Guideline for Security of Systems

I. Purpose

The purpose of this guideline is to establish baseline security controls for University systems that access the University network.

II. Scope

The scope of this guideline includes all University systems that require access to University network resources. Each department and college is expected to implement the security controls listed in this document.

III. Contacts

Direct any general questions about this guideline to your unit’s Information Security Liaison. If you have specific questions, please contact OneIT Information Security Compliance at ISCompliance-group@uncc.edu.

IV. Guidelines

For this guideline, a system is defined as a host that provides a network-accessible service. System owners should identify the risk level of the system and apply the appropriate security controls outlined below. System owners should also maintain a documented inventory of their systems and include the owner contact information, list of administrative users, and system risk level. Privileged accounts should be audited at least annually and documentation of the audit maintained.

A. Low Risk Systems

A Low Risk system is defined by all of the following characteristics:

1. is not public facing
2. does not store or process Level 3 data
3. would not affect business operations if compromised or down for a significant period of time.

The following security controls should be applied.

Patching

Based on the National Vulnerability Database (NVD) ratings, apply critical severity security patches within 30 days of publishing and all other security patches within 90 days. Ensure use of a University-supported operating system version. See this FAQ for detailed Information.

Vulnerability Management

Utilize University-supported tools for authenticated vulnerability scans to identify and remediate vulnerabilities. See this FAQ for detailed information regarding the University’s vulnerability management tools.

Malware Protection

Install University-supported advanced malware protection with antivirus software. See this FAQ for more details.

Configuration Management

Utilize the University-supported configuration management framework. All systems should comply with CIS level 1 system hardening benchmarks. See this FAQ for detailed information regarding the University’s configuration management tools.

Centralized Authentication Services

Per the Standard for Security Requirements of Information Systems, information systems that store or process level 2 or level 3 University data must utilize multi-factor authentication via the University’s centrally managed authentication services. See this FAQ for detailed information. In cases where this isn’t feasible, use of the third-party’s multi-factor authentication is allowed. Exceptions to this standard must be approved by OneIT. For information systems that store or process level 1 or level 0 University data, multi-factor authentication should be utilized, if available.

Enterprise Infrastructure Services

Utilize University enterprise DNS, SMTP, and Active Directory services.

B. Moderate Risk Systems

A Moderate Risk system is defined by all of the following characteristics:

1. is not public facing
2. does not store or process Level 3 data
3. would moderately affect business operations if compromised or down for a significant period of time.

In addition to the controls applicable to low risk systems, the following security controls should also be applied to these systems.

Centralized Logging

Forward logs to the University-supported Security, Incident and Event Management (SIEM) solution. See this FAQ for detailed information regarding the University’s SIEM tool.

Encryption

Enable NIST SP 800-175B approved encryption for data at rest and in transit.

C. High Risk Systems

A High Risk system is defined by any of the following characteristics:

1. is public facing
2. stores or processes Level 3 data
3. would critically affect business operations if compromised or down for a significant period of time.

In addition to the controls applicable to low and moderate risk systems, the following security controls should also be applied to these systems.

Data Center

Public facing systems hosted on campus must be located in OneIT’s primary Data Center.

Security and Privacy Assessment

Contact OneIT to request a security and privacy assessment prior to deployment and implement recommendations. Annually, request a security and privacy assessment review of the system.

Host Intrusion Protection and File Integrity Monitoring

Install and configure the University-supported intrusion detection service/file integrity monitoring system. See this FAQ for detailed information.

Host-Based Firewall

Enable the host-based firewall in a default deny mode and permit the minimum necessary services.

Regulated Data Security Controls

Implement HIPAA, PCI-DSS, FERPA, etc. controls as applicable. Consult with OneIT prior to deployment.

D. Cloud Services

Systems hosted by cloud services may require additional specialized security controls to ensure appropriate protection levels and access to enterprise services in the cloud environment. Consult with OneIT prior to deployment.

V. Exceptions

Requests for exceptions to this guideline may be submitted to the Office of OneIT. See this FAQ for more information regarding the exception process.

Related Resources

• University Policy 311 Information Security
• Standard for Operations Security
• Standard for Security Requirements of Information Systems
• Guideline for Privileged Account Management
• ISO/IEC 27002

ISO/IEC 27002 was adopted by The University of North Carolina at Charlotte in 2012. All standards and guidelines are based on this code of practice for Information Security Management.

Revision History

Initially approved by Information Assurance Committee 2/10/20
Updated 11/03/22