Minimum Security Standards
Overview
These standards are intended to reflect the minimum level of care necessary for Pepperdine University's Confidential and RESTRICTED data. They do not relieve Pepperdine or its employees, partners, consultants, or vendors of further obligations that may be imposed by law, regulation or contract. Pepperdine University expects all partners, consultants, and vendors to abide by Pepperdine University information security policies. If non-public information is to be accessed or shared with these third parties, they should be bound by contract to abide by Pepperdine University information security policies.
Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
- Determine the highest level data classification present on the endpoint and apply the controls designated for that classification to the entire endpoint.
- Follow the minimum security standards in the table below to safeguard your endpoints.
Process | Policy | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Patching | CNRUP | University Owned: Apply Pepperdine Domain WSUS (Win) and install Device Management to automatically apply security patches and configurations (Win/Mac); turn on auto-update and verify with browsercheck.pepperdine.edu (iOS/Android). Note: a University computer that cannot receive the latest security patches must be removed from the network, turned in to IT as surplus, and replaced by the department. | Required | Required | Required |
Whole Disk Encryption | ICPP | University Owned: Use SafeGuard Enterprise Managed FileVault2 (Mac), SafeGuard Enterprise Managed BitLocker (Win), or Broadcom Enterprise Managed PGP (Win). Non-enterprise encryption is prohibited. RESTRICTED information is prohibited on: 1) all personally purchased endpoints and 2) all personal or University purchased mobile device endpoints. | NO | NO | Required |
Backups | ICPP, Records Management | University Owned: Enterprise Secure Cloud Backup is required for RESTRICTED data (Win/Mac). Confidential University data should be stored on Google Workspace Shared Drive or My Drive as backup. | | Required | Required |
Inventory | ICPP, CNRUP | All University owned endpoints must be registered in IT designated automated inventories. As of 2021 this means WavesConnect computer registration for all endpoints plus Device Management (Win/Mac) and JAMF (Mac). | Required | Required | Required |
Configuration Management | CNRUP | Install Device Management (Win/Mac) and JAMF (Mac) for secure configuration on all computer endpoints. University owned iOS mobiles may be required to use JAMF in future. | Required | Required | Required |
Regulated Data Security Controls | CNRUP | Implement PCI DSS, HIPAA, and similar controls over and above University RESTRICTED data controls as applicable. | | | Required |
Servers
A server is defined as a host that provides a network accessible service.
- Determine the highest level data classification present on the server and apply the controls designated for that classification to the entire server.
- Follow the minimum security standards in the table below to safeguard your servers.
Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
Vulnerability Management | Yes | Perform a weekly Qualys scan. Remediate severity 4 and 5 vulnerabilities and ISO selected severity 3 vulnerabilities according to the Patching standard. | Required | Required | Required |
Inventory | Yes | Notify ISO and enroll the server in Qualys, which serves as the server inventory system. | Required | Required | Required |
Firewall | | Enable the host-based firewall in default deny mode and permit only the minimum necessary services. | Required | Required | Required |
Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus minimum 15-character passwords for administrator logins. Use Enterprise authentication everywhere possible; CAS/SAML is preferred everywhere, but LDAPS is permitted ONLY from within University datacenters. | Required | Required | Required |
Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | | Required | Required |
Centralized Logging | | Forward logs to a remote log server. The ISO central log service is recommended. All University-owned servers and any server within University datacenters shall use clock.pepperdine.edu to set their time. | Required | Required | Required |
Sysadmin Training | Yes | System administrators shall attend IT mandated training. Application administrators should attend IT mandated training. All admins shall acknowledge these standards. | Required | Required | Required |
Malware Protection | Yes | Deploy the IT standard anti-malware system. Review alerts as they are received. | Required | Required | Required |
Intrusion Detection | Yes | ISO attempts to review IDS alerts every day of the year, unless incidents or priority projects prevent time on task. ISO periodically adds automated remediation to IDS alerts as time from priority projects permits. | Required | Required | Required |
Physical Protection | | Place system hardware in a data center. | | Required | Required |
Certificates | Yes | Make sure that certificates comply with the CTO Certificate Encryption Standard and are renewed on time (30 days in advance recommended). External vendors shall use Pepperdine enterprise certs wherever at all possible. | | Required | Required |
Networked Applications
A networked application is defined as software running on a computing device, which is accessible to other computing devices across a network.
- Determine the highest level data classification present on the application and apply the controls designated for that classification to the entire application.
- Follow the minimum security standards in the table below to safeguard your applications.
Standards | Recurring Task | What to Do | Public | Confidential | RESTRICTED |
---|---|---|---|---|---|
Patching | Yes | Apply all vendor security patches within 30 days. When exploits are in use against the unpatched system, apply patches ASAP. | Required | Required | Required |
Vulnerability Management | Yes | Respond to all ISO and third party vulnerability alerts in a timely manner. | Required | Required | Required |
Inventory | Yes | Maintain a list of applications and the associated data classifications. Review and update records as determined by IT or annually, whichever is sooner. | Required | Required | Required |
Firewall | | Request the minimum necessary services with the minimum necessary access scope through the network firewall. | Required | Required | Required |
Credentials and Access Control | Yes | Review local accounts and privileges periodically. Enforce IT standard password complexity plus minimum 15-character passwords for administrator logins. Use Enterprise authentication everywhere possible; CAS/SAML is preferred everywhere, but LDAPS is permitted ONLY from within University data centers. | Required | Required | Required |
Multi-factor Authentication (MFA) | | Require SecureConnect powered by DUO MFA for all user and administrator logins where possible. Administrator logins must be protected by TOTP or other MFA where SecureConnect is not possible. | Required | Required | Required |
Centralized Logging | | Forward logs to a remote log server. The ISO central log service is recommended. | Required | Required | Required |
Secure Software Development | Yes | Include security as a design requirement. Review all code and correct identified security flaws prior to deployment. Use of static code analysis tools is recommended. Adhere to the IT AppDev Software Development Life Cycle. | Required | Required | Required |
Developer Training | Yes | Attend developer security training initially and periodically, to include OWASP and additional applicable secure coding practices. | Required | Required | Required |
Backups | Yes | Back up and synchronize application data as required to ensure compliance with IT Business Continuity and Disaster Recovery requirements. | Required | Required | Required |
Penetration Testing | Yes | Remediate any finding of vulnerability scans or penetration tests in a timely manner. | Required | Required | Required |
Regulated Data Security Controls | | Implement PCI DSS, HIPAA or other controls as applicable. | | | Required |
University Security Policies
There are 3 main University information security policies:
- Computer and Network Responsible Use Policy (CNRUP)
- Information Classification and Protection Policy (ICPP)
- Records Management
See the Policies and Guidelines page on the ISO web pages for detailed information.
Since 2009 the University's Information Classification and Protection Policy (ICPP) has defined 3 data classifications. You are required by policy to adopt the controls specified for each classification. You are also requested to learn the terms and definitions of that policy, which was modeled on other University policies and enacted by UMC, and to discard meaningless terms such as "sensitive," which are sometimes applied to data of all 3 classifications (e.g. email address or campus-wide ID (Public), grades and business email (Confidential), or Social Security Numbers (RESTRICTED)).
The standards above for endpoints, servers and applications are intended to implement such standards as have been delegated to IT to create by the following University policies: the ICPP, the Computer and Network Responsible Use Policy (CNRUP) and the Records Management Policy.
As cybersecurity is a rapidly evolving professional discipline that continuously presents us with new methods to deal with new challenges, the above standards will be revised and updated accordingly.