Guidelines for Data Protection - Information System Security
The following tables define baseline security controls for protecting Information Systems that store, process or transmit Institutional Data. By definition, an Information System is any electronic system that stores, processes or transmits Institutional Data. This may include workstations, servers, mobile devices (e.g. smart phones, PDAs, etc.) or network devices (e.g. firewalls, routers, etc.). Controls defined in other portions of this document (e.g. Electronic Access Controls, Encryption and Key Management, etc.) also impact the security of Information Systems and should be reviewed to ensure comprehensive implementation of controls.
System Hardening
| ID | Control | Public | Private | Restricted |
|---|---|---|---|---|
| IS-1 | Controls are deployed to protect against unauthorized connections to services (e.g. firewalls, proxies, access control lists, etc.) | Required | Required | Required |
| IS-2 | Controls are deployed to protect against malicious code execution (e.g. antivirus, antispyware, etc.) | Required | Required | Required |
| IS-3 | Controls deployed to protect against malicious code execution are kept up to date (e.g. software version, signatures, etc.) | Required | Required | Required |
| IS-4 | Host-based intrusion detection and/or prevention software is deployed and monitored | Recommended | Recommended | Recommended |
| IS-5 | Local accounts that are not being utilized are disabled or removed | Required | Required | Required |
| IS-6 | Default or vendor-supplied credentials (e.g. username and password) are changed prior to implementation | Required | Required | Required |
| IS-7 | Services that are not being utilized are disabled or removed | Required | Required | Required |
| IS-8 | Applications that are not being utilized are removed | Recommended | Recommended | Recommended |
| IS-9 | Auto-run for removable Electronic Media (e.g. CDs, DVDs, USB drives, etc.) and network drives is disabled | Required | Required | Required |
| IS-10 | Active sessions are locked after a period of inactivity | Required | Required | Required |
| IS-11 | Native security mechanisms are enabled to protect against buffer overflows and other memory-based attacks (e.g. address space layout randomization, executable space protection, etc.) | Recommended | Recommended | Recommended |
Vulnerability Management
| ID | Control | Public | Private | Restricted |
|---|---|---|---|---|
| IS-12 | Procedures for monitoring for new security vulnerabilities are documented and followed | Required | Required | Required |
| IS-13 | Operating system and software security patches are deployed in a timely manner | Required | Required | Required |
| IS-14 | Mitigating controls are deployed for known security vulnerabilities in situations where a vendor security patch is not available | Required | Required | Required |
| IS-15 | System is periodically tested for security vulnerabilities (e.g. vulnerability scanning, penetration testing, etc.) | Recommended | Recommended | Required |
System Logging
| ID | Control | Public | Private | Restricted |
|---|---|---|---|---|
| IS-16 | Successful attempts to access Information Systems are logged | Required | Required | Required |
| IS-17 | Failed attempts to access Information Systems are logged | Required for privileged access. Recommended for all other access. | Required for privileged access. Recommended for all other access. | Required |
| IS-18 | Attempts to execute an administrative command are logged * | Recommended | Recommended | Required |
| IS-19 | Changes in access to an Information System are logged | Required | Required | Required |
| IS-20 | Changes to critical system files (e.g. configuration files, executables, etc.) are logged | Recommended | Recommended | Required |
| IS-21 | Process accounting is enabled, where available | Recommended | Recommended | Recommended |
| IS-22 | System logs are reviewed on a periodic basis for security events | Recommended | Recommended | Required |
| IS-23 | System logs are protected against tampering | Required | Required | Required |
Supplemental Guidance
IS-18: Administrative commands are those commands that typically require some level of privileged access to execute. For example, adding and deleting users of a system, starting and stopping services and rebooting a system are all examples of administrative commands. Execution of these commands may occur through some type of command-line interface or they may occur through access to a graphical user interface. The full scope of administrative commands that should be logged may vary from one system to the next. As a general rule of thumb, a command that requires the use of sudo on a UNIX or Linux platform would be considered an administrative command. On a Windows platform, a command that requires a typical user to “Run as administrator” would constitute an administrative command.
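The sudo rule of thumb above gives a concrete way to check whether IS-18 is being met on a Linux host. The following is an added example, not part of these guidelines: it parses the syslog entries that sudo writes by default (the sample lines are constructed, not real data) into audit records showing who attempted which administrative command, as which user, and whether sudo allowed it.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Optional

# Matches the syslog line sudo writes for each invocation (default Linux logging).
# Successful runs carry no reason field; refusals do, e.g. "command not allowed".
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo(?:\[\d+\])?:\s+"
    r"(?P<user>\S+) :(?: (?P<reason>[^;]+?) ;)? TTY=(?P<tty>\S+) ; "
    r"PWD=(?P<pwd>[^;]+?) ; USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.+)$"
)

@dataclass
class AdminCommand:
    timestamp: str
    host: str
    user: str        # account that invoked sudo
    target: str      # account the command was to run as
    command: str
    allowed: bool    # False when sudo refused (policy denial, bad password)
    reason: Optional[str]

def parse_sudo_line(line: str) -> Optional[AdminCommand]:
    """Return an AdminCommand for a sudo syslog entry, or None for unrelated lines."""
    m = SUDO_RE.match(line.rstrip())
    if not m:
        return None
    reason = m.group("reason")
    return AdminCommand(m.group("ts"), m.group("host"), m.group("user"),
                        m.group("target"), m.group("cmd"), reason is None, reason)

def audit(lines: Iterable[str]) -> List[AdminCommand]:
    """Extract every administrative command attempt (IS-18) from a log stream."""
    return [rec for rec in map(parse_sudo_line, lines) if rec is not None]

# Constructed sample entries in the shape of /var/log/auth.log; not real data.
SAMPLE_LOG = """\
Mar  3 10:14:55 web01 sshd[2210]: Accepted publickey for alice from 10.0.0.5 port 51234 ssh2
Mar  3 10:15:01 web01 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/bin/systemctl restart nginx
Mar  3 10:16:07 web01 sudo:      bob : command not allowed ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/usr/sbin/useradd mallory
Mar  3 10:17:20 web01 sudo:    carol : 3 incorrect password attempts ; TTY=pts/2 ; PWD=/home/carol ; USER=root ; COMMAND=/sbin/reboot
""".splitlines()

if __name__ == "__main__":
    for rec in audit(SAMPLE_LOG):
        status = "ALLOWED" if rec.allowed else f"DENIED ({rec.reason})"
        print(f"{rec.timestamp} {rec.host} {rec.user}->{rec.target} {status}: {rec.command}")
```

Both the allowed and the refused entries are IS-18 records; the refused ones are also the failed privileged-access attempts that IS-17 requires to be logged, so reviewing them together covers both controls.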