Authentication and Accounts
All university computers, servers, network devices, and network applications must have some form of authentication system using a strong password or certificate. All users should authenticate when accessing these resources, and sessions should be closed when not in use. Systems and services should use authorization groups/roles to control access levels.
Encryption must be utilized for all user logins, especially if the system/service is being accessed from outside IUP (over the Internet).
Sharing user credentials (username and password), leaving default passwords unchanged, and using blank passwords are strictly prohibited. All systems, network devices, and network applications should use unique, strong, complex passwords. A strong password should be at least fifteen (15) characters long and should include numbers and non-alphanumeric characters. Passwords should be regularly changed and not reused.
Passwords should be changed immediately if they are accidentally exposed or suspected to be compromised. Passwords should also be changed immediately, on the effective date, when an administrator leaves the university or leaves a position in the university that required use of the password.
Secure System Setup
Many security vulnerabilities exist in default installations of operating systems such as Windows and Linux. Newly installed systems placed on the IUP network before they are properly secured and hardened are a security risk, and this can often result in the system becoming compromised. A compromised system will need to be re-installed and properly secured before it is placed back on the IUP network.
Many exploits use vulnerabilities found in unneeded or unused features in various computer software. Most exploits are created to compromise as many systems as possible, relying on systems with default configurations and/or systems with various features turned on by default. Minimizing the default configuration can limit exposure to automated brute-force hacker scripts/kits, worms, and attacks on unknown vulnerabilities.
Uninstalling unused software eliminates exposure to its vulnerabilities, since the potentially vulnerable software is no longer present. Some components, such as network services, often cannot be uninstalled. You can disable unneeded network services to eliminate their potential abuse and the exposure of their vulnerabilities.
All system setup and configuration should be documented, as it plays an important role in a system’s lifecycle and security. Systems should be set up with a standardized configuration and security policy. Changes made to the configuration and security of a system after initial setup should also be documented.
Software and Updates
Backup and Recovery