Fredonia Minimum Security Standards: Servers

A server is defined as a host that provides a network accessible service.

Follow the minimum security standards in the table below to safeguard your servers.

STANDARDS	RECURRING TASK	WHAT TO DO	LOW RISK	MODERATE RISK	HIGH RISK
Patching	✔	Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 30 days. Use a supported OS version.	✔	✔	✔
Vulnerability Management	✔	Perform a monthly Vulnerability scans via Enterprise Vulnerability Management System. Remediate severity Critical and High within seven days of discovery and severity Medium vulnerabilities within 90 days.	✔	✔	✔
Inventory	✔	Review and update records quarterly. Maximum of one node per record.	✔	✔	✔
Firewall		Enable host-based firewall in default deny mode and permit the minimum necessary services.	✔	✔	✔
Credentials and Access Control	✔	Review existing accounts and privileges quarterly.	✔	✔	✔
Two-Factor Authentication		Require two-factor authentication for all interactive user and administrator logins. Two-factor will be required for all remote authentications.		✔	✔
Centralized Logging		Forward logs to a remote log server. University IT Splunk service recommended.		✔	✔
Security Training	✔	Complete annual Secure the Human Training.		✔	✔
Malware Protection & Intrusion Detection	✔	Deploy Symantec Endpoint Protection. Review alerts as they are received.		✔	✔
Physical Protection		Place system hardware in a data center.		✔	✔
Dedicated Admin Workstation		Access administrative accounts only through a Privileged Access Workstation (PAW).			✔
Security, Privacy, and Legal Review		Request a Security, Privacy, and Legal review by the Information Security Officer and implement recommendations prior to deployment.		✔	✔
Regulated Data Security Controls		Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer.			✔

Related articles