Appendix
Sidebar
Table of Contents
Governing Policy
Questions?
Please use the contact section in the governing policy.
- Management by an IT Service
- Configuration
- Firewall
- Systems to locate behind a Network Firewall
- Backup and Recovery for Software/Applications and System Configurations
- Virus/Malware Protection
- Physical Security
- For Devices
Objective
University systems and devices must be deployed and maintained to an appropriate level, based on the data stored on or accessed through them. Some systems and devices must meet legal, regulatory, or contractual agreements related to their configuration and management.
Security Controls
Management by an IT Service
The following table identifies where management by an IT service (includes University IT or an approved vendor) is required.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.A.01 | Multi-user system (e.g., server, container, virtual system component) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.A.02 | Single-user system (e.g., workstation, laptop)1 | Required | Recommended | Optional |
1Some mobile devices and IoT devices may require management by an IT Service (e.g., devices in the health care components).
Configuration
The following table defines the baseline security controls for configuring a system or device.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.B.01 | Implement one primary function per server, container, or virtual system component to prevent different security levels co-existing on the same server | Required Effective July 2019 | Recommended | Recommended |
| SDM.B.02 | Use industry-accepted system hardening standards (e.g., CIS, NIST) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.B.03 | Remove vendor or open source community software when the vendor or open source community no longer develops security patches | Required | Required | Recommended |
| SDM.B.04 | Enable only necessary services, protocols, daemons, etc. for the function or management of the system | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.B.05 | Implement additional security features for any required services, protocols, or daemons that are considered insecure (e.g., ftp, telnet, pop3, imap, snmp v1 & 2) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.B.06 | Remove unnecessary functionality (e.g., applications, scripts, drivers, features, subsystems, file systems) | Required Effective July 2019 | Recommended | Recommended |
| SDM.B.07 | Enable logging | Required | Required | Recommended |
| SDM.B.08 | Use industry standard strong encryption for workstations, laptops, mobile devices, and removable media | Required | Required Effective July 2019 | Recommended |
| SDM.B.09 | For single-user systems: Enable automatic updates, or use a University-provided service for managing the security patches | Required | Required | Required |
| SDM.B.10 | Apply and periodically review configuration hardening settings (suggest: annual) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
Firewall
Built-in Firewall
The following table defines the baseline security controls for systems or devices with a built-in firewall.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.C.01 | Enable in default deny mode (deny all traffic) and permit the minimum necessary services | Required | Required | Required |
| SDM.C.02 | Document the firewall rules including purpose, justification and approvals for use of all services, protocols, and ports allowed. For insecure protocols include the additional security features implemented for the protocol | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.C.03 | For multi-user systems: Review firewall rules, usage, remove rules without current justification (suggest: annual)1 | Required | Recommended | Optional |
| SDM.C.03 | For single-user systems: Review firewall rules, usage, remove rules without current justification (suggest: annual)1 | Required Effective July 2019 | Recommended | Optional |
| SDM.C.04 | For multi-user systems (e.g., servers): Enable firewall logging | Required Effective July 2019 | Required Effective July 2019 | Recommended |
1 PCI DSS requires a review of firewall rules every 6 months for all systems that store, process or transmit cardholder data, or support the credit card processing environment.
Systems to locate behind a Network Firewall
The following table defines IT Resources that need to be located behind a University approved network firewall.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.D.01 | Systems where a network firewall is needed for legal, regulatory, or contractual compliance | Required Effective July 2019 | Required Effective July 2019 | Required Effective July 2019 |
| SDM.D.02 | Systems in a data center | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.D.03 | Multi-user systems (e.g., servers for file storage, application hosting, data processing) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
Backup and Recovery for Software/Applications and System Configurations
Backup copies of data, software/applications, and system configurations must be created on a regular basis, physically secured and backup processes tested periodically to protect against the loss of University data and to maintain business continuity.
The following table defines baseline security controls for backup and recovery of software/applications and system configurations.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.E.01 | For multi-user systems: Back up software and system configurations where needed for continuity | Required | Recommended | Optional |
| SDM.E.01 | For single-user systems: Back up software and system configurations where needed for continuity | Required Effective July 2019 | Recommended | Optional |
| SDM.E.02 | For multi-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of backups, physical storage, access to backups, and backup testing (suggest: annual) | Required | Recommended | Optional |
| SDM.E.02 | For single-user systems: Periodically review a backup and recovery plan and procedures including frequency, extent of backups, monitoring for successful completion of backups, physical storage, access to backups, and backup testing (suggest: annual) | Required Effective July 2019 | Recommended | Optional |
| SDM.E.03 | For multi-user system: Test for a successful backup and restoration following documented procedures (suggest: annual) | Required | Recommended | Optional |
| SDM.E.03 | For single-user system: Test for a successful backup and restoration following documented procedures (suggest: annual) | Required Effective July 2019 | Recommended | Optional |
Virus/Malware Protection
To protect University information and IT resources from viruses or other malicious code, anti-virus/malware software must be used to assist in preventing and detecting infections. Infections must be eradicated or quarantined. Virus/malware is a threat to the University network and not limited to a single system.
The following table defines the baseline security controls for virus/malware protection.
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.F.01 | Actively run anti-virus software on all systems commonly affected by malicious software (e.g., Windows, Mac) | Required | Required | Required |
| SDM.F.02 | Use current supported versions and definitions for anti-virus and virus filtering software (suggest: definitions updated within 1-7 days of release) | Required | Required | Required |
| SDM.F.03 | For multi-user systems: Enable anti-virus audit logs | Required | Recommended | Recommended |
| SDM.F.03 | For single-user systems: Enable anti-virus audit logs | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.F.04 | For systems not using anti-virus/malware software, evaluate the evolving virus/malware threats to assess whether system continues to not require anti-virus/malware software (suggest: annual) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
Physical Security
Systems to locate in a Protected Facility
The following table defines IT Resources that need to be located in a University approved protected facility (e.g., a data center, telecommunications room/closet).
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.G.01 | Multi-user systems (e.g., servers for file storage, application hosting, data processing) | Required | Required | Recommended |
For Devices
The following table defines baseline security controls for physical security of devices (e.g., laptop, tablet, mobile device, card swipe, point of sale terminal, medical device).
| Control | Security Level | |||
|---|---|---|---|---|
| ID | Description | High | Medium | Low |
| SDM.H.01 | Secure devices and other equipment when unattended (e.g., secure cabinet, safe, continuously locked facility)1 | Required Effective July 2019 | Recommended | Optional |
| SDM.H.02 | Secure devices and removable media when traveling (e.g., keep in your possession or locked in a secure location) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.H.03 | Position device display or monitor to limit viewing data | Required | Recommended | Recommended |
| SDM.H.04 | Use tamper resistant label on devices | Optional 2 | Optional | Optional |
| SDM.H.05 | Maintain a log that tracks placement or assignment of devices | Required Effective July 2019 | Recommended | Recommended |
| SDM.H.06 | Maintain a log of who has access to the secure storage location (e.g., locked closet) | Required Effective July 2019 | Required Effective July 2019 | Recommended |
| SDM.H.07 | Review and assess the physical security controls for devices (suggest: annual) | Optional 2 | Optional | Optional |
1 PCI DSS requires an anchoring device for card swipe devices not in storage.
2 PCI DSS requires this for all systems that store, process or transmit cardholder data, or support the credit card processing environment.
Resources Covered
This applies to IT resources owned or contracted by the University. This also applies to personally owned devices accessing, or authorized to store, University data designated as private-highly restricted or private-restricted.
Individuals Covered
This applies to University community members who use or manage University IT resources.
Related Information
- More information on Systems and Device Management
- How to use the information security standards
- See the Information Security policy appendices for additional information security standards that also apply to systems and device management.
Published Date
November 2014
Last Reviewed
April 2019