Fredonia Minimum Security Standards: Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

Follow the minimum security standards in the table below to safeguard your applications.

STANDARDS

RECURRING TASK

WHAT TO DO

LOW RISK

MODERATE RISK

HIGH RISK

Patching

✔

Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.

✔

✔

✔

Vulnerability Management

✔

Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.

✔

✔

✔

Inventory

✔

Maintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.

✔

✔

✔

Firewall

 

Permit the minimum necessary services through the network firewall.

 

✔

✔

Credentials and Access Control

✔

Review existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended.

✔

✔

✔

Two-Step Authentication

 ✔

Require two-step authentication for all interactive user and administrator logins. (As available)



✔

✔

Centralized Logging

 ✔

Forward logs to a remote log server. University IT Splunk service recommended.



✔

✔

Secure Software Development



Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended.



✔

✔

Backups

 ✔

Back up application data at least weekly. Encrypt backup data in transit and at rest.



✔

✔

Dedicated Admin Workstation

 ✔

Access administrative accounts only via a Privileged Access Workstation (PAW).

 

 

✔

Security, Privacy, and Legal Review



Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.



✔ 

✔

Regulated Data Security Controls

 

Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.

 

 

✔


Search Answers

Related articles