Application Standard
Introduction
Scope
Administrative Applications
Academic Applications
Network Applications
1.0 Introduction
1.1 Purpose
This document will establish a framework for the management of Application programs used in support of the MnSCU mission.
1.2 Background
MnSCU has adopted a defense in depth strategy for Information Security. Application security, based on sound data protection strategy, is one layer of this security model.
2.0 Scope
2.1 Users
This standard shall apply to all users of MnSCU application programs.
2.2 Systems
This standard shall apply to all multi-user application programs, custom or commercial, that process, handle, or transmit MnSCU data in any form.
2.3 Application types
For purposes of discussion, the application types are defined as follows:
2.3.1 Administrative applications
Administrative applications are those application programs used in the administration of MnSCU business units, such as ISRS.
2.3.2 Academic applications
Academic applications are those application programs used in the furtherance of academic pursuit, such as Instructional Management systems.
2.3.3 Network applications
Network applications are those application programs used to facilitate transmission of information across networks, such as DNS.
3.0 Administrative Applications
3.1 General
3.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
- All Administrative Applications shall be approved by the Information Security Manager or designee.
3.1.2 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Administrative Applications shall utilize NTP synchronized internal system clocks.
3.1.3 Maintenance Ports
Unattended maintenance accounts may allow unauthorized escalation of privileges.
- No unattended maintenance accounts shall be allowed on any Administrative Applications.
3.1.4 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to applications.
- All default username/password combinations shall be changed on all Administrative Applications.
- All default accounts shall be justified or deleted on all Administrative Applications.
3.1.5 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Administrative Applications.
- User accounts unused for 90 days shall be disabled
- User accounts shall not be shared.
3.1.6 User passwords
Social engineering may be performed to compromise user accounts.
- Password recovery shall require positive identification.
3.1.7 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
3.1.8 Logging
Logging is crucial to accurate event reconstruction.
- All Administrative Applications shall enable logging.
- All Administrative Application log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Administrative Applications shall log to a discrete logfile on an authorized log repository.
3.1.9 Administrative application changes
Changes must be controlled to ensure consistency.
- All Administrative Application changes shall be governed by a Configuration Control process.
- Any Administrative Application change shall require:
  - re-baselining of the host server network audit.
  - re-baselining of the host server operating system.
3.1.10 Emergency Maintenance
Emergency access must be available as a contingency.
- The Information Security Manager or designee shall be authorized to grant temporary emergency access rights to Administrative Applications.
3.1.11 Audit
Audit accounts must be based upon documented business requirements.
- Authorized Auditors shall be granted temporary access to information assets for the length of time required in the performance of their duties.
- Authorized Auditor access shall be approved by the Deputy Director of Internal Auditing and the Information Security Director.
3.1.12 Administrative Application permissions
Directory or file permissions must be controlled to preclude compromise.
- Administrative Applications shall not have write or modify privileges outside their directories.
- Administrative Applications shall not have write or modify privileges to any directory that has execute permissions.
3.2 UNRESTRICTED
3.2.1 Data
- Data shall be protected from unauthorized modification or destruction.
3.2.2 Administration
3.2.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Administrative Applications.
3.2.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.2.2.3 Administrative passwords
- There shall be no administrator default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
3.2.3 Users
3.2.3.1 User Authorization
- Users shall be granted unrestricted read-only access.
3.3 RESTRICTED
3.3.1 Data
- Data shall be protected from unauthorized modification or destruction.
3.3.2 Administration
3.3.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Administrative Applications.
3.3.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.3.2.3 Administrative passwords
- There shall be no administrator application default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
3.3.3 Users
3.3.3.1 User Authorization
- User authorization shall be role based.
3.3.3.2 User Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days notice prior to password expiration shall be given.
3.4 PROTECTED
3.4.1 Data
- Data shall be protected from unauthorized modification or destruction.
3.4.2 Administration
3.4.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Administrative Applications.
3.4.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
3.4.2.3 Administrative passwords
- There shall be no administrator application default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
3.4.3 Users
3.4.3.1 User Authorization
- User authorization shall be role based.
3.4.3.2 User Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities.
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days notice prior to password expiration shall be given.
4.0 Academic Applications
4.1 General
4.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
- All Academic Applications shall be approved by the Information Security Manager or designee.
4.1.2 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Academic Applications shall utilize NTP synchronized internal system clocks.
4.1.3 Maintenance Ports
Unattended maintenance accounts may allow unauthorized escalation of privileges.
- No unattended maintenance accounts shall be allowed on any Academic Applications.
4.1.4 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to applications.
- All default username/password combinations shall be changed on all Academic Applications.
- All default accounts shall be justified or deleted on all Academic Applications.
- User accounts shall not be shared.
4.1.5 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Academic Applications.
- User accounts unused for 90 days shall be disabled
4.1.6 User passwords
Social engineering may be performed to compromise user accounts.
- Password recovery shall require positive identification.
4.1.7 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
4.1.8 Logging
Logging is crucial to accurate event reconstruction.
- All Academic Applications shall enable logging.
- All Academic Application log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Academic Applications shall log to a discrete logfile on an authorized log repository.
4.1.9 Academic application changes
Changes must be controlled to ensure consistency.
- All Academic Application changes shall be governed by a Configuration Control process.
- Any Academic Application change shall require:
  - re-baselining of the host server network audit.
  - re-baselining of the host server operating system.
4.1.10 Emergency Maintenance
Emergency access must be available as a contingency.
- The Information Security Manager or designee shall be authorized to grant temporary emergency access rights to Academic Applications.
4.1.11 Audit
Audit accounts must be based upon documented business requirements.
- Authorized Auditors shall be granted temporary access to information assets for the length of time required in the performance of their duties.
- Authorized Auditor access shall be approved by the Deputy Director of Internal Auditing and the Information Security Director.
4.1.12 Academic Application permissions
Directory or file permissions must be controlled to preclude compromise.
- Academic Applications shall not have write or modify privileges outside their directories.
- Academic Applications shall not have write or modify privileges to any directory that has execute permissions.
4.2 UNRESTRICTED
4.2.1 Data
- Data shall be protected from unauthorized modification or destruction.
4.2.2 Administration
4.2.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Academic Applications.
4.2.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.2.2.3 Administrative passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.2.3 Users
4.2.3.1 Instructors
4.2.3.1.1 Instructor authorization
- Only authorized instructors shall have instructional access to Academic Applications.
4.2.3.1.2 Instructional passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire after no longer than 180 days.
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.2.3.2 Students
4.2.3.2.1 Student Authorization
- Users shall be granted unrestricted read-only access.
4.3 RESTRICTED
4.3.1 Data
- Data shall be protected from unauthorized modification or destruction.
4.3.2 Administration
4.3.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Academic Applications.
4.3.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.3.2.3 Administrative passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.3.3 Users
4.3.3.1 Instructors
4.3.3.1.1 Instructor authorization
- Only authorized instructors shall have instructional access to Academic Applications.
4.3.3.1.2 Instructional passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire after no longer than 180 days.
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.3.3.2 Students
4.3.3.2.1 Student Authorization
- Only authorized students shall have student access to Academic Applications.
4.3.3.2.2 Student Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days notice prior to password expiration shall be given.
4.4 PROTECTED
4.4.1 Data
- Data shall be protected from unauthorized modification or destruction.
4.4.2 Administration
4.4.2.1 Administrative authorization
- Only authorized roles shall have administrative access to Academic Applications.
4.4.2.2 Administrative accounts
- Authorized administrators shall have unique accounts
4.4.2.3 Administrative passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire every 30 days
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.4.3 Users
4.4.3.1 Instructors
4.4.3.1.1 Instructor authorization
- Only authorized instructors shall have instructional access to Academic Applications.
4.4.3.1.2 Instructional passwords
- There shall be no Academic Application default password.
- Passwords shall be unique for each account.
- Passwords shall expire after no longer than 180 days.
- Passwords shall be a minimum 8 characters in length
- Passwords shall be a mixture of characters and numbers
4.4.3.2 Students
4.4.3.2.1 Student Authorization
- Only authorized students shall have student access to Academic Applications.
4.4.3.2.2 Student Passwords
- Administrators shall assign user accounts a password that allows one-time log-in and requires immediate change.
- Passwords shall be a minimum of 8 characters in length
- Passwords shall contain a mixture of characters and numbers.
- Users shall be allowed to change their own passwords with system utilities
- Passwords shall expire after no longer than 180 days.
- Five grace log-ins shall be allowed after expiration of a user password or 14 days notice prior to password expiration shall be given.
5.0 Network Applications
Network Applications furnish the network services required for the operation of the MnSCU infrastructure. As such they serve as both potential portals through the security perimeter, as well as a network single point of failure.
5.1 General
5.1.1 Procurement
Uncontrolled procurement may introduce unknown risk.
- All Network Applications shall be approved by the Information Security Manager or designee.
5.1.2 System Time
Accurate system time is required for proper event reconstruction and forensics.
- All Network Applications shall utilize NTP synchronized internal system clocks.
5.1.3 Maintenance Ports
Unattended maintenance accounts may allow unauthorized escalation of privileges.
- No unattended maintenance accounts shall be allowed on any Network Applications.
5.1.4 Default username/passwords and accounts
Default username/passwords and accounts may allow unauthorized access to applications.
- All default username/password combinations shall be changed on all Network Applications.
- All default accounts shall be justified or deleted on all Network Applications.
5.1.5 User accounts
Active user accounts should be based upon documented business requirements.
- All unnecessary user accounts shall be disabled on all Network Applications.
- User accounts unused for 90 days shall be disabled.
- User accounts shall not be shared.
5.1.6 User passwords
Social engineering may be performed to compromise user accounts.
- Password recovery shall require positive identification.
5.1.7 Log-on warnings
Log-on warnings inform users of rights, obligations, and recourse.
- A log-on banner informing users as to authorizations and recourse shall be presented on each log-on attempt.
5.1.8 Logging
Logging is crucial to accurate event reconstruction.
- All Network Applications shall enable logging.
- All Network Application log-ons shall be logged.
- All logging shall be time stamped with NTP synchronized time base.
- All Network Applications shall log to a discrete logfile on an authorized log repository.
5.1.9 Network application changes
Changes must be controlled to ensure consistency.
- All Network Application changes shall be governed by a Configuration Control process.
- Any Network Application change shall require:
  - re-baselining of the host server network audit.
  - re-baselining of the host server operating system.
5.1.10 Emergency Maintenance
Emergency access must be available as a contingency.
- The Information Security Manager or designee shall be authorized to grant temporary emergency access rights to Network Applications.
5.1.11 Administrative access
Administrative access must be controlled.
- Administrative access to all Network Applications shall be protected by access lists.
- Administrative access to all Network Applications shall be limited to authorized roles.
- Authorized administrators shall have unique accounts
- Administrative passwords shall be unique for each account.
5.1.12 Network application permissions
Directory or file permissions must be controlled to preclude compromise.
- Network Application daemons shall not have write or modify privileges outside their directories.
- Network Application daemons shall not have write or modify privileges to any directory that has execute permissions.
5.2 DNS
- Zone transfers external to the MnSCU network shall be limited to authorized secondary name servers.
- At least one secondary name server shall be external to the MnSCU network.
5.3 SMTP
- No open mail relay shall be allowed
- Email filters shall be incorporated for virus detection
5.4 WWW
- Webserver applications shall not have write or modify privileges outside their directories.
- Webserver applications shall not have write or modify privileges to any directory that has execute permissions.
5.5 Directory Services
- Only authorized roles shall modify Directory Service schema or objects.
5.6 Remote Authentication
- Authentication shall be performed against campus Directory Services.
5.7 Terminal Services
- Terminal services shall be governed by the protection requirements of the Data Protection standard.
5.8 NTP
- A facility time server shall be available throughout the network, synchronized to a Stratum One NTP server, or equivalent.
- All network devices shall synchronize internal time bases with the facility time server.
5.9 DHCP
- All DHCP leases shall be logged, sufficient to correlate IP to machine and time.
5.10 Network Address Translation
- All NAT will be logged sufficient to correlate internal and external IP addresses and ports to time
5.11 Anti-virus
- All anti-virus applications shall quarantine or delete suspected malicious code with no user over-ride capabilities.
- All anti-virus applications shall have automatic signature update capabilities.


