Standards define the mandatory settings, controls, and requirements that must be implemented to achieve policy objectives. Compliance with standards is measurable, allowing risks to be identified, quantified, and managed at various organizational levels within the university.
There are two types of standards in the Policy:
- General control standards describe the tasks that must be accomplished and the controls that must be put in place to comply with information security policies. They apply broadly to all software and hardware implementations and are therefore written in platform-neutral, or generic, language. General control standards are derived from a combination of university policies, the laws and regulations that apply to the university, and generally accepted information security practices in the higher education sector.
- Technical control standards describe the specific steps (procedures, configuration settings, etc.) that should be used to implement the tasks and controls specified by one or more general control standards on a particular software or hardware product. Technical control standards are usually derived from general control standards; they are rarely derived directly from policy.
Organization
The New School information security program is built on a foundation of 21 principles that reflect the information security goals and intent of the university's senior leadership and underpin the development of the policies, standards, and procedures. In general, there will be one general control standard and zero or more technical control standards for each principle.
Governance and Compliance
1. Information Security Governance
2. Information Security Policy
3. Accountability and Ownership
4. Security Education and Awareness
5. Legal and Regulatory Compliance
Risk Management
6. Information Risk Management
7. Asset Management
8. Third Party Management
Infrastructure
9. Physical and Environmental Security
10. System Configuration
11. System Monitoring
12. Network Security
13. Electronic Communication
14. Business Continuity and Disaster Recovery
Applications
15. Application Security
16. System Development
17. Change Management
Security Services
18. Identity and Access Management
19. Malware Protection
20. Cryptography
21. Incident Management
Compliance
Compliance with standards is mandatory, but the audience varies by standard. Consult the individual standards documents for details.
The standards contained in the Policy represent baseline, or minimum, requirements that must be met by all offices and departments of the university. As appropriate and necessary, additional standards may be established at the office or department level to codify office-specific or department-specific requirements. These additional standards may supplement, but never reduce, the level of security required by the Policy.
Documents
The table below shows the status of standards documents that have been approved, are currently under development, or are planned for future development. Last update: Feb. 21, 2013
| Document | Version / Status | Approved | Compliance Plan |
|---|---|---|---|
| General Controls for Information Security Governance | To be developed | - | - |
| General Controls for Accountability and Ownership | Draft currently in final approval | - | - |
| General Controls for Security Training and Awareness | 1.0 | 10/21/2012 | Security awareness training is under development, to be delivered in 2013 |
| General Controls for Managing the Legal Aspects of Information Security | 1.0 | 10/19/2012 | - |
| General Controls for Information Risk Management | To be developed | - | - |
| General Controls for Asset Management | To be developed | - | - |
| General Controls for Handling Sensitive Information | 1.0 | 1/18/2012 | Mandatory |
| General Controls for Third Party Management | To be developed | - | - |
| General Controls for Physical and Environmental Security | To be developed | - | - |
| General Controls for System Configuration | 1.0 | 12/06/2011 | Systems will be brought into compliance with this standard as the technical control standards for the various systems are implemented. |
| Technical Controls for Securing Microsoft Windows Server 2008 | 1.0 | 2/12/2013 | Systems will be brought into compliance through the use of Active Directory Group Policy. |
| Technical Controls for Securing Microsoft Windows 7 | 1.0 | 2/12/2013 | Systems will be brought into compliance with a combination of a standard New School Windows 7 image loaded onto all machines at the manufacturer and Active Directory Group Policy. |
| Technical Controls for Securing Apple Mac OS X 10 | 1.0 | 2/12/2013 | Academic Technology systems are already in compliance (with a few minor exceptions that will be corrected in the next image). New systems rolled out, and existing office systems, will be brought into compliance manually. |
| Technical Controls for Securing Red Hat Enterprise Linux 5 | 1.0 | 2/12/2013 | TBD |
| Technical Controls for Securing Cisco IOS | Draft currently in review | - | - |
| Technical Controls for Securing Cisco Firewall Devices | Draft currently in review | - | - |
| Technical Controls for Securing Juniper JunOS | Draft currently in review | - | - |
| General Controls for System and Network Monitoring | Draft currently in review | - | - |
| Technical Controls for Security Event Logging | Draft currently in review | - | - |
| General Controls for Network Security | 1.0 | 11/03/2011 | Mandatory |
| General Controls for Electronic Communication | To be developed | - | - |
| General Controls for Business Continuity and Disaster Recovery | To be developed | - | - |
| General Controls for Application Security | To be developed | - | - |
| General Controls for System Development | To be developed | - | - |
| General Controls for Change Management | 1.0 | 11/11/2011 | Compliance with this standard will be implemented as the associated standards and procedures are implemented. |
| General Controls for Security Patch Management | Draft currently in review | - | - |
| General Controls for Identity and Access Management | 1.0 | 11/07/2011 | Mandatory |
| Technical Controls for Identity and Access Management | 1.0 | 1/31/2013 | Mandatory. Will be phased in with the Active Directory roll-out, the Windows 7 roll-out, and other efforts. |
| General Controls for Malware Protection | 1.0 | 12/06/2011 | Compliance with this standard will be achieved as part of the Symantec Enterprise Protection upgrade project. |
| General Controls for Cryptography | To be developed | - | - |
| General Controls for Incident Management | To be developed | - | - |