| Standard | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|---|---|---|
| Patching | Apply security patches within 48 hours when any of the following applies: CVSS > 7; Qualys severity > 3; vendor rates it "Critical"; remotely exploitable. Apply other patches within 14 days. Use a supported OS version. | ✓ | ✓ | ✓ |
| Vulnerability Management | Ensure the server is in Qualys. Remediate severity 5 vulnerabilities within 48 hours, severity 4 within 7 days, and severity 3 within 14 days. | ✓ | ✓ | ✓ |
| Malware Protection | Install Symantec Anti-Virus. | ✓ | ✓ | ✓ |
| Centralized Logging | Forward logs to UIS Splunk. | ✓ | ✓ | ✓ |
| Backups | Included in UIS backup strategy. Encrypt backup data in transit and at rest. | ✓ | ✓ | ✓ |
| Inventory | Review and update Snipe-IT records quarterly. Maximum of one system per record. | ✓ | ✓ | ✓ |
| Configuration Management | Install Tanium Client. | ✓ | ✓ | ✓ |
| Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | ✓ | ✓ | ✓ |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Log in with NetID credentials via Kerberos. | ✓ | ✓ | ✓ |
| Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | ✓ | ✓ | ✓ |
| Sysadmin Training | Attend role-based Information Security training course annually. | | ✓ | ✓ |
| Intrusion Detection | Deploy Symantec on supported platforms. Review alerts as they are received. | | ✓ | ✓ |
| Physical Protection | Place system hardware in a data center. | | ✓ | ✓ |
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | ✓ |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | ✓ | ✓ | ✓ |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | | | ✓ |
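As an added illustration, not part of the standards page itself, the Python below turns the Patching and Vulnerability Management rows into a deadline calculator that can be run over a list of findings. The `Finding` fields, the sample hosts and the rule that the stricter of the two deadlines applies when both rows cover a finding are assumptions, not something the page states.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta

# Windows from the standards table: 48 hours for critical patches and Qualys
# severity 5, 7 days for severity 4, 14 days for severity 3 and other patches.
PATCH_CRITICAL = timedelta(hours=48)
PATCH_OTHER = timedelta(days=14)
QUALYS_SLA = {5: timedelta(hours=48), 4: timedelta(days=7), 3: timedelta(days=14)}

@dataclass
class Finding:                     # hypothetical record shape, one per host/vuln
    host: str
    qualys_severity: int           # 1-5 as reported by Qualys
    cvss: float
    vendor_rating: str             # e.g. "Critical", "Important"
    remotely_exploitable: bool
    detected_at: datetime

def is_critical_patch(f: Finding) -> bool:
    """Any one of the four Patching-row triggers starts the 48-hour clock."""
    return (f.cvss > 7
            or f.qualys_severity > 3
            or f.vendor_rating.lower() == "critical"
            or f.remotely_exploitable)

def remediation_deadline(f: Finding) -> datetime:
    """Stricter of the Patching SLA and the Qualys severity SLA (assumption: earlier wins)."""
    windows = [PATCH_CRITICAL if is_critical_patch(f) else PATCH_OTHER]
    if f.qualys_severity in QUALYS_SLA:
        windows.append(QUALYS_SLA[f.qualys_severity])
    return f.detected_at + min(windows)

def overdue(findings, now: datetime):
    """Return (host, deadline) for every finding whose deadline has passed at `now`."""
    return [(f.host, remediation_deadline(f)) for f in findings
            if remediation_deadline(f) < now]

# Constructed sample findings (not real hosts or scan data).
T0 = datetime(2024, 1, 1, 9, 0)
SAMPLE = [
    Finding("web-01", 5, 9.8, "Critical", True, T0),    # every trigger: 48 h
    Finding("db-02", 3, 7.5, "Important", False, T0),   # CVSS > 7: 48 h, not the 14 d sev-3 SLA
    Finding("app-03", 4, 5.0, "Important", False, T0),  # Qualys > 3: 48 h beats the 7 d sev-4 SLA
    Finding("app-04", 2, 4.3, "Low", False, T0),        # no trigger, no Qualys SLA: 14 d
    Finding("app-05", 3, 5.0, "Moderate", False, T0),   # sev 3 and other patch both 14 d
]
NOW = T0 + timedelta(days=3)       # constructed "current time" for the sample run
```

Note that a Qualys severity 4 finding is always on the 48-hour clock under these rules, because the Patching row's "Qualys > 3" trigger is stricter than the 7-day window in the Vulnerability Management row.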