Standards define the mandatory settings, controls, and requirements that must be implemented to achieve policy objectives. Compliance with standards is measurable, allowing risks to be identified, quantified, and managed at various organizational levels within the university.
There are two types of standards in the Policy:
- General control standards describe the tasks that must be accomplished and the controls that must be put in place to comply with information security policies. They apply broadly to all software and hardware implementations and are therefore written in platform-neutral, or generic, language. General control standards are derived from a combination of university policies, the laws and regulations that apply to the university, and generally accepted information security practices in the higher education sector.
- Technical control standards describe the specific steps (procedures, configuration settings, etc.) that should be used to implement the tasks and controls specified by one or more general control standards for a particular software or hardware product. Technical control standards are usually derived from general control standards; they are rarely derived directly from policy.
Organization
The New School information security program is built on a foundation of 21 principles that reflect the information security goals and intent of the university's senior leadership and underpin the development of the policies, standards, and procedures. In general, there will be one general control standard and zero or more technical control standards for each principle.
Governance and Compliance
1. Information Security Governance
2. Information Security Policy
3. Accountability and Ownership
4. Security Education and Awareness
5. Legal and Regulatory Compliance
Risk Management
6. Information Risk Management
7. Asset Management
8. Third Party Management
Infrastructure
9. Physical and Environmental Security
10. System Configuration
11. System Monitoring
12. Network Security
13. Electronic Communication
14. Business Continuity and Disaster Recovery
Applications
15. Application Security
16. System Development
17. Change Management
Security Services
18. Identity and Access Management
19. Malware Protection
20. Cryptography
21. Incident Management
Compliance
Compliance with standards is mandatory, but the audience varies by standard. Consult the individual standards documents for details.
The standards contained in the Policy represent baseline, or minimum, requirements that must be met by all offices and departments of the university. As appropriate and necessary, additional standards may be established at the office or department level to codify office-specific or department-specific requirements. These additional standards may supplement, but never reduce, the level of security required by the Policy.
Documents
| Document | Version | Approved | Compliance Plan |
|---|---|---|---|
| General Controls for Managing the Legal Aspects of Information Security | Draft currently in review | - | - |
| General Controls for Handling Sensitive Information | 1.0 | 1/18/2012 | Mandatory |
| General Controls for System Configuration | 1.0 | 12/6/2011 | Systems will be brought into compliance with this standard as the technical controls standards for the various systems are implemented. |
| Technical Controls for Securing Microsoft Windows Server 2008 | Draft currently in review | - | - |
| Technical Controls for Securing Microsoft Windows 7 | Draft currently in review | - | - |
| Technical Controls for Securing Apple Mac OS X 10 | Draft currently in review | - | - |
| Technical Controls for Securing Red Hat Enterprise Linux 5 | Draft currently in review | - | - |
| Technical Controls for Securing Cisco IOS | Draft currently in review | - | - |
| Technical Controls for Securing Cisco Firewall Devices | Draft currently in review | - | - |
| Technical Controls for Securing Juniper JunOS | Draft currently in review | - | - |
| General Controls for System and Network Monitoring | Draft currently in review | - | - |
| Technical Controls for Security Event Logging | Draft currently in review | - | - |
| General Controls for Network Security | 1.0 | 11/3/2011 | Mandatory |
| General Controls for Change Management | 1.0 | 11/11/2011 | Compliance with this standard will be implemented as the associated standards and procedures are implemented. |
| General Controls for Security Patch Management | Draft currently in review | - | - |
| General Controls for Identity and Access Management | 1.0 | 11/7/2011 | Mandatory |
| Technical Controls for Identity and Access Management | Draft currently in review | - | - |
| General Controls for Malware Protection | 1.0 | 12/6/2011 | Compliance with this standard will be achieved as part of the Symantec Enterprise Protection upgrade project. |