Draft Minimum Security Standards for Networked Devices

I. Purpose

The purpose of the Stevens Minimum Security Standards is to provide the information security standards necessary to comply with Stevens's Information Security Policy. These standards are mandatory requirements, and establish an effective baseline of appropriate system, administrative, and physical controls to apply to Data based upon its classification.

II Scope

This standard applies to all University data, defined as any information within its purview, including but not limited to, student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the administration of the University.

III Classification Levels

Restricted Data
Restricted data is the most sensitive information and requires the highest level of protection. This information is usually described as 'non-public information' about people and under the purview of a Data Custodian. Restricted data also includes data that Stevens is required to protect under regulatory or legal requirements. Examples include student or employee identifiable information (i.e., name, SSN, birth date, home address, etc.), medical records, legal records, student records, police records, and credit card information. Unauthorized disclosure of restricted information could result in adverse legal, financial or reputational impact upon the University.
Sensitive Data
Sensitive data is information that business units may share with other units outside their administrative control for the purpose of collaboration. This information is not information that meets the requirements of 'non-pubic' information. Examples include data created by the department, research data, and project data. Loss of this information could cause harm to the University's image or reputation, but would not necessarily violate existing laws or regulations.
Public Data
This information is suitable for public dissemination and is accessible to anyone in the world. Examples include public web pages, course listings, press releases, marketing brochures, etc. While the requirements for protection of public data are less than that of Restricted and Sensitive, sufficient controls must be maintained to protect unauthorized modification of data.

IV Standard

A Network

Control Standard	Restricted	Sensitive	Public
A network based Firewall shall be implemented that denies traffic from "untrusted" networks and hosts. Network traffic shall be limited to only those services and ports considered essential, unless exceptions to allow access to required services are requested and granted.	Required	Recommended	Not Applicable
Networks that house devices with restricted data shall be scanned for vulnerabilities on a regular schedule. Vulnerabilities detected shall be remediated in a timely manner. Additional Security detection tools (Intrusion Detection (IDS), File Integrity) should be considered in cases where a high degree of restricted data exists.	Required	Recommended	Recommanded

B Host

Servers that store or process restricted information are subject to the standards of this section. Departments servers are subject to compliance with these standards.

Control Standard	Restricted	Sensitive	Public
Devices that process or store restricted information shall be housed in a physically secure location, accessible to only those with a business purpose.	Required	Recommended	Recommended
Security updates and patches shall be applied in a timely manner, or automatically when possible. Computer system support must monitor for announced vulnerabilities in their hardware and software.	Required	Required	Required
Where possible, computer anti-virus shall be implemented, and updated in a timely manner, or automatically when possible.	Required	Required	Required
Where available, a host based firewall shall be implemented.	Required	Recommended	Recommended
Services and applications should be the minimum necessary to accomplish the required business functions. Passwords shall be changed from the vendor defaults. Systems should be âhardenedâ to a recognized standard, where available.	Required	Recommended	Recommended
Individual access to data shall be limited to only those needing access for legitimate purposes	Required	Recommended	Not Applicable
The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions	Required	Not Applicable	Not Applicable
Only secure (encrypted) transmission and storage shall be allowed, for all devices, including laptops and portable media.	Required	Recommended	Not Applicable
Devices processing or storing data shall log all significant security event information. Logs should be reviewed on a daily basis, and retained for a minimum of 1 year.	Required	Recommended	Recommended
Files shall be backed up and tested on a regular schedule, and stored in a secured location both on and off-site.	Required	Recommended	Not Required
Hardware, Software and data shall be securely disposed at the termination of business need.	Required	Recommended	Not Required

C User Accounts

Control Standard	Restricted	Sensitive	Public
A process shall be established to create and assign, maintain, and verify a unique system identifier (i.e. UserID) for each user.	Required	Recommended	Not Applicable
Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data.	Required	Recommended	Not Applicable

D Software Development

Control Standard	Restricted	Sensitive	Public
Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities.	Required	Recommended	Recommended

E Policy and Procedure

Control Standard	Restricted	Sensitive	Public
Each department processing or storing restricted data shall establish a security policy, and corresponding procedures to address the following. Computer Incident Response Computer Incident Reporting	Required	Recommended	Recommended
Each department processing or storing restricted information shall provide security awareness training (i.e. seminar, podcast, etc) on an annual basis.	Required	Recommended	Recommended

Glossary

Authentication: The process of identifying an individual, usually based on a username and password. In security systems, authentication is distinct from authorization, which is the process f giving individuals access to system objects based on their identity. Authentication merely ensures that the individual is who he or she claims to be, but says nothing about the access rights of the individual.

Availability: To ensure that the information remains accessible to authorized users.

Baseline Requirement: A baseline requirement is a requirement that represents a minimum security requirement from a body of minimum requirements. Baseline requirements are directed at maintaining a minimum level of security.

Baseline Control:A baseline control is a minimum security control.

Confidentiality: To ensuring that only authorized people have access to information.

Data Owner: Department head, manager or delegate within the University who has responsibility and authority for a particular set of information

"Hardened": The process of securing a system, which is done to protect systems against attackers.

Server(s): Computer systems engaged in providing data or services across the network.

User(s): Users are identified as all individuals who make use of Stevens Institute of Technology IT systems