Minimum Security Standards
- Minimum Standard
- Review for New Security Software and Appliances
This minimum standard serves as a enhancement to The Information Resources Security Operations Manual.
Having the following does not imply a completely secure system. Instead, these requirements should be integrated into a comprehensive system security plan.
This standard applies to all devices, physical or virtual, connected to the university network through a physical, wireless, or VPN connection where data is classified as Restricted, Sensitive or Public (see Data Classification Guidelines.
3. Minimum Standard
This section lists the minimum standards that should be applied and enabled in data systems that are connected to the university network.
IT owners and custodians are expected to use their professional judgment in managing risks to the information and systems they use and/or support. All security controls should be proportional to the confidentiality, integrity, and availability requirements of the data processed by the system.
- 1.1 System administrators should establish and follow a procedure to carry out regular system backups.
- 1.2 Backups must be verified at least monthly, either through automated verification, through customer restores, or through trial restores.
- 1.3 Systems administrators must maintain documented restoration procedures for systems and the data on those systems.
- 2.1 There must be a change control process for systems configuration. This process must be documented.
- 2.2 System changes should be evaluated prior to being applied in a production environment.
- Patches must be tested prior to installation in the production environment if a test environment is available.
- If a test environment is not available, the lack of patch testing should be communicated to the service subscriber or data customer, along with possible changes in the environment due to the patch.
Computer Virus Prevention
- 3.1 Anti-virus software must be installed and enabled.
- 3.2 Anti-spyware software must be installed and enabled if the machine is used by administrators to browse Web sites not specifically related to the administration of the machine. In addition, anti-spyware software must be installed if users are able to install software.
- 3.3 Anti-virus and, if applicable, anti-spyware software should be configured to update signatures daily.
- 3.4 Systems administrators should maintain and keep available a description of the standard configuration of anti-virus software.
- 4.1 Systems must be physically secured in racks or areas with restricted access. Portable devices shall be physically secured if left unattended.
- 4.2 Backup media must be secured from unauthorized physical access. If the backup media is stored off-site, it must be encrypted or have a documented process to prevent unauthorized access.
- 5.1 Systems must be set up in a protected network environment or by using a method that assures the system is not accessible via a potentially hostile network until it is secured.
- 5.2 Operating system and application services security patches should be installed expediently and in a manner consistent with change management procedures.
- 5.3 If automatic notification of new patches is available, that option should be enabled.
- 5.4 Services, applications, and user accounts that are not being utilized should be disabled or uninstalled.
- 5.5 Methods should be enabled to limit connections to services running on the host to only the authorized users of the service. Software firewalls, hardware firewalls, and service configuration are a few of the methods that may be employed.
- 5.6 Services or applications running on systems manipulating Category I data should implement secure (that is, encrypted) communications to ensure Category I data does not traverse the Internet in clear text.
- 5.7 Systems will provide secure (that is, encrypted) storage for Category I data as required by confidentiality and integrity needs.
- 5.8 If the operating system supports it, integrity checking of critical operating system files should be enabled and tested. Third-party tools may also be used to implement this.
- 5.9 Integrity checking of system accounts, group memberships, and their associated privileges should be enabled and tested.
- 5.10 The required university warning banner should be installed.
- 5.11 Whenever possible, all non-removable or (re-) writeable media must be configured with file systems that support access control.
- 5.12 Access to non-public file system areas must require authentication.
- 6.1 If the operating system comes with a means to log activity, enabling and testing of those controls is required.
- 6.2 Operating system and service log monitoring and analysis should be performed routinely. This process should be documented.
- 6.3 The systems administrator must follow a documented backup strategy for security logs (for example, account management, access control, data integrity, etc.). Security logs should retain at least 14 days of relevant log information (data retention requirements for specific data should be considered).
- 6.4 All administrator or root access must be logged.
4. Review for New Security Software and Appliances
Departments evaluating the implementation of new security software or appliances should request a security review by sending a written description of the proposed implementation to the User Support Services Department prior to selecting vendors or products.
University of Texas at Brownsville employees are required to comply with both institutional rules and regulations and applicable UT System rules and regulations. In addition to university and System rules and regulations, University of Texas at Brownsville employees are required to comply with state laws and regulations.