Minimum Security Standards

Overview

These standards are intended to reflect the minimum level of care necessary for Pepperdine University's Confidential and RESTRICTED data.  They do not relieve Pepperdine or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract.  Pepperdine University expects all partners, consultants, and vendors to abide by Pepperdine University information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Pepperdine University information security policies.

Endpoints

An endpoint is defined as any laptop, desktop, or mobile device.

  1. Determine the highest level data classification present on the endpoint and apply the controls designated for that classification to the entire endpoint.
  2. Follow the minimum security standards in the table below to safeguard your endpoints.
| Process | Policy | What to Do | Public | Confidential | RESTRICTED |
|---|---|---|---|---|---|
| Patching | CNRUP | University Owned: Apply Pepperdine Domain WSUS (Win) and install Device Management to automatically apply security patches and configurations (Win/Mac); Turn on auto-update and verify with browsercheck.pepperdine.edu (iOS/Android). Personally Purchased: browsercheck.pepperdine.edu is recommended to find genuine patches (Win/Mac/Mobile). | Required | Required | Required |
| Whole Disk Encryption | ICPP | University Owned: Use SafeGuard Enterprise Managed FileVault2 (Mac) or SafeGuard Enterprise Managed BitLocker (Win) or Broadcom Enterprise Managed PGP (Win). Non-enterprise encryption prohibited. RESTRICTED information is prohibited on: 1) All personally purchased endpoints and 2) all personal or University purchased mobile device endpoints. | NO | NO | Required |
| Backups | ICPP, Records Management | University Owned: Enterprise Secure Cloud Backup is required for RESTRICTED data (Win/Mac). Confidential University data should be stored on Google Workspace Shared Drive or My Drive as backup. | | Required | Required |
| Inventory | ICPP, CNRUP | All University owned endpoints must be registered in IT designated automated inventories. As of 2021 this means WavesConnect computer registration for all endpoints plus Device Management (Win/Mac) and JAMF (Mac). | Required | Required | Required |
| Configuration Management | CNRUP | Install Device Management (Win/Mac) and JAMF (Mac) for secure configuration on all computer endpoints. University owned iOS mobiles may be required to use JAMF in future. | Required | Required | Required |
| Regulated Data Security Controls | CNRUP | Implement PCI DSS, HIPAA, controls over and above University RESTRICTED data controls as applicable. | | | Required |

Servers

A server is defined as a host that provides a network accessible service.

  1. Determine the highest level data classification present on the server and apply the controls designated for that classification to the entire server.
  2. Follow the minimum security standards in the table below to safeguard your servers.
| Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
|---|---|---|---|---|---|
| Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
| Vulnerability Management | Yes | Perform a weekly Qualys scan. Remediate severity 4 and 5 vulnerabilities and ISO selected severity 3 vulnerabilities according to Patching standard. | Required | Required | Required |
| Inventory | Yes | Notify ISO and enroll the server in Qualys, which serves as the server inventory system. | Required | Required | Required |
| Firewall | | Enable host-based firewall in default deny mode and permit the minimum necessary services. | Required | Required | Required |
| Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus minimum 15 character passwords for administrator logins. Use Enterprise authentication everywhere possible; CAS/SAML is preferred everywhere, but LDAPS is permitted ONLY from within University datacenters. | Required | Required | Required |
| Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | | Required | Required |
| Centralized Logging | | Forward logs to a remote log server. ISO central log service is recommended. All University-owned servers and any server within University datacenters shall use clock.pepperdine.edu to set its time. | Required | Required | Required |
| Sysadmin Training | Yes | System administrators shall attend IT mandated training. Application administrators should attend IT mandated training. All admins shall acknowledge these standards. | Required | Required | Required |
| Malware Protection | Yes | Deploy the IT standard anti-malware system. Review alerts as they are received. | Required | Required | Required |
| Intrusion Detection | Yes | ISO attempts to review IDS alerts for every day of the year, unless incidents or priority projects prevent time on task. ISO periodically adds automated remediation to IDS alerts, as time from priority projects permits. | Required | Required | Required |
| Physical Protection | | Place system hardware in a data center. | | Required | Required |
| Certificates | Yes | Make sure that certificates comply with the CTO Certificate Encryption Standard and are renewed in a timely manner (30 days in advance recommended). External vendors shall use Pepperdine enterprise certs where at all possible. | Required | | |

Applications

An application is defined as software running on a server that is remotely accessible, including mobile applications.

  1. Determine the highest level data classification present on the application and apply the controls designated for that classification to the entire application.
  2. Follow the minimum security standards in the table below to safeguard your applications.
| Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
|---|---|---|---|---|---|
| Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
| Vulnerability Management | Yes | Respond to all ISO and third party alerts to vulnerabilities timely. | Required | Required | Required |
| Inventory | Yes | Maintain a list of applications and the associated data classifications. Review and update records as determined by IT or annually, whichever is sooner. | Required | Required | Required |
| Firewall | | Request the minimum necessary services with the minimum necessary access scope through the network firewall. | Required | Required | Required |
| Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus minimum 15 character passwords for administrator logins. Use Enterprise authentication everywhere possible; CAS/SAML is preferred everywhere, but LDAPS is permitted ONLY from within University data centers. | Required | Required | Required |
| Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | Required | Required | Required |
| Centralized Logging | | Forward logs to a remote log server. ISO central log service is recommended. | Required | Required | Required |
| Secure Software Development | Yes | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools recommended. Adhere to IT AppDev Software Development Life Cycle. | Required | Required | Required |
| Developer Training | Yes | Attend developer security training initially and periodically to include OWASP and additional applicable secure coding practices. | Required | Required | Required |
| Backups | Yes | Back up and synchronize application data as required to ensure compliance with IT Business Continuity and Disaster Recovery requirements. | Required | Required | Required |
| Penetration Testing | Yes | Remediate any finding of vulnerability scans or penetration tests timely. | Required | Required | Required |
| Regulated Data Security Controls | | Implement PCI DSS, HIPAA or other controls as applicable. | | | Required |

University Security Policies

There are 3 main University information security policies:

  • Computer and Network Responsible Use Policy (CNRUP)
  • Information Classification and Protection Policy (ICPP)
  • Records Management

See the Policies and Guidelines page on the ISO web pages for detailed information.

Since 2009 the University's Information Classification and Protection Policy (ICPP) has defined 3 data classifications. You are required by policy to adopt the controls specified for each classification. You are also requested to learn the terms and definitions of that policy, which was modeled on other University policies and enacted by UMC, and to discard meaningless terms such as "sensitive," which is sometimes applied to data of all 3 classifications (e.g. email address or campus wide ID (Public), grades and business email (Confidential), or Social Security Numbers (RESTRICTED)).

The standards above for endpoints, servers, and applications are intended to implement the standards that the following University policies delegate to IT to create: the ICPP, the Computer and Network Responsible Use Policy (CNRUP), and the Records Management Policy.

As cybersecurity is a rapidly evolving professional discipline that continuously presents us with new methods to deal with new challenges, the above standards will be revised and updated accordingly.  

FAQs

 General Questions

Tech Central

Assistance with implementing endpoint security standards
310-506-4357 (HELP)

Information Security Office

Information Security Questions
310-506-4040
iso -at- pepperdine.edu

 Suspected Information Security Incident

Information Security Office

DO NOT JUST EMAIL US!

YOU MUST CALL 310-506-4040 and follow instructions on the voicemail until you get a live operator.

Once you contact that person you may email iso ~at~ pepperdine.edu with details.

 Report Lost or Stolen Device

Department of Public Safety

All lost or stolen endpoints must be reported to DPS, which will contact ISO as required.
310-506-4442 (24x7)