Information Security Office Service Catalog | Pepperdine University | Pepperdine Community

Information Security Office Service Catalog

Business Service Catalog

ISO services that are for use by all colleagues and students.

Service Name
Audience
Abstract
Description (link)
(Service Level Target | System Name and/or Type)

Email Security

Students and Colleagues with a Personal Email address

Protects the University community from SPAM, phishing, and email-borne malware.

The spam filter is an automated and self-service system that protects university email addresses from SPAM by:

  • blocking connections from known SPAM hosts
  • quarantining inbound and outbound messages that look like SPAM
  • white/black-listing, opt-outs and quarantine release via web link or daily digest
  • Departments requesting to have their contracted mass emailers whitelisted for the entire University must provide the Information Security Office with a message that was actually caught in the spam filter quarantine.

(Spam block and release: Self-service; Global Whitelisting: Next business day after approved request | spamfilter.pepperdine.edu is a redundant pair of physical server appliances + mailout & mailout-bulk are pairs of virtual appliances on SE hardware)

Attachments File Sending Service

Students, Faculty, and Staff, as well as outside contractors

Allows the sending of RESTRICTED information securely, as well as transmitting files too large to be carried in normal emails.

Attachments is a website and service that transmits large files, or files that require secure transit like RESTRICTED data.

  • Can pause and resume downloads
  • Available to all users with an @pepperdine.edu address, and can be used to send files to external users as well
  • Retains files for later use (downloading them again or sending to another user)
  • Supported for the transfer of RESTRICTED data
  • Web-based interface is cross-platform and compatible with all OS types

PGP Whole Disk Encryption

Colleagues with RESTRICTED information on their computer

Helps users prevent financial damages or loss of trust when a University computer with RESTRICTED data is lost or stolen.

Whole disk encryption, together with the related procedures and signed agreement, allows the University to secure RESTRICTED data and prevent costly compliance/litigation in the event a computer is stolen. University policy requires encryption of computers that must occasionally or regularly store RESTRICTED information. Information Security provides manager/end-user training on RESTRICTED information policy and technical training for the IT and school technical staff who install the software. Software installation requires justification of RESTRICTED data storage, a $75 recharge and a signed security agreement per computer. Information Security runs the server that licenses the software to end users and provides install/recovery tools to field technicians. In addition, backup end-user support is provided for recovery when alternate users and field technicians are unable to log into a machine (verification of identity and lack of local resources required; call x4040).

(Client installation: as CS & School technicians can be scheduled. Recovery: real time by phone call to technicians or ISO. | pgp.pepperdine.edu is a virtual appliance on imperator for system management only)

WavesConnect Computer Registration

Students and Colleagues accessing the University network

Computer Registration is used to block and inform users and provide appropriate access.

Having every machine on the network registered allows university-wide actions to be taken swiftly and precisely for a given case. Most often this is demonstrated when a compromised machine is quarantined on the network to prevent it from damaging other users. However, it serves other functions as well, including providing easy, self-registered, limited guest access.

  • All devices on the network are accounted for and monitored for network compliance
  • Provides the framework for the remediation of at-risk machines, protecting users from spam and malware dissemination
  • Allows enforcement on behalf of general counsel when notified of copyright infringement
  • Lost or stolen devices are monitored and when they appear anywhere on the university, DPS officials are notified through the Campus Management system
  • The system prevents registration of certain network devices that could cause disruptions to overall network integrity

(Registration: Self-service with local technician or Tech Central troubleshooting | wavesconnect & wavesconnect2 are high availability pairs of hardware appliances)

Internet Bandwidth Management

All users connected to the Pepperdine University Intranet.

Manages and allocates bandwidth so that students, guests and colleagues can access the Internet services they need. 

The university's bandwidth management system ensures that network traffic is correctly identified so that students, colleagues and guests are able to access Internet content. This system has multiple benefits:

  • Ensures that critical traffic leaving the campus intranet is prioritized, e.g. athletic event video streams.
  • Categorizes new and expanding content such as research and learning services, HD video streams or the latest video games to ensure that content is delivered to campus lag free.
  • Controls the amount of traffic utilized by filesharing clients so that other users and the network at large are not impacted. 

The service is placed at the perimeter of the university's network and only impacts traffic as it enters or leaves the university network. Internal traffic is not managed.

Technical Service Catalog

The technical service catalog details internal services that support business services; this catalog is intended as a guide for other IT personnel.

Service Name
Business Service Rollup
Abstract
Description (link)
(Service Level Target | System Name and/or Type)

Domain Name Service (DNS)

All University online services

Maps user-friendly system names to network-friendly IP addresses.

If attackers can control the DNS service, they can provide user-friendly names mapped to evil IP addresses, trivially facilitating the capture of information.

(24x7 uptime | newton and maxwell are high availability load balanced caching local & external DNS servers; dns 5-7 are emergency/secondary/load balanced external DNS hosts at WWU, TAMU & Trinity)

Dynamic Host Configuration Protocol (DHCP)

All student and colleague client computers on the University network

Automatically provides appropriate network parameters for client computers.

If attackers can control the DHCP service, they can provide inappropriate network parameters for client computers, including evil DNS servers, compromised subnet gateways and other options, trivially facilitating the capture of information.

(24x7 uptime | DHCP provided by newton & maxwell, wavesconnect & wavesconnect2 are load balanced/high availability DHCP systems)

Network Time Protocol (NTP)

All servers at the University

Provides a consistent time to all network hosts and clients.

This service is not only critical to end-user services like Kerberos authentication, but also ensures that logs from disparate systems can be easily correlated to track intrusions, problems or suspicious activity.

(24x7 uptime | clock & clock2 are independent services on maxwell & newton)

Intrusion Detection System (IDS)

None

Analyzes permitted traffic used as a vector for attacks.

Firewalls are used to protect some services and systems -- and to expose others for use! The exposed services may have vulnerabilities or points of attack; the IDS is used to watch for bad traffic to intended services.

(24x7 alerting and blocks | 4 Sourcefire hardware appliances)

Node Sensors

None

Enables network forensics to determine how and when a machine became compromised, and implement changes to prevent it.

The node sensors are a network of machines placed at strategic locations throughout the university.  They hold a running buffer for network traffic and allow us an opportunity for retrospective analysis.  This allows us to make changes and suggestions with a sound understanding of network activity.  Through these systems we're able to bring up malicious websites to the firewall for a shun, or determine what vulnerability was exploited so that a fix can be applied or recommended.  They act as our eyes and ears on the network when we can't be everywhere at once.

(24x7 capture | 13 different independent physical hardware capture systems in the node telecom rooms)

Internet Firewall

None

The University firewalls are the first line of defense against network threats.

The University is bombarded daily with traffic, and a lot of it is unwanted, unneeded, and just plain bad.  The firewall stops this kind of traffic before it ever enters the University network.  Many websites and servers host malicious content that would be dangerous to allow into the network, and the firewall prevents their traffic from getting in, even when you may not be aware of it.  Ads fetching images and compromising code are shunned at the firewall and never get any further.

(24x7 traffic passing and filtering | 2 high availability internet firewall appliance pairs & 2 high availability datacenter firewall appliance pairs)

Related Definitions

PGP: acronym for Pretty Good Privacy, one of the most examined, proven and widespread encryption systems in the world. IT: none. Wikipedia: Pretty Good Privacy

RESTRICTED INFORMATION: defined in University Policy as authentication secrets and information that makes the University liable for costs or damages for unauthorized disclosure. IT: Information Classification and Protection Policy  Google: Higher education references to "Restricted Information"

SPAM: unsolicited commercial email. IT: SPAM and the SPAM Filter. Wikipedia: Electronic SPAM
