A server is defined as a host that provides a network accessible service.
- Determine the risk level by reviewing the data, server, and application risk classification examples and selecting the highest applicable risk designation across all. For example, a server running a Low Risk application but storing High Risk Data is designated as High Risk.
- Follow the minimum security standards in the table below to safeguard your servers.
| Standards | Recurring Tasks | What to do | Low Risk | Medium Risk | High Risk |
|---|---|---|---|---|---|
| Patching | Apply security patches within seven days of publish. WSUS is recommended for Windows OS. Patch Management for Linux OS. Use a supported OS version. | ||||
| Vulnerability Management | Perform a monthly Nessus scan. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days. | ||||
| Inventory | Review and update network database quarterly. | ||||
| Credentials and Access Control | Review existing accounts and privileges quarterly. Enforce password complexity. Logins with NetID credentials via Kerberos recommended. | ||||
| Firewall | Enable host-based firewall in default deny mode and permit the minimum necessary services. | ||||
| Two-Step Authentication | Require Duo two-step authentication for all interactive user and administrator logins. | ||||
| Centralized Logging | Forward logs to a remote log server. UNM IT Splunk service recommended. | ||||
| SysAdmin Training | Attend at least one UNM Information Security Academy training course annually. | ||||
| Malware Protection | Deploy Symantec in high enforcement mode. Review alerts as they are received. | ||||
| Intrusion Detection | Deploy Cb Protection (formerly Bit9) on supported platforms, otherwise use OSSEC or Tripwire. Review alerts as they are received. | ||||
| Physical Protection | Place system hardware in a data center. | ||||
| Dedicated Admin Workstation | Access administrative accounts only through a Privileged Access Workstation (PAW). | ||||
| Security Privacy and Legal Review | Request a Security, Privacy, and Legal review and implement recommendations prior to deployment. | ||||
| Regulated Data Security Controls | Implement PCI DSS, HIPAA, FISMA, or Export Controls as applicable. | ||||
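The Patching and Vulnerability Management rows set fixed remediation windows (seven days from publish for security patches; seven days for severity 4 and 5 findings and 90 days for severity 3 findings from discovery). The script below, added here as an illustration and not part of the UNM standard or of any Nessus or WSUS tooling, turns those windows into deadline checks over a scan export. The `Finding` and `Patch` record layouts, the host names, patch identifiers and dates are constructed sample values, not a real Nessus schema or real data.

```python
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Dict, List, Optional, Tuple

# Remediation windows from the standards table, in days.
PATCH_WINDOW_DAYS = 7                                   # security patches: 7 days from publish
VULN_WINDOW_DAYS: Dict[int, int] = {5: 7, 4: 7, 3: 90}  # severity 4/5: 7 days; severity 3: 90 days


@dataclass(frozen=True)
class Finding:
    """One row of a monthly scan export (assumed layout, not a real Nessus schema)."""
    host: str
    plugin_name: str
    severity: int
    discovered: date


@dataclass(frozen=True)
class Patch:
    """A vendor security patch tracked per host (assumed layout)."""
    host: str
    patch_id: str
    published: date
    installed: Optional[date]  # None while the patch is still missing


def vuln_deadline(f: Finding) -> Optional[date]:
    """Remediation deadline, or None when the standard sets no window (severity 0-2)."""
    window = VULN_WINDOW_DAYS.get(f.severity)
    return None if window is None else f.discovered + timedelta(days=window)


def patch_deadline(p: Patch) -> date:
    """Latest acceptable install date: seven days after the vendor published it."""
    return p.published + timedelta(days=PATCH_WINDOW_DAYS)


def overdue_findings(findings: List[Finding], today: date) -> List[Tuple[Finding, int]]:
    """Findings still open past their deadline, with days overdue, worst first."""
    late = []
    for f in findings:
        deadline = vuln_deadline(f)
        if deadline is not None and today > deadline:
            late.append((f, (today - deadline).days))
    return sorted(late, key=lambda item: (-item[1], item[0].host))


def overdue_patches(patches: List[Patch], today: date) -> List[Tuple[Patch, int]]:
    """Patches installed late, or still missing past the window (measured against today)."""
    late = []
    for p in patches:
        deadline = patch_deadline(p)
        effective = p.installed if p.installed is not None else today
        if effective > deadline:
            late.append((p, (effective - deadline).days))
    return sorted(late, key=lambda item: (-item[1], item[0].host))


# Constructed sample data; hosts, plugin names and patch ids are placeholders.
SAMPLE_FINDINGS = [
    Finding("db01.example.edu", "SSH server outdated", 4, date(2024, 3, 1)),   # due 2024-03-08
    Finding("db01.example.edu", "TLS 1.0 enabled", 3, date(2024, 1, 2)),       # due 2024-04-01
    Finding("web02.example.edu", "HTTP TRACE enabled", 2, date(2023, 6, 1)),   # no window
    Finding("web02.example.edu", "Web server outdated", 5, date(2024, 3, 10)), # due 2024-03-17
]
SAMPLE_PATCHES = [
    Patch("db01.example.edu", "VENDOR-2024-0001", date(2024, 2, 20), date(2024, 2, 25)),  # on time
    Patch("db01.example.edu", "VENDOR-2024-0002", date(2024, 2, 20), date(2024, 3, 5)),   # 7 days late
    Patch("web02.example.edu", "VENDOR-2024-0003", date(2024, 3, 1), None),               # still missing
]


def run_sample(today: date = date(2024, 3, 15)):
    """Evaluate the constructed sample as of a fixed date so results are reproducible."""
    return overdue_findings(SAMPLE_FINDINGS, today), overdue_patches(SAMPLE_PATCHES, today)


if __name__ == "__main__":
    late_findings, late_patches = run_sample()
    for f, days in late_findings:
        print(f"{f.host}: severity {f.severity} '{f.plugin_name}' is {days} day(s) overdue")
    for p, days in late_patches:
        state = "installed late" if p.installed else "still missing"
        print(f"{p.host}: {p.patch_id} {state}, {days} day(s) past the window")
```

Running it as of 2024-03-15 reports one overdue severity 4 finding on db01 (seven days past its deadline) and two patch violations: one installed a week late and one not yet installed a week after its window closed. The severity 2 finding carries no deadline because the standard sets none, so it is never reported; a local policy that wants one can add an entry to `VULN_WINDOW_DAYS`.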

