Security and Maintenance Plan

Section Overview

> Section 1 Operating Procedures
> Section 2 Security and Maintenance Plan
> Section 3 Policy
> Section 4 Security & Maintenance Schedule
> Section 5 Security & Maintenance Checklist

Section One
Operating Procedures

This plan constitutes the “Standard Operating Procedures” relating to physical, cyber, and Procedural security for all (Utility) for all server rooms. It contains a comprehensive overview of the (Utility)’s security program, and in some sections, makes reference to other relevant plans and procedures. Security personnel, operators, and selected server personnel shall be familiar with the information and procedures associated with this Security Plan.

Section 2
Security and Maintenance Plan
Purpose
This policy is to be used as a reference when issuing keys within the (Utility). It will also
Explain our policy for returning keys, reporting lost or stolen keys, the use of unauthorized
Duplicate keys and loaned keys.
The key system will be entered into the computer-based Key Control Program for on-going
Maintenance and will be maintained by the Key Administrator.
The Facilities Department will program cores and cut keys, and the Key Administrator will issue keys. 6. Issuing Authority – Keys will be authorized in writing for issuance to employees of the
(Utility) by one of the following individuals:
a) General Manager
b) Executive Managers or their designees
c) Department Directors or their designees
If keys are requested from one Business Group that would access another Business
Group, written approval will be required from Directors of each unit.
All approvals will be routed through the Key Administrator. Only in an emergency will a key be issued by Building Maintenance Foreman without the Key Administrator’s prior knowledge, and it will require the approval of a Department Director. When a key is issued under these circumstances, the Building Maintenance Foreman will notify then Key Administrator as soon as possible.
2. Who is authorized to have specific keys – Access will be given only to areas where need can be demonstrated.
3. Keys will not be loaned and should not be left unattended – All keys issued on a “permanent” basis should be retained in the possession of the person to whom issued.
Keys may not be transferred directly from one employee to another. Avoid the practice of leaving keys on desks, counter tops, etc., or loaning to others.
4. Lost/Stolen Keys – Any person losing a key must report the loss to his or her superintendent/supervisor immediately, who will then report the loss to the Key Administrator.
The Security Department along with the Facilities Department will make a determination as to whether the system has been compromised and if a core change is necessary. If a core change is required, that expense will be borne by the department that misplaced the key.

Section 3
Policy #708
Purpose
This policy addresses the responsibility of all employees to comply with (Utility) security measures. Employees and contractors are prohibited from tampering with or obstructing the view of (Utility) security cameras and/or security-related equipment.
This policy also addresses interfering with or disabling any other security-related measures.
The (Utility) relies on comprehensive security systems and measures to ensure our employees, contractors and visitors remain safe and our critical assets are protected.
Many of these security measures are required by federal law due to the nature of the
(Utility)’s facilities. All employees are expected to know and support the security measures related to their jobs.
Security cameras strategically placed throughout the (Utility) have an integral role in security. Unauthorized interference with these cameras can jeopardize people and facilities. Therefore, no employee shall knowingly tamper with or obstruct the view of any security camera or security-related equipment.
The (Utility) has carefully implemented a number of other integrated security measures, including but not limited to: electronic access control, restricted access, intrusion alarms, locked doors/gates/windows, fencing, and signage. No employee shall knowingly disable, circumvent, bypass or compromise any of the (Utility)’s security measures.
Any employee having knowledge of any tampering with, circumvention of or breach of security or security measures shall notify either their supervisor or the Security Division immediately.
Investigations of alleged violations of this policy will be conducted under the direction of the Security director. If the director is unavailable, then the general counsel/chief compliance officer will assume such responsibility. At the conclusion of the investigation, any employees found to be in violation of this policy will be subject to disciplinary action, up to and including termination of employment.

Section 4
System & Maintenance Schedule

Incremental backup of files and database storage will take place every 24 hours. An incremental backup are backups that are taken place throughout the day when the data changes. The system will automatically backup files at 3am every morning. A full backup will occur bi-weekly. A full backup is a backup where all data is saved since the last full backup. We suggest that the backup tapes are placed at different locations in case of a disaster. Office managers will be responsible for theft, reporting power outages, and any damage related with networking equipment. Each employee will be informed about maintenance and security via email. During the training you will learn more about how to maintain the network and all employees will have to attend an information security class. The upgrades and testing will take place either before or after hours that way it doesn’t hinder patient care. HID single door access cards will provide external and internal security to the building and server room and this will help prevent intruder and theft. Along with the access cards two people will need to accompany each other when they enter the server room. There are discernible risks to this project. Any absence in the network administration department will postpone any networked share of the upgrade. Other interruptions may arise if the sellers don’t meet the stated delivery times or if the orders are shipped incorrectly. Any specialty software that we weren’t made aware of may cause other applications to not work properly and interfere with the installation processes.

These are the national standards we are going to follow:

6) EIA-606: The Administration Standard for the Telecommunications Infrastructure of Commercial Buildings

2) EIA-570: Residential and Light Commercial Telecommunications Wiring Standard

3) TIA/EIA-569: Commercial Building Standard for Telecommunications Pathways and Spaces

4) TIA/EIA-568B: Commercial Building Telecommunications Wiring Standard

5) TSB-36: Technical Systems Bulletin: Additional Cable Specifications for Unshielded Twisted-Pair Cables

6) TSB-40: Technical Systems Bulletin: Additional Transmission Specifications for Unshielded Twisted-Pair Connecting Hardware

We are going to follow the HIPAA Standards:

The federal law entitled the Health Insurance Portability and Accountability Act of 1996, also known as “HIPAA”, mandates how a patient’s health information is utilized. The aim of the law is to protect against the misuse of a patient’s health information and provide protection of patients’ health data.

Section 5
Computer Security and Maintenance Checklist

Maintaining your devices is essential to keep them running smoothly and securely, but sometimes you just don't remember what tasks are necessary. Use the checklist below to help you keep a safe and problem-free device. Add the items on this checklist to your calendar or print the PDF for students PDF or faculty and staff PDF next to your computer.

First, be sure you've installed the following tools:
•Symantec Endpoint Protection—Protects against viruses, spyware, and more, and is provided at no additional cost to all faculty, staff, and students for work and personal use.
•Spybot Search & Destroy—NUIT recommends this free antispyware application to detect spyware on your Windows computer. It is safe to use this tool with other antispyware or antimalware applications.

Before significantly changing your computer habits, check with your local technical support team or NUIT to avoid conflicts with departmental computer maintenance or security.

Protect Your Data
•Create a secure Net ID password (remember, longer is stronger!) to protect your paychecks, banking information, personal information, and more; don’t share it with friends, family, coworkers, instructors, or managers.
•Lock your screen when you step away to keep others from accessing information on your computer. Secure sensitive data with encryption software.
•Beware what you share on social media. Could someone find the answers to your security questions (birthdate and town, mother’s maiden name, model of your first car, name of your grade school)? Choose security questions with hard-to-guess answers, or use answers that don't match the question.
•Back up data regularly to a secure offsite or cloud-based location. Ask your local technical support.

Protect Your Devices
•Lock your phone with a strong passcode to protect personal information like email accounts, contacts, calendar, bank information, social media, etc. Use a cable lock and strong password to secure computers and other equipment.
•Install antivirus software on computers and set it to run weekly scans.
•Check weekly for updates to software or apps you use regularly on computers, smartphones, or tablets, including: ◦Operating system
◦Security software (antivirus, antispyware, firewall, etc.)
◦Productivity suites (Microsoft Office)
◦Internet browsers
◦Email client
◦iTunes and QuickTime
◦Adobe software (Reader, Flash Player)
◦Java

•Download apps with caution; when possible, only install reviewed apps from reputable sources.
•Uninstall or delete unused apps, photos, music, etc. regularly to save space and improve performance.
•Use a tracking service, if available, to find or remotely wipe your phone if it’s lost or stolen.

Keep Dell Desktop Protected.
•Learn the key identifiers of email scams to avoid sharing login information to secure University resources. Always check the URLs of sites that ask for personal information; if you receive an email claiming to be from Dell that asks you to enter personal data on a site, be sure the URL ends with northwestern.edu.
•If you become infected by a virus or worm, there is a strong possibility you could lose some or all of your data.
•Your computer could be used for illegal activities, like storing copyrighted materials, music and movies, or hacking into other computers.
•Worms can significantly increase network traffic on the network and negatively affect Internet speed for all users.
•Connect to a secure wireless network like Northwestern VPN from off campus; avoid public Wi-Fi if you can't connect to VPN at libraries, coffee shops, hotels, airports, etc. to protect sensitive information.
•Browse wisely; use common sense to avoid websites that seem questionable.
Important information
•If you run an antivirus scan with updated virus definition files and do not find any infections, please check for these programs that exhibit virus-like behavior: ◦Share Scan
◦Common Name

•Please remove these programs if you find them on your computer.
•If your computer is quarantined for the same virus after we re-enable your Reset jack, you will have to bring in your computer and have it disinfected before your jack will be turned back on

Practice general safe computing habits every day: keep your Net ID password private, stay aware of email scam attempts, and report any suspected security compromises to the NUIT Support Center at 847-491-4357 (1-HELP).