Minimum Security for Applications

Standards	What to do	Low Risk System	Moderate Risk System	High Risk System
Operating System	Maintain current supported version as designated by UIS configuration management	X	X	X
Vulnerability Management	Ensure server is recorded in Tenable. Remediate severity 5 vulnerabilities within 48 hours, Remediate severity 4 within 7 days Remediate severity 3 vulnerabilities within 14 days.	X	X	X
Inventory	Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.	X	X	X
Firewall	Permit only the minimum necessary services.	X	X	X
Credentials and Access Control	Review existing accounts and privileges quarterly. Enforce password complexity. Logins with NetID credentials via WebAuth/SAML.	X	X	X
Centralized Logging	Forward logs to UIS Splunk.	X	X	X
Secure Software Development	Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.		X	X
Developer Training	Attend role-based Information Security training course annually.		X	X
Backups	Back up application data at least weekly. Encrypt backup data in transit and at rest.		X	X
Multi-Factor Authentication	Require Duo multi-factor authentication for all interactive user and administrator logins.	X	X	X
Dedicated Admin Procedures	Execute system administrative actions in accordance with departmental and security procedures (admin accts, secure devices, etc)	X	X	X
Security, Privacy, and Legal Review	Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.	X	X	X
Regulated Data Security Controls	Implement PCI DSS, HIPAA, or export controls as applicable.	not permissible	not permissible	X