Skip to main content

IT Security Principles

Statement: Security must be enforced consistently across all systems and data, assuming no implicit trust within or outside the organization.

Rationale: Adopting a Zero Trust Security model ensures robust protection against evolving threats by verifying every access request, regardless of its origin.

Implication

  • Enforce least-privilege access controls, granting users only the minimum necessary permissions.
  • Use segmentation to minimize the impact of potential security breaches.
  • Regularly update and patch systems to address vulnerabilities promptly.
  • Foster a security-first culture and provide ongoing training to all employees.

System Engineering Security Principles

  1. Maintain current information security and privacy policies that are consistent with industry best practices and comply with applicable regulations.
  2. Maintain current incident response, disaster recovery, and business continuity plans and perform routine testing exercises.
  3. Employ appropriate information security controls and auditing for all assets with access to university resources.
  4. Establish secure baseline configurations and incorporate security best practices into the system development life cycle.
  5. Enforce least privilege access control for all university assets and resources.
  6. Require multi-factor authentication for all important or high-risk assets.
  7. Encrypt all private data in-transit and at-rest.
  8. Backup all important assets and routinely test for reliable recovery.
  9. Segment assets into appropriate risk zones based on resource type and criticality.
  10. Ensure all personnel with access to important university resources receive regular and relevant security training.

Software Development Security Principles

  1. Establish secure baseline configurations for all systems and components.
  2. Enforce the principle of least privilege access for all resources.
  3. Perform routine and on-demand patch management to apply timely remediations.
  4. Maintain deployment zones with proper segmentation and protections for the target environment, such as development, testing, staging, and production.
  5. Utilize source code version and repository control systems.
  6. Configure log forwarding for all relevant systems to central SOC for monitoring.
  7. Leverage mature, well-supported integrated development environment (IDE) tools and modern security frameworks.
  8. Ensure all developers receive regular and relevant security training.
  9. Configure systems for implicit denial and secure failure. 
  10. Require cyclical vulnerability management and penetration testing for all customer-facing applications and support systems.

 

 Last Updated: 2025-12-19