Skip to content Skip to site navigation Skip to service navigation

Minimum Security Standards Frequently Asked Questions

Q:  How do I get started bringing my servers into compliance with the Stanford Minimum Security Standards?

A:  To get started bringing your servers into compliance with the Minimum Security (MinSec) standards, the Information Security Office (ISO) has developed quick start guides for Information Security on Stanford managed Linux and Windows servers. Please see the Windows MinSec Cookbook and the Linux MinSec Cookbook for more information.


Q:  Do I need to file a Privacy, Security, and Legal review for my existing systems?

A:  No, a Privacy, Security, and Legal review is not needed for existing systems.


Q.  What if I cannot meet some or all of the Minimum Security Standards for my endpoint?

A:  If you cannot meet some or all of these standards, please fill out the temporary Minimum Security Compliance Exception request form for your endpoint. See Request a Compliance Exception for more information.


Q.  What is a PAW and who needs one?

A:  Please see the Privileged Access Workstation (PAW) service page for more information about PAWs, and who is required to obtain one.


Q.  Do I need to submit a temporary exception request for each of my servers/applications?

A:  You can submit one exception request for all servers/applications for which you want an exception from the same standard(s). Exceptions can be requested by opening a Help ticket.


Q.  What are the eligibility criteria for a temporary Minimum Security Compliance Exception for my server or application?

  • If not supported by (up-to-date) OS or application
  • OS or application cannot be updated because of a critical dependency on version
  • No updates available for vendor supported system
  • System doesn't support password complexity requirements
  • Remote staff unable to attend SISA training in person


Q.  How long does a MinSec exception last?

A:  An approved MinSec Temporary Exception will be valid for up to three years.


Q.  What kind of data center do I need to comply with the Physical Protection MinSec standard?

A:  The system administrator should use their own judgment. The intent of this standard is to ensure that servers cannot be easily stolen. Servers should be housed behind a locked door, and access should be restricted to authorized sysadmins, only, preferably with a spring-loaded door, video-surveillance, and a card reader. A locked office does not suffice.


Q.  How do I satisfy the Malware Protection MinSec standard on my Linux server?

A:  Linux servers satisfy the Malware Protection requirement by implementing File Integrity Monitoring with OSSEC


Q.  How do I satisfy the Intrusion Detection MinSec standard on my Linux server?

A:  Linux servers satisfy the Intrusion Detection requirement by implementing File Integrity Monitoring with OSSEC. Legacy systems that cannot run OSSEC can also satisfy this requirement using TripWire.


Q.  How do I satisfy the Malware Protection and Intrusion Detection MinSec standards on my Windows server?

A:  Windows Servers can satisfy both of these MinSec requirements by implementing Application Whitelisting with Carbon Black Protection (formerly Bit9).


Q.  If I have Two-Step Authentication on my VPN, do I still need it on my server?

A.  Yes, Two-Step Authentication must be installed on your server to comply with Minimum Security Standards. For installation instructions, see Two-Step Authentication for Servers and Applications.


Q: I am running a system that does not support two-step authentication. What is an adequate compensating control to mitigate the security risk?

A: Any authentication mechanism such as RADIUS that enforces two-step authentication is a suitable compensating control for systems that do not support native two-step authentication. Alternatively, the Stanford University Network Access Control (SUNAC) service can also be used as a compensating control.


Q: I am having trouble meeting the MinSec deadline for my systems, can I get an extension by submitting an exception request?

A: Minimum Security Standards Exception Requests are intended for servers and applications that cannot meet MinSec standards, not as an extension for MinSec compliance deadlines.


Q: Where can I get an overview of my systems' information security vulnerabilities?

A: Submit a request for a Qualys account, then log in to Qualys to view vulnerabilities. For more information, see the Vulnerability Management service page.
Last modified April 11, 2017