Minimum Security for Georgetown-Managed Servers

An X marks a standard that is required for systems in that risk tier.

| Standard | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|---|---|---|
| Vulnerability Management | Apply security patches in accordance with Vulnerability Management Program requirements, based on severity, applicability, and exploitability. | X | X | X |
| Acceptable Applications and Configurations | All operating systems, middleware, applications, and associated code/programs must be supported by the vendor, assessed by UISO, and free from malicious/harmful vulnerabilities and bugs. | X | X | X |
| Malware Protection | UISO cybersecurity agents installed and operating according to policy. | X | X | X |
| Centralized Logging | Forward logs to the designated log correlator. | X | X | X |
| Backups | Included in the UIS backup strategy. Encrypt backup data in transit and at rest. | X | X | X |
| Inventory | Review and update asset records quarterly. | X | X | X |
| Configuration Management | UISO cybersecurity agents installed and operating according to policy. | X | X | X |
| Firewall | Enable the host-based firewall in default-deny mode and permit only the minimum necessary services. | X | X | X |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password standards. Administrative access to designated ports, interfaces, etc. via secure methodology only. | X | X | X |
| Multi-Factor Authentication | Require two-factor authentication for all NetID user and administrator logins. | X | X | X |
| Cybersecurity and Capabilities Training | Complete applicable and required cybersecurity, technology, and role-based trainings annually. | | X | X |
| Intrusion Detection | UISO cybersecurity agents installed and operating according to policy. | X | X | X |
| Physical Protection | Where applicable, place system hardware in a data center, secure lab, or office authorized by UIS. | | X | X |
| Administrative Access | Administrative access to designated ports, interfaces, etc. via secure methodology only. | X | X | X |
| Cybersecurity, Privacy, and Legal Review | Applicable Cybersecurity, Privacy, and Legal reviews are required prior to authorization to launch into production. | X | X | X |
| Regulated Data Security Controls | Applicable FERPA, GLBA, PCI DSS, HIPAA, export, and privacy controls or other requirements must be implemented and operating per regulations. | Not permissible | Not permissible | X |