Minimum Security for Servers

| Standards | What to do | Low Risk System | Moderate Risk System | High Risk System |
|---|---|---|---|---|
| Patching | Apply security patches within 48 hours for:<br>• CVSS > 7<br>• Qualys > 3<br>• Vendor “Critical”<br>• Remotely Exploitable<br>Other patches within 14 days.<br>Use a supported OS version. | X | X | X |
| Vulnerability Management | Ensure server is in Qualys.<br>• Remediate severity 5 vulnerabilities within 48 hours.<br>• Remediate severity 4 vulnerabilities within 7 days.<br>• Remediate severity 3 vulnerabilities within 14 days. | X | X | X |
| Malware Protection | Install Symantec Anti-Virus. | X | X | X |
| Centralized Logging | Forward logs to UIS Splunk. | X | X | X |
| Backups | Included in UIS backup strategy. Encrypt backup data in transit and at rest. | X | X | X |
| Inventory | Review and update Snipe-IT records quarterly. Maximum of one system per record. | X | X | X |
| Configuration Management | Install Tanium Client. | X | X | X |
| Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | X | X | X |
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with NetID credentials via Kerberos. | X | X | X |
| Multi-Factor Authentication | Require Duo multi-factor authentication for all interactive user and administrator logins. | X | X | X |
| Sysadmin Training | Attend role-based Information Security training course annually. | | X | X |
| Intrusion Detection | Deploy Symantec on supported platforms. Review alerts as they are received. | | X | X |
| Physical Protection | Place system hardware in a data center. | | X | X |
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | X |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | X | X | X |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export controls as applicable. | | | X |