Division of Information Technology


Minimum Security Standards

The list of imaginable threats, and of possible countermeasures, is limitless. The resources available to address them are not. The University Information Security Office values practical, evidence-based solutions, and the Minimum Security Standards are the result of that practice.

Effective Date - 7/1/16

Read more about the minimum security standards methodology.

 

Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.

Each standard below lists the data classifications it applies to (Public & Internal Use, Confidential & Restricted Use), followed by what to do.

Anti-malware
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Stop dangerous software from running.
Option(s): Install anti-virus and configure it for regular scans and updates. Symantec Endpoint Protection (SEP) is recommended and available at no additional cost through Software Distribution.

Training
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Keep portable devices with you or locked up and out of sight. Never click on links or attachments from unexpected emails.
Option(s): Security awareness videos are recommended and available at no additional cost through Securing The Human.

Patching
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Install security updates for operating systems and applications within 30 days.
Option(s): BigFix. Available to System Administrators on Software Distribution. Alternatively, available as part of the DoIT Desktop SLA.

Monitoring
Applies to: Confidential & Restricted Use
Goal: Track critical file changes and event logs.
Option(s): OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf].

Encryption (at rest)
Applies to: Confidential & Restricted Use
Goal: Render sensitive data on stolen or lost devices unreadable.
Option(s): WinMagic SecureDoc. Open a ticket with Desktop Engineering (per these onboarding instructions [pdf] for System Administrators).

Backups
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Store important files in a redundant way.
Option(s): OneDrive for Business. Available at https://portal.office.com, following the quick start guide [pdf].

Data Loss Protection
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Reduce sensitive data to the absolute minimum.
Required: Install Spirion (Identity Finder), available at no additional cost through Software Distribution.
Implementation Deadline: 1 Dec 2017 [pdf]

Incident Response
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Speed up response and reduce downtime.
Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution.
Implementation Deadline: 1 Dec 2017 [pdf]

 

Servers

A server is defined as a host that provides a network accessible service.

Each standard below lists the data classifications it applies to (Public & Internal Use, Confidential & Restricted Use), followed by what to do.

Anti-malware
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Stop dangerous software from running.
Option(s): Install anti-virus and configure it for regular scans and updates. Symantec Endpoint Protection (SEP) is recommended and available at no additional cost through Software Distribution.

Training
Applies to: Confidential & Restricted Use
Goal: Attend training specific to secure server administration at least once every three years.
Option(s): SANS course recommended; vouchers are available at no additional cost through the Information Security Office.

Patching
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Install security updates within 30 days.
Option(s): BigFix. Available to System Administrators on Software Distribution.

Monitoring
Applies to: Confidential & Restricted Use
Goal: Check for unusual activity.
Required: Install OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf]. Perform reviews of access privileges and system logs at least quarterly.

MFA
Applies to: Confidential & Restricted Use
Goal: Place administrator access behind multi-factor authentication.
Option(s): DUO, available at no additional cost through DoIT.

Data Loss Protection
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Apply appropriate controls based on data sensitivity.
Required: Classify the system according to South Carolina’s guidance [doc]. Review publicly posted information at least quarterly. Review access privileges at least quarterly.

Incident Response
Applies to: Confidential & Restricted Use
Goal: Speed up response and reduce downtime.
Required: Install FireEye HX Endpoint Security, available at no additional cost through Software Distribution. Configure logs so that these events can be reconstructed: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification of account privileges; and modification of log settings.

 

Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

Each standard below lists the data classifications it applies to (Public & Internal Use, Confidential & Restricted Use), followed by what to do.

Training
Applies to: Confidential & Restricted Use
Goal: Attend training specific to secure administration of web applications at least once every three years.
Option(s): SANS course recommended; vouchers are available at no additional cost through the Information Security Office.

Patching
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Install security updates for the application, as well as any plugins, within 30 days.
Option(s): BigFix. Available to System Administrators on Software Distribution.

Monitoring
Applies to: Confidential & Restricted Use
Goal: Check for unusual activity.
Required: OSSEC. Open a ticket with the UISO, following the instructions for Windows [pdf] or Linux [pdf]. Configure OSSEC to receive application logs. Perform reviews of access privileges and system logs at least quarterly.

MFA
Applies to: Confidential & Restricted Use
Goal: Place user and administrator access behind multi-factor authentication.
Option(s): DUO is recommended and available at no additional cost through DoIT.

Account Lockouts
Applies to: Public & Internal Use; Confidential & Restricted Use
Goal: Deter brute-force and password-guessing attacks.
Option(s): Configure the application to lock user accounts after no more than 50 consecutive invalid login attempts (central authentication is typically configured for fewer).

Scanning & Penetration Testing
Applies to: Confidential & Restricted Use
Goal: Verify the application does not have any vulnerabilities.
Option(s): Use an automated scanning tool prior to deployment, after major updates, and at least annually (OWASP recommended tools). Use an independent, qualified provider to perform a penetration test at least annually.

Incident Response
Applies to: Confidential & Restricted Use
Goal: Speed up response and reduce downtime.
Required: Configure logs so that these events can be reconstructed: user logins (successful and unsuccessful); actions taken by individuals with root or administrator privileges; creation and deletion of accounts; modification of account privileges; and modification of log settings.
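An added check for the logging requirement that the Servers and Applications standards both state (example code written for this page, not the university's or OSSEC's own tooling): it classifies constructed Linux auth.log-style lines into the five event categories the standard names and reports which categories have no evidence in the sample. The regular expressions assume common sshd, sudo, shadow-utils and rsyslog/auditd message formats.

```python
import re

# The five event types the standard says logs must be able to reconstruct.
REQUIRED_EVENTS = (
    "user_login",          # successful and unsuccessful logins
    "privileged_action",   # actions taken with root/administrator privileges
    "account_lifecycle",   # creation and deletion of accounts
    "privilege_change",    # modification of account privileges
    "log_setting_change",  # modification of log settings
)

# Assumed message shapes for sshd, sudo, useradd/userdel, usermod/gpasswd
# and rsyslog/auditd; adjust to the formats your hosts actually emit.
PATTERNS = [
    ("user_login", re.compile(r"sshd\[\d+\]: (Accepted|Failed) \w+ for (invalid user )?\S+")),
    ("privileged_action", re.compile(r"sudo:\s+\S+ : .*COMMAND=")),
    ("account_lifecycle", re.compile(r"(useradd|userdel)\[\d+\]: (new user|delete user)")),
    ("privilege_change", re.compile(r"(usermod|gpasswd)\[\d+\]: add '\S+' to group '(sudo|wheel|admin)'")),
    ("log_setting_change", re.compile(r"(rsyslogd|auditd)\[\d+\]: .*(config|rules).*(changed|reloaded|loaded)")),
]

def classify(line):
    """Return the required-event category for one log line, or None if it is not one."""
    for category, pattern in PATTERNS:
        if pattern.search(line):
            return category
    return None

def coverage_report(lines):
    """Count lines per required category and list the categories that never appear."""
    counts = {c: 0 for c in REQUIRED_EVENTS}
    for line in lines:
        cat = classify(line)
        if cat:
            counts[cat] += 1
    missing = [c for c in REQUIRED_EVENTS if counts[c] == 0]
    return counts, missing

# Constructed sample lines (not real data) to exercise the check.
SAMPLE_LOG = """\
Mar  3 08:01:02 web1 sshd[1201]: Accepted publickey for alice from 10.0.0.5 port 5020 ssh2
Mar  3 08:01:09 web1 sshd[1202]: Failed password for invalid user admin from 10.0.0.9 port 5031 ssh2
Mar  3 08:02:15 web1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 08:03:40 web1 useradd[1300]: new user: name=bob, UID=1002, GID=1002, home=/home/bob, shell=/bin/bash
Mar  3 08:04:01 web1 usermod[1310]: add 'bob' to group 'sudo'
Mar  3 08:05:00 web1 CRON[1400]: (root) CMD (run-parts /etc/cron.hourly)
""".splitlines()

if __name__ == "__main__":
    counts, missing = coverage_report(SAMPLE_LOG)
    print("events seen:", counts)
    print("required categories with no evidence:", missing)
```

Running it over the sample shows four of the five categories present and flags that no log-setting changes were captured, which is exactly the gap a quarterly log review should surface.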