Fredonia Minimum Security Standards: Servers

A server is defined as a host that provides a network accessible service.

Follow the minimum security standards in the table below to safeguard your servers.

STANDARDS | RECURRING TASK | WHAT TO DO | LOW RISK | MODERATE RISK | HIGH RISK

Patching

Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publication and all other security patches within 30 days. Use a supported OS version.

Vulnerability Management

Perform monthly vulnerability scans via the Enterprise Vulnerability Management System. Remediate severity Critical and High vulnerabilities within seven days of discovery and severity Medium vulnerabilities within 90 days.

Inventory

Review and update records quarterly. Maximum of one node per record.

Firewall



Enable host-based firewall in default deny mode and permit the minimum necessary services.

Credentials and Access Control

Review existing accounts and privileges quarterly.

Two-Factor Authentication



Require two-factor authentication for all interactive user and administrator logins. Two-factor will be required for all remote authentications.



Centralized Logging

 

Forward logs to a remote log server. University IT Splunk service recommended.

 

Security Training

Complete annual Secure the Human Training.

 

Malware Protection & Intrusion Detection

Deploy Symantec Endpoint Protection. Review alerts as they are received.



Physical Protection

 

Place system hardware in a data center.

 

Dedicated Admin Workstation



Access administrative accounts only through a Privileged Access Workstation (PAW).





Security, Privacy, and Legal Review



Request a Security, Privacy, and Legal review by the Information Security Officer and implement recommendations prior to deployment.



 ✔

Regulated Data Security Controls



Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer.





