Procedures

  • Access Control Management

    Use processes and tools to create, assign, manage, and revoke access credentials and privileges for user, administrator, and service accounts for enterprise assets and software.

  • Account Management

    Use processes and tools to assign and manage authorization to credentials for user accounts, including administrator accounts, as well as service accounts, to enterprise assets and software.

  • Application Access Controls

    Access control security standards for applications

  • Application Backups

    Backup procedures for applications that run on Linux, macOS, and Windows systems.

  • Application Centralized Logging

    IT Security Office requires remote, centralized logging for all medium and high risk applications.

  • Application Data Security Controls

    Data security control techniques include encryption, masking, and erasure.

  • Application Developer Training

    All developers of medium and high risk applications are required to stay up-to-date on the latest security trends by taking a security awareness training at least once per year.

  • Application Firewall

    Guide on how to allow applications through firewall and the risks involved with doing so

  • Application Inventory

    Keeping an accurate, up-to-date application inventory list allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents.

  • Application Patching

    Patching is the process of supplying and applying patches to software.

  • Application Secure Software Development

    Application developers must run security tests to find problem areas in the application code and know the best practices for secure web development.

  • Application Security Review

    All Virginia Tech applications should properly implement data security policies and standards to ensure integrity and authenticity.

  • Application Software Security

    Manage the security life cycle of in-house developed, hosted, or acquired software to prevent, detect, and remediate security weaknesses before they can impact the enterprise.

  • Application Two Factor Authentication

    Virginia Tech uses Duo 2-factor authentication as a part of its Single Sign-On service.

  • Application Vulnerability Management

    Requesting a Web Application Scan, a Vulnerability Scan, an Application Review and Reporting an Incident

  • Audit Log Management

    Collect, alert, review, and retain audit logs of events that could help detect, understand, or recover from an attack.

  • Building Private Network

    Steps showing how to migrate an Ethernet portal to the building private network

  • Continuous Vulnerability Management

    Develop a plan to continuously assess and track vulnerabilities on all enterprise assets within the enterprise’s infrastructure, in order to remediate, and minimize, the window of opportunity for attackers. Monitor public and private industry sources for new threat and vulnerability information.

  • Data Protection

    Develop processes and technical controls to identify, classify, securely handle, retain, and dispose of data.

  • Data Recovery

    Establish and maintain data recovery practices sufficient to restore in-scope enterprise assets to a pre-incident and trusted state.

  • Email and Web Browser Protections

    Improve protections and detections of threats from email and web vectors, as these are opportunities for attackers to manipulate human behavior through direct engagement.

  • Endpoint Backups

    Backup procedures for Linux, macOS, and Windows clients to securely back up Virginia Tech endpoint systems.

  • Endpoint Centralized Logging

    IT Security Office requires remote, centralized logging for all high risk endpoints.

  • Endpoint Configuration Management

    Configuration management is a process for maintaining computer systems, server and software in a certain desired state.

  • Endpoint Credentials and Access Control

    Endpoint devices can be secured by having strong security practices, such as enabling 2-factor authentication and keeping separate, secure passwords for endpoint account access.

  • Endpoint Data Security Controls

    The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking, and erasure.

  • Endpoint Encryption

    Endpoint encryption use cases: File encryption, Disk encryption, and Data in Transit encryption

  • Endpoint Equipment Disposal

    Endpoint device hard drives should be wiped before disposal. This procedure covers how to wipe each physical hard drive.

  • Endpoint Firewall

    Steps to verify that the host-based firewall is enabled for your operating system to ensure maximum security on every network

  • Endpoint Inventory

    Keeping an accurate, up-to-date endpoint inventory allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents.

  • Endpoint Malware Protection

    Using strong malware protection is important in keeping your device secure from vulnerabilities and attacks. This guide will outline ways to ensure your device has malware protection.

  • Endpoint Patching

    Patching is the process of applying updates to software. These updates correct security, reliability and usability issues. Patches may be applied to the operating system (OS), system software (such as database engines), and application software such as office productivity suites and web browsers.

  • Incident Response Management

    Establish a program to develop and maintain an incident response capability (e.g., policies, plans, procedures, defined roles, training, and communications) to prepare, detect, and quickly respond to an attack.

  • Inventory and Control of Enterprise Assets

    Actively manage (inventory, track, and correct) all enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/Internet of Things (IoT) devices; and servers) connected to the infrastructure physically, virtually, remotely, and those within cloud environments, to accurately know the totality of assets that need to be monitored and protected within the enterprise. This will also support identifying unauthorized and unmanaged assets to remove or remediate.

  • Inventory and Control of Software Assets

    Actively manage (inventory, track, and correct) all software (operating systems and applications) on the network so that only authorized software is installed and can execute, and that unauthorized and unmanaged software is found and prevented from installation or execution.

  • ITSO Approved Cryptographic Algorithms

    If you are not protecting data that is required to use NIST-approved algorithms, then you may also use these ITSO-approved algorithms.

  • Linux Systems Hardening

    Resources for hardening Linux systems that we find useful in the ITSO

  • Malware Defenses

    Prevent or control the installation, spread, and execution of malicious applications, code, or scripts on enterprise assets.

  • Network Infrastructure Management

    Establish, implement, and actively manage (track, report, correct) network devices, in order to prevent attackers from exploiting vulnerable network services and access points.

  • Network Monitoring and Defense

    Operate processes and tooling to establish and maintain comprehensive network monitoring and defense against security threats across the enterprise’s network infrastructure and user base.

  • Penetration Testing

    Test the effectiveness and resiliency of enterprise assets through identifying and exploiting weaknesses in controls (people, processes, and technology), and simulating the objectives and actions of an attacker

  • Secure Configuration of Enterprise Assets and Software

    Establish and maintain the secure configuration of enterprise assets (end-user devices, including portable and mobile; network devices; non-computing/IoT devices; and servers) and software (operating systems and applications).

  • Security Awareness and Skills Training

    Establish and maintain a security awareness program to influence behavior among the workforce to be security conscious and properly skilled to reduce cyber security risks to the enterprise.

  • Server Backups

    Backup procedures for Linux and Windows servers that you may use to securely backup Virginia Tech server systems

  • Server Centralized Logging

    During an IT security incident, logs help determine what happened and when. Attackers often delete or modify local logs, so the IT Security Office requires remote, centralized logging for all medium and high risk servers.

  • Server Credentials and Access Control

    Servers can be targets for hackers thereforew it is important to have a strong protection against these threats. Common strategies for combating malicious threats include creating strong passwords and enabling 2-factor authentication for account access.

  • Server Data Security Controls

    The use of data security controls ensures only those who are permitted access to a specific piece of data are able to access it. Data security control techniques include encryption, masking and erasure.

  • Server Equipment Disposal

    This procedure covers how to wipe each physical hard drive. Before following this procedure, you must know how many hard drives are in the server.

  • Server Firewall

    A firewall is a network security device that monitors and filters incoming and outgoing network traffic based on an organization’s previously established security policies. At its most basic, a firewall is essentially the barrier that sits between the host and the network.

  • Server Intrusion Detection

    Virginia Tech’s IT Security Office runs a network intrusion detection system 24/7 that can help protect your computer. However it is important to run intrusion detection systems locally to provide an extra layer of defense.

  • Server Inventory

    Keeping an accurate, up-to-date server inventory allows you, your department, and the IT Security Office to collaborate and quickly respond to security incidents.

  • Server Malware Protection

    Having strong malware protection on your server is an important part of not only keeping the server safe, but also the other computers that may be using that server. The Virginia Tech minimum security standards requires that some form of a security monitoring tool must be used.

  • Server Patching

    You should apply critical and high severity security patches within seven days of their release and all other security patches within 90 days. Key factors for server patching are downtime, duration, and frequency.

  • Server Physical Protection

    Server physical security should be achieved through a multilayered approach, targeting safety, security, and maintenance.

  • Server Security Review

    Security reviews provide a thorough overview of the current state of an application, server, or endpoint device and its security.

  • Server sysadmin Training

    Virginia Tech requires system administrators (sysadmins) to attend a security training course once per year to ensure they have a basic understanding of best practices for security at Virginia Tech.

  • Server Two Factor Authentication

    Virginia Tech uses Duo 2-factor authentication as a part of its Single Sign-On service. This enables users to authenticate their login attempts by either providing a code or verifying a “push” notification via the Duo mobile app.

  • Server Vulnerability Management

    Virginia Tech departments may request a vulnerability scan of a commercial or homegrown application. The Virginia Tech IT Security Office is responsible for conducting security reviews, which can be requested through 4Help. If you believe a server, application, or account has been hacked, you may report the incident in 4Help.

  • Service Provider Management

    Develop a process to evaluate service providers who hold sensitive data, or are responsible for an enterprise’s critical IT platforms or processes, to ensure these providers are protecting those platforms and data appropriately.