Applicable To: Duke University

Legend: ✓ = yes; – = no

Standard

What to do

Public Data

Restricted Data

Sensitive Data

Patching and Vulnerability Management

Mitigate operating system and application vulnerabilities following the timelines established in the Vulnerability Management Procedure. Use automated patching tools to apply operating system patches and, when possible, application patches.

Firewall

Enable host-based firewall in default deny mode and permit the minimum necessary services.

Access Control

Use centralized group management services with appropriate deprovisioning policies. When local accounts are needed, ensure requirements for account management are met. 

Administrative Account Access

Follow the principle of least privilege for use and assignment of privileges.

Multi-Factor Authentication

Use multi-factor authentication for administrator logins and access to Sensitive systems. Multi-factor authentication is recommended for Public and Restricted systems and wherever practical. 

Centralized Logging

Forward logs to a remote log server. The University IT Splunk service is recommended.

Monitor for Security Updates

Join and/or monitor security and IT lists and websites to receive notification of security updates for the operating system and application(s).

Malware Protection

Install CrowdStrike Falcon software for malware and threat protection and ensure the CrowdStrike Falcon software maintains communication with the CrowdStrike Falcon management console.

Physical Protection

Locate servers in an access-controlled environment and limit physical access. Log physical access for Sensitive systems.

Regulated Data Security Controls

Implement PCI DSS, HIPAA, or export controls as applicable.

Equipment Disposal

Overwrite data from hard drives before disposal of old equipment. See the Media Control and Disposal Policy.

Credentials and Access Control

Configure servers to prohibit anonymous access. Set an account lockout policy (recommended: after five unsuccessful attempts followed by a five-minute lockout). Require password-protected screen savers, with a recommended 15-minute timer for inactivity.

Inventory

Designate in Planisphere a support group that is responsible for the server's security configuration and complete and maintain the asset inventory information.

Software Security

Install and use only operating systems and applications supported by the vendor (i.e. where security updates and patches are still available). If a browser is required to receive operating system updates, the browser must be fully supported. Uninstall or disable unnecessary operating systems, applications, browsers, and extensions.