
Rowan University Office of Compliance and Corporate Integrity


Minimum Security Standards for Electronic Devices

I. Purpose

The purpose of the RowanSOM Minimum Security Standards is to define the information security standards for RowanSOM. These standards are mandatory requirements and establish an effective baseline of appropriate system, administrative, and physical controls to be applied to data based upon its classification. Specific information security guidelines and checklists are available to provide guidance on how to comply with these standards.

II. Scope

This standard applies to all RowanSOM data, including, but not limited to, student record data, personnel data, financial data (budget and payroll), student life data, departmental administrative data, police records and legal files, and all other data that pertains to, or supports, the mission and/or administration of RowanSOM or any of its functions.

III. Classification Levels

The Information Security Classification Policy identifies four categories of data: Restricted, Private, Internal and Public. For more information on these classification levels and the major responsibilities of the parties involved (i.e. Information Owners (Data Custodians), Information Managers and Information Users).

IV. Standard

The following security standards provide direction on the appropriate system, administrative and physical security controls.

A. Network

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| A network-based firewall (or functional equivalent) shall be implemented that denies traffic from networks and hosts that are not secured at this level. Network traffic shall be limited to only those services and ports considered essential for departmental business practices. Exceptions may be allowed to access required services if they are requested, reviewed, and do not compromise data security. | Required | Recommended | Not Applicable |
| Networks shall be scanned for vulnerabilities on a regular schedule. Vulnerabilities detected shall be remediated in a timely manner. Security detection tools (Intrusion Detection (IDS) and File Integrity Monitoring) shall be implemented. | Required | Recommended | Suggested |
| Devices processing or storing data shall log all significant security event information. Logs should be reviewed on a daily basis and retained for a minimum of 1 year. | Required | Recommended | Suggested |

B. Servers

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| Devices shall be housed in a physically secure location, accessible only to those with a business purpose. | Required | Recommended | Recommended |
| Security updates and patches shall be applied in a timely manner, or automatically when possible. Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
| Where possible, computer anti-virus shall be implemented and updated in a timely manner, or automatically when possible. | Required | Required | Required |
| Where available, a host-based firewall shall be implemented. | Required | Recommended | Recommended |
| Services and applications should be the minimum necessary to accomplish the required business functions. Passwords shall be changed from the vendor defaults. Systems shall be 'hardened' to a recognized standard, where available. | Required | Recommended | Recommended |
| Individual access to data shall be limited to only those needing access for legitimate purposes. | Required | Recommended | Not Applicable |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
| Only secure (encrypted) transmission shall be allowed. Only secure (encrypted) storage of restricted information shall be allowed, in the absence of mitigating controls (e.g. a physically secured area). | Required | Recommended | Not Applicable |
| Files shall be backed up and tested on a regular schedule, and stored in a secured location both on- and off-site. | Required | Recommended | Not Required |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the RowanSOM records management policy. | Required | Recommended | Not Required |

C. User Accounts

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| A process shall be established to create and assign, maintain, and verify a unique system identifier (i.e. UserID) for each user. | Required | Recommended | Recommended |
| Authentication to a system identifier shall be controlled by a mechanism implemented based upon the sensitivity of the data. | Required | Recommended | Recommended |

D. Desktop

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| Services and applications should be the minimum necessary to accomplish the required business functions. Passwords shall be changed from the vendor defaults. Systems shall be 'hardened' to a recognized standard, where available. | Required | Recommended | Recommended |
| Security updates and patches shall be applied in a timely manner, or automatically when possible. Computer system support staff must monitor for announced vulnerabilities in their hardware and software. | Required | Required | Required |
| Where possible, computer anti-virus shall be installed and updated automatically or in a timely manner. | Required | Required | Required |
| The amount of restricted information collected and stored shall be the minimum amount required for the efficient and effective conduct of business functions. | Required | Not Applicable | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the RowanSOM records management policy. | Required | Recommended | Not Required |
| Only secure (encrypted) storage of restricted information shall be allowed, in the absence of mitigating controls (e.g. a physically secured area). | Required | Recommended | Not Applicable |

E. Portable devices (laptops, cell phones, readers, etc.), removable media and non-RowanSOM-owned machines/equipment

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| Security standards for desktops are followed. | Required | Required | Required |
| Systems shall have a "strong password" and lock (or wipe) after 10 failed login attempts. | Required | Recommended | Not Applicable |
| Systems shall be remotely traceable, lockable and wipeable. | Required | Recommended | Not Applicable |
| Hardware, software and data shall be securely disposed of at the termination of business need, in accordance with the RowanSOM records management policy. Hardware not capable of being wiped shall be physically destroyed. | Required | Recommended | Not Required |
| Only secure storage (full disk/device encryption) shall be allowed. | Required | Recommended | Not Applicable |
| Use of non-RowanSOM-owned equipment | Not Allowed | Allowed, but Not Recommended | Allowed |

F. Software Development

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| Internally developed software shall be based on secure coding guidelines, and reviewed for common coding vulnerabilities. | Required | Recommended | Recommended |
| Access to data approved by a Data Owner shall not be shared with anyone who has not been given approval by that Data Owner. | Required | Not Applicable | Not Applicable |
G. Policy and Procedure

| Control Standard | Restricted/Private | Internal | Public |
|---|---|---|---|
| Each department shall establish a security policy, and corresponding procedures, to address the following: Computer Incident Response; Computer Incident Reporting; Annual Risk Assessment. | Required | Required | Required |
| Each department shall provide security awareness training (e.g. seminar, podcast, etc.) on an annual basis. | Required | Recommended | Recommended |
| Departments and Users shall utilize strong encryption prior to placing data in a "Cloud". | Required | Recommended | Not Applicable |
| Departments and users telecommuting shall follow the RowanSOM Human Resources guidelines and the corresponding "Remote Site Security Standards". | Required | Recommended | Recommended |