| Standard | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|:---:|:---:|:---:|
| Patching | Apply security patches within 48 hours when any of the following applies: CVSS > 7; vendor rating "Critical"; remotely exploitable. Apply other patches within 14 days. Use a supported version of the application. | ✓ | ✓ | ✓ |
| Vulnerability Management | Ensure the server is in Qualys. Remediate severity 5 vulnerabilities within 48 hours, severity 4 within 7 days, and severity 3 within 14 days. | ✓ | ✓ | ✓ |
| Inventory | Maintain a list of applications with their risk classifications and data volume estimates. Review and update the records quarterly. | ✓ | ✓ | ✓ |
| Firewall | Permit only the minimum necessary services. | ✓ | ✓ | ✓ |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Use NetID credentials via WebAuth/SAML for logins. | ✓ | ✓ | ✓ |
| Centralized Logging | Forward logs to UIS Splunk. | ✓ | ✓ | ✓ |
| Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Static code analysis tools are recommended. | | ✓ | ✓ |
| Developer Training | Attend a role-based Information Security training course annually. | | ✓ | ✓ |
| Backups | Back up application data at least weekly. Encrypt backup data in transit and at rest. | | ✓ | ✓ |
| Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | ✓ | ✓ | ✓ |
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | ✓ |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement its recommendations prior to deployment. | ✓ | ✓ | ✓ |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | | | ✓ |

A check mark means the standard applies to systems of that risk classification.
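The Patching and Vulnerability Management windows in the table, encoded as an SLA check run over constructed scan findings. This is an added example, not code from the standards page; the Finding record, its field names and the sample findings are assumptions made for illustration.

```python
"""SLA checker for the Patching and Vulnerability Management rows.

Added example, not code from the standards page. The Finding record,
its field names and the sample findings are constructed assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Qualys severity -> remediation window (Vulnerability Management row).
QUALYS_WINDOW = {5: timedelta(hours=48), 4: timedelta(days=7), 3: timedelta(days=14)}
DEFAULT_WINDOW = timedelta(days=14)     # "Other patches within 14 days."
CRITICAL_WINDOW = timedelta(hours=48)   # CVSS > 7, vendor "Critical", or remote

@dataclass
class Finding:
    host: str
    title: str
    detected: datetime          # first seen (UTC)
    severity: int = 0           # Qualys severity 1-5; 0 if not scanner-reported
    cvss: float = 0.0
    vendor_rating: str = ""     # vendor's own rating, e.g. "Critical"
    remote: bool = False        # remotely exploitable

def window_for(f):
    """Tightest window that applies: any one 48-hour trigger wins; the
    Qualys severity window then tightens the default where it is shorter."""
    window = DEFAULT_WINDOW
    if f.cvss > 7 or f.vendor_rating.lower() == "critical" or f.remote:
        window = CRITICAL_WINDOW
    if f.severity in QUALYS_WINDOW:
        window = min(window, QUALYS_WINDOW[f.severity])
    return window

def deadline(f):
    return f.detected + window_for(f)

def overdue(findings, now):
    """Findings whose deadline has passed, with how late each one is."""
    return [(f.host, f.title, now - deadline(f)) for f in findings if deadline(f) < now]

UTC = timezone.utc
SAMPLE = [  # constructed sample findings, not real scan data
    Finding("web01", "OpenSSL remote overflow", datetime(2024, 3, 1, tzinfo=UTC), severity=5, cvss=9.8, remote=True),
    Finding("web01", "Cookie without Secure flag", datetime(2024, 2, 10, tzinfo=UTC), severity=3, cvss=5.3),
    Finding("db01", "DBMS vendor bulletin", datetime(2024, 3, 4, 12, tzinfo=UTC), cvss=6.5, vendor_rating="Critical"),
    Finding("app02", "Banner disclosure", datetime(2024, 3, 5, tzinfo=UTC), severity=2, cvss=3.1),
    Finding("app02", "Local privilege escalation", datetime(2024, 3, 5, tzinfo=UTC), severity=4, cvss=7.0),
]
NOW = datetime(2024, 3, 6, tzinfo=UTC)

if __name__ == "__main__":
    for host, title, late in overdue(SAMPLE, NOW):
        print(f"OVERDUE {host}: {title} (late by {late})")
```

The CVSS 7.0 finding shows the boundary: it is not "> 7", so only its Qualys severity 4 window (7 days) shortens the default.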