| Vulnerability Management |
Apply security patches in accordance with Vulnerability Management Program requirements based on:
- Severity
- Applicability
- Exploitability
|
X |
X |
X |
| Acceptable Applications and Configurations |
All operating systems, middleware, applications, and associated code/programs must be supported by the vendor, assessed by UISO, and free from malicious/harmful vulnerabilities and bugs |
X |
X |
X |
| Malware Protection |
UISO cybersecurity agents installed and operating according to policy. |
X |
X |
X |
| Centralized Logging |
Forward logs to designated log correlator. |
X |
X |
X |
| Backups |
Included in UIS backup strategy. Encrypt backup data in transit and at rest. |
X |
X |
X |
| Inventory |
Review and update asset records quarterly. |
X |
X |
X |
| Configuration Management |
UISO cybersecurity agents installed and operating according to policy. |
X |
X |
X |
| Firewall |
Enable host-based firewall in default deny mode and permit the minimum necessary services. |
X |
X |
X |
| Credentials and Access Control |
- Review existing accounts and privileges quarterly.
- Enforce password standards.
- Administrative access to designated ports, interfaces, etc via secure methodology only.
|
X |
X |
X |
| Multi-Factor Authentication |
Require two-factor authentication for all NetID user and administrator logins. |
X |
X |
X |
| Cybersecurity and Capabilities Training |
Complete applicable and required cybersecurity, technology, and role-based trainings annually. |
|
X |
X |
| Intrusion Detection |
UISO cybersecurity agents installed and operating according to policy. |
|
X |
X |
| Physical Protection |
Where applicable, place system hardware in a data center, secure lab, or office authorized by UIS. |
|
X |
X |
| Administrative Access |
Administrative access to designated ports, interfaces, etc via secure methodology only. |
|
|
X |
| Cybersecurity, Privacy, and Legal Review |
Applicable Cybersecurity, Privacy, and Legal reviews are required prior to authorization to launch into production. |
X |
X |
X |
| Regulated Data Security Controls |
Applicable FERPA, GLBA, PCI DSS, HIPAA, export and privacy controls or other requirements must be implemented and operating per regulations |
|
|
X |
