A server is defined as a host that provides a network accessible service.
Follow the minimum security standards in the table below to safeguard your servers.
STANDARDS | RECURRING TASK | WHAT TO DO | LOW RISK | MODERATE RISK | HIGH RISK |
| Patching | ✔ | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 30 days. Use a supported OS version. | ✔ | ✔ | ✔ |
| Vulnerability Management | ✔ | Perform a monthly Vulnerability scans via Enterprise Vulnerability Management System. Remediate severity Critical and High within seven days of discovery and severity Medium vulnerabilities within 90 days. | ✔ | ✔ | ✔ |
| Inventory | ✔ | Review and update records quarterly. Maximum of one node per record. | ✔ | ✔ | ✔ |
| Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | ✔ | ✔ | ✔ | |
| Credentials and Access Control | ✔ | Review existing accounts and privileges quarterly. | ✔ | ✔ | ✔ |
| Two-Factor Authentication | Require Duo two-factor authentication for all interactive user and administrator logins. Duo two-factor will be required for all local and remote authentications. | ✔ | ✔ | ||
| Centralized Logging | Forward logs to a remote log server. University IT Splunk service recommended. | ✔ | ✔ | ||
| Security Training | ✔ | Complete annual Secure the Human Training. | ✔ | ✔ | |
| Malware Protection & Intrusion Detection | ✔ | Deploy Symantec Endpoint Protection. Review alerts as they are received. | ✔ | ✔ | |
| Physical Protection | Place system hardware in a data center. | ✔ | ✔ | ||
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | ✔ | |||
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review by the Information Security Officer and implement recommendations prior to deployment. | ✔ | ✔ | ||
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer. | ✔ |
Short URL to this page:
Related articles