The purpose of the Rutgers Minimum Security Standards is to provide the information security standards necessary to comply with the Rutgers Information Classification Policy. These standards are mandatory requirements and establish a baseline of system, administrative, and physical controls that must be applied to data according to its classification.
Scope
This standard applies to all University data, including but not limited to: HIPAA/PHI, student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports the mission and/or administration of the University or any of its functions.
Classification levels
The Information Classification Policy identifies three categories of data: Critical and Restricted, Internal, and Public. For more information on these classification levels and the major responsibilities of the parties involved (i.e. Vice Presidents, Chancellors, Deans, Information Owners, Data Custodians, Information Managers and Information Users), please review the policy (PDF).
Standard
The following security standards outline the minimum level of protection and controls that must be adhered to based on the information classification of the data:
Network
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
A network-based firewall (or functional equivalent) shall be implemented that denies traffic from networks and hosts that are not secured at this level. | Required | Recommended | Not Applicable |
Network traffic shall be limited to only those services and ports considered essential for departmental business practices. | Required | Recommended | Not Applicable |
Networks shall be scanned for vulnerabilities on a regular schedule. Those that contain Restricted data should be scanned more frequently. Vulnerabilities detected shall be remediated in a timely manner. | Required | Recommended | Suggested |
Security detection tools (an intrusion detection system (IDS) and file integrity monitoring) shall be implemented. | Required | Recommended | Suggested |
Devices processing or storing data shall log all significant security events. Logs shall be reviewed daily and retained for a minimum of one year. | Required | Recommended | Suggested |
Servers
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
Devices shall be housed in a physically secure location, accessible to only those with a business purpose. | Required | Recommended | Recommended |
Security updates and patches shall be applied in a timely manner, or automatically when possible. | Required | Required | Required |
Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
Where possible, anti-virus software shall be installed and kept up to date, automatically where the software supports it or otherwise in a timely manner. | Required | Required | Required |
Where available, a host-based firewall shall be implemented. | Required | Recommended | Recommended |
Services and applications should be the minimum necessary to accomplish the required business functions. | Required | Recommended | Recommended |
Passwords shall be changed from the vendor defaults. | Required | Recommended | Recommended |
Systems shall be hardened to a recognized standard, where one is available (e.g. the CIS Benchmarks). | Required | Recommended | Recommended |
Individual access to data shall be limited to only those needing access for legitimate purposes. | Required | Recommended | Not Applicable |
The amount of Restricted information collected and stored shall be the minimum required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
Only secure (encrypted) transmission shall be allowed. Only secure (encrypted) storage of Restricted information shall be allowed, in the absence of mitigating controls (e.g. a physically secured area). | Required | Recommended | Not Applicable |
Files shall be backed up on a regular schedule, backups shall be tested (restored) regularly, and backup copies shall be stored in secured locations both on-site and off-site. | Required | Recommended | Not Required |
Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy 30.4.5. | Required | Recommended | Not Required |
User Accounts
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
A process shall be established to create, assign, maintain, and verify a unique system identifier (e.g. NetID, UserID) for each user. | Required | Recommended | Recommended |
Authentication of a system identifier shall be controlled by a mechanism whose strength is commensurate with the sensitivity of the data. | Required | Recommended | Recommended |
Desktop
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
Services and applications should be the minimum necessary to accomplish the required business functions. | Required | Recommended | Recommended |
Passwords shall be changed from the vendor defaults. | Required | Recommended | Recommended |
Systems shall be hardened to a recognized standard, where one is available. | Required | Recommended | Recommended |
Security updates and patches shall be applied in a timely manner, or automatically when possible. | Required | Required | Required |
Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
Where possible, anti-virus software shall be installed and kept up to date, automatically where the software supports it or otherwise in a timely manner. | Required | Required | Required |
The amount of Restricted information collected and stored shall be the minimum required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy 30.4.5. | Required | Recommended | Not Required |
Only secure (encrypted) storage of Restricted information shall be allowed, in the absence of mitigating controls (e.g. a physically secured area). | Required | Recommended | Not Applicable |
A password-protected screen saver (screen lock) must be used when the workstation is unattended. | Required | Required | Recommended |
Portable devices (laptops, cell phones, tablets, etc.), removable media and non-Rutgers-owned machines/equipment
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
The security standards for desktops (above) shall be followed. | Required | Required | Required |
Systems shall require a strong password and shall lock (or wipe) after 10 failed login attempts. | Required | Recommended | Not Applicable |
Systems shall be remotely traceable, lockable and wipeable. | Required | Recommended | Not Applicable |
Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with Rutgers records management policy. Hardware that cannot be wiped shall be physically destroyed. | Required | Recommended | Not Required |
Only secure storage (full disk/device encryption) shall be allowed. | Required | Recommended | Not Applicable |
Use of non-Rutgers-owned equipment | Not Allowed | Allowed | Allowed |
A password-protected screen saver (screen lock) must be used when the device is unattended. | Required | Required | Recommended |
Software Development
Control Standard | Critical and Restricted | Internal | Public |
---|---|---|---|
Internally developed software shall follow secure coding guidelines and shall be reviewed for common coding vulnerabilities. | Required | Recommended | Recommended |