Endpoints
An endpoint is defined as any laptop, desktop, or mobile device.
1. Determine the risk level by reviewing the data, server and application risk classification examples and selecting the highest applicable risk designation across all. For example, an endpoint storing Low Risk data but accessing a High Risk application should be designated as High Risk.
2. Follow the minimum security standards in the table below to safeguard your endpoints.
STANDARDS | FREE OF CHARGE | RECURRING TASK | WHAT TO DO | LOW | MEDIUM | HIGH |
---|---|---|---|---|---|---|
PATCHING | yes | yes | Apply security patches within seven days of publish. Use a supported OS version. | yes | yes | yes |
WHOLE DISK ENCRYPTION | yes | | Enable FileVault2 for Mac through Self Service, BitLocker for Windows. Install MDM on mobile devices. | yes | yes | yes |
MALWARE PROTECTION | yes | | Install malware protection using Palo Alto Cortex XDR Pro. | yes | yes | yes |
BACKUPS | yes | | Backup user data at least daily. NSave CrashPlan PROe is recommended for all University Endpoints. | yes | yes | yes |
CONFIGURATION MANAGEMENT | yes | | Install Configuration Manager/SCCM (Windows) or Jamf Pro (Apple). | yes | yes | yes |
REGULATED DATA SECURITY CONTROLS | yes | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | yes |
FIREWALL | yes | | Enable local firewall in default deny mode and permit minimum necessary services. | yes | yes | yes |
Servers
STANDARDS | FREE OF CHARGE | RECURRING TASK | WHAT TO DO | LOW | MEDIUM | HIGH |
---|---|---|---|---|---|---|
PATCHING | yes | | Apply security patches within seven days of publish. Use a supported OS version. | yes | yes | yes |
INVENTORY | yes | | Review and update inventory records quarterly. | yes | yes | yes |
FIREWALL | yes | | Enable host-based and network firewall in default deny mode and permit minimum necessary services. | yes | yes | yes |
CREDENTIALS & ACCESS CONTROL | yes | | Integration with NU-ITS Authentication Services is recommended. Review existing accounts and privileges quarterly. Enforce password complexity for any unmanaged/local accounts. | yes | yes | yes |
TWO-FACTOR AUTHENTICATION | yes | | Require Duo two-factor authentication for all interactive user and administrator logins when possible. | yes | yes | yes |
CONFIGURATION MANAGEMENT | yes | | Install Configuration Manager/SCCM (Windows) or Jamf Pro (Apple). | yes | yes | yes |
CENTRALIZED LOGGING | | | Forward logs to a remote log server. University IT Splunk service recommended. | yes | yes | yes |
VULNERABILITY MANAGEMENT | yes | yes | Enable local firewall in default deny mode and permit minimum necessary services. | yes | yes | yes |
MALWARE PROTECTION | yes | yes | Install malware protection using Palo Alto Cortex XDR Pro. | yes | yes | yes |
PHYSICAL PROTECTION | yes | | Place system hardware in a data center. | | yes | yes |
SECURITY, PRIVACY & LEGAL REVIEW | yes | | Request a Security, Privacy, and Legal review and implement recommendations before deployment. | | | yes |
REGULATED DATA SECURITY CONTROLS | | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | yes |
MONITORING | yes | | Monitor system for uptime. | | yes | yes |
Applications
STANDARDS | FREE OF CHARGE | RECURRING TASK | WHAT TO DO | LOW | MEDIUM | HIGH |
---|---|---|---|---|---|---|
PATCHING | yes | | Based on National Vulnerability Database (NVD) ratings, apply high severity security patches within seven days of publish, medium severity within 14 days, and low severity within 28 days. Use a supported version of the application. | yes | yes | yes |
INVENTORY | yes | | Maintain a list of applications and data classifications. Review and update records quarterly. | yes | yes | yes |
FIREWALL | yes | | Permit minimum necessary services in network firewall. Review and verify firewall rules annually. | yes | yes | yes |
CREDENTIALS & ACCESS CONTROL | yes | | Review existing accounts and privileges quarterly. Integrate with UNL CAS or Shibboleth. Follow the Authentication Services Policy. | yes | yes | yes |
TWO-FACTOR AUTHENTICATION | yes | | Require Duo two-factor authentication for all interactive user and administrator logins when possible. | yes | yes | yes |
CENTRALIZED LOGGING | | | Forward logs to a remote log server. University IT Splunk service recommended. | yes | yes | yes |
WEBSITE SSL | yes | | Obtain and use a TLS certificate on all websites. Sites that accept credentials or credit card information use an “extended validation” certificate. | yes | yes | yes |
VULNERABILITY MANAGEMENT | yes | yes | Monthly Qualys application scan. Remediate severity 5 vulnerabilities within seven days, severity 4 vulnerabilities within 14 days, and severity 3 vulnerabilities within 28 days of discovery. | yes | yes | yes |
PHYSICAL PROTECTION | | | Place system hardware in a data center. | | yes | yes |
SECURE SOFTWARE DEVELOPMENT | | | Include security as a design requirement. Review all code and correct identified security flaws before deployment. Use of static code analysis tools recommended. | yes | yes | yes |
SECURITY APP SCAN | yes | | Security Dept should run an initial app scan on the application on a staging server. Applies to both new vendor obtained and new custom developed apps. | | yes | yes |
DEVELOPER TRAINING | yes | yes | Attend two days of Information Security Academy training annually. | | yes | yes |
BACKUPS | | | Backup application data nightly. Encrypt backup data in transit and at rest. | | yes | yes |
DEDICATED ADMIN WORKSTATION | | | Access administrative accounts only via a certified Personal Bastion Host (PBH) or the Full Tunnel VPN profile. | | yes | yes |
SECURITY, PRIVACY & LEGAL REVIEW | yes | | Request a Security, Privacy, and Legal review and implement recommendations before deployment. | | | yes |
REGULATED DATA SECURITY CONTROLS | | | Implement PCI DSS, HIPAA, or export controls as applicable. | | | yes |
Definitions
Computing Equipment
Any UNL-provided desktop or portable device or system, or any non-UNL desktop or portable device or system used to access UNL-provided data or services.
Masked number
- A credit card primary account number (PAN) has no more than the first six and the last four digits intact, and
- All other Prohibited or Restricted numbers have only the last four intact. See the entire DSS 3.1 Standard (if you are willing to agree to some terms).
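The masking rule above, implemented as an added Python example (not code from the original page) with a check a reviewer could run over a log line or export to confirm a card number is already masked. The 13-to-19-digit PAN length range is an assumption the page does not state, and the sample values are constructed.

```python
import re

# Constructed sample values (not real card or identification numbers).
SAMPLE_PAN = "4111 1111 1111 1111"
SAMPLE_RESTRICTED = "123-45-6789"


def _digits(value: str) -> str:
    """Drop separators such as spaces and dashes; only the digits get masked."""
    return re.sub(r"\D", "", value)


def mask_pan(pan: str) -> str:
    """Mask a credit card PAN as the definition requires: at most the first six
    and the last four digits stay intact; every digit in between becomes '*'."""
    digits = _digits(pan)
    # Assumption: PCI DSS PANs are 13 to 19 digits long; the page gives no range.
    if not 13 <= len(digits) <= 19:
        raise ValueError("PAN must contain 13 to 19 digits")
    return digits[:6] + "*" * (len(digits) - 10) + digits[-4:]


def mask_restricted_number(number: str) -> str:
    """Mask any other Prohibited or Restricted number: only the last four stay intact."""
    digits = _digits(number)
    if len(digits) <= 4:
        raise ValueError("value is too short for anything to be masked")
    return "*" * (len(digits) - 4) + digits[-4:]


def is_masked_pan(value: str) -> bool:
    """Compliance check for a PAN-shaped value found in a log or export: True only
    when every position outside the first six and last four is a non-digit."""
    cleaned = re.sub(r"[ -]", "", value)
    if not 13 <= len(cleaned) <= 19 or not cleaned[-4:].isdigit():
        return False
    middle = cleaned[6:-4]
    return len(middle) > 0 and not any(ch.isdigit() for ch in middle)


if __name__ == "__main__":
    print(mask_pan(SAMPLE_PAN))  # 411111******1111
    print(mask_restricted_number(SAMPLE_RESTRICTED))  # *****6789
    print(is_masked_pan("411111******1111"), is_masked_pan(SAMPLE_PAN))  # True False
```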
NIST-Approved Encryption
The National Institute of Standards and Technology (NIST) develops and promotes cryptographic standards that enable U.S. Government agencies and others to select cryptographic security functionality for protecting their data. Encryption that meets NIST-approved standards is suitable for protecting UNL data if the encryption keys are properly managed. In particular, secret cryptographic keys must not be stored or transmitted along with the data they protect. Cryptographic keys have the same data classification as the most sensitive data they protect.
Payment Card Industry Data Security Standards
- The practices used by the credit card industry to protect cardholder data.
- The Payment Card Industry Data Security Standards (PCI DSS) comprise an effective and appropriate security program for systems that store, process, or transmit card payment data.
Protected Health Information (PHI)
All individually identifiable information that relates to the health or health care of an individual and is protected under federal or state law. For questions about whether information is considered to be PHI, contact the University Privacy Officer.
Qualified Machine
A computing device located in a secure UNL facility and with access control protections that meet the Payment Card Industry Data Security Standards.
Student Records Information
Data maintained by UNL and under the jurisdiction of the Family Educational Rights and Privacy Act (FERPA) tenets. Student Records include UNL-held student academic transcripts and other related academic records (official and unofficial), and UNL-held records related to:
- academic advising
- health/disability
- academic probation and/or suspension
- conduct (including disciplinary actions)
- Directory information and other biographical and personal data maintained by the Office of the University Registrar and/or other UNL offices.
- Applications for student admission are considered to be Student Records at the point the application has been received and accepted and acknowledged as such by UNL.