A PDF version of this document is also available.
Purpose
This standard outlines the minimum controls for protecting information assets, as required by the Information Asset Classification and Management Policy ( IV.06.02 ). The purpose of requirements identified herein is to reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”) and to protect the privacy of members of the University community.
Scope
This standard applies to all users with access to University information assets, and all devices that store, process or transmit University data.
Standard
All users with access to University information assets, and all devices that store, process or transmit University data shall meet the following minimum controls for protecting University information assets, unless an exception is approved by the Information Security Office (ISO).
Exception Request
There may be valid reasons why a given required control cannot be met; e.g., technology limitations, conflict with other controls, the presence of compensating controls, lack of funding, and financial needs that exceed the potential risk of not implementing the control. Exception requests must be submitted to ISO detailing reasons the control cannot be met and proposing compensating controls to minimize the risk caused by not meeting the controls. Exceptions request should be submitted using this form https://service.uoregon.edu/TDClient/2030/Portal/Requests/ServiceDet?ID=43440
Compliance Management
The ISO shall implement processes and services to continuously monitor information systems for compliance with this standard.
Policy Violation
Non-compliance with this standard is a violation of the University Information Asset Classification Policy ( IV.06.02 ) and are subject to University sanctions. In cases where noncompliance poses serious risks to University information assets, ISO may take steps to mitigate such risks including temporarily quarantining vulnerable or compromised computers, temporarily disabling affected network ports, blocking known bad or compromised IP addresses, disabling affected network ports, blocking known bad or compromised IP addresses, disabling compromised user accounts, or other actions as necessary to protect University information assets and users.
Definitions
Mandatory Controls must be applied as described in this standard.
Recommendation Controls should be applied as described in this standard.
Compensating Controls are alternative controls put in place to meet or exceed the security requirement, typically to address difficulty or impracticality in implementing the required control. Typically, compensating controls are temporary until it becomes practical to implement the required controls.
For control definitions, refer to the glossary.
UO Minimum Security Controls by Classification
The following security controls must be implemented for University-owned systems or vendor/partner systems that store, process or transmit University data in accordance with the classification of the system. Personally-owned systems (e.g., BYOD, home computers, personal phones, etc.) that are used to store, process or transmit University data are required to meet or exceed these standards, before such use is approved by ISO.
Table Legend
M = Mandatory; This control must be applied to information systems if this classification of is data present on the system or transits through the system.
R = Recommended; The ISO recommends that this control be applied to information systems if this classification of is data present on the system or transits through the system.
NR = Not Required; This control is not required to be applied to information systems if this classification of is data present on the system or transits through the system.
Servers
| Control reference | Control | High Risk | Moderate Risk | Low Risk | Applicable Service |
|---|---|---|---|---|---|
| UO.ID.1 | Configuration Management System (CMS): Registration | M | M | M | SCCM, JAMF, Puppet, NetDot |
| UO.ID.2 | Configuration Management System (CMS): Management (OS) | M | M | M | SCCM, JAMF, Puppet, CMDB |
| UO.ID.3 | Configuration Management System (CMS): Management (Apps) | M | M | R | SCCM, Jamf, Puppet, CMDB |
| UO.ID.4 | Vulnerability Scanning | M | M | M | ISO Vulnerability Scanning Service |
| UO.ID.5 | Penetration Testing | M | R | NR | |
| UO.PR.1 | Physical Security | M | R | NR | Datacenter, approved cloud |
| UO.PR.2 | Wall Jack Access Control | ||||
| UO.PR.3 | System Hardening | M | M | R | |
| UO.PR.4 | Security Baseline Configuration | M | M | R | ISO CIS Baseline |
| UO.PR.5 | Security Updates | M | M | M | SCCM, JAMF, Puppet |
| UO.PR.6 | Application Blocklist | M | R | NR | |
| UO.PR.7 | Anti-malware | M | M | M | McAfee, Microsoft Defender |
| UO.PR.8 | Auto-lock system consoles | M | M | M | |
| UO.PR.9 | Firewall: Host-based | R | R | R | |
| UO.PR.10 | Firewall: Network | M | M | R | |
| UO.PR.11 | Encryption: Data-at-Rest | M | R | NR | |
| UO.PR.12 | Encryption: Data-in-Transit | M | M | R | |
| UO.PR.13 | Encryption: Full Disk | ||||
| UO.PR.14 | User Access Control: Unique Account | M | M | M | Duck ID |
| UO.PR.15 | User Access Control: Least Privilege Access | M | M | M | |
| UO.PR.16 | User Access Control: Access Approval | M | M | M | |
| UO.PR.17 | User Access Control: Authentication | M | M | M | Active Directory, LDAP, SAML |
| UO.PR.18 | User Access Control: Limit Failed Login Attempts | M | R | R | |
| UO.PR.19 | User Access Control: Inactive Session Timeout | M | M | M | |
| UO.PR.20 | User Access Control: Two-Factor Authentication | M | M | M | DUO 2FA |
| UO.PR.21 | User Access Control: Remote Privileged Access Session Security | M | M | M | IPSec VPN, SSH, sFTP, SCP |
| UO.DE.1 | Logging and Retention | M | R | R | ISO Logging & Security Analytics |
| UO.DE.2 | Log Monitoring | M | R | R | SIEM |
| UO.RE.1 | Incident Recovery: Backup & Recovery | M | M | M | |
| UO.RE.2 | Incident Recovery: Restoration Testing | M | M | M |
Workstations: Desktops, laptops, and devices with full-featured OS
| Control Reference | Control | High Risk | Moderate Risk | Low Risk | Applicable Service |
|---|---|---|---|---|---|
| UO.ID.1 | Configuration Management System (CMS): Registration | M | M | M | SCCM, JAMF, Puppet, NetDot |
| UO.ID.2 | Configuration Management System (CMS): Management (OS) | M | M | M | SCCM, JAMF, Puppet, CMDB |
| UO.ID.3 | Configuration Management System (CMS): Management (Apps) | M | M | R | SCCM, JAMF, Puppet, CMDB, Ansible |
| UO.ID.4 | Vulnerability Scanning | M | M | M | ISO Vulnerability Scanning Service |
| UO.ID.5 | Penetration Testing | R | NR | NR | |
| UO.PR.2 | Wall Jack Access Control | ||||
| UO.PR.3 | System Hardening | ||||
| UO.PR.4 | Security Baseline Configuration | M | R | R | UO CIS Baseline |
| UO.PR.5 | Security Updates | M | M | M | SCCM, JAMF, Puppet |
| UO.PR.6 | Application Blocklist | M | M | R | OS ACL, consider different lists per risk |
| UO.PR.7 | Anti-malware | M | M | M | McAfee, Microsoft Defender |
| UO.PR.8 | Auto-lock system consoles | M | M | M | |
| UO.PR.9 | Firewall: Host-based | R | R | R | |
| UO.PR.10 | Firewall: Network | M | M | R | |
| UO.PR.11 | Encryption: Data-at-Rest | M | R | NR | |
| UO.PR.12 | Encryption: Data-in-Transit | M | R | NR | |
| UO.PR.13 | Encryption: Full Disk | M | M | R | |
| UO.PR.15 | User Access Control: Least Privilege Access | M | M | R | |
| UO.PR.17 | User Access Control: Authentication | M | M | M | Active Directory, LDAP, Shibboleth/SAML |
| UO.PR.18 | User Access Control: Limit Failed Login Attempts | M | M | R | |
| UO.PR.20 | User Access Control: Two-Factor Authentication | M | M | R | DUO 2FA |
| UO.PR.21 | User Access Control: Remote Privileged Access Session Security | M | M | R | IPSec VPN, SSH, TLS |
| UO.PR.22 | Web Reputation Filtering | M | R | R | |
UO.DE.1 | Logging and Retention | M | R | NR | ISO Logging & Security Analytics Service |
| UO.DE.2 | Log Monitoring | M | R | NR | SIEM |
| UO.RE.1 | Incident Recovery: Backup & Recovery | M | R | R |
Application Systems: Web-layer, middleware, databases, etc. -
| Control Reference | Control | High Risk | Moderate Risk | Low Risk | Applicable Service |
|---|---|---|---|---|---|
| UO.ID.1 | Configuration Management System (CMS): Registration | SCCM, JAMF, Puppet, NetDot | |||
| UO.ID.2 | Configuration Management System (CMS): Management (OS) | SCCM, JAMF, Puppet, CMDB | |||
| UO.ID.3 | Configuration Management System (CMS): Management (Apps) | M | M | NR | SCCM, JAMF, Puppet, CMDB, Ansible |
| UO.ID.4 | Vulnerability Scanning | M | R | R | ISO Vulnerability Scanning Service |
| UO.ID.5 | Penetration Testing | M | R | NR | |
| UO.PR.2 | Wall Jack Access Control | ||||
| UO.PR.3 | System Hardening | M | M | M | |
| UO.PR.4 | Security Baseline Configuration | UO CIS Baseline | |||
| UO.PR.5 | Security Updates | M | M | M | SCCM, JAMF, Puppet |
| UO.PR.6 | Application Blocklist | OS ACL, consider different lists per risk | |||
| UO.PR.7 | Anti-malware | McAfee, Microsoft Defender | |||
| UO.PR.8 | Auto-lock system consoles | ||||
| UO.PR.9 | Firewall: Host-based | ||||
| UO.PR.10 | Firewall: Network | ||||
| UO.PR.11 | Encryption: Data-at-Rest | ||||
| UO.PR.12 | Encryption: Data-in-Transit | M | M | M | |
| UO.PR.13 | Encryption: Full Disk | ||||
| UO.PR.14 | User Access Control: Unique Account | M | R | NR | Duck ID |
| UO.PR.15 | User Access Control: Least Privilege Access | M | R | R | |
| UO.PR.16 | User Access Control: Access Approval | M | M | R | |
| UO.PR.17 | User Access Control: Authentication | M | M | R | Active Directory, LDAP, Shibboleth/SAML |
| UO.PR.18 | User Access Control: Limit Failed Login Attempts | M | R | R | |
| UO.PR.19 | User Access Control: Inactive Session Timeout | M | R | NR | |
| UO.PR.20 | User Access Control: Two-Factor Authentication | M | R | NR | DUO 2FA |
| UO.PR.21 | User Access Control: Remote Privileged Access Session Security | M | M | R | IPSec VPN, SSH, TLS |
| UO.PR.22 | Web Reputation Filtering | ||||
UO.DE.1 | Logging and Retention | ISO Logging & Security Analytics Service | |||
| UO.DE.2 | Log Monitoring | SIEM | |||
| UO.RE.1 | Incident Recovery: Backup & Recovery | ||||
| UO.RE.2 | Incident Recovery: Restoration Testing |
Network Infrastructure Devices: Routers, Firewalls, Switches, APs, etc.
| Control Reference | Control | High Risk | Moderate Risk | Low Risk | Applicable Service |
|---|---|---|---|---|---|
| UO.ID.1 | Configuration Management System (CMS): Registration | SCCM, JAMF, Puppet, NetDot | |||
| UO.ID.2 | Configuration Management System (CMS): Management (OS) | M | M | M | SCCM, JAMF, Puppet, CMDB |
| UO.ID.3 | Configuration Management System (CMS): Management (Apps) | SCCM, JAMF, Puppet, CMDB, Ansible | |||
| UO.ID.4 | Vulnerability Scanning | M | M | M | ISO Vulnerability Scanning Service |
| UO.ID.5 | Penetration Testing | M | M | M | |
| UO.PR.1 | Physical Security | M | M | M | Datacenter, Network core node PoP |
| UO.PR.2 | Wall Jack Access Control | M | M | M | |
| UO.PR.3 | System Hardening | M | M | M | |
| UO.PR.4 | Security Baseline Configuration | M | M | M | UO CIS Baseline |
| UO.PR.5 | Security Updates | M | M | M | SCCM, JAMF, Puppet |
| UO.PR.6 | Application Blocklist | OS ACL, consider different lists per risk | |||
| UO.PR.7 | Anti-malware | McAfee, Microsoft Defender | |||
| UO.PR.8 | Auto-lock system consoles | ||||
| UO.PR.9 | Firewall: Host-based | ||||
| UO.PR.10 | Firewall: Network | ||||
| UO.PR.11 | Encryption: Data-at-Rest | M | R | NR | |
| UO.PR.12 | Encryption: Data-in-Transit | M | M | NR | Some exemptions for syslog |
| UO.PR.13 | Encryption: Full Disk | ||||
| UO.PR.14 | User Access Control: Unique Account | M | M | M | DuckID |
| UO.PR.15 | User Access Control: Least Privilege Access | M | M | M | |
| UO.PR.16 | User Access Control: Access Approval | M | M | M | |
| UO.PR.17 | User Access Control: Authentication | M | M | M | Active Directory, LDAP, Shibboleth/SAML |
| UO.PR.18 | User Access Control: Limit Failed Login Attempts | M | R | R | |
| UO.PR.19 | User Access Control: Inactive Session Timeout | M | M | M | |
| UO.PR.20 | User Access Control: Two-Factor Authentication | M | M | M | DUO 2FA |
| UO.PR.21 | User Access Control: Remote Privileged Access Session Security | M | M | M | IPSec VPN, SSH, TLS |
| UO.PR.22 | Web Reputation Filtering | ||||
UO.DE.1 | Logging and Retention | M | R | R | ISO Logging & Security Analytics Service |
| UO.DE.2 | Log Monitoring | M | R | R | SIEM |
| UO.RE.1 | Incident Recovery: Backup & Recovery | M | M | M | |
| UO.RE.2 | Incident Recovery: Restoration Testing | M | M | M |
Mobile Devices: Tablets, smartphones, IoT's, printers and devices with pared-down OS, etc.
| Control Reference | Control | High Risk | Moderate Risk | Low Risk | Applicable Service |
|---|---|---|---|---|---|
| UO.ID.1 | Configuration Management System (CMS): Registration | M | R | R | SCCM, JAMF, Puppet, NetDot |
| UO.ID.2 | Configuration Management System (CMS): Management (OS) | M | R | R | SCCM, JAMF, Puppet, CMDB |
| UO.ID.3 | Configuration Management System (CMS): Management (Apps) | M | R | NR | SCCM, JAMF, Puppet, CMDB, Ansible |
| UO.ID.4 | Vulnerability Scanning | ISO Vulnerability Scanning Service | |||
| UO.ID.5 | Penetration Testing | R | NR | NR | |
| UO.PR.1 | Physical Security | M | R | NR | |
| UO.PR.2 | Wall Jack Access Control | ||||
| UO.PR.3 | System Hardening | ||||
| UO.PR.4 | Security Baseline Configuration | M | M | M | UO CIS Baseline |
| UO.PR.5 | Security Updates | M | M | M | SCCM, JAMF, Puppet |
| UO.PR.6 | Application Blocklist | M | R | NR | OS ACL, consider different lists per risk |
| UO.PR.7 | Anti-malware | M | M | M | McAfee, Microsoft Defender |
| UO.PR.8 | Auto-lock system consoles | M | M | M | UO Baselines |
| UO.PR.9 | Firewall: Host-based | M | M | M | |
| UO.PR.10 | Firewall: Network | ||||
| UO.PR.11 | Encryption: Data-at-Rest | M | M | M | |
| UO.PR.12 | Encryption: Data-in-Transit | M | M | M | |
| UO.PR.13 | Encryption: Full Disk | M | R | R | |
| UO.PR.14 | User Access Control: Unique Account | ||||
| UO.PR.15 | User Access Control: Least Privilege Access | M | M | R | |
| UO.PR.16 | User Access Control: Access Approval | ||||
| UO.PR.17 | User Access Control: Authentication | M | M | R | Active Directory, LDAP, Shibboleth/SAML |
| UO.PR.18 | User Access Control: Limit Failed Login Attempts | M | M | R | |
| UO.PR.19 | User Access Control: Inactive Session Timeout | ||||
| UO.PR.20 | User Access Control: Two-Factor Authentication | DUO 2FA | |||
| UO.PR.21 | User Access Control: Remote Privileged Access Session Security | IPSec VPN, SSH, TLS | |||
| UO.PR.22 | Web Reputation Filtering | ||||
UO.DE.1 | Logging and Retention | ISO Logging & Security Analytics Service | |||
| UO.DE.2 | Log Monitoring | SIEM | |||
| UO.RE.1 | Incident Recovery: Backup & Recovery | M | R | NR | |
| UO.RE.2 | Incident Recovery: Restoration Testing |
Acronyms
- SCCM – Microsoft System Center Configuration Manager
- CMDB – Configuration Management Database
- SSH – Secure Socket Layer protocol
- BYOD – Bring your own device
- SCP - Secure Copy protocol
- SFTP - Secure File Transfer Protocol
- VPN – Virtual Private Network
- TLS - Transport Layer Security
- IPSec – Internet Protocol Security
- SIEM – Security Information and Event Management
- CVSS – Common Vulnerability Scoring System, supported by the National Institute of Standards and Technology National Vulnerability Database (NIST NVD)