PantherTech Support

ITS Security Assessment and Configuration Review Policy

Policy Statement

To ensure the security of computers in use at the University, all such resources used to house and/or process University information will be subject to monthly security assessment scans. In addition to monthly assessment scans, any computer server housing protected and/or personal information will be subject to an annual configuration review to ensure proper configuration.

Entities Affected By This Policy

Any University department, group or area responsible for the operation and administration of a computer server or information storage area containing University information or connected to the University’s network are affected by this policy.

Contacts

EIU Information Security 217-581-1939

Policy

Security Assessments

Security Assessments of computer servers and information storage areas will be conducted on a monthly basis.

Security Assessments will include automated scans assessing at least, but not limited to:

• Current patch level of server Operating System;
• Current patch level of applications installed;
• and Configuration issues that may result in risks to server operation.

Security Assessments will contain:

• Assessments of risk found on the computer servers;
• Details, if available, on how the risk was discovered;
• A ranking of the severity of the risk;
• and Recommendations for remediating the risks.

Configuration Reviews

Configuration Reviews will be required of any computer server containing protected and/or personal information prior to implementation of the resource and/or following a significant change to the resource.

Configuration Reviews will be done annually for all computer server containing protected and/or personal information.

Computer server owners and/or those individuals tasked with the administration and/or maintenance of such a resource containing protected and/or personal information must notify the Information Security group when:

• Implementing a new resource;
• and/or There is a significant change to an existing information resource.

Configuration Reviews may occur outside of regularly scheduled timeframes if the Information Security group or the University becomes aware of a significant new risk to information resources at the University.

Security Assessment and Configuration Review Results

Results will be distributed as soon as possible following the Security Assessment and/or Configuration Review.

Results will be delivered in an electronic format and be made available to authorized individuals either through email or a web page

Additional distribution of Security Assessment and/or Configuration Review results may be made available upon request through the Assistant Director of Information Security or the Dean, Director or Department Head that owns the resource

Basic Sercurity Configuration

Eastern Illinois University ITS adheres to the principle of secure configurations by implementing secure configurations by utilizing system hardening controls and safeguards such as disk encryption or system restore software, malware protection, and vendor supplied security patches.

Compromised Accounts, Account Locks, Password Resets, and Disabled Accounts

Any EIU NetID accounts that have known, reported, or suspected compromised passwords will be password reset until the real authorized user is able to contact the ITS Help Desk.

• The Information Security Team will make a good faith effort to identify and contact the owner when this happens via direct contact or with the assistance of the ITS Help Desk.
• The Information Security Incident Response Policy empowers ITS to defend the EIU network.
• Accessing University information and information resources are done using unique identifiers and authenticators based on the ITS Authentication Policy.

The Information Security Team will follow the guidelines set by the University Network Identity Life-Cycle Policy, as outlined above, but will have authority to use judgement and discretion on password resets, account lockouts, and account disablement in the event a security incident or compromised account is suspected.

Examples of a security incidents include, but are not limited to brute force attempts, phishing attacks, suspicious logins from malicious IP geo-locations, impossible travel activity, and user activity from infrequent countries.

The Information Security Team strives to ensure Confidentiality, Integrity, and Availability of the EIU network. Active threat hunting and helping to ensure only authorized users are allowed to access the campus network is a critical function for information security. It is recognized an authorized user not having access temporarily is an inconvenience, and ITS will strive to limit that downtime as quickly as possible.

Credit Cards Payments on Campus

The Payment Card Industry Data Security Standard (PCI DSS) is a set of security standards designed to protect cardholder data. It is enforced by the Payment Card Industry Security Standards Council (PCI SSC), which is a group of major credit card brands. The PCI DSS applies to all organizations that store, process, or transmit cardholder data. Organizations that fail to comply with the PCI DSS may be subject to fines, penalties, and other sanctions. They may also be liable for any losses incurred by cardholders as a result of a data breach. Following the PCI DSS is essential for protecting cardholder data and preventing data breaches. By following the PCI DSS, EIU can help to keep their customers' data safe and secure. Please work with our Bursar office to ensure safe acceptance of credit card data.

Related Documents

https://www.pcisecuritystandards.org/

Supporting Policies, Procedures and Guidelines

University Network Identity Life-Cycle Policy

Last Date Reviewed: 05/23/2023