| Patching |
Apply security patches 48 hours:
- CVSS > 7
- Vendor “Critical”
- Remotely Exploitable
Other patches within 14 days.
Use a supported version of the application.
|
X |
X |
X |
|
Vulnerability Management
|
Ensure server is in Qualys.
- Remediate severity 5 vulnerabilities within 48 hours,
- Remediate severity 4 within 7 days
- Remediate severity 3 vulnerabilities within 14 days.
|
X |
X |
X |
|
Inventory
|
Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.
|
X |
X |
X |
|
Firewall
|
Permit the minimum necessary services.
|
X |
X |
X |
|
Credentials and Access Control
|
Review existing accounts and privileges quarterly. Enforce password complexity. Logins with NetID credentials via WebAuth/SAML.
|
X |
X |
X |
|
Centralized Logging
|
Forward logs to UIS Splunk.
|
X |
X |
X |
|
Secure Software Development
|
Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.
|
|
X |
X |
|
Developer Training
|
Attend role-based Information Security training course annually.
|
|
X |
X |
|
Backups
|
Back up application data at least weekly. Encrypt backup data in transit and at rest.
|
|
X |
X |
|
Multi-Factor Authentication
|
Require Duo multi-factor authentication for all interactive user and administrator logins.
|
X |
X |
X |
|
Dedicated Admin Workstation
|
Access administrative accounts only through a Privileged Access Workstation (PAW).
|
|
|
X |
|
Security, Privacy, and Legal Review
|
Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.
|
X |
X |
X |
|
Regulated Data Security Controls
|
Implement PCI DSS, HIPAA, or export controls as applicable.
|
|
|
X |
