Minimum Security Standards
Overview
These standards are intended to reflect the minimum level of care necessary for Pepperdine University's Confidential and RESTRICTED data. They do not relieve Pepperdine or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract. Pepperdine University expects all partners, consultants, and vendors to abide by Pepperdine University information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Pepperdine University information security policies.
Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the highest level data classification present on the endpoint and apply the controls designated for that classification to the entire endpoint.
- Follow the minimum security standards in the table below to safeguard your endpoints.
Process | Policy | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Purchase & Disposal | | Acquisition: For fiscal responsibility, timely service, and University due diligence in securing student and University data, effective FY24 any computer or electronic device must be acquired from an authorized partner, which preconfigures the device for Information Technology Device Management. Computers or electronic devices acquired outside this requirement must be turned over to Information Technology, before use, for the secure onboarding process. Unmanaged computers are subject to blocking until all required agents and configurations are installed. Disposal: All University-owned electronic devices must be turned over to IT for a complete wipe before disposal, donation, sale or gift; skipping this step may result in a legally required breach disclosure notice to the possibly affected parties, signed by the senior executive of the major area. | Required | Required | Required |
Patching | CNRUP | University-owned: Apply Pepperdine Domain WSUS (Win) and install Device Management to automatically apply security patches and configurations (Win/Mac); turn on auto-update and verify with browsercheck.pepperdine.edu (iOS/Android). Note: a University computer that cannot receive the latest security patches must be removed from the network, turned in to IT as surplus, and replaced by the department. | Required | Required | Required |
Whole Disk Encryption | ICPP | University-owned: Use SafeGuard Enterprise Managed FileVault2 (Mac) or SafeGuard Enterprise Managed BitLocker (Win) (or Broadcom Enterprise Managed PGP (Win), which is no longer licensed, so new installs or re-installs are not allowed). Non-enterprise encryption is prohibited. Note: RESTRICTED information is prohibited on 1) all personally purchased endpoints and 2) all personal or University-purchased mobile device endpoints. | NO | NO | Required |
Backups | ICPP, Records Management | University-owned: Enterprise Secure Cloud Backup is required for RESTRICTED data (Win/Mac). Confidential University data should be stored on a departmental or personal Google Workspace Shared Drive (best practice is to avoid using My Drive for your Pepperdine work). | | Required | Required |
Inventory | ICPP, CNRUP | University-owned: Endpoints must be registered in IT-designated automated inventories. As of 2024, this means WavesConnect computer registration for all endpoints plus Device Management agents from KACE (Win/Mac) and JAMF (Mac). Personally purchased: All devices connected to the University network must be self-registered before full access is granted. | Required | Required | Required |
Anti-malware | CNRUP | University-owned: the Device Management inventory agents will install Sophos Intercept X. Personally purchased: Sophos Home is recommended, but any reputable anti-virus should be installed on your computer when it connects to our systems or networks. | | | |
Configuration Management | CNRUP | University-owned: Install Device Management agents KACE (Win/Mac) and JAMF (Mac) for secure configuration on all computer endpoints. University-owned iOS mobiles may be required to use JAMF in the future. | Required | Required | Required |
Regulated Data Security Controls | CNRUP | Implement PCI DSS and HIPAA controls over and above University RESTRICTED data controls as required by law or contract. | | | Required |
Servers
A server is defined as a host that provides a network-accessible service.
- Determine the highest level data classification present on the server and apply the controls designated for that classification to the entire server.
- Follow the minimum security standards in the table below to safeguard your servers.
Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
Vulnerability Management | Yes | Perform a weekly Qualys scan. Remediate severity 4 and 5 vulnerabilities, and ISO-selected severity 3 vulnerabilities, according to the Patching standard. | Required | Required | Required |
Inventory | Yes | Notify ISO and enroll the server in Qualys, which serves as the server inventory system. | Required | Required | Required |
Firewall | | Enable the host-based firewall in default-deny mode and permit only the minimum necessary services. | Required | Required | Required |
Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus a 15-character minimum for administrator passwords. Use Enterprise authentication wherever possible; CAS/SAML is preferred everywhere, and LDAPS is permitted ONLY from within University datacenters. | Required | Required | Required |
Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | | Required | Required |
Centralized Logging | | Forward logs to a remote log server; the ISO central log service is recommended. All University-owned servers and any server within University datacenters shall use clock.pepperdine.edu to set their time. | Required | Required | Required |
Sysadmin Training | Yes | System administrators shall attend IT-mandated training. Application administrators should attend IT-mandated training. All admins shall acknowledge these standards. | Required | Required | Required |
Malware Protection | Yes | Deploy the IT standard anti-malware system. Review alerts as they are received. | Required | Required | Required |
Intrusion Detection | Yes | ISO attempts to review IDS alerts every day of the year, unless incidents or priority projects prevent time on task. ISO periodically adds automated remediation to IDS alerts as time away from priority projects permits. | Required | Required | Required |
Physical Protection | | Place system hardware in a data center. | | Required | Required |
Certificates | Yes | Make sure that certificates comply with the CTO Certificate Encryption Standard and are renewed on time (30 days in advance recommended). External vendors shall use Pepperdine enterprise certificates wherever possible. | | Required | Required |
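Several rows of the server table above are measurable rather than procedural: the 30-day patch window with its apply-ASAP override for exploited vulnerabilities, a default-deny host firewall, 15-character administrator passwords, LDAPS only from inside a datacenter, MFA on administrator logins, a remote log server, clock.pepperdine.edu as the time source, and certificate renewal 30 days before expiry. The script below is an added example, not a Pepperdine tool or part of these standards; it audits one constructed server record against those rows. The record layout, field names (`pending_patches`, `admin_accounts`, and so on), host names, patch IDs and certificates are all assumptions made for illustration. The certificate check reuses the `notAfter` string format that Python's `ssl.getpeercert()` returns, so the same function works on a live peer certificate.

```python
"""Audit a server record against the measurable rows of the server standards table.

Added example: record layout, field names and sample data are assumptions for
illustration, not a Pepperdine tool or inventory format.
"""
from __future__ import annotations

import ssl
from datetime import datetime, timedelta, timezone

PATCH_SLA_DAYS = 30           # vendor security patches within 30 days
CERT_RENEW_LEAD_DAYS = 30     # renew certificates 30 days in advance
ADMIN_MIN_PASSWORD_LEN = 15   # 15-character minimum for administrator logins
REQUIRED_TIME_SOURCE = "clock.pepperdine.edu"
ACCEPTED_MFA = {"SecureConnect", "TOTP"}  # DUO SecureConnect, or TOTP where it is not possible


def check_patching(record: dict, now: datetime) -> list[str]:
    """Flag patches pending longer than the SLA, and any patch under active exploitation."""
    findings = []
    for patch in record.get("pending_patches", []):
        age = (now - patch["released"]).days
        if patch.get("exploited_in_wild"):
            findings.append(f"patching: {patch['id']} is being exploited; apply ASAP")
        elif age > PATCH_SLA_DAYS:
            findings.append(f"patching: {patch['id']} pending {age} days (> {PATCH_SLA_DAYS})")
    return findings


def check_firewall(record: dict) -> list[str]:
    # Default policy must be deny; an any-port allow rule is taken (assumption) as not "minimum necessary".
    fw = record.get("firewall", {})
    findings = []
    if fw.get("default_policy") != "deny":
        findings.append(f"firewall: default policy is {fw.get('default_policy')!r}, expected 'deny'")
    for rule in fw.get("allow", []):
        if rule.get("port") in (None, "any"):
            findings.append(f"firewall: rule {rule!r} permits any port; name the service instead")
    return findings


def check_admin_access(record: dict) -> list[str]:
    """Admin password length, LDAPS only inside a datacenter, and MFA on every admin login."""
    findings = []
    in_dc = record.get("in_datacenter", False)
    for acct in record.get("admin_accounts", []):
        name = acct["name"]
        if acct.get("auth") == "local" and acct.get("password_length", 0) < ADMIN_MIN_PASSWORD_LEN:
            findings.append(f"access: admin {name} password is shorter than {ADMIN_MIN_PASSWORD_LEN}")
        if acct.get("auth") == "LDAPS" and not in_dc:
            findings.append(f"access: admin {name} uses LDAPS from outside a University datacenter")
        if not ACCEPTED_MFA & set(acct.get("mfa", [])):
            findings.append(f"mfa: admin {name} login has no SecureConnect or TOTP factor")
    return findings


def check_logging_and_time(record: dict) -> list[str]:
    findings = []
    if not record.get("remote_log_server"):
        findings.append("logging: no remote log server configured")
    if record.get("time_source") != REQUIRED_TIME_SOURCE:
        findings.append(f"time: source is {record.get('time_source')!r}, expected {REQUIRED_TIME_SOURCE}")
    return findings


def days_until_expiry(cert: dict, now: datetime) -> int:
    # cert["notAfter"] uses the "Jun 20 00:00:00 2024 GMT" form that ssl.getpeercert() returns.
    expires = datetime.fromtimestamp(ssl.cert_time_to_seconds(cert["notAfter"]), tz=timezone.utc)
    return (expires - now).days


def check_certificates(record: dict, now: datetime) -> list[str]:
    """Flag expired certificates and those inside the 30-day renewal window."""
    findings = []
    for cert in record.get("certificates", []):
        left = days_until_expiry(cert, now)
        if left < 0:
            findings.append(f"certs: {cert['subject_cn']} expired {-left} days ago")
        elif left <= CERT_RENEW_LEAD_DAYS:
            findings.append(f"certs: {cert['subject_cn']} expires in {left} days; renew now")
    return findings


def audit(record: dict, now: datetime) -> list[str]:
    return (check_patching(record, now) + check_firewall(record) + check_admin_access(record)
            + check_logging_and_time(record) + check_certificates(record, now))


# Constructed sample record: host names, patch IDs and certificates are made up.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORD = {
    "in_datacenter": False,
    "pending_patches": [
        {"id": "KB-0001", "released": NOW - timedelta(days=40), "exploited_in_wild": False},
        {"id": "KB-0002", "released": NOW - timedelta(days=3), "exploited_in_wild": True},
    ],
    "firewall": {"default_policy": "allow", "allow": [{"port": 443}, {"port": "any"}]},
    "admin_accounts": [
        {"name": "root", "auth": "local", "password_length": 12, "mfa": []},
        {"name": "svc-admin", "auth": "LDAPS", "mfa": ["TOTP"]},
    ],
    "remote_log_server": None,
    "time_source": "pool.ntp.org",
    "certificates": [
        {"subject_cn": "app01.example.edu", "notAfter": "Jun 20 00:00:00 2024 GMT"},
        {"subject_cn": "legacy.example.edu", "notAfter": "May 15 00:00:00 2024 GMT"},
    ],
}

if __name__ == "__main__":
    for finding in audit(SAMPLE_RECORD, NOW):
        print(finding)
```

Run against the sample record it reports eleven findings, one per violated row, with the exploited patch flagged regardless of its age. To use it on real hosts, populate the record from your inventory or configuration-management export and pass the current UTC time as `now`; the only interpretation added beyond the table is treating an any-port firewall rule as a violation of "minimum necessary services".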
Networked Applications
A networked application is defined as software running on a computing device that is accessible to other computing devices across a network.
- Determine the highest level data classification present on the application and apply the controls designated for that classification to the entire application.
- Follow the minimum security standards in the table below to safeguard your applications.
Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
Vulnerability Management | Yes | Respond promptly to all ISO and third-party vulnerability alerts. | Required | Required | Required |
Inventory | Yes | Maintain a list of applications and their associated data classifications. Review and update records as determined by IT or annually, whichever is sooner. | Required | Required | Required |
Firewall | | Request the minimum necessary services with the minimum necessary access scope through the network firewall. | Required | Required | Required |
Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus a 15-character minimum for administrator passwords. Use Enterprise authentication wherever possible; CAS/SAML is preferred everywhere, and LDAPS is permitted ONLY from within University data centers. | Required | Required | Required |
Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | Required | Required | Required |
Centralized Logging | | Forward logs to a remote log server; the ISO central log service is recommended. | Required | Required | Required |
Secure Software Development | Yes | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools is recommended. Adhere to the IT AppDev Software Development Life Cycle. | Required | Required | Required |
Developer Training | Yes | Attend developer security training initially and periodically, covering OWASP and additional applicable secure coding practices. | Required | Required | Required |
Backups | Yes | Back up and synchronize application data as required to comply with IT Business Continuity and Disaster Recovery requirements. | Required | Required | Required |
Penetration Testing | Yes | Remediate any finding of vulnerability scans or penetration tests promptly. | Required | Required | Required |
Regulated Data Security Controls | | Implement PCI DSS, HIPAA, or other controls as applicable. | | | Required |
University Security Policies
There are 3 main University information security policies:
- Computer and Network Responsible Use Policy (CNRUP)
- Information Classification and Protection Policy (ICPP)
- Records Management
See the Policies and Guidelines page on the ISO web pages for detailed information.
Since 2009 the University's Information Classification and Protection Policy (ICPP) has defined 3 data classifications. You are required by policy to adopt the controls specified for each classification. You are also asked to learn the terms and definitions of that policy, which was modeled on other University policies and enacted by UMC, and to discard meaningless terms such as "sensitive," which are sometimes applied to data of all 3 classifications (e.g. email address or campus-wide ID (Public), grades and business email (Confidential), or Social Security Numbers (RESTRICTED)).
The standards above for endpoints, servers and applications are intended to implement such standards as have been delegated to IT to create by the following University policies: the ICPP, the Computer and Network Responsible Use Policy (CNRUP) and the Records Management Policy.
As cybersecurity is a rapidly evolving professional discipline that continuously presents us with new methods to deal with new challenges, the above standards will be revised and updated accordingly.