Versions Compared



  1. Follow the minimum security standards in the table below to safeguard your servers.


Where the two compared revisions of the table differ, the other revision's wording is given in parentheses.

Patching: Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish and all other security patches within 90 days (other revision: 30 days). Use a supported OS version.

Vulnerability Management: Perform a monthly Qualys scan (other revision: monthly vulnerability scans via the Enterprise Vulnerability Management System). Remediate severity 4 and 5 (other revision: Critical and High) vulnerabilities within seven days of discovery and severity 3 (other revision: Medium) vulnerabilities within 90 days.

Inventory: Review and update NetDB and SUSI records quarterly (other revision: update records quarterly). Maximum of one node per NetDB record.

Firewall: Enable a host-based firewall in default deny mode and permit only the minimum necessary services.

Credentials and Access Control: Review existing accounts and privileges quarterly. Enforce password complexity. Logins with SUNet credentials via Kerberos are recommended.

Two-Step Authentication: Require Duo two-step authentication for all interactive user and administrator logins. (The other revision, titled Two-Factor Authentication, reads: Duo two-factor will be required for all local and remote authentications.)

Centralized Logging: Forward logs to a remote log server. The University IT Splunk service is recommended.

Sysadmin Security Training: Attend at least one Stanford Information Security Academy training course annually (other revision: complete annual Secure the Human training).

Malware Protection and Intrusion Detection: Deploy Cb Protection (formerly Bit9) in high enforcement mode (other revision: deploy Symantec Endpoint Protection). Review alerts as they are received.

Intrusion Detection (separate row in the other revision): Deploy Cb Protection (formerly Bit9) on supported platforms, otherwise use OSSEC or Tripwire. Review alerts as they are received.

Physical Protection: Place system hardware in a data center.

Dedicated Admin Workstation: Access administrative accounts only through a Privileged Access Workstation (PAW).

Security, Privacy, and Legal Review: Request a Security, Privacy, and Legal review (other revision: a review by the Information Security Officer) and implement the recommendations prior to deployment.

Regulated Data Security Controls: Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer.
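The Firewall row requires default deny with only the minimum necessary services permitted. The following shell script is an added example and is not part of the Stanford standards page: it generates an nftables ruleset that drops all inbound and forwarded traffic except loopback, established connections, a few ICMP types, SSH from an assumed admin network, and the TCP ports you list, and it includes an audit function that checks a ruleset file for drop policies on the input and forward base chains. The admin network 10.0.0.0/8, the port choices and the file name are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not from the Stanford standards page: generate a host-based
# nftables ruleset that is default deny on inbound traffic and permits only the
# listed services, plus an audit that verifies a ruleset file actually has drop
# policies. Assumptions (mine): Linux with nftables; SSH is reachable only from
# the admin network given as the first argument; further arguments are TCP ports
# exposed to everyone.

# gen_ruleset ADMIN_CIDR [TCP_PORT...]  -> prints the ruleset text to stdout
gen_ruleset() {
    admin_net="$1"; shift
    cat <<EOF
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        ip protocol icmp icmp type { echo-request, destination-unreachable, time-exceeded } accept
        ip6 nexthdr icmpv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert, destination-unreachable, packet-too-big, time-exceeded, parameter-problem } accept
        ip saddr ${admin_net} tcp dport 22 accept
EOF
    for port in "$@"; do
        printf '        tcp dport %s accept\n' "$port"
    done
    cat <<'EOF'
        limit rate 5/minute log prefix "nft-input-drop: "
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
EOF
}

# audit_default_deny FILE -> exit 0 if every input/forward base chain has
# "policy drop", otherwise print the offending chains and exit 1. Run it against
# /etc/nftables.conf or against "nft list ruleset" output before trusting a host.
audit_default_deny() {
    awk '
        /^[[:space:]]*chain[[:space:]]+[^[:space:]{]+/ { chain = $2 }
        /type[[:space:]]+filter[[:space:]]+hook[[:space:]]+(input|forward)/ {
            if ($0 !~ /policy[[:space:]]+drop/) {
                print "chain " chain ": base-chain policy is not drop"
                bad++
            }
        }
        END { exit (bad ? 1 : 0) }
    ' "$1"
}

# Stand-alone demo: write a ruleset allowing HTTPS, then audit it.
# Apply on a real host with: nft -f /etc/nftables.conf
gen_ruleset 10.0.0.0/8 443 > nftables.conf.example
audit_default_deny nftables.conf.example && echo "nftables.conf.example: default deny OK"
```

The audit deliberately inspects the text rather than trusting the generator, so it can also be pointed at the output of `nft list ruleset` on a running server to catch a chain someone later switched to `policy accept`. The output chain is left at accept here; tighten it too if the standard's spirit (minimum necessary services) is applied to egress.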

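The Patching and Vulnerability Management rows set remediation windows by NVD rating. The script below is an added example, not part of the Stanford standards page, showing how a sysadmin can turn those windows into an automated overdue check over a scan export. It assumes (my assumption, not the page's) a CSV export of the form host,finding,cvss3_base,discovered_epoch, buckets scores with the NVD CVSS v3 ranges (Critical 9.0 and above, High 7.0 to 8.9, Medium 4.0 to 6.9, Low below 4.0), and applies seven days to Critical/High, 90 days to Medium, and no fixed window to Low. The sample findings are constructed placeholders, not real vulnerabilities.

```shell
#!/bin/sh
# Added example, not from the Stanford standards page: check a vulnerability scan
# export against the remediation windows above. Assumptions (mine): CSV lines of
# "host,finding,cvss3_base,discovered_epoch"; NVD CVSS v3 severity ranges;
# windows of 7 days (Critical/High), 90 days (Medium), none (Low).

# Constructed sample export; the finding IDs are placeholders, not real CVEs.
SAMPLE_FINDINGS='web01,F-1,9.8,1700000000
web01,F-2,7.5,1700000000
db01,F-3,5.3,1700000000
db01,F-4,3.1,1700000000'

# sla_report NOW_EPOCH < export.csv
# Prints one line per finding with its severity bucket, days open, window and
# status, then a final "overdue=N" summary line.
sla_report() {
    awk -F, -v now="$1" '
        function severity(score) {
            if (score >= 9.0) return "Critical"
            if (score >= 7.0) return "High"
            if (score >= 4.0) return "Medium"
            if (score > 0)    return "Low"
            return "None"
        }
        function window_days(sev) {
            if (sev == "Critical" || sev == "High") return 7
            if (sev == "Medium") return 90
            return -1          # no fixed window for Low/None
        }
        NF >= 4 && $3 ~ /^[0-9.]+$/ && $4 ~ /^[0-9]+$/ {
            sev = severity($3 + 0)
            days_open = int((now - $4) / 86400)
            limit = window_days(sev)
            if (limit < 0)              status = "untracked"
            else if (days_open > limit) { status = "OVERDUE"; overdue++ }
            else                        status = "within-window"
            printf "%s %s %s open=%dd window=%s %s\n", $1, $2, sev, days_open,
                   (limit < 0 ? "none" : limit "d"), status
        }
        END { print "overdue=" overdue + 0 }
    '
}

# sla_overdue_count NOW_EPOCH < export.csv -> prints only the overdue count,
# suitable for a cron job that pages when the count is non-zero.
sla_overdue_count() {
    sla_report "$1" | sed -n 's/^overdue=//p'
}

# Stand-alone demo: evaluate the sample ten days after discovery. The Critical
# and High findings are past their seven-day window; the Medium one is not.
printf '%s\n' "$SAMPLE_FINDINGS" | sla_report 1700864000
```

For a real export, replace the sample with `cat scan.csv | sla_report "$(date +%s)"`; the awk code uses only POSIX features so it runs unchanged under mawk, gawk and busybox awk.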