Applicable To: Duke University
Legend: ✓ = yes; – = no
|
Standard |
What to do |
Public Data |
Restricted Data |
Sensitive Data |
|---|---|---|---|---|
|
Patching and Vulnerability Management |
Mitigate operating system and application vulnerabilities following the timelines established in Vulnerability Management Procedure. Use automated patching tools to apply operating system patches and, when possible, application patches. |
✓ |
✓ |
✓ |
|
Firewall |
Enable host-based firewall in default deny mode and permit the minimum necessary services. |
✓ |
✓ |
✓ |
|
Access Control |
Use centralized group management services with appropriate deprovisioning policies. When local accounts are needed, ensure requirements for account management are met. |
✓ |
✓ |
✓ |
| Administrative Account Access | Follow the principle of least privilege for use and assignment of privileges. | ✓ | ✓ | ✓ |
|
Multi-Factor Authentication |
Use multi-factor authentication for administrator logins and access to Sensitive systems. Multi-factor authentication is recommended for Public and Restricted systems and wherever practical. |
✓ |
✓ |
✓ |
|
Centralized Logging |
Forward logs to a remote log server. University IT Splunk service recommended. |
– |
✓ |
✓ |
|
Monitor for Security Updates |
Join and/or monitor security and IT lists and websites to receive notification of security updates for the operating system and application(s). |
– |
✓ |
✓ |
|
Malware Protection |
Install CrowdStrike Falcon software for malware and threat protection and ensure the CrowdStrike Falcon software maintains communication with the CrowdStrike Falcon management console. |
✓ |
✓ |
✓ |
|
Physical Protection |
Locate servers in an access-controlled environment and limit physical access. Log physical access for Sensitive systems. |
– |
✓ |
✓ |
|
Regulated Data Security Controls |
– |
– |
✓ | |
|
Equipment Disposal |
Overwrite data from hard drives before disposal of old equipment. See the Media Control and Disposal Policy. |
✓ |
✓ |
✓ |
|
Credentials and Access Control |
Configure servers to prohibit anonymous access. Set an account lockout policy (recommended: after five unsuccessful attempts followed by a five-minute lockout). Require password-protected screen savers, with a recommended 15-minute timer for inactivity. |
✓ |
✓ |
✓ |
|
Inventory |
Designate in Planisphere a support group that is responsible for the server's security configuration and complete and maintain the asset inventory information. |
✓ |
✓ |
✓ |
|
Software Security |
Install and use only operating systems and applications supported by the vendor (i.e. where security updates and patches are still available). If a browser is required to receive operating system updates, the browser must be fully supported. Uninstall or disable unnecessary operating systems, applications, browsers, and extensions. |
✓ |
✓ |
✓ |