The purpose of the Stevens Minimum Security Standards is to provide the information security standards necessary to comply with Stevens's Information Security Policy. These standards are mandatory requirements, and establish an effective baseline of appropriate system, administrative, and physical controls to apply to Data based upon its classification.
This standard applies to all University data, defined as any information within its purview, including but not limited to, student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University.
III Classification Levels
Restricted data is the most sensitive information and requires the highest level of protection. This information is usually described as 'non-public information' about people and is under the purview of a Data Custodian. Restricted data also includes data that Stevens is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (e.g., name, SSN, birth date, home address), medical records, legal records, student records, police records, and credit card information. Unauthorized disclosure of restricted information could result in adverse legal, financial, or reputational impact upon the University.
Sensitive data is information that business units may share with other units outside their administrative control for the purpose of collaboration. This information does not meet the definition of 'non-public' information. Examples include data created by the department, research data, and project data. Loss of this information could cause harm to the University's image or reputation, but would not necessarily violate existing laws or regulations.
Public data is information that is suitable for public dissemination and is accessible to anyone in the world. Examples include public web pages, course listings, press releases, marketing brochures, etc. While the requirements for protecting public data are less stringent than those for Restricted and Sensitive data, sufficient controls must be maintained to protect against unauthorized modification of the data.
A network-based firewall shall be implemented that denies traffic from "untrusted" networks and hosts.
Network traffic shall be limited to only those services and ports considered essential, unless exceptions to allow access to required services are requested and granted.
Networks that house devices with restricted data shall be scanned for vulnerabilities on a regular schedule. Vulnerabilities detected shall be remediated in a timely manner.
- Additional security detection tools (Intrusion Detection (IDS), File Integrity) should be considered in cases where a high degree of restricted data exists.
Servers that store or process restricted information are subject to the standards of this section. Departmental servers are likewise subject to compliance with these standards.

| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| Devices that process or store restricted information shall be housed in a physically secure location, accessible to only those with a business purpose. | Required | Recommended | Recommended |

Security updates and patches shall be applied in a timely manner, or automatically when possible.
Computer system support must monitor for announced vulnerabilities in their hardware and software.

| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| Where possible, computer anti-virus shall be implemented, and updated in a timely manner, or automatically when possible. | Required | Required | Required |
| Where available, a host-based firewall shall be implemented. | Required | Recommended | Recommended |

Services and applications should be the minimum necessary to accomplish the required business functions.
- Passwords shall be changed from the vendor defaults.
- Systems should be "hardened" to a recognized standard, where available.

| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| Individual access to data shall be limited to only those needing access for legitimate purposes. | Required | Recommended | Not Applicable |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
| Only secure (encrypted) transmission and storage shall be allowed, for all devices, including laptops and portable media. | Required | Recommended | Not Applicable |
| Devices processing or storing data shall log all significant security event information. Logs should be reviewed on a daily basis, and retained for a minimum of 1 year. | Required | Recommended | Recommended |
| Files shall be backed up and tested on a regular schedule, and stored in a secured location both on and off-site. | Required | Recommended | Not Required |
| Hardware, software, and data shall be securely disposed of at the termination of business need. | Required | Recommended | Not Required |
C User Accounts
| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| A process shall be established to create and assign, maintain, and verify a unique system identifier (i.e., UserID) for each user. | Required | Recommended | Not Applicable |
| Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data. | Required | Recommended | Not Applicable |
D Software Development
| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities. | Required | Recommended | Recommended |
E Policy and Procedure
Each department processing or storing restricted data shall establish a security policy, and corresponding procedures to address the following:
- Computer Incident Response
- Computer Incident Reporting

| Requirement | Restricted | Sensitive | Public |
|---|---|---|---|
| Each department processing or storing restricted information shall provide security awareness training (e.g., seminar, podcast, etc.) on an annual basis. | Required | Recommended | Recommended |
Authentication: The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process of giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.
Availability: To ensure that the information remains accessible to authorized users.
Baseline Requirement: A baseline requirement is a minimum security requirement drawn from a body of minimum requirements. Baseline requirements are directed at maintaining a minimum level of security.
Baseline Control: A baseline control is a minimum security control.
Confidentiality: To ensure that only authorized people have access to information.
Data Owner: Department head, manager, or delegate within the University who has responsibility and authority for a particular set of information.
"Hardened": The process of securing a system, which is done to protect systems against attackers.
Server(s): Computer systems engaged in providing data or services across the network.
User(s): All individuals who make use of Stevens Institute of Technology IT systems.