Minimum Security Standards for Systems

This page lists the minimum standards to be applied and enabled in Category I,II, III data systems that are connected to the UNTHSC network. Standards for Category I data are generally required.
If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a security exception report must be filed.
IT Owners and IT Custodians, lead researchers, and/or systems administrators are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.
  1. Determine the risk level by reviewing the data types and selecting the highest applicable risk designation across all. For example, a system storing Category III data but utilized to access an application accessing Category I data is designated as a Category I system.
  2. Follow the minimum security standards below to protect your systems.

♻   : A recurring task; this should be automated when possible
👍   : Recommended
✔   : Required

Control Category What to Do
Recurring
Category III Category II Category I

Backups

System administrators should establish and follow a procedure to carry out regular system backups.

👍

👍

Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.

👍

👍

Systems administrators must maintain documented restoration procedures for systems and the data on those systems.

👍

👍

Change Management

There must be a change management process for systems configuration. This process must be documented.

👍

👍

System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available.

If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch.

👍

👍

System administrators should establish and follow a procedure to carry out regular system backups.

👍

👍

Systems administrators must maintain documented restoration procedures for systems and the data on those systems.

Anti-Malware/Antivirus Protection

Anti-virus software must be installed and enabled.  Example:  McAfee Endpoint Protection

Install and enable anti-spyware software. If the machine is used by administrators to browse Web sites not specifically related to the administration of the machine, which is not recommended, installing and enabling anti-spyware software is required.  Example:  McAfee Endpoint Protection

👍

👍

👍

Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily.

Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.

👍

👍

Physical Access

Systems acting as servers must be physically located in an authorized UNTHSC Data Center, or, with an approved security exception request , a physically secured area with restricted access. All other systems, including portable devices, must be physically secured if left unattended.

👍

👍

Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access.

👍

👍

System Hardening

Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured.

Example:

  • Keep the host offline until you have your firewall configured to block inbound traffic by default, and restrict remote access services (VNC, RDP, etc.) to authorized campus-only networks and the campus VPN, or
  • Connect the host to a network protected by a SOHO firewall or router configured to block inbound traffic by default, and restrict remote access services (VNC, RDP, etc.) to authorized campus-only networks and the campus VPN

👍

👍

Operating system and application services security patches should be installed expediently (e.g., 30-days) and in a manner consistent with change management procedures. Products that no longer receive security updates from the vendor (e.g., unsupported) are not authorized.

Enable automatic notification of new patches if possible.

Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.

👍

👍

Limit connections to services to only the authorized users of the service.  Examples: A configured host-based firewall is required for all systems handling Confidential data.  Software firewalls, hardware firewalls, and service configuration for all other systems.

👍

👍

Services or applications running on systems manipulating Confidential data should implement encrypted communications as required by confidentiality and integrity needs. (See Data Encryption Guidelines .)

👍

👍

Systems will provide secure storage for Confidential data. Security can be provided by means such as, but not limited to, encryption (see Data Encryption Guidelines ), access controls, file system audits, physically securing the storage media, or any combination thereof as deemed appropriate.

Examples:

Windows: Bitlocker

Mac: FileVault 2

Linux: LUKS Encryption

Mobile: See Approved Encryption Methods for Handhelds

👍

👍

If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.  Examples:

Windows: Using File System Checker in Windows 10 , SFC

Linux: Checking Integrity with AIDE

👍

👍

Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.

👍

👍

The required university warning banner should be installed.

Examples:

Windows: Group policy – UNT System AUP Logon Banner

Linux: Message of the Day

👍

👍

Whenever possible, all non-removable or (re-) writable media must be configured with file systems that support access control.

👍

👍

Access to non-public file system areas must require authentication.

Enforce password complexity requirements per the UNT System Information Security Handbook or more restrictive institutional policies

Apply the principle of least privilege to user, admin, and system accounts. Administrative accounts must not be used as a primary user account or for non-administrative purposes.

Examples:

Windows:

Implementing Least-Privilege Administrative Models

Unix:

Best Practices for Simple,Effective Unix/Linux Least Privilege Policies

👍

👍

Follow Data Security Standards for Data Ownership for storage of data.

Security Monitoring

If the operating system comes with a means to log activity, enabling and testing of those controls is required.

👍

👍

Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.

👍

👍

The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered).  Note: This is required for all servers, regardless of data classification.

👍

👍

All administrator or root access must be logged.

👍

👍

Vulnerability Management

Add credentials for ISO vulnerability scanning on the system if system is not domain joined.

 

👍

👍

Share patch logs with the ISO via log shipping or system reporting that include:

  1. When the patch was available for download
  2. When it was applied
  3. When the host was rebooted if the patch required a reboot
  4. (Optional but preferred) What CVE the patch is addressing

Examples:

  • SCCM

 

👍

👍

Review your monthly vulnerability report or assigned remediation tickets. Remediate vulnerabilities with published exploits or malware kits within 14 days of discovery and other vulnerabilities within 90 days.

👍

👍

Regulated Data Security Controls

Implement  PCI DSS ,  HIPAA , or  export  controls as applicable

Mission-critical Systems

Implement additional controls for all mission-critical systems.

Software Applications

Software applications designed to handle or manage university data that are being developed or administered by faculty, staff, student employees, contractors, and vendors must implement additional controls .