![University of Â鶹´«Ã½ at Mānoa](/its/template/system_2019/images/uh-nameplate.png")
Servers — Minimum Security Standards
Last Updated 2023-02-06
As defined by the , a server is a computer or device on a network that manages network resources. Examples include file servers (to store files), print servers (to manage one or more printers), network servers (to manage network traffic), and database servers (to process database queries).
Please refer to the Implementation Guides for assistance with implementing the minimum security standard for your device.
Key
| Item | Description |
|---|---|
| Implementation required | |
| Implementation recommended | |
| Recurring task |
When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
The standards listed below are adapted from a subset of the Center for Internet Security's (CIS) Controls, which are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks. The subset of CIS Controls were chosen based on their applicability to the University of Â鶹´«Ã½.
If a standard cannot be implemented in your environment for any reason, please contact infosec@hawaii.edu for consulting.
Quick Reference
- 1.0 - Patching
- 2.0 - Firewall Configuration
- 3.0 - Password Security
- 4.0 - Data Management
- 5.0 - Encryption
- 6.0 - Asset Management
- 7.0 - Data Inventory
- 9.0 - Malware Protection
- 10.0 - Session Timeout
- 11.0 - Backups
- 12.0 - Multi-Factor Authentication
- 13.0 - Centralized Logging
- 14.0 - Secure Access
- 15.0 - Secure Configuration
- 16.0 - Event Logging
- 17.0 - Network Security
- 18.0 - Access Control
- 19.0 - Account Management
- 20.0 - Vulnerability Scanning
| # | Standards |
Institutional Data Category |
||||
|---|---|---|---|---|---|---|
| Patching | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Enable automatic updates for operating systems and software if possible. | ||||||
| Install standard operating system and software security patches on a monthly basis for servers and networking devices. | ||||||
| Firewall Configuration | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Configure and manage a host based firewall or a network firewall device with a default deny-all policy. Only necessary services should be allowed through the firewall. | ||||||
| Password Security | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure that all servers have strong and unique password protected individual logins for all local and remote accounts. | ||||||
| Ensure that all web applications have strong and unique password protected individual logins for administrative accounts. | ||||||
| Data Management | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Utilize the University's records management process for . | ||||||
| Securely dispose of Institutional Data following our Disposal Guidelines. | ||||||
| Encryption | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure that data is encrypted with a secure encryption algorithm while in transit. | ||||||
| Ensure that files containing Sensitive and Regulated data stored on servers, applications, databases, and removable media are encrypted or stored in an encrypted file container such as Veracrypt. | ||||||
| Asset Management | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Complete the Annual Device Registration. | ||||||
| Maintain an updated inventory of all software and hardware assets. | ||||||
| Ensure that hardware and software assets are fully supported by their vendors. | ||||||
| Review asset lists on a monthly basis. Remove or replace unauthorized and end-of-life assets if possible. | ||||||
| Data Inventory | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Complete the annual Personal Information Survey (PIS). | ||||||
| Malware Protection | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Install and enable an anti-malware solution. | ||||||
| Ensure automatic anti-malware signature updates are enabled. | ||||||
| Session Timeout | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Configure a maximum 15 minute session timeout for system access and remote access protocols (SSH, RDP, etc.) | ||||||
| Backups | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Maintain an offline, off-site, or cloud-based backup instance. | ||||||
| Ensure backups are encrypted. | ||||||
| Perform manual or automatic backups of systems on at least a weekly basis. | ||||||
| Multi-Factor Authentication (MFA) | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Enable multi-factor authentication to access externally-exposed applications, remote network access, and administrative access where possible. | ||||||
| Utilize for public facing web application logins if applicable. | ||||||
| Centralized Logging | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Deploy a centralized log management system for servers and aggregate logs. | ||||||
| Retain centralized logs for at least 90 days. Adequate log storage must be accounted for. | ||||||
| Review centralized audit logs on a weekly basis. | ||||||
| Secure Access | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.). | ||||||
| Secure Configuration | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Ensure that servers and network devices are configured following industry security best practices. CIS Configuration Guides are recommended. Configuration scripts are available upon request. | ||||||
| Uninstall or disable unnecessary and unused services on servers and network devices. | ||||||
| Event Logging | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Enable logging of system, security, and application events. | ||||||
| Retain logs for at least 90 days. Adequate log storage must be accounted for. | ||||||
| Review audit logs on a weekly basis. | ||||||
| Network Security | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Utilize network segmentation to address least privilege by isolating personal, untrusted, and IoT devices from critical services. | ||||||
| Maintain network architecture diagrams. | ||||||
| Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks. | ||||||
| Access Control | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Maintain an updated access control list of user roles, accounts and permissions for local/remote file systems, databases, and applications. | ||||||
| Grant access and apply access privileges to systems and services on a need to know basis. | ||||||
| Revoke privileges to systems and services upon employee termination, rights revocation, or role change. | ||||||
| Account Management | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Restrict administrator privileges to individually dedicated administrator accounts. | ||||||
| Remove dormant accounts (45 days of inactivity). | ||||||
| Disable default system and software accounts or make them unusable. | ||||||
| Review account privileges and permissions quarterly. | ||||||
| Vulnerability Scanning | Recurring Task | Public |
Restricted |
Sensitive |
Regulated |
|
| Â鶹´«Ã½Vulnerability Scan SitePerform vulnerability scans using ScanUH or Nessus Agents on a monthly basis. | ||||||
| Remediate all High and Critical severity vulnerabilities within 7 days. | ||||||