Fredonia Minimum Security Standards: Applications

Patching

Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.

Vulnerability Management

Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.

Inventory

Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.

Firewall

Permit the minimum necessary services through the network firewall.

Credentials and Access Control

Review existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended.

Two-Step Authentication

Require two-step authentication for all interactive user and administrator logins. (As available)

Centralized Logging

Forward logs to a remote log server. University IT Splunk service recommended.

Secure Software Development

Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.

Backups

Back up application data at least weekly. Encrypt backup data in transit and at rest.

Dedicated Admin Workstation

Access administrative accounts only via a Privileged Access Workstation (PAW).

Security, Privacy, and Legal Review

Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.

Regulated Data Security Controls

Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.