Third Party System Guidelines
Information Protection Guides
Securing Third Party (Contractor) Systems on Campus
To keep campus network assets safe, third party systems must undergo a security assessment to confirm they are resilient to internal and external attacks, and any vulnerabilities identified must be remediated.
All systems are to be checked by the IT Security Officer before the system goes live.
The following checklist provides guidance to contractors and departments on how to properly secure a system.
Policy and Governance
- The Acceptable Computing Use policy applies to all third party systems and those individuals who use them. Contractors should read and acknowledge this policy
- Campus departments are responsible for ensuring the contractor receives a copy of the policy
Operating System and Basic Applications
- Check to make sure all security patches have been applied and are up to date. Patches should be applied at regular intervals to ensure new vulnerabilities have been mitigated
- The system should have anti-virus and/or anti-malware software installed. These programs should be updated regularly so they can detect newly identified hostile code
- If a personal firewall is part of the system, it should be turned on and configured so that any open services running on the system are protected from unauthorized access
- All unnecessary services on the system should be turned off
- User accounts should be created and limited to the specific role the system is there to perform. Administrator or root accounts should not be used for daily use
- Strong passwords should be used on all accounts
- When idle, systems should automatically log off or apply a password-protected screensaver
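The "unnecessary services" and "limited accounts" items are the ones most often missed at go-live, so here is an added example (not part of the guidelines) of a small offline audit the IT Security Officer could run against evidence collected from the host: the listening-socket table as printed by `ss -tlnH` and an excerpt of `/etc/passwd`. Both inputs below are constructed, and the role definition (`ROLE_ALLOWED_PORTS`, a hypothetical web front-end) is an assumption; a real run would read the same data from the host.

```python
"""Pre-go-live audit of a contractor host against the checklist above.

Added example, not part of the guidelines. It works on captured command
output rather than the live host so it runs offline. All sample data is
constructed.
"""

# Constructed: what `ss -tlnH` prints on the host (listening TCP sockets,
# numeric addresses, no header). Field 4 is local address:port.
SS_OUTPUT = """\
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 128 0.0.0.0:443 0.0.0.0:*
LISTEN 0 80 127.0.0.1:3306 0.0.0.0:*
LISTEN 0 128 0.0.0.0:5900 0.0.0.0:*
"""

# Constructed /etc/passwd excerpt.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
appsvc:x:1001:1001:Application service:/srv/app:/usr/sbin/nologin
contractor:x:1002:1002:Vendor support:/home/contractor:/bin/bash
toor:x:0:0:second admin:/root:/bin/bash
"""

# Hypothetical role definition: the ports a web front-end is there to serve.
ROLE_ALLOWED_PORTS = {22, 443}

LOOPBACK = {"127.0.0.1", "[::1]"}


def listening_ports(ss_text):
    """Return {port: local_address} for every LISTEN line in `ss -tlnH` output."""
    ports = {}
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, _, port = fields[3].rpartition(":")  # handles [::]:22 as well
        ports[int(port)] = addr
    return ports


def unexpected_services(ss_text, allowed_ports):
    """Ports exposed to the network that the system's role does not require.

    Loopback-only sockets are skipped: they cannot be reached from the campus
    network, so they are not an exposure in the sense of the checklist.
    """
    findings = []
    for port, addr in sorted(listening_ports(ss_text).items()):
        if port in allowed_ports or addr in LOOPBACK:
            continue
        findings.append(port)
    return findings


def uid0_accounts(passwd_text):
    """Every account with UID 0; anything besides root is a second admin login."""
    names = []
    for line in passwd_text.splitlines():
        parts = line.split(":")
        if len(parts) >= 3 and parts[2] == "0":
            names.append(parts[0])
    return names


def audit(ss_text, passwd_text, allowed_ports):
    """Collect human-readable findings; an empty list means both checks passed."""
    findings = []
    for port in unexpected_services(ss_text, allowed_ports):
        findings.append(f"port {port} listens on the network but is not required by the role")
    for name in uid0_accounts(passwd_text):
        if name != "root":
            findings.append(f"account {name} has UID 0 (additional administrator account)")
    return findings


if __name__ == "__main__":
    for finding in audit(SS_OUTPUT, PASSWD, ROLE_ALLOWED_PORTS):
        print("FAIL:", finding)
```

On the constructed data the audit flags the VNC port (5900) as an unneeded exposed service and `toor` as a second UID 0 account, while the MySQL socket bound to 127.0.0.1 is accepted. The same structure extends naturally to other checklist items (pending patches, screen-lock timeout) by adding a parser for the relevant command output.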
Physical Security and Contingency Planning
- The system should be located in a secure area and access limited to only those individuals who require it
- Provisions should be made for sudden loss of availability, such as a UPS, redundant hard drives, full system backups and documentation for system recovery
- Campus departments should have first-line contact information for the contractor in the event of a disaster or system failure
- Placement on the campus network is defined by the role the system will play. If the system provides a crucial service or hosts/accesses sensitive or highly sensitive information, it should be segregated from other networks and systems using firewalls and access lists
- If Internet access is not a functional requirement, it should be denied
- If Internet access is required for specific reasons such as program updates, outbound access should be restricted to only those sites
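Restricting a contractor system to "only those sites" is only verifiable if someone checks the firewall logs against the agreed list. The following added example (not part of the guidelines) does that check over constructed log lines in the `SRC=... DST=... DPT=...` style that Linux netfilter logging produces. The allowlist entries are placeholder addresses standing in for the vendor's update servers; a department would substitute the destinations named in the contract.

```python
"""Egress check: flag outbound connections from a contractor system that are
not on its agreed update allowlist.

Added example, not part of the guidelines. Log lines and allowlist entries are
constructed; the address blocks are documentation ranges used as placeholders.
"""
import ipaddress
import re

# Hypothetical allowlist: destination (host or CIDR) -> permitted TCP ports.
EGRESS_ALLOWLIST = {
    "198.51.100.20": {443},    # placeholder: vendor update server
    "203.0.113.0/24": {443},   # placeholder: vendor content-delivery range
}

# Constructed log lines for outbound traffic from the contractor host 10.20.5.14.
FW_LOG = """\
Mar 03 09:12:01 fw kernel: OUT SRC=10.20.5.14 DST=198.51.100.20 PROTO=TCP DPT=443
Mar 03 09:12:07 fw kernel: OUT SRC=10.20.5.14 DST=203.0.113.77 PROTO=TCP DPT=443
Mar 03 09:13:40 fw kernel: OUT SRC=10.20.5.14 DST=192.0.2.99 PROTO=TCP DPT=443
Mar 03 09:14:02 fw kernel: OUT SRC=10.20.5.14 DST=198.51.100.20 PROTO=TCP DPT=8080
"""

LINE_RE = re.compile(r"SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)")


def compile_allowlist(allowlist):
    """Turn the human-written allowlist into (network, ports) pairs.

    A bare address becomes a /32 network, so hosts and ranges are handled alike.
    """
    return [(ipaddress.ip_network(entry, strict=False), ports)
            for entry, ports in allowlist.items()]


def is_allowed(dst, dport, compiled):
    """True if destination address and port match some allowlist entry."""
    addr = ipaddress.ip_address(dst)
    return any(addr in net and dport in ports for net, ports in compiled)


def violations(log_text, allowlist):
    """Return (dst, dport) for every logged outbound connection off the allowlist."""
    compiled = compile_allowlist(allowlist)
    found = []
    for line in log_text.splitlines():
        match = LINE_RE.search(line)
        if not match:
            continue  # not a connection record
        dst, dport = match["dst"], int(match["dpt"])
        if not is_allowed(dst, dport, compiled):
            found.append((dst, dport))
    return found


if __name__ == "__main__":
    for dst, dport in violations(FW_LOG, EGRESS_ALLOWLIST):
        print(f"not on allowlist: {dst}:{dport}")
```

Two of the four constructed connections are flagged: one to an address outside every allowed range, and one to an allowed host on a port the contract did not cover. Running this against real logs after go-live is the evidence that the "only those sites" requirement is actually being met rather than merely written down.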