Minimum Security Standards

Information Security Minimum Security Standards


Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.

1. Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all of them. For example, an endpoint storing Low Risk data but accessing a High Risk application should be designated as High Risk.

2. Follow the minimum security standards in the table below to safeguard your endpoints.


Endpoints

Each standard below notes whether it is free of charge and/or a recurring task, the risk levels it applies to (Public, Non-public, Confidential), and what to do.

PATCHING (free of charge; recurring task)
  Applies to: Public, Non-public, Confidential.
  Apply security patches within seven days of publish. Use a supported OS version.

WHOLE DISK ENCRYPTION (free of charge)
  Applies to: Public, Non-public, Confidential.
  Enable FileVault 2 for Mac through Self Service and BitLocker for Windows. Install MDM on mobile devices.

MALWARE PROTECTION (free of charge)
  Applies to: Public, Non-public, Confidential.
  Install antivirus (Symantec Endpoint Protection recommended).

BACKUPS (free of charge)
  Applies to: Public, Non-public, Confidential.
  Back up user data at least daily. NSave CrashPlan PROe is recommended for all University endpoints.

CONFIGURATION MANAGEMENT (free of charge)
  Applies to: Public (recommended), Non-public (recommended), Confidential (required).
  Install Casper Suite or SCCM.

REGULATED DATA SECURITY CONTROLS (free of charge)
  Applies to: Confidential.
  Implement PCI DSS, HIPAA, or export controls as applicable.

FIREWALL (free of charge)
  Applies to: Public, Non-public, Confidential.
  Enable the local firewall in default deny mode and permit only the minimum necessary services.
Servers

PATCHING (free of charge)
  Applies to: Public, Non-public, Confidential.
  Apply security patches within seven days of publish. Use a supported OS version.

INVENTORY (free of charge)
  Applies to: Public, Non-public, Confidential.
  Review and update IS-HAM records quarterly.

FIREWALL (free of charge)
  Applies to: Public, Non-public, Confidential.
  Enable host-based and network firewalls in default deny mode and permit only the minimum necessary services.

CREDENTIALS & ACCESS CONTROL (free of charge)
  Applies to: Public, Non-public, Confidential.
  Integration with UNL's Authentication Services is recommended. Review existing accounts and privileges quarterly. Enforce password complexity for any unmanaged/local accounts.

TWO-FACTOR AUTHENTICATION (free of charge)
  Applies to: Non-public (recommended), Confidential (required).
  Require Duo two-factor authentication for all interactive user and administrator logins.

CENTRALIZED LOGGING
  Applies to: Confidential.
  Forward logs to a remote log server. The University IT Splunk service is recommended.

VULNERABILITY MANAGEMENT (free of charge; recurring task)
  Applies to: Public, Non-public, Confidential.
  Monthly Qualys scan. Remediate severity 5 vulnerabilities within seven days, severity 4 vulnerabilities within 14 days, and severity 3 vulnerabilities within 28 days of discovery.

MALWARE PROTECTION (free of charge; recurring task)
  Applies to: Non-public, Confidential.
  Monthly security scan.

PHYSICAL PROTECTION (free of charge)
  Applies to: Non-public, Confidential.
  Place system hardware in a data center.

SECURITY, PRIVACY & LEGAL REVIEW (free of charge)
  Applies to: Confidential.
  Request a Security, Privacy, and Legal review and implement its recommendations before deployment.

REGULATED DATA SECURITY CONTROLS
  Applies to: Confidential.
  Implement PCI DSS, HIPAA, or export controls as applicable.

MONITORING (free of charge)
  Applies to: Non-public, Confidential.
  Monitor the system for uptime.
Applications

PATCHING (free of charge)
  Applies to: Public, Non-public, Confidential.
  Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish, medium severity within 14 days, and low severity within 28 days. Use a supported version of the application.

INVENTORY (free of charge)
  Applies to: Public, Non-public, Confidential.
  Maintain a list of applications and their data classifications. Review and update records quarterly.

FIREWALL (free of charge)
  Applies to: Public, Non-public, Confidential.
  Permit only the minimum necessary services in the network firewall. Review and verify firewall rules annually.

CREDENTIALS & ACCESS CONTROL (free of charge)
  Applies to: Public, Non-public, Confidential.
  Review existing accounts and privileges quarterly. Integrate with UNL CAS or Shibboleth. Follow the Authentication Services Policy.

TWO-FACTOR AUTHENTICATION (free of charge)
  Applies to: Non-public, Confidential.
  Require Duo two-factor authentication for all interactive user and administrator logins.

CENTRALIZED LOGGING
  Applies to: Non-public, Confidential.
  Forward logs to a remote log server. The University IT Splunk service is recommended.

WEBSITE SSL (free of charge)
  Applies to: Non-public, Confidential.
  Obtain and use a TLS certificate on all websites. Sites that accept credentials or credit card information must use an "extended validation" certificate. If UNL hosted, request and obtain it from the UNL Security Dept.

VULNERABILITY MANAGEMENT (free of charge; recurring task)
  Applies to: Non-public, Confidential.
  Monthly Qualys application scan. Remediate severity 5 vulnerabilities within seven days, severity 4 vulnerabilities within 14 days, and severity 3 vulnerabilities within 28 days of discovery.

PHYSICAL PROTECTION
  Applies to: Non-public, Confidential.
  Place system hardware in a data center.

SECURE SOFTWARE DEVELOPMENT
  Applies to: Confidential.
  Include security as a design requirement. Review all code and correct identified security flaws before deployment. Use of static code analysis tools is recommended.

SECURITY APP SCAN (free of charge)
  Applies to: Non-public, Confidential.
  The Security Dept should run an initial IBM app scan against the application on a staging server. Applies to both newly obtained vendor apps and newly developed custom apps.

DEVELOPER TRAINING (free of charge; recurring task)
  Applies to: Non-public, Confidential.
  Attend two days of Information Security Academy training annually.

BACKUPS
  Applies to: Non-public, Confidential.
  Back up application data nightly. Encrypt backup data in transit and at rest.

DEDICATED ADMIN WORKSTATION
  Applies to: Non-public, Confidential.
  Access administrative accounts only via a certified Personal Bastion Host (PBH) or the Full Tunnel VPN profile.

SECURITY, PRIVACY & LEGAL REVIEW (free of charge)
  Applies to: Confidential.
  Request a Security, Privacy, and Legal review and implement its recommendations before deployment.

REGULATED DATA SECURITY CONTROLS
  Applies to: Confidential.
  Implement PCI DSS, HIPAA, or export controls as applicable.
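The two remediation schedules in the Applications standards (NVD ratings in the Patching row, Qualys severities in the Vulnerability Management row) turned into a deadline check over a scan export, as an added example that is not code or tooling from the UNL page. The CSV layout, its column names and the finding IDs are constructed assumptions for illustration, not a real Qualys or NVD export format; the page sets no deadline for Qualys severity 1 and 2, so those findings are reported as having no due date rather than being counted as overdue.

```python
"""Remediation-deadline check for the Applications patching and
vulnerability-management schedules (added example, not UNL's own tooling).

NVD rating   -> days from publish:   high 7, medium 14, low 28
Qualys level -> days from discovery: 5 -> 7, 4 -> 14, 3 -> 28
The page sets no deadline for Qualys severity 1-2, so those findings get
no due date instead of being silently dropped or marked overdue.
"""
import csv
import io
from datetime import date, timedelta
from typing import Optional

NVD_SLA_DAYS = {"HIGH": 7, "MEDIUM": 14, "LOW": 28}
QUALYS_SLA_DAYS = {5: 7, 4: 14, 3: 28}

# Constructed sample export. The column layout and the F-00x IDs are
# assumptions for this example, not a real Qualys or NVD export.
SAMPLE_EXPORT = """\
id,source,severity,start_date,status
F-001,nvd,HIGH,2024-03-01,open
F-002,nvd,medium,2024-03-01,open
F-003,qualys,5,2024-03-05,open
F-004,qualys,3,2024-03-05,open
F-005,qualys,5,2024-02-01,fixed
F-006,qualys,2,2024-01-01,open
"""


def sla_days(source: str, severity: str) -> Optional[int]:
    """Remediation window in days, or None where the page sets none."""
    if source == "nvd":
        return NVD_SLA_DAYS.get(severity.strip().upper())
    if source == "qualys":
        sev = severity.strip()
        return QUALYS_SLA_DAYS.get(int(sev)) if sev.isdigit() else None
    raise ValueError(f"unknown finding source: {source!r}")


def due_date(source: str, severity: str, start: date) -> Optional[date]:
    """Date by which the finding must be remediated, or None if no SLA applies."""
    days = sla_days(source, severity)
    return None if days is None else start + timedelta(days=days)


def overdue_findings(export_text: str, today: date):
    """Return [(id, due_date_iso, days_overdue)] for open findings past their
    due date. A finding that is due today is still inside its window."""
    overdue = []
    for row in csv.DictReader(io.StringIO(export_text)):
        if row["status"].strip().lower() == "fixed":
            continue
        due = due_date(row["source"].strip().lower(), row["severity"],
                       date.fromisoformat(row["start_date"].strip()))
        if due is not None and today > due:
            overdue.append((row["id"], due.isoformat(), (today - due).days))
    return overdue


def check_sample(today: date = date(2024, 3, 12)):
    """Run the check against the constructed export (the demo's entry point)."""
    return overdue_findings(SAMPLE_EXPORT, today)


if __name__ == "__main__":
    for fid, due, late in check_sample():
        print(f"{fid}: due {due}, {late} day(s) overdue")
```

On the sample data only F-001 (NVD high, published 1 March, due 8 March) is overdue on 12 March; F-003 is due that very day and is still in its window, F-005 is already fixed, and F-006 (Qualys severity 2) has no deadline on the page. Feeding a real export in means mapping its severity and date columns onto the `source`, `severity` and `start_date` fields assumed here.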

Definitions

Computing Equipment

Any UNL-provided desktop or portable device or system, or any non-UNL desktop or portable device or system used to access UNL-provided data or services.

Masked number

  1. A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and
  2. All other Prohibited or Restricted numbers have only the last four digits intact. See the full PCI DSS 3.1 standard for details (the PCI Security Standards Council requires accepting its license terms to download it).
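The two masking rules above as an added example, not code from the UNL page: a PAN keeps at most the first six and last four digits, any other Prohibited or Restricted number keeps only the last four, and separators are left in place so the masked value keeps its layout. Two things go beyond the definition and are assumptions of this example: a PAN is taken to be 13 to 19 digits long (the lengths card brands issue), so shorter values are rejected rather than masked as a PAN, and the `redact_pans` helper that finds PAN-shaped digit runs in free text such as a log line is added for convenience.

```python
"""Masking per the "Masked number" definition (added example, not UNL code).

Rule 1: a card PAN keeps at most the first six and last four digits.
Rule 2: any other Prohibited or Restricted number keeps only the last four.
Assumption beyond the definition: a PAN is 13 to 19 digits long, so a
shorter value is an error rather than something to mask as a PAN.
"""
import re

MASK_CHAR = "X"
# A run of 13 to 19 digits, optionally separated by single spaces or dashes,
# not adjacent to further digits on either side.
PAN_RE = re.compile(r"(?<!\d)(?:\d[ -]?){12,18}\d(?!\d)")


def _mask_digits(value: str, keep_front: int, keep_back: int) -> str:
    """Replace every digit except the first keep_front and the last keep_back
    with MASK_CHAR; non-digit characters (separators) are left untouched."""
    positions = [i for i, ch in enumerate(value) if ch.isdigit()]
    if len(positions) <= keep_front + keep_back:
        raise ValueError("value too short: no digit would be masked")
    hidden = set(positions[keep_front:len(positions) - keep_back])
    return "".join(MASK_CHAR if i in hidden else ch for i, ch in enumerate(value))


def mask_pan(pan: str) -> str:
    """First six and last four digits stay intact; everything between is masked."""
    n_digits = sum(ch.isdigit() for ch in pan)
    if not 13 <= n_digits <= 19:
        raise ValueError(f"card PAN must have 13 to 19 digits, got {n_digits}")
    return _mask_digits(pan, 6, 4)


def mask_restricted_number(value: str) -> str:
    """Only the last four digits stay intact (SSNs, account numbers, and so on)."""
    return _mask_digits(value, 0, 4)


def redact_pans(text: str) -> str:
    """Mask every PAN-shaped digit run inside free text, e.g. a log line."""
    return PAN_RE.sub(lambda m: mask_pan(m.group(0)), text)


if __name__ == "__main__":
    # Constructed test values, not real card or ID numbers.
    print(mask_pan("4111 1111 1111 1111"))
    print(mask_pan("4222222222222"))
    print(mask_restricted_number("123-45-6789"))
    print(redact_pans("2024-03-12 payment ok card=4111-1111-1111-1111 amt=12.50"))
```

The length check is what keeps rule 1 honest: on a number with ten or fewer digits, "first six and last four intact" would leave nothing masked, so `_mask_digits` refuses rather than emit an unmasked value. `redact_pans` is deliberately conservative and will also mask other 13 to 19 digit runs (timestamps, long IDs); a Luhn check on each match would cut those false positives if that matters for the log in question.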


NIST-Approved Encryption
The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption that meets NIST-approved standards is suitable for protecting UNL data only if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys carry the same data classification as the most sensitive data they protect.

Payment Card Industry Data Security Standards

  • The practices used by the credit card industry to protect cardholder data.
  • The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that store, process, or transmit card payment data. The most recent version of the PCI DSS is available from the PCI Security Standards Council.

Protected Health Information (PHI)

All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Officer.

Qualified Machine
A computing device located in a secure UNL facility and with access control protections that meet the Payment Card Industry Data Security Standards.

Student Records Information
Data maintained by UNL and subject to the Family Educational Rights and Privacy Act (FERPA). Student Records include UNL-held student academic transcripts and other related academic records (official and unofficial), and UNL-held records related to:

  1. academic advising
  2. health/disability
  3. academic probation and/or suspension
  4. conduct (including disciplinary actions)
  5. directory information and other biographical and personal data maintained by the Office of the University Registrar and/or other UNL offices.
  6. applications for student admission, which are considered Student Records from the point at which the application has been received, accepted, and acknowledged as such by UNL.