Child pages
  • Fredonia Minimum Security Standards: Applications

Need more help?

See the Quick Start Digital Tools for Students page

Contact the ITS Service Center:

(716) 673-3407
W203 Thompson Hall


An application is defined as software running on a server that is remotely accessible, including mobile applications.

Follow the minimum security standards in the table below to safeguard your applications.


PatchingBased on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days. Use a supported version of the application.
Vulnerability ManagementPerform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
InventoryMaintain a list of applications and the associated risk classifications and data volume estimates. Review and update records quarterly.
Firewall Permit the minimum necessary services through the network firewall.
Credentials and Access ControlReview existing accounts and privileges quarterly. Enforce password complexity. Logins with Fredonia eServices account (Single Sign On) is recommended.
Two-Step Authentication Require Duo two-step authentication for all interactive user and administrator logins. (As available) 
Centralized Logging Forward logs to a remote log server. University IT Splunk service recommended. 
Secure Software Development Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. 
Backups Back up application data at least weekly. Encrypt backup data in transit and at rest. 
Dedicated Admin Workstation Access administrative accounts only via a Privileged Access Workstation (PAW).  
Security, Privacy, and Legal Review Request a Security, Privacy, and Legal review and implement recommendations prior to deployment.  
Regulated Data Security Controls Implement PCI DSS, HIPAA, FISMA, or export controls as applicable.  

Short URL to this page: