An application is defined as software running on a server that is remotely accessible, including mobile applications.
Follow the minimum security standards in the table below to safeguard your applications.
|RECURRING TASK||WHAT TO DO||LOW RISK||MODERATE RISK||HIGH RISK|
|Patching||✔||Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.||✔||✔||✔|
|Vulnerability Management||✔||Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.||✔||✔||✔|
|Inventory||✔||Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.||✔||✔||✔|
|Firewall||Permit the minimum necessary services through the network firewall.||✔||✔|
|Credentials and Access Control||✔||Review existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended.||✔||✔||✔|
|Two-Step Authentication|| ✔||Require Duo two-step authentication for all interactive user and administrator logins. (As available)||✔||✔|
|Centralized Logging|| ✔||Forward logs to a remote log server. University IT Splunk service recommended.||✔||✔|
|Secure Software Development||Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.||✔||✔|
|Backups|| ✔||Back up application data at least weekly. Encrypt backup data in transit and at rest.||✔||✔|
|Dedicated Admin Workstation|| ✔||Access administrative accounts only via a Privileged Access Workstation (PAW).||✔|
|Security, Privacy, and Legal Review||Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.||✔ ||✔|
|Regulated Data Security Controls||Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.||✔|
There is no content with the specified labels