Carnegie Mellon University

Guidelines for Data Protection - Information System Security

The following tables define baseline security controls for protecting Information Systems that store, process or transmit Institutional Data. By definition, an Information System is any electronic system that stores, processes or transmits Institutional Data.  This may include workstations, servers, mobile devices (e.g. smart phones, PDAs, etc.) or network devices (e.g. firewalls, routers, etc.).  Controls defined in other portions of this document (e.g. Electronic Access Controls, Encryption and Key Management, etc.) also impact the security of Information Systems and should be reviewed to ensure comprehensive implementation of controls.

System Hardening

ID    | Control                                                                                                                                                                             | Public      | Private     | Restricted
------|-------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------|------------
IS-1  | Controls are deployed to protect against unauthorized connections to services (e.g. firewalls, proxies, access control lists, etc.)                                                | Required    | Required    | Required
IS-2  | Controls are deployed to protect against malicious code execution (e.g. antivirus, antispyware, etc.)                                                                              | Required    | Required    | Required
IS-3  | Controls deployed to protect against malicious code execution are kept up to date (e.g. software version, signatures, etc.)                                                        | Required    | Required    | Required
IS-4  | Host-based intrusion detection and/or prevention software is deployed and monitored                                                                                                | Recommended | Recommended | Recommended
IS-5  | Local accounts that are not being utilized are disabled or removed                                                                                                                 | Required    | Required    | Required
IS-6  | Default or vendor supplied credentials (e.g. username and password) are changed prior to implementation                                                                            | Required    | Required    | Required
IS-7  | Services that are not being utilized are disabled or removed                                                                                                                       | Required    | Required    | Required
IS-8  | Applications that are not being utilized are removed                                                                                                                               | Recommended | Recommended | Recommended
IS-9  | Auto-run for removable Electronic Media (e.g. CDs, DVDs, USB drives, etc.) and network drives is disabled                                                                          | Required    | Required    | Required
IS-10 | Active sessions are locked after a period of inactivity                                                                                                                            | Required    | Required    | Required
IS-11 | Native security mechanisms are enabled to protect against buffer overflows and other memory based attacks (e.g. address space layout randomization, executable space protection, etc.) | Recommended | Recommended | Recommended

Vulnerability Management

ID    | Control                                                                                                                                  | Public      | Private     | Restricted
------|------------------------------------------------------------------------------------------------------------------------------------------|-------------|-------------|------------
IS-12 | Procedures for monitoring for new security vulnerabilities are documented and followed                                                  | Required    | Required    | Required
IS-13 | Operating system and software security patches are deployed in a timely manner                                                          | Required    | Required    | Required
IS-14 | Mitigating controls are deployed for known security vulnerabilities in situations where a vendor security patch is not available        | Required    | Required    | Required
IS-15 | System is periodically tested for security vulnerabilities (e.g. vulnerability scanning, penetration testing, etc.)                     | Recommended | Recommended | Required

System Logging

ID    | Control                                                                                  | Public                                                            | Private                                                           | Restricted
------|------------------------------------------------------------------------------------------|-------------------------------------------------------------------|-------------------------------------------------------------------|------------
IS-16 | Successful attempts to access Information Systems are logged                            | Required                                                          | Required                                                          | Required
IS-17 | Failed attempts to access Information Systems are logged                                | Required for privileged access. Recommended for all other access. | Required for privileged access. Recommended for all other access. | Required
IS-18 | Attempts to execute an administrative command are logged *                              | Recommended                                                       | Recommended                                                       | Required
IS-19 | Changes in access to an Information System are logged                                   | Required                                                          | Required                                                          | Required
IS-20 | Changes to critical system files (e.g. configuration files, executables, etc.) are logged | Recommended                                                       | Recommended                                                       | Required
IS-21 | Process accounting is enabled, where available                                          | Recommended                                                       | Recommended                                                       | Recommended
IS-22 | System logs are reviewed on a periodic basis for security events                        | Recommended                                                       | Recommended                                                       | Required
IS-23 | System logs are protected against tampering                                             | Required                                                          | Required                                                          | Required

* See Supplemental Guidance below.

Supplemental Guidance

IS-18:  Administrative commands are those commands that typically require some level of privileged access to execute.  For example, adding and deleting users of a system, starting and stopping services and rebooting a system are all examples of administrative commands.  Execution of these commands may occur through some type of command-line interface or they may occur through access to a graphical user interface.  The full scope of administrative commands that should be logged may vary from one system to the next.  As a general rule of thumb, a command that requires the use of sudo on a UNIX or Linux platform would be considered an administrative command. On a Windows platform, a command that requires a typical user to “Run as administrator” would constitute an administrative command.
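The following is an added example, not part of the CMU guidelines, showing one way to confirm that the sudo-based administrative commands described for IS-18 are actually being captured: it parses the syslog-style lines that sudo writes on a Linux host (both permitted and denied attempts) and sorts them into the command categories the guidance names. The log lines are constructed for illustration, and the category table is an assumption for this example.

```python
import os
import re
from dataclasses import dataclass

# Constructed sample lines in the format sudo writes to auth.log / secure on Linux.
SAMPLE_AUTH_LOG = """\
Mar  3 09:14:02 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/usr/sbin/useradd bob
Mar  3 09:15:10 host1 sudo:    alice : TTY=pts/0 ; PWD=/home/alice ; USER=root ; COMMAND=/bin/systemctl stop sshd
Mar  3 09:16:44 host1 sudo:      bob : user NOT in sudoers ; TTY=pts/1 ; PWD=/home/bob ; USER=root ; COMMAND=/sbin/reboot
Mar  3 09:17:01 host1 CRON[2201]: (root) CMD (run-parts /etc/cron.hourly)
Mar  3 09:18:30 host1 sudo: pam_unix(sudo:session): session opened for user root by alice(uid=1000)
"""

# A sudo command record: optional failure reason (e.g. "user NOT in sudoers") precedes the TTY field.
SUDO_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) (?P<host>\S+) sudo:\s+(?P<user>\S+) : "
    r"(?:(?P<denied>[^;]+?) ; )?TTY=(?P<tty>\S+) ; PWD=(?P<pwd>\S+) ; "
    r"USER=(?P<target>\S+) ; COMMAND=(?P<cmd>.*)$"
)

# Assumed mapping of program names to the administrative activities named in the IS-18 guidance.
ADMIN_CATEGORIES = {
    "account management": {"useradd", "userdel", "usermod", "adduser", "deluser"},
    "service control": {"systemctl", "service"},
    "system restart": {"reboot", "shutdown", "halt", "poweroff"},
}

@dataclass
class AdminCommand:
    timestamp: str
    host: str
    user: str
    target_user: str
    command: str
    denied: bool   # True when sudo refused the attempt; IS-18 asks for attempts, not only successes

def parse_sudo_commands(log_text: str) -> list[AdminCommand]:
    """Extract every sudo command attempt; session open/close and unrelated lines are skipped."""
    events = []
    for line in log_text.splitlines():
        m = SUDO_RE.match(line)
        if m:
            events.append(AdminCommand(m["ts"], m["host"], m["user"], m["target"],
                                       m["cmd"], m["denied"] is not None))
    return events

def categorize(command: str) -> str:
    """Classify a logged command by the basename of the program invoked."""
    prog = os.path.basename(command.split()[0])
    for category, names in ADMIN_CATEGORIES.items():
        if prog in names:
            return category
    return "other privileged command"
```

On a real host the same parser can be pointed at the system's authentication log to reconcile what was executed against what the log review under IS-22 expects to see.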