The Security Hardening Project will improve security of the IT infrastructure in a range of areas - from technical architecture, to policy and user education - as identified and recommended in the IT Security Risk Review. The project is split into 7 work streams. The activity carried out within each work stream will be clearly defined and managed, with recommendations for further activity.
For full details of the project background and workstreams, please see Project Background.
- The University is engaging specialist consultants to provide support in developing requirements to inform a tender exercise which will cover: intelligent application firewall, network zoning (including DMZ), Network Access Control and encrypted VPN. The tender process is close to completion and implementation of these network hardening activities is planned to start in late summer 2012.
- The network stream of the project has also implemented a security review contract to carry out regular health checks, monitor PCI/DSS compliance, carry out regular penetration testing and reputation monitoring.
- CIS now provide encrypted Windows and Mac managed laptops as standard, plus guidance on the CIS website on how you can encrypt your Linux laptop. You can also get an existing laptop encrypted by contacting the Service Desk.
- We have purchased a new anti-virus solution for the University and are currently working to implement it. This will begin with CIS services and roll out to departments.
- Steps are being taken to improve the security of root and admin passwords for CIS servers and applications.
User Account Management
- All non-personal user accounts now have automated expiry, and policies for both non-personal and personal accounts are in development.
- We are also reviewing the management of privileged accounts (i.e. accounts which have higher levels of access to servers and systems).
- Student email will be outsourced to Microsoft Office 365 during 2012. This follows a large-scale consultation exercise with our student body, alongside discussions with the potential providers (Microsoft or Google) and reference sites, to ensure the right option for the organisation is selected.
- Staff email migration to Exchange 2010 has begun and continues with MDS and CIS-managed mailboxes being migrated this summer. Roll out for DUCAS users will take place during 2012.
- A core body of security information and guidance is now available on the CIS website. This will be complemented with a significant security awareness campaign during Michaelmas Term 2012.
- The feasibility of a security questionnaire/exercise for staff and students on induction is also being explored.
- The University has approved the development of a comprehensive IT security policy following the UCISA Information Toolkit. This is being developed in sections, beginning with the over-arching Electronic Information Security Policy, with sub-policies following at regular intervals.
- The University website will be restructured to improve security by separating personally managed web pages from the main website; these pages will be housed in the new community.dur.ac.uk domain.
- Improved functionality, such as a standard option for blogs, will also be investigated.
If you would like to contact the project team, please email Project Manager, James Pettican.