This standard sets the requirements necessary to design and implement UofT enterprise computing and network systems that are protected from threats to the confidentiality and integrity of UofT information assets.

Date of Effectiveness

To Be Determined

Standard Owner

Director, Information Security, Information Technology Services

Version

Version 0.5

Summary showing Section Headings

ID Section Headings Brief Description
IFS-GN General
IFS-ND Network Design
IFS-NC Network Device Configuration
IFS-FW Firewalls
IFS-AC Network Device Access Control
IFS-WS Wireless Local Area Network (WLAN) Security
IFS-RA Employee Remote Access
IFS-SP External Service Provider / Business to Business (Third Party) Connections
IFS-DC Network Documentation
IFS-HS Workstation, Platform, and Host Security
IFS-HA Workstation, Platform and Host Access Control
IFS-VT Workstation, Platform, and Host Virtualization
IFS-MC Malicious Code
IFS-EM Electronic Messaging Server/Client
IFS-MM Messaging Middleware
IFS-DS Directory Services
IFS-PS Physical Security
IFS-DP Intrusion Detection and Prevention Systems
IFS-SL Security Logging

Infrastructure Security Standard Controls

Control ID Control Existing Status Public Confidential Restricted Effort
IFS-GN General Existing Status Public Confidential Restricted Effort
IFS-GN-01 The following information must be recorded for all existing and new ITS infrastructure hardware (excluding workstations, IP telephones, and handheld devices):

  • Device/host name.
  • Serial #.
  • IP address.
  • Physical location.
FALSE Proposed Required Required Required TBD
IFS-GN-02 Any system, application, or device that is deployed must be secured as defined by published security hardening requirements and must not degrade the security of any other system, application, or device. TRUE Approved Required Required Required TBD
IFS-GN-03 All vendor-supplied defaults, documentation files, and test files must be secured as specified within published security hardening requirements. TRUE Approved Required Required Required TBD
IFS-GN-04 Network devices, platforms, hosts, or workstations must not be newly implemented after the vendor has ceased providing product updates, security patches, or support. TRUE Approved Required Required Required TBD
IFS-GN-05 The implementation of security monitoring tools on network devices, platforms, and hosts, must be considered, and rationale for decisions must be documented. TRUE Approved Recommended Required Required TBD
IFS-GN-06 Based on risk, monitoring tools must be implemented on network devices, platforms, and hosts. TRUE Approved Recommended Required Required TBD
IFS-ND Network Design Existing Status Public Confidential Restricted Effort
IFS-ND-01 Controls must be in place to ensure that devices connected to the UofT backbone have been approved if they are not contained within an environment where access is protected by two levels of physical security (e.g., data centre). FALSE Proposed Required Required Required TBD
IFS-ND-02 All physical connections to the UofT network from external networks must be approved and documented. TRUE Approved Required Required Required TBD
IFS-ND-03 Within the UofT network, the implementation of segregation must be considered, and rationale for decisions must be documented. FALSE Proposed Required Required Required TBD
IFS-ND-04 All logical connections between trusted (UofT-controlled) networks and un-trusted networks must traverse a firewall TRUE Approved Required Required Required TBD
IFS-ND-05 All instances of network segmentation or zoning must be documented and maintained. FALSE Proposed Required Required Required TBD
IFS-ND-06 Segregation of internal laboratories from the rest of the internal network, and other non-production environments, must be considered, and rationale for decisions must be documented FALSE Proposed Required Required Required TBD
IFS-ND-07 Network management and administration must be conducted using approved management infrastructure FALSE Proposed Required Required Required TBD
IFS-ND-08 Network management and administration must be conducted using secure protocols TRUE Approved Required Required Required TBD
IFS-ND-09 User-based (human) Internet traffic must be routed through approved proxies that are configured to allow only specific ports and protocols FALSE Deferred Not Applicable Not Applicable Not Applicable TBD
IFS-ND-10 Universal Resource Locator (URL) filtering must be implemented for user Internet browsing (e.g. Known Malicious Site Filtering) FALSE Deferred Not Applicable Not Applicable Not Applicable TBD
IFS-ND-11 UofT must ensure the internal network is segregated from the following:

  • Open public networks (i.e., UofT Backbone).
  • Third party business partners.
  • Connections where UofT does not have physical control over the devices.
  • Inbound customer traffic must be segregated from outbound staff traffic.
FALSE Proposed Required Required Required TBD
IFS-ND-12 Internal laboratories must be segregated from the rest of the internal network, and other non-production networks, based on risk. FALSE Proposed Required Required Required TBD
IFS-ND-13 Network management and administration must be conducted from designated systems on dedicated LAN segments based on risk. TRUE Approved Required Required Required TBD
IFS-NC Network Device Configuration Existing Status Public Confidential Restricted Effort
IFS-NC-01 All network ports and services not required for the operation of the network device must be disabled TRUE Approved Required Required Required TBD
IFS-NC-02 Source routing on network devices must be disabled FALSE Proposed Required Required Required TBD
IFS-NC-03 Proxies or firewalls must implement network address translation of internal systems during communication with public internet networks FALSE Proposed Not Applicable Not Applicable Not Applicable TBD
IFS-NC-04 Prior to implementation, copies of network device configurations must be retrieved from the devices and stored on central servers on management LAN segments TRUE Approved Required Required Required TBD
IFS-NC-05 Copies of current network device configurations must be stored in more than one secure facility FALSE Proposed Recommended Required Required TBD
IFS-NC-06 Network devices must only be implemented if all applicable vendor security patches and maintenance updates have been applied TRUE Approved Recommended Required Required TBD
IFS-NC-07 Alerts must be generated when failure conditions occur on network devices. TRUE Approved Recommended Required Required TBD
IFS-FW Firewalls Existing Status Public Confidential Restricted Effort
IFS-FW-01 Firewalls must implement stateful inspection, also known as dynamic packet filtering TRUE Approved Recommended Required Required TBD
IFS-FW-02 Firewalls must be configured to:

  • Fail closed.
  • Deny by default all inbound and outbound traffic, unless specifically approved based on business need.
  • Divulge no information regarding itself or the UofT network.
  • Serve no additional purpose other than its dedicated function(s).
TRUE Approved Required Required Required TBD
IFS-FW-03 Firewall rules must go through the UofT approved change management process prior to any rule changes being implemented FALSE Proposed Required Required Required TBD
IFS-FW-04 Firewalls managed by UofT Technology or UofT’s designated agents must be managed by a single functional group FALSE Proposed Required Required Required High
IFS-FW-05 Firewall rules must not be implemented to permit a combination of any source, any destination, or any port or service FALSE Proposed Required Required Required TBD
IFS-AC Network Device Access Control Existing Status Public Confidential Restricted Effort
IFS-AC-01 Administrators who are permitted to change the configuration of a network device must not be the same persons approving the change TRUE Approved Required Required Required TBD
IFS-AC-02 Direct console access must be authenticated FALSE Proposed Required Required Required TBD
IFS-AC-03 All remote (non-console) administrator access to network devices must be encrypted TRUE Approved Required Required Required TBD
IFS-AC-04 All remote (non-console) administrator access to network devices must be governed by a centralized authentication service FALSE Proposed Required Required Required TBD
IFS-AC-05 Auxiliary console ports not in use must be disabled TRUE Approved Recommended Required Required TBD
IFS-WS Wireless Local Area Network (WLAN) Security Existing Status Public Confidential Restricted Impact
IFS-WS-01 Intrusion detection must be implemented on all production WLANs FALSE Proposed Required Required Required TBD
IFS-WS-02 A minimum of two-factor authentication must be used to authenticate wireless clients to the wireless infrastructure FALSE Proposed Required Required Required TBD
IFS-WS-03 Approved encryption must be used during the exchange of authentication credentials, as well as after authentication, to protect data between the WLAN client and the access points TRUE Approved Required Required Required TBD
IFS-WS-04 WLAN clients must be secured as defined by published security hardening requirements FALSE Proposed Required Required Required TBD
IFS-WS-05 Wireless interface cards must only be implemented in infrastructure where their use is approved and the infrastructure is both physically and logically separated from the UofT internal network. Laptops are excluded from this requirement. FALSE Proposed Required Required Required TBD
IFS-WS-06 Workstations (including laptops) must be configured to disable any installed wireless interface cards while physically connected to a LAN using an alternative network interface card TRUE Approved Required Required Required TBD
IFS-WS-07 Hosts must be configured to disable any installed wireless interface cards while physically connected to a LAN using an alternative network interface card. TRUE Approved Recommended Required Required TBD
IFS-WS-08 Servers must not have wireless interface cards, and must be both physically and logically separated from wireless networks. TRUE Approved Required Required Required TBD
IFS-RA Employee Remote Access Existing Status Public Confidential Restricted Effort
IFS-RA-01 All employee remote access to the UofT network must be authenticated using a centralized access system TRUE Approved Recommended Required Required TBD
IFS-RA-02 Two-factor authentication for employee remote access to the UofT network must be implemented FALSE Proposed Not Applicable Required Required TBD
IFS-RA-03 All remote connections must be encrypted TRUE Approved Required Required Required TBD
IFS-RA-04 Workstations connected remotely to the UofT network must have a personal firewall installed and in operation TRUE Approved Recommended Required Required TBD
IFS-RA-05 Split tunnelling must be disabled on all remote connections. FALSE Proposed Required Required Required TBD
IFS-SP External Service Provider / Business to Business (Third Party) Connections Existing Status Public Confidential Restricted Impact
IFS-SP-01 A process for granting, changing, and removing physical third party connections to the UofT network must be in place and maintained.

  • All third party network connections must be approved.
  • Third party connections must comply with information security requirements stated in the third party agreement.
  • All new external connections must be approved through discrete projects or as components of projects.
TRUE Approved Recommended Required Required TBD
IFS-SP-02 All physical third party network connections to the UofT network must be documented in a list capturing sufficient information to manage the connection, such as:

  • Vendor name and contact information.
  • Serviced D/D/F name and contact information.
  • Date of last review.
TRUE Approved Recommended Required Required TBD
IFS-DC Network Documentation Existing Status Public Confidential Restricted Effort
IFS-DC-01 All existing firewall rules must be documented, capturing sufficient information to manage the firewall, such as:

  • Permitted protocols and their associated ports.
  • Permitted IP addresses (destination and source).
  • The date for the next scheduled annual
FALSE Proposed Required Required Required TBD
IFS-DC-02 The following firewall rule information must be documented, capturing sufficient information to manage the firewall, such as:

  • Reason for rule or rule change.
  • Permitted protocols and their associated ports.
  • Permitted IP addresses (destination and source).
  • Application or resource owner requesting rule or rule change.
  • The date for next scheduled annual review.
FALSE Proposed Required Required Required TBD
IFS-DC-03 Accurate network documentation must be developed and must include:

  • Network diagrams.
  • Configuration of network devices.
  • Controlling wireless access to the network including:
      • Placement and configuration of wireless access points.
      • Methods of limiting access to access points.
      • Use of encryption to protect confidentiality of wireless transmissions and access to access points.
      • Detection of unauthorised wireless access points.
TRUE Approved Required Required Required TBD
IFS-DC-04 Prior to implementation, network documentation must be developed and must include:

  • Control of wireless access to the network.
  • Placement and configuration of wireless access points.
  • Methods of limiting access to access points.
  • Methods of encryption
TRUE Approved Required Required Required TBD
IFS-DC-05 Security hardening requirements for network devices must be developed and implemented and must include:

  • Managing changes to tables and settings in network devices.
  • Restricting access to network devices.
  • Preventing unauthorized updates to routing tables.
  • Allowed network segments and permitted traffic between segments.
  • Alert types that must be generated and captured by network devices, including those for overload and exception conditions.
TRUE Approved Required Required Required TBD
IFS-DC-06 An inventory of IP address ownership and use to subnet level must be developed. TRUE Approved Required Required Required TBD
IFS-DC-07 Accurate network documentation must be developed and must include:

  • Network diagrams.
  • Configuration of network devices.
TRUE Approved Required Required Required TBD
IFS-HS Workstation, Platform, and Host Security Existing Status Public Confidential Restricted Effort
IFS-HS-01 Workstations, platforms, and hosts must only be implemented if they have been hardened in accordance with published security hardening requirements FALSE Proposed Required Required Required TBD
IFS-HS-02 Workstations, platforms, and hosts must only be implemented if all applicable vendor security patches and maintenance updates have been applied. TRUE Approved Required Required Required TBD
IFS-HS-03 Platform and host system management and administration must be conducted using approved management infrastructure TRUE Approved Required Required Required TBD
IFS-HS-04 Routing and IP forwarding must be disabled on workstations and host systems with multiple network interface cards FALSE Proposed Required Required Required TBD
IFS-HS-05 Implementations of integrated lights-out management (iLO) and remote power management (RPM) must be managed using approved management infrastructure TRUE Approved Required Required Required TBD
IFS-HS-06 Workstations must be configured to permit only one connection to the UofT network at any time, and must disable all others TRUE Approved Required Required Required TBD
IFS-HS-07 Platform and host system management and administration must be conducted using designated management infrastructure on a dedicated LAN segment. TRUE Approved Required Required Required TBD
IFS-HS-08 Alerts must be generated when overload or exception conditions occur on platforms or hosts. TRUE Approved Required Required Required TBD
IFS-HA Workstation, Platform and Host Access Control Existing Status Public Confidential Restricted Effort
IFS-HA-01 Workstations and hosts must implement encrypted authentication TRUE Approved Required Required Required TBD
IFS-HA-02 Local workstation administrator access must be restricted and granted only after going through a formal approval process TRUE Approved Required Required Required TBD
IFS-HA-03 Remote administrative access to workstations must be encrypted TRUE Approved Required Required Required TBD
IFS-HA-04 Remote (non-console) administrative access to platform and host systems must be encrypted TRUE Approved Required Required Required TBD
IFS-HA-05 The use of system utilities capable of overriding system and application controls must be restricted to only roles that require it TRUE Approved Required Required Required TBD
IFS-HA-06 Administrative access to storage systems must be restricted to storage team personnel TRUE Approved Recommended Required Required TBD
IFS-HA-07 Administrators who are permitted to change the configuration of platform or host systems must not be the same individuals approving the change TRUE Approved Recommended Required Required TBD
IFS-HA-08 Workstations protected by UofT enterprise firewalls must not be directly or indirectly connected to non-UofT networks through modems, DSL routers, or other unauthorized means TRUE Approved Required Required Required TBD
IFS-HA-09 Remote support activities requiring modem access to host computing systems for vendor diagnostics must only be permitted if the connection meets the requirements of the External Service Provider / Business to Business (Third Party) Access section TRUE Approved Required Required Required TBD
IFS-VT Workstation, Platform, and Host Virtualization Existing Status Public Confidential Restricted Effort
IFS-VT-01 Workstation or host operating systems must only implement virtualization if they have been hardened in accordance with published security hardening requirements. TRUE Approved Required Required Required TBD
IFS-VT-02 The implementation of virtualization on a workstation must not interfere with the security functions of the workstation operating system TRUE Approved Required Required Required TBD
IFS-VT-03 Access to software that creates and maintains virtualization (hypervisor) must be restricted to only those processes and/or personnel requiring access. TRUE Approved Recommended Required Required TBD
IFS-VT-04 The hypervisor must be updated with UofT tested and verified vendor security updates and patches FALSE Proposed Required Required Required TBD
IFS-VT-05 The implementation of a virtual server on a host and its security functions must not interfere with the security functions of any other virtual servers or the host operating system TRUE Approved Recommended Required Required TBD
IFS-MC Malicious Code Existing Status Public Confidential Restricted Effort
IFS-MC-01 Up-to-date anti-virus software must be installed and enabled on all applicable workstations, platforms and hosts, in accordance with published security hardening requirements TRUE Approved Recommended Required Required TBD
IFS-MC-02 Anti-virus programs must detect and protect against other forms of malware, such as spyware FALSE Proposed Required Required Required TBD
IFS-MC-03 Anti-virus software must be capable of generating audit logs TRUE Approved Recommended Required Required TBD
IFS-MC-04 Privileged access must be required to disable an actively running anti-virus TRUE Approved Required Required Required TBD
IFS-MC-05 The need to deploy additional layers of anti-virus protection for certain services, such as email or web surfing, must be evaluated, and rationale for decisions must be documented FALSE Proposed Required Required Required TBD
IFS-MC-06 Anti-virus software must be centrally managed including the ability to report on out-of-date virus updates. FALSE Proposed Required Required Required TBD
IFS-EM Electronic Messaging Server/Client Existing Status Public Confidential Restricted Effort
IFS-EM-01 External facing electronic messaging systems must be located in a dedicated network segment that is protected by firewalls at all entry and exit points. TRUE Approved Recommended Required Required TBD
IFS-EM-02 Malware scanning and spam filtering must be implemented. TRUE Approved Recommended Required Required TBD
IFS-EM-03 Service banners of electronic mail protocols (for example SMTP, POP, IMAP) must not report mail server and operating system type and version TRUE Approved Required Required Required TBD
IFS-EM-04 Limitations on the size and types of electronic mail attachments must be implemented TRUE Approved Required Required Required TBD
IFS-EM-05 Electronic mail browser access must be supported only through encrypted channels TRUE Approved Required Required Required TBD
IFS-EM-06 Electronic messaging clients must be updated with tested and verified vendor security patches TRUE Approved Recommended Required Required TBD
IFS-EM-07 Electronic messaging clients must be configured with security features enabled as defined within specific hardening instructions TRUE Approved Recommended Required Required TBD
IFS-EM-08 Anti-spoofing and reputational filtering must be implemented on all externally facing electronic messaging systems TRUE Approved Recommended Required Required TBD
IFS-MM Messaging Middleware Existing Status Public Confidential Restricted Effort
IFS-MM-01 Based on a documented risk assessment and specified within either published security hardening requirements or an IRRM (Threat Risk Assessment), messaging middleware must:

  • Authenticate application interfaces before processing requests.
  • Verify that subjects (entities requesting access) are authorized to access the objects (access targets) they request.
TRUE Approved Recommended Required Required TBD
IFS-MM-02 Messaging middleware must be capable of handling encrypted data TRUE Approved Recommended Required Required TBD
IFS-MM-03 Changes to existing infrastructure for capacity expansion or hardware replacement/refresh purposes are excluded from the following section of requirements. FALSE Proposed Required Required Required TBD
IFS-DS Directory Services Existing Status Public Confidential Restricted Effort
IFS-DS-01 Directory service systems must protect access authenticators, both in transit and storage, using appropriate encryption and/or hash mechanisms TRUE Approved Recommended Required Required TBD
IFS-DS-02 Directory service systems must be capable of enforcing access controls across multiple systems TRUE Approved Required Required Required TBD
IFS-DS-03 Access to directory objects must be restricted in accordance with the principle of least privilege TRUE Approved Required Required Required TBD
IFS-PS Physical Security Existing Status Public Confidential Restricted Effort
IFS-PS-01 ISEA or D/D/F Security must be consulted to determine appropriate locations and protection requirements for all network devices and hosts FALSE Proposed Required Required Required TBD
IFS-DP Intrusion Detection and Prevention Systems Existing Status Public Confidential Restricted Effort
IFS-DP-01 All Internet facing and extranet networks must have network intrusion detection systems (NIDS) deployed. The need to deploy intrusion detection and prevention systems elsewhere must be evaluated, and rationale for decisions must be documented. TRUE Approved Required Required Required TBD
IFS-DP-02 Where deployed, NIDS and network intrusion prevention systems (NIPS) must be used to monitor network traffic for malicious code or attacks TRUE Approved Required Required Required TBD
IFS-DP-03 NIPS must be capable of automatically responding to potential threats TRUE Approved Required Required Required TBD
IFS-DP-04 NIDS and NIPS must provide alerting to security monitoring personnel TRUE Approved Recommended Required Required TBD
IFS-DP-05 IS must be advised of all planned changes to the network that impact the effectiveness of deployed intrusion detection and prevention systems FALSE Proposed Required Required Required TBD
IFS-DP-06 Where deployed, host intrusion detection systems (HIDS) and host intrusion prevention systems (HIPS) must be used to monitor applications, system files, and other sensitive activities on the host and provide alerting to security monitoring personnel to identify potential compromises. TRUE Approved Recommended Required Required TBD
IFS-DP-07 Intrusion detection and prevention signatures must be updated with UofT-approved signatures prior to implementation TRUE Approved Recommended Required Required TBD
IFS-DP-08 All events generated by intrusion detection and prevention systems must be centrally correlated and monitored TRUE Approved Recommended Required Required TBD
IFS-DP-09 Monitoring procedures must be documented and implemented, including filtering criteria, thresholds and required follow up actions, up to and including UofT incident management processes TRUE Approved Recommended Required Required TBD
IFS-DP-10 The decision to install host intrusion detection systems (HIDS) and intrusion prevention systems (HIPS) must be determined based on risk. TRUE Approved Recommended Required Required TBD
IFS-DP-11 HIDS/HIPS must be used to monitor applications, system files, and other sensitive activities on the host and provide alerting to security monitoring personnel to identify potential compromises. TRUE Approved Required Required Required TBD
IFS-SL Security Logging Existing Status Public Confidential Restricted Effort
IFS-SL-01 For each security event recorded to a log file, the log file must contain:

  • The specific activity.
  • The date and time stamp.
  • Origin of the activity (e.g., IP address, system).
  • Activity success status.
TRUE Approved Recommended Required Required TBD
IFS-SL-02 The storage capacity of log file media must be appropriately provisioned to prevent log media exhaustion TRUE Approved Recommended Required Required TBD
IFS-SL-03 Logging requirements in UofT will be customized to meet each specific technology environment. For each environment, the logging requirements must be identified, risk assessed, and documented within security hardening requirements TRUE Approved Recommended Required Required TBD
IFS-SL-04 Initial logging requirements must be developed and delivered by the Information Security Program Logging workstream in accordance with its approved schedule FALSE Proposed Required Required Required TBD
IFS-SL-05 Logging requirements must consider the following areas based on the capabilities of the specific technology environment, and rationale for decisions must be documented:
Access Control

  • Login and logout for all user IDs (e.g., personal, privileged, functional etc.).
  • Password changes and resets.
  • Security administration activities (creation, modification, disabling, and deletion of user IDs, group/role/permission management).
  • Access control list configuration activities (creation, modification, deletion of access control lists to resources managed by the operating system).

Event Logging and Auditing

  • Disabling the audit log.
  • Modification of the audit log.
  • Deletion of the audit log.

Infrastructure Administration

  • Configuration changes to the operating system (e.g., modifying password policy, enabling network services, clock/time functions, etc.).
  • Software and hardware installation.
  • Data backup and restore.
  • Hardware cryptographic key generation.
  • Hardware key management functions (e.g., cryptographic key change or revocation).
  • Command line function execution (these are specific to each infrastructure class and must be documented in security hardening requirements).

Security Software

  • Disabling, modifying or deleting of anti-malware, IDS/IPS, and access control software.

Retention

  • Log files must be retained for a period determined by the risk assessment and specified in the hardening requirements.

Other

  • Log files must be sent to a logically segregated central logging facility that is capable of protecting the integrity of the logs
TRUE Approved Recommended Required Required TBD
IFS-SL-06 Logs must not capture or store:

  • Plaintext passwords.
  • Plaintext PINs.
  • Restricted business information.
  • Personal information.
TRUE Approved Required Required Required TBD
IFS-SL-07 Logging requirements in UofT will be customized to meet each specific technology environment. For each environment, the logging requirements must be identified, risk assessed, and documented as a supporting document to this standard—Logging Requirements table. TRUE Approved Required Required Required TBD