Checklists & related documents
This page is maintained by the IT Community Partnerships group within UITS. These templates and checklists are provided as examples for your own departmental use, to save you time as you document your own policies and procedures and to strengthen the security posture of your department. They are not meant to be an authoritative source of policies, nor are they an exhaustive source of examples.
Please feel free to contact us to add or modify any of the content here. We are always happy to add more examples!
Email: talk2uits@iu.edu
Phone: 317-278-5387
| Document | Description | Last Update |
|---|---|---|
| Policy Checklist | Maps requirements of IU Policies to specific actions | 12/1/2011 |
| Planning Guide | Security Project Planning Guide (see also the tables below) | 12/4/2012 |
| Self Review | Administrative and technical questions to prepare you for an audit | 12/1/2011 |
| Policy Manual | Example of a complete policy manual | 12/1/2011 |
| Templates | Zipped file of sample templates | 12/1/2011 |
| Departmental Policy | Zipped file of departmental policy examples | 12/1/2011 |
| IT Procedures | Zipped file of IT procedure examples | 12/1/2011 |
Security Project Planning Guide, Phase 1
| Link | Description | Last Update |
|---|---|---|
| Incident Response | Work with your leadership to approve and implement a written Incident Response Procedure. Click the link at the left to view a template. | 12/4/2012 |
| Equipment | Work with your leadership to approve and implement a written procedure for equipment decommissioning. | 12/4/2012 |
| Private IP Addresses | Unless operationally necessary, all servers and printers should utilize a private IP address. The link at the left describes how to request one. | 12/4/2012 |
| Patch and Secure | All workstations should be configured for automatic updates and patches, both to the OS and to virus protection software. | 12/11/12 |
| Securing Printers | Most printers are fairly "open" with their factory defaults. Here are some tips on securing networked printers. | 12/4/2012 |
| Scanning Servers | All servers & Web apps should be scanned for vulnerabilities. Here's more information to get started. | 12/4/2012 |
| Supported OSes: Windows | Upgrade all your servers to a currently supported operating system. | 12/5/2012 |
| Supported OSes: RHEL | That includes Linux, too! | 12/5/2012 |
Security Project Planning Guide, Phase 2
| Link | Description | Last Update |
|---|---|---|
| Admin | Users should only be given administrative rights to their computers in exceptional circumstances. Work with leadership in your department to develop and implement a policy to restrict administrative access to computers and to develop a procedure for requesting and approving/declining exceptions. Click here for other best practices. | 12/11/12 |
| Critical Data | All servers and workstations should be routinely scanned for critical data. Work with departmental leadership to approve and implement a policy to do so. The link at the left provides a template for getting started. | 12/4/2011 |
| Limit Access | Physical access to servers should be highly restricted. Your best option is to put your servers in the Data Center by virtualizing them in II or moving them there physically. | 12/4/2012 |
| WDE | All laptops should be encrypted using whole disk encryption. You may decide PGP, BitLocker, or FileVault, among others, is best for your situation. The important thing is to encrypt them! | 12/4/2012 |
| Backups Encrypted | The media you use to back up your servers should be encrypted and stored offsite. Consider the UITS TSM service. | 12/4/2012 |
Security Project Planning Guide, Phase 3
| Link | Description | Last Update |
|---|---|---|
| Awareness | All employees in your department should participate in a security/privacy awareness program. Until something is widely available at IU, you are free to create your own. | 12/4/2012 |
| DR/BC | Prepare a disaster recovery plan using IU Ready. If you already have one, be sure to update it each year. | 12/4/2012 |
| Roles | Formally assign the roles of security and privacy officer for your department, either through job descriptions or written policy. This does not mean you have to hire someone! It just means that you need to find a point person who will lead the security/privacy awareness training, act as decision maker in matters regarding security and privacy, and look out for the interests of the department in these matters. | 12/4/2012 |