BGSU Servers, Endpoints, and Applications Security Standards

• Configure endpoints according to CIS Benchmarks for the respective operating system (e.g., CIS Windows 10, CIS macOS).
• Utilize Role-Based Access Control (RBAC) to restrict access to the system to authorized users only (NIST SP 800-53 AC-3)
• Disable unnecessary services, accounts, and protocols, applying the principle of least privilege (NIST SP 800-53 AC-6).
• Implement strong authentication, including multi-factor authentication (MFA) where feasible (NIST SP 800-53 IA-2).

• Apply first-party (e.g., operating system) and third-party (e.g., application) security patches based on the risk-based patching timeframe matrix below (CIS Control 3, NIST SP 800-53 SI-2).
• Test patches in a non-production environment, when possible, to avoid disruptions.

Patching Timeframe Matrix

• Install and maintain antivirus/anti-malware software with real-time scanning and automatic updates (CIS Control 10, NIST SP 800-53 SI-3).
• Enable host-based firewalls with default-deny rules for incoming traffic (CIS Control 9).
• Use full-disk encryption on all endpoints (NIST SP 800-53 SC-28).
• Maintain an inventory of authorized software and prohibit unapproved software (CIS Control 2).

• Conduct monthly vulnerability scans on endpoints using tools compliant with NIST SP 800-53 RA-5.
• Remediate vulnerabilities based on CVSS scores, prioritizing critical and high-risk issues per the patching timeframe matrix.
• Any software or hardware deployed to a BGSU managed endpoint that uses the BGSU administrative network, must be kept up to date and in line with manufacturer security recommendations and managed by BGSU ITS.  If the software or hardware cannot be maintained in a way that is timely and within reason, the item should be removed from all BGSU managed assets.
• Enable logging to detect exploitation attempts (CIS Control 6, NIST SP 800-53 AU-2).

• Classify data per BGSU’s Data Use and Protection Policy (e.g., Public, Internal, Confidential, Restricted).
• Restrict access to sensitive data based on classification and need-to-know (NIST SP 800-53 AC-4).
• Perform regular, encrypted backups of (CIS Control 10, NIST SP 800-53 CP-9).

• Configure servers according to CIS Benchmarks for the respective operating system or server type (e.g., CIS Windows Server, CIS Linux, CIS Apache).
• Utilize Role-Based Access Control (RBAC) to restrict access to the system to authorized users only (NIST SP 800-53 AC-3).
• Remove or disable unnecessary services, accounts, and protocols, applying the principle of least privilege (NIST SP 800-53 AC-6).
• Use strong authentication with Multifactor Authentication (NIST SP 800-53 AC-2, IA-2).
• Single-sign-on with single logout (or appropriate mitigating controls) and role-based access control should be used when available, otherwise this will invoke the BGSU Security Standards Exceptions Procedure (RBAC) (NIST SP 800-53 AC-2, IA-2).
• Encrypt data in transit with TLS 1.3 or higher and data at rest with AES-256 or equivalent (NIST SP 800-53 SC-8, SC-13).

• Apply first-party (e.g., operating system) and third-party (e.g., server software) security patches per the risk-based patching timeframe matrix below (CIS Control 3, NIST SP 800-53 SI-2).
• Test patches in a non-production environment prior to deployment.

Patching Timeframe Matrix

• Conduct weekly vulnerability scans on servers using tools compliant with NIST SP 800-53 RA-5.
• Remediate vulnerabilities based on the most current CVSS scores, prioritizing critical and high-risk issues per the patching timeframe matrix.
• Any software or hardware deployed to a BGSU managed endpoint that uses the BGSU administrative network, must be kept up to date and in line with established best practices and managed by BGSU ITS.  If the software or hardware cannot be maintained in a way that is timely and within reason, the item should be removed from all BGSU managed assets.
• Enable and retain logs for at least 90 days to support investigations (CIS Control 6, NIST SP 800-53 AU-2).

• Segment networks to isolate business critical servers and limit lateral movement (CIS Control 12, NIST SP 800-53 SC-7).
• Use network firewalls and access control lists (ACLs) to restrict traffic to/from servers.
• Implement intrusion detection/prevention systems (IDPS) to monitor server traffic (NIST SP 800-53 SI-4).

• Classify server data per BGSU’s Data Use and Protection Policy.
• Restrict access to sensitive data based on the principle of least privilege (NIST SP 800-53 AC-4).
• Perform regular, encrypted backups of critical server data with offsite storage (CIS Control 10, NIST SP 800-53 CP-9).

• Applications developed or customized for BGSU must follow secure coding practices, addressing OWASP Top 10 vulnerabilities (CIS Control 18).
• Conduct code reviews and document security testing (e.g., static/dynamic analysis) before deployment (NIST SP 800-53 SA-11).

• Apply first-party and third-party application patches per the risk-based patching timeframe matrix below (CIS Control 3, NIST SP 800-53 SI-2).
• Test patches in a non-production environment prior to deployment.
• Exceptions will invoke the BGSU Security Standards Exceptions Procedure.

Patching Timeframe Matrix

• Use strong authentication with Multifactor Authentication (NIST SP 800-53 AC-2, IA-2).
• Implement role-based access control (RBAC) for application access defaulting to the principle of least privilege (NIST SP 800-53 AC-3, AC-4).

• Use secure headers (e.g., Content Security Policy, HTTP Strict Transport Security) for web applications.
• Conduct regularly scheduled vulnerability scans and penetration testing (CIS Control 18, NIST SP 800-53 RA-5).

• Encrypt processed data according to its classification in the BGSU Data Use and Protection Policy by applications in transit (TLS 1.3 or higher) and at rest (AES-256 or equivalent) (NIST SP 800-53 SC-8, SC-13).
• Restrict data access based on BGSU’s Data Use and Protection Policy (NIST SP 800-53 AC-4).