TigerSecurity Standards

Guidelines

Minimum IT Security Standards

Purpose

Clemson University is committed to protecting the privacy of its students, alumni, faculty, and staff while protecting the confidentiality, integrity, and availability of information important to the University’s mission. To meet that commitment, the University has developed minimum security standards which will be used to identify the security controls required for University managed systems, applications, cloud-based services and other devices that process or connect to University data and resources.

Standards

The Minimum Security Standards vary based on the classification of the data that is stored or processed on the system or application. A system must be protected at the level of the highest data classification stored or processed on it. For example, if a laptop is used to access a server holding Confidential Data, the laptop must be protected at the Confidential level as well. For more information on how data is classified, refer to the University Data Classification Policy. For assistance in understanding and implementing these guidelines, contact the Office of Information Security and Privacy (OIS) through the IT Support Center.

Minimum Security Standards:

For assistance in understanding and implementing these guidelines, contact the Office of Information Security and Privacy (OIS) through our ticketing system.

Endpoints

Endpoints are any devices that connect to the Clemson network, including any desktop or laptop purchased by Clemson and issued to a user.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory Management | All assets must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Antivirus/Malware Protection | University supported antivirus solution must be enabled. | Yes | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | Yes | Yes | Yes | Yes |
| Advanced Threat Detection | Use the University supported Endpoint Protection Platform. | Yes | Yes | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Servers

A server is any University hosted system that provides a service over the network. Servers constitute a much smaller portion of University managed systems, but due to their very nature are much more exposed. Servers include hosts such as web servers, application servers, shared drives, and databases.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory Management | All assets must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Antivirus/Malware Protection | University supported antivirus solution must be enabled. | Yes | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | Yes | Yes | Yes | Yes |
| Firewall | Host-based firewall must be in default deny mode and permit only the minimum necessary services. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Physical Access Control | Systems must be located in a University managed or approved Data Center. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Dedicated Admin Workstation | Access administrative accounts only via Virtual Desktop Interface (VDI). | | | Yes | Yes |
| Advanced Threat Detection | Use the University supported Endpoint Protection Platform. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Mobile Devices

Mobile devices consist primarily of phones and tablets and are generally running Android or iOS software. University purchased or managed mobile devices must adhere to the controls below.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Register devices in the University supported Configuration Management Solution. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Use the University supported Configuration Management Solution. Use a supported Operating System (OS) version. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Devices must be password/PIN protected in accordance with Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Local Encryption | Enable device encryption. | Yes | Yes | Yes | Yes |

Personally Owned Devices

Personally owned devices include computers and mobile devices owned and managed by a user. When these devices are connected to the University network or are used to store or process data including email, the devices must meet the requirements below.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Configuration Management and System Patching | Asset must be maintained according to University Patching Guidelines. | Yes | Yes | Not Authorized | Not Authorized |
| Credentials and Access Control | Devices must be password/PIN protected in accordance with Strong Password Guidelines. | Yes | Yes | Not Authorized | Not Authorized |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | Yes | Not Authorized | Not Authorized |

University Developed Software Services

University Developed Software Services are defined as any software or web applications developed by University faculty or staff running on a University owned endpoint or server that provides services across University resources.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Internally developed apps must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Firewall | Only the minimum necessary services may be permitted through the network firewall. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | | Yes | Yes | Yes |
| Secure Software Development | Security must be considered in design requirements. Review all code and correct identified security flaws prior to deployment. For web apps, follow applicable Web Development Standards. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Security Review | OIS must review the software, and all findings must be addressed prior to deployment. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

University Hosted Software Services

University Hosted Software Services are defined as any third-party software running on a University owned endpoint or server that provides services across University resources.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Hosted software must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Firewall | Only the minimum necessary services may be permitted through the network firewall. | Yes | Yes | Yes | Yes |
| Security Review | Software must be procured through Vendor Management. OIS must review the software, and all findings must be addressed prior to deployment. | | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | | Yes | Yes | Yes |
| Backups | Create external backups of application data periodically. Encrypt at rest and in transit. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Dedicated Admin Workstation | Access administrative accounts only via Virtual Desktop Interface (VDI). | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Software as a Service (SaaS)

Software as a Service (SaaS) is defined as any application or software procured by Clemson University that processes or stores University data in an environment controlled by a third party.

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Asset must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Security Review | Software must be procured through Vendor Management. OIS must review the software, and all findings must be addressed prior to deployment. | | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Network Encryption | Encryption protocol must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if available, or the vendor must be contractually required to supply logs when requested. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

References and Related Documents

Patching Guidelines

Encryption Guidelines

Responsible Division

CCIT

Revision Date

May 22, 2020