or is data which is protected by local or national legislation. Restricted data can only be deleted with the permission of the System Owner.
- Staff should be aware of their legal and corporate responsibilities concerning inappropriate use, sharing or release of information to another party. Any third party receiving proprietary or restricted information must be authorized to do so, and that individual or their organization should have adopted information security measures which guarantee the confidentiality and integrity of that data.
- Security Standards for the different ICT Resources apply.
To report any incidents that go against CIA, please contact us at support@strathmore.edu
© 2023 Strathmore University ICT Services
CONTACT US
Central Building
support@strathmore.edu
Ext 2236, 2251, 2157, 2437
+254 703 034000/236