| Component | Details | Points | Source |
|---|---|---|---|
| University Security Initiative Promulgation | Assessment of the organization's promulgation of key Information Security initiatives, such as Cardinal Key Adoption. |
|
% of mandated users enforced with Cardinal Key
|
| Endpoint Minimum Security Standards Adoption | Assessment of the organization’s compliance with endpoint security standards. This includes items such as endpoint encryption compliance and backup. |
|
BI reports -- % of endpoints compliant
|
|
|
Backups -- % of end user laptops and desktops backed up to central service
|
||
| Server Minimum Security Standards Adoption | Assessment of the organization’s compliance with server security standards regardless of server risk classification. |
|
High Risk: Minsec adoption level
|
|
|
High Risk: Minsec inventory attested as being up to date
|
||
|
|
Low and Moderate Risk: Minsec inventory attested as being up to date
|
||
| Application Minimum Security Standards Adoption | Assessment of the organization’s compliance with application security standards regardless of application risk classification. |
|
High Risk: Minsec adoption level
|
|
|
High Risk: Minsec inventory attested as being up to date
|
||
|
|
Low and Moderate Risk: Minsec inventory attested as being up to date
|
||
| Cloud Minimum Security Standards Adoption | Assessment of the organization’s awareness and adoption of Stanford’s cloud security standards. This is applicable to the SaaS, PaaS and/or IaaS services used by the organization. |
|
Participation in Cloud Security Program
|
| Attack Surface | Evaluation of the percentage of IP addresses assigned to an organization whose ports are exposed to the public internet which threat actors commonly abuse. The evaluated ports: 20, 21, 22, 23, 25, 53, 68, 69, 88, 110, 135, 137-139, 143, 161, 389, 445, 465, 636, 902, 1433, 1434, 1521, 3306, 3389, 4433, 4444, 5555, 6666, 7777, 8888, 9999, 5432, 5900, 6379, 9200, 27017, 27018. |
|
Shodan report: % of hosts with commonly abused ports open to the world
|
|
|
Documented business need for opened ports on host(s)
|
||
| Vulnerability Management | Evaluation of the organization’s ability to manage server and application vulnerabilities. This also factors in the age of identified vulnerabilities, the strength of the organization’s primary website cryptography and how quickly items are remediated that are found through the Stanford Bug Bounty program. |
|
Based on Qualys reports, # of Severity 5 vulnerabilities not remediated within 30 days
|
|
|
% of vulnerabilities older than 6 months
|
||
|
|
Participation in Bug Bounty Program
|
||
| Security Incidents | Evaluation of the frequency and severity of security related incidents across the organization. This includes items such as compromised endpoints, servers, websites, exposed credentials, and lost or stolen devices. |
|
Number of major or critical incidents resulting from MinSec non-compliance within the year
|
|
|
Lost/stolen devices (incl. personally owned used for Stanford, Stanford owned, USB, mobile, laptop, desktop)
|
||
| Resistance to Social Engineering | Assessment of how susceptible users in the organization are to various forms of social engineering attacks. This includes data from the Stanford Phishing Awareness Program and security incidents related to social engineering attack patterns. |
|
Average Phishing Awareness Program click rate over the last 6 months
|
|
|
Number of compromised accounts due to phishing
|
||
| Engagement with ISO | An assessment of how engaged the organization is with their primary ISO security partner and the attendance of the org’s IT contacts in ISO meetings, trainings, seminars and other functions. |
|
Attends regularly scheduled meetings with assigned ISO rep (at least quarterly). |
Cybersecurity Fitness Scorecard Components
Last modified March 6, 2024
