Boise State University Minimum Security Standards for Systems
This document specifies the details of minimum security standards as referred to by policies
- 8020 Server Administration
- 8030 Desktop, Laptop, and Tablet PC Computing Standards
- 8060 Information Privacy and Data Security
These standards apply to all users and devices, physical or virtual, connected to Boise State’s network or managed cloud services through a physical, wireless, or VPN. The standards vary based on the type of data stored on the device and are classified using the University Data Classification Standard.
All users and administrators are required to complete the annual state provided security training.
All university owned computers connected to the network must be configured and tied back to the OIT centralized patch management systems for action, reporting, and alerts. Mobile devices must be configured to receive automatic updates from their respective manufacturers. Other network devices, including printers and internet of things (IoT), must be updated according to the vendor patch schedule.
- EndPoint Protection (Antivirus and Malware)
- Configuration and Patch Management
- Inventory management
- Added to primary AD domain
All university owned devices, that support the technology, must be configured in the following ways:
- Encryption – University endpoints must utilize full disk encryption with AES 256 or equivalent. Laptops and tablet PCs that support it must use a boot up PIN.
- Firewall – A host-based firewall configured to permit only the minimum necessary services and set to default deny mode.
- Access Control – Systems must be configured to prohibit anonymous access.
- Credentials – Each system should be evaluated and granted the least amount of privileges needed to accomplish the purposes of that device. Elevated accounts should be used sparingly to accomplish a task that can only be done with elevated privileges and should be logged out immediately afterwards.
- Password Control – All password and timeout requirements are enforced for age, length, and complexity.
- Warranty – All will be purchased with warranty. Laptops, desktops, all in ones, and servers will have a minimum of three years.
System Defaults – All default admin accounts and passwords must be changed, removed or disabled.
- Firmware – Firmware is updated when commissioned, upon subsequent recommissioning, or when a significant vulnerability is identified and determined to be urgent by the CISO office. This is usually a CVE rating of 9.0 or greater.
In addition to what is above servers should be configured with the following
- Security Commissioning – Each server should have a security review and recommendations implemented prior to commissioning
- Documentation – All servers should provide a list of services offered, who utilizes/access them, architecture diagram, firewall requirements, and department contact, etc.
- Physical Security – All servers hardware will be in a data center with controlled access.
- Backups – All systems with operational data will be backed up. These backups should be encrypted and need to be kept in a secure location. Periodically restore procedures should be verified.
- Vulnerability Management – Security Operations will perform a monthly scan. Critical and high vulnerabilities will be remediated within the appropriate time frame based on the type of data stored on the system and based on access allowed to it.
Systems with Level 1 Data
All university-owned devices that access or store Level 1 Data, as defined by the data classification standard, must be configured with the following, in addition to what is listed above, as a minimum.
- Intrusion detection
- Centralized logging
- Multi-factor authentication
Contracts, governments (CUI and FISMA), governing bodies (PCI DSS), sponsors or providers often will require greater security than these measures. These requirements will be assessed when a Level 1 system is brought up or a research proposal is initiated.
Non-Compliance and Exceptions
A Request for Exception, along with a plan for risk assessment and management, can be submitted at Help Desk Self Service. Non-compliance with these standards may result in revocation of access, notification of supervisors, and reporting to the Office of Internal Audit and Institutional Compliance.
Created: March 2019
Last Update: September 2022
Next Review: September 2024