Minimum Security Standards and Risk Classification for IT Staff

To use the following procedures, first determine the risk level by reviewing the data classification policy and selecting the highest applicable risk designation.

Minimum Security Standards

Standards | Recurring Task | What to do | Low Risk | Moderate Risk | High Risk
Patching | | Apply security patches either automatically or within the time limit. | | |
Whole Disk Encryption | | Enable appropriate technology, e.g., BitLocker (Windows), FileVault (OSX), Unix or mobile-specific encryption. | | |
Malware Protection | | Install antivirus. | | |
Access Control | | Integrate device into AD or Shibboleth as appropriate, otherwise implement UB Password Policy. | | |
Firewall | | Enable host-based firewall in default deny inbound mode and only permit necessary services. | | |
Backups | | Back up data at least daily using Spectrum Protect (Tivoli) or UBbox. | | |
Inventory | | Register device in Lansweeper (or dept-provided tool). | | |
Vulnerability Management | | Register for Nexpose scanning service. | | |
Centralized Logging | | Forward logs to central logging service. | | |
End User Security Training | | Enroll in UB EDGE training. | | |
Intrusion Detection | | Enroll in UB EDGE training. | | |
Physical Protection | | Place device in a datacenter or controlled location. | | |
Security Assessment | | Request a review by the Information Security Office. | | |

Risk Classification

Service | Low Risk | Moderate Risk | High Risk: Non-ePHI [1] | High Risk: ePHI [2]
Audio and Video Conferencing: Zoom
Backups: Central Backups
Calendar: Microsoft Exchange
Cloud Infrastructure: Self-Selected (No official cloud partner yet)
Content Management: UBCMS
Content Management: Drupal, WordPress
Database Hosting: MSSQL, Oracle, MySQL
Document Management: UBbox
Document Management: UBFS (CIFS, NFS)
Document Management: Dropbox, Google Docs, Google Drive, Office 365 OneDrive
Document Imaging: ImageNOW
Electronic Signature: AdobeSign, DocuSign
Email: UBmail for students
Email: UBmail for faculty and staff
Email: Personal Email Services
Encryption: BitLocker, FileVault, PGP WDE
Instant Messaging: Jabber
Issue Tracking: RemedyForce
Shared Computing: UBVCL
Voice Messaging (VOIP)
Web Programming Environment (OpenShift)
Wiki: Confluence

[1] Payment Card Industry (PCI) data has special requirements that preclude using the services above. Contact Financial Management for assistance with handling this type of data.

[2] Protected Health Information (PHI) data has special regulatory requirements that govern using the services above. Contact the ISO for assistance handling this type of data.