A server is defined as a host that provides a network-accessible service.
Follow the minimum security standards in the table below to safeguard your servers. A check mark in the "Recurring task" column means the control must be repeated on the stated schedule; the risk columns show which standards apply to servers at each risk classification.
| Standard | Recurring task | What to do | Low risk | Moderate risk | High risk |
|---|---|---|---|---|---|
| Patching | ✔ | Based on National Vulnerability Database (NVD) ratings, apply high-severity security patches within seven days of publication and all other security patches within 30 days. Use a supported OS version. | ✔ | ✔ | ✔ |
| Vulnerability Management | ✔ | Perform monthly vulnerability scans via the Enterprise Vulnerability Management System. Remediate Critical- and High-severity vulnerabilities within seven days of discovery and Medium-severity vulnerabilities within 90 days. | ✔ | ✔ | ✔ |
| Inventory | ✔ | Review and update records quarterly. Maximum of one node per record. | ✔ | ✔ | ✔ |
| Firewall | | Enable a host-based firewall in default-deny mode and permit only the minimum necessary services. | ✔ | ✔ | ✔ |
| Credentials and Access Control | ✔ | Review existing accounts and privileges quarterly. | ✔ | ✔ | ✔ |
| Two-Factor Authentication | | Require Duo two-factor authentication for all interactive user and administrator logins. Duo two-factor authentication is required for all local and remote authentications. | | ✔ | ✔ |
| Centralized Logging | | Forward logs to a remote log server. The University IT Splunk service is recommended. | | ✔ | ✔ |
| Security Training | ✔ | Complete annual Secure the Human training. | | ✔ | ✔ |
| Malware Protection & Intrusion Detection | ✔ | Deploy Symantec Endpoint Protection. Review alerts as they are received. | | ✔ | ✔ |
| Physical Protection | | Place system hardware in a data center. | | ✔ | ✔ |
| Dedicated Admin Workstation | | Access administrative accounts only through a Privileged Access Workstation (PAW). | | | ✔ |
| Security, Privacy, and Legal Review | | Request a Security, Privacy, and Legal review by the Information Security Officer and implement the recommendations prior to deployment. | | ✔ | ✔ |
| Regulated Data Security Controls | | Implement PCI DSS, HIPAA, FISMA, or export controls as applicable, per the Information Security Officer. | | | ✔ |