Printed on: 08/15/2020. Please go to http://policy.umn.edu for the most current version of the Policy or related document.
University of Minnisota  Appendix

Systems and Device Management Standard

Appendix to Policy

Objective

University systems and devices must be deployed and maintained to an appropriate level, based on the data stored on or accessed through them. Some systems and devices must meet legal, regulatory, or contractual agreements related to their configuration and management.

Security Controls

Management by an IT Service

The following table identifies where management by an IT service (includes University IT or an approved vendor) is required.

ControlSecurity Level
ID Description High Medium Low
SDM.A.01 Multi-user system (e.g., server, container, virtual system component) Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.A.02 Single-user system (e.g., workstation, laptop)1 Required Recommended Optional

1Some mobile devices and IoT devices may require management by an IT Service (e.g., devices in the health care components).

Configuration

The following table defines the baseline security controls for configuring a system or device.

Control Security Level
ID Description High Medium Low
SDM.B.01 Implement one primary function per server, container, or virtual system component to prevent different security levels co-existing on the same server Required Effective July 2019 Recommended Recommended
SDM.B.02 Use industry-accepted system hardening standards (e.g., CIS, NIST) Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.B.03 Remove vendor or open source community software when the vendor or open source community no longer develops security patches Required Required Recommended
SDM.B.04 Enable only necessary services, protocols, daemons, etc. for the function or management of the system Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.B.05 Implement additional security features for any required services, protocols, or daemons that are considered insecure (e.g., ftp, telnet, pop3, imap, snmp v1 & 2) Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.B.06 Remove unnecessary functionality (e.g., applications, scripts, drivers, features, subsystems, file systems) Required Effective
July 2019
Recommended Recommended
SDM.B.07 Enable logging Required Required Recommended
SDM.B.08 Use industry standard strong encryption for workstations, laptops, mobile devices, and removable media Required Required
Effective July 2019
Recommended
SDM.B.09 For single-user systems: Enable automatic updates, or use a University-provided service for managing the security patches Required Required Required
SBM.B.10 Apply and periodically review configuration hardening settings (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended

Firewall

Built-in Firewall

The following table defines the baseline security controls for systems or devices with a built-in firewall.

ControlSecurity Level
ID Description High Medium Low
SDM.C.01 Enable in default deny mode (deny all traffic) and permit the minimum necessary services Required Required Required
SDM.C.02 Document the firewall rules including purpose, justification and approvals for use of all services, protocols, and ports allowed. For insecure protocols include the additional security features implemented for the protocol Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.C.03 For multi-user systems: Review firewall rules, usage, remove rules without current justification (suggest: annual)1 Required Recommended Optional
SDM.C.03 For single-user systems: Review firewall rules, usage, remove rules without current justification (suggest: annual)1 Required
Effective July 2019
Recommended Optional
SDM.C.04 For multi-user systems (e.g., servers): Enable firewall logging Required
Effective July 2019
Required
Effective July 2019
Recommended

1 PCI DSS requires a review of firewall rules every 6 months for all systems that store, process or transmit cardholder data, or support the credit card processing environment.

Systems to locate behind a Network Firewall

The following table defines IT Resources that need to be located behind a University approved network firewall.

ControlSecurity Level
ID Description High Medium Low
SDM.D.01 Systems where a network firewall is needed for legal, regulatory, or contractual compliance Required
Effective July 2019
Required
Effective July 2019
Required
Effective July 2019
SDM.D.02 Systems in a data center Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.D.03 Multi-user systems (e.g., servers for file storage, application hosting, data processing) Required
Effective July 2019
Required
Effective July 2019
Recommended

Backup and Recovery for Software/Applications and System Configurations

Backup copies of data, software/applications, and system configurations must be created on a regular basis, physically secured and backup processes tested periodically to protect against the loss of University data and to maintain business continuity.

The following table defines baseline security controls for backup and recovery of software/applications and system configurations.

ControlSecurity Level
ID Description High Medium Low
SDM.E.01 For multi-user systems: Back up software and system configurations where needed for continuity Required Recommended Optional
SDM.E.01 For single-user systems: Back up software and system configurations where needed for continuity Required
Effective July 2019
Recommended Optional
SDM.E.02 For multi-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of backups, physical storage, access to backups, and backup testing (suggest: annual) Required Recommended Optional
SDM.E.02 For single-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of backups, physical storage, access to backups, and backup testing (suggest: annual) Required
Effective July 2019
Recommended Optional
SDM.E.03 For multi-user system: Test for a successful backup and restoration following documented procedures (suggest: annual) Required Recommended Optional
SDM.E.03 For single-user system: Test for a successful backup and restoration following documented procedures (suggest: annual) Required Effective July 2019 Recommended Optional

Virus/Malware Protection

To protect University information and IT resources from viruses or other malicious code, anti-virus/malware software must be used to assist in preventing and detecting infections. Infections must be eradicated or quarantined. Virus/malware is a threat to the University network and not limited to a single system.

The following table defines the baseline security controls for virus/malware protection.

ControlSecurity Level
ID Description High Medium Low
SDM.F.01 Actively run anti-virus software on all systems commonly affected by malicious software (e.g., Windows, Mac) Required Required Required
SDM.F.02 Use current supported versions and definitions for anti-virus and virus filtering software (suggest: definitions updated within 1-7 days of release)  Required  Required  Required
SDM.F.03 For mulit-user systems: Enable anti-virus audit logs Required Recommended Recommended
SDM.F.03 For single-user systems: Enable anti-virus audit logs Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.F.04 For systems not using anti-virus/malware software, evaluate the evolving virus/malware threats to assess whether system continues to not require anti-virus/malware software (suggest: annual) Required
Effective July 2019
Required
Effective July 2019
Recommended

Physical Security

Systems to locate in a Protected Facility

The following table defines IT Resources that need to be located in a University approved protected facility (e.g., a data center, telecommunications room/closet).

ControlSecurity Level
ID Description High Medium Low
SDM.G.01 Multi-user systems (e.g., servers for file storage, application hosting, data processing) Required Required Recommended

For Devices

The following table defines baseline security controls for physical security of devices (e.g., laptop, tablet, mobile device, card swipe, point of sale terminal, medical device).

ControlSecurity Level
ID Description High Medium Low
SDM.H.01 Secure devices and other equipment when unattended (e.g., secure cabinet, safe, continuously locked facility)1 Required
Effective July 2019
Recommended Optional
SDM.H.02 Secure devices and removable media when traveling (e.g., keep in your possession or locked in a secure location) Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.H.03 Position device display or monitor to limit viewing data Required Recommended Recommended
SDM.H.04 Use tamper resistant label on devices Optional 2 Optional Optional
SDM.H.05 Maintain a log that tracks placement or assignment of devices Required
Effective July 2019
Recommended Recommended
SDM.H.06 Maintain a log of who has access to the secure storage location (e.g., locked closet) Required
Effective July 2019
Required
Effective July 2019
Recommended
SDM.H.07 Review and assess the physical security controls for devices (suggest: annual) Optional 2 Optional Optional

1 PCI DSS requires an anchoring device for card swipe devices not in storage.

2 PCI DSS requires this for all systems that store, process or transmit cardholder data, or support the credit card processing environment.

Resources Covered

This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.

Individuals Covered

This applies to University community members who use or manage University IT resources.

Related Information

Published Date

November 2014

Last Reviewed

April 2019

Document Feedback

Information Technology