Minimum Information Security Technical Controls Standard

A PDF version of this document is also available.

Purpose

This standard outlines the minimum controls for protecting information assets, as required by the Information Asset Classification and Management Policy (IV.06.02). The purpose of requirements identified herein is to reduce risks to the confidentiality, integrity and availability of University data and systems (“information assets”) and to protect the privacy of members of the University community.


Scope

This standard applies to all users with access to University information assets, and all devices that store, process or transmit University data.


Standard

All users with access to University information assets, and all devices that store, process or transmit University data shall meet the following minimum controls for protecting University information assets, unless an exception is approved by the Information Security Office (ISO).


Exception Request

There may be valid reasons why a given required control cannot be met; e.g., technology limitations, conflict with other controls, the presence of compensating controls, lack of funding, and financial needs that exceed the potential risk of not implementing the control. Exception requests must be submitted to ISO detailing reasons the control cannot be met and proposing compensating controls to minimize the risk caused by not meeting the controls. Exceptions request should be submitted to infosec@uoregon.edu.


Compliance Management

The ISO shall implement processes and services to continuously monitor information systems for compliance with this standard.


Policy Violation

Non-compliance with this standard is a violation of the University Information Asset Classification Policy (IV.06.02) and are subject to University sanctions. In cases where noncompliance poses serious risks to University information assets, ISO may take steps to mitigate such risks including temporarily quarantining vulnerable or compromised computers, temporarily disabling affected network ports, blocking known bad or compromised IP addresses, disabling affected network ports, blocking known bad or compromised IP addresses, disabling compromised user accounts, or other actions as necessary to protect University information assets and users.


Definitions

Mandatory Controls must be applied as described in this standard.

Recommendation Controls should be applied as described in this standard.

Compensating Controls are alternative controls put in place to meet or exceed the security requirement, typically to address difficulty or impracticality in implementing the required control. Typically, compensating controls are temporary until it becomes practical to implement the required controls.

For control definitions, refer to the glossary.

See Glossary


UO Minimum Technical Security Controls by Classification

The following technical security controls must be implemented for University-owned systems or vendor/partner systems that store, process or transmit University data in accordance with the classification of the system. Personally-owned systems (e.g., BYOD, home computers, personal phones, etc.) that are used to store, process or transmit University data are required to meet or exceed these standards, before such use is approved by ISO.

 

Table Legend

M = Mandatory; This control must be applied to information systems if this classification of is data present on the system or transists through the system.

R = Reccomended; The ISO reccomends that this control be applied to information systems if this classification of is data present on the system or transists through the system.

NR = Not Reccomended; The ISO does not reccomends that this control be applied to information systems if this classification of is data present on the system or transists through the system.

 

Servers

Control referenceControlHigh RiskModerate RiskLow RiskApplicable Service
UO.ID.1Configuration Management System (CMS): RegistrationMMMSCCM, JAMF, Puppet, NetDot
UO.ID.2Configuration Management System (CMS): Management (OS)MMMSCCM, JAMF, Puppet, CMDB
UO.ID.3Configuration Management System (CMS): Management (Apps)MMRSCCM, Jamf, Puppet, CMDB
UO.ID.4Vulnerability ScanningMMMISO Vulnerability Scanning Service
UO.ID.5Penetration TestingMRNR 
UO.PR.1Physical SecurityMRNRDatacenter, approved cloud
UO.PR.2Wall Jack Access Control    
UO.PR.3System HardeningMMR 
UO.PR.4Security Baseline ConfigurationMMRISO CIS Baseline
UO.PR.5Security UpdatesMMMSCCM, JAMF, Puppet
UO.PR.6Application BlocklistMRNR 
UO.PR.7Anti-malwareMMMMcAfee
UO.PR.8Auto-lock system consolesMMM 
UO.PR.9Firewall: Host-basedRRR 
UO.PR.10Firewall: NetworkMMR 
UO.PR.11Encryption: Data-at-RestMRNR 
UO.PR.12Encryption: Data-in-TransitMMR 
UO.PR.13Encryption: Full Disk    
UO.PR.14User Access Control: Unique AccountMMMDuck ID
UO.PR.15User Access Control: Least Privilege AccessMMM 
UO.PR.16User Access Control: Access ApprovalMMM 
UO.PR.17User Access Control: AuthenticationMMMActive Directory, LDAP, SAML
UO.PR.18User Access Control: Limit Failed Login AttemptsMRR 
UO.PR.19User Access Control: Inactive Session TimeoutMMM 
UO.PR.20User Access Control: Two-Factor AuthenticationMMMDUO 2FA
UO.PR.21User Access Control: Remote Privileged Access Session SecurityMMMIPSec VPN, SSH, sFTP, SCP
UO.DE.1Logging and RetentionMRRISO Logging & Security Analytics
UO.DE.2Log MonitoringMRRSIEM
UO.RE.1Incident Recovery: Backup & RecoveryMMM 
UO.RE.2Incident Recovery: Restoration TestingMMM 

Non-mobile Workstations

Control ReferenceControlHigh RiskModerate RiskLow RiskApplicable Service
UO.ID.1Configuration Management System (CMS): RegistrationMMMSCCM, JAMF, Puppet, NetDot
UO.ID.2Configuration Management System (CMS): Management (OS)MMMSCCM, JAMF, Puppet, CMDB
UO.ID.3Configuration Management System (CMS): Management (Apps)MMRSCCM, JAMF, Puppet, CMDB, Ansible
UO.ID.4Vulnerability ScanningMMMISO Vulnerability Scanning Service
UO.ID.5Penetration TestingRNRNR 
UO.PR.2Wall Jack Access Control    
UO.PR.3System Hardening    
UO.PR.4Security Baseline ConfigurationMRRUO CIS Baseline
UO.PR.5Security UpdatesMMRSCCM, JAMF, Puppet
UO.PR.6Application BlocklistMMROS ACL, consider different lists per risk
UO.PR.7Anti-malwareMMMMcAfee
UO.PR.8Auto-lock system consoles    
UO.PR.9Firewall: Host-basedRRR 
UO.PR.10Firewall: NetworkMMR 
UO.PR.11Encryption: Data-at-Rest    
UO.PR.12Encryption: Data-in-Transit    
UO.PR.13Encryption: Full Disk    
UO.PR.14User Access Control: Unique Account    
UO.PR.15User Access Control: Least Privilege AccessMMR 
UO.PR.16User Access Control: Access Approval    
UO.PR.17User Access Control: AuthenticationMMRActive Directory, LDAP, Shibboleth/SAML
UO.PR.18User Access Control: Limit Failed Login AttemptsMMR 
UO.PR.19User Access Control: Inactive Session Timeout    
UO.PR.20User Access Control: Two-Factor AuthenticationMMRDUO 2FA
UO.PR.21User Access Control: Remote Privileged Access Session SecurityMMRIPSec VPN, SSH, TLS
UO.PR.22Web Reputation FilteringMRR 

UO.DE.1
Logging and RetentionMRNRISO Logging & Security Analytics Service
UO.DE.2Log MonitoringMRNRSIEM
UO.RE.1Incident Recovery: Backup & RecoveryMRR 
UO.RE.2Incident Recovery: Restoration Testing    

Application Systems: Web-layer, middleware, databases, etc. -

 

Control ReferenceControlHigh RiskModerate RiskLow RiskApplicable Service
UO.ID.1Configuration Management System (CMS): Registration   SCCM, JAMF, Puppet, NetDot
UO.ID.2Configuration Management System (CMS): Management (OS)   SCCM, JAMF, Puppet, CMDB
UO.ID.3Configuration Management System (CMS): Management (Apps)MMNRSCCM, JAMF, Puppet, CMDB, Ansible
UO.ID.4Vulnerability ScanningMRRISO Vulnerability Scanning Service
UO.ID.5Penetration TestingMRNR 
UO.PR.2Wall Jack Access Control    
UO.PR.3System HardeningMMM 
UO.PR.4Security Baseline Configuration   UO CIS Baseline
UO.PR.5Security UpdatesMMMSCCM, JAMF, Puppet
UO.PR.6Application Blocklist   OS ACL, consider different lists per risk
UO.PR.7Anti-malware   McAfee
UO.PR.8Auto-lock system consoles    
UO.PR.9Firewall: Host-based    
UO.PR.10Firewall: Network    
UO.PR.11Encryption: Data-at-Rest    
UO.PR.12Encryption: Data-in-TransitMMM 
UO.PR.13Encryption: Full Disk    
UO.PR.14User Access Control: Unique AccountMRNRDuck ID
UO.PR.15User Access Control: Least Privilege AccessMRR 
UO.PR.16User Access Control: Access ApprovalMMR 
UO.PR.17User Access Control: AuthenticationMMRActive Directory, LDAP, Shibboleth/SAML
UO.PR.18User Access Control: Limit Failed Login AttemptsMRR 
UO.PR.19User Access Control: Inactive Session TimeoutMRNR 
UO.PR.20User Access Control: Two-Factor AuthenticationMRNRDUO 2FA
UO.PR.21User Access Control: Remote Privileged Access Session SecurityMMRIPSec VPN, SSH, TLS
UO.PR.22Web Reputation Filtering    

UO.DE.1
Logging and Retention   ISO Logging & Security Analytics Service
UO.DE.2Log Monitoring   SIEM
UO.RE.1Incident Recovery: Backup & Recovery    
UO.RE.2Incident Recovery: Restoration Testing    

Network Infrastructure Devices: Routers, Firewalls, Switches, APs, etc.

Control ReferenceControlHigh RiskModerate RiskLow RiskApplicable Service
UO.ID.1Configuration Management System (CMS): Registration   SCCM, JAMF, Puppet, NetDot
UO.ID.2Configuration Management System (CMS): Management (OS)MMMSCCM, JAMF, Puppet, CMDB
UO.ID.3Configuration Management System (CMS): Management (Apps)   SCCM, JAMF, Puppet, CMDB, Ansible
UO.ID.4Vulnerability ScanningMMMISO Vulnerability Scanning Service
UO.ID.5Penetration TestingMMM 
UO.PR.1Physical SecurityMMMDatacenter, Network core node PoP
UO.PR.2Wall Jack Access ControlMMM 
UO.PR.3System HardeningMMM 
UO.PR.4Security Baseline ConfigurationMMMUO CIS Baseline
UO.PR.5Security UpdatesMMMSCCM, JAMF, Puppet
UO.PR.6Application Blocklist   OS ACL, consider different lists per risk
UO.PR.7Anti-malware   McAfee
UO.PR.8Auto-lock system consoles    
UO.PR.9Firewall: Host-based    
UO.PR.10Firewall: Network    
UO.PR.11Encryption: Data-at-RestMRNR 
UO.PR.12Encryption: Data-in-TransitMMNRSome exemptions for syslog
UO.PR.13Encryption: Full Disk    
UO.PR.14User Access Control: Unique AccountMMMDuckID
UO.PR.15User Access Control: Least Privilege AccessMMM 
UO.PR.16User Access Control: Access ApprovalMMM 
UO.PR.17User Access Control: AuthenticationMMMActive Directory, LDAP, Shibboleth/SAML
UO.PR.18User Access Control: Limit Failed Login AttemptsMRR 
UO.PR.19User Access Control: Inactive Session TimeoutMMM 
UO.PR.20User Access Control: Two-Factor AuthenticationMMMDUO 2FA
UO.PR.21User Access Control: Remote Privileged Access Session SecurityMMMIPSec VPN, SSH, TLS
UO.PR.22Web Reputation Filtering    

UO.DE.1
Logging and RetentionMRRISO Logging & Security Analytics Service
UO.DE.2Log MonitoringMRRSIEM
UO.RE.1Incident Recovery: Backup & RecoveryMMM 
UO.RE.2Incident Recovery: Restoration TestingMMM 

Mobile Devices: laptops, tablets, smartphones, etc.

Control ReferenceControlHigh RiskModerate RiskLow RiskApplicable Service
UO.ID.1Configuration Management System (CMS): RegistrationMRRSCCM, JAMF, Puppet, NetDot
UO.ID.2Configuration Management System (CMS): Management (OS)MRRSCCM, JAMF, Puppet, CMDB
UO.ID.3Configuration Management System (CMS): Management (Apps)MRNRSCCM, JAMF, Puppet, CMDB, Ansible
UO.ID.4Vulnerability Scanning   ISO Vulnerability Scanning Service
UO.ID.5Penetration TestingRNRNR 
UO.PR.1Physical SecurityMRNR 
UO.PR.2Wall Jack Access Control    
UO.PR.3System Hardening    
UO.PR.4Security Baseline ConfigurationMMMUO CIS Baseline
UO.PR.5Security UpdatesMMMSCCM, JAMF, Puppet
UO.PR.6Application BlocklistMRNROS ACL, consider different lists per risk
UO.PR.7Anti-malwareMMMMcAfee
UO.PR.8Auto-lock system consolesMMMUO Baselines
UO.PR.9Firewall: Host-basedMMM 
UO.PR.10Firewall: Network    
UO.PR.11Encryption: Data-at-RestMMM 
UO.PR.12Encryption: Data-in-TransitMMM 
UO.PR.13Encryption: Full DiskMRR 
UO.PR.14User Access Control: Unique Account    
UO.PR.15User Access Control: Least Privilege AccessMMR 
UO.PR.16User Access Control: Access Approval    
UO.PR.17User Access Control: AuthenticationMMRActive Directory, LDAP, Shibboleth/SAML
UO.PR.18User Access Control: Limit Failed Login AttemptsMMR 
UO.PR.19User Access Control: Inactive Session Timeout    
UO.PR.20User Access Control: Two-Factor Authentication   DUO 2FA
UO.PR.21User Access Control: Remote Privileged Access Session Security   IPSec VPN, SSH, TLS
UO.PR.22Web Reputation Filtering    

UO.DE.1
Logging and Retention   ISO Logging & Security Analytics Service
UO.DE.2Log Monitoring   SIEM
UO.RE.1Incident Recovery: Backup & RecoveryMRNR 
UO.RE.2Incident Recovery: Restoration Testing    

Acronyms

SCCM – Microsoft System Center Configuration Manager
CMDB – Configuration Management Database
SSH – Secure Socket Layer protocol
BYOD – Bring your own device
SCP - Secure Copy protocol
SFTP - Secure File Transfer Protocol
VPN – Virtual Private Network
TLS - Transport Layer Security
IPSec – Internet Protocol Security
SIEM – Security Information and Event Management
CVSS – Common Vulnerability Scoring System, supported by the National Institute of Standards and Technology National Vulnerability Database (NIST NVD)