Fredonia Minimum Security Standards: Applications
An application is defined as software running on a server that is remotely accessible, including mobile applications.
Follow the minimum security standards in the table below to safeguard your applications.
STANDARDS | RECURRING TASK | WHAT TO DO | LOW RISK | MODERATE RISK | HIGH RISK |
| Patching | ✔ | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application. | ✔ | ✔ | ✔ |
| Vulnerability Management | ✔ | Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | ✔ | ✔ | ✔ |
| Inventory | ✔ | Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly. | ✔ | ✔ | ✔ |
| Firewall | Permit the minimum necessary services through the network firewall. | ✔ | ✔ | ||
| Credentials and Access Control | ✔ | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended. | ✔ | ✔ | ✔ |
| Two-Step Authentication | ✔ | Require two-step authentication for all interactive user and administrator logins. (As available) | ✔ | ✔ | |
| Centralized Logging | ✔ | Forward logs to a remote log server. University IT Splunk service recommended. | ✔ | ✔ | |
| Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. | ✔ | ✔ | ||
| Backups | ✔ | Back up application data at least weekly. Encrypt backup data in transit and at rest. | ✔ | ✔ | |
| Dedicated Admin Workstation | ✔ | Access administrative accounts only via a Privileged Access Workstation (PAW). | ✔ | ||
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | ✔ | ✔ | ||
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, FISMA, or export controls as applicable. | ✔ |
Related articles