
Minimum Security Standard for Systems

Revised 07/31/2013

These minimum standards serve as a supplement to the SCU Data Classification Standard. Adherence to the standards will increase the security of systems (servers, workstations, laptops, mobile devices) and help safeguard university information.

These minimum standards exist in addition to all other university policies and federal and state regulations governing the protection of the university's data.
Compliance with these requirements does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan.

Scope:

Applies to all students, faculty, staff, contractors, consultants, temporary employees, guests, volunteers and all other entities or individuals with access to confidential information through Santa Clara Univ. or its affiliates. This policy applies to all university information resources, including those used by the university under license or contract. These standards apply to all devices, physical or virtual, connected to SCU's network through a physical, wireless, or VPN connection where data is classified as Level One, Two, or Three (see Data Classification Standard).

Responsible Party:

Information Security Office

Procedure:

Stewards, Users, Managers, Information Service Providers (as defined in the SCU Administrative User Standard), and lead primary investigators are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed or stored by the system.

This section lists the minimum standards that should be applied and enabled in Level One, Two, and Three systems that are connected to the university network. Standards for Level One are generally required.

If products are not available from reputable commercial or reliable open source communities for a specific requirement, then the specific requirement is waived until an appropriate solution is available. In such cases a Policy Exception and Risk Assumption request shall be filed.

Backups:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 1.1 | System administrators should establish and follow a procedure to carry out regular system backups. | Required | Recommended |
| 1.2 | Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores. | Required | Recommended |
| 1.3 | Systems administrators must maintain documented restoration procedures for systems and the data on those systems. | Required | Recommended |

Change Management:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 2.1 | There must be a change control process for systems configuration. This process must be documented. System changes should be evaluated prior to being applied in a production environment. Patches must be tested prior to installation in the production environment if a test environment is available. | Required | Recommended |
| 2.2 | If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch. | Required | Recommended |

Computer Virus Prevention:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 3.1 | Anti-virus software must be installed and enabled. | Required | Required |
| 3.2 | Anti-spyware software must be installed and enabled if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed and enabled if users are able to install software. | Required | Required |
| 3.3 | Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily. | Required | Required |
| 3.4 | Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software. | Required | Recommended |

Physical Access:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 4.1 | Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended. | Required | Recommended |
| 4.2 | Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access. | Required | Recommended |

System Hardening:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 5.1 | Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured. | Required | Required |
| 5.2 | Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures. If automatic notification of new patches is available, that option must be enabled. | Required | Required |
| 5.3 | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | Required |
| 5.4 | Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed. | Required | Recommended |
| 5.5 | Services or applications running on systems manipulating Level One data should implement secure (that is, encrypted) communications as required by confidentiality and integrity needs. | Required | Recommended |
| 5.6 | Systems will provide secure storage for Level One data as required by confidentiality, integrity, and availability needs. Security can be provided by means such as, but not limited to, encryption, access controls, filesystem audits, physically securing the storage media, or any combination thereof as deemed appropriate. | Required | Recommended |
| 5.7 | If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this. | Required | Recommended |
| 5.8 | Services, applications, and user accounts that are not being utilized should be disabled or uninstalled. | Required | Recommended |
| 5.9 | Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested. | Required | Recommended |
| 5.10 | The required university warning banner should be installed. | Required | Recommended |
| 5.11 | Whenever possible, all non-removable or (re-)writeable media must be configured with file systems that support access control. | Required | Recommended |
| 5.12 | Access to non-public file system areas must require authentication. | Required | Recommended |
| 5.13 | Strong password requirements shall be enabled. | Required | Required |
| 5.14 | Apply the principle of least privilege to user, administrator, and system accounts. | Required | Recommended |

Security Monitoring:

| # | Practice | Level 1 | Levels 2 & 3 |
|---|---|---|---|
| 6.1 | If the operating system comes with a means to log activity, enabling and testing of those controls is required. | Required | Recommended |
| 6.2 | Operating system and service log monitoring and analysis should be performed routinely. This process should be documented. | Required | Recommended |
| 6.3 | The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered). | Required | Recommended |
| 6.4 | All administrator or root access must be logged. | Required | Recommended |

Security Review for New Security Software and Appliances:

Departments evaluating the implementation of new security software or appliances, involving Level One data, should request a security review by sending a written description of the proposed implementation to the Information Security Office prior to selecting vendors or products. Security reviews tend to be informal and can often be performed quickly, while ensuring that best practices are being considered.

Non-Compliance and Exceptions:

If any of the minimum standards contained within this document cannot be met on systems manipulating Level One or Level Two data, an Information Security Exception and Risk Assumption Request shall be filed, along with a plan for risk assessment and management. Non-compliance with these standards may result in revocation of system or network access, notification of supervisors, expulsion, termination of employment, and possible civil and/or criminal prosecution to the full extent of the law.

Related SCU Policies and Procedures:

Be familiar with the approved practices and standards listed here which inform the system hardening procedures described in this document. (This is not an all-inclusive list of approved practices and standards that affect information technology resources.)

Portions Adapted with Permission from the University of Texas at Austin.