POLICY FOR DATA AND

INFORMATION SECURITY AT BMC IN LUND

October 2005

Table of Contents

Introduction ......................................................................................................................... 1
Purpose Of This Policy....................................................................................................... 1
Responsibility...................................................................................................................... 1
General Policy ..................................................................................................................... 2
Data Classification Policy .................................................................................................. 2
Access Control Policy ........................................................................................................ 3
Virus Prevention Policy ...................................................................................................... 4
Acceptable Use Policy........................................................................................................ 4
Internet Security Policy ...................................................................................................... 4
Intrusion Detection Policy.................................................................................................. 5
Exceptions ........................................................................................................................... 5
 Information Security Policy - BMC

INTRODUCTION

This Data and Information Security Policy is written with consideration to the fact that the BMC is
made up of a large number of different units with different needs for and different uses of computers,
data handling and the data network. This policy is not intended to limit or restrict the academic
freedom. This policiy applies to all units and network users within the BMC.

The BMC data network is connected to LUNET, the Lund University NETwork, and to SUNET, the
Swedish University NETwork. This policy document is based on the LUNET security policy, the Lund
University rules for using data networks (Dnr: I D9 2218/2001), and the SUNET security policy. It is in
all aspects an implementation of rules of these policies. It is not necessarily an implementation of
each and every rule of these policies. Thus the rules of these policies are superior to this document,
and are all in effect. If there is any dispute regarding the meaning of a rule, SUNET has the
preferential right of interpretation.

PURPOSE OF THIS POLICY

The purpose of the policy is:

• to establish a set of rules to protect the BMC's data, applications, networks, and computer
systems from unauthorized access, unauthorized alteration, or destruction.

• to prescribe tools and methods to identify and prevent unauthorized access, unauthorized
alteration, or destruction of BMC or University data, applications, networks and computer
systems.

• to define tools and methods to protect the reputation of the University and the BMC, and allow
the University to satisfy its legal and ethical responsibilities with regard to its networks' and
computer systems' connectivity to the worldwide Internet.

• to prescribe effective methods for responding to external complaints and queries about real or
perceived abuses of the BMC networks and computer systems.

RESPONSIBILITY

• The BMC Board is responsible for implementing this policy.

• The BMC Board should ensure that:

o the data and information security policy is updated on a regular basis and published as
appropriate;

o network and system administrators, data custodians and users have adequate
knowledge and competence to carry out their assignments. The Lund University data
security office specifies competence requirements for installing, configuring and
running systems and applications, connected to the LUNET (Dnr: I A9 6461/2001)

• The BMC Board shall appoint a person to be responsible for security implementation, incident
response, periodic user access reviews, and education of the data and information security
policy including information about current virus infection risks.

• Users are responsible for safe handling and storage of all University authentication devices and
login information. Authentication tokens (such as a Secure ID card) should not be stored near
a computer that may be used to access the University's network or system resources. If an
authentication device is lost or stolen, the loss must be immediately reported to the
appropriate issuing unit so that the device can be disabled.

Page 1
 Information Security Policy - BMC

GENERAL POLICY

• Vulnerability and risk assessment tests of the network and external network connections should
be conducted on a regular basis. At a minimum, testing should be performed annually.
• Security reviews of servers, firewall(s), router(s) and monitoring platforms for breaches of
security shall be conducted on a regular basis. These reviews will include monitoring access
logs and results from intrusion detection software, where used.
• Education should be implemented to ensure that users understand data security issues, levels
of confidentiality, and the mechanisms to protect the data. This should be tailored to the role
of the individual, network administrator, system administrator, data custodian, and users.
• Violation of the Information Security Policy may result in disciplinary actions as authorized by
the University.

DATA CLASSIFICATION POLICY

• It is essential that the University's and the BMC's critical data be protected. All data should be
reviewed on a periodic basis and classified according to its use, sensitivity, and importance.
We have specified three classes below:
o Sensitive - Information assets that would cause severe damage to the University,
individuals, groups of individuals or organizations if disclosed or modified. Data
covered by state legislation, such as "Datalagen" or "Personuppgiftslagen" are in this
class, as are passwords. Payroll, personnel, and some financial information is also in
this class because of privacy requirements.
o Important- Source code, data logs, scientific experimental results, student's marks etc.
that would not expose the University or the BMC to loss if disclosed, but must be
protected to prevent unauthorized destruction or modification.
o Public - Information that may be freely disseminated.
• The SUNET security policy (securityinfo 2 and 5) sets detailed standards for the appropriate
protection levels for each data classification.
• All information resources should be categorized and protected according to the requirements set
for each classification, and the data classification and its corresponding level of protection
should be consistent when the data is replicated, moved and worked at.
• Data custodians have the responsibility for the integrity of the data stored. The individuals
entrusted with the data are responsible for protecting the data consistent with the security
requirements defined by the data custodian.
• All appropriate data should be backed up, and the backups tested periodically, as part of a
documented, regular process.
• Backups of secure data must be handled with the same security precautions as the data itself.
When systems are disposed of or repurposed, data should be certified deleted or disks
destroyed consistent with industry best practices for the security level of the data.
• Sensitive data should be encrypted during transmission, in accordance with the SUNET security
policy
• No system or network subnet within BMC may have a connection to the Internet without the
means to protect the information consistent with its confidentiality classification.

Page 2
 Information Security Policy - BMC

ACCESS CONTROL POLICY

• Access to the network and servers and systems will be achieved by individual and unique
logins, and will require authentication. Authentication includes the use of passwords, smart
cards, biometrics, or other recognized forms of authentication.
o Users must not share usernames and passwords, nor should they be written down or
recorded in unencrypted electronic files or documents. All users shall secure their
username or account, password, and system from unauthorized use.
o All users of critical systems (e.g. containing data protected by law or University policy)
must have a strong password, whose definition is established and documented by
SUNET (securityinfo 4) or the BMC Board. Passwords of empowered accounts, such
as administrator, root or supervisor accounts, must be changed more frequently,
consistent with guidelines established by the said bodies.
o Logins and passwords must not be coded into programs or queries.
o Passwords must not be placed in emails unless they have been encrypted. If this is not
possible, then another secure means must be used to communicate the password to
the user.
o Default passwords on all systems must be changed after installation. All administrator
or root accounts will be given a password that conforms to the password selection
criteria when a system is installed, rebuilt, or reconfigured.
• Intruder detection must be implemented on all servers. Accounts will be locked after a pre-
specified number of invalid attempts and will remain locked until reset consistent with unit
policy.
• Terminated network users should have their accounts disabled upon transfer or termination.
Since there could be delays in reporting changes in user responsibilities, periodic user access
reviews should be conducted by the BMC information security person.
• Transferred network user's access must be reviewed and adjusted as found necessary.
• Monitoring must be implemented on all sensitive systems (that support monitoring) to record
logon attempts and failures, successful logons (date and time of logon and logoff).
• Personnel who have broad system access, such as superuser, should use other less powerful
accounts for performing non-administrative tasks. Activities performed by those with
administrator or superuser rights must be logged where it is feasible to do so. There should
be a documented procedure for reviewing system logs.

Page 3
 Information Security Policy - BMC

VIRUS PREVENTION POLICY

• All University owned servers and workstations will be protected with an approved, licensed anti-
virus software product that will be updated to the current vendor recommended level.
• All incoming data including electronic mail will be scanned for viruses. Outgoing electronic mail
will be scanned.
• System or network administrators will inform users when a virus has been detected.
• Virus scanning logs will be maintained whenever email is centrally scanned for viruses.
• The willful introduction of computer "viruses" or disruptive/destructive programs into the
University environment is prohibited, and violators may be subject to prosecution.

ACCEPTABLE USE POLICY

• University computer resources will be used in a manner that is compliant with University policies
and Swedish law and regulations. It is against University policy to install or run software
requiring a license on any University computer without a valid license.
• Use of the University's computing and networking infrastructure by University network users
unrelated to their University positions must be limited in both time and resources and must not
interfere in any way with University functions or the network user's duties. It is the
responsibility of network users to consult their supervisors, if they have any questions in this
respect.
• Uses that interfere with the proper functioning or the ability of others to make use of the
University's networks, computer systems, applications and data resources are not permitted.
Examples are downloading of large amounts of data for private use - movies, music etc.
• Use of University computer resources for personal profit is not permitted. Business use or
distribution of material for money is forbidden.
• Decryption or attempts of decryption of passwords is not permitted, except by authorized staff
performing security reviews or investigations. Use of network sniffers shall be restricted to
system administrators who must use such tools to solve network problems. Auditors or
security officers in the performance of their duties may also use them. They must not be used
to monitor or track any individual's network activity except under special authorization in every
single case from the Lund University data security group..
• The University data security group and the BMC information security responsible person have
the right to monitor data- and logfiles in any equipment connected to or having been
connected to the LUNET, as part of an investigation of abuse or other incidents. This includes
the right to temporarily seize any such equipment for examination.

INTERNET SECURITY POLICY

• All connections to the Internet will go through a properly secured connection point to ensure the
network is protected. Public servers carrying information intended to be available from outside
the BMC network must be connected to network sockets assigned by the BMC information
security responsible person.

Page 4
 Information Security Policy - BMC

INTRUSION DETECTION POLICY

• Operating system and application software logging processes must be enabled on all host and
server systems. Where possible, alarm and alert functions, as well as logging and monitoring
systems must be enabled.
• System integrity checks of host and server systems housing sensitive or important University
data should be performed. Server, firewall, and critical system logs should be reviewed
frequently. Where possible, automated review should be enabled and alerts should be
transmitted to the administrator when a serious security intrusion is detected.
• Intrusion tools should be installed where appropriate and checked on a regular basis.
• System or network administrators must monitor appropriate sources for security related
information, relevant threats, vulnerabilities, incidents and relevant service patches, upgrades,
or updates and ensure all security related patches are applied on all machines under their
control.

EXCEPTIONS

In certain cases, compliance with specific policy requirements may not be immediately possible.
Reasons include, but are not limited to, the following:
• Required commercial or other software in use is not currently able to support the required
features;

• legacy systems are in use which do not comply, but near-term future systems will, and are
planned for;

• costs for reasonable compliance are prohibitive.

In such cases, units must develop a written explanation of the compliance issue and a plan for coming
into compliance in a reasonable amount of time and submit them to the BMC Board for written
approval.

Page 5