Minimum Security Standard: Applications

Standard | What to do
Patching | Systems that store, process, or access Sensitive data must be patched within two weeks of a security update that addresses a Critical or High vulnerability becoming available. Systems that store, process, or access Restricted or Public data must be patched within four weeks of such an update becoming available.
Vulnerability Management | ITSO conducts monthly scans, which may uncover vulnerabilities on hosts or applications. Departments should use Security Center to identify and remediate vulnerabilities. Remediate Critical and High vulnerabilities within 14 days. Do not block ITSO's vulnerability scanners.
Firewall | Permit only the minimum necessary services through any departmental network firewalls and host-based protections.
Credentials and Access Control | Review existing accounts and privileges annually. Enforce password complexity. Web application logins must use SAML-based single sign-on rather than application-local credentials.
Two-Step Authentication | Require multi-factor authentication for all administrator logins (PRS, i.e., applications handling Public, Restricted, or Sensitive data) and for interactive users of applications handling Restricted or Sensitive data (RS).
Centralized Logging | Forward logs to a remote log server. The University IT Splunk service is recommended.
Secure Software Development | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools is recommended.
Monitor for Application Security Updates | Join and monitor the relevant security and development mailing lists to receive notification of updates.
Backups | Regular, encrypted backups are recommended. Note that not all Sensitive or Restricted application data is permitted to be backed up.
Administrative Account Access | Use separate administrative and personal accounts. Manage shared (group) passwords with a password manager.
Security Review | Request a Vendor Risk Assessment prior to signing a contract, or renewing an unreviewed contract, with a vendor.
Regulated Data Security Controls | Implement PCI DSS, HIPAA, or export control requirements as applicable.


Document Type: 
Standard
Applicable To: 
Duke University