
University Technology Services


Minimum Security Standards

(Effective Date - 7/1/16)

The list of imaginable threats, and of possible countermeasures, is limitless; the resources to address them are not. The University Information Security Office values practical, evidence-based solutions. The Minimum Security Standards are the result of that practice.

Read more about the Minimum Security Standards methodology here.

Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.

Standard

Public & Internal Use

Confidential & Restricted Use

What To Do
Anti-malware  X  X

Goal: Stop dangerous software from running.

Option(s): Install anti-virus software and configure it for regular scans and updates. Symantec Endpoint Protection (SEP) is recommended and available at no additional cost through Software Distribution.

Training  X  X

Goal: Keep portable devices with you or locked up and out of sight. Never click on links or attachments from unexpected emails.

Option(s): Security awareness videos recommended and available at no additional cost through Securing The Human

Patching  X  X

Goal: Install security updates for operating systems and applications within 30 days.

Option(s): BigFix, available to System Administrators on Software Distribution. Alternatively, available as part of the UTS Desktop SLA.

Monitoring    X

Goal: Track critical file changes and event logs.

Option(s): OSSEC. Open a ticket with the UISO, following the instructions for Windows or Linux.

Encryption (at rest)    X

Goal: Render sensitive data on stolen/lost devices unreadable.

Option(s): WinMagic SecureDoc. Open a ticket with Desktop Engineering (per these onboarding instructions for System Administrators).

Backups  X  X

Goal: Store important files in a redundant way.

Option(s): OneDrive for Business.  Available at https://portal.office.com, following the quick start guide

Data Loss Protection  X  X

Goal: Reduce sensitive data to absolute minimum.

Required: Install Spirion (Identity Finder), available at no additional cost through Software Distribution

Implementation Deadline: 1 Dec 2017

Incident Response  X X

Goal: Speed up response and reduce downtime.

Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution

Implementation Deadline: 1 Dec 2017


Servers

A server is defined as a host that provides a network accessible service.

Standard

Public & Internal Use

Confidential & Restricted Use

What To Do
Anti-malware  X  X

Goal: Stop dangerous software from running.

Option(s): Install anti-virus software and configure it for regular scans and updates. Symantec Endpoint Protection (SEP) is recommended and available at no additional cost through Software Distribution.

Training    X

Goal: Attend training specific to secure server administration at least once every three years.

Option(s): SANS course recommended, vouchers available at no additional cost through the Information Security Office

Patching  X  X

Goal: Install security updates within 30 days.

Option(s): BigFix, available to System Administrators on Software Distribution.

Monitoring    X

Goal: Check for unusual activity.

Required: Install OSSEC. Open a ticket with the UISO, following the instructions for Windows or Linux. Review access privileges and system logs at least quarterly.

MFA    X

Goal: Place administrator access behind multi-factor authentication.

Option(s): DUO available at no additional cost through UTS

Data Loss Protection  X  X

Goal: Apply appropriate controls based on data sensitivity.

Required: Classify the system according to South Carolina’s guidance here. Review publicly posted information at least quarterly. Review access privileges at least quarterly.

Incident Response   X

Goal: Speed up response and reduce downtime.

Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution. Configure logs so that these events can be reconstructed: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification of account privileges; and modification of log settings.


Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

Standard

Public & Internal Use

Confidential & Restricted Use

What To Do
Training    X

Goal: Attend training specific to secure administration of web applications at least once every three years.

Option(s): SANS course recommended, vouchers available at no additional cost through the Information Security Office

Patching  X  X

Goal: Install security updates for the application, as well as any plugins, within 30 days.

Option(s): BigFix, available to System Administrators on Software Distribution.

Monitoring    X

Goal: Check for unusual activity.

Required: Install OSSEC. Open a ticket with the UISO, following the instructions for Windows or Linux. Configure OSSEC to receive application logs. Review access privileges and system logs at least quarterly.

MFA    X

Goal: Place user and administrator access behind multi-factor authentication.

Option(s): DUO recommended and available at no additional cost through UTS

Account Lockouts X X

Goal: Deter brute force/password guessing attacks.

Option(s): Configure the application to lock user accounts after no more than 50 consecutive invalid login attempts (central authentication is typically configured for fewer).
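As an added illustration, not part of the university's standard or of any named product, the following Python models the lockout rule above: a per-account counter of consecutive failed logins that resets on a successful login and locks the account once a configured threshold of at most 50 is reached. The event list is constructed for the example.

```python
from dataclasses import dataclass, field

MAX_CONSECUTIVE_FAILURES = 50  # upper bound set by the standard; locking sooner is allowed


@dataclass
class LockoutState:
    """Per-account lockout bookkeeping."""
    consecutive_failures: int = 0
    locked: bool = False


@dataclass
class LockoutPolicy:
    """Lock an account after `threshold` consecutive invalid login attempts.

    A successful login resets the counter, so only consecutive failures count.
    """
    threshold: int = MAX_CONSECUTIVE_FAILURES
    accounts: dict = field(default_factory=dict)

    def __post_init__(self):
        # The standard permits a lower threshold, never a higher one.
        if not 1 <= self.threshold <= MAX_CONSECUTIVE_FAILURES:
            raise ValueError("threshold must be between 1 and 50")

    def record(self, user, success):
        """Apply one login outcome; return True if the account is now locked."""
        state = self.accounts.setdefault(user, LockoutState())
        if state.locked:
            return True  # further attempts against a locked account change nothing
        if success:
            state.consecutive_failures = 0
        else:
            state.consecutive_failures += 1
            state.locked = state.consecutive_failures >= self.threshold
        return state.locked


def replay(events, threshold=MAX_CONSECUTIVE_FAILURES):
    """Replay (user, success) events and return the set of locked accounts."""
    policy = LockoutPolicy(threshold)
    for user, success in events:
        policy.record(user, success)
    return {u for u, s in policy.accounts.items() if s.locked}


# Constructed sample: alice fails 49 times, succeeds, then fails 49 more (never locked);
# bob fails 50 times in a row and is locked at the 50th attempt, so replay() returns {'bob'}.
SAMPLE_EVENTS = ([("alice", False)] * 49 + [("alice", True)] + [("alice", False)] * 49
                 + [("bob", False)] * 50)
```

Running `replay(SAMPLE_EVENTS)` shows why "consecutive" matters: alice's 98 failures never lock her account because a success sits between them, while bob's unbroken run does.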

Scanning & Penetration Testing    X

Goal: Verify the application does not have any vulnerabilities.

Option(s): Use an automated scanning tool prior to deployment; after major updates; and at least annually (OWASP recommended tools here). Use an independent, qualified provider to perform a penetration test at least annually.

Incident Response   X

Goal: Speed up response and reduce downtime.

Required: Configure logs to reconstruct these events: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification to account privileges; and modification to log settings.