
Information Security Best Practices


Overview

The Office of Information Security (OIS) has published several best practices for common IT environments and scenarios that the University encounters. OIS recommends implementing these best practices regardless of the sensitivity of the data, because they represent the minimum security posture. These security controls are considered voluntary at this time.

Penn IT staff members are encouraged to evaluate the technical environment to determine whether it meets these recommendations and to prioritize system-implementation efforts by risk level. As the field of Information Security is constantly evolving, these best practices may be updated over time. 

All of the recommendations will be considered for future inclusion in official University IT Policy.

If you have any questions regarding these best practices, you may email OIS at security@isc.upenn.edu.

 

  • Application
  • Endpoint
  • Server
  • Logging
  • Secure Disposal

Application Best Practices

Definition: An application is defined as software running on a server that is network accessible, including mobile applications.

Standard

Recommendation

Resource

Critical Components

If there is sensitive data, register the host and application in Critical Components to ensure regular vulnerability scanning starting before rollout. For web applications, scan with a web application vulnerability scanner.

Critical Components
https://www.isc.upenn.edu/security/critcomp
WebInspect
http://www.upenn.edu/oacp/audit/audit101/it-controls.html#application-security

Secure Coding

Follow secure coding best practices, such as OWASP (for web applications), and implement an SDLC (Software Development Life Cycle) whenever possible. An SDLC should include regular regression testing, code review, security as a design requirement, and use of a framework.

OWASP (See Quick Download section)
https://www.owasp.org/index.php/Category:OWASP_Top_Ten_Project
CERT (See coding standards for C, Android, C++, Java, and Perl)
https://www.securecoding.cert.org/confluence/display/seccode/SEI+CERT+Coding+Standards
Join Developer SIG
https://www.upenn.edu/computing/group/signup/index.html
Developer SIG Code Contributions
https://gitlab.com/groups/upenn-dev-sig
Developer SIG Slack Channel
https://upenn-dev-sig.slack.com

Sensitive Data

Consider your use of sensitive data - if you must store it, use encryption in transit and at rest.

Computer Security Policy
http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html
Consult ISC Information Security (security@isc.upenn.edu) about alternatives to handling sensitive data.

Patching

Security patches must be applied on a timely basis.

Computer Security Policy
http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html
University Computing Policies
http://www.upenn.edu/computing/policy/

SPIA

Conduct SPIA (Security and Privacy Impact Assessment), including inventory of applications, libraries on which they depend, application contacts/developers, data classifications, and data volume estimates. Consider any policy or legal implications as appropriate, consulting others as needed.

SPIA
https://www.isc.upenn.edu/security/spia

Account Review

Review accounts & privileges regularly.

PennGroups where possible, or equivalent control
http://www.upenn.edu/computing/penngroups/

Credential Management

Follow secure password handling practices for passwords used by the application, and wherever possible, use the campus authentication system for user passwords.

Strong password recommendations for PennKeys
https://weblogin.pennkey.upenn.edu/changepassword
Best practices for password handling in applications
https://www.isc.upenn.edu/security/password-handling
Penn WebLogin
http://www.upenn.edu/computing/weblogin/
Two-Step Verification 
https://www.isc.upenn.edu/how-to/two-step-faq#Two-Step-Verification-FAQ

Endpoint Best Practices

Definition: Any laptop, desktop or mobile operating system.

Standard

Recommendation

Resource

Security Patching

Apply security patches within seven days of being published. Use a supported OS version.

Penn Endpoint Management Service (PennEM)
https://www.isc.upenn.edu/endpoint-management
Configure OS to perform automatic updates.

Whole Disk/Device Encryption

Run native encryption as available on newer devices.

InfoSec encryption recommendations

https://www.isc.upenn.edu/security/encryption

Backups

Backup user data daily.

Secure Remote Backup
http://www.upenn.edu/computing/isc/lts/srb/srbfaq.html

Access Control

Always use a password or a PIN on the device. Set the device to lock the screen automatically when not in use.

Computer Security Policy
http://www.upenn.edu/computing/group/npc/approved/20100308-computersecurity.html

Malware Protection

Run anti-malware/anti-virus software.

CrowdStrike

https://www.isc.upenn.edu/how-to/crowdstrike

Configuration Management

Use an endpoint management solution selected and supported at the school or center level.

IBM Endpoint Management

https://www.isc.upenn.edu/endpoint-management

Absolute Data & Device Security (DDS)

http://cms.business-services.upenn.edu/computerstore/component/sobi2/?catid=192

 

Secure Deletion

Erase or destroy storage media before recycling or donating devices.

Secure Data Deletion

https://www.isc.upenn.edu/secure-data-deletion

Server Best Practices

Definition: A server is defined as a host that provides a network accessible resource.

Standard

Recommendation

Resource

Physical security

Physical controls to prevent unauthorized access. Server hardware placed inside data centers wherever possible.

ISC Hosting
https://www.isc.upenn.edu/hosting
Facilities Managed Computing

https://upenn.app.box.com/v/FMChangeRequestInstructions

Multi-Factor Login

Multi-factor authentication required when logging into servers with privileged account access.

Two-Step Verification 
https://www.isc.upenn.edu/two-step-verification

Patching

Patches to vulnerabilities applied promptly after they have been made available.

IBM Endpoint Management
http://www.upenn.edu/computing/isc/lts/PennEM/index.html

Credential management

Credentials reviewed periodically. Group password management used for all shared credentials. Credential lifecycle management applied.

LastPass Premium at Penn
https://www.isc.upenn.edu/news-announcements/lastpass-premium-now-available-penn-community

Secure Disposal

Hard drives and writeable media used on servers follow secure destruction/deletion upon disposal.

Secure Data Deletion
https://www.isc.upenn.edu/secure-data-deletion

Inventory

Inventory created, maintained, and periodically reviewed regarding system hardware, applications/software in use, data classification, and any regulated data present on the server (HIPAA, PCI, FERPA, etc).

IBM Endpoint Management
http://www.upenn.edu/computing/isc/lts/PennEM/index.html

Identity Finder

https://www.isc.upenn.edu/how-to/identity-finder

Network firewall

Host-based network filtering (e.g. firewall) configured. Hardware firewall used wherever possible.

 

 

Centralized logging


Security-relevant events, including privileged access, are logged to a separate system.


Security Logging Service

https://www.isc.upenn.edu/security-logging-service

 

Vulnerability management


Servers regularly scanned with a vulnerability scanner. Findings resolved as soon as practicable. Continuous monitoring used wherever possible.


Nessus Vulnerability Scanner

https://www.isc.upenn.edu/vulnerability-scanning-service

 

SysAdmin Training


SAs trained with the tools and procedures required to implement the items listed in this standard. Training covers University policy as well as prohibited behaviors.

 

 

Host integrity


Host integrity maintained through some combination of antivirus, anti-malware, rootkit detection, and file integrity monitoring, configured with external alerting whenever possible (see Centralized Logging).


OSSEC
https://ossec.github.io/

 

Least privilege

 

Admin/user accounts, processes, and applications limited to the most restrictive set of resources necessary. Periodic review of privileges.

 

Logging Best Practices

Definition: If you have a need to log the security events taking place on one of your hosts, use these best practices to determine what events to collect and how to collect them.

Standard

Recommendation

Resource

Storage

Move event logs off of the machine that generates them and onto a centralized storage solution on a regular basis. Restrict access to that storage solution and the event logs to just those with a need to review the event logs.


Splunk: https://www.isc.upenn.edu/security-logging-service
EventSentry: www.eventsentry.com
Tripwire: www.tripwire.com

Retention

Conduct a risk analysis of your systems and their data, and choose a retention period that's right for you. Be aware that retaining too much data may put you at risk, and retaining too little data may be of insufficient utility for detecting problems.

 

Ensure Events are Time-based

All logs compliant with these best practices will record the time at which an event transpired on a system.

PennNet NTP Service: https://www.isc.upenn.edu/how-to/network-time-protocol-ntp

Ensure Log Record Event Origin

All logs compliant with these best practices will record a host identifier (e.g. domain name, IP address) on which an event took place.

 

Ensure User Events Record Account Name

All logs compliant with these best practices will record the system account name under which an event took place, where relevant.

 

End-user workstation

At a minimum, log authentications (both local and remote). Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

 

Server

At a minimum, log authentications (both local and remote) at the platform and to authenticated applications running on the server. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

 

 

Hardware firewall


At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

 

 

Other Devices


At a minimum, log authentications (both local and remote) to the device's control plane. Log creation of user accounts. Log privilege escalation. If the system allows it, log the enabling and disabling of accounts. If the system supports it, log the changing of passwords on user accounts.

 

 

Establish Your Baseline


For each event type being logged, review your logs to determine what "normal" behavior looks like for your systems. Document this behavior as what you expect your systems to do.

 

 

Monitor & Alert


Through manual or automated review, compare your system's event logs against your established baseline on a regular basis. Where behavior deviates from what you expect, investigate and remediate its cause.


Splunk:
https://www.isc.upenn.edu/security-logging-service
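
The logging recommendations above (every record carries a time, a host identifier and an account name; a baseline is documented and later logs are compared against it) can be sketched in a few lines. This is an added example, not OIS code or a Splunk configuration; the record layout, event type labels, host names and sample records are constructed for illustration.

```python
from datetime import datetime

REQUIRED_FIELDS = ("time", "host", "account")  # event time, event origin, account name

# Constructed sample records (assumed layout), standing in for centrally stored logs.
BASELINE_RECORDS = [
    {"time": "2023-03-01T08:02:11+00:00", "host": "app01.example.edu", "account": "alice", "type": "auth"},
    {"time": "2023-03-02T09:15:40+00:00", "host": "app01.example.edu", "account": "alice", "type": "auth"},
    {"time": "2023-03-02T02:00:03+00:00", "host": "app01.example.edu", "account": "backup", "type": "priv_escalation"},
]
NEW_RECORDS = [
    {"time": "2023-03-08T08:30:00+00:00", "host": "app01.example.edu", "account": "alice", "type": "auth"},
    {"time": "2023-03-08T03:14:00+00:00", "host": "app01.example.edu", "account": "alice", "type": "auth"},
    {"time": "2023-03-08T03:16:00+00:00", "host": "app01.example.edu", "account": "tempadmin", "type": "account_create"},
    {"time": "2023-03-08T10:00:00+00:00", "host": "", "account": "bob", "type": "password_change"},
]

def field_problems(rec):
    """Return required fields that are absent, empty, or (for time) unparseable."""
    problems = [f for f in REQUIRED_FIELDS if not rec.get(f)]
    if rec.get("time"):
        try:
            datetime.fromisoformat(rec["time"])
        except ValueError:
            problems.append("time")
    return problems

def build_baseline(records):
    """Document 'normal': which account produces which event on which host, at which hours."""
    baseline = {}
    for rec in records:
        if field_problems(rec):
            continue  # a record that fails the field checks cannot define normal behavior
        key = (rec["host"], rec["account"], rec.get("type", "unknown"))
        baseline.setdefault(key, set()).add(datetime.fromisoformat(rec["time"]).hour)
    return baseline

def deviations(records, baseline):
    """Compare new records with the baseline; return (record, reason) pairs to investigate."""
    findings = []
    for rec in records:
        bad = field_problems(rec)
        if bad:
            findings.append((rec, "missing or invalid: " + ", ".join(bad)))
            continue
        key = (rec["host"], rec["account"], rec.get("type", "unknown"))
        if key not in baseline:
            findings.append((rec, "event not seen in baseline"))
        elif datetime.fromisoformat(rec["time"]).hour not in baseline[key]:
            findings.append((rec, "known event at unusual hour"))
    return findings

def run_example():
    return deviations(NEW_RECORDS, build_baseline(BASELINE_RECORDS))

if __name__ == "__main__":
    for rec, reason in run_example():
        print(reason, "|", rec)
```

A record that fails the field check is reported rather than silently dropped, since a source that stops sending host or account names is itself a deviation worth investigating.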

Secure Disposal Best Practices

Digital Media

Standard

Recommendation

Resource

Hard Drives

- If the hard drive is fully encrypted, destroying the encryption key will render the data unrecoverable

- Secure wipe with a single pass of data over the entire disk

- Degauss and/or physical destruction by shredding


NIST 800-88: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
Overwriting Hard Drive Data: The Great Wiping Controversy: https://link.springer.com/chapter/10.1007/978-3-540-89862-7_21

SSDs

- If the drive was encrypted prior to adding data, destroying the encryption key will render the data unrecoverable
- If the drive manufacturer includes ATA Secure Erase, using it is a good way to render the data unrecoverable
- Physical destruction by shredding


NIST 800-88: http://nvlpubs.nist.gov/nistpubs/SpecialPublications/NIST.SP.800-88r1.pdf
ATA Secure Erase: https://ata.wiki.kernel.org/index.php/ATA_Secure_Erase

Optical Disks

Physical destruction by shredding

 

Portable devices (e.g., smartphones)

Use manufacturer methods to perform a factory hard reset.


Apple: https://support.apple.com/en-us/HT201351
Android: http://www.androidcentral.com/how-factory-reset-android-phone

Magnetic media (e.g., tapes)

- If encrypted, destroying the encryption key will render the data unrecoverable
- Secure wipe with a single pass of data over the entire tape
- Degauss and/or physical destruction by shredding

 

Resources

Example tools for overwriting spinning disk drives

DBAN - http://dban.org
Eraser - https://eraser.heidi.ie
Apple Disk Utility - https://support.apple.com/kb/PH22241?viewlocale=en_US&locale=en_US

 

 

Campus disposal resources


University Records Center - http://www.archives.upenn.edu/urc/urc.html
ISC's Drive Degausser and Crusher - https://www.isc.upenn.edu/how-to/secure-drive-disposal
ISC Security's Secure Deletion Information - https://www.isc.upenn.edu/secure-data-deletion

 

 

Recycling services


Electronics:
Elemental, Inc - http://eleminc.com/


Cell phones:
Gazelle.com - https://www.gazelle.com/
sellcell.com - https://sellcell.com

© 2023 THE UNIVERSITY OF PENNSYLVANIA — 3401 Walnut Street, Philadelphia, PA 19104 — Report accessibility issues and get help — For ISC Staff