Minimum IT Security Standards

Purpose

Clemson University is committed to protecting the privacy of its students, alumni, faculty, and staff and to safeguarding the confidentiality, integrity, and availability of information important to the University’s mission. To meet that commitment, the University has developed minimum security standards that identify the security controls required for University managed systems, applications, cloud-based services, and other devices that process or connect to University data and resources.

Standards

The Minimum Security Standards vary based on the classification of the data that is stored or processed on the system or application. A system must be protected at the level of the highest data classification stored or processed on it. For example, if a laptop is used to access a server holding Confidential Data, the laptop must be protected at the Confidential level as well. For more information on how data is classified, refer to the University Data Classification Policy. For assistance in understanding and implementing these guidelines, contact the Office of Information Security and Privacy (OIS) through the IT Support Center.

Minimum Security Standards:

In the tables below, a check mark ("Yes") marks a control that is required at that data classification; a blank cell means the control is not required at that level.

Note: For assistance in understanding and implementing these guidelines, contact the Office of Information Security and Privacy (OIS) through our ticketing system.


Endpoints

Endpoints are any devices that connect to the Clemson network, including any desktop or laptop purchased by Clemson and issued to a user.

Endpoint Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory Management | All assets must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Antivirus/Malware Protection | University supported antivirus solution must be enabled. | Yes | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | Yes | Yes | Yes | Yes |
| Advanced Threat Detection | Use the University supported Endpoint Protection Platform. | Yes | Yes | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Servers

A server is any University hosted system that provides a service over the network. Servers make up a much smaller portion of University managed systems, but by their very nature they are much more exposed. Servers include hosts such as web servers, application servers, shared drives, and databases.

Server Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory Management | All assets must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Antivirus/Malware Protection | University supported antivirus solution must be enabled. | Yes | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | Yes | Yes | Yes | Yes |
| Firewall | Host-based firewall must be in default deny mode and permit only the minimum necessary services. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Physical Access Control | Systems must be located in a University managed or approved Data Center. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Administrative Access | Access administrative accounts only via a University managed endpoint. | | | Yes | Yes |
| Advanced Threat Detection | Use the University supported Endpoint Protection Platform. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Mobile Devices

Mobile devices consist primarily of phones and tablets and generally run Android or iOS. University managed mobile devices must adhere to the controls below.

Mobile Device Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Register devices in the University supported Configuration Management Solution. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Use the University supported Configuration Management Solution. Use a supported Operating System (OS) version. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Devices must be password/PIN protected in accordance with Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Local Encryption | Enable device encryption. | Yes | Yes | Yes | Yes |

Personally Owned Devices

Personally owned devices include computers and mobile devices owned and managed by a user. When these devices are connected to the University network or are used to store or process University data, including email, the devices must meet the requirements below. Restricted data is not authorized on personally owned devices.

Personally Owned Devices Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Configuration Management and System Patching | Asset must be maintained according to University Patching Guidelines. | | Yes | Yes | Not Authorized |
| Credentials and Access Control | Devices must be password/PIN protected in accordance with Strong Password Guidelines. | | Yes | Yes | Not Authorized |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | | Yes | Not Authorized |

University Developed Software Services

University Developed Software Services are defined as any software or web applications developed by University faculty or staff, running on a University owned endpoint or server, that provide services across University resources.

University Developed Software Services Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Internally developed apps must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Firewall | Only the minimum necessary services may be permitted through the network firewall. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | | Yes | Yes | Yes |
| Secure Software Development | Security must be considered in design requirements. Review all code and correct identified security flaws prior to deployment. For web apps, follow applicable Web Development Standards. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Security Review | OIS must review the software, and all findings must be addressed prior to deployment. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

University Hosted Software Services

University Hosted Software Services are defined as any third-party software, running on a University owned endpoint or server, that provides services across University resources.

University Hosted Software Services Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Hosted software must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be managed by the CCIT Configuration Management Solution and maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Firewall | Only the minimum necessary services may be permitted through the network firewall. | Yes | Yes | Yes | Yes |
| Security Review | Software must be procured through Vendor Management. OIS must review the software, and all findings must be addressed prior to deployment. | | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | | Yes | Yes | Yes |
| Backups | Create external backups of application data periodically. Encrypt backups at rest and in transit. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Administrative Access | Access administrative accounts only via a University managed endpoint. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

Software as a Service (SaaS)

Software as a Service (SaaS) is defined as any application or software procured by Clemson University that processes or stores University data in an environment controlled by a third party.

Software as a Service Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Inventory | Asset must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Access must be managed in accordance with the User Account and Password Policy and Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Security Review | Software must be procured through Vendor Management. OIS must review the software, and all findings must be addressed prior to deployment. | | Yes | Yes | Yes |
| Local Encryption | Local encryption must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Network Encryption | Encryption protocol must be configured in accordance with University Encryption Guidelines. | | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if available, or the vendor must be contractually required to supply logs when requested. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | | Yes |

High Performance Computing

HPC systems are complex sets of hardware and software stacks designed to maximize performance and efficiency. Because these components vary in what security tooling can be installed or managed on them, the Office of Research Computing will develop additional configuration guidelines for individual components based on NIST recommendations.

High Performance Computing Requirements

| Control | Requirement | Public | Internal Use | Confidential | Restricted |
|---|---|---|---|---|---|
| Physical Access Control | Systems must be located in a CCIT approved Data Center. | Yes | Yes | Yes | Yes |
| Inventory Management | All assets must be tracked in the Configuration Management Database (CMDB) or relevant inventory system. | Yes | Yes | Yes | Yes |
| Configuration Management and System Patching | Asset must be maintained according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Credentials and Access Control | Devices must be password/PIN protected in accordance with Strong Password Guidelines. | Yes | Yes | Yes | Yes |
| Logging and Monitoring | Logging must be enabled and forwarded to the University logging solution if requested. | Yes | Yes | Yes | Yes |
| Firewall | Firewalls must be configured to permit only the minimum necessary access and services. | Yes | Yes | Yes | Yes |
| Vulnerability Management | Identified vulnerabilities must be remediated according to University Patching Guidelines. | Yes | Yes | Yes | Yes |
| Two-Factor Authentication | Two-factor authentication must be required for all privileged user and administrator logins. | | | Yes | Yes |
| Regulated Data Security Controls | Implement FERPA, HIPAA, PCI, FISMA, CUI, Export Controls, or other regulations as applicable. | | | Yes | Yes |

References and Related Documents

Responsible Division:
CCIT

Reviewed Date:
October 3, 2023