Purpose

Clemson University is committed to protecting the privacy of its students, alumni, faculty, and staff while protecting the confidentiality, integrity, and availability of information important to the University’s mission. To meet that commitment, the University has developed minimum security standards which will be used to identify the security controls required for University managed systems, applications, cloud-based services and other devices that process or connect to University data and resources.

Standards

The Minimum Security Standards will vary based on the classification of the data that is stored or processed on the system or application. Systems must be protected up to the highest data classifications stored or processed on it. For example, if a laptop is used to access a server with Confidential Data, the laptop must be protected at the Confidential level as well. For more information on how data is classified, refer to the University Data Classification Policy. For assistance in understanding and implementing these guidelines, contact the Office of Information Security Privacy (OIS) through the IT Support Center.

Minimum Security Standards:

• Endpoints (Any desktop or laptop purchased by Clemson and issued to a user)
• Servers
• Mobile Devices
• Personally Owned Devices
• University Developed Software Services
• University Hosted Software Services
• Software as a Service (SaaS)
• High Performance Computing (HPC)

For assistance in understanding and implementing these guidelines, contact the Office of Information Security and Privacy (OIS) through our ticketing system.

Endpoints, which are any devices that connect to the Clemson network, also include any desktop or laptop purchased by Clemson and issued to a user.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory Management	All assets must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Configuration Management and System Patching	Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines
Credentials and Access Control	Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines.
Antivirus/Malware Protection	University supported antivirus solution must be enabled.
Local Encryption	Local encryption must be configured in accordance with University Encryption Guidelines.
Advanced Threat Detection	Use the University supported Endpoint Protection Platform.
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

A server is any University hosted system that provides a service over the network. Servers constitute a much smaller portion of University managed systems, but due to their very nature are much more exposed. Servers include hosts such as web servers, application servers, shared drives, and databases.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory Management	All assets must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Configuration Management and System Patching	Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines.
Credentials and Access Control	Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines.
Antivirus/Malware Protection	University supported antivirus solution must be enabled.
Logging and Monitoring	Logging must be enabled and forwarded to the University logging solution if requested.
Firewall	Host-based firewall must be in default deny mode and permit minimum necessary services.
Vulnerability Management	Identified vulnerabilities must be remediated according to University Patching Guidelines.
Physical Access Control	Systems must be located in a University managed or approved Data Center.
Two-Factor Authentication	Two-factor authentication must be required for all privileged user and administrator logins.
Local Encryption	Local encryption must be configured in accordance with University Encryption Guidelines.
Dedicated Admin Workstation	Access administrative accounts only via Virtual Desktop Interface (VDI).
Advanced Threat Detection	Use the University supported Endpoint Protection Platform.
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

Mobile devices consist primarily of phones and tablets and are generally running Android or iOS software. University purchased or managed mobile devices must adhere to the controls below.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory	Register devices in University supported Configuration Management Solution.
Configuration Management and System Patching	Use University supported Configuration Management Solution. Use a supported Operating System (OS) version.
Credentials and Access Control	Devices must be password/pin protected in accordance with Strong Password Guidelines.
Local Encryption	Enable device encryption.

Back to Top of Page

Personally owned devices include computers and mobile devices owned and managed by a user. When these devices are connected to the University network or are used to store or process data including email, the devices must meet the requirements below.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Configuration Management and System Patching	Asset must be maintained according to University Patching Guidelines.			Not Authorized
Credentials and Access Control	Devices must be password/pin protected in accordance with Strong Password Guidelines.
Local Encryption	Local encryption must be configured in accordance with University Encryption Guidelines.

Back to Top of Page

University Developed Software Services are defined as any software or web applications developed by University faculty or staff running on a University owned endpoint or server that provides services across University resources.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory	Internally developed apps must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Firewall	Minimum necessary services must be permitted through the network firewall.
Credentials and Access Control	Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines.
Vulnerability Management	Identified vulnerabilities must be remediated according to University Patching Guidelines .
Logging and Monitoring	Logging must be enabled and forwarded to the University logging solution if requested.
Secure Software Development	Security must be considered in design requirements. Review all code and correct identified security flaws prior to deployment. For web apps, follow applicable Web Development Standards.
Two-Factor Authentication	Two-factor authentication must be required for all privileged user and administrator logins.
Security Review	OIS must review and all findings must be addressed prior to deployment.
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

University Hosted Software Services are defined as any third-party software running on a University owned endpoint or server that provides services across University resources.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory	Hosted software must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Configuration Management and System Patching	Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines.
Credentials and Access Control	Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines.
Vulnerability Management	Identified vulnerabilities must be remediated according to University Patching Guidelines.
Firewall	Minimum necessary services must be permitted through the network firewall.
Security Review	Software must be procured through Vendor Management. OIS must review and all findings must be addressed prior to deployment.
Logging and Monitoring	Logging must be enabled and forwarded to the University logging solution if requested.
Backups	Create external backups of application data periodically. Encrypt at rest and in transit.
Two-Factor Authentication	Two-factor authentication must be required for all privileged user and administrator logins.
Dedicated Admin Workstation	Access administrative accounts only via Virtual Desktop Interface (VDI).
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

Software as a Service (SaaS) is defined as any application or software procured by Clemson University that processes or stores University data in an environment controlled by a third party.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Inventory	Asset must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Credentials and Access Control	Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines.
Security Review	Software must be procured through Vendor Management. OIS must review and all findings must be addressed prior to deployment.
Local Encryption	Local encryption must be configured in accordance with University Encryption Guidelines.
Network Encryption	Encryption protocol must be configured in accordance with University Encryption Guidelines.
Two-Factor Authentication	Two-factor authentication must be required for all privileged user and administrator logins.
Logging and Monitoring	Logging must be enabled and forwarded to the University logging solution if available, or contractually require vendor to supply logs when requested.
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

HPC systems are complex sets of hardware and software stacks designed to maximize performance and efficiency. As these components have varying limitations of what can be installed or managed for security, the Office of Research Computing will develop additional configuration guidelines for individual components based on NIST recommendations.

Control	Requirement	Public	Internal Use	Confidential	Restricted
Physical Access Control	Systems must be located in a University managed Data Center.
Inventory Management	Asset must be tracked in Configuration Management Database (CMDB) or relevant inventory system.
Configuration Management and System Patching	Asset must be maintained according to University Patching Guidelines.
Credentials and Access Control	Devices must be password/pin protected in accordance with Strong Password Guidelines.
Logging and Monitoring	Logging must be enabled and forwarded to the University logging solution if requested.
Firewall	Firewalls must be configured to permit minimum necessary access and services.
Vulnerability Management	Identified vulnerabilities must be remediated according to University Patching Guidelines.
Two-Factor Authentication	Two-factor authentication must be required for all privileged user and administrator logins.
Regulated Data Security Controls	Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable.

Back to Top of Page

References and Related Documents

Patching Guidelines

Encryption Guidelines

Responsible Division

CCIT

Revision Date

May 30, 2023