Standard for System Integrity

Purpose

This standard establishes the university's requirement to maintain the integrity of its information systems, so that data processing is protected against malicious attacks, unauthorized changes to those systems, and unauthorized use of those systems beyond their original intent.

Scope

The scope of this standard covers all electronic systems that provide computer services, or that store or process university data, whether managed centrally by C&IT or at a departmental support level. 

Roles and responsibilities

University IT staff will configure information systems under their authority with the proper controls to ensure system integrity.

University management will include the minimum requirements defined by this standard and its related materials wherever they are necessary to ensure that system integrity is protected.

The C&IT Information Security Office assists system administrators in ensuring their systems and applications meet the minimum requirements defined by this standard and related materials.

System integrity standards, procedures, and guidelines

Detailed procedures, standards, and guidelines will be authored and maintained by the C&IT Information Security Office outlining the specific system integrity controls to be developed and implemented, along with appropriate guidance when necessary. New or modified procedures, standards, and guidelines will be communicated to all University IT staff once approved by the C&IT Risk & Security Oversight Committee.

Organizational coordination

The C&IT Information Security Office will solicit feedback from on-campus IT units regarding the effectiveness and applicability of this standard and related materials, which will be taken into consideration during periodic standard reviews. This standard and associated documents will be openly published and communicated to all IT staff at a minimum of an annual basis.

Compliance

All university units are required to be in compliance with this standard and any associated materials. Any exception to this standard must be approved by the C&IT Information Security Office, will be given a deadline for achieving compliance, and will be reviewed on an annual basis.

Standard review

This standard and any associated materials will be reviewed at a minimum on an annual basis by the C&IT Risk & Security Oversight Committee.

Definitions

  • As used in this standard, Information System refers to a single or group of computing devices that are collectively designed to perform the task of collecting, storing, and processing enterprise data to produce the desired output.
  • As used in this standard, Malicious Code refers to any unwanted software running within an Information System designed to cause harm, compromise data, or have other adverse effects on normal operations of that system. Examples include viruses, worms, Trojan Horses, and ransomware.
  • As used in this standard, enterprise systems are electronic information systems maintained by C&IT that contain confidential institutional data. Current examples of enterprise systems include Banner, Cognos, and Imaging.

General standards for system integrity

The university must use and maintain the following controls in all active information systems to maintain a standard and reliable Information System:

  1. Flaw remediation: All information systems must have a plan to address system flaws (e.g. software bugs or other defects that prevent the system from running as intended) in firmware, operating system, application, or other code responsible for processing data. Any Information System processing university data must have:
    • A process for monitoring and identifying system flaws, including security alerts generated both internally and externally to the university;
    • A process for regularly applying fixes to address system flaws, automated with a patch management tool when possible;
    • A process that verifies the system flaw has been completely removed from the system;
    • A process for managing the changes that address system flaws.
  2. Malicious code protection: All information systems must use a C&IT-approved mechanism for protecting against malicious code. This mechanism must:
    • Block, quarantine, and alert administrators to malicious or suspicious activity, including activity in active memory;
    • Use signature-based or heuristic-based detection that is regularly updated, through an automated process when possible;
    • Regularly scan systems for malicious code, in real time when possible;
    • Ensure that its configuration can only be modified by a user with System Administrator or system-level privileges.
  3. Data processing: All university systems must provide a mechanism to validate data during input, processing, and output by:
    • Performing proper validation of data input;
    • Ensuring proper handling of creating and closing sessions in memory, using non-persistent mechanisms when feasible;
    • Validating that system output is formatted as expected;
    • Ensuring that system errors generate only the minimal information necessary to correct the problem, using fail-safe procedures;
    • Using predictive failure mechanisms and/or self-correcting measures whenever possible.
  4. Data transmission: Transmission of data within an Information System must use secure methods of communication for both internal and external data flows.
    • Internal data flows must use mechanisms that ensure data is processed within protected memory and that data reads and writes are properly validated;
    • Any Information System that is virtualized, including containerized, must implement measures to protect against "data leakage" between shared physical system components such as memory and disk;
    • Any data flows between systems that traverse an internal network, including virtual networks, should use a secure protocol when feasible;
    • Any data flows between systems that traverse an external network must use secure protocols; if a secure protocol is not available, the data must be encapsulated by a VPN or a similar method of secure transport;
    • All secure protocols must follow C&IT standards for minimum encryption strength, and the encryption mechanism should provide for non-repudiation when feasible.
  5. Data at rest:
    • Data at rest should be encrypted based on data sensitivity as defined by the University data governance standards and must follow University encryption standards;
    • Encryption may be performed at the disk level, physical or virtual, and at the file or database level;
    • Any PII stored on mobile computing devices (laptops, phones, tablets, etc.) or on removable media must at minimum be encrypted at the disk level.
  6. Information system monitoring: Critical Information System components must be regularly monitored for signs of malicious attacks, unintended changes, and unintended use of the system by:
    • Regular review of system logs and change records by a person of appropriate authority, or by implementing a system that provides automated monitoring of adverse activity;
    • Alerting system owners and the Information Security Office to any adverse or potentially adverse activity.
  7. SPAM protection: All Information Systems must deploy or subscribe to a mechanism for protecting against unwanted messages both entering and leaving an Information System. This mechanism must be regularly updated.
  8. Information retention: All data contained in an Information System must be retained following all University policies and contractual commitments, and must be in compliance with all federal, state, and local laws as identified by the Office of the General Counsel.
  9. Data disposal: Data should be deleted or destroyed once there is no longer a business need to keep the information. For any data stored as part of a third-party agreement, such as a Solution-as-a-Service (SaaS) application, the data must also be returned to WSU at the end of the contract term and then destroyed in all third-party Information Systems, including copies of backup data.

Additional standards for enterprise systems

Enterprise systems that store or process confidential data are subject to a higher standard of system integrity and require the following additional security controls.

  1. Additional malicious code protection: Enterprise systems should use a C&IT-approved next-generation anti-malware mechanism that includes Endpoint Detection and Response (EDR) functionality. If for some reason this mechanism cannot be deployed, a combination of system integrity monitoring, application allow/deny listing, and off-system log storage may be used as an alternative.
  2. Additional mechanisms for university-developed code: All code developed for use in enterprise systems must follow the university secure coding guidelines and at minimum, be peer-reviewed before being deployed to production. Enterprise systems of high risk may require additional review and testing as determined by the Information Security Office.
  3. Personally identifiable information quality: Regularly validate that all critical Personally Identifiable Information (PII) is relevant and correct. A process should be created for correcting PII that is incorrect, outdated, or no longer relevant to the business process.
  4. Data de-identification: High-risk data elements such as Social Security Numbers (SSN) and Payment Card Data (PCI) must be de-identified or displayed in a masked format when stored in an enterprise system. This must be done in a manner that does not change the underlying data elements in order to allow access to the data for individuals with exceptional business needs.
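The masked-display requirement above, as an added illustration that is not part of the standard or any WSU system: the stored SSN and card number are never altered, the default view masks all but the last four digits, and the raw value is released only to callers whose role is on a hypothetical approved-need list (the role names are assumptions for the example).

```python
"""Display-side masking for SSN and payment card numbers.
Added example, not code from the standard. The stored record is left intact;
only the representation returned to a caller is masked."""
import re
from dataclasses import dataclass

SSN_RE = re.compile(r"^\d{3}-?\d{2}-?\d{4}$")   # 123-45-6789 or 123456789
PAN_RE = re.compile(r"^\d{13,19}$")             # card primary account number


def mask_ssn(ssn: str) -> str:
    """Return the SSN with only the last four digits visible: ***-**-6789."""
    if not SSN_RE.match(ssn):
        raise ValueError("not a well-formed SSN")
    digits = ssn.replace("-", "")
    return f"***-**-{digits[-4:]}"


def mask_pan(pan: str) -> str:
    """Return the card number with only the last four digits visible, length preserved."""
    if not PAN_RE.match(pan):
        raise ValueError("not a well-formed card number")
    return "*" * (len(pan) - 4) + pan[-4:]


@dataclass(frozen=True)
class Record:
    """Stored form: fields kept unchanged so privileged access remains possible."""
    name: str
    ssn: str
    pan: str


# Hypothetical roles that have been granted an exceptional business need.
REVEAL_ROLES = {"payroll_admin", "pci_auditor"}


def render(record: Record, role: str) -> dict:
    """Build the view of a record for one role: masked by default, raw only for REVEAL_ROLES."""
    reveal = role in REVEAL_ROLES
    return {
        "name": record.name,
        "ssn": record.ssn if reveal else mask_ssn(record.ssn),
        "pan": record.pan if reveal else mask_pan(record.pan),
    }


# Constructed sample record; the values are test patterns, not real data.
SAMPLE = Record(name="A. Student", ssn="123-45-6789", pan="4111111111111111")
```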

Non-compliance

The C&IT Information Security Office may limit access to or from a system if it does not meet the above standards.

Exceptions

Exceptions to these standards may be granted by the Information Security Office given a business justification and a satisfactory risk assessment. In such cases, the system owner shall acknowledge the risk and take responsibility for any breaches, incidents, or compromises that occur as a result of not utilizing a supported operating system.