Minimum Security for Servers
Standards | What to do | Low Risk System | Moderate Risk System | High Risk System |
---|---|---|---|---|
Patching | Apply security patches within 48 hours; apply other patches within 14 days. | X | X | X |
Vulnerability Management | Ensure the server is enrolled in Qualys vulnerability scanning. | X | X | X |
Malware Protection | Install Symantec Anti-Virus. | X | X | X |
Centralized Logging | Forward logs to UIS Splunk. | X | X | X |
Backups | Included in UIS backup strategy. Encrypt backup data in transit and at rest. | X | X | X |
Inventory | Review and update Snipe-IT records quarterly. Maximum of one system per record. | X | X | X |
Configuration Management | Install Tanium Client. | X | X | X |
Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | X | X | X |
Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Authenticate logins with NetID credentials via Kerberos. | X | X | X |
Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | X | X | X |
Sysadmin Training | Attend a role-based Information Security training course annually. | | X | X |
Intrusion Detection | Deploy Symantec on supported platforms. Review alerts as they are received. | | X | X |
Physical Protection | Place system hardware in a data center. | | X | X |
Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | X |
Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | X | X | X |
Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | | | X |
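The Firewall row asks for a host-based firewall in default-deny mode that permits only the services the server actually needs. The following is an added example of what that looks like as a Linux nftables ruleset; it is not part of the standard above and not UIS-supplied configuration. It assumes a server that exposes HTTPS publicly and SSH only from a hypothetical administrative subnet (10.0.0.0/24); substitute the services and networks that apply to your host. Dropped packets are rate-limited into the kernel log so the centralized logging requirement above also captures probes against the host.

```shell
#!/bin/sh
# Added example, not from the original standard: a default-deny nftables
# ruleset for a Linux server that only exposes SSH (from an admin subnet)
# and HTTPS (from anywhere). The admin subnet 10.0.0.0/24 is a hypothetical
# placeholder; adjust the allow rules to the minimum your server needs.

# Emit the ruleset on stdout. Keeping it in a function lets it be reviewed
# and syntax-checked before anything is loaded into the kernel.
minsec_ruleset() {
  cat <<'EOF'
flush ruleset

table inet filter {
  chain input {
    # Default deny: nothing reaches the host unless a rule below permits it.
    type filter hook input priority 0; policy drop;

    # Loopback and replies to connections the host itself initiated.
    iif "lo" accept
    ct state established,related accept
    ct state invalid drop

    # ICMP / ICMPv6 are needed for path MTU discovery and IPv6 neighbour discovery.
    ip protocol icmp accept
    ip6 nexthdr icmpv6 accept

    # Minimum necessary services: SSH from the admin subnet only, HTTPS from anywhere.
    ip saddr 10.0.0.0/24 tcp dport 22 accept
    tcp dport 443 accept

    # Log a sample of what is dropped so the central log pipeline sees scans.
    limit rate 5/minute log prefix "nft-drop: "
  }
  chain forward {
    # A server is not a router: never forward between interfaces.
    type filter hook forward priority 0; policy drop;
  }
  chain output {
    # Outbound traffic is allowed; tighten this for high-risk systems if required.
    type filter hook output priority 0; policy accept;
  }
}
EOF
}

# Syntax-check the ruleset without applying it (nft --check). Requires nft.
minsec_check() {
  minsec_ruleset | nft -c -f -
}

# Apply the ruleset. "flush ruleset" at the top makes the load a single
# atomic replacement, so there is no window with a partially loaded policy.
minsec_apply() {
  minsec_ruleset | nft -f -
}
```

Run `minsec_check` before `minsec_apply`, and compare the allow rules against what is actually listening (`ss -tlnp`): every listening socket that is not in the allow list is either unnecessary (stop the service) or missing from the ruleset. To make the policy survive a reboot, save the output of `minsec_ruleset` to the location your distribution's nftables service loads (commonly /etc/nftables.conf) and enable that service.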