A server is defined as a host that provides a network-accessible service.

Follow the minimum security standards in the table below to safeguard your servers.


| Standard | Requirement |
| --- | --- |
| Patching | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publication and all other security patches within 30 days. Use a supported OS version. |
| Vulnerability Management | Perform monthly vulnerability scans via the Enterprise Vulnerability Management System. Remediate severity Critical and High vulnerabilities within seven days of discovery and severity Medium vulnerabilities within 90 days. |
| Inventory | Review and update records quarterly. Maximum of one node per record. |
| Firewall | Enable a host-based firewall in default deny mode and permit the minimum necessary services. |
| Credentials and Access Control | Review existing accounts and privileges quarterly. |
| Two-Factor Authentication | Require Duo two-factor authentication for all interactive user and administrator logins. Duo two-factor will be required for all local and remote authentications. |
| Centralized Logging | Forward logs to a remote log server. The University IT Splunk service is recommended. |
| Security Training | Complete annual Secure the Human Training. |
| Malware Protection & Intrusion Detection | Deploy Symantec Endpoint Protection. Review alerts as they are received. |
| Physical Protection | Place system hardware in a data center. |
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). |
| Security, Privacy, and Legal Review | Request a Security, Privacy, and Legal review by the Information Security Officer and implement recommendations prior to deployment. |
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, FISMA, or export controls as applicable per the Information Security Officer. |
