Minimum Security for Applications

| Standard | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|:-:|:-:|:-:|
| Patching | Apply security patches within 48 hours when any of the following applies: CVSS > 7; the vendor rates the patch "Critical"; the vulnerability is remotely exploitable. Apply other patches within 14 days. Use a supported version of the application. | X | X | X |
| Vulnerability Management | Ensure the server is in Qualys. Remediate severity 5 vulnerabilities within 48 hours, severity 4 within 7 days, and severity 3 within 14 days. | X | X | X |
| Inventory | Maintain a list of applications with their associated risk classifications and data volume estimates. Review and update records quarterly. | X | X | X |
| Firewall | Permit the minimum necessary services. | X | X | X |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins use NetID credentials via WebAuth/SAML. | X | X | X |
| Centralized Logging | Forward logs to UIS Splunk. | X | X | X |
| Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools is recommended. | | X | X |
| Developer Training | Attend a role-based Information Security training course annually. | | X | X |
| Backups | Back up application data at least weekly. Encrypt backup data in transit and at rest. | | X | X |
| Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | X | X | X |
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | X |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement its recommendations prior to deployment. | X | X | X |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | | | X |
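The Patching and Vulnerability Management deadlines above can be encoded as policy-as-code so that a ticketing or scan-ingest pipeline computes the same due date for every finding. This is an added example, not part of the standard or any campus tooling; the `Finding` record shape and the rule that the earlier of the two applicable deadlines governs are assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Deadlines from the Patching and Vulnerability Management rows of the standard.
PATCH_URGENT = timedelta(hours=48)   # CVSS > 7, vendor "Critical", or remotely exploitable
PATCH_ROUTINE = timedelta(days=14)   # every other patch
QUALYS_SLA = {5: timedelta(hours=48), 4: timedelta(days=7), 3: timedelta(days=14)}

@dataclass
class Finding:  # constructed record shape; the field names are assumptions
    name: str
    published: datetime                    # when the fix or scan result became available
    cvss: Optional[float] = None           # CVSS base score, if known
    vendor_critical: bool = False          # vendor rates the fix "Critical"
    remotely_exploitable: bool = False
    qualys_severity: Optional[int] = None  # Qualys severity 1-5, if the host was scanned

def patch_deadline(f: Finding) -> datetime:
    """Patching row: 48 hours if any urgency trigger fires, otherwise 14 days.
    The comparison is strict: a CVSS of exactly 7.0 does not satisfy 'CVSS > 7'."""
    urgent = (f.cvss is not None and f.cvss > 7) or f.vendor_critical or f.remotely_exploitable
    return f.published + (PATCH_URGENT if urgent else PATCH_ROUTINE)

def qualys_deadline(f: Finding) -> Optional[datetime]:
    """Vulnerability Management row; severities 1-2 have no stated deadline."""
    sla = QUALYS_SLA.get(f.qualys_severity) if f.qualys_severity is not None else None
    return f.published + sla if sla is not None else None

def due(f: Finding) -> datetime:
    """Both rows apply at every risk tier, so the earlier deadline governs (assumption)."""
    candidates = [d for d in (patch_deadline(f), qualys_deadline(f)) if d is not None]
    return min(candidates)

def overdue(findings, now: datetime):
    """Names of findings whose governing deadline has already passed at `now`."""
    return [f.name for f in findings if now > due(f)]

if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    sample = [  # constructed sample findings
        Finding("libfoo-2024-A", t0, cvss=7.0),                          # routine: 14 days
        Finding("libfoo-2024-B", t0, cvss=7.0, qualys_severity=4),       # Qualys sev 4: 7 days
        Finding("webapp-rce", t0, cvss=6.5, remotely_exploitable=True),  # urgent: 48 hours
    ]
    for f in sample:
        print(f"{f.name}: due {due(f):%Y-%m-%d %H:%M}")
    print("overdue after 3 days:", overdue(sample, t0 + timedelta(days=3)))
```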