![University of Hawaiʻi at Mānoa](/its/template/system_2019/images/uh-nameplate.png")
University of Hawaiʻi System
Consolidated View — Minimum Security Standards
Last Updated 2022-07-15
When working with Regulated Data, please refer to the applicable Standard, Act, or Policy (e.g., CMMC, PCI DSS, HIPAA, FERPA, NIST SP800-171, etc.) for specific details on any additional controls needed.
The table below provides a consolidated view of the Minimum Security Standards for each device type. A checkmark indicates that a standard is included in the corresponding device types standard listing (endpoints, servers, multi-function devices & internet-of-things). Standards may differ between each device type, please refer to each respective document for implementation details.
The standards listed in the table below are adapted from a subset of the CIS Controls based on its applicability to the University of Hawaiʻi. The Center for Internet Security's (CIS) Controls, are a prioritized set of actions that collectively form a defense-in-depth set of best practices that mitigate the most common attacks against systems and networks.
Quick Reference
- 1.0 - Patching
- 2.0 - Firewall Configuration
- 3.0 - Password Security
- 4.0 - Data Management
- 5.0 - Encryption
- 6.0 - Asset Management
- 7.0 - Data Inventory
- 8.0 - Removable Media
- 9.0 - Malware Protection
- 10.0 - Session Timeout
- 11.0 - Backups
- 12.0 - Multi-Factor Authentication (MFA)
- 13.0 - Centralized Logging
- 14.0 - Secure Access
- 15.0 - Secure Configuration
- 16.0 - Event Logging
- 17.0 - Network Security
- 18.0 - Access Control
- 19.0 - Account Management
- 20.0 - Vulnerability Scanning
# |
Standards |
Device Types |
||
|---|---|---|---|---|
| Automatic Updates / Patching | Endpoints | Servers | MFD / IoT | |
| Enable automatic updates for operating systems and software if possible. | ||||
| Install standard operating system and software security patches on a monthly basis for servers and networking devices. | ||||
| Ensure operating systems and software including email clients and browsers are fully supported by their vendors. End-of-life software and operating systems do not receive security updates. | ||||
| Firewall | Endpoints | Servers | MFD / IoT | |
| Configure and manage a host based firewall or a network firewall device with a default deny-all policy. Only necessary services should be allowed through the firewall. | ||||
| Password Security | Endpoints | Servers | MFD / IoT | |
| Ensure that all devices have strong and unique password protected individual logins for all local and remote accounts. | ||||
| Ensure that all web applications have strong and unique password protected individual logins for administrative accounts. | ||||
| Data Management | Endpoints | Servers | MFD / IoT | |
| Utilize the University's records management process for . | ||||
| Securely dispose of Institutional Data following our Disposal Guidelines. | ||||
| Use Spirion to scan for sensitive and regulated information on a monthly basis. | ||||
| Encryption | Endpoints | Servers | MFD / IoT | |
| Ensure that data is encrypted with a secure encryption algorithm while in transit. | ||||
| Utilize Windows BitLocker or Apple FileVault to enable whole disk encryption on endpoints and removable devices. Ensure that files containing Sensitive and Regulated data stored on servers, applications, databases, and removable media are encrypted or stored in an encrypted file container such as Veracrypt. | ||||
| Utilize ÌÇÐÄVlog¹Ù·½ Enterprise Dropbox to store Sensitive and Regulated data online. | ||||
| Asset Management | Endpoints | Servers | MFD / IoT | |
| Complete the Annual Device Registration. | ||||
| Maintain an updated inventory of all software and hardware assets. | ||||
| Ensure that hardware and software assets are fully supported by their vendors. | ||||
| Review asset lists on a monthly basis. Remove any unauthorized or End-of-Life assets. | ||||
| Data Inventory | Endpoints | Servers | MFD / IoT | |
| Complete the annual Personal Information Survey (PIS). | ||||
| Removable Media | Endpoints | Servers | MFD / IoT | |
| Disable autorun / autoplay for removable media. | ||||
| Malware Protection | Endpoints | Servers | MFD / IoT | |
| Install and enable an anti-malware solution. | ||||
| Ensure automatic anti-malware signature updates are enabled. | ||||
| Enable anti-exploitation features. | ||||
| Session Locking / Session Timeout | Endpoints | Servers | MFD / IoT | |
| Configure a maximum 15 minute session timeout for system access and remote access protocols (SSH, RDP, etc.). | ||||
| Backups | Endpoints | Servers | MFD / IoT | |
| Maintain an offline, off-site, or cloud-based backup instance. | ||||
| Ensure backups are encrypted. | ||||
| Perform automatic backups of systems on at least a weekly basis. | ||||
| Multi-Factor Authentication(MFA) | Endpoints | Servers | MFD / IoT | |
| Enable multi-factor authentication to access externally-exposed applications, remote network access, and administrative access where possible. | ||||
| Utilize ÌÇÐÄVlog¹Ù·½ login for public facing web application logins if applicable. | ||||
| Centralized Logging | Endpoints | Servers | MFD / IoT | |
| Deploy a centralized log management system for servers and aggregate logs. | ||||
| Retain centralized logs for at least 90 days. Adequate log storage must be accounted for. | ||||
| Review centralized audit logs on a weekly basis. | ||||
| Secure Access | Endpoints | Servers | MFD / IoT | |
| Access applications and manage software over a secure encrypted connection (SSH, HTTPS, etc.). | ||||
| Limit access to MFDs and IoT devices by authorized IPs if possible. | ||||
| Secure Configuration | Endpoints | Servers | MFD / IoT | |
| Ensure that servers and network devices are configured following industry security best practices. CIS Configuration Guides are recommended. Configuration scripts are available upon request. | ||||
| Uninstall or disable unnecessary and unused services on servers and network devices. | ||||
| Event Logging | Endpoints | Servers | MFD / IoT | |
| Enable logging of system, security, and application events. | ||||
| Retain logs for at least 90 days. Adequate log storage must be accounted for. | ||||
| Review audit logs on a weekly basis. | ||||
| Network Security | Endpoints | Servers | MFD / IoT | |
| Utilize network segmentation to address least privilege by isolating personal, untrusted, and IoT devices from critical services. | ||||
| Maintain network architecture diagrams. | ||||
| Utilize Wi-Fi Protected Access 2 (WPA2) with AES-128 or greater and a strong password for wireless networks. | ||||
| Access Control | Endpoints | Servers | MFD / IoT | |
| Maintain an updated access control list of user roles, accounts and permissions for local/remote file systems, databases, and applications. | ||||
| Grant access and apply access privileges to systems and services on a need to know basis. | ||||
| Revoke privileges to systems and services upon employee termination, rights revocation, or role change. | ||||
| Account Management | Endpoints | Servers | MFD / IoT | |
| Restrict administrator privileges to individually dedicated administrator accounts. | ||||
| Remove dormant accounts (45 days of inactivity). | ||||
| Disable default system and software accounts or make them unusable. | ||||
| Review account privileges and permissions quarterly. | ||||
| Vulnerability Scanning | Endpoints | Servers | MFD / IoT | |
| Perform vulnerability scans using or Nessus Agents on a monthly basis. | ||||
| Remediate all High and Critical severity vulnerabilities within 7 days. | ||||