Minimum security standards for data protection

The purpose of the Rutgers Minimum Security Standards is to provide the information security standards necessary to comply with Rutgers Information Classification Policy. These standards are mandatory requirements and establish an effective baseline of appropriate system, administrative, and physical controls to apply to data based upon its classification.

Scope

This standard applies to all University data, including but not limited to: HIPAA/PHI, student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the mission and/or administration of the University or any of its functions.

Classification levels

The Information Classification Policy identifies three categories of data: Critical and Restricted, Internal, and Public. For more information on these classification levels and the major responsibilities of the parties involved (i.e. Vice Presidents, Chancellors, Deans, Information Owners, Data Custodians, Information Managers and Information Users) please review the policy (PDF).

Standard

The following security standards outline the minimum level of protection and controls that must be adhered to based on the information classification of the data:

Network

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| A network-based firewall (or functional equivalent) shall be implemented that denies traffic from networks and hosts that are not secured at this level. | Required | Recommended | Not Applicable |
| Network traffic shall be limited to only those services and ports considered essential for departmental business practices. | Required | Recommended | Not Applicable |
| Networks shall be scanned for vulnerabilities on a regular schedule. Those that contain Restricted data should be scanned more frequently. Vulnerabilities detected shall be remediated in a timely manner. | Required | Recommended | Suggested |
| Security detection tools (Intrusion Detection (IDS) and File Integrity Monitoring) shall be implemented. | Required | Recommended | Suggested |
| Devices processing or storing data shall log all significant security event information. Logs should be reviewed on a daily basis, and retained for a minimum of 1 year. | Required | Recommended | Suggested |

Servers

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Devices shall be housed in a physically secure location, accessible to only those with a business purpose. | Required | Recommended | Recommended |
| Security updates and patches shall be applied in a timely manner, or automatically when possible. | Required | Required | Required |
| Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
| Where possible, computer anti-virus shall be implemented, and updated in a timely manner, or automatically when possible. | Required | Required | Required |
| Where available, a host-based firewall shall be implemented. | Required | Recommended | Recommended |
| Services and applications should be the minimum necessary to accomplish the required business functions. | Required | Recommended | Recommended |
| Passwords shall be changed from the vendor defaults. | Required | Recommended | Recommended |
| Systems shall be 'hardened' to a recognized standard, where available (e.g. CIS…). | Required | Recommended | Recommended |
| Individual access to data shall be limited to only those needing access for legitimate purposes. | Required | Recommended | Not Applicable |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
| Only secure (encrypted) transmission shall be allowed. Only secure (encrypted) storage of Restricted information shall be allowed, in absence of mitigating controls (e.g. physically secured area). | Required | Recommended | Not Applicable |
| Files shall be backed up and tested on a regular schedule, and stored in a secured location both on and off-site. | Required | Recommended | Not Required |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy 30.4.5. | Required | Recommended | Not Required |

User Accounts

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| A process shall be established to create and assign, maintain, and verify a unique system identifier (e.g. NetID, UserID) for each user. | Required | Recommended | Recommended |
| Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data. | Required | Recommended | Recommended |

Desktop

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Services and applications should be the minimum necessary to accomplish the required business functions. | Required | Recommended | Recommended |
| Passwords shall be changed from the vendor defaults. | Required | Recommended | Recommended |
| Systems shall be 'hardened' to a recognized standard, where available. | Required | Recommended | Recommended |
| Security updates and patches shall be applied in a timely manner, or automatically when possible. | Required | Required | Required |
| Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
| Where possible, computer anti-virus shall be installed and updated automatically or in a timely manner. | Required | Required | Required |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy 30.4.5. | Required | Recommended | Not Required |
| Only secure (encrypted) storage of restricted information shall be allowed, in absence of mitigating controls (i.e. physically secured area). | Required | Recommended | Not Applicable |
| A screen saver password must be used when the workstation is unattended. | Required | Required | Recommended |

Portable devices (laptops, cell phones, tablets, etc.), removable media and non-Rutgers-owned machines/equipment

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Security standards for desktops are followed. | Required | Required | Required |
| Systems shall have a "strong password" and lock (or wipe) after 10 failed login attempts. | Required | Recommended | Not Applicable |
| Systems shall be remotely traceable, lockable and wipeable. | Required | Recommended | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy. Hardware not capable of being wiped shall be physically destroyed. | Required | Recommended | Not Required |
| Only secure storage (full disk/device encryption) shall be allowed. | Required | Recommended | Not Applicable |
| Use of non-Rutgers-owned equipment | Not Allowed | Allowed | Allowed |
| Screen saver passwords must be used when unattended. | Required | Required | Recommended |

Software Development

| Control Standard | Critical and Restricted | Internal | Public |
|---|---|---|---|
| Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities. | Required | Recommended | Recommended |