Standards

Standards define the mandatory settings, controls, and requirements that must be implemented to achieve policy objectives. Compliance with standards is measurable, allowing risks to be identified, quantified, and managed at various organizational levels within the university.

There are two types of standards in the Policy:

  • General control standards describe the tasks that must be accomplished and controls that must be put in place to comply with information security policies. They apply broadly to all software and hardware implementations, and are therefore written in platform-neutral, or generic, language. General control standards are derived from a combination of university policies, the laws and regulations that apply to the university, and generally-accepted information security practices in the higher education sector.
  • Technical control standards describe the specific steps (procedures, configuration settings, etc.) that should be used to implement the tasks and controls specified by one or more general control standards with a particular software or hardware product(s). Technical control standards are usually derived from general control standards; they are rarely derived directly from policy.

Organization

The New School information security program is built on a foundation of 21 principles that reflect the information security goals and intent of the university's senior leadership and underpin the development of the policies, standards, and procedures. In general, there will be one general control standard and zero or more technical control standards for each principle.

Governance and Compliance

1. Information Security Governance  
2. Information Security Policy  
3. Accountability and Ownership  
4. Security Education and Awareness  
5. Legal and Regulatory Compliance  

Risk Management

6. Information Risk Management  
7. Asset Management  
8. Third Party Management  

Infrastructure

9. Physical and Environmental Security  
10. System Configuration  
11. System Monitoring  
12. Network Security  
13. Electronic Communication  
14. Business Continuity and Disaster Recovery  

Applications

15. Application Security  
16. System Development  
17. Change Management  

Security Services

18. Identity and Access Management  
19. Malware Protection  
20. Cryptography  
21. Incident Management    

Compliance

Compliance with standards is mandatory, but the audience varies by standard. Consult the individual standards documents for details.

The standards contained in the Policy represent baseline, or minimum, requirements that must be met by all offices and departments of the university. As appropriate and necessary, additional standards may be established at the office or department level to codify office-specific or department-specific requirements. These additional standards may supplement, but never reduce, the level of security required by the Policy.

Documents

The table below shows the status of standards documents that have been approved, are currently under development, or are planned for future development. Last update: Feb. 21, 2013

| Document | Version | Approved | Compliance Plan |
| --- | --- | --- | --- |
| General Controls for Information Security Governance | To be developed | - | - |
| General Controls for Accountability and Ownership | Draft currently in final approval | - | - |
| General Controls for Security Training and Awareness | 1.0 | 10/21/2012 | Security awareness training is under development to be delivered in 2013 |
| General Controls for Managing the Legal Aspects of Information Security | 1.0 | 10/19/2012 | - |
| General Controls for Information Risk Management | To be developed | - | - |
| General Controls for Asset Management | To be developed | - | - |
| General Controls for Handling Sensitive Information | 1.2 | 9/3/2013 | Mandatory |
| General Controls for Third Party Management | To be developed | - | - |
| General Controls for Physical and Environmental Security | To be developed | - | - |
| General Controls for System Configuration | 1.0 | 12/06/2011 | Systems will be brought into compliance with this standard as the technical controls standards for the various systems are implemented. |
| Technical Controls for Securing Microsoft Windows Server 2008 | 1.0 | 2/12/2013 | Systems will be brought into compliance through the use of Active Directory Group Policy. |
| Technical Controls for Securing Microsoft Windows 7 | 1.0 | 2/12/2013 | Systems will be brought into compliance with a combination of a standard New School Windows 7 image loaded onto all machines at the manufacturer and Active Directory Group Policy. |
| Technical Controls for Securing Apple Mac OS X 10 | 1.0 | 2/12/2013 | Information Technology lab systems are already in compliance (with a few minor exceptions that will be corrected in the next image). New systems rolled out, and existing office systems, will be brought into compliance manually. |
| Technical Controls for Securing Red Hat Enterprise Linux 5 | 1.0 | 2/12/2013 | TBD |
| Technical Controls for Securing Cisco IOS | Draft currently in review | - | - |
| Technical Controls for Securing Cisco Firewall Devices | Draft currently in review | - | - |
| Technical Controls for Securing Juniper JunOS | Draft currently in review | - | - |
| General Controls for System and Network Monitoring | Draft currently in review | - | - |
| Technical Controls for Security Event Logging | Draft currently in review | - | - |
| General Controls for Network Security | 1.0 | 11/03/2011 | Mandatory |
| General Controls for Electronic Communication | To be developed | - | - |
| General Controls for Business Continuity and Disaster Recovery | To be developed | - | - |
| General Controls for Application Security | To be developed | - | - |
| General Controls for System Development | To be developed | - | - |
| General Controls for Change Management | 1.0 | 11/11/2011 | Compliance with this standard will be implemented as the associated standards and procedures are implemented. |
| General Controls for Security Patch Management | Draft currently in review | - | - |
| General Controls for Identity and Access Management | 1.0 | 11/07/2011 | Mandatory |
| Technical Controls for Identity and Access Management | 1.0 | 1/31/2013 | Mandatory. Will be phased in with Active Directory roll-out, Windows 7 roll-out, and other efforts. |
| General Controls for Malware Protection | 1.0 | 12/06/2011 | Compliance with this standard will be achieved as part of the Symantec Enterprise Protection upgrade project. |
| General Controls for Cryptography | To be developed | - | - |
| General Controls for Incident Management | To be developed | - | - |