1 STANFORD UNIVERSITY RESEARCH COMPUTING Are we outliers? Institutional minimum security requirements RUTH MARINSHAW OCTOBER 14, 2015

2 Stanford University Risk Classifications

Low Risk
Data and systems are classified as Low Risk if they are not considered to be Moderate or High Risk, and:
1. The data is intended for public disclosure, or
2. The loss of confidentiality, integrity, or availability of the data or system would have no adverse impact on our mission, safety, finances or reputation.

Moderate Risk
Data and systems are classified as Moderate Risk if they are not considered to be High Risk, and:
1. The data is not generally available to the public, or
2. The loss of confidentiality, integrity, or availability of the data or system could have a mildly adverse impact on our mission, safety, finances or reputation.

High Risk
Data and systems are classified as High Risk if:
1. Protection of the data is required by law/regulation,
2. Stanford is required to self-report to the government and/or provide notice to the individual if the data is inappropriately accessed, or
3. The loss of confidentiality, integrity, or availability of the data or system could have a significant adverse impact on our mission, safety, finances or reputation.

3 Examples

Low Risk
- Research data (at data owner's discretion)
- SUNet IDs
- Information authorized to be available on or through Stanford's website without SUNet ID authentication
- Policy & procedure manuals designated by the owner as public
- Job postings
- University contact information not designated by the individual as "private" in StanfordYou
- Information in the public domain
- Publicly available campus maps

Moderate Risk
- Unpublished research data (at data owner's discretion)
- Student records & admission applications
- Faculty/staff employment applications, personnel files, benefits, salary, birth date, personal contact information
- Non-public Stanford policies & policy manuals
- Non-public contracts
- Stanford internal memos & email, non-public reports, budgets, plans, financial info
- University and employee ID numbers
- PTA numbers
- Engineering, design & operational information regarding Stanford infrastructure

High Risk
- Health Information, including Protected Health Information (PHI)
- Health Insurance Policy ID #s
- Social Security #s
- Credit card #s
- Financial account #s
- Export controlled information under US laws
- Driver's license, Passport & Visa #s
- Donor contact information & non-public gift information

4 Special note to Stanford researchers: Except for regulated data such as protected health information (PHI), Social Security Numbers, and financial account numbers, research data and systems predominantly fall into the Low Risk classification.

5 Minimum Security Standards: Servers

Columns: Standard, What to do, and applicability to Low / Moderate / High risk systems.

- Patching*: Based on NVD, patch high severity within 7 days, medium severity within 14, low within 28; supported OS
- Inventory*: Review/update NetDB & SUSI quarterly
- Firewall: Default deny, permit minimum necessary services
- Credentials & Access Control: Review accounts & privileges quarterly. Enforce password complexity. Recommend login via Kerberos.
- 2-step Authentication*: Require Duo for all interactive & administrator logins
- Centralized logging: Send logs to remote server; SU Splunk recommended
- Sysadmin training*: Attend 2 days of SU Info Sec Academy annually
- Vulnerability Management*: Monthly Qualys scans. Remediate severity 5 within 7 days, severity 4 within 14, severity 3 within 28 days
- Malware Protection*: Deploy Bit9 in high enforcement mode
- Intrusion Detection*: Bit9 on supported platforms, else OSSEC or Tripwire
- Physical Protection: Place system hardware in a data center
- Dedicated Admin Workstation: Admin accounts accessed only from an approved Personal Bastion Host
- Security, Privacy & Legal Review*: Request review & implement recommendations before deployment
- Regulated Data Security Controls: Implement PCI DSS, HIPAA or export controls as applicable
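The patching and vulnerability-management rows above both define a remediation clock: a deadline of 7, 14 or 28 days that starts when a finding is detected and depends on its severity. The following tracker is an added example written for this page, not tooling from Stanford or from the presentation. It assumes the NVD severity bands follow the three-level CVSS v2 ranking (Low 0.0-3.9, Medium 4.0-6.9, High 7.0-10.0), assumes Qualys severities 1 and 2 carry no deadline because the standard sets none, and runs over constructed sample findings with placeholder identifiers, not real advisories. Beyond the two rows it reads from, it also flags findings that were fixed but only after their deadline, since a remediation report that only shows open items hides SLA misses.

```python
"""Remediation-deadline tracker for the Patching and Vulnerability Management
standards. Added example, not Stanford's own tooling.

Assumptions (not stated by the standard):
  * NVD severity bands use the CVSS v2 ranking: Low 0.0-3.9, Medium 4.0-6.9,
    High 7.0-10.0.
  * Qualys severities 1 and 2 have no deadline, since the standard sets none.
  * All findings, hosts, identifiers and dates below are constructed sample data.
"""
from dataclasses import dataclass
from datetime import date, timedelta
from typing import List, Optional, Tuple

# Days allowed by the standard, keyed by severity.
NVD_SLA_DAYS = {"HIGH": 7, "MEDIUM": 14, "LOW": 28}
QUALYS_SLA_DAYS = {5: 7, 4: 14, 3: 28}  # severities 1-2: no deadline in the standard


def nvd_severity(cvss_base: float) -> str:
    """Map a CVSS base score to an NVD severity band (CVSS v2 ranking, assumed)."""
    if not 0.0 <= cvss_base <= 10.0:
        raise ValueError(f"CVSS score out of range: {cvss_base}")
    if cvss_base >= 7.0:
        return "HIGH"
    if cvss_base >= 4.0:
        return "MEDIUM"
    return "LOW"


@dataclass(frozen=True)
class Finding:
    host: str
    identifier: str          # vulnerability id from the scanner or advisory feed
    source: str              # "nvd" (patch standard) or "qualys" (vuln-mgmt standard)
    severity: float          # CVSS base score for nvd, Qualys severity 1-5 for qualys
    detected: date
    fixed: Optional[date] = None


def sla_days(f: Finding) -> Optional[int]:
    """Days allowed to remediate, or None when the standard sets no deadline."""
    if f.source == "nvd":
        return NVD_SLA_DAYS[nvd_severity(f.severity)]
    if f.source == "qualys":
        return QUALYS_SLA_DAYS.get(int(f.severity))
    raise ValueError(f"unknown finding source: {f.source}")


def due_date(f: Finding) -> Optional[date]:
    """Deadline derived from detection date plus the SLA window."""
    days = sla_days(f)
    return None if days is None else f.detected + timedelta(days=days)


def status(f: Finding, today: date) -> str:
    """One of: no-deadline, fixed, fixed-late, open (within SLA), overdue."""
    due = due_date(f)
    if due is None:
        return "no-deadline"
    if f.fixed is not None:
        return "fixed" if f.fixed <= due else "fixed-late"
    return "overdue" if today > due else "open"


def overdue_report(findings: List[Finding], today: date) -> List[Tuple[str, str, int]]:
    """(host, identifier, days past deadline) for every overdue finding, worst first."""
    rows = []
    for f in findings:
        if status(f, today) == "overdue":
            rows.append((f.host, f.identifier, (today - due_date(f)).days))
    return sorted(rows, key=lambda r: r[2], reverse=True)


# Constructed sample data; identifiers are placeholders, not real advisories.
TODAY = date(2015, 10, 14)
SAMPLE_FINDINGS = [
    Finding("srv-a", "FINDING-1", "nvd", 9.3, date(2015, 10, 1)),                        # HIGH: due Oct 8, still open
    Finding("srv-a", "FINDING-2", "nvd", 5.0, date(2015, 10, 5)),                        # MEDIUM: due Oct 19
    Finding("srv-b", "FINDING-3", "nvd", 2.1, date(2015, 9, 1), date(2015, 9, 20)),      # LOW: due Sep 29, fixed in time
    Finding("srv-b", "FINDING-4", "qualys", 5, date(2015, 10, 2)),                       # sev 5: due Oct 9, still open
    Finding("srv-c", "FINDING-5", "qualys", 2, date(2015, 8, 1)),                        # sev 2: no deadline set
    Finding("srv-c", "FINDING-6", "nvd", 7.0, date(2015, 9, 1), date(2015, 9, 15)),      # HIGH: due Sep 8, fixed late
]

if __name__ == "__main__":
    for f in SAMPLE_FINDINGS:
        print(f"{f.host:6} {f.identifier:10} {status(f, TODAY):12} due={due_date(f)}")
    print("overdue:", overdue_report(SAMPLE_FINDINGS, TODAY))
```

The two rows are kept as separate lookup tables rather than merged into one severity scale because a Qualys severity is a scanner rating and a CVSS score is an advisory rating; collapsing them would let a finding satisfy one clock while missing the other.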

6 Questions and Discussion ruthm@stanford.edu

