Q: How do I get started bringing my servers into compliance with the Stanford Minimum Security Standards?
A: To get started bringing your servers into compliance with the Minimum Security (MinSec) standards, the Information Security Office (ISO) has developed quick-start guides for information security on Stanford-managed Linux and Windows servers. Please see the Windows MinSec Cookbook and the Linux MinSec Cookbook for more information.
Q: Do I need to file a Privacy, Security, and Legal review for my existing systems?
A: No, a Privacy, Security, and Legal review is not needed for existing systems.
Q: What if I cannot meet some or all of the Minimum Security Standards for my endpoint?
A: If you cannot meet some or all of these standards, please fill out the temporary Minimum Security Compliance Exception request form for your endpoint. See Request a Compliance Exception for more information.
Q: What is a PAW and who needs one?
A: Please see the Privileged Access Workstation (PAW) service page for more information about PAWs, and who is required to obtain one.
Q: Do I need to submit a temporary exception request for each of my servers/applications?
A: You can submit one exception request for all servers/applications for which you want an exception from the same standard(s). Exceptions can be requested by opening a Help ticket.
Q: What are the eligibility criteria for a temporary Minimum Security Compliance Exception for my server or application?
A: A temporary exception may be requested when one of the following applies:
- The standard is not supported by the (up-to-date) OS or application
- The OS or application cannot be updated because of a critical dependency on the current version
- No updates are available for the vendor-supported system
- The system doesn't support the password complexity requirements
- Remote staff are unable to attend SISA training in person
Q: How long does a MinSec exception last?
A: An approved MinSec Temporary Exception will be valid for up to three years.
Q: What kind of data center do I need to comply with the Physical Protection MinSec standard?
A: The system administrator should use their own judgment. The intent of this standard is to ensure that servers cannot be easily stolen. Servers should be housed behind a locked door, and access should be restricted to authorized sysadmins only, preferably with a spring-loaded door, video surveillance, and a card reader. A locked office does not suffice.
Q: How do I satisfy the Malware Protection MinSec standard on my Linux server?
A: Linux servers satisfy the Malware Protection requirement by implementing File Integrity Monitoring with OSSEC.
Q: How do I satisfy the Intrusion Detection MinSec standard on my Linux server?
A: Linux servers satisfy the Intrusion Detection requirement by implementing File Integrity Monitoring with OSSEC. Legacy systems that cannot run OSSEC can also satisfy this requirement using Tripwire.
Q: How do I satisfy the Malware Protection and Intrusion Detection MinSec standards on my Windows server?
A: Windows servers can satisfy both of these MinSec requirements by implementing Application Whitelisting with Carbon Black Protection (formerly Bit9).
Q: If I have Two-Step Authentication on my VPN, do I still need it on my server?
A: Yes, Two-Step Authentication must be installed on your server to comply with the Minimum Security Standards. For installation instructions, see Two-Step Authentication for Servers and Applications.
Q: I am running a system that does not support two-step authentication. What is an adequate compensating control to mitigate the security risk?
Q: I am having trouble meeting the MinSec deadline for my systems, can I get an extension by submitting an exception request?
Q: Where can I get an overview of my systems' information security vulnerabilities?