Device Firewall Standard
Appendix to Policy
Objective
To ensure authorized access and to prevent unauthorized access to University information and IT resources, end-user devices, servers and other computing devices must be protected through the use of a device firewall.
Security Controls
Multi-user systems (e.g., server)
The following table defines the baseline security controls for device-based firewalls on multi-user systems.
Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
---|---|---|---|---|
DF.A.01 | Firewall installed and operating | Required | Required | Required |
DF.A.02 | Documentation of firewall rules | Required | Recommended | Optional |
DF.A.03 | Periodic review of rulesets (suggested: semi-annual or annual) | Required | Recommended | Optional |
Single-user systems (e.g., desktop, laptop, mobile devices)
The following table defines the baseline security controls for device-based firewalls on single-user systems.
Control ID | Control Description | Security Level: High | Security Level: Medium | Security Level: Low |
---|---|---|---|---|
DF.B.01 | Firewall installed and operating | Required | Required | Required |
DF.B.02 | Documentation of firewall rules | Recommended [1] | Recommended | Optional |
DF.B.03 | Periodic review of rulesets (suggested: semi-annual or annual) | Recommended [1] | Recommended | Optional |

[1] This is required for systems in scope for the credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.
Resources Covered
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
More information on Device Firewall
Published Date
November 2014