Data Standards

Minimum Security Standards

  • Minimum Security Standards: Endpoints
    Endpoint device: a laptop, desktop, mobile device or any other end-user device that has connectivity to the network or the Internet.
    Note: the rows below are the minimum requirements; additional requirements apply based on the level of risk.

    Standard                               | Recurring          | Process
    ---------------------------------------+--------------------+----------------------------------------------------------------
    Malware/Antivirus Protection           |                    | Enable the host firewall and install antivirus (Sophos: https://software.nmsu.edu/sophos/).
    Log-in Credentials and Access Control  |                    | Authentication must be enabled on all endpoint devices used to conduct university business and must meet passphrase or complexity requirements.
    User Training                          | Annually           | Attend university-required training courses annually, and those required by Data Stewards for the systems they oversee.
    Backup/Recovery                        |                    | Back up user data incrementally at least weekly, daily where possible. Follow the university DR/BC plan. Encrypt backup data in transit and at rest.
    Whole-Disk Encryption                  |                    | Enable whole-disk encryption to protect data stored and used on the endpoint device.
    Two-factor Authentication              |                    | Use multi-factor authentication for all interactive user and administrator logins, where available.
    Configuration Management               |                    | Implement PCI DSS, HIPAA, or export controls as applicable.
    Inventory                              | Annual and Audited | Review and update inventory records yearly. Records should include: location, asset type, owner, department, and data type.
    Patches/Upgrades                       | As Issued          | Apply security patches/upgrades within seven days of published release and verification. Follow the patch management program and enable auto-updates on endpoint devices.
    Contractual Security Controls          |                    | Configure devices to meet DFARS, CMMC, NIST SP 800-171, NIST SP 800-53, etc. requirements for controlled unclassified information (CUI) and classified systems.
    Other Regulated Data Security Controls |                    | Implement PCI DSS, HIPAA, FISMA, etc. or export controls as applicable. Inventory and monitor data access and usage.

  • Minimum Security Standards: Servers
    Server: a host that provides network-accessible services.

    Standard                               | Recurring          | Process
    ---------------------------------------+--------------------+----------------------------------------------------------------
    Vulnerability Management               | Annual and Audited | Perform vulnerability scans and rescan as remediation is completed. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
    Firewall                               |                    | Enable a host-based firewall in default-deny mode and permit only the minimum necessary services.
    Credentials and Access Control         | Quarterly          | Review existing accounts and privileges quarterly. Enforce password complexity.
    Centralized Logging                    |                    | Forward logs to a remote log server. Review them for issues and to support mitigation.
    Sysadmin Training                      | Annually           | Attend at least one professional development academy training course annually.
    Backup/Recovery                        |                    | Back up user data incrementally at least weekly, daily where possible. Follow the university DR/BC plan. Encrypt backup data in transit and at rest.
    Two-factor Authentication              |                    | Use multi-factor authentication for all interactive user and administrator logins.
    Malware/Antivirus Protection           |                    | Deploy the service in high-enforcement and monitoring mode. Review alerts as they are received.
    Intrusion Detection                    |                    | Deploy IDS and IPS services. Review alerts as they are received.
    Physical Protection                    |                    | Place system hardware in a data center protected by physical security measures.
    Inventory                              | Annual and Audited | Review and update inventory records yearly. Records should include: location, asset type, owner, department, and data type.
    Patches/Upgrades                       | As Issued          | Based on the exposure and mitigation management tool ratings, apply high-severity security patches within seven days of published release and verification, and all other security patches within 90 days.
    Dedicated Admin Workstation            |                    | Access administrative accounts only through a privileged access workstation. Audit user access to ensure correct use of privilege.
    Security, Privacy, and Legal Review    |                    | Request a security, privacy, and legal review/audit and implement its recommendations prior to deployment.
    Contractual Security Controls          |                    | Harden systems according to DFARS, CMMC, NIST SP 800-171, NIST SP 800-53, etc. requirements for controlled unclassified information (CUI) and classified systems.
    Other Regulated Data Security Controls |                    | Implement PCI DSS, HIPAA, FISMA, etc. or export controls as applicable. Inventory and monitor data access and usage.

  • Minimum Security Standards: Applications
    Application: software running on a server that is remotely accessible, including mobile applications.

    Standard                               | Recurring          | Process
    ---------------------------------------+--------------------+----------------------------------------------------------------
    Vulnerability Management               | Annual and Audited | Perform vulnerability scans and rescan as remediation is completed. Remediate severity 4 and 5 vulnerabilities within seven days of discovery and severity 3 vulnerabilities within 90 days.
    Firewall                               |                    | Permit only the minimum necessary services through the network firewall. Test and verify the firewall settings.
    Credentials and Access Control         | Quarterly          | Review existing accounts and privileges quarterly. Enforce password complexity.
    Developer Training                     | Annually           | Attend at least one professional development academy training course annually.
    Centralized Logging                    |                    | Forward logs to a remote log server. Review them for issues and to support mitigation.
    Two-factor Authentication              |                    | Include security as a design requirement. Review all code and correct identified security flaws prior to production. Use multi-factor authentication for all interactive user and administrator logins.
    Backup/Recovery                        |                    | Back up user data incrementally at least weekly, daily where possible. Follow the university DR/BC plan. Encrypt backup data in transit and at rest.
    Inventory                              | Quarterly          | Maintain a list of applications with their associated risk classifications and data volume estimates. Review and update records quarterly.
    Patches/Upgrades                       | As Issued          | Based on the exposure and mitigation management tool ratings, apply high-severity security patches within seven days of published release and verification, and all other security patches within 90 days.
    Dedicated Admin Workstation            |                    | Access administrative accounts only through a privileged access workstation. Audit user access to ensure correct use of privilege.
    Security, Privacy, and Legal Review    |                    | Request a security, privacy, and legal review/audit and implement its recommendations prior to deployment.
    Contractual Security Controls          |                    | Applications must be configured according to DFARS, CMMC, NIST SP 800-171, NIST SP 800-53, etc. requirements for controlled unclassified information (CUI) and classified systems.
    Other Regulated Data Security Controls |                    | Implement PCI DSS, HIPAA, FISMA, etc. or export controls as applicable. Inventory and monitor data access and usage.
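    As an added example (not NMSU tooling, and not part of the original standard), the Python script below applies the remediation windows from the Servers and Applications vulnerability management rows (severity 4 and 5 within seven days of discovery, severity 3 within 90 days) to a list of scan findings and reports which are overdue. The 1-to-5 severity scale, the Finding record, and the sample findings are assumptions for illustration; severities 1 and 2 are given no deadline because the standard sets none for them.

```python
"""Remediation-deadline triage for vulnerability scan findings.

Windows taken from the standard: severity 4 and 5 within 7 days of
discovery, severity 3 within 90 days. Severities 1 and 2 have no window in
the text, so they are reported as 'no deadline'. The severity scale, the
Finding record, and the sample data below are constructed for illustration.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import Optional

# Remediation windows in days, keyed by severity, as stated in the standard.
REMEDIATION_DAYS = {5: 7, 4: 7, 3: 90}


@dataclass(frozen=True)
class Finding:
    host: str
    title: str
    severity: int        # assumed scale: 1 (lowest) .. 5 (highest)
    discovered: date


def due_date(finding: Finding) -> Optional[date]:
    """Deadline counted from the discovery date, or None if the standard sets none."""
    days = REMEDIATION_DAYS.get(finding.severity)
    if days is None:
        return None
    return finding.discovered + timedelta(days=days)


def triage(findings, today: date):
    """Return rows (host, title, severity, status, days_left) sorted by urgency.

    status is 'overdue', 'due' or 'no deadline'; days_left is negative once
    the window has elapsed and None when there is no window.
    """
    rows = []
    for f in findings:
        if not 1 <= f.severity <= 5:
            raise ValueError(f"severity out of range for {f.host}: {f.severity}")
        d = due_date(f)
        if d is None:
            rows.append((f.host, f.title, f.severity, "no deadline", None))
            continue
        days_left = (d - today).days
        status = "overdue" if days_left < 0 else "due"
        rows.append((f.host, f.title, f.severity, status, days_left))
    # Most overdue first, then soonest deadline, then highest severity;
    # findings without a window go last.
    rows.sort(key=lambda r: (r[4] is None, r[4] if r[4] is not None else 0, -r[2]))
    return rows


def overdue(findings, today: date):
    """(host, title) pairs whose remediation window has already elapsed."""
    return [(h, t) for h, t, _, status, _ in triage(findings, today) if status == "overdue"]


# Constructed sample scan output (not real findings or hosts).
SAMPLE = [
    Finding("web01", "Outdated TLS library", 5, date(2024, 3, 1)),
    Finding("web01", "Directory listing enabled", 3, date(2024, 1, 15)),
    Finding("db02", "Default SNMP community", 4, date(2024, 3, 12)),
    Finding("db02", "Banner discloses version", 2, date(2024, 2, 1)),
]

if __name__ == "__main__":
    for row in triage(SAMPLE, date(2024, 3, 15)):
        print(row)
```

    Run against a real scanner export, the same functions can feed the "Annual and Audited" evidence for this row: the triage output is the list of findings outside their window on the date the review is run.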
     
  • Minimum Security Standards: Physical Security
    Physical: a building or access environment.

    Standard                        | Recurring | Process
    --------------------------------+-----------+--------------------------------------------------------------------------
    Monitor Location                |           | Require visitors to sign in and provide monitoring coverage of the entire area that has access to secure data.
    User Access                     | Annually  | Deploy controls so that users lock systems and files and keep viewable secure data hidden from the public.
    User Training                   | Annually  | Attend at least one professional development academy training course annually.
    Grant Physical Access           |           | Implement controls for granting and removing access to the Data Center or to areas with access to secure data (on-boarding and off-boarding). Monitor and review access (card access, logs, video, etc.).
    Secure Data Location            |           | Implement controls to prevent tailgating or pass-back access to locations with secure data. Implement physical security measures/controls (mantrap, physical presence, locked systems, etc.).
    System Integrity                |           | Implement controls to verify that physical systems handling secure data are on an encrypted connection. Encrypt data in transit and at rest.
    Contractual Security Controls   |           | Hard-copy documents must be marked or handled according to DFARS, CMMC, NIST SP 800-171, NIST SP 800-53, etc. requirements for controlled unclassified information (CUI) and classified information.
    Facility Physical Security      |           | Ensure the facility and offices follow DFARS, CMMC, NIST SP 800-171, NIST SP 800-53, etc. physical control requirements for controlled unclassified information (CUI) and classified information.


Cybersecurity is a rapidly evolving field that continuously presents new challenges; the minimum security standards above will be revised and updated accordingly.

For more information contact:

Carlos S. Lobato
Interim Chief Information Security Officer
(575) 646-5902

Robert Doyle
Interim Chief Privacy Officer/IT Compliance Officer
(575) 646-5969

 
