OUS iNOC

The INOC group provides telecommunications support and analysis to Oregon's public higher-education institutions. Some of our key services are:

  • Call record collection and analysis
  • Telecommunications billing through TCMS
  • 24x7 alarm monitoring and response
  • Hardware reserve and replacement
  • System capacity and upgrade planning

Contact Us






Team Member Role Contact
Jon Dolan Manager 541-737-5402 / email
Brian Clark Network Administrator 541-713-3331 / email
Doug Hopt Network Administrator 541-713-3336 / email
Chuck Potts TCMS Developer 541-737-3340 / email
Sharon Wahl TCMS Developer 541-737-2277 / email

The INOC group email is inoc@ous.edu.

Email mailing lists are also maintained for the membership of the OUS Intelcom group and TCMS users.

If you require emergency support, the current on-call team member can always be reached via telephone at 541-737-4566, option 3

Useful Resources

Avaya's e-IMS Aura Model

Avaya diagram of the e-IMS Aura Model
image © Avaya

Virtual Computing Lab Software List

The Umbrella virtual lab has been decommissioned and replaced by RemoteApps.

If you need to recover data stored on the Umbrella server, please contact the OSU Computer Helpdesk.

Data Management and Classification

Important

If you work or study at Oregon State University or access any OSU data for any reason, this policy applies to you.

If you access OSU data, you MUST

  • Protect the data you access.
  • Follow OSU policy, procedures, standards and guidelines.
  • Report unauthorized access or misuse.
  • Get trained on the appropriate use and protection of university data.
  • Understand how to classify the information you handle, so you know how secure it has to be
  • Report data quality issues.

Protecting the data you access

Storing information – You are responsible for making sure the system you store information on meets OSU minimum standards. Visit the standards for data management page to learn more. 

Lost, stolen, hacked, infected – Have you lost confidential or sensitive information? Do you know or suspect that someone has stolen confidential or sensitive information from you? Do you know or suspect someone has hacked into your computer? Do you know or suspect your computer has a virus (or other malware)? If you answered yes to any of these questions, you need to report it to the Office of Information Security

Third-party services – Before using confidential data with a cloud-based (third-party) service, contact the Office of Information Security. They need to conduct a security assessment of the service before it can be used.

Three data classifications for university information.

  1. Confidential.
  2. Sensitive.
  3. Unrestricted.

⇛ Specific types of confidential and sensitive data are listed at http://is.oregonstate.edu/ispolicies/datamanagement/examples.

How secure should this data be?

We have three data classifications (categories of data) based on the level of security the information needs. Understanding the relative sensitivity of that information helps you understand which category the data fits in.

Confidential information

This is the most restrictive classification. Four types of data fall into this category.

  1. Personal information that could be used in identity theft or exposure of personal health information if it’s not secured.
  2. Research data that a funding agency or other research partner has identified as highly sensitive.
  3. Financial, legal and other data of a highly confidential nature.
  4. Specific technical information detailing how we restrict access, or otherwise secure data, in this classification.

Sensitive information

This classification covers university data that has some security risk. It is less restrictive than the confidential classification. Sensitive information is commonly used in conducting Oregon State business and may be confidential or bound by non-disclosure expectations.

Unrestricted information

This is information that carries no security risk if it’s made public. Most university data is unrestricted.

What should you do if you suspect data’s been compromised?

There are two things you need to do immediately if you suspect your data’s been compromised (the data was out of your control, someone accessed it who wasn’t supposed to, etc.).

  1. Figure out its data classification.

What type of information is it? Which of the categories above does it fit into?

  1. Report it to your IT support group (departmental computer administrator – DCA).

Give the DCA as much information as you can, including how you think the data would be classified.

Follow the directions they give you, even when that means you’ll lose changes to files.

Once the initial risk has been eliminated, there are two more things you need to do.

  1. Report it to your supervisor.
  2. Report it to the Chief Information Security Officer.

The CISO will decide what needs to happen next. The Office of Information Security will lead the investigation of the possible breach and will let the appropriate data custodians know what’s happened.

Use the webform, or call x.7-9800 (541-737-9800).

The less activity that occurs on your computer after you realize information may have been compromised, the more likely it is that the security team will be able to tell whether or not it actually was compromised and what data was accessed.

Purpose of this policy

This policy is designed to help us comply with state and federal laws that require us to protect the confidentiality, integrity and availability of university data.

⇛ You can read the full policy at url.[FTF6] 

 [FTF6]link

Standards for Data Management

This document defines the baseline standards of care for Information Systems in use at Oregon State University. Baseline standards of care are system configuration and operational practices and procedures designed to protect the confidentiality, integrity, and availability of data housed on those systems.

Find step-by-step configuration help and best practices at http://oregonstate.edu/helpdocs/security-and-tuning/computer-tuning/operating-systems

Unrestricted Information

Access to Unrestricted Information: No restriction for viewing, copying or printing. Departments determine protocol for modification of information. 

Standard Operating Systems

Mobile Devices

Systems utilizing an operating systems designed specifically for mobile devices. Examples would include Android, iOS, Windows Phone, Firefox OS, Sailfish OS, Tizen, Ubuntu Touch OS, Blackberry.

Recommended: Current operating system with updates turned on.

Apple OS X systems

Recommended: Patched and officially supported version of the operating system, current antivirus client, and user name and password required for all accounts. 

Linux (or similar)

Recommended: Patched/current version of the operating system, current antivirus client (or equivalent), user name and password required for all accounts.

Microsoft Windows (PCs/Workstations)

Recommended: Patched and supported version of the operating system, current antivirus client, user name and password required for all accounts. 

Server Operating Systems

Linux (or similar), OS X

Required: Patched and supported version of the operating system, user name and complex password required for all accounts, all unused services disabled, system dedicated to server functions only (no web browsing, etc.).

Microsoft Windows

Required: Patched and supported version of the operating system, current antivirus client, login required by GPO, use of service accounts only, complex passwords with minimum length, system dedicated to server functions only (no web browsing, etc.).

Sensitive Information

Required Standards of Care for Sensitive Information includes all recommended and required standards for Unrestricted Information, plus:

Access to Sensitive Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Sensitive Information is limited to legitimate need, with copies limited to individuals with a business need to know.

Access to Sensitive Information is assigned by role, pursuant to standards approved by the OSU Data Trustee.

Standard Operating Systems

Mobile Devices

Required: Passcode required, lock screen enabled, notifications on locked screen disabled, device encryption enabled, data on removable devices (SIM, SD card, etc.) encrypted.

Recommended: Factory OS intact (jail breaking or rooting not allowed), Bluetooth file sharing disabled.

Apple OS X systems

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and applications configured for auto update unless centralized patch management is implemented by the cognizant OSU IT support team, password complexity enabled, remote access restricted.

Recommended: Gatekeeper enabled and configured to allow applications from App Store and Identified Developers only.

Linux (or similar)

Required: Host-based firewall active, lock screen installed/enabled, auto login disabled, any unused services disabled, file and print sharing disabled, OS and apps configured to auto update unless centralized patch management is implemented by the cognizant OSU IT support team, remote access restricted.

Microsoft Windows (PCs/Workstations)

Required: Host-based firewall active, lock screen enabled, auto login disabled, unused services disabled, file and print sharing disabled, OS and apps configured to auto update (or suitable alternative), remote access restricted.

Server Operating Systems

Linux (or similar), OS X

Required: Remote access restricted, remote root login disabled, insecure connection services (Telnet, FTP, etc.) restricted, latest stable service software installed (SSH, TLS, etc.), host-based firewall active with unneeded traffic disabled (IPTables or equivalent), access lockout if available from off campus (fail2ban or equivalent), password age and complexity enabled, authentication and security logs enabled with logs retained for a minimum of one month (use of logrotate encouraged), specific logs for server application (mail, web server, dbase) enabled and retained, quarterly vulnerability scan performed and found vulnerabilities addressed.

Recommended: Located behind physical firewall or equivalent device.

Microsoft Windows

Required: Network Level Authentication for Remote Desktop Services (via GPO), Local admin account (and any other well known SIDs) disabled, host-based firewall active with unneeded traffic disabled, password complexity/age enforced by local or GPO, unused services disabled, automated security updates subject to GPO, auditing enabled and security and system logs retained for a minimum of one month, specific logs for server applications (exchange, mssql, etc.) enabled and retained, quarterly vulnerability scan and found vulnerabilities addressed.

Recommended: Located behind physical firewall or equivalent device.

Confidential Information

Standards of care for Confidential Information includes all recommendations and requirements for Unrestricted Information and Sensitive Information, plus:

Access to Confidential Information: Viewing and modification restricted to authorized individuals with a business need to know. Copying or Printing of Confidential Information is limited to legitimate need, with copies limited to individuals with a business need to know, and must be labeled “Confidential.” A signed confidentiality agreement is required, both for accessing and viewing confidential information in any format. 

Access to Confidential Information is assigned by role pursuant to standards approved by the OSU Data Trustee.

Storage of Confidential Information on Paper or other physical media: Physical access to paper documents containing confidential information must be restricted to those who need the information to perform their responsibilities. Appropriate physical security, including door and cabinet locks, must be implemented.

Network Security: Systems housing or regularly accessing Confidential Information must be in isolated network segments, protected with a physical firewall or equivalent using a “default deny” rule set; firewall rule sets, including changes, must be approved by the Office of Information Security. An Intrusion Detection System (IDS) hosted by the Office of Information Security must monitor this segment. Systems within these segments cannot be visible to the entire Internet, nor to unprotected subnets. An inventory of systems authorized to be on that subnet will be kept and the subnet regularly scanned/monitored for unauthorized systems. The Office of Information Security will perform authenticated vulnerability scan of these networks quarterly and will inform cognizant support teams of scan results requiring corrective action; vulnerabilities will be addressed during the next normal patching cycle unless other remediation is established or an exception granted.

Standard Operating Systems

Mobile Devices

Required: University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited. University-owned device, Locked screen after 5 minutes of inactivity, long passcode, 256-bit symmetric-key device encryption, device must wipe data after 10 failed attempts, the device should have a durable physical or electronic label (or appearing on the lock screen) with contact information sufficient to facilitate an expedient return in the event that a lost device is found, use of sandboxed OS/desktop or sandboxed app for accessing the data or other similar means where the data is never stored on the mobile device, SIM card lock/PIN, location services off, disable cloud synchronization for passwords and data, syncing and backup to university-owned machines only, remote wipe enabled, use of public wireless networks prohibited. 

Apple OS X systems

Required: University-owned device, 256-bit symmetric-key full-disk encryption (FileVault or equivalent), Locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, remote management for authorized accounts (OSU IT) only, Firmware password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Linux (or similar)

Required: University-owned device, 256-bit symmetric-key full-disk encryption, Locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, remote management for authorized accounts (OSU IT) only, BIOS password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Microsoft Windows (PCs/Workstations)

Required: University-owned device, 256-bit symmetric-key full-disk encryption (Bitlocker or equivalent), locked screen saver after 15 minutes of inactivity, all sharing disabled, infrared port disabled, centralized remote management for authorized accounts (OSU IT) only, BIOS password, remote access restricted, use of administrator account for day-to-day access prohibited, require administrator password to access system preferences and install software, password complexity and length (min. of 14 characters), password rotation, Quarterly vulnerability scan and found vulnerabilities addressed.

Server Operating Systems

Virtual Server Environments: All security controls apply both to the host and guest virtual machines in a virtual server environment. Cannot share the same virtual host environment with guest servers of other security classifications.

Physical Security: Must be hosted in a secure Data Center with Physical Access monitored, logged and limited to authorized individuals 24x7.

Backup Media: All backup media must be encrypted. If stored off-site, a secure location is required.

Linux (or similar), OS X

Required: Field level encryption for protected fields in database, removable back-up media encrypted using 256-bit symmetric-key encryption, monthly authenticated vulnerability scans performed by Office of Information Security, authentication and security logs retained for six months and made available to Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner (based on criticality,) annual security audit.

Recommended: System administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use. Host-based software IDS/IPS.

Microsoft Windows

Required: Field level encryption for protected fields in database, removable back-up media encrypted using 256-bit symmetric-key encryption, use of Best Practice Analyzer, security and system logs retained for six months and made available to Office of Information Security, monthly authenticated vulnerability scans performed by Office of Information Security, found vulnerabilities addressed within normal maintenance windows or sooner, based on criticality, annual security audit.

Recommended: Bystem administrators must possess enterprise-level certification, or an equivalent combination of training and experience, for the operating system version in use, host-based software IDS/IPS.