Our methodology starts with incidents handled by the Incident Response team. We merge our information with data collected from across Higher Education. Combined, we have an accurate picture of the top threats facing our industry.
We then evaluate safeguards based on effectiveness, cost, and productivity impact. After countless hours of research and consideration, we select the best protection options. Those become Minimum Security Standards.
You should implement the Minimum Security Standards before committing resources to other information security issues. Please note, this is not an exhaustive list of otherwise responsible IT practices. Nor does it absolve you of regulatory or contractual obligations, such as HIPAA, PCI, and some research arrangements. In these cases, you should prove compliance while meeting the Minimum Security Standards.
Apply each standard according to the asset type (e.g. Server vs. Endpoint) and the data classification (e.g. Public vs. Confidential). Unless stated otherwise, units may meet a standard's goal however they see fit. We list options for informational purposes only. The few required technologies or practices allow us to conduct Incident Response and administer the Security Program.