Content Comparison

Maintain inventory of computers that identifies criticality of device or data being stored on it.

Maintain inventory of systems being used and managed by WVU that identifies classification of data stored within.

Maintain inventory of servers being used and managed by WVU that identifies purpose of server and classification of data stored on server.

Develop, document, and periodically update system security plans.

☑

⬜

Adhere to WVU IT Purchase process

Require security assessment prior to purchase

☑

⬜

⬜

Assess vendor security compliance every three years, at minimum

☑

Annual risk assessment conducted

⬜

⬜

Risk assessment conducted every 3 years

⬜

⬜

Document architectural layout of the environment

☑

☑

Develop post-assessment plans to reduce risks to acceptable levels

Prioritize remediation/mitigation of risks identified based on severity

Authorize acceptance of unmitigated risks

Authentication is required to access systems

Enterprise Directory Services (SSO) is required for authentication

☑

☑

Two-Factor authentication (2FA) is required for users to access systems

☑

Two-Factor authentication (2FA) is required for privileged access to systems

Two-Factor authentication (2FA) is required for all remote access solutions

All passwords must meet Password Standard

Manage passwords for privileged Service Accounts in password vault

Manage passwords for privileged Shared Application Accounts in privileged access management tool

Manage passwords for Shared Application Accounts with non-privileged access in password vault

Use of restrictive VPN that requires use of a University Devices to conduct privileged access

Two-Factor authentication (2FA) required for non-local maintenance solutions. Individuals must actively accept remote sessions.

Access granted on principle of Least Privilege

Review accounts annually and remove individuals who no longer require access

☑

Implement host-based firewalls to block all inbound traffic not required for use of computer and/or server

Computer must use session lock after 15 min of inactivity

☑

Physically secure servers within a University Data Center

☑

☑

☑

☑

Physically secure servers within Secure Server Room

Backup media must be secured from unauthorized physical access

Printer securely configured in a restricted-access location with authorized person available to receive printout immediately, or printer is password-protected

⬜

⬜

Users must receive training to perform their duties

☑

Privileged users receive training to understand their roles and responsibilities

☑

Server housed in University Data Center whole-disk encrypted

⬜

⬜

⬜

Server housed in server rooms whole-disk encrypted

☑

☑

Server not in server room/device whole-disk encrypted

Development and testing environments of systems storing data are separate from production environment

☑

☑

☑

Follow established SDLC processes

☑

☑

☑

Follow established configuration change control processes

☑

☑

Develop a business continuity plan/disaster recovery plan

☑

☑

☑

Business continuity plan/disaster recovery plan tested annually

☑

☑

☑

Data backed up outside of a University Data Center

☑

☑

☑

Device sanitized appropriately before transfer or reuse

Anti-virus installed and running Real-Time scanning

Send logs to Security Event Management (SIEM) system (Splunk)

☑

☑

☑

Automate alerting on logging failures

☑

☑

⬜

Authenticated vulnerability scans required monthly

☑

☑

⬜

Critical Patches implemented within 30 days

Prioritize remediation/mitigation based on severity, risk, and likelihood

Implement alternative security controls for vulnerabilities that cannot be remediated