Fredonia Minimum Security Standards: Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

Follow the minimum security standards in the table below to safeguard your applications.


PatchingBased on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.
Vulnerability ManagementPerform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
InventoryMaintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.
Permit the minimum necessary services through the network firewall.
Credentials and Access ControlReview existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended.
Two-Step Authentication Require two-step authentication for all interactive user and administrator logins. (As available)
Centralized Logging Forward logs to a remote log server. University IT Splunk service recommended.
Secure Software Development
Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.
Backups Back up application data at least weekly. Encrypt backup data in transit and at rest.
Dedicated Admin Workstation Access administrative accounts only via a Privileged Access Workstation (PAW).

Security, Privacy, and Legal Review
Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.
Regulated Data Security Controls
Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.

Filter by label

There are no items with the selected labels at this time.