This standard outlines the operational requirements necessary to maintain the security posture of infrastructure and associated applications deployed in production environments up to and including decommissioning and disposal.
Date of Effectiveness |
To Be Determined |
|
Standard Owner |
Director, Information Security, Information Technology Services |
|
Version |
Version 0.5 |
Summary showing Section Headings
| ID | Section Headings | Brief Description |
| OPS-GN | General | |
| OPS-SN | Security Hardening | |
| OPS-PM | Vendor Security Patch Management | |
| OPS-AV | Antivirus Software | |
| OPS-SM | Security Monitoring and Intrusion Detection | |
| OPS-VA | Vulnerability Assessment | |
| OPS-PT | Penetration Testing | |
| OPS-IM | Security Incident Management | |
| OPS-NO | Network Operations | |
| OPS-FW | Firewalls (OPS) | |
| OPS-DR | System Backups, Restorations, and Disaster Recovery | |
| OPS-DD | Decommissioning and Disposal of Hardware and Media |
Operational Security Standard Controls
| Control ID | Control | Existing | Status | Public | Confidential | Restricted | Effort |
|---|---|---|---|---|---|---|---|
| OPS-GN | General | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-GN-01 | Operational activities, processes, and changes to infrastructure and applications must not circumvent or degrade any security controls implemented in accordance with published security hardening requirements. Temporary disablement of security controls necessary to facilitate a change must be identified and approved through the Enterprise Change Management process. | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-GN-02 | Security based operational processes, security hardening requirements, and other documentation defined in this standard must be followed and must be reviewed annually or as identified by process owners. | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-GN-03 | Following the implementation of any changes to the network infrastructure all related configuration copies and documentation (including processes and disaster recovery documents) must be updated and stored in more than one secure facility. | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-SH | Security Hardening | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-SH-01 | As part of an annual review, a formal process must be followed to ensure that risk associated with individual platforms is regularly assessed and any updates required to published security hardening requirements are identified and documented. | FALSE | Proposed | Required | Required | Required | TBD |
| OPS-SH-02 | All security hardening requirements must be approved by ISEA. | TRUE | Approved | Required | Required | Required | TBD |
| OPS-PM | Vendor Security Patch Management | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-PM-01 | To ensure that systems are continuously hardened, a process must be developed, documented, and implemented for assessing and approving vendor security patches on designated network devices, hosts, platforms, and workstations. The process must identify:
|
TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-PM-02 | Once notification is received that a vendor will cease providing product security updates, patches or support, affected network devices, platforms, hosts, or workstations must be identified and risk-assessed. The risk assessment results must be documented and an action plan for decommissioning must be developed and approved | TRUE | Approved | Recommended | Required | Required | Medium |
| OPS-AV | Antivirus Software | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-AV-01 | Antivirus software must be centrally managed and monitored. | FALSE | Proposed | Recommended | Required | Required | TBD |
| OPS-AV-02 | A privileged-class ID must be required to disable anti-virus software | TRUE | Approved | Required | Required | Required | TBD |
| OPS-AV-03 | ISEA must approve the disabling of anti-virus software | FALSE | Proposed | Required | Required | Required | TBD |
| OPS-AV-04 | Antivirus software must be kept up-to-date and actively running as designated by published security hardening requirements. These requirements must identify specific platforms on which anti virus products must be installed. If it is identified, it must be installed on all instances of that platform. | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-SM | Security Monitoring and Intrusion Detection | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-SM-01 | Processes must be developed, documented, and implemented for monitoring, assessing, and escalating security events. The process must identify and define targets, methods, monitoring frequency, log review (as defined in the Infrastructure and Application Security standards) frequency, and escalation procedures. | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-SM-02 | A process must be developed, documented, and implemented for monitoring, correlating, and assessing security events detected by network and host intrusion detection and prevention systems (NIDS, NIPS, HIDS, and HIPS). The process must determine and document the criteria used to select monitoring targets, methods and frequencies; the frequency of implementation of updates; and escalation procedures. | TRUE | Approved | Required | Required | Required | TBD |
| OPS-VA-01 | Vulnerability Assessment | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-VA-01 | A process must be developed, documented, and implemented for conducting vulnerability assessment (VA) scanning on production network segments. The process must identify:
|
TRUE | Approved | Required | Required | Required | TBD |
| OPS-PT | Penetration Testing | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-PT-01 | Penetration testing must be conducted on infrastructure and applications according to the schedule and methodology detailed in the ISEA Penetration Testing Document. | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-PT-02 | Departments, Division and Faculties must notify ISEA prior to implementing a new version or major release of an Internet-facing environment. The need to conduct or not conduct penetration testing based on the changes implemented must be determined and documented. | FALSE | Deferred | Required | Required | Required | TBD |
| OPS-PT-03 | Penetration testing must be conducted by an approved independent internal unit or independent third party service provider. | FALSE | Proposed | Required | Required | Required | TBD |
| OPS-PT-04 | Frequency and applicability of systems for penetration testing must be documented in the ISEA Penetration Testing Document | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-PT-05 | The resource or application owner must ensure that the recommendations resulting from the penetration testing are implemented within the timeframes defined in the ISEA Penetration Testing Document | TRUE | Approved | Recommended | Required | Required | TBD |
| OPS-IM | Security Incident Management | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-IM-01 | A process must be developed, documented, and implemented for monitoring, analyzing, escalating, and responding to identified information security incidents | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-IM-02 | All incidents determined to have security implications must be managed in accordance with the Coordinated Information Security Incident Response Process (CISIRP). | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-IM-03 | All information security incident management must be centrally coordinated and managed by ISEA. | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-NO | Network Operations | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-NO-01 | Use of approved network packet capturing tools, diagnostic probes, or diagnostic modes on network devices must be restricted to approved personnel. Any data captured or created by approved network packet capturing tools, diagnostic probes, or diagnostic modes on network devices is considered Confidential | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-NO-02 | Third party network connections to the UofT network must be reviewed annually. | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-FW | Firewalls (OPS) | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-FW-01 | Firewalls managed by UofT Technology or UofT’s designated agents must be centrally managed | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-FW-02 | Firewall configurations must be updated and maintained according to documented and approved published security hardening requirements | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-FW-03 | All firewall rules must be reviewed, at minimum, on an annual basis, and rules that are no longer required must be disabled | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-DR | System Backups, Restorations, and Disaster Recovery | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-DR-01 | Information security controls in disaster recovery environments must provide a similar level of assurance as those implemented within UofT production environments | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-DD | Decommissioning and Disposal of Hardware and Media | Existing | Status | Public | Confidential | Restricted | Effort |
| OPS-DD-01 | Decommissioning and disposal of all hardware and media must be performed in accordance with UofT approved processes | TRUE | In Progress | Required | Required | Required | TBD |
| OPS-DD-02 | Removal and decommissioning of UofT hardware must be restricted to approved personnel | TRUE | In Progress | Required | Required | Required | TBD |