Effective Date - 7/1/16
Read more about the minimum security standards methodology.
Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
Standard | Public & Internal Use | Confidential & Restricted Use | What To Do |
---|---|---|---|
Anti-malware | X | X | Goal: Stop dangerous software from running. Option(s): Install anti-virus, configure for regular scans and updates. Symantec Endpoint Protection (SEP) recommended and available at no additional cost through Software Distribution. |
Training | X | X | Goal: Keep portable devices with you or locked up and out of sight. Never click on links or attachments from unexpected emails. Option(s): Security awareness videos recommended and available at no additional cost through Securing The Human. |
Patching | X | X | Goal: Install security updates for operating systems and applications within 30 days. Option(s): BigFix. Available to System Administrators on Software Distribution. Alternatively, available as part of the DoIT Desktop SLA. |
Monitoring | | X | Goal: Track critical file changes and event logs. Option(s): OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf]. |
Encryption (at rest) | | X | Goal: Render sensitive data on stolen or lost devices unreadable. Option(s): WinMagic SecureDoc. Open a ticket with Desktop Engineering (per these onboarding instructions [pdf] for System Administrators). |
Backups | X | X | Goal: Store important files in a redundant way. Option(s): OneDrive for Business. Available at https://portal.office.com, following the quick start guide [pdf]. |
Data Loss Protection | X | X | Goal: Reduce sensitive data to the absolute minimum. Required: Install Spirion (Identity Finder), available at no additional cost through Software Distribution. Implementation Deadline: 1 Dec 2017 [pdf] |
Incident Response | X | X | Goal: Speed up response and reduce downtime. Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution. Implementation Deadline: 1 Dec 2017 [pdf] |
Servers
A server is defined as a host that provides a network accessible service.
Standard | Public & Internal Use | Confidential & Restricted Use | What To Do |
---|---|---|---|
Anti-malware | X | X | Goal: Stop dangerous software from running. Option(s): Install anti-virus, configure for regular scans and updates. Symantec Endpoint Protection (SEP) recommended and available at no additional cost through Software Distribution. |
Training | | X | Goal: Attend training specific to secure server administration at least once every three years. Option(s): SANS course recommended; vouchers available at no additional cost through the Information Security Office. |
Patching | X | X | Goal: Install security updates within 30 days. Option(s): BigFix. Available to System Administrators on Software Distribution. |
Monitoring | | X | Goal: Check for unusual activity. Required: Install OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf]. Perform reviews of access privileges and system logs at least quarterly. |
MFA | | X | Goal: Place administrator access behind multi-factor authentication. |
Data Loss Protection | X | X | Goal: Apply appropriate controls based on data sensitivity. Required: Classify the system according to South Carolina's guidance [doc]. Review publicly posted information at least quarterly. Review access privileges at least quarterly. |
Incident Response | | X | Goal: Speed up response and reduce downtime. Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution. Configure logs to reconstruct these events: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification of account privileges; and modification of log settings. |
Applications
An application is defined as software running on a server that is remotely accessible, including mobile applications.
Standard | Public & Internal Use | Confidential & Restricted Use | What To Do |
---|---|---|---|
Training | | X | Goal: Attend training specific to secure administration of web applications at least once every three years. Option(s): SANS course recommended; vouchers available at no additional cost through the Information Security Office. |
Patching | X | X | Goal: Install security updates for the application, as well as any plugins, within 30 days. Option(s): BigFix. Available to System Administrators on Software Distribution. |
Monitoring | | X | Goal: Check for unusual activity. Required: OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf]. Configure OSSEC to receive application logs. Perform reviews of access privileges and system logs at least quarterly. |
MFA | | X | Goal: Place user and administrator access behind multi-factor authentication. Option(s): DUO recommended and available at no additional cost through DoIT. |
Account Lockouts | X | X | Goal: Deter brute force/password guessing attacks. Option(s): Configure to lock user accounts after no more than 50 consecutive invalid login attempts (central authentication is typically configured for fewer). |
Scanning & Penetration Testing | | X | Goal: Verify the application does not have any vulnerabilities. Option(s): Use an automated scanning tool prior to deployment, after major updates, and at least annually (OWASP recommended tools). Use an independent, qualified provider to perform a penetration test at least annually. |
Incident Response | | X | Goal: Speed up response and reduce downtime. Required: Configure logs to reconstruct these events: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification of account privileges; and modification of log settings. |
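As an added example (not part of the standard or of any campus tool), the event types that the Incident Response rows for servers and applications require logs to reconstruct, written as a Python classifier run over constructed Linux auth-log lines; it reports which required event types have no evidence in the sample, which is the logging gap a quarterly review would flag. The category names, regexes and sample lines are this example's own assumptions.

```python
import re
from collections import Counter
# Events the standard says logs must be able to reconstruct: logins,
# privileged actions, account creation/deletion, privilege and log changes.
REQUIRED_EVENTS = ("login_success", "login_failure", "privileged_action",
                   "account_created", "account_deleted",
                   "privilege_modified", "log_settings_modified")
# Ordered (category, regex) pairs; first match wins, so the specific
# "sudo edited a logging config" rule sits above the generic sudo rule.
RULES = [
    ("log_settings_modified",
     re.compile(r"sudo:.*COMMAND=\S+ .*/etc/(rsyslog|audit|syslog)")),
    ("privileged_action", re.compile(r"sudo:\s+\S+ : .*COMMAND=")),
    ("login_success", re.compile(r"sshd\[\d+\]: Accepted \w+ for \S+")),
    ("login_failure", re.compile(r"sshd\[\d+\]: Failed \w+ for ")),
    ("account_created", re.compile(r"useradd\[\d+\]: new user: name=")),
    ("account_deleted", re.compile(r"userdel\[\d+\]: delete user ")),
    ("privilege_modified", re.compile(r"usermod\[\d+\]: add '\S+' to group ")),
]

def classify_line(line):
    """Return the event category of one syslog line, or None when the
    line is not one of the events the standard asks for."""
    for category, pattern in RULES:
        if pattern.search(line):
            return category
    return None

def coverage(lines):
    """Count events per category and list required categories with no
    evidence in the sample: those are the logging gaps to close."""
    counts = Counter(c for c in map(classify_line, lines) if c)
    missing = [e for e in REQUIRED_EVENTS if counts[e] == 0]
    return dict(counts), missing

# Constructed sample lines (not real logs); timestamps and hosts omitted.
SAMPLE_LOG = [
    "sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 52211 ssh2",
    "sshd[1202]: Failed password for invalid user admin from 203.0.113.7 port 41022 ssh2",
    "sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx",
    "useradd[1300]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash",
    "usermod[1320]: add 'bob' to group 'sudo'",
    "sudo:    alice : TTY=pts/0 ; PWD=/root ; USER=root ; COMMAND=/usr/bin/vi /etc/rsyslog.conf",
    "CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)",
]

if __name__ == "__main__":
    counts, missing = coverage(SAMPLE_LOG)
    print("events seen:", counts)
    print("required events with no log evidence:", missing)
```

Feeding real syslog output through `coverage` shows at a glance whether a host's logging configuration can actually reconstruct every event the standard lists before an incident forces the question.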