An application is defined as software running on a server that is remotely accessible, including mobile applications.
- Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all. For example, an application providing access to Low Risk Data but running on a High Risk server is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your applications.
| Standards | Recurring Tasks | What to do | Low Risk | Medium Risk | High Risk |
|---|---|---|---|---|---|
| Patching | | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publication and all other security patches within 90 days. Use a supported version of the application. | | | |
| Vulnerability Management | | Perform a monthly Qualys application scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | | | |
| Inventory | | Maintain a list of applications with their associated risk classifications and data volume estimates. Review and update records quarterly. | | | |
| Credentials and Access Control | | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with UNM NetID credentials via WebAuth/SAML recommended. | | | |
| Firewall | | Permit the minimum necessary services through the network firewall. | | | |
| Two-Step Authentication | | Require Duo two-step authentication for all interactive user and administrator logins. | | | |
| Centralized Logging | | Forward logs to a remote log server. UNM IT Splunk service recommended. | | | |
| Secure Software Development | | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. | | | |
| Developer Training | | Attend at least one UNM Information Security Academy training course annually. | | | |
| Backups | | | | | |
| Dedicated Admin Workstation | | Access administrative accounts only via a Privileged Access Workstation. | | | |
| Security, Privacy, and Legal Review | | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | | | |
| Regulated Data Security Controls | | Implement PCI DSS, HIPAA, FISMA, or Export Controls as applicable. | | | |

