Compliance and Exception Process:
- Q: When is a MinSec standard exception needed?
- A: When a MinSec standard as a whole cannot be met. For example, a MinSec exception is not needed when a single patch, or a small subset of patches, cannot be applied as specified by the Patching standard.
- Q: How do I get started bringing my servers into compliance with the Stanford Minimum Security Standards (MinSec)?
- A: To get started bringing your servers into compliance with the MinSec standards, the Information Security Office (ISO) has developed quick start guides for information security on Stanford-managed Linux and Windows servers. Please see the Windows MinSec Cookbook and the Linux MinSec Cookbook for more information.
- Q: What if I cannot meet some or all of the Minimum Security Standards for my servers, applications, or endpoints? Can I request a compliance exception? Who should submit the request?
- A: If you cannot meet some or all of these standards for your servers or applications, please fill out the temporary Minimum Security Standards server and application exception request. These requests should be submitted by the server or application Business Owner. If you cannot meet some or all of these standards for your endpoints, please fill out the temporary Minimum Security Compliance Exception Request form. These requests should be submitted by the endpoint's primary user. See Request a MinSec Exception for more information.
- Q: Is there a different process for processing exception requests for endpoints vs. servers and applications?
- A: Yes. The endpoint compliance exception request form starts a review process that is managed in RedCap, while the server and application exception request starts a review process that is managed in ServiceNow.
- Q: Do I need to submit a temporary exception request for each of my servers/applications?
- A: You can submit one exception request for all servers/applications for which you want an exception from the same standard(s).
- Q: My current system/application is not MinSec compliant, but will be replaced by a different system/application in the future. I don't want to divert resources to update a system that is going to go away in X amount of time. Can I submit a MinSec exception until the old system is decommissioned?
- A: No. If a system/application is not meeting MinSec compliance, but there is a plan to replace it with a newer MinSec compliant system, the existing system will simply stay non-compliant until decommissioned.
- Q: What are the eligibility criteria for a temporary Minimum Security Compliance Exception for my server or application?
- A: A server or application is eligible if:
- It is not supported by an up-to-date OS or application
- The OS or application cannot meet a specific MinSec standard because of a technical dependency. An exception may be granted on a case-by-case basis as long as there is an upgrade plan for a system that is scheduled to be decommissioned or replaced by another system.
- No updates are available for a vendor-supported system
- The system does not support password complexity requirements
- Q: How long does a MinSec exception last?
- A: An approved MinSec Temporary Exception for servers/applications will be valid for up to three years at the discretion of the Information Security Office. An approved MinSec Temporary Compliance Exception for endpoints will be valid for up to one year.
- Q: I am having trouble meeting the MinSec deadline for my systems; can I get an extension by submitting an exception request?
- A: Minimum Security Standards Exception Requests are intended for servers and applications that cannot meet MinSec standards, not as an extension for MinSec compliance deadlines.
- Q: I cannot patch my system because the reboot will cause an outage of the service to my end users.
- A: System managers and business owners should have negotiated maintenance windows for their systems that allow for the application of security patches on a schedule that is in compliance with the Minimum Security Standards.
- Q: I cannot patch my system because I am unsure whether the patches will break a custom application.
- A: System managers should have test environments in place to perform impact analysis of changes to their environment. Exception requests will not be granted based on a suspicion of an impact that has not been validated by testing or vendor input.
- Q: Where can I get an overview of my systems' information security vulnerabilities?
- A: Submit a request for a Qualys account, then log in to Qualys to view vulnerabilities. For more information, see the Vulnerability Management service page.
- Q: For Qualys reported vulnerabilities, do I need to address “potential” vulnerabilities or just “confirmed” vulnerabilities?
- A: In order to meet MinSec compliance, both potential and confirmed vulnerabilities need to be addressed.
- Q: In what order should I prioritize mitigation for potential and confirmed Severity 3/4/5 vulnerabilities?
- A: Mitigation for confirmed and potential vulnerabilities should be prioritized in the order shown in the following table, ranging from 1 (highest priority) to 18 (lowest priority).

Mitigation Prioritization

Severity          Server Classification: High   Server Classification: Moderate   Server Classification: Low
5 - Confirmed     1                             5                                 9
5 - Potential     2                             6                                 10
4 - Confirmed     3                             7                                 11
4 - Potential     4                             8                                 12
3 - Confirmed     13                            15                                17
3 - Potential     14                            16                                18
- Q: If Qualys shows a vulnerability and there is no patch available from the vendor, is a MinSec exception needed?
- A: No. If there is no patch from a vendor for a vulnerability reported in Qualys, a MinSec exception is not needed. In the absence of a patch, explore alternative solutions and compensating controls that may be recommended by the vendor.
- Q: How do I handle false-positive vulnerabilities in Qualys?
- A: If Qualys is showing a vulnerability that is investigated and found to be a false positive, a MinSec exception is not needed. The sysadmin should go into Qualys, set the false-positive vulnerability as Ignored, and note in the comments section that the vulnerability is a false positive.
- Q: Who is responsible for updating Qualys for false-positives?
- A: Each organization is responsible for managing their own assets in Qualys, including ignoring vulnerabilities that are false positives.
- Q: How can I request Qualys API access?
- A: Go to https://stanford.service-now.com/services?id=get_help&cmdb_ci=acd7c11a1374e20063eadf82e144b07d and request a Qualys API account. ISO will work with you to identify the appropriate API account permissions.
- Q: What does “Remediate” mean in the Vulnerability Management standard?
- A: To investigate identified vulnerabilities, ignore false positives in Qualys, address any configuration problems, and/or apply patches when available from the vendor.
Whole Disk Encryption:
- Q: Is the BitLocker startup PIN required to be compliant for whole disk encryption?
- A: It is highly recommended that all BitLocker features, including a startup PIN, be utilized; however, the startup PIN can be removed for systems that require unattended reboots.
- Q: Who should be updating each organization's IT System Inventory worksheets each month to reflect current MinSec adoption status?
- A: Each organization has designated a point person who is accountable for ensuring that their inventory worksheet and MinSec adoption status are updated on a monthly basis. Please contact your ISO Consulting liaison if you do not know who that person is. The Operations Owner for each server and/or application is responsible for informing the associated Business Owner of any changes to that server or application's MinSec adoption status. The Operations Owner is also responsible for providing this information to their organization's accountable point person, who makes the update to the inventory worksheet, unless the point person has delegated to them the responsibility and ability to update their server or application's information in the inventory worksheet themselves.
- Q: Do host-based firewalls have to be configured to allow port scanning by Qualys scanners?
- A: Host-based firewalls should permit only the minimum necessary ports/protocols, blocking everything else that does not support a business need. A system administrator should not explicitly block Qualys scanner IP addresses. Network-based firewalls should permit ISO vulnerability scans to pass through unfettered.
- Q: If I have two-step authentication on my VPN, do I still need it on my server?
- A: Yes, two-step authentication must be installed on your server to comply with Minimum Security Standards. For installation instructions, see Two-Step Authentication for Servers and Applications.
- Q: I am running a system that does not support two-step authentication. What is an adequate compensating control to mitigate the security risk?
- A: Any authentication mechanism such as RADIUS that enforces two-step authentication is a suitable compensating control for systems that do not support native two-step authentication. Alternatively, the Stanford University Network Access Control (SUNAC) service can also be used as a compensating control.
- Q: Is sending logs to a University Splunk instance required to meet this standard?
- A: While University Splunk is not required, ISO may require logs from critical systems to be sent to Splunk for security monitoring and incident investigation.
Sysadmin and Developer Training:
- Q: How can I tell if someone completed a SISA class this calendar year?
- A: Ask the employee to review their STARS Training History and send you their completion certificate or a screen capture of the completed course.
- Q: How can I satisfy the sysadmin/developer training requirement if I cannot attend one of the in-person classes?
- A: You can take one of the online (self-paced) classes which does not require previous completion of the Information Security I prerequisite.
- Q: How do I satisfy the Malware Protection and Intrusion Detection MinSec standards on my Windows server?
- A: Windows servers can satisfy both of these MinSec requirements by implementing CrowdStrike.
- Q: How do I satisfy the Intrusion Detection MinSec standard on my Linux server?
- A: Linux servers satisfy the Intrusion Detection requirement by implementing File Integrity Monitoring with OSSEC. Legacy systems that cannot run OSSEC can also satisfy this requirement using TripWire.
- Q: What kind of data center do I need to comply with the Physical Protection MinSec standard?
- A: The system administrator should use their own judgment. The intent of this standard is to ensure that servers cannot be easily stolen. Servers should be housed behind a locked door, and access should be restricted to authorized sysadmins only, preferably with a spring-loaded door, video surveillance, and a card reader. A locked office does not suffice.
Dedicated Admin Workstation:
- Q: What is a PAW and who needs one?
- A: Please see the Privileged Access Workstation (PAW) service page for more information about PAWs and who is required to obtain one.
Security, Privacy, and Legal Review:
- Q: Do I need to file a Privacy, Security, and Legal review for my existing systems?
- A: No, a Privacy, Security, and Legal review is not needed for existing systems.
Regulated Data Security Controls:
- Q: If my systems are MinSec compliant, does that mean they are also HIPAA or PCI-DSS compliant?
- A: No, in order to meet specific regulatory security control requirements, your system must also meet the appropriate security requirements. For example, in order to meet HIPAA requirements, your system also has to meet the HIPAA Administrative, Technical, and Physical Security Rules.