Printed on: 08/19/2018. Please go to http://policy.umn.edu for the most current version of the Policy or related document.

APPENDIX TO POLICY

Device Firewall Standard

Objective

To ensure authorized access and to prevent unauthorized access to University information and IT resources, end-user devices, servers and other computing devices must be protected through the use of a device firewall.

Security Controls

Multi-user systems (e.g., server)

The following table defines the baseline security controls for device-based firewall on multi-user systems.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DF.A.01 | Firewall installed and operating | Required | Required | Required |
| DF.A.02 | Documentation of firewall rules | Required | Recommended | Optional |
| DF.A.03 | Periodic review of rulesets (suggested: semi-annual or annual) | Required | Recommended | Optional |

Single-user systems (e.g., desktop, laptop, mobile devices)

The following table defines the baseline security controls for device-based firewall on single-user systems.

| Control ID | Description | Security Level: High | Security Level: Medium | Security Level: Low |
|---|---|---|---|---|
| DF.B.01 | Firewall installed and operating | Required | Required | Required |
| DF.B.02 | Documentation of firewall rules | Recommended [1] | Recommended | Optional |
| DF.B.03 | Periodic review of rulesets (suggested: semi-annual or annual) | Recommended [1] | Recommended | Optional |

[1] This is required for systems in scope for the credit card processing environment per PCI-DSS. This includes systems that support or store, process or transmit cardholder data.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

More information on Device Firewall

Published Date

November 2014
