Minimum Security for Applications

| Standards | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|---|---|---|
| Operating System | Maintain current supported version as designated by UIS configuration management. | X | X | X |
| Vulnerability Management | Ensure server is recorded in Tenable. Remediate severity 5 vulnerabilities within 48 hours; remediate severity 4 within 7 days; remediate severity 3 vulnerabilities within 14 days. | X | X | X |
| Inventory | Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly. | X | X | X |
| Firewall | Permit only the minimum necessary services. | X | X | X |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with NetID credentials via WebAuth/SAML. | X | X | X |
| Centralized Logging | Forward logs to UIS Splunk. | X | X | X |
| Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. | | X | X |
| Developer Training | Attend role-based Information Security training course annually. | | X | X |
| Backups | Back up application data at least weekly. Encrypt backup data in transit and at rest. | | X | X |
| Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | X | X | X |
| Dedicated Admin Procedures | Execute system administrative actions in accordance with departmental and security procedures (admin accts, secure devices, etc.). | X | X | X |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | X | X | X |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | not permissible | not permissible | X |