Cybersecurity

Public Facing IT Assets Standards

Cyber threat actors are continuously scanning the internet for vulnerable systems to conduct attacks and campaigns. An organization’s internet-facing or public facing systems represent much of their attack surface area. Inadequate security controls, practices and procedures can put classified, sensitive and private information/data at risk from unauthorized access and disclosure.

Watch the following two-minute video to get a quick understanding of public facing IT assets standards being used at NMSU. 

The implementation of stringent security controls should not be compromised unless the organization has made a conscious decision to accept the risk. Where this is the case, any residual risk should be addressed by the application of compensatory controls.

At present, most of NMSU’s websites are publicly available and hosted on publicly accessible IT assets/servers, which exposes the university to a high risk of cyber-attacks. In response to this exposure, the university has taken strategic steps to improve its web presence by reducing the number of public facing websites and moving websites needed only for internal use or university business operations behind a firewall. The university has selected Cascade as the web platform for public facing sites and WordPress for internal facing sites.

Additionally, the university identified over 950 public facing websites containing web forms that collect information, many of which collect personally identifiable information (PII). These websites also pose a seriously elevated security threat to the university, as they could be susceptible to injection attacks. A successful injection attack can result in confidential data being deleted, lost or stolen; websites being defaced; unauthorized access to systems or accounts; and, ultimately, compromise of individual machines or entire networks.

Requirements:

  • External Facing IT Asset Standards – Requirements
    Internet-facing servers/computers and other IT assets are constantly being probed by hackers looking for unpatched vulnerabilities that would allow them easy access and, in some cases, privilege escalation. As a result, all public/internet facing IT assets must meet the following minimum security requirements:

    • The server must be administered by a professional server administrator
    • The server must be subject to:
              - Regular vulnerability assessments
              - Patching
              - Firewalling
              - Credentials and access controls
              - Multi-factor authentication
              - Centralized logging
              - Malware protection (IPS) and intrusion detection (IDS)
              - SysAdmin training
              - Physical security
              - Data security controls based on sensitivity
    • The server must be part of an institutional IT inventory system

    Overall, an IT asset inventory of public facing IP addresses will be maintained by the IT auditor at NMSU to monitor and audit compliance with this standard on a regular basis.

  • Public Facing Websites containing Web Forms – Requirements
    All NMSU public facing websites must be hosted on Cascade and kept up to date with current content. Additionally, public facing websites containing web forms that collect information pose an elevated security risk to the university, as they could be susceptible to injection attacks. As a result, all public/internet facing webpages containing web forms must meet the following minimum security requirements:

    • Website must be hosted on a server centrally managed by ICT, if on premises
    • If the website is hosted by a third party, security/privacy assurances must be obtained
    • Website must be subject to regular web application security penetration testing
    • Website must be regularly scanned for injection attack vulnerabilities
    • Backend databases must be hardened, regularly scanned and installed on ICT managed servers

    Web Forms collecting confidential personally identifiable information (PII) must meet additional security requirements:

    • Notify the NMSU chief privacy officer when collecting the following PII:
              - Social Security Numbers
              - Date of birth
              - Names in combination with one of the other listed data elements
              - Grades
              - Credit card numbers
              - Medical information, etc.
    • Document the data flow of the data collection and how the data is stored:
              - Backend database and who administers the database
              - Flat file and who has access to this data
    • Implement access controls to PII

    Overall, it should be noted that each data field in a web form represents an opportunity for a hacker to launch an injection attack; therefore data collection should always aim at collecting the minimum number of data elements from students, faculty, staff and the public.
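    The point above, as an added illustration that is not part of the NMSU standard: a form handler that splices a field value into its SQL, beside the parameterized version that injection scanning is meant to confirm, plus a field allowlist that enforces minimal collection. The table, rows, field names and crafted input are all constructed for the example; it runs on an in-memory SQLite database.

```python
import sqlite3

# Fields this hypothetical form is designed to collect (assumption).
ALLOWED_FIELDS = {"name", "email"}
MAX_FIELD_LEN = 100

def make_db():
    # Constructed directory table with two sample rows.
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE directory (name TEXT, email TEXT)")
    conn.executemany("INSERT INTO directory VALUES (?, ?)",
                     [("Ana", "ana@example.edu"), ("Bo", "bo@example.edu")])
    return conn

def lookup_unsafe(conn, name):
    # Vulnerable: the form value becomes part of the SQL text, so a quote
    # in the input changes the query's structure instead of its data.
    sql = "SELECT email FROM directory WHERE name = '" + name + "'"
    return [row[0] for row in conn.execute(sql)]

def lookup_safe(conn, name):
    # Hardened: the driver binds the value as a parameter; whatever the
    # input contains, it is compared as a literal name.
    sql = "SELECT email FROM directory WHERE name = ?"
    return [row[0] for row in conn.execute(sql, (name,))]

def validate_form(fields):
    # Data minimization: reject any field the form was not designed to
    # collect, and bound the size of each value before it reaches the DB.
    unexpected = set(fields) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError("unexpected fields: " + ", ".join(sorted(unexpected)))
    for key, value in fields.items():
        if not isinstance(value, str) or len(value) > MAX_FIELD_LEN:
            raise ValueError("bad value for field " + key)
    return fields

if __name__ == "__main__":
    conn = make_db()
    crafted = "x' OR '1'='1"  # constructed input containing a stray quote
    print(lookup_unsafe(conn, crafted))  # leaks every address in the table
    print(lookup_safe(conn, crafted))    # [] : no one is named that
```

The unsafe handler returns both rows for the crafted value while the safe one returns none, which is the behaviour a regular injection scan of a form should be checking for.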

  • Internal Facing Websites containing Web Forms – Requirements
    All NMSU internal facing websites must be hosted on WordPress and kept up to date with current content. Additionally, internal facing websites containing web forms must meet the following minimum security requirements:

    • Website must be hosted on a server centrally managed by ICT
    • Website must be regularly scanned for injection attack vulnerabilities
    • Backend databases must be hardened, regularly scanned and installed on ICT managed servers

    Web Forms collecting confidential personally identifiable information (PII) must meet additional security requirements:

    • Notify the NMSU chief privacy officer when collecting the following PII:
              - Social Security Numbers
              - Date of birth
              - Names in combination with one of the other listed data elements
              - Grades
              - Credit card numbers
              - Medical information, etc.
    • Document the data flow of the data collection and how the data is stored:
              - Backend database and who administers the database
              - Flat file and who has access to this data
    • Implement access controls to PII

    Overall, information security is a top priority for NMSU and all data collected along with the underlying technology in use must meet the NMSU data security standards, which are part of the NMSU Data Governance Program. 

Note:
Exceptions to these standards may be granted on a case-by-case basis, but such exceptions must be properly documented by completing a risk acceptance form, which must be signed and approved by the Chancellor as recommended by the Web Governance Committee.

This document is considered a living document and will be revised as cybersecurity is always evolving.