Minimum Security Standards

Description

A set of minimum security standards for systems, generally aligned across SCS, AIS, and UNS and developed in consultation with ITS.

Based on the standard the group agreed upon: https://security.utexas.edu/content/min-security-standards

Definitions

The definitions below are copied from the official policy; if they ever conflict, the official policy (Safeguarding College Information) at https://www.howardcc.edu/about-us/policies-procedures/chapter-61/61.13.01 Safeguarding College Information.html prevails.

The most restricted class of data on a server defines what the server is categorized as.

Term | Examples

Public | Include, but are not limited to, board of trustees’ open meeting materials, college reports, course descriptions, directory information, marketing materials, newsletters, and web content. This data is generally accessible or available on request through the Maryland Public Information Act process.

Confidential | Include, but are not limited to, employee evaluations, marketing plans, network information, and intellectual property.

Regulated | Include, but are not limited to, academic performance records, banking information, birth dates, counseling records, financial aid data, medical records, and social security numbers. This data is commonly referred to as personally identifiable information (PII).

Mission Critical | IP Networking


🔷  = Recommended      = Required

Minimum standards

Backups
Item | Repeats | Public | Confidential | Regulated



System administrators should establish and follow a procedure to carry out regular system backups.


🔷


🔷

Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.


🔷


🔷

Systems administrators must maintain documented restoration procedures for systems and the data on those systems.


🔷


🔷

Change Management
Item | Repeats | Public | Confidential | Regulated
There must be a change management process for systems configuration. This process must be documented.

🔷🔷

System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available.


If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch.


🔷


🔷

Review and update the Server Inventory Spreadsheet quarterly.

Virus Protection
Item | Repeats | Public | Confidential | Regulated
Antivirus software must be installed and enabled.
Example: Microsoft ATP

Install and enable anti-spyware software. If administrators use the machine to browse web sites not specifically related to administering that machine (which is not recommended), installing and enabling anti-spyware software is required.
Example: Microsoft ATP, MSRT


🔷


🔷


🔷

Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily.

Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.


🔷


🔷

Physical Access
Item | Repeats | Public | Confidential | Regulated
Systems acting as servers must be physically located in one of the datacenters or, with an approved exception request, in a physically secured area with restricted access. All other systems, including portable devices, must be physically secured if left unattended.


🔷


🔷

Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access.


🔷


🔷

Unattended computing devices must be secured from unauthorized access using a combination of physical and logical security controls commensurate with the associated risks. Physical security controls include barriers such as locked doors or security cables. Logical security controls include screen saver passwords and automatic session time-outs that activate after 15 minutes of inactivity.

System Hardening
Item | Repeats | Public | Confidential | Regulated
Systems must be set up in a protected network environment, or by using a method that ensures the system is not reachable from a potentially hostile network until it has been secured.
(Note: This differs from UTexas, where this was required for Regulated systems.)


🔷


🔷


🔷

Operating system and application security patches should be installed expediently: within 30 days for High and Critical, and within 90 days for Medium and below.
Products that no longer receive security updates from the vendor (i.e., unsupported software) must be documented via the unsupported software form.

Enable automatic notification of new patches if possible.

Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.


🔷


🔷

Limit connections to services to only the authorized users of the service.
Examples: A configured host-based firewall is required for all systems handling Confidential data; software firewalls, hardware firewalls, and service configuration for all other systems.


🔷


🔷

Services or applications running on systems manipulating Confidential data should implement encrypted communications as required by confidentiality and integrity needs. (See Protecting Data in Transit)


🔷


🔷

Systems will provide secure storage for Confidential data. Security can be provided by means such as, but not limited to, encryption (see Data Encryption Guidelines), access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.
Examples:



🔷



🔷


If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.
Examples:


🔷


🔷
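
An added example of this control (not from the page or any named tool): a Python baseline-and-compare check that records a SHA-256 digest, size and permission bits for each critical file and reports what changed since the baseline. The file list is an assumption to be replaced with the critical files of the OS in use, and demo() exercises the check on constructed files in a temporary directory.

```python
import hashlib
import tempfile
from pathlib import Path

# Assumed list of critical files; adjust to the operating system being hardened.
DEFAULT_PATHS = ["/etc/passwd", "/etc/shadow", "/etc/sudoers", "/etc/ssh/sshd_config"]

def sha256_file(path: Path) -> str:
    digest = hashlib.sha256()
    with path.open("rb") as fh:
        for chunk in iter(lambda: fh.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def build_baseline(paths) -> dict:
    """Hash, size and permission bits per file; a path that does not exist is recorded as None."""
    baseline = {}
    for path in map(Path, paths):
        if path.is_file():
            st = path.stat()
            baseline[str(path)] = {"sha256": sha256_file(path), "size": st.st_size,
                                   "mode": oct(st.st_mode & 0o7777)}
        else:
            baseline[str(path)] = None
    return baseline

def compare(baseline: dict, current: dict) -> dict:
    """Classify each baselined path: content or mode changed, file gone, or file newly present."""
    report = {"modified": [], "missing": [], "appeared": []}
    for path, old in baseline.items():
        new = current.get(path)
        if old is None and new is not None:
            report["appeared"].append(path)
        elif old is not None and new is None:
            report["missing"].append(path)
        elif old != new:
            report["modified"].append(path)
    return report

def demo() -> dict:
    """Test the control in a scratch directory: baseline, then alter one file and delete another."""
    with tempfile.TemporaryDirectory() as tmp:
        cfg, sudoers = Path(tmp, "sshd_config"), Path(tmp, "sudoers")
        cfg.write_text("PermitRootLogin no\n")       # constructed sample content
        sudoers.write_text("root ALL=(ALL) ALL\n")    # constructed sample content
        baseline = build_baseline([cfg, sudoers])
        cfg.write_text("PermitRootLogin yes\n")      # simulated tampering
        sudoers.unlink()                              # simulated deletion
        return compare(baseline, build_baseline([cfg, sudoers]))

if __name__ == "__main__":
    print(demo())
```

In production the baseline would be saved off-host (for example as JSON) and the comparison scheduled, so a tampered host cannot also rewrite its own baseline.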

Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.


🔷


🔷

The required warning banner should be installed.
Examples:


🔷


🔷

Whenever possible, all non-removable or (re-)writable media must be configured with file systems that support access control (i.e., not FAT).


🔷


🔷

Access to non-public file system areas must require authentication.

Enforce password complexity requirements per NIST SP 800-63B.

Apply the principle of least privilege to user, admin, and system accounts. Administrative accounts must not be used as a primary user account or for non-administrative purposes.
Examples:
Windows:
Unix:




🔷




🔷



Data Stewardship - TODO Follow https://www.howardcc.edu/about-us/policies-procedures/chapter-61/61.13.01 Safeguarding College Information.html


🔷


🔷

Security Monitoring
Item | Repeats | Public | Confidential | Regulated
If the operating system provides a means to log activity, those controls must be enabled and tested.


🔷


🔷

Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.


🔷


🔷

The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, and data integrity logs). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered).
Note: This is required for all servers, regardless of data classification.
Example: Forward logs to Graylog.

All administrator or root access must be logged.

If a server is expected to be available for general use, its availability must be monitored.
Layer 4 (TCP/UDP) or higher monitoring is preferred.


🔷


🔷

Vulnerability Management
Item | Repeats | Public | Confidential | Regulated
Configure vulnerability scanning using Nessus, Rapid7, or Microsoft ATP, and make sure that neither host-based nor network firewalls block the vulnerability scanners from reaching the system.


🔷


🔷

Share patch records with ITS - TODO


🔷


🔷

Regularly review vulnerability scan findings for your systems in Nessus, Rapid7, or Cherwell. Remediate vulnerabilities with published exploits or malware kits within 14 days of discovery, and remediate other significant vulnerabilities within 30 days.
If a vulnerability cannot be remediated, file a Security Exception Request (POAM) with the Cyber Security Department via Cherwell.


🔷


🔷
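
As an added example (not part of this standards page), the following Python turns the remediation windows above and the patch window from System Hardening (14 days when a published exploit or malware kit exists, 30 days for High and Critical, 90 days for Medium and below) into due dates and lists the open findings that have outrun their window, i.e. candidates for a Security Exception Request (POAM). It assumes that "other significant vulnerabilities" means High and Critical findings, and the findings and the AS_OF date are constructed.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows from this page, in days after discovery:
# published exploit or malware kit -> 14; High/Critical -> 30; Medium and below -> 90.
EXPLOIT_DAYS = 14
SEVERITY_DAYS = {"critical": 30, "high": 30, "medium": 90, "low": 90}
AS_OF = date(2024, 3, 10)  # fixed "today" so the sample report is reproducible

@dataclass
class Finding:
    host: str
    title: str
    severity: str                      # critical, high, medium or low
    discovered: date
    exploit_available: bool = False    # scanner reports a public exploit or malware kit
    remediated: Optional[date] = None  # date the fix was confirmed by a rescan

def sla_days(finding: Finding) -> int:
    """Tightest window that applies: the exploit rule overrides the severity table."""
    if finding.exploit_available:
        return EXPLOIT_DAYS
    return SEVERITY_DAYS[finding.severity.lower()]

def deadline(finding: Finding) -> date:
    return finding.discovered + timedelta(days=sla_days(finding))

def status(finding: Finding, today: date) -> str:
    """closed: fixed in time; late: fixed after the deadline; overdue: open past it; open: otherwise."""
    due = deadline(finding)
    if finding.remediated is not None:
        return "closed" if finding.remediated <= due else "late"
    return "overdue" if today > due else "open"

def needs_exception(findings, today: date):
    """Open findings past their window: candidates for a Security Exception Request (POAM)."""
    overdue = [f for f in findings if status(f, today) == "overdue"]
    return sorted(overdue, key=lambda f: (deadline(f), f.host))

# Constructed sample findings, not real scan output.
SAMPLE = [
    Finding("web01", "OpenSSH update", "high", date(2024, 1, 10)),
    Finding("web01", "Exploited CMS flaw", "medium", date(2024, 2, 20), exploit_available=True),
    Finding("db01", "Stale cipher suite", "low", date(2024, 1, 2)),
    Finding("db01", "Kernel update", "critical", date(2024, 1, 15), remediated=date(2024, 2, 10)),
]

if __name__ == "__main__":
    for f in SAMPLE:
        print(f"{f.host:6} {f.title:20} due {deadline(f)} {status(f, AS_OF)}")
    print("POAM candidates:", [f.title for f in needs_exception(SAMPLE, AS_OF)])
```

Note that the Medium finding with a public exploit comes due before the High one discovered earlier; the exploit rule, not the severity label, drives the deadline.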

Regulated Data Controls
Item | Repeats | Public | Confidential | Regulated
Implement PCI DSS, HIPAA, or export controls as applicable.


Mission Critical Systems
Item | Repeats | Public | Confidential | Regulated
Implement Mission Critical Systems Controls - Doesn't apply to SCS?

Software Applications
Item | Repeats | Public | Confidential | Regulated
Software applications designed to handle Confidential or higher data must meet additional controls at TODO

Todo:

  • Exception form for non-NOC servers
  • Exception form for Unsupported software
  • Security Exception Request
  • Data Stewardship
  • Share Patch Logs with ITS?
  • Mission Critical
  • Software Applications