Security Maturity
Comprehensive Information Security Framework

Our comprehensive framework outlines the essential practices for ensuring robust information security across the campuses and system administration. It covers six key areas—Govern, Identify, Protect, Detect, Respond, and Recover—each containing critical processes and standards that establish a strong foundation for safeguarding data and systems. Explore each section to learn how these practices help maintain a secure and resilient environment.


Govern

Campus/System Administration information security program

  • Campus-level information security roles and responsibilities are documented (security office, IT service providers, etc.)
  • A documented process exists for requesting, reviewing and approving exceptions to information security standards and processes. This process is defined in campus standards.

IT vendor security risk management

  • IT procurements involving formal contracts are reviewed by IT security teams

Identify

Data classification and inventory

  • Data classifications are documented for all third-party handled data

Software/hardware asset management

  • Hardware inventory is documented and updated at least annually.

Protect

Vulnerability management

  • Campus-level vulnerability management process is documented, including:
    • Interval for vulnerability assessments
    • Communicating vulnerabilities to system owners
    • Time-to-patch expectations
    • Consequences for non-compliance
  • A documented, risk-based process for patch management is in place

Training and awareness

  • All CU employees must complete a standard information security training module once every two years
  • Standard employee information security training content is reviewed and updated at least every two years

Identity, authentication and access

  • MFA required on email and VPN for all users.
  • Users have unique accounts, and where single-factor authentication is still used it relies on secure technology.

Software development

  • CU-developed code is stored in a tool that provides both access management and version control.
  • CU-managed public code repositories are checked for stored secrets/keys and risk-based remediations are taken.

Messaging security

  • Email messages are automatically scanned for malicious attachments and links, and treated based on risk.
  • SPF (Sender Policy Framework) records in place with hard fail

Data protection

  • Risk-based data backups and/or redundancy are in place for IT services
  • Data backup and restoration processes are documented

Network security

  • Default deny firewall at internet border with a documented process for managing policies.
  • Internet-facing IT services use encrypted protocols for handling and transfer of CU data (exceptions approved by ISO)

Device security (Operating system managed by CU, only applicable when the control is available for a given device)

  • EDR installed on all endpoints and servers, reporting to a central service and receiving updates
  • Full disk encryption on laptop computers

Detect

Network monitoring

  • Network traffic monitored (IDS) at internet connections
  • Network security monitoring alerts are monitored and escalated to the information security incident response process as appropriate

Log monitoring

  • Documented, risk-based logging standard established

Respond

Information security incident response process

  • Documented campus-level information security incident response plan is in place, covering the major phases of incident response, including lessons learned.
  • Incident response capabilities are in place to meet plan needs

Recover

Information security incident recovery

  • Documented process in place for information security incident recovery


Information Security Campus Contacts

CU Boulder
Email: security@colorado.edu
Phone: 303-735-4357
Website: IT Security

CU Denver / Anschutz
Email: it.security@ucdenver.edu / it.security@cuanschutz.edu
Phone: 303-724-4357
Website: Information Security and IT Compliance

UCCS
Email: security@uccs.edu
Phone: 719-255-3221
Website: Information Security

System Administration
Email: security@cu.edu
Phone: 303-860-4357
Website: Office of Information Security