This standard sets the requirements necessary to design and implement UofT enterprise computing and network systems that are protected from threats to the confidentiality and integrity of UofT information assets.
Date of Effectiveness | To Be Determined |
Standard Owner | Director, Information Security, Information Technology Services |
Version | Version 0.5 |
Summary showing Section Headings
ID | Section Headings | Brief Description |
IFS-GN | General | |
IFS-ND | Network Design | |
IFS-NC | Network Device Configuration | |
IFS-FW | Firewalls | |
IFS-AC | Network Device Access Control | |
IFS-WS | Wireless Local Area Network (WLAN) Security | |
IFS-RA | Employee Remote Access | |
IFS-SP | External Service Provider / Business to Business (Third Party) Connections | |
IFS-DC | Network Documentation | |
IFS-HS | Workstation, Platform, and Host Security | |
IFS-HA | Workstation, Platform and Host Access Control | |
IFS-VT | Workstation, Platform, and Host Virtualization | |
IFS-MC | Malicious Code | |
IFS-EM | Electronic Messaging Server/Client | |
IFS-MM | Messaging Middleware | |
IFS-DS | Directory Services | |
IFS-PS | Physical Security | |
IFS-DP | Intrusion Detection and Prevention Systems | |
IFS-SL | Security Logging |
Infrastructure Security Standard Controls
Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort |
---|---|---|---|---|---|---|---|
IFS-GN | General | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-GN-01 | The following information must be recorded for all existing and new ITS infrastructure hardware (excluding workstations, IP telephones, and handheld devices): | FALSE | Proposed | Required | Required | Required | TBD |
IFS-GN-02 | Any system, application, or device that is deployed must be secured as defined by published security hardening requirements and must not degrade the security of any other system, application, or device. | TRUE | Approved | Required | Required | Required | TBD |
IFS-GN-03 | All vendor-supplied defaults, documentation files, and test files must be secured as specified within published security hardening requirements. | TRUE | Approved | Required | Required | Required | TBD |
IFS-GN-04 | Network devices, platforms, hosts, or workstations must not be newly implemented after the vendor has ceased providing product updates, security patches, or support. | TRUE | Approved | Required | Required | Required | TBD |
IFS-GN-05 | The implementation of security monitoring tools on network devices, platforms, and hosts, must be considered, and rationale for decisions must be documented. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-GN-06 | Based on risk, monitoring tools must be implemented on network devices, platforms, and hosts. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-ND | Network Design | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-ND-01 | Controls must be in place to ensure that devices connected to the UofT backbone have been approved if they are not contained within an environment where access is protected by two levels of physical security (e.g., data centre). | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-02 | All physical connections to the UofT network from external networks must be approved and documented. | TRUE | Approved | Required | Required | Required | TBD |
IFS-ND-03 | Within the UofT network, the implementation of segregation must be considered, and rationale for decisions must be documented. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-04 | All logical connections between trusted (UofT-controlled) networks and un-trusted networks must traverse a firewall | TRUE | Approved | Required | Required | Required | TBD |
IFS-ND-05 | All instances of network segmentation or zoning must be documented and maintained. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-06 | Segregation of internal laboratories from the rest of the internal network, and other non-production environments, must be considered, and rationale for decisions must be documented | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-07 | Network management and administration must be conducted using approved management infrastructure | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-08 | Network management and administration must be conducted using secure protocols | TRUE | Approved | Required | Required | Required | TBD |
IFS-ND-09 | User-based (human) Internet traffic must be routed through approved proxies that are configured to allow only specific ports and protocols | FALSE | Deferred | Not Applicable | Not Applicable | Not Applicable | TBD |
IFS-ND-10 | Universal Resource Locator (URL) filtering must be implemented for user Internet browsing (e.g. Known Malicious Site Filtering) | FALSE | Deferred | Not Applicable | Not Applicable | Not Applicable | TBD |
IFS-ND-11 | UofT must ensure the internal network is segregated from the following: | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-12 | Internal laboratories must be segregated from the rest of the internal network, and other non-production networks, based on risk. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-ND-13 | Network management and administration must be conducted from designated systems on dedicated LAN segments based on risk. | TRUE | Approved | Required | Required | Required | TBD |
IFS-NC | Network Device Configuration | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-NC-01 | All network ports and services not required for the operation of the network device must be disabled | TRUE | Approved | Required | Required | Required | TBD |
IFS-NC-02 | Source routing on network devices must be disabled | FALSE | Proposed | Required | Required | Required | TBD |
IFS-NC-03 | Proxies or firewalls must implement network address translation of internal systems during communication with public internet networks | FALSE | Proposed | Not Applicable | Not Applicable | Not Applicable | TBD |
IFS-NC-04 | Prior to implementation, copies of network device configurations must be retrieved from the devices and stored on central servers on management LAN segments | TRUE | Approved | Required | Required | Required | TBD |
IFS-NC-05 | Copies of current network device configurations must be stored in more than one secure facility | FALSE | Proposed | Recommended | Required | Required | TBD |
IFS-NC-06 | Network devices must only be implemented if all applicable vendor security patches and maintenance updates have been applied | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-NC-07 | Alerts must be generated when failure conditions occur on network devices. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-FW | Firewalls | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-FW-01 | Firewalls must implement stateful inspection, also known as dynamic packet filtering | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-FW-02 | Firewalls must be configured to: | TRUE | Approved | Required | Required | Required | TBD |
IFS-FW-03 | Firewall rules must go through the UofT approved change management process prior to any rule changes being implemented | FALSE | Proposed | Required | Required | Required | TBD |
IFS-FW-04 | Firewalls managed by UofT Technology or UofT’s designated agents must be managed by a single functional group | FALSE | Proposed | Required | Required | Required | High |
IFS-FW-05 | Firewall rules must not be implemented to permit a combination of any source, any destination, or any port or service | FALSE | Proposed | Required | Required | Required | TBD |
IFS-AC | Network Device Access Control | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-AC-01 | Administrators who are permitted to change the configuration of a network device must not be the same persons approving the change | TRUE | Approved | Required | Required | Required | TBD |
IFS-AC-02 | Direct console access must be authenticated | FALSE | Proposed | Required | Required | Required | TBD |
IFS-AC-03 | All remote (non-console) administrator access to network devices must be encrypted | TRUE | Approved | Required | Required | Required | TBD |
IFS-AC-04 | All remote (non-console) administrator access to network devices must be governed by a centralized authentication service | FALSE | Proposed | Required | Required | Required | TBD |
IFS-AC-05 | Auxiliary console ports not in use must be disabled | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-WS | Wireless Local Area Network (WLAN) Security | Existing | Status | Public | Confidential | Restricted | Impact |
IFS-WS-01 | Intrusion detection must be implemented on all production WLANs | FALSE | Proposed | Required | Required | Required | TBD |
IFS-WS-02 | A minimum of two-factor authentication must be used to authenticate wireless clients to the wireless infrastructure | FALSE | Proposed | Required | Required | Required | TBD |
IFS-WS-03 | Approved encryption must be used during the exchange of authentication credentials, as well as after authentication, to protect data between the WLAN client and the access points | TRUE | Approved | Required | Required | Required | TBD |
IFS-WS-04 | WLAN clients must be secured as defined by published security hardening requirements | FALSE | Proposed | Required | Required | Required | TBD |
IFS-WS-05 | Wireless interface cards must only be implemented in infrastructure where their use is approved and the infrastructure is both physically and logically separated from the UofT internal network. Laptops are excluded from this requirement. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-WS-06 | Workstations (including laptops) must be configured to disable any installed wireless interface cards while physically connected to a LAN using an alternative network interface card | TRUE | Approved | Required | Required | Required | TBD |
IFS-WS-07 | Hosts must be configured to disable any installed wireless interface cards while physically connected to a LAN using an alternative network interface card. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-WS-08 | Servers must not have wireless interface cards, and must be both physically and logically separated from wireless networks. | TRUE | Approved | Required | Required | Required | TBD |
IFS-RA | Employee Remote Access | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-RA-01 | All employee remote access to the UofT network must be authenticated using a centralized access system | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-RA-02 | Two-factor authentication for employee remote access to the UofT network must be implemented | FALSE | Proposed | Not Applicable | Required | Required | TBD |
IFS-RA-03 | All remote connections must be encrypted | TRUE | Approved | Required | Required | Required | TBD |
IFS-RA-04 | Workstations connected remotely to the UofT network must have a personal firewall installed and in operation | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-RA-05 | Split tunnelling must be disabled on all remote connections. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-SP | External Service Provider / Business to Business (Third Party) Connections | Existing | Status | Public | Confidential | Restricted | Impact |
IFS-SP-01 | A process for granting, changing, and removing physical third party connections to the UofT network must be in place and maintained. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-SP-02 | All physical third party network connections to the UofT network must be documented in a list capturing sufficient information to manage the connection, such as: | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DC | Network Documentation | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-DC-01 | All existing firewall rules must be documented, capturing sufficient information to manage the firewall, such as: | FALSE | Proposed | Required | Required | Required | TBD |
IFS-DC-02 | The following firewall rule information must be documented, capturing sufficient information to manage the firewall, such as: | FALSE | Proposed | Required | Required | Required | TBD |
IFS-DC-03 | Accurate network documentation must be developed and must include: | TRUE | Approved | Required | Required | Required | TBD |
IFS-DC-04 | Prior to implementation, network documentation must be developed and must include: | TRUE | Approved | Required | Required | Required | TBD |
IFS-DC-05 | Security hardening requirements for network devices must be developed and implemented and must include: | TRUE | Approved | Required | Required | Required | TBD |
IFS-DC-06 | An inventory of IP address ownership and use to subnet level must be developed. | TRUE | Approved | Required | Required | Required | TBD |
IFS-DC-07 | Accurate network documentation must be developed and must include: | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS | Workstation, Platform, and Host Security | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-HS-01 | Workstations, platforms, and hosts must only be implemented if they have been hardened in accordance with published security hardening requirements | FALSE | Proposed | Required | Required | Required | TBD |
IFS-HS-02 | Workstations, platforms, and hosts must only be implemented if all applicable vendor security patches and maintenance updates have been applied. | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS-03 | Platform and host system management and administration must be conducted using approved management infrastructure | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS-04 | Routing and IP forwarding must be disabled on workstations and host systems with multiple network interface cards | FALSE | Proposed | Required | Required | Required | TBD |
IFS-HS-05 | Implementations of integrated lights-out management (iLO) and remote power management (RPM) must be managed using approved management infrastructure | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS-06 | Workstations must be configured to permit only one connection to the UofT network at any time, and must disable all others | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS-07 | Platform and host system management and administration must be conducted using designated management infrastructure on a dedicated LAN segment. | TRUE | Approved | Required | Required | Required | TBD |
IFS-HS-08 | Alerts must be generated when overload or exception conditions occur on platforms or hosts. | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA | Workstation, Platform and Host Access Control | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-HA-01 | Workstations and hosts must implement encrypted authentication | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-02 | Local workstation administrator access must be restricted and granted only after going through a formal approval process | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-03 | Remote administrative access to workstations must be encrypted | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-04 | Remote (non-console) administrative access to platform and host systems must be encrypted | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-05 | The use of system utilities capable of overriding system and application controls must be restricted to only roles that require it | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-06 | Administrative access to storage systems must be restricted to storage team personnel | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-HA-07 | Administrators who are permitted to change the configuration of platform or host systems must not be the same individuals approving the change | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-HA-08 | Workstations protected by UofT enterprise firewalls must not be directly or indirectly connected to non-UofT networks through modems, DSL routers, or other unauthorized means | TRUE | Approved | Required | Required | Required | TBD |
IFS-HA-09 | Remote support activities requiring modem access to host computing systems for vendor diagnostics must only be permitted if the connection meets the requirements of the External Service Provider / Business to Business (Third Party) Access section | TRUE | Approved | Required | Required | Required | TBD |
IFS-VT | Workstation, Platform, and Host Virtualization | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-VT-01 | Workstation or host operating systems must only implement virtualization if they have been hardened in accordance with published security hardening requirements. | TRUE | Approved | Required | Required | Required | TBD |
IFS-VT-02 | The implementation of virtualization on a workstation must not interfere with the security functions of the workstation operating system | TRUE | Approved | Required | Required | Required | TBD |
IFS-VT-03 | Access to software that creates and maintains virtualization (hypervisor) must be restricted to only those processes and/or personnel requiring access. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-VT-04 | The hypervisor must be updated with UofT tested and verified vendor security updates and patches | FALSE | Proposed | Required | Required | Required | TBD |
IFS-VT-05 | The implementation of a virtual server on a host and its security functions must not interfere with the security functions of any other virtual servers or the host operating system | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MC | Malicious Code | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-MC-01 | Up-to-date anti-virus software must be installed and enabled on all applicable workstations, platforms and hosts, in accordance with published security hardening requirements | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MC-02 | Anti-virus programs must detect and protect against other forms of malware, such as spyware | FALSE | Proposed | Required | Required | Required | TBD |
IFS-MC-03 | Anti-virus software must be capable of generating audit logs | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MC-04 | Privileged access must be required to disable an actively running anti-virus | TRUE | Approved | Required | Required | Required | TBD |
IFS-MC-05 | The need to deploy additional layers of anti-virus protection for certain services, such as email or web surfing, must be evaluated, and rationale for decisions must be documented | FALSE | Proposed | Required | Required | Required | TBD |
IFS-MC-06 | Anti-virus software must be centrally managed including the ability to report on out-of-date virus updates. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-EM | Electronic Messaging Server/Client | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-EM-01 | External facing electronic messaging systems must be located in a dedicated network segment that is protected by firewalls at all entry and exit points. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-EM-02 | Malware scanning and spam filtering must be implemented. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-EM-03 | Service banners of electronic mail protocols (for example SMTP, POP, IMAP) must not report mail server and operating system type and version | TRUE | Approved | Required | Required | Required | TBD |
IFS-EM-04 | Limitations on the size and types of electronic mail attachments must be implemented | TRUE | Approved | Required | Required | Required | TBD |
IFS-EM-05 | Electronic mail browser access must be supported only through encrypted channels | TRUE | Approved | Required | Required | Required | TBD |
IFS-EM-06 | Electronic messaging clients must be updated with tested and verified vendor security patches | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-EM-07 | Electronic messaging clients must be configured with security features enabled as defined within specific hardening instructions | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-EM-08 | Anti-spoofing and reputational filtering must be implemented on all externally facing electronic messaging systems | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MM | Messaging Middleware | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-MM-01 | Based on a documented risk assessment and specified within either a published security hardening requirements or an IRRM (Threat Risk Assessment), messaging middleware must: | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MM-02 | Messaging middleware must be capable of handling encrypted data | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-MM-03 | Changes to existing infrastructure for capacity expansion or hardware replacement/refresh purposes are excluded from the following section of requirements. | FALSE | Proposed | Required | Required | Required | TBD |
IFS-DS | Directory Services | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-DS-01 | Directory service systems must protect access authenticators, both in transit and storage, using appropriate encryption and/or hash mechanisms | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DS-02 | Directory service systems must be capable of enforcing access controls across multiple systems | TRUE | Approved | Required | Required | Required | TBD |
IFS-DS-03 | Access to directory objects must be restricted in accordance with the principle of least privilege | TRUE | Approved | Required | Required | Required | TBD |
IFS-PS | Physical Security | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-PS-01 | ISEA or D/D/F Security must be consulted to determine appropriate locations and protection requirements for all network devices and hosts | FALSE | Proposed | Required | Required | Required | TBD |
IFS-DP | Intrusion Detection and Prevention Systems | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-DP-01 | All Internet facing and extranet networks must have network intrusion detection systems (NIDS) deployed. The need to deploy intrusion detection and prevention systems elsewhere must be evaluated, and rationale for decisions must be documented. | TRUE | Approved | Required | Required | Required | TBD |
IFS-DP-02 | Where deployed, NIDS and network intrusion prevention systems (NIPS) must be used to monitor network traffic for malicious code or attacks | TRUE | Approved | Required | Required | Required | TBD |
IFS-DP-03 | NIPS must be capable of automatically responding to potential threats | TRUE | Approved | Required | Required | Required | TBD |
IFS-DP-04 | NIDS and NIPS must provide alerting to security monitoring personnel | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-05 | IS must be advised of all planned changes to the network that impact the effectiveness of deployed intrusion detection and prevention systems | FALSE | Proposed | Required | Required | Required | TBD |
IFS-DP-06 | Where deployed, host intrusion detection systems (HIDS) and host intrusion prevention systems (HIPS) must be used to monitor applications, system files, and other sensitive activities on the host and provide alerting to security monitoring personnel to identify potential compromises. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-07 | Intrusion detection and prevention signatures must be updated with UofT-approved signatures prior to implementation | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-08 | All events generated by intrusion detection and prevention systems must be centrally correlated and monitored | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-09 | Monitoring procedures must be documented and implemented, including filtering criteria, thresholds and required follow up actions, up to and including UofT incident management processes | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-10 | The decision to install host intrusion detection systems (HIDS) and intrusion prevention systems (HIPS) must be determined based on risk. | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-DP-11 | HIDS/HIPS must be used to monitor applications, system files, and other sensitive activities on the host and provide alerting to security monitoring personnel to identify potential compromises. | TRUE | Approved | Required | Required | Required | TBD |
IFS-SL | Security Logging | Existing | Status | Public | Confidential | Restricted | Effort |
IFS-SL-01 | For each security event recorded to a log file, the log file must contain: | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-SL-02 | The storage capacity of log file media must be appropriately provisioned to prevent log media exhaustion | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-SL-03 | Logging requirements in UofT will be customized to meet each specific technology environment. For each environment, the logging requirements must be identified, risk assessed, and documented within security hardening requirements | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-SL-04 | Initial logging requirements must be developed and delivered by the Information Security Program Logging workstream in accordance with its approved schedule | FALSE | Proposed | Required | Required | Required | TBD |
IFS-SL-05 | Logging requirements must consider the following areas based on the capabilities of the specific technology environment, and rationale for decisions must be documented: Access Control; Event Logging and Auditing; Infrastructure Administration; Security Software; Retention; Other | TRUE | Approved | Recommended | Required | Required | TBD |
IFS-SL-06 | Logs must not capture or store: | TRUE | Approved | Required | Required | Required | TBD |
IFS-SL-07 | Logging requirements in UofT will be customized to meet each specific technology environment. For each environment, the logging requirements must be identified, risk assessed, and documented as a supporting document to this standard—Logging Requirements table. | TRUE | Approved | Required | Required | Required | TBD |