The main purpose of defining Minimum Security Standards is to assist IT resource users and owners in determining the right level of protection. Owners of corresponding IT resources are responsible for implementing the necessary tasks to achieve the right level of protection. In many cases, services, tools and technical support are provided by ITSC to facilitate implementation of these tasks.
As its name suggests, it only contains a minimum and basic set of tasks required depending on the risk classification of the use of IT resources. In cases of doubt, it is always better to err on the side of caution and implement additional protection if affordable.
Currently, Minimum Security Standard is defined for the following IT Resources:
Users and owners of data should observe the Acceptable Practices for Handling High Risk Data.
Minimum Security Standard for Endpoints
| Standards | What to do? | Risk Category | |||
| High | Moderate | Low | |||
| 1 | Inventory | Maintain an up-to-date record at the department level See note. | Y | Y | Y |
| 2 | Firewall | Enable host-based firewall to deny unintended incoming connections See note. | Y | Y | Y |
| 3 | OS Patching | Apply OS security fixes within seven days of release | Y | Y | Y |
| 4 | Malware Protection | Deploy antivirus software with real-time protection and virus signature update See note. | Y | Y | Y |
| 5 | Supported OS | Use an OS version with vendor support on security fixes, otherwise arrange specialized firewall protection | Y | Y | Y |
| 6 | Access Control | Configure access control by requiring logon See note. | Y | Y | N |
| 7 | Physical Protection | Place in a secure location | Y | Y | N |
| 8 | Configuration Management | Enroll to Intune for configuration and security management See note. | Y | N | N |
| 9 | Disposal | Destroy (e.g. degauss) hard disk or SSD content before disposal | Y | N | N |
Notes:
* For risk classification purpose, an endpoint, if being used to store high-risk data, or being used to access high-risk applications, should be classified as high-risk. Endpoints used for university administrative purpose are most likely classified as high-risk.
1. Inventory should be kept at the department level rather than the central CITARS.
2. Host-based firewall on Windows will be enabled for devices joined on-premises active directory or managed by Microsoft Intune.
4. Microsoft Defender for Endpoint (MDE) will be installed for devices joined on-premises active directory or managed by Microsoft Intune. .
6. Logon to ITSC account is supported by AD or Azure AD join
8. Intune management currently only supports win10 or above.
Minimum Security Standard for Servers
| Standards | What to do? | Risk Category | |||
| High | Moderate | Low | |||
| 1 | Inventory | Maintain an up-to-date IT Resource Record. See notes | Y | Y | Y |
| 2 | Supported OS | Use a supported OS version; or arrange specialized firewall protection if not feasible | Y | Y | Y |
| 3 | Patch Management | Apply patches as suggested in Acceptable Practices for Server Patch Management | Y | Y | Y |
| 4 |
Malware Protection |
Deploy malware protection software for servers. See notes | Y | Y | Y |
| 5 | OS Hardening |
Apply OS hardening steps as suggested in Acceptable Practices for Hardening Server OS |
Y | Y | N |
| 6 | Deploy privilege account management | Manage privilege account as suggested in Acceptable Practices for privilege account management | Y | Y | N |
| 7 | Physical Protection | Place inside a secure data center environment | Y | Y | N |
| 8 | System Administrator Training | Ensure system administrator receive proper system administration training. See note | Y | Y | N |
| 9 | Vulnerability Management | Conduct vulnerability scan regularly. See notes | Y | Y | N |
| 10 | Backup | Deploy encrypted backup solution. See notes | Y | N | N |
| 11 | Remote Logging | Forward logs to a remote log server. See notes | Y | N | N |
| 12 | Disposal | Destroy (e.g. degauss) hard disk content before disposal | Y | N | N |
Notes
- ITSC Virtual Server Hosting VM, provisioned after Jul 2021, already meet items 5,10,11. For VM provisioned beforehand, please send an email to cchelp@ust.hk to request for relevant information.
- High, Moderate or Low risk servers should be registered using the central IT critical assets registration system provided by ITSC. Inventory of testing or temporary servers could be kept by departments.
4. ITSC currently recommends Microsoft Defender for Endpoint for Windows servers and Palo Alto Cortex XDR for Linux servers as the minimum level of protection.
- Departments must assign a system administrator who will ensure that the servers are properly protected. ITSC will arrange security training periodically for both Linux and Window servers.
- ITSC provides Nessus professional, an OS vulnerability scanning tool, for department to identify the vulnerability of their servers. Check here for details.
- If backup is conducted on any removable media like tapes, it must be encrypted.
- ITSC provides remote logging service for high risk servers. Please send an email to cchelp@ust.hk to request for relevant information.
Minimum Security Standard for Application Systems
| Standards | What to do? | Risk Category | |||
| High | Moderate | Low | |||
| 1 | Inventory | Maintain an up-to-date IT Resource Record. See note | Y | Y | Y |
| 2 | Security Fixes | Apply security fixes within 28 days of release; or configure specialized protection (e.g. firewall) if patching is not feasible | Y | Y | Y |
| 3 | Secure Data Transport | Use SSL (i.e. “https”) for all logon pages as well as displaying High Risk data. See notes | Y | Y | Y |
| 4 | Ongoing support for 3rd party software | Ensure ongoing security bug fixes are available in case of third-party application software | Y | Y | Y |
| 5 | Backup | Arrange regular backup of data | Y | Y | N |
| 6 | Application Development | Ensure software development follows Application Development Guidelines | Y | Y | N |
| 7 | Vulnerability Management | Conduct vulnerability scan before deployment and regularly afterwards. See note | Y | N | N |
| 8 | Security Review | Include security as a design during the initial project phase. See note | Y | N | N |
Notes
1. High, Moderate or Low risk applications must be registered using the central IT critical assets registration system provided by ITSC. Inventory of testing or temporary applications could be kept by departments.
3. ITSC CAS system is SSL based and is recommended for implementing central account authentication.
7. ITSC provides web application health check services.
8. Security as as design means having a holistic view on security risk associated with the application software, supporting operating platform and the ongoing operation procedures. Time and extra resources should be reserved. Users can consult ITSC for advise when developing applications with potential very severe risk implications.
Minimum Security Standard for Software as a Service (SaaS) on Cloud
| Standards | What to do? | Risk Category | |||
| High | Moderate | Low | |||
| 1 | Production Selection | Follow our Cybersecurity guideline of “Choosing Cloud service Provider” | Y | Y | Y |
| 2 | Inventory | Maintain an up-to-date IT resource record. See notes | Y | Y | Y |
| 3 | Credential management |
|
Y | Y | Y |
| 4 |
Encryption |
Enable transport layer encryption using TLS. |
Y | Y | Y |
| 5 |
2FA |
Enable 2FA if provided by the vendors |
Y | Y | N |
| 6 |
Logging |
Enable any available application logging that would assist in a forensic investigation in the event of a compromise. |
Y | Y | N |
| 7 |
Data Management |
Contractually ensure that HKUST data are purged upon termination of the agreement with accommodations as necessary to comply with any applicable regulatory requirements. |
Y | Y | N |
| 8 |
CSP checklist |
Complete the Cloud service provider checklist and submit to ITSC for approval before deployment. |
Y | N | N |
Notes
1. High, Moderate or Low risk cloud applications must be registered using the central IT critical assets registration system provided by ITSC.
For enquiries, please contact ITSC Service Desk.
Related Links